From 0e59802be5baf922f4627e7dfde565c1e7bc2913 Mon Sep 17 00:00:00 2001
From: christos <christos@NetBSD.org>
Date: Wed, 12 Jan 2005 01:38:23 +0000
Subject: [PATCH] Fail closed for NetBSD. If /etc/pam.d and /etc/pam.conf are
 missing, then return PAM_SYSTEM_ERR. This is done by checking that chains
 have at least one member.

---
 dist/openpam/lib/openpam_dispatch.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/dist/openpam/lib/openpam_dispatch.c b/dist/openpam/lib/openpam_dispatch.c
index f87feca320b4..cb4cc491e2a6 100644
--- a/dist/openpam/lib/openpam_dispatch.c
+++ b/dist/openpam/lib/openpam_dispatch.c
@@ -97,6 +97,12 @@ openpam_dispatch(pam_handle_t *pamh,
 		RETURNC(PAM_SYSTEM_ERR);
 	}
 
+#ifdef __NetBSD__
+	/* Require chains to exist, so that we don't fail open */
+	if (chain == NULL)
+		RETURNC(PAM_SYSTEM_ERR);
+#endif
+
 	/* execute */
 	for (err = fail = 0; chain != NULL; chain = chain->next) {
 		if (chain->module->func[primitive] == NULL) {