[patch] pam_exec: use program exit code instead of PAM_SYSTEM_ERR

Jean-Sébastien Pédron dumbbell at FreeBSD.org
Tue Jan 24 14:25:09 UTC 2012


Hi,

If the specified program exits with non-zero, the current implementation
of pam_exec(8) logs this code and returns PAM_SYSTEM_ERR. Therefore,
applications have no idea what went wrong with authentication.

Attached is a patch that changes the behaviour to always return the
program exit code as-is. This lets the program return meaningful
information to applications.

I also added a small paragraph explaining this to the man page.

I'm planning to commit this to -CURRENT (maybe in a week or two) and
merge it to 9 and 8 if there're no objections.

Thanks for any comments!

- -- 
Jean-Sébastien Pédron
-------------- next part --------------
diff --git a/lib/libpam/modules/pam_exec/pam_exec.8 b/lib/libpam/modules/pam_exec/pam_exec.8
index 311d64c..c5d2404 100644
--- a/lib/libpam/modules/pam_exec/pam_exec.8
+++ b/lib/libpam/modules/pam_exec/pam_exec.8
@@ -32,7 +32,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd February 1, 2005
+.Dd January 24, 2012
 .Dt PAM_EXEC 8
 .Os
 .Sh NAME
@@ -59,6 +59,12 @@ variables:
 .Ev PAM_TTY ,
 and
 .Ev PAM_USER .
+.Pp
+The program exit code should be one of the codes defined in
+.Pa /usr/include/security/pam_constants.h
+under section "XSSO 5.2". Authentication is successful if the return code is
+.Er PAM_SUCCESS
+(0), failed otherwise.
 .Sh SEE ALSO
 .Xr pam_get_item 3 ,
 .Xr pam.conf 5 ,
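Review bot: The added paragraph says the exit code "should be" one of the codes in pam_constants.h but never says what the module does when the program exits with a value outside that list. With the pam_exec.c change in this same patch, such a value reaches the caller unchanged, so the page should either document that or name the fallback code that is returned instead. As a style point, mdoc source starts each sentence on its own line, so "Authentication is successful if ..." belongs on a new line rather than after "XSSO 5.2". on the same one, and the literal double quotes could become a .Dq macro.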
diff --git a/lib/libpam/modules/pam_exec/pam_exec.c b/lib/libpam/modules/pam_exec/pam_exec.c
index b7a870f..d497479 100644
--- a/lib/libpam/modules/pam_exec/pam_exec.c
+++ b/lib/libpam/modules/pam_exec/pam_exec.c
@@ -141,12 +141,7 @@ _pam_exec(pam_handle_t *pamh __unused, int flags __unused,
 		openpam_log(PAM_LOG_ERROR, "unknown status 0x%x", status);
 		return (PAM_SYSTEM_ERR);
 	}
-	if (WEXITSTATUS(status) != 0) {
-		openpam_log(PAM_LOG_ERROR, "%s returned code %d",
-		    argv[0], WEXITSTATUS(status));
-		return (PAM_SYSTEM_ERR);
-	}
-	return (PAM_SUCCESS);
+	return (WEXITSTATUS(status));
 }
 
 PAM_EXTERN int
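Review bot: `return (WEXITSTATUS(status));` hands any exit status straight to the PAM caller with no range check, so a program that exits with a value that is not a defined PAM code, or a script that simply exits 1 on every error, yields a return value the application may misinterpret. Consider returning the status only when it is a defined PAM error code and falling back to PAM_SYSTEM_ERR otherwise. The removed openpam_log() call also recorded the failing program name and its code. Keeping a log line for non-zero exits would preserve that trail for anyone debugging or auditing authentication failures.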

