From: Chandradeep Dey
Date: Sun, 18 Oct 2020 09:59:40 +0000 (+0530)
Subject: homed: remove PAM_USER_UNKNOWN test in pam_sm_acct_mgmt
X-Git-Tag: v247-rc1~30
X-Git-Url: http://git.ipfire.org/?p=thirdparty%2Fsystemd.git;a=commitdiff_plain;h=842067e6753d8cad951c83ac62681c539e1b1a07

homed: remove PAM_USER_UNKNOWN test in pam_sm_acct_mgmt

Why this change
---------------

Assumption - PAM's auth stack is properly configured.

Currently account pam_systemd_home.so returns PAM_SUCCESS for non systemd-homed users, and a variety of return values (including PAM_SUCCESS) for homed users. account pam_unix returns PAM_AUTHINFO_UNAVAIL for systemd-homed users, and a variety of return values (including PAM_AUTHINFO_UNAVAIL) for normal users.

No possible combination in the pam stack can let us preserve the various return values of the modules. For example, the configuration mentioned in the manpage causes account pam_unix to never be reached since pam_systemd_home just returns a success for ordinary users. Users with expired passwords are allowed to log in because a check cannot be made.

More configuration examples and why they don't work are mentioned in #16906 and the downstream discussion linked there.

After this change
-----------------

account pam_unix will continue to return a wrong value for homed users. But we can skip the module conditionally using the return value from account pam_systemd_home. We can already do this with the auth and password modules.
---

diff --git a/src/home/pam_systemd_home.c b/src/home/pam_systemd_home.c
index 8fe52f44aac..544eae91642 100644
--- a/src/home/pam_systemd_home.c
+++ b/src/home/pam_systemd_home.c
@@ -833,8 +833,6 @@ _public_ PAM_EXTERN int pam_sm_acct_mgmt( pam_syslog(handle, LOG_DEBUG, "pam-systemd-homed account management"); r = acquire_home(handle, /* please_authenticate = */ false, please_suspend, debug); - if (r == PAM_USER_UNKNOWN) - return PAM_SUCCESS; /* we don't have anything to say about users we don't manage */ if (r != PAM_SUCCESS) return r;
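Review bot: with the early return removed, pam_sm_acct_mgmt now propagates PAM_USER_UNKNOWN from acquire_home through the remaining `if (r != PAM_SUCCESS) return r;` for every account homed does not manage, so the account-stack example in the manpage (the one the commit message says currently prevents pam_unix from being reached) needs to be updated in the same change to treat that result as skip/ignore, for example with a `[... user_unknown=ignore ...]` control field; a plain `required` line would otherwise fail account management for every ordinary user. The deleted comment ("we don't have anything to say about users we don't manage") was the only in-code explanation of that contract, so consider carrying a short comment over to the remaining check stating that PAM_USER_UNKNOWN is now returned on purpose and that the stack is expected to handle it.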