[SECURITY][PATCH] PAM change reverses test for valid password

Jeremy Allison jeremy at valinux.com
Tue May 1 16:56:40 GMT 2001

On Tue, May 01, 2001 at 06:40:26PM +1000, Andrew Bartlett wrote:
> The change to the PAM setup to use NT_STATUS constants had an
> unfortunate side-effect - it reversed the check for a password being
> valid, ie WRONG passwords are considered correct.
> This affects both plaintext logins and SWAT.  My patch (on which the
> changes were based) included changes that made this not entirely obvious
> when the patch was not applied in full.  (I'll be more careful about my
> comments in future).
> The error was introduced into the CVS tree at Mon Apr 30 20:37:44 2001
> This patch also fixes some bugs introduced in the PAM changes that made
> correct plain-text authentication impossible.

Thanks Andrew for the tidyups, I've committed them in 2.2
and HEAD. What did you think of the other changes to the
patch ? I removed the use of the global variables, and
added the userdata pointer stuff in the dynamic pwconv
code instead. I also changed the style of :

if (do_something == success)
		if (do_something_else == success)
				if (do_another_thing == success)
						return success;
return fail;

To the (much preferable in Tridge's and my opinion) style
of :

if (do_something != success)
		return Fail;
if (do_something_else != success)
		return Fail;
if (do_another_thing != success)
		return Fail;
return success;

As this style of code is *much* easier to understand.


Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.

More information about the samba-technical mailing list