From 9c45ba07d6ff03ef7a2e67d25c75a4e3fa6179fa Mon Sep 17 00:00:00 2001
From: Stef Walter <stefw@gnome.org>
Date: Fri, 14 Mar 2014 11:08:02 +0100
Subject: [PATCH] pam: Fix issue with changed password not unlocking keyring
This is a backport of fix on master with the same subject. There's
a bit of strange code in the area of this fix, but let's keep it as
minimal as possible.
If a user (needs to) change their password while authenticating (via
GDM for example), and pam_gnome_keyring is configured to start the
daemon from the session PAM stage, then we were failing to pass the
changed password to our session handler.
Fix this issue so that this workflow works.
https://bugzilla.gnome.org/show_bug.cgi?id=726196
---
pam/gkr-pam-module.c | 40 ++++++++++++++++++++++++++++++----------
1 file changed, 30 insertions(+), 10 deletions(-)
diff --git a/pam/gkr-pam-module.c b/pam/gkr-pam-module.c
index 8ad814c..52514b8 100644
--- a/pam/gkr-pam-module.c
+++ b/pam/gkr-pam-module.c
@@ -824,6 +824,19 @@ parse_args (pam_handle_t *ph, int argc, const char **argv)
return args;
}
+static int
+stash_password_for_session (pam_handle_t *ph,
+ const char *password)
+{
+ if (pam_set_data (ph, "gkr_system_authtok", strdup (password),
+ cleanup_free_password) != PAM_SUCCESS) {
+ syslog (GKR_LOG_ERR, "gkr-pam: error stashing password for session");
+ return PAM_AUTHTOK_RECOVER_ERR;
+ }
+
+ return PAM_SUCCESS;
+}
+
PAM_EXTERN int
pam_sm_authenticate (pam_handle_t *ph, int unused, int argc, const char **argv)
{
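Review bot: `stash_password_for_session` passes `strdup (password)` straight into `pam_set_data`, so a failed allocation stores a NULL token without reporting an error, a NULL `password` would reach `strdup`, and when `pam_set_data` itself fails the duplicated password is neither freed nor wiped, because the cleanup callback only runs for data the handle has actually stored. The copy is a plaintext login password, so the helper should check its input and the allocation and release the copy itself on the failure path. The sketch below reuses `cleanup_free_password` for that release on the assumption that it scrubs and frees its `data` argument; its definition is outside this hunk, so confirm that first.

```c
static int
stash_password_for_session (pam_handle_t *ph,
                            const char *password)
{
	char *copy;

	/* strdup (NULL) is undefined, and not every caller checks first */
	copy = password ? strdup (password) : NULL;
	if (copy == NULL) {
		syslog (GKR_LOG_ERR, "gkr-pam: error stashing password for session");
		return PAM_AUTHTOK_RECOVER_ERR;
	}

	if (pam_set_data (ph, "gkr_system_authtok", copy,
	                  cleanup_free_password) != PAM_SUCCESS) {
		syslog (GKR_LOG_ERR, "gkr-pam: error stashing password for session");
		/* PAM did not take ownership of the copy: release it here */
		cleanup_free_password (ph, copy, 0);
		return PAM_AUTHTOK_RECOVER_ERR;
	}

	return PAM_SUCCESS;
}
```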
@@ -886,11 +899,9 @@ pam_sm_authenticate (pam_handle_t *ph, int unused, int argc, const char **argv)
/* Otherwise start later in open session, store password */
} else {
- if (pam_set_data (ph, "gkr_system_authtok", strdup (password),
- cleanup_free_password) != PAM_SUCCESS) {
- syslog (GKR_LOG_ERR, "gkr-pam: error storing authtok");
+ ret = stash_password_for_session (ph, password);
+ if (ret != PAM_SUCCESS)
return PAM_AUTHTOK_RECOVER_ERR;
- }
}
return PAM_SUCCESS;
@@ -1017,18 +1028,20 @@ pam_chauthtok_update (pam_handle_t *ph, struct passwd *pwd, uint args)
{
const char *password, *original;
int ret, started_daemon = 0;
-
+
+ ret = pam_get_item (ph, PAM_AUTHTOK, (const void**)&password);
+ if (ret != PAM_SUCCESS)
+ password = NULL;
+
ret = pam_get_item (ph, PAM_OLDAUTHTOK, (const void**)&original);
if (ret != PAM_SUCCESS || original == NULL) {
syslog (GKR_LOG_WARN, "gkr-pam: couldn't update the login keyring password: %s",
"no old password was entered");
+ if (password)
+ stash_password_for_session (ph, password);
return PAM_IGNORE;
}
- ret = pam_get_item (ph, PAM_AUTHTOK, (const void**)&password);
- if (ret != PAM_SUCCESS)
- password = NULL;
-
if (password == NULL) {
/* No password was set, and we can't prompt for it */
if (args & ARG_USE_AUTHTOK) {
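Review bot: In the `original == NULL` branch the result of `stash_password_for_session (ph, password)` is dropped and the new password is stashed without consulting `args`, so a plaintext copy is kept in the PAM handle even in configurations where no session handler may ever consume it. If the stash is meant to be best-effort here, say so with a comment such as `/* best effort: failure is logged by the helper, PAM_IGNORE is returned either way */`, and consider stashing only when the session stage is expected to start the daemon. How long the `gkr_system_authtok` entry lives depends on the session handler, which is outside this hunk; it is worth confirming that the entry is cleared once it has been used. `pam_chauthtok_update` starts before and continues past this hunk.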
@@ -1064,9 +1077,16 @@ pam_chauthtok_update (pam_handle_t *ph, struct passwd *pwd, uint args)
/* if not auto_start, kill the daemon if we started it: we don't want
* it to stay */
- if (started_daemon && !(args & ARG_AUTO_START))
+ if (started_daemon && !(args & ARG_AUTO_START)) {
stop_daemon (ph, pwd);
+ /*
+ * Likely the daemon is being started later in the session if we weren't
+ * allowed to autostart it here. Store the password for our session handler
+ */
+ stash_password_for_session (ph, password);
+ }
+
if (ret != PAM_SUCCESS)
return ret;
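Review bot: The added `stash_password_for_session (ph, password);` runs before the `if (ret != PAM_SUCCESS)` check that follows it, so the new password is stashed for the session even when `ret` already carries a failure from the preceding step (presumably the keyring password change), and the stash's own return value is ignored. If the session handler should only receive a password the keyring now accepts, guard the call, e.g. `if (ret == PAM_SUCCESS) stash_password_for_session (ph, password);`; if stashing regardless is intended, the new comment should say so. Unlike the earlier `if (password)` call, this one is not guarded against a NULL `password`; the code that assigns it lies between the hunks, so this may already be guaranteed. The function body starts outside this hunk.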
--
1.8.5.3