From: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Wed, 8 Jan 2025 16:04:07 +0000 (+0100)
Subject: login: Fix no-pam authorization regression
X-Git-Tag: 4.17.2~6
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c45b076b1c4d4829d96a16001f7d681fa526574f;p=thirdparty%2Fshadow.git

login: Fix no-pam authorization regression

The list_match function handles EXCEPT entries through recursive
calls. It calls itself with NULL, which was then passed to strtok so
parsing continued at current position.

Replacing strtok with strsep, this means that EXCEPT entries never
match, because strsep(NULL, ...) always returns NULL, i.e. the
code treats everything after EXCEPT as non-existing.

Fix this by passing current list pointer to recursive call.

Fixes: 90afe61003ef (2024-07-04; "lib/, src/: Use strsep(3) instead of strtok(3)")
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
---

diff --git a/src/login_nopam.c b/src/login_nopam.c
index 1a97de5cc..de9513554 100644
--- a/src/login_nopam.c
+++ b/src/login_nopam.c
@@ -171,7 +171,7 @@ list_match(char *list, const char *item, bool (*match_fn)(char *, const char*))
 		while (   (NULL != (tok = strsep(&list, sep)))
 		       && (strcasecmp (tok, "EXCEPT") != 0))
 			/* VOID */ ;
-		if (tok == NULL || !list_match(NULL, item, match_fn)) {
+		if (tok == NULL || !list_match(list, item, match_fn)) {
 			return (match);
 		}
 	}