Posted to dev@ranger.apache.org by "zhangqiang (JIRA)" <ji...@apache.org> on 2016/10/25 00:38:59 UTC
[jira] [Updated] (RANGER-1187) In pamCredValidator.c, pam_end() is
not called if authentication fails.
[ https://issues.apache.org/jira/browse/RANGER-1187?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
zhangqiang updated RANGER-1187:
-------------------------------
Affects Version/s: (was: Ranger)
Fix Version/s: (was: Ranger)
> In pamCredValidator.c, pam_end() is not called if authentication fails.
> -----------------------------------------------------------------------
>
> Key: RANGER-1187
> URL: https://issues.apache.org/jira/browse/RANGER-1187
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Reporter: zhangqiang
> Priority: Minor
> Original Estimate: 24h
> Remaining Estimate: 24h
>
> In the main method of the C file "\incubator-ranger\unixauthpam\src\main\c\pamCredValidator.c",
> when authentication fails, pam_end() is not called before exit(1),
> which results in the PAM transaction not being closed.
> The pam_end() function terminates a PAM transaction and destroys the
> corresponding PAM context, releasing all resources allocated to it.
>
> int main(int ac, char **av, char **ev)
> {
>     char username[64] ;
>     char password[64] ;
>     char line[512] ;
>     int retval;
>     pam_handle_t *pamh = NULL;
>     fgets(line,512,stdin) ;
>     sscanf(line, "LOGIN:%s %s",username,password) ;
>     conv.appdata_ptr = (char *) password;
>     retval = pam_start("ranger-remote", username, &conv, &pamh);
>     if (retval != PAM_SUCCESS) {
>         /* why expose this? */
>         fprintf(stdout, "FAILED: [%s] does not exists.\n", username) ;
>         exit(1);
>     }
>     retval = pam_authenticate(pamh, 0);
>     if (retval != PAM_SUCCESS) {
>         fprintf(stdout, "FAILED: Password did not match.\n") ;
>         exit(1);
>     }
>     /* authorize */
>     retval = pam_acct_mgmt(pamh, 0);
>     if (retval != PAM_SUCCESS) {
>         fprintf(stdout, "FAILED: [%s] is not authorized.\n", username) ;
>         exit(1);
>     }
>     /* establish the requested credentials */
>     if ((retval = pam_setcred(pamh, PAM_ESTABLISH_CRED)) != PAM_SUCCESS) {
>         fprintf(stdout, "FAILED: Error setting credentials for [%s].\n", username) ;
>         exit(1);
>     }
>     /* not opening a session, as logout has not been implemented as a remote service */
>     fprintf(stdout, "OK:\n") ;
>     if (pamh) {
>         pam_end(pamh, retval);
>     }
>     exit(0) ;
> }
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
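
The cleanup pattern the report asks for, as an added example that is not code from the Ranger project: every failure falls through to one end() call instead of exiting early. The `auth_ops` table, `validate_login`, `leaked_after`, the reply strings and the fake backend are hypothetical names that stand in for the real pam_* calls so the example builds without libpam.

```c
#include <stdio.h>

/* Hypothetical wrapper table; in the real helper the slots would wrap
 * pam_start(), the three pam_* checks, and pam_end(). 0 means success. */
struct auth_ops {
    int  (*start)(const char *user, void **h);
    int  (*step)(void *h, int which); /* 0 authenticate, 1 acct_mgmt, 2 setcred */
    void (*end)(void *h, int status);
};

/* Returns 0 for "OK:", 1 for any failure; the reply line goes to out.
 * Every path after a successful start reaches the single end() call. */
int validate_login(const struct auth_ops *ops, const char *user,
                   char *out, size_t outlen)
{
    static const char *const why[3] = { "Password did not match.",
        "User is not authorized.", "Error setting credentials." };
    void *h = NULL;
    int i, status = ops->start(user, &h);

    if (status != 0)
        snprintf(out, outlen, "FAILED: Could not start transaction.");
    for (i = 0; status == 0 && i < 3; i++)
        if ((status = ops->step(h, i)) != 0)
            snprintf(out, outlen, "FAILED: %s", why[i]);
    if (status == 0)
        snprintf(out, outlen, "OK:");
    if (h)                            /* close the transaction on all paths */
        ops->end(h, status);
    return status != 0;
}

/* Constructed test double: fails at step fake_fail_at (-1 = never) and
 * counts transactions that are still open. */
static int fake_fail_at = -1, fake_open = 0;
static int fake_start(const char *u, void **h)
{ (void)u; *h = &fake_open; fake_open++; return 0; }
static int fake_step(void *h, int n) { (void)h; return n == fake_fail_at ? 7 : 0; }
static void fake_end(void *h, int st) { (void)h; (void)st; fake_open--; }

/* Runs one constructed login; returns the number of leaked transactions. */
int leaked_after(int fail_at, char *out, size_t outlen)
{
    const struct auth_ops fake = { fake_start, fake_step, fake_end };
    fake_fail_at = fail_at;
    validate_login(&fake, "alice", out, outlen);
    return fake_open;
}
```

Calling `leaked_after()` with 0, 1 or 2 simulates a failure in authentication, account management or credential setup; in each case the open-transaction count returns to zero.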