[patch] pam_exec: use program exit code instead of
dumbbell at FreeBSD.org
Wed Feb 8 17:11:38 UTC 2012
On 01/26/2012 11:07, Gleb Kurtsou wrote:
> Please consider making it optional. It will break for generic
> applications because pam_sm_chauthtok error codes are documented
> and standardized. I'm not aware of any application that uses PAM
> error constants as exit code.
des@ reviewed the patch too and suggested the same thing. Therefore I
changed it to make this behaviour optional.

Here's a new patch:

The changes compared to the original pam_exec(8) are:

  o [*] Add a "return_prog_exit_status" option to enable the

    If this option is not enabled (default), the current behaviour
    remains. However, when the program fails, the return code is
    PAM_PERM_DENIED, not PAM_SYSTEM_ERR.

    If this option is enabled, the program exit status is used as
    the return value of the PAM service module function. If this
    code is invalid for the calling function, log an error and

  o New environment variables are set:
    - $PAM_SM_FUNC: the name of the PAM service module function
    - [*] All valid PAM return codes numerical values are
      available as environment variables ($PAM_SUCCESS,
      $PAM_USER_UNKNOWN, $PAM_PERM_DENIED, etc.).

  o Change some return codes from PAM_SYSTEM_ERR to PAM_SERVICE_ERR.

  o Change many log messages to include the PAM service module

  o waitpid() is now called in a loop. If it returned because of
    EINTR, do it again. Before, it would return PAM_SYSTEM_ERR
    without waiting for the child to exit.

  o Update man page.

[*] New compared to previous patch.
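
A hook script of the kind the "return_prog_exit_status" option is meant for, as an added example that is not part of the patch or of pam_exec: it takes its exit status from the exported $PAM_* return-code variables and $PAM_SM_FUNC, and denies when they are missing. The allowlist, the function names hook_status and pam_code, and the choice of handled service functions are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: hook for pam_exec with return_prog_exit_status enabled.
# ALLOWED_USERS is a constructed allowlist; pam_code and hook_status are
# names made up for this example.
ALLOWED_USERS="alice bob"

# pam_code NAME: print the number exported as $PAM_<NAME>. If it is missing
# or not a number, fall back so that only SUCCESS can ever map to 0.
pam_code() {
    eval "v=\${PAM_$1:-}"
    case "$v" in
        ''|*[!0-9]*) [ "$1" = SUCCESS ] && echo 0 || echo 1 ;;
        *) echo "$v" ;;
    esac
}

# hook_status FUNC USER: print the exit status the hook should return.
hook_status() {
    func=$1 user=$2
    case "$func" in
        pam_sm_authenticate|pam_sm_acct_mgmt) ;;
        *) pam_code PERM_DENIED; return ;;   # unexpected or missing caller
    esac
    [ -n "$user" ] || { pam_code USER_UNKNOWN; return; }
    for u in $ALLOWED_USERS; do
        if [ "$u" = "$user" ]; then pam_code SUCCESS; return; fi
    done
    pam_code PERM_DENIED
}

# Entry point. PAM_SM_FUNC comes from this patch; PAM_SERVICE and PAM_USER
# are pam_exec's existing variables, so a pam_exec without the patch still
# reaches hook_status, which denies because the function name is empty.
# With none of them set, the file only defines the functions.
if [ -n "${PAM_SM_FUNC:-}${PAM_SERVICE:-}${PAM_USER:-}" ]; then
    exit "$(hook_status "${PAM_SM_FUNC:-}" "${PAM_USER:-}")"
fi
```
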