[Bug 238041] [PATCH] pam_exec prompt for password for every pam function when enabled expose_authtok
bugzilla-noreply at freebsd.org
Wed May 22 07:38:17 UTC 2019
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238041
Qiantan Hong <qhong at mit.edu> changed:
What |Removed |Added
----------------------------------------------------------------------------
Severity|Affects Only Me |Affects Many People
--- Comment #1 from Qiantan Hong <qhong at mit.edu> ---
Steps to reproduce:
Put this in /etc/pam.d/system:
auth optional pam_exec.so expose_authtok /etc/pam.d/test
Put this in /etc/pam.d/test:
#!/bin/sh
read token
exit 0
Expected result: Prompt for password on each authentication
Actual result: Prompt for password on every pam function, e.g. twice on su
(pam_sm_authenticate and pam_sm_setcred, the second one has no effect)
Patch:
Index: pam_exec.c
===================================================================
--- pam_exec.c (revision 348097)
+++ pam_exec.c (working copy)
@@ -4,6 +4,7 @@
* Copyright (c) 2001,2003 Networks Associates Technology, Inc.
* Copyright (c) 2017 Dag-Erling Smørgrav
* Copyright (c) 2018 Thomas Munro
+ * Copyright (c) 2019 Qiantan Hong
* All rights reserved.
*
* This software was developed for the FreeBSD Project by ThinkSec AS and
@@ -495,7 +496,7 @@
ret = parse_options(__func__, &argc, &argv, &options);
if (ret != 0)
return (PAM_SERVICE_ERR);
-
+ options.expose_authtok = 0;
ret = _pam_exec(pamh, __func__, flags, argc, argv, &options);
/*
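Review bot: the added `options.expose_authtok = 0;` directly after the `parse_options()` error check silently discards an option the administrator configured, and carries no comment saying why. `parse_options()` is already passed `__func__`, so the decision could be made there once, based on the calling entry point, rather than overriding the parsed result at the call site; at minimum add a one-line comment here. The hunk header shows no function name, so the submission should also state which `pam_sm_*` function each hunk touches.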
@@ -535,7 +536,7 @@
ret = parse_options(__func__, &argc, &argv, &options);
if (ret != 0)
return (PAM_SERVICE_ERR);
-
+ options.expose_authtok = 0;
ret = _pam_exec(pamh, __func__, flags, argc, argv, &options);
/*
@@ -575,7 +576,7 @@
ret = parse_options(__func__, &argc, &argv, &options);
if (ret != 0)
return (PAM_SERVICE_ERR);
-
+ options.expose_authtok = 0;
ret = _pam_exec(pamh, __func__, flags, argc, argv, &options);
/*
@@ -612,7 +613,7 @@
ret = parse_options(__func__, &argc, &argv, &options);
if (ret != 0)
return (PAM_SERVICE_ERR);
-
+ options.expose_authtok = 0;
ret = _pam_exec(pamh, __func__, flags, argc, argv, &options);
/*
@@ -649,7 +650,7 @@
ret = parse_options(__func__, &argc, &argv, &options);
if (ret != 0)
return (PAM_SERVICE_ERR);
-
+ options.expose_authtok = 0;
ret = _pam_exec(pamh, __func__, flags, argc, argv, &options);
/*
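Review bot: this is the fifth identical `options.expose_authtok = 0;` insertion (the others are at -495, -535, -575 and -612), and each one replaces the blank line between the `parse_options()` check and the `_pam_exec()` call. Every one of these paths passes `__func__` into `_pam_exec()`, so a single check there keyed on the function name would avoid five copies that can drift apart. If the per-function assignment stays, keep the blank line after the `return (PAM_SERVICE_ERR);` block and put the assignment below it.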
Index: pam_exec.8
===================================================================
--- pam_exec.8 (revision 348097)
+++ pam_exec.8 (working copy)
@@ -1,6 +1,7 @@
.\" Copyright (c) 2001,2003 Networks Associates Technology, Inc.
.\" Copyright (c) 2017 Dag-Erling Smørgrav
.\" Copyright (c) 2018 Thomas Munro
+.\" Copyright (c) 2019 Qiantan Hong
.\" All rights reserved.
.\"
.\" Portions of this software were developed for the FreeBSD Project by
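Review bot: the only change to pam_exec.8 is the added copyright line at the top, so the manual page still does not say that `expose_authtok` is ignored in the functions patched in pam_exec.c. Please add a sentence to the `expose_authtok` description stating which service functions honour it, so that an administrator whose script reads the token from another function is not surprised by the change.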