Skip to content

login: Clean up PAM resource handling #1599

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
alejandro-colomar merged 3 commits into from
Apr 7, 2026
+18 −12
Merged

login: Clean up PAM resource handling #1599

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
e781b94
login: Call pam_open_session after pam_setcred
stoeckmann Mar 24, 2026
2d078a3
login: Call pam_close_session only with session
stoeckmann Mar 24, 2026
8aa65c7
login: Delete creds if pam_open_session fails
stoeckmann Mar 24, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
30 changes: 18 additions & 12 deletions src/login.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -66,8 +66,6 @@ static pam_handle_t *pamh = NULL;
(void) pam_end(pamh, retcode); \
exit(1); \
}
#define PAM_END { retcode = pam_close_session(pamh,0); \
(void) pam_end(pamh,retcode); }

#endif /* USE_PAM */

Expand Down Expand Up @@ -698,13 +696,13 @@ int main (int argc, char **argv)
fprintf (stderr,
_("Maximum number of tries exceeded (%u)\n"),
failcount);
PAM_END;
pam_end(pamh, retcode);
exit(0);
} else if (retcode == PAM_ABORT) {
/* Serious problems, quit now */
(void) fputs (_("login: abort requested by PAM\n"), stderr);
SYSLOG(LOG_ERR, "PAM_ABORT returned from pam_authenticate()");
PAM_END;
pam_end(pamh, retcode);
exit(99);
} else if (retcode != PAM_SUCCESS) {
SYSLOG(LOG_NOTICE, "FAILED LOGIN (%u)%s FOR '%s', %s",
Expand Down Expand Up @@ -742,7 +740,7 @@ int main (int argc, char **argv)
fprintf (stderr,
_("Maximum number of tries exceeded (%u)\n"),
failcount);
PAM_END;
pam_end(pamh, retcode);
exit(0);
}

Expand All @@ -766,11 +764,6 @@ int main (int argc, char **argv)
}
PAM_FAIL_CHECK;

/* Open the PAM session */
get_pam_user (&pam_user);
retcode = pam_open_session (pamh, hushed (pam_user) ? PAM_SILENT : 0);
PAM_FAIL_CHECK;

Comment thread
alejandro-colomar marked this conversation as resolved.
/* Grab the user information out of the password file for future usage
* First get the username that we are actually using, though.
*
Expand Down Expand Up @@ -805,6 +798,17 @@ int main (int argc, char **argv)
* into account.
*/

/* Open the PAM session */
get_pam_user (&pam_user);
retcode = pam_open_session (pamh, hushed (pam_user) ? PAM_SILENT : 0);
if (retcode != PAM_SUCCESS) {
fprintf(stderr,"\n%s\n", pam_strerror(pamh, retcode));
SYSLOG(LOG_ERR,"%s",pam_strerror(pamh, retcode));
pam_setcred(pamh, PAM_DELETE_CRED);
pam_end(pamh, retcode);
exit(1);
}

#else /* ! USE_PAM */
while (true) { /* repeatedly get login/password pairs */
bool failed;
Expand Down Expand Up @@ -1093,15 +1097,17 @@ int main (int argc, char **argv)
if (child < 0) {
/* error in fork() */
fprintf(stderr, _("%s: failure forking: %s"), Prog, strerrno());
PAM_END;
retcode = pam_close_session(pamh, 0);
pam_end(pamh, retcode);
exit (0);
} else if (child != 0) {
/*
* parent - wait for child to finish, then cleanup
* session
*/
wait (NULL);
PAM_END;
retcode = pam_close_session(pamh, 0);
pam_end(pamh, retcode);
exit (0);
}
/* child */
Expand Down
Loading