In pam_pgsql.c, pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv), in the event that there are four columns,
if (PQnfields(res)>=4) {
    char *nulltok_db = PQgetvalue(res, 0, 3);
    rc = PAM_PERM_DENIED;
}
needs to be
if (PQnfields(res)>=4) {
    char *nulltok_db = PQgetvalue(res, 0, 3);
    if (!strcmp(nulltok_db, "t")) { rc = PAM_PERM_DENIED; }
}
The existence of four columns should not be sufficient to deny permission.
Well, sort of.
The query for account should return 3 columns: the first column tells us if the password is expired (account suspended), the second one if a new password should be asked, and the third one if the password itself is NULL or BLANK.
But I agree with you, this code is not right; there is no point in getting the fourth column value.