author | dumbbell <dumbbell@FreeBSD.org> | 2012-03-26 12:18:15 +0000 |
---|---|---|
committer | dumbbell <dumbbell@FreeBSD.org> | 2012-03-26 12:18:15 +0000 |
commit | 43dc3df2a88b5212772576e4ff9092fb5b7ce8a2 (patch) | |
tree | 90ec575f43730b12bc6d919f918a0ebcef3e3694 /libexec/getty | |
parent | a8f59181c3423ffe1d54c152aefeb37f0234923e (diff) | |
Use program exit status as pam_exec return code (optional)

pam_exec(8) now accepts a new option "return_prog_exit_status". When
set, the program exit status is used as the pam_exec return code. It
allows the program to tell why the step failed (eg. user unknown).
However, if it exits with a code not allowed by the calling PAM service
module function (see $PAM_SM_FUNC below), a warning is logged and
PAM_SERVICE_ERR is returned.

The following changes are related to this new feature but they apply no
matter if the "return_prog_exit_status" option is set or not.

The environment passed to the program is extended:
    o $PAM_SM_FUNC contains the name of the PAM service module function
      (eg. pam_sm_authenticate).
    o All valid PAM return codes' numerical values are available
      through variables named after the return code name. For instance,
      $PAM_SUCCESS, $PAM_USER_UNKNOWN or $PAM_PERM_DENIED.

pam_exec return code better reflects what went on:
    o If the program exits with !0, the return code is now
      PAM_PERM_DENIED, not PAM_SYSTEM_ERR.
    o If the program fails because of a signal (WIFSIGNALED) or doesn't
      terminate normally (!WIFEXITED), the return code is now
      PAM_SERVICE_ERR, not PAM_SYSTEM_ERR.
    o If a syscall in pam_exec fails, the return code remains
      PAM_SYSTEM_ERR.

waitpid(2) is called in a loop. If it returns because of EINTR, do it
again. Before, it would return PAM_SYSTEM_ERR without waiting for the
child to exit.

Several log messages now include the PAM service module function name.

The man page is updated accordingly.

Reviewed by: gleb@, des@
Sponsored by: Yakaz (http://www.yakaz.com)
MFC after: 2 weeks

Diffstat (limited to 'libexec/getty')
0 files changed, 0 insertions, 0 deletions
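
An added example, not part of this commit or of FreeBSD's code: a hook script for the "return_prog_exit_status" option described in the commit message, which reports its verdict through the exported return-code variables and fails closed when they are absent. The `pam_hook` name, the file paths and the allow-list format are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: hook for pam_exec(8) run with "return_prog_exit_status".
# Hypothetical wiring (paths are assumptions, not from the commit):
#   auth required pam_exec.so return_prog_exit_status /usr/local/libexec/pam_hook.sh
# where pam_hook.sh is this file followed by:
#   pam_hook /usr/local/etc/pam_hook.allow; exit $?
# Assumed allow-list format: one "user allow" or "user deny" per line.

pam_hook() {
    list=$1

    # Fail closed when the extended environment is missing (older
    # pam_exec, or a run outside PAM): a non-zero exit denies the step.
    for v in PAM_SM_FUNC PAM_USER PAM_SUCCESS PAM_USER_UNKNOWN \
             PAM_PERM_DENIED PAM_SERVICE_ERR; do
        eval "[ -n \"\${$v:-}\" ]" || return 1
    done

    # Answer only for the function this hook was written for; other
    # functions accept a different set of return codes.
    if [ "$PAM_SM_FUNC" != pam_sm_authenticate ]; then
        echo "pam_hook: unexpected caller $PAM_SM_FUNC" >&2
        return "$PAM_SERVICE_ERR"
    fi

    [ -r "$list" ] || return "$PAM_SERVICE_ERR"

    # PAM_USER is untrusted input: compare it as a plain string only,
    # never as a pattern or as part of a command.
    verdict=
    while read -r name action rest; do
        if [ "$name" = "$PAM_USER" ]; then
            verdict=$action
            break
        fi
    done < "$list"

    # Use the exported variables, not hard-coded numbers, for the codes.
    case $verdict in
        allow) return "$PAM_SUCCESS" ;;
        deny)  return "$PAM_PERM_DENIED" ;;
        '')    return "$PAM_USER_UNKNOWN" ;;
        *)     return "$PAM_SERVICE_ERR" ;;   # malformed entry
    esac
}
```

Because the script reads the codes from the environment, a hook run by a pam_exec that predates this change exits 1 and the step fails instead of succeeding silently.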