On Thu, Mar 10, 2016 at 12:54:15PM +0100, Pavel Březina wrote:
> On 03/08/2016 05:55 PM, Sumit Bose wrote:
> >Hi,
> >
> >This patch fixes a 2FA issue observed with sudo. See commit message for
> >details.
> >
> >bye,
> >Sumit
> >
> >
> >0001-pam_sss-reorder-pam_message-array.patch
> >
> >
> > From 2c38adad7b527aceb4f9cb41c7d7b4c66d4580c9 Mon Sep 17 00:00:00 2001
> >From: Sumit Bose<sb...@redhat.com>
> >Date: Mon, 7 Mar 2016 17:07:16 +0100
> >Subject: [PATCH] pam_sss: reorder pam_message array
> >
> >There are different expectations about how the pam_message array is
> >organized, details can be found in the pam_start man page. E.g. sudo was
> >not able to handle the Linux-PAM style but expected the Solaris PAM
> >style. With this patch both styles should work as expected.
> 
> I don't see any detail explaining this in the man page... could you
> elaborate please?

ah, sorry, it is not pam_start but the pam_conv man page:

"""
In passing, it is worth noting that there is a discrepancy between the
way Linux-PAM handles the const struct pam_message **msg conversation
function argument from the way that Solaris' PAM (and derivatives, known
to include HP/UX, are there others?) does. Linux-PAM interprets the msg
argument as entirely equivalent to the following prototype const struct
pam_message *msg[] (which, in spirit, is consistent with the commonly
used prototypes for argv argument to the familiar main() function: char
**argv; and char *argv[]). Said another way Linux-PAM interprets the msg
argument as a pointer to an array of num_msg read only 'struct
pam_message' pointers. Solaris' PAM implementation interprets this
argument as a pointer to a pointer to an array of num_msg pam_message
structures. Fortunately, perhaps, for most module/application developers
when num_msg has a value of one these two definitions are entirely
equivalent. Unfortunately, casually raising this number to two has led
to unanticipated compatibility problems.

For what it's worth the two known module writer work-arounds for trying
to maintain source level compatibility with both PAM implementations
are:

       ·   never call the conversation function with num_msg greater
           than one.

       ·   set up msg as doubly referenced so both types of conversation
           function can find the messages. That is, make

                      msg[n] = & (( *msg )[n])
"""
> 
> >-    mesg[0] = (const struct pam_message *) m1;
> >-    mesg[1] = (const struct pam_message *) m2;
> >+    mesg[0] = (const struct pam_message *) m;
> >+    mesg[1] = & (( *mesg )[1]);
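Review bot: the second added line, `mesg[1] = & (( *mesg )[1]);`, is only correct because `mesg[0]` is assigned on the line directly above it and only if `m` points to at least two contiguous struct pam_message elements, and nothing in the hunk states either condition. Please add a comment above the pair saying that `m` is a single array, that the order of the two assignments matters, and that the layout is the doubly referenced form from pam_conv(3) so that both Linux-PAM-style and Solaris-style conversation functions find the second message. Without that, a later cleanup could reorder the lines or go back to two separate message objects and reintroduce the sudo problem.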
> 
> Is it possible to use &m[1] instead of this?

I took this version to match the suggestion from the man page, but if
you agree I'll add a comment why this somewhat odd notation is used.

bye,
Sumit

> 
> _______________________________________________
> sssd-devel mailing list
> sssd-devel@lists.fedorahosted.org
> https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org
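
The two readings of `msg` quoted from the pam_conv man page above, as an added example (not code from the patch or from SSSD). It uses a local stand-in `struct pam_msg` instead of the real `struct pam_message`, constructed prompt strings and hypothetical helper names, and compares what a Linux-PAM-style and a Solaris-style conversation function read from the old layout and from the doubly referenced one.

```c
#include <stdio.h>
#include <string.h>

/* Local stand-in for struct pam_message (same two fields), so this
 * builds without the PAM headers. Name is hypothetical. */
struct pam_msg { int msg_style; const char *msg; };

/* Linux-PAM reading: msg is an array of num_msg pointers. */
static const char *read_linux_style(const struct pam_msg **msg, int i)
{
    return msg[i]->msg;
}

/* Solaris reading: *msg is the first of num_msg contiguous structs. */
static const char *read_solaris_style(const struct pam_msg **msg, int i)
{
    return (*msg)[i].msg;
}

/* Returns 1 when both readings see the same text for every message. */
int readings_agree(int doubly_referenced)
{
    /* Constructed prompts; m[] is one contiguous array as in the patch. */
    struct pam_msg m[2] = { {1, "Password: "}, {1, "Token: "} };
    /* Old layout: two unrelated objects. first[1] is padding so the
     * Solaris-style read stays in bounds in this demo; with a lone
     * struct it would run past the end of the first message. */
    struct pam_msg first[2] = { {1, "Password: "}, {0, "(padding)"} };
    struct pam_msg second = {1, "Token: "};
    const struct pam_msg *mesg[2];

    if (doubly_referenced) {
        mesg[0] = m;
        mesg[1] = &((*mesg)[1]);   /* msg[n] = &((*msg)[n]) */
    } else {
        mesg[0] = &first[0];
        mesg[1] = &second;
    }
    for (int i = 0; i < 2; i++)
        if (strcmp(read_linux_style(mesg, i), read_solaris_style(mesg, i)) != 0)
            return 0;
    return 1;
}

int main(void)
{
    printf("separate objects:  agree=%d\n", readings_agree(0));
    printf("doubly referenced: agree=%d\n", readings_agree(1));
    return 0;
}
```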