bug in checkpassword-pam (0.90.2)
From: Alexey M. <al...@hs...> - 2001-12-19 21:35:08
>>>>> "JV" == John Vaughan <jva...@ag...> writes:

JV> Hi,

JV> I've just spent many days (I'm a sysadmin, not a programmer)
JV> tracking down a bug in the pam authentication part of
JV> checkpassword-pam.

JV> In log_pam.c, line 122, you have:

JV>     pam_error = pam_setcred(pamh, PAM_CRED_ESTABLISH);

JV> There's no such define as 'PAM_CRED_ESTABLISH' - it should be
JV> 'PAM_ESTABLISH_CRED' (see 'man pam_setcred');

JV> Once I changed it to:

JV>     pam_error = pam_setcred(pamh, PAM_ESTABLISH_CRED);

JV> It worked fine...

Wow! Thanks. What operating system do you have?

Oh, I've just looked in the headers in my Debian and I'm now extremely
frightened:

alexm@tyranny:~/checkpassword-pam$ grep PAM_ESTABLISH_CRED /usr/include/security/*.h
/usr/include/security/_pam_compat.h:# undef PAM_ESTABLISH_CRED
/usr/include/security/_pam_compat.h:# define PAM_ESTABLISH_CRED 0x1
/usr/include/security/_pam_types.h:#define PAM_ESTABLISH_CRED 0x0002U

Feel the difference between the last two #defines 8-[ ]

People, do you see something like that on your system?

Comments in log_pam.c say:

/* for compability with older pam stuff, before the stupid transposition */
#ifndef PAM_CRED_ESTABLISH
#define PAM_CRED_ESTABLISH 0x0002U
#endif

I think it could be changed to

#define PAM_CRED_ESTABLISH PAM_ESTABLISH_CRED

though I'm already way fscking afraid of it all :)

JV> Here's a diff, just for the heck of it ;) ;)

JV> Thanks for doing this by the way - you seem to be the only person
JV> interested in getting CVS to work with PAM at all...

Oh, do you run cvs-nserver in production? AFAIK, there are a couple more
PAM-related patches, but mine is the cleanest of all ;)

Many thanks again, it's not obvious how frightening this bug is.

--alexm
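
The grep in the message above, generalised into a check that compares the numeric values of every integer macro across a header directory. This is an added example, not part of the original message or of checkpassword-pam; the function names and `EXAMPLE_SAME_FLAG` are hypothetical, and the sample headers are constructed from the three grep output lines quoted above.

```shell
#!/bin/sh
# Constructed sample headers: the #define/#undef lines from the grep output
# above, plus EXAMPLE_SAME_FLAG (hypothetical) which agrees in both files.
make_sample_headers() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/_pam_compat.h" <<'EOF'
# undef PAM_ESTABLISH_CRED
# define PAM_ESTABLISH_CRED 0x1
# define EXAMPLE_SAME_FLAG 0x10   /* same value, different spelling */
EOF
    cat > "$dir/_pam_types.h" <<'EOF'
#define PAM_ESTABLISH_CRED 0x0002U
#define EXAMPLE_SAME_FLAG 16
EOF
    echo "$dir"
}

# For every macro defined as a plain integer literal in DIR/*.h, compare the
# numeric values and print one line per macro that has more than one:
#   NAME value@file value@file ...
conflicting_defines() {
    num='(0[xX][0-9a-fA-F]+|[0-9]+)'
    for f in "$1"/*.h; do
        # Accept "#define" and "# define"; allow a U/L suffix and a trailing
        # comment. Only a validated literal reaches the $(( )) below.
        sed -nE "s,^[[:space:]]*#[[:space:]]*define[[:space:]]+([A-Za-z_][A-Za-z0-9_]*)[[:space:]]+${num}[uUlL]*[[:space:]]*(/[*/].*)?\$,\1 \2,p" "$f" |
        while read -r name raw; do
            # $(( )) normalises 0x0002, 0x2 and 2 to the same decimal value
            echo "$name $(($raw)) ${f##*/}"
        done
    done | LC_ALL=C sort -u | awk '
        { if (!seen[$1 SUBSEP $2]++) distinct[$1]++
          list[$1] = list[$1] " " $2 "@" $3 }
        END { for (m in distinct) if (distinct[m] > 1) print m list[m] }
    ' | LC_ALL=C sort
}

# Demo on the constructed headers
d=$(make_sample_headers) && { conflicting_defines "$d"; rm -rf "$d"; }
```

On a real system the directory argument would be `/usr/include/security`. A macro defined under different `#if` branches is reported too, so each hit still has to be read in context.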