[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Compile error in current CVS, src/server.c:5500

From: Derek Robert Price
Subject: Re: Compile error in current CVS, src/server.c:5500
Date: Mon, 21 Jul 2003 14:49:57 -0400
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030624 Netscape/7.1

Mark D. Baushke wrote:

Hi Brian,

Brian Murphy <brian@murphy.dk> writes:
Mark D. Baushke wrote:
To be honest, I wonder why the result of pam_end() is not being captured
and causing a call to pam_strerror().
Well, pam_strerror needs the pam handle which gets destroyed by the
call to pam_end to work and pam_end either returns success or failure
(PAM_SYSTEM_ERROR) but no extra information. At least as far as I can
see from the PAM code.

Okay. I was just going by the 'man pam_end' man page where-in I see

      May be translated to text with pam_strerror(3).

but it seems that the man page is for both pam_start() and pam_end(). It
is not clear from the documentation if the pam handle is really
destroyed if PAM_SUCCESS is not returned and I have not actually looked
in any of the open source implementations to see if anything is still
around for pam_strerror() to use for the handle or not.

Despite asking for the pam_handle_t, are you sure pam_strerror really uses it? The man page only specifies,

   "This  function returns some text describing the Linux-PAM error associ-
     ated with the pam_error argument."

It might be worth a code scan or just plain trying to call pam_strerror with a NULL pointer in place of the pam_handle_t argument.

However, it is my understanding that pam_end() will return PAM_SUCCESS
if everything goes well and and one of the other PAM_* macros from the
pam types on failure. So at the least, I would expect something like:

   retval = pam_end(pamh, retval);
   if (retval != PAM_SUCCESS)
       printf("E Fatal error, aborting.\n\
error EACCES pam failed to release authenticator (retval=%d)\n", retval);
       error_exit ();

or some such kind of indication to avoid losing information about what
happened. This kind of message may help us debug future problems with
the PAM service rather than just ripping it out as not being
maintainable. 1/2 :-)

Assuming that you can't find a way to use pam_strerrorm I'll second that with an, "harrumph", as opposed to a half-smile. :)

Also, I'd still like to understand why you aren't calling pam_strerror when the three calls previous to pam_end fail to return PAM_SUCCESS.



Email: derek@ximbiot.com

Get CVS support at <http://ximbiot.com>!
Predeterminism was doomed from the start.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]