Posted to dev@ranger.apache.org by "zhangqiang (JIRA)" <ji...@apache.org> on 2016/10/18 11:15:58 UTC

[jira] [Created] (RANGER-1187) In pamCredValidator.c, pam_end() is not called if authentication fails.

zhangqiang created RANGER-1187:
----------------------------------

             Summary: In pamCredValidator.c, pam_end() is not called if authentication fails.
                 Key: RANGER-1187
                 URL: https://issues.apache.org/jira/browse/RANGER-1187
             Project: Ranger
          Issue Type: Bug
          Components: Ranger
    Affects Versions: Ranger
            Reporter: zhangqiang
            Priority: Minor
             Fix For: Ranger


In the main method of the C file "\incubator-ranger\unixauthpam\src\main\c\pamCredValidator.c",
when authentication fails, pam_end() is not called before exit(1),
which results in the PAM transaction not being closed.
The pam_end() function terminates a PAM transaction and destroys the
corresponding PAM context, releasing all resources allocated to it.

int main(int ac, char **av, char **ev)
{
	char username[64] ;
	char password[64] ;
	char line[512] ;

	int retval;
	pam_handle_t *pamh = NULL;

	fgets(line,512,stdin) ;
	sscanf(line, "LOGIN:%s %s",username,password) ;
	conv.appdata_ptr = (char *) password;

	retval = pam_start("ranger-remote", username, &conv, &pamh);
	if (retval != PAM_SUCCESS) {
		/* why expose this? */
		fprintf(stdout, "FAILED: [%s] does not exists.\n", username) ;
		exit(1);
	}

	retval = pam_authenticate(pamh, 0);
	if (retval != PAM_SUCCESS) {
		fprintf(stdout, "FAILED: Password did not match.\n") ;
		exit(1);
	}

	/* authorize */
	retval = pam_acct_mgmt(pamh, 0);
	if (retval != PAM_SUCCESS) {
		fprintf(stdout, "FAILED: [%s] is not authorized.\n", username) ;
		exit(1);
	}

	/* establish the requested credentials */
	if ((retval = pam_setcred(pamh, PAM_ESTABLISH_CRED)) != PAM_SUCCESS) {
		fprintf(stdout, "FAILED: Error setting credentials for [%s].\n", username) ;
		exit(1);
	}

	/* not opening a session, as logout has not been implemented as a remote service */
	fprintf(stdout, "OK:\n") ;

	if (pamh) {
		pam_end(pamh, retval);
	}

	exit(0) ;
}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
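
The control flow the report asks for, as an added example that is not part of the original message or of Ranger's source: every failure falls through to one release point instead of calling exit(1) directly. The fake_* functions, handle_t, fail_at and end_calls are constructed stand-ins for the pam_* calls and pam_handle_t, so the pattern compiles and can be checked without libpam.

```c
#include <stdio.h>

#define OK 0                        /* plays the role of PAM_SUCCESS */
enum stage { NONE, START, AUTH, ACCT, CRED };

typedef struct { int open; } handle_t;      /* stand-in for pam_handle_t */

static handle_t the_handle;
static enum stage fail_at = NONE;   /* which stand-in call should fail */
static int end_calls = 0;           /* how many times the handle was released */

/* Constructed stand-ins; real code would call the pam_* functions instead. */
static int fake_start(handle_t **h)
{
    if (fail_at == START) return 1;         /* no handle is created */
    the_handle.open = 1;
    *h = &the_handle;
    return OK;
}
static int fake_step(enum stage s) { return fail_at == s ? 1 : OK; }
static int fake_end(handle_t *h, int status)
{
    (void)status;                   /* pam_end() takes the last status too */
    h->open = 0;
    end_calls++;
    return OK;
}

/* Returns the process exit status: 0 on success, 1 on any failure. */
int validate(void)
{
    handle_t *h = NULL;
    const char *why = NULL;
    int rv;

    if ((rv = fake_start(&h)) != OK)        why = "could not start transaction";
    else if ((rv = fake_step(AUTH)) != OK)  why = "Password did not match.";
    else if ((rv = fake_step(ACCT)) != OK)  why = "not authorized";
    else if ((rv = fake_step(CRED)) != OK)  why = "error setting credentials";

    if (why) printf("FAILED: %s\n", why);
    else     printf("OK:\n");

    if (h) fake_end(h, rv);   /* single release point, reached on every path */
    return rv == OK ? 0 : 1;
}

int main(void)
{
    fail_at = AUTH;                 /* simulate a wrong password */
    validate();
    return end_calls == 1 ? 0 : 1;
}
```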