diff --git a/CHANGELOG b/CHANGELOG index f90cb3e6..f45da409 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -35,6 +35,8 @@ Where you should replace XXXXX with a bug-id. 0.73: please submit patches for this section with actual code/doc patches! +* avoid potential SIGPIPE when writing to helper binaries with (Bug + 123399 - agmorgan) * replaced bogus logic in the pam_cracklib module for determining if the replacement is too similar to the old password (Bug 115055 - agmorgan) diff --git a/modules/pam_pwdb/support.-c b/modules/pam_pwdb/support.-c index 2cbcb576..d43e0554 100644 --- a/modules/pam_pwdb/support.-c +++ b/modules/pam_pwdb/support.-c @@ -378,13 +378,14 @@ static int pwdb_run_helper_binary(pam_handle_t *pamh, const char *passwd) exit(PWDB_SUCCESS+1); } else if (child > 0) { /* wait for child */ - close(fds[0]); if (passwd != NULL) { /* send the password to the child */ write(fds[1], passwd, strlen(passwd)+1); passwd = NULL; } else { write(fds[1], "", 1); /* blank password */ } + close(fds[0]); /* we close this after the write because we want + to avoid a possible SIGPIPE. */ close(fds[1]); (void) waitpid(child, &retval, 0); /* wait for helper to complete */ retval = (retval == PWDB_SUCCESS) ? PAM_SUCCESS:PAM_AUTH_ERR; diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c index 256e4999..a0f2c52d 100644 --- a/modules/pam_unix/support.c +++ b/modules/pam_unix/support.c @@ -398,7 +398,6 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd, unsig exit(PAM_AUTHINFO_UNAVAIL); } else if (child > 0) { /* wait for child */ - close(fds[0]); /* if the stored password is NULL */ if (off(UNIX__NONULL, ctrl)) { /* this means we've succeeded */ write(fds[1], "nullok\0\0", 8); @@ -411,6 +410,7 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd, unsig } else { write(fds[1], "", 1); /* blank password */ } + close(fds[0]); /* close here to avoid possible SIGPIPE above */ close(fds[1]); (void) waitpid(child, &retval, 0); /* wait for helper to complete */ retval = (retval == 0) ? PAM_SUCCESS:PAM_AUTH_ERR;