do not drop PAM_OLDAUTHTOK if mismatched - can be used by further modules

2016-04-06 14:37:35 +02:00 · 2016-04-06 14:37:35 +02:00 · 492bcabc07
commit 492bcabc07
parent ef5646f9ed
2 changed files with 9 additions and 9 deletions
--- a/pam-1.2.1-unix-get-authtok.patch
+++ b/pam-1.2.1-unix-get-authtok.patch
@ -138,11 +138,8 @@ index fa29327..49dd831 100644
 
 			if (retval != PAM_SUCCESS) {
 				pam_syslog(pamh, LOG_NOTICE,
-@@ -723,14 +712,10 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
- 		if (retval != PAM_SUCCESS) {
- 			D(("Authentication failed"));
+@@ -725,12 +714,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
 			pass_old = NULL;
-+			pam_set_item(pamh, PAM_OLDAUTHTOK, NULL);
 			return retval;
 		}
 -		retval = pam_set_item(pamh, PAM_OLDAUTHTOK, (const void *) pass_old);
@ -154,7 +151,7 @@ index fa29327..49dd831 100644
 		retval = _unix_verify_shadow(pamh,user, ctrl);
 		if (retval == PAM_AUTHTOK_ERR) {
 			if (off(UNIX__IAMROOT, ctrl))
-@@ -760,23 +745,14 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
+@@ -760,23 +744,14 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
 		 * previous call to this function].
 		 */
 
@ -181,7 +178,7 @@ index fa29327..49dd831 100644
 
 		D(("get new password now"));
 
-@@ -785,7 +761,9 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
+@@ -785,7 +760,9 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
 		if (on(UNIX_USE_AUTHTOK, lctrl)) {
 			set(UNIX_USE_FIRST_PASS, lctrl);
 		}
@ -192,7 +189,7 @@ index fa29327..49dd831 100644
 		retval = PAM_AUTHTOK_ERR;
 		while ((retval != PAM_SUCCESS) && (retry++ < MAX_PASSWD_TRIES)) {
 			/*
-@@ -793,12 +771,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
+@@ -793,12 +770,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
 			 * password -- needed for pluggable password strength checking
 			 */
 
@ -206,7 +203,7 @@ index fa29327..49dd831 100644
 
 			if (retval != PAM_SUCCESS) {
 				if (on(UNIX_DEBUG, ctrl)) {
-@@ -822,7 +795,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
+@@ -822,7 +794,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
 			retval = _pam_unix_approve_pass(pamh, ctrl, pass_old,
 			                                pass_new, pass_min_len);
 
--- a/pam.spec
+++ b/pam.spec
@ -3,7 +3,7 @@
 Summary: An extensible library which provides authentication for applications
 Name: pam
 Version: 1.2.1
-Release: 6%{?dist}
+Release: 7%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+
 # - this option is redundant as the BSD license allows that anyway.
 # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@ -373,6 +373,9 @@ fi
 %doc doc/adg/*.txt doc/adg/html

 %changelog
+* Wed Apr  6 2016 Tomáš Mráz <tmraz@redhat.com> 1.2.1-7
+- do not drop PAM_OLDAUTHTOK if mismatched - can be used by further modules
+
 * Mon Apr  4 2016 Tomáš Mráz <tmraz@redhat.com> 1.2.1-6
 - pam_unix: use pam_get_authtok() and improve prompting