From: Oliver Kurth <okurth@vmware.com>
Date: Fri, 17 Feb 2017 21:26:23 +0000 (-0800)
Subject: Map certain PAM errors to VGAUTH_E_AUTHENTICATION_DENIED.
X-Git-Tag: stable-10.1.5~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=72a5cb442d7e61e33e5ca6fde37beeeb522a6ab9;p=thirdparty%2Fopen-vm-tools.git

Map certain PAM errors to VGAUTH_E_AUTHENTICATION_DENIED.
---

diff --git a/open-vm-tools/vgauth/lib/authPosix.c b/open-vm-tools/vgauth/lib/authPosix.c
index c77c14f0c..8de8b5a7c 100644
--- a/open-vm-tools/vgauth/lib/authPosix.c
+++ b/open-vm-tools/vgauth/lib/authPosix.c
@@ -261,6 +261,7 @@ VGAuthValidateUsernamePasswordImpl(VGAuthContext *ctx,
    pam_handle_t *pamh;
    int pam_error;
    PamData pd;
+   VGAuthError err;
 #else
    struct passwd *pwd;
 #endif
@@ -270,34 +271,6 @@ VGAuthValidateUsernamePasswordImpl(VGAuthContext *ctx,
       return VGAUTH_E_FAIL;
    }
 
-#ifdef sun
-/* Solaris does not have PAM_MODULE_UNKNOWN. */
-#define PAM_BAIL if (pam_error != PAM_SUCCESS) { \
-                    Warning("PAM error: %s (%d)\n", \
-                            dlpam_strerror(pamh, pam_error), pam_error);  \
-                    dlpam_end(pamh, pam_error); \
-                    if (PAM_AUTH_ERR == pam_error || \
-                        PAM_USER_UNKNOWN == pam_error) { \
-                       return VGAUTH_E_AUTHENTICATION_DENIED; \
-                    } else { \
-                       return VGAUTH_E_FAIL; \
-                    } \
-                 }
-#else
-#define PAM_BAIL if (pam_error != PAM_SUCCESS) { \
-                    Warning("PAM error: %s (%d)\n", \
-                            dlpam_strerror(pamh, pam_error), pam_error);  \
-                    dlpam_end(pamh, pam_error); \
-                    if (PAM_AUTH_ERR == pam_error || \
-                        PAM_USER_UNKNOWN == pam_error || \
-                        PAM_MODULE_UNKNOWN == pam_error) {\
-                       return VGAUTH_E_AUTHENTICATION_DENIED; \
-                    } else { \
-                       return VGAUTH_E_FAIL; \
-                    } \
-                 }
-#endif
-
    pd.username = userName;
    pd.password = password;
    PAM_conversation.appdata_ptr = &pd;
@@ -310,12 +283,44 @@ VGAuthValidateUsernamePasswordImpl(VGAuthContext *ctx,
    }
 
    pam_error = dlpam_authenticate(pamh, 0);
-   PAM_BAIL;
-   pam_error = dlpam_acct_mgmt(pamh, 0);
-   PAM_BAIL;
-   pam_error = dlpam_setcred(pamh, PAM_ESTABLISH_CRED);
-   PAM_BAIL;
-   dlpam_end(pamh, PAM_SUCCESS);
+   if (pam_error == PAM_SUCCESS) {
+      pam_error = dlpam_acct_mgmt(pamh, 0);
+      if (pam_error == PAM_SUCCESS) {
+         pam_error = dlpam_setcred(pamh, PAM_ESTABLISH_CRED);
+      }
+   }
+   dlpam_end(pamh, pam_error);
+   if (pam_error != PAM_SUCCESS) {
+      switch (pam_error) {
+         /*
+          * Most PAM errors get mapped to VGAUTH_E_AUTHENTICATION_DENIED,
+          * but some are mapped into VGAUTH_E_FAIL.
+          */
+         case PAM_OPEN_ERR:
+         case PAM_SYMBOL_ERR:
+         case PAM_SERVICE_ERR:
+         case PAM_SYSTEM_ERR:
+         case PAM_BUF_ERR:
+         case PAM_NO_MODULE_DATA:
+         case PAM_CONV_ERR:
+         case PAM_ABORT:
+#ifndef sun   /* The following error codes are undefined on Solaris. */
+         case PAM_BAD_ITEM:
+         case PAM_CONV_AGAIN:
+         case PAM_INCOMPLETE:
+#endif
+            err = VGAUTH_E_FAIL;
+            break;
+
+         default:
+            err = VGAUTH_E_AUTHENTICATION_DENIED;
+            break;
+
+      }
+      Warning("PAM error: %s (%d), mapped to VGAuth error "VGAUTHERR_FMT64"\n",
+              dlpam_strerror(pamh, pam_error), pam_error, err);
+      return err;
+   }
 
 #else /* !USE_PAM */