X-Git-Url: https://git.armaanb.net/?a=blobdiff_plain;f=pam.c;h=f8785bb1016be59c49c26e0f36378807f70689ca;hb=71b759e2542878de5c75a7101f2400cf35ec6299;hp=e0f17a536012b6bca3bccad1f2a74a2f0458326c;hpb=ed7fb0a2f40f2f51304f676963a459f2986f5ea0;p=opendoas.git
diff --git a/pam.c b/pam.c
index e0f17a5..f8785bb 100644
--- a/pam.c
+++ b/pam.c
@@ -14,6 +14,8 @@
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
+#include "config.h"
+
 #include
 #include
@@ -21,10 +23,10 @@
 #include
 #include
 #include
-#ifdef HAVE_READPASSPHRASE_H
+#ifdef HAVE_READPASSPHRASE
 # include
 #else
-# include "readpassphrase.h"
+# include "sys-readpassphrase.h"
 #endif
 #include
 #include
@@ -35,7 +37,12 @@
 #include
-#include "includes.h"
+#include "openbsd.h"
+#include "doas.h"
+
+#ifndef HOST_NAME_MAX
+#define HOST_NAME_MAX _POSIX_HOST_NAME_MAX
+#endif
 #define PAM_SERVICE_NAME "doas"
@@ -117,7 +124,7 @@ fail:
 for (i = 0; i < nmsgs; i++) {
 if (rsp[i].resp == NULL)
 continue;
- switch (style = msgs[i]->msg_style) {
+ switch (msgs[i]->msg_style) {
 case PAM_PROMPT_ECHO_OFF:
 case PAM_PROMPT_ECHO_ON:
 explicit_bzero(rsp[i].resp, strlen(rsp[i].resp));
@@ -125,6 +132,7 @@ fail:
 }
 rsp[i].resp = NULL;
 }
+ free(rsp);
 return PAM_CONV_ERR;
 }
@@ -237,7 +245,7 @@ pamauth(const char *user, const char *myname, int interactive, int nopass, int p
 #endif
 if (!user || !myname)
- errx(1, "Authorization failed");
+ authfail();
 ret = pam_start(PAM_SERVICE_NAME, myname, &conv, &pamh);
 if (ret != PAM_SUCCESS)
@@ -269,7 +277,7 @@ pamauth(const char *user, const char *myname, int interactive, int nopass, int p
 if (!nopass) {
 if (!interactive)
- errx(1, "Authorization required");
+ authfail();
 /* doas style prompt for pam */
 char host[HOST_NAME_MAX + 1];
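Review bot: The new `#ifndef HOST_NAME_MAX` fallback to `_POSIX_HOST_NAME_MAX` sizes the `host` buffer declared in the `-269` hunk (`char host[HOST_NAME_MAX + 1];`) at the POSIX minimum, which on a platform that does not define HOST_NAME_MAX can be smaller than the kernel's real limit, and POSIX leaves it unspecified whether `gethostname()` NUL-terminates a truncated name. The `gethostname()` call and the prompt that formats `host` are outside both hunks, so this is inferred from the declaration; if the result is not already forced terminated, `host[sizeof(host) - 1] = '\0';` after the call (or treating a non-zero return as fatal) removes the dependency on the platform's truncation behaviour. A one-line comment on the fallback, `/* POSIX only guarantees _POSIX_HOST_NAME_MAX; the OS limit may be larger */`, would tell the next reader why the terminator matters.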
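Review bot: `if (!user || !myname) authfail();` in the `-237` hunk now depends on `authfail()` never returning: unless its declaration in doas.h carries `_Noreturn` (or the `__dead` attribute), control falls through to `pam_start(PAM_SERVICE_NAME, myname, ...)` with a NULL `myname` and the compiler cannot diagnose it, and the same reliance appears in the `-269`, `-283` and `-296` hunks, where a returning `authfail()` would continue past a failed authentication. The declaration is not visible here, so this is worth confirming rather than assuming. The `-269` hunk also folds the former "Authorization required" (no terminal) message into the generic failure, so a caller can no longer distinguish a missing tty from a rejected password; if that is deliberate, a comment at that site saying so would stop it being "fixed" later. pamauth's body starts and ends outside these hunks.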
@@ -283,7 +291,7 @@ pamauth(const char *user, const char *myname, int interactive, int nopass, int p
 if (ret != PAM_SUCCESS) {
 pamcleanup(ret, sess, cred);
 syslog(LOG_AUTHPRIV | LOG_NOTICE, "failed auth for %s", myname);
- errx(1, "Authorization failed");
+ authfail();
 }
 }
@@ -296,7 +304,7 @@ pamauth(const char *user, const char *myname, int interactive, int nopass, int p
 if (ret != PAM_SUCCESS) {
 pamcleanup(ret, sess, cred);
 syslog(LOG_AUTHPRIV | LOG_NOTICE, "failed auth for %s", myname);
- errx(1, "Authorization failed");
+ authfail();
 }
 /* set PAM_USER to the user we want to be */
@@ -305,9 +313,9 @@ pamauth(const char *user, const char *myname, int interactive, int nopass, int p
 warn("pam_set_item(?, PAM_USER, \"%s\"): %s", user, pam_strerror(pamh, ret));
- ret = pam_setcred(pamh, PAM_ESTABLISH_CRED);
+ ret = pam_setcred(pamh, PAM_REINITIALIZE_CRED);
 if (ret != PAM_SUCCESS)
- warn("pam_setcred(?, PAM_REINITIALIZE_CRED): %s", pam_strerror(pamh, ret));
+ warn("pam_setcred(?, PAM_REINITIALIZE_CRED): %s", pam_strerror(pamh, ret));
 else
 cred = 1;
@@ -323,8 +331,13 @@ pamauth(const char *user, const char *myname, int interactive, int nopass, int p
 }
 /* return as child */
- if (child == 0)
+ if (child == 0) {
+#ifdef USE_TIMESTAMP
+ if (fd != -1)
+ close(fd);
+#endif
 return;
+ }
 #ifdef USE_TIMESTAMP
 if (fd != -1) {
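Review bot: The change from `PAM_ESTABLISH_CRED` to `PAM_REINITIALIZE_CRED` in the `-305` hunk is unexplained, and the two flags have different documented meanings (establish credentials for a new session versus refresh the credentials of an existing one), so a later reader is likely to suspect a mistake and revert it; a comment above the call naming the module or platform that needs it, e.g. `/* REINITIALIZE rather than ESTABLISH: <reason — fill in> */`, would settle that. A failed `pam_setcred()` is still only warned and leaves `cred` at 0, so the later cleanup presumably skips the credential deletion in that case (pamcleanup is outside the hunk); that is consistent, but the same comment should state that a setcred failure is deliberately non-fatal. The enclosing pamauth body continues outside the hunk.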
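Review bot: The new child branch in the `-323` hunk closes the timestamp `fd` before returning but does not say why, and a reader may drop it as redundant with the parent's `if (fd != -1)` block that follows; a comment such as `/* child: drop the timestamp fd so it is not inherited past pamauth */` would pin the intent. Whether the descriptor was opened with O_CLOEXEC is not visible here: if it was, this close is belt-and-braces, and if it was not, this close is what keeps the timestamp file out of whatever the child goes on to execute, so it must stay. The `close()` return value is ignored, which is fine for a read-side descriptor but worth a `(void)` cast to show it is intentional. Where `fd` is opened, and the rest of pamauth, lie outside the hunk.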