Never fail open: auth chain *must* have at least one required or binding

element.
2005-03-16 15:28:55 +00:00 · 2005-03-16 15:28:55 +00:00 · 6a3704f4d9
parent 7cd222b164
commit 6a3704f4d9
1 changed files with 20 additions and 0 deletions
--- a/dist/openpam/lib/openpam_configure.c
+++ b/dist/openpam/lib/openpam_configure.c
@ -329,6 +329,26 @@ openpam_configure(pam_handle_t *pamh,
 		if (openpam_load_chain(pamh, PAM_OTHER, fclt) < 0)
 			goto load_err;
 	}
+#ifdef __NetBSD__
+	/*
+	 * On NetBSD we require the AUTH chain to have a binding
+	 * or a required module.
+	 */
+	{
+		pam_chain_t *this = pamh->chains[PAM_AUTH];
+		for (; this != NULL; this = this->next)
+			if (this->flag == PAM_BINDING ||
+			    this->flag == PAM_REQUIRED)
+				break;
+		if (this == NULL) {
+			openpam_log(PAM_LOG_ERROR,
+			    "No required or binding component "
+			    "in service %s, facility %s",
+			    service, _pam_facility_name[PAM_AUTH]);
+			goto load_err;
+		}
+	}
+#endif
 	return (PAM_SUCCESS);
 load_err:
 	openpam_clear_chains(pamh->chains);