Relevant BUGIDs: 123399

Purpose of commit: bugfix

Commit summary:
---------------
avoid possibility of SIGPIPE from helper binary non-invocation or
early exit.

CHANGELOG

@@ -35,6 +35,8 @@ Where you should replace XXXXX with a bug-id.
 0.73: please submit patches for this section with actual code/doc
       patches!
 
+* avoid potential SIGPIPE when writing to helper binaries with (Bug
+  123399 - agmorgan)
 * replaced bogus logic in the pam_cracklib module for determining if
   the replacement is too similar to the old password (Bug 115055 -
   agmorgan)

modules/pam_pwdb/support.-c

@@ -378,13 +378,14 @@ static int pwdb_run_helper_binary(pam_handle_t *pamh, const char *passwd)
 	exit(PWDB_SUCCESS+1);
     } else if (child > 0) {
 	/* wait for child */
-	close(fds[0]);
 	if (passwd != NULL) {            /* send the password to the child */
 	    write(fds[1], passwd, strlen(passwd)+1);
 	    passwd = NULL;
 	} else {
 	    write(fds[1], "", 1);                        /* blank password */
 	}
+	close(fds[0]);   /* we close this after the write because we want
+			    to avoid a possible SIGPIPE. */
 	close(fds[1]);
 	(void) waitpid(child, &retval, 0);  /* wait for helper to complete */
 	retval = (retval == PWDB_SUCCESS) ? PAM_SUCCESS:PAM_AUTH_ERR;

modules/pam_unix/support.c

@@ -398,7 +398,6 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd, unsig
 	exit(PAM_AUTHINFO_UNAVAIL);
     } else if (child > 0) {
 	/* wait for child */
-	close(fds[0]);
 	/* if the stored password is NULL */
 	if (off(UNIX__NONULL, ctrl)) {	/* this means we've succeeded */
 	    write(fds[1], "nullok\0\0", 8);
@@ -411,6 +410,7 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd, unsig
 	} else {
 	    write(fds[1], "", 1);                        /* blank password */
 	}
+	close(fds[0]);       /* close here to avoid possible SIGPIPE above */
 	close(fds[1]);
 	(void) waitpid(child, &retval, 0);  /* wait for helper to complete */
 	retval = (retval == 0) ? PAM_SUCCESS:PAM_AUTH_ERR;