
SELinux Mailing List

Re: newrole cleanup patch

From: Steve G <linux_4ever_at_yahoo.com>
Date: Wed, 21 Dec 2005 09:30:42 -0800 (PST)

>+ if( strncmp(ttyn, "/dev/", 5) == 0 )
>+ tty_name = ttyn+5;
>+ else
>+ tty_name = ttyn;
>
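Review bot: the else branch passes ttyn through unchanged when it does not start with "/dev/", so tty_name can end up holding a full path or some other string that is then given to PAM as the terminal name. Nothing in this hunk checks ttyn for NULL before strncmp() either. Suggest a NULL check first, and an explicit decision on whether a terminal outside /dev is an error instead of a silent fall-through.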
>I have seen this idiom before, but am not clear on the rationale. If
>the tty isn't under /dev, then what are the real implications? Possibly
>this should just be an error condition?

It's so that we get the tty's name rather than the path.

>+
>+ if( PAM_SUCCESS != pam_set_item( pam_handle, PAM_TTY, tty_name ) ) {
>+ fprintf( stderr, _("failed to set PAM_TTY\n") );
>+ goto out;
>+ }
>+
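Review bot: the return value of pam_set_item() is compared inside the if condition and then discarded, so the message cannot say why the call failed and the status is not available once control reaches the out label. Suggest storing it in a local variable, printing pam_strerror() for it alongside "failed to set PAM_TTY", and confirming that the function's result is set to failure before the goto out.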
><snip>
>@@ -199,6 +212,7 @@ int authenticate_via_pam( const struct p
> }
>
> /* We're done with PAM. Free `pam_handle'. */
>+out:
> pam_end( pam_handle, PAM_SUCCESS );
>
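Review bot: with the out label placed directly in front of pam_end( pam_handle, PAM_SUCCESS ), the new failure path from goto out ends the PAM transaction reporting success. pam_end() hands its second argument to the modules' cleanup callbacks, so it should receive the last status returned by a pam_* call, not a constant. The label also now sits between the "We're done with PAM" comment and the statement it describes; moving the label above the comment keeps the two together.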
>This isn't really new to your patch, but it seems like this code should
>be cleaned up in general to save the pam error status from the pam_*
>functions and pass that status to pam_end(). This applies both to your
>new call to pam_set_item as well as the existing calls to
>pam_authenticate() and pam_acct_mgmt(), and we likely should be jumping
>to out upon a failure in pam_authenticate() rather than calling
>pam_acct_mgmt() at all in that case, right?

Right. I'll make those adjustments.

>I'm a little concerned that if we report "Error!" rather than "Warning!"
>and then proceed (if permissive), then the user could get confused

I'll make adjustments to switch between Error & Warning.

-Steve



Received on Wed 21 Dec 2005 - 12:30:48 EST
 

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009


National Security Agency / Central Security Service