login: Call pam_open_session after pam_setcred
authorTobias Stoeckmann <tobias@stoeckmann.org>
Tue, 24 Mar 2026 13:36:14 +0000 (14:36 +0100)
committerAlejandro Colomar <foss+github@alejandro-colomar.es>
Tue, 7 Apr 2026 19:24:47 +0000 (21:24 +0200)
According to Linux-PAM's pam_setcred(3) and su implementation,
credentials shall be set before session is opened.

Adjust login to follow this rule, which is also applied by util-linux
login/su and at least gdm (didn't check more implementations).

The current style matches Appendix B of X/Open RFC 86.0 (from 1995).

Reviewed-by: Alejandro Colomar <alx@kernel.org>
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
src/login.c

index 1da71b104693988aa1458760cb593934d24f00e9..59fbf1d92b9297def0a12eff324ae58398fce686 100644 (file)
@@ -766,11 +766,6 @@ int main (int argc, char **argv)
        }
        PAM_FAIL_CHECK;
 
-       /* Open the PAM session */
-       get_pam_user (&pam_user);
-       retcode = pam_open_session (pamh, hushed (pam_user) ? PAM_SILENT : 0);
-       PAM_FAIL_CHECK;
-
        /* Grab the user information out of the password file for future usage
         * First get the username that we are actually using, though.
         *
@@ -805,6 +800,11 @@ int main (int argc, char **argv)
         * into account.
         */
 
+       /* Open the PAM session */
+       get_pam_user (&pam_user);
+       retcode = pam_open_session (pamh, hushed (pam_user) ? PAM_SILENT : 0);
+       PAM_FAIL_CHECK;
+
 #else                          /* ! USE_PAM */
        while (true) {  /* repeatedly get login/password pairs */
                bool failed;