From: Tobias Stoeckmann Date: Tue, 24 Mar 2026 13:36:14 +0000 (+0100) Subject: login: Call pam_open_session after pam_setcred X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=c2e472176ac958941e34bd6f68a630862ed431cb;p=thirdparty%2Fshadow.git login: Call pam_open_session after pam_setcred According to Linux-PAM's pam_setcred(3) and su implementation, credentials shall be set before session is opened. Adjust login to follow this rule, which is also applied by util-linux login/su and at least gdm (didn't check more implementations). The current style matches Appendix B of X/Open RFC 86.0 (from 1995). Reviewed-by: Alejandro Colomar Signed-off-by: Tobias Stoeckmann --- diff --git a/src/login.c b/src/login.c index 1da71b104..59fbf1d92 100644 --- a/src/login.c +++ b/src/login.c @@ -766,11 +766,6 @@ int main (int argc, char **argv) } PAM_FAIL_CHECK; - /* Open the PAM session */ - get_pam_user (&pam_user); - retcode = pam_open_session (pamh, hushed (pam_user) ? PAM_SILENT : 0); - PAM_FAIL_CHECK; - /* Grab the user information out of the password file for future usage * First get the username that we are actually using, though. * @@ -805,6 +800,11 @@ int main (int argc, char **argv) * into account. */ + /* Open the PAM session */ + get_pam_user (&pam_user); + retcode = pam_open_session (pamh, hushed (pam_user) ? PAM_SILENT : 0); + PAM_FAIL_CHECK; + #else /* ! USE_PAM */ while (true) { /* repeatedly get login/password pairs */ bool failed;
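Review bot: In the first hunk (@@ -766), taking pam_open_session out of this position means the block introduced by "Grab the user information out of the password file for future usage" now runs before any session is open, and the patch does not say whether that code was checked for this. Please confirm that nothing between the old and the new call site relies on a session module having already run, and that no early exit in that range assumed an open session. A sentence in the commit message stating this was reviewed would settle it.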
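Review bot: In the second hunk (@@ -805), a failing pam_open_session now reaches PAM_FAIL_CHECK after credentials have been set, so the failure path needs to release them. The visible lines do not show what PAM_FAIL_CHECK does; if it only reports the error and exits, consider calling pam_setcred with PAM_DELETE_CRED before leaving. The pam_setcred call itself is not in this hunk's context, so a short comment above "/* Open the PAM session */" saying the block must stay after pam_setcred would keep the ordering from being reverted by a later cleanup. The context comment "First get the username that we are actually using" also suggests pam_user is already fetched earlier in this block; if so, the get_pam_user (&pam_user) call in the moved lines may be redundant.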