-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Can't do this. Your patch replicates the PAM conversation in entrance
login, which, apart from potentially opening up security holes, will
result in an unnecessary double auth. Besides, we cannot move the PAM
conversation out of the entrance process. That will not work (and even
if it did would not be right). The proper solution I see for this issue
is to attempt to preserve the pam handle for the entrance_login process
(perhaps through IPC) so that the login process can then wait until the
session is over and then end the PAM session.

Sebastian Dransfeld wrote:
| Sebastian Dransfeld wrote:
|
|> Corey Donohoe wrote:
|>
|>> I'll see about tending to this when I get home this evening.  Someone
|>> recently mentioned that the pam_close_session is being called to
|>> early, and should be called from entrance_login(which isn't possible).
|>
|>
|>
|> Why isn't this possible? The documentation says that it should be
|> possible to run pam_open_session and pam_close_session from two
|> different processes.
|>
|> Sebastian
|
|
| Seems to work here. See the applied patch. pam_console expects PAM_USER
| and PAM_TTY to be set.
|
| Sebastian
|
|
| ------------------------------------------------------------------------
|
| Index: AUTHORS
| ===================================================================
| RCS file: /cvsroot/enlightenment/e17/apps/entrance/AUTHORS,v
| retrieving revision 1.2
| diff -u -r1.2 AUTHORS
| --- AUTHORS   26 May 2003 05:59:43 -0000      1.2
| +++ AUTHORS   11 Jan 2005 11:45:53 -0000
| @@ -1,5 +1,6 @@
|  Ibukun Olumuyiwa <[EMAIL PROTECTED]>
|  Corey Donohoe <[EMAIL PROTECTED]>
|  Tilman Sauerbeck <[EMAIL PROTECTED]>
| +Sebastian Dransfeld <[EMAIL PROTECTED]>
|
|  Credits to Chris Thomas for some of the original work on elogin.
| Index: src/client/entrance_auth.c
| ===================================================================
| RCS file:
/cvsroot/enlightenment/e17/apps/entrance/src/client/entrance_auth.c,v
| retrieving revision 1.23
| diff -u -r1.23 entrance_auth.c
| --- src/client/entrance_auth.c        5 Jan 2005 23:10:28 -0000       1.23
| +++ src/client/entrance_auth.c        11 Jan 2005 11:45:55 -0000
| @@ -2,7 +2,7 @@
|  @file entrance_auth.c
|  @brief Variables and data relating to system authentication
|  */
| -#include"entrance_auth.h"
| +#include "entrance_auth.h"
|  #include "util.h"
|
|  static char *
| @@ -87,7 +87,7 @@
|  #if HAVE_PAM
|     if (e->pam.handle)
|     {
| -      pam_close_session(e->pam.handle, 0);
| +      /*pam_close_session(e->pam.handle, 0);*/
|        pam_end(e->pam.handle, PAM_SUCCESS);
|        e->pam.handle = NULL;
|     }
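Review bot: The commented-out `pam_close_session` call is dead code where a reader needs the reason the session is no longer closed in this process; replace it with a comment such as `/* session is closed by entrance_login (end_user_session) once the child exits */`. With the call gone, `pam_end(e->pam.handle, PAM_SUCCESS)` still runs here while the session this handle opened stays open, which only holds together if the separate handle created in entrance_login is accepted by the session modules as the same session — worth confirming against the modules in use, since the thread notes pam_console depends on PAM_USER and PAM_TTY being set. The enclosing function starts outside the hunk.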
| Index: src/client/entrance_login.c
| ===================================================================
| RCS file:
/cvsroot/enlightenment/e17/apps/entrance/src/client/entrance_login.c,v
| retrieving revision 1.2
| diff -u -r1.2 entrance_login.c
| --- src/client/entrance_login.c       4 Feb 2004 20:59:35 -0000       1.2
| +++ src/client/entrance_login.c       11 Jan 2005 11:45:55 -0000
| @@ -4,16 +4,133 @@
|  #include <sys/types.h>
|  #include <sys/wait.h>
|
| +#ifdef HAVE_CONFIG_H
| +#   include "../config.h"
| +#endif
| +
| +#ifdef HAVE_PAM
| +#   include "entrance_auth.h"
| +pam_handle_t *pamh;
| +#endif
| +
| +#ifdef HAVE_PAM
| +/* PAM Conversation function */
| +int
| +entrance_auth_pam_conv(int num_msg, const struct pam_message **msg,
| +                        struct pam_response **resp, void *appdata_ptr)
| +{
| +   int replies = 0;
| +   Entrance_Auth *e = appdata_ptr;
| +   struct pam_response *reply = NULL;
| +
| +   reply =
| +      (struct pam_response *) malloc(sizeof(struct pam_response) *
num_msg);
| +
| +   if (!reply)
| +      return PAM_CONV_ERR;
| +
| +   for (replies = 0; replies < num_msg; replies++)
| +   {
| +      switch (msg[replies]->msg_style)
| +      {
| +        case PAM_PROMPT_ECHO_ON:
| +           reply[replies].resp_retcode = PAM_SUCCESS;
| +           reply[replies].resp = (char *) strdup(e->user);
| +           break;
| +        case PAM_PROMPT_ECHO_OFF:
| +           reply[replies].resp_retcode = PAM_SUCCESS;
| +           reply[replies].resp = (char *) strdup(e->pass);
| +           break;
| +        case PAM_ERROR_MSG:
| +        case PAM_TEXT_INFO:
| +           reply[replies].resp_retcode = PAM_SUCCESS;
| +           reply[replies].resp = NULL;
| +           syslog(LOG_INFO, "PAM: %s.", msg[replies]->msg);
| +           break;
| +        default:
| +           free(reply);
| +           return (PAM_CONV_ERR);
| +      }
| +   }
| +
| +   *resp = reply;
| +   return (PAM_SUCCESS);
| +}
| +
| +int
| +init_pam(const char *user, const char *display)
| +{
| +   int pamerr;
| +   struct pam_conv conv;
| +
| +   conv.conv = entrance_auth_pam_conv;
| +   conv.appdata_ptr = NULL;
| +
| +   /* We'll use our own pam file */
| +   if ((pamerr =
| +        pam_start("entrance", user, &conv,
| +                  &pamh)) != PAM_SUCCESS)
| +   {
| +      syslog(LOG_CRIT, "PAM: %s.", pam_strerror(pamh, pamerr));
| +      return ERROR_NO_PAM_INIT;
| +   }
| +
| +   /* Set TTY to DISPLAY */
| +   if ((pamerr =
| +        pam_set_item(pamh, PAM_TTY, display)) != PAM_SUCCESS)
| +   {
| +      syslog(LOG_CRIT, "Error: Unable to configure PAM_TTY.");
| +      return ERROR_PAM_SET;
| +   }
| +
| +   return E_SUCCESS;
| +}
| +
| +int
| +end_user_session(const char *user)
| +{
| +   int pamerr;
| +
| +   syslog(LOG_INFO, "Ending session for user \"%s\".", user);
| +
| +   if ((pamerr = pam_close_session(pamh, 0)) != PAM_SUCCESS)
| +   {
| +      syslog(LOG_CRIT, "PAM: %s.", pam_strerror(pamh, pamerr));
| +      return ERROR_NO_PAM_INIT;
| +   }
| +
| +   if ((pamerr = pam_end(pamh, 0)) != PAM_SUCCESS)
| +   {
| +      syslog(LOG_CRIT, "PAM: %s.", pam_strerror(pamh, pamerr));
| +      return ERROR_NO_PAM_INIT;
| +   }
| +
| +   return E_SUCCESS;
| +}
| +#endif
| +
|  int
|  main(int argc, char **argv)
|  {
|     pid_t pid;
| +   char *user;
| +   char *display;
|
| -   if (argc != 2)
| +   if (argc != 4)
|        return 0;
|
| -   pid = atoi(argv[1]);
| -   if (waitpid(pid, NULL, 0) == pid)
| +   user = argv[1];
| +   display = argv[2];
| +   pid = atoi(argv[3]);
| +
| +#ifdef HAVE_PAM
| +   init_pam(user, display);
| +#endif
| +   if (waitpid(pid, NULL, 0) == pid) {
| +#ifdef HAVE_PAM
| +      end_user_session(user);
| +#endif
|        exit(0);
| +   }
|     return -1;
|  }
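Review bot: `main` discards the result of `init_pam`, so when `pam_start` or `pam_set_item` fails, `end_user_session` is still reached and calls `pam_close_session(pamh, 0)` on a handle that was never initialised; change `init_pam(user, display);` to `if (init_pam(user, display) != E_SUCCESS) return -1;`. The conversation callback in the same hunk is registered with `conv.appdata_ptr = NULL` but dereferences `e->user` and `e->pass` for `PAM_PROMPT_ECHO_ON`/`PAM_PROMPT_ECHO_OFF`, so a module that prompts during `pam_close_session` crashes the process instead of failing; returning `PAM_CONV_ERR` when `e` is NULL is the minimum guard. In `end_user_session`, a failing `pam_close_session` returns without `pam_end`, leaking the handle, and `ERROR_NO_PAM_INIT` is reused for what is really a close failure. A short header comment above `init_pam` stating that it populates the file-scope `pamh` and that passing `user` to `pam_start` is what sets PAM_USER would help readers.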
| Index: src/client/entrance_session.c
| ===================================================================
| RCS file:
/cvsroot/enlightenment/e17/apps/entrance/src/client/entrance_session.c,v
| retrieving revision 1.67
| diff -u -r1.67 entrance_session.c
| --- src/client/entrance_session.c     27 Dec 2004 06:45:14 -0000      1.67
| +++ src/client/entrance_session.c     11 Jan 2005 11:45:56 -0000
| @@ -357,6 +357,7 @@
|     pid_t pid;
|     char buf[PATH_MAX];
|     char *shell = NULL;
| +   char *user, *display;
|
|     entrance_auth_setup_environment(e->auth, e->display);
|     if ((e->session) && (strlen(e->session) > 0))
| @@ -428,14 +429,18 @@
|          break;
|     }
|     _entrance_session_user_list_fix(e);
| +   user = strdup(e->auth->user);
| +   display = strdup(e->display);
|     entrance_session_free(e);
|     /* this bypasses a race condition where entrance loses its x
connection */
|     /* before the wm gets it and x goes and resets itself */
|     sleep(10);
|     /* replace this rpcoess with a clean small one that just waits for
its */
|     /* child to exit.. passed on the cmd-line */
| -   snprintf(buf, sizeof(buf), "%s/entrance_login %i", PACKAGE_BIN_DIR,
| -            (int) pid);
| +   snprintf(buf, sizeof(buf), "%s/entrance_login %s %s %i",
PACKAGE_BIN_DIR,
| +            user, display, (int) pid);
| +   free(user);
| +   free(display);
|     execl("/bin/sh", "/bin/sh", "-c", buf, NULL);
|  }
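Review bot: `user` and `display` are now interpolated into `buf` and handed to `/bin/sh -c`, so any shell metacharacter in either string is interpreted by the shell with this process's privileges; the previous command line only carried an integer. Executing entrance_login directly with an argv removes the shell from the path entirely, as sketched below (with a `char pidbuf[32];` added beside the declarations in the earlier hunk). The two `strdup` results are also used unchecked — a NULL would be passed to `%s` — and the `snprintf` return value is never checked for truncation before the buffer is executed. The enclosing function starts outside the hunk.
```c
   user = strdup(e->auth->user);
   display = strdup(e->display);
   entrance_session_free(e);
   /* … unchanged: sleep(10) and the race-condition comments … */
   /* exec entrance_login directly: an argv is never re-parsed by a shell */
   snprintf(buf, sizeof(buf), "%s/entrance_login", PACKAGE_BIN_DIR);
   snprintf(pidbuf, sizeof(pidbuf), "%i", (int) pid);
   if (user && display)
      execl(buf, buf, user, display, pidbuf, NULL);
   free(user);
   free(display);
```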
|


- --

Ibukun Olumuyiwa
http://xcomputerman.com

"I will stand upon my watch, and set me upon the tower,
and will watch to see what he will say unto me,
and what I shall answer when I am reproved."

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFB5KBpImU2r6Etn78RAskjAKDgXprBe8tzk+J6u/WNOOVem2z8KgCdG1ac
qe51TCXgcKO2cYjpcbx18gg=
=EBx+
-----END PGP SIGNATURE-----


