* src/login.c: Open the PAM session before pam_setcred and before

initgroups. This is more consistent with rfc86.0.
2009-04-20 12:54:17 +00:00 · 2009-04-20 12:54:17 +00:00 · c694843da5
commit c694843da5
parent 432faba3e1
2 changed files with 13 additions and 3 deletions
--- a/5
+++ b/5
@ -1,3 +1,8 @@
+2009-04-20  Nicolas François  <nicolas.francois@centraliens.net>
+
+	* src/login.c: Open the PAM session before pam_setcred and before
+	initgroups. This is more consistent with rfc86.0.
+
 2009-04-20  Nicolas François  <nicolas.francois@centraliens.net>

 	* src/login.c: Added helper functions get_pam_user() and
--- a/src/login.c
+++ b/src/login.c
@ -849,6 +849,11 @@ int main (int argc, char **argv)
 	}
 	PAM_FAIL_CHECK;

+	/* Open the PAM session */
+	get_pam_user (&pam_user);
+	retcode = pam_open_session (pamh, hushed (pam_user) ? PAM_SILENT : 0);
+	PAM_FAIL_CHECK;
+
 	/* Grab the user information out of the password file for future usage
 	 * First get the username that we are actually using, though.
 	 *
@ -880,9 +885,9 @@ int main (int argc, char **argv)

 	retcode = pam_setcred (pamh, PAM_ESTABLISH_CRED);
 	PAM_FAIL_CHECK;
-
-	retcode = pam_open_session (pamh, hushed (username) ? PAM_SILENT : 0);
-	PAM_FAIL_CHECK;
+	/* NOTE: If pam_setcred changes PAM_USER, this will not be taken
+	 * into account.
+	 */

 #else				/* ! USE_PAM */
 	while (true) {	/* repeatedly get login/password pairs */