bin/107612: pam_nologin(8) ignores the login class capability nologin except for the default class.

TANAKA Hiroyuki kattyo at abk.nu
Sat Jan 6 03:50:21 PST 2007


>Number:         107612
>Category:       bin
>Synopsis:       pam_nologin(8) ignores the login class capability nologin except for the default class.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jan 06 11:50:20 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     TANAKA Hiroyuki
>Release:        6.2-RC1
>Organization:
>Environment:
FreeBSD tachikoma 6.2-RC1 FreeBSD 6.2-RC1 #0: Thu Nov 16 05:12:08 UTC 2006     root at opus.cse.buffalo.edu:/usr/obj/usr/src/sys/SMP  i386
>Description:
The pam_nologin module only uses the "default" entry in the /etc/login.conf database.
I want to use login classes for local users to control nologin with specific PAM entries.
>How-To-Repeat:

>Fix:


Patch attached with submission follows:

--- pam_nologin.c.org	Sat Apr 13 07:27:21 2002
+++ pam_nologin.c	Sat Jan  6 20:18:32 2007
@@ -73,7 +73,11 @@
 
 	PAM_LOG("Got user: %s", user);
 
-	lc = login_getclass(NULL);
+	pwd = getpwnam(user);
+	if (pwd && pwd->pw_uid == 0)
+		retval = PAM_SUCCESS;
+	
+	lc = login_getpwclass(pwd);
 	nologin = login_getcapstr(lc, "nologin", nologin_def, nologin_def);
 	login_close(lc);
 	lc = NULL;
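
Review bot: pwd goes into login_getpwclass() unchecked on the added line "lc = login_getpwclass(pwd);", although getpwnam(user) can return NULL and the second hunk still tests "!pwd" for exactly that case. Either confirm that login_getpwclass() accepts a NULL argument, or fall back explicitly to the old "lc = login_getclass(NULL);" when pwd is NULL, so an unknown user still gets the default class and the existing PAM_USER_UNKNOWN path further down. The added empty line after "retval = PAM_SUCCESS;" also carries a stray tab.
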
@@ -84,15 +88,10 @@
 
 	PAM_LOG("Opened %s file", NOLOGIN);
 
-	pwd = getpwnam(user);
-	if (pwd && pwd->pw_uid == 0)
-		retval = PAM_SUCCESS;
-	else {
-		if (!pwd)
-			retval = PAM_USER_UNKNOWN;
-		else
-			retval = PAM_AUTH_ERR;
-	}
+	if (!pwd)
+		retval = PAM_USER_UNKNOWN;
+	else
+		retval = PAM_AUTH_ERR;
 
 	if (fstat(fd, &st) < 0)
 		return (retval);
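
Review bot: the added "if (!pwd) ... else retval = PAM_AUTH_ERR;" assigns retval unconditionally, so it overwrites the PAM_SUCCESS that the first hunk sets for pw_uid == 0, and root is refused with PAM_AUTH_ERR whenever the nologin file opens. The removed lines only reached PAM_AUTH_ERR for a known non-root user. Moving getpwnam() up is enough to pick the login class; keep the three-way test here as it was (or make the last branch "else if (pwd->pw_uid != 0)") and drop the early assignment from the first hunk, so the root exemption survives.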

>Release-Note:
>Audit-Trail:
>Unformatted: