Posted to dev@ranger.apache.org by "Qiang Zhang (JIRA)" <ji...@apache.org> on 2016/10/28 10:15:59 UTC

[jira] [Assigned] (RANGER-1187) In pamCredValidator.c, pam_end() is not called if authentication fails.

     [ https://issues.apache.org/jira/browse/RANGER-1187?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Qiang Zhang reassigned RANGER-1187:
-----------------------------------

    Assignee: Qiang Zhang

> In pamCredValidator.c, pam_end() is not called if authentication fails.
> -----------------------------------------------------------------------
>
>                 Key: RANGER-1187
>                 URL: https://issues.apache.org/jira/browse/RANGER-1187
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>            Reporter: zhangqiang
>            Assignee: Qiang Zhang
>            Priority: Minor
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> In the main method of the C file "\incubator-ranger\unixauthpam\src\main\c\pamCredValidator.c",
> when authentication fails, pam_end() is not called before exit(1),
> which results in the PAM transaction not being closed.
> The pam_end() function terminates a PAM transaction and destroys the
> corresponding PAM context, releasing all resources allocated to it.
>
> int main(int ac, char **av, char **ev)
> {
> 	char username[64] ;
> 	char password[64] ;
> 	char line[512] ;
> 	int retval;
> 	pam_handle_t *pamh = NULL;
> 	fgets(line,512,stdin) ;
> 	sscanf(line, "LOGIN:%s %s",username,password) ;
> 	conv.appdata_ptr = (char *) password;
> 	retval = pam_start("ranger-remote", username, &conv, &pamh);
> 	if (retval != PAM_SUCCESS) {
> 		/* why expose this? */
> 		fprintf(stdout, "FAILED: [%s] does not exists.\n", username) ;
> 		exit(1);
> 	}
> 	retval = pam_authenticate(pamh, 0);
> 	if (retval != PAM_SUCCESS) {
> 		fprintf(stdout, "FAILED: Password did not match.\n") ;
> 		exit(1);
> 	}
> 	/* authorize */
> 	retval = pam_acct_mgmt(pamh, 0);
> 	if (retval != PAM_SUCCESS) {
> 		fprintf(stdout, "FAILED: [%s] is not authorized.\n", username) ;
> 		exit(1);
> 	}
> 	/* establish the requested credentials */
> 	if ((retval = pam_setcred(pamh, PAM_ESTABLISH_CRED)) != PAM_SUCCESS) {
> 		fprintf(stdout, "FAILED: Error setting credentials for [%s].\n", username) ;
> 		exit(1);
> 	}
> 	/* not opening a session, as logout has not been implemented as a remote service */
> 	fprintf(stdout, "OK:\n") ;
> 	if (pamh) {
> 		pam_end(pamh, retval);
> 	}
> 	exit(0) ;
> }



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
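
Added example, not Ranger's code: the control flow the report asks for, where every failure after a successful start reaches one pam_end()-equivalent call instead of exit(1), and a failed start ends nothing. The tx_ops table, validate(), the s_* stubs and the simplified messages are hypothetical stand-ins for libpam so the block builds without PAM headers.

```c
#include <stdio.h>
/* Hypothetical stand-in for libpam so this compiles without PAM headers: start is
 * pam_start, step[] is pam_authenticate/pam_acct_mgmt/pam_setcred, end is pam_end. */
struct tx_ops {
	int (*start)(const char *user, void **h);
	int (*step[3])(void *h);
	int (*end)(void *h, int status);
};

/* Returns 0 on success, 1 on failure. After a successful start, every path
 * reaches ops->end() exactly once and passes it the last status code. */
int validate(const struct tx_ops *ops, const char *user, FILE *out)
{
	static const char *const what[3] = { "authenticate", "acct_mgmt", "setcred" };
	void *h = NULL;
	int rc = ops->start(user, &h);
	if (rc != 0) {                      /* no valid handle, nothing to end */
		fputs("FAILED: start\n", out);
		return 1;
	}
	for (int i = 0; i < 3 && rc == 0; i++)
		if ((rc = ops->step[i](h)) != 0)
			fprintf(out, "FAILED: %s (status %d)\n", what[i], rc);
	if (rc == 0)
		fputs("OK:\n", out);
	ops->end(h, rc);                    /* single cleanup point, no exit() above */
	return rc == 0 ? 0 : 1;
}

/* Constructed test doubles: fail at step fail_at (0 = start, 1..3 = steps). */
static int end_calls, last_status, cur, fail_at = -1;
static int s_start(const char *u, void **h) { (void)u; *h = &cur; return fail_at == 0 ? 7 : 0; }
static int s_step(void *h) { (void)h; return ++cur == fail_at ? 7 : 0; }
static int s_end(void *h, int st) { (void)h; end_calls++; last_status = st; return 0; }

int end_calls_when_failing_at(int step, int *result)
{
	struct tx_ops ops = { s_start, { s_step, s_step, s_step }, s_end };
	end_calls = 0; cur = 0; fail_at = step;
	*result = validate(&ops, "alice", stdout);
	return end_calls;
}

int main(void)
{
	int r;
	for (int s = -1; s <= 3; s++)
		printf("fail_at=%d end_calls=%d\n", s, end_calls_when_failing_at(s, &r));
	return 0;
}
```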