Handle failures in pam_setcred
authorRobert Ancell <robert.ancell@canonical.com>
Wed, 28 Mar 2012 06:27:41 +0000 (17:27 +1100)
committerRobert Ancell <robert.ancell@canonical.com>
Wed, 28 Mar 2012 06:27:41 +0000 (17:27 +1100)
NEWS
src/session-child.c
tests/Makefile.am
tests/scripts/autologin-cred-error.conf [new file with mode: 0644]
tests/scripts/autologin-cred-expired.conf [new file with mode: 0644]
tests/scripts/autologin-cred-unavail.conf [new file with mode: 0644]
tests/src/libsystem.c
tests/src/test-runner.c
tests/test-autologin-cred-error [new file with mode: 0755]
tests/test-autologin-cred-expired [new file with mode: 0755]
tests/test-autologin-cred-unavail [new file with mode: 0755]

diff --git a/NEWS b/NEWS
index 983f0727db658f2975e9594c724528ca28e0cf20..4ed8bc70cadc60c8edebe1ba662f236b1cbc5067 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,7 @@
 Overview of changes in lightdm 1.1.10
 
     * Backup .xsession-errors on login
+    * Handle failures in pam_setcred
 
 Overview of changes in lightdm 1.1.9
 
index 68ec36bb9a9026d3c6d6d5b1070f34b33d4907bf..f2aadbb6247f95441e142113f0b18539643011e8 100644 (file)
@@ -364,6 +364,11 @@ session_child_run (int argc, char **argv)
 
     /* Set credentials */
     result = pam_setcred (pam_handle, PAM_ESTABLISH_CRED);
+    if (result != PAM_SUCCESS)
+    {
+        g_printerr ("Failed to establish PAM credentials: %s\n", pam_strerror (pam_handle, result));
+        return EXIT_FAILURE;
+    }
      
     /* Open the session */
     result = pam_open_session (pam_handle, 0);
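Review bot: The new failure branch after `pam_setcred` returns `EXIT_FAILURE` without ending the PAM transaction, so modules that partially set up credentials never get their cleanup callbacks. Adding `pam_end (pam_handle, result);` before the `return` would let them tear down whatever they established; this assumes nothing else ends the transaction later, which the hunk does not show. A short comment would also help record why the session must stop here, e.g. `/* Never start a session whose credentials could not be established */`. session_child_run starts and continues outside the hunk.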
index 13aae050a2801794b2a5e106a97d325606106c2f..13a105020edaf795bf9b1b1df9b422cd37cdc512 100644 (file)
@@ -17,6 +17,9 @@ TESTS = \
        test-autologin-new-authtok \
        test-autologin-denied \
        test-autologin-expired \
+       test-autologin-cred-error \
+       test-autologin-cred-expired \
+       test-autologin-cred-unavail \
        test-autologin-session-error \
        test-autologin-logout \
        test-autologin-previous-session \
@@ -146,6 +149,9 @@ EXTRA_DIST = \
        data/xsessions/default.desktop \
        scripts/autologin.conf \
        scripts/autologin-crash-authenticate.conf \
+       scripts/autologin-cred-error.conf \
+       scripts/autologin-cred-expired.conf \
+       scripts/autologin-cred-unavail.conf \
        scripts/autologin-denied.conf \
        scripts/autologin-expired.conf \
        scripts/autologin-guest.conf \
diff --git a/tests/scripts/autologin-cred-error.conf b/tests/scripts/autologin-cred-error.conf
new file mode 100644 (file)
index 0000000..06dcb35
--- /dev/null
@@ -0,0 +1,44 @@
+#
+# Check automatic login stops if an account can't establish credentials
+#
+
+[LightDM]
+minimum-display-number=50
+
+[SeatDefaults]
+autologin-user=cred-error
+
+#?RUNNER DAEMON-START
+
+# X server starts
+#?XSERVER :50 START
+#?XSERVER :50 INDICATE-READY
+
+# LightDM connects to X server
+#?XSERVER :50 ACCEPT-CONNECT
+
+# (Session fails)
+
+# X server stops
+#?XSERVER :50 TERMINATE SIGNAL=15
+
+# X server starts
+#?XSERVER :50 START
+#?XSERVER :50 INDICATE-READY
+
+# LightDM connects to X server
+#?XSERVER :50 ACCEPT-CONNECT
+
+# Greeter starts
+#?GREETER :50 START
+#?XSERVER :50 ACCEPT-CONNECT
+#?GREETER :50 CONNECT-XSERVER
+#?GREETER :50 CONNECT-TO-DAEMON
+#?GREETER :50 CONNECTED-TO-DAEMON
+
+# Cleanup
+#?*STOP-DAEMON
+# Don't know what order they will terminate
+#?(GREETER :50 TERMINATE SIGNAL=15|XSERVER :50 TERMINATE SIGNAL=15)
+#?(GREETER :50 TERMINATE SIGNAL=15|XSERVER :50 TERMINATE SIGNAL=15)
+#?RUNNER DAEMON-EXIT STATUS=0
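Review bot: The placeholder comment `# (Session fails)` does not say which step fails or what the script asserts at that point. The stub in tests/src/libsystem.c makes `pam_setcred` return `PAM_CRED_ERR` for this user, so a comment like `# (pam_setcred fails with PAM_CRED_ERR, so no session is started)` would make clear that the test guards against a session starting without credentials. The same comment in autologin-cred-expired.conf and autologin-cred-unavail.conf could name `PAM_CRED_EXPIRED` and `PAM_CRED_UNAVAIL`. The script appears to rely on the runner rejecting unexpected status lines to prove that no session starts; that behaviour is not visible here.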
diff --git a/tests/scripts/autologin-cred-expired.conf b/tests/scripts/autologin-cred-expired.conf
new file mode 100644 (file)
index 0000000..b55b86d
--- /dev/null
@@ -0,0 +1,44 @@
+#
+# Check automatic login stops if an account has expired credentials
+#
+
+[LightDM]
+minimum-display-number=50
+
+[SeatDefaults]
+autologin-user=cred-expired
+
+#?RUNNER DAEMON-START
+
+# X server starts
+#?XSERVER :50 START
+#?XSERVER :50 INDICATE-READY
+
+# LightDM connects to X server
+#?XSERVER :50 ACCEPT-CONNECT
+
+# (Session fails)
+
+# X server stops
+#?XSERVER :50 TERMINATE SIGNAL=15
+
+# X server starts
+#?XSERVER :50 START
+#?XSERVER :50 INDICATE-READY
+
+# LightDM connects to X server
+#?XSERVER :50 ACCEPT-CONNECT
+
+# Greeter starts
+#?GREETER :50 START
+#?XSERVER :50 ACCEPT-CONNECT
+#?GREETER :50 CONNECT-XSERVER
+#?GREETER :50 CONNECT-TO-DAEMON
+#?GREETER :50 CONNECTED-TO-DAEMON
+
+# Cleanup
+#?*STOP-DAEMON
+# Don't know what order they will terminate
+#?(GREETER :50 TERMINATE SIGNAL=15|XSERVER :50 TERMINATE SIGNAL=15)
+#?(GREETER :50 TERMINATE SIGNAL=15|XSERVER :50 TERMINATE SIGNAL=15)
+#?RUNNER DAEMON-EXIT STATUS=0
diff --git a/tests/scripts/autologin-cred-unavail.conf b/tests/scripts/autologin-cred-unavail.conf
new file mode 100644 (file)
index 0000000..0ead338
--- /dev/null
@@ -0,0 +1,44 @@
+#
+# Check automatic login stops if an account can't access credentials
+#
+
+[LightDM]
+minimum-display-number=50
+
+[SeatDefaults]
+autologin-user=cred-unavail
+
+#?RUNNER DAEMON-START
+
+# X server starts
+#?XSERVER :50 START
+#?XSERVER :50 INDICATE-READY
+
+# LightDM connects to X server
+#?XSERVER :50 ACCEPT-CONNECT
+
+# (Session fails)
+
+# X server stops
+#?XSERVER :50 TERMINATE SIGNAL=15
+
+# X server starts
+#?XSERVER :50 START
+#?XSERVER :50 INDICATE-READY
+
+# LightDM connects to X server
+#?XSERVER :50 ACCEPT-CONNECT
+
+# Greeter starts
+#?GREETER :50 START
+#?XSERVER :50 ACCEPT-CONNECT
+#?GREETER :50 CONNECT-XSERVER
+#?GREETER :50 CONNECT-TO-DAEMON
+#?GREETER :50 CONNECTED-TO-DAEMON
+
+# Cleanup
+#?*STOP-DAEMON
+# Don't know what order they will terminate
+#?(GREETER :50 TERMINATE SIGNAL=15|XSERVER :50 TERMINATE SIGNAL=15)
+#?(GREETER :50 TERMINATE SIGNAL=15|XSERVER :50 TERMINATE SIGNAL=15)
+#?RUNNER DAEMON-EXIT STATUS=0
index 34be41a97ca37149ea956fe36766b8158a91f955..13abda8ca07834fd6835d5c787b4b5f73e85c7d9 100644 (file)
@@ -728,6 +728,9 @@ pam_open_session (pam_handle_t *pamh, int flags)
     if (pamh == NULL)
         return PAM_SYSTEM_ERR;
 
+    if (strcmp (pamh->user, "session-error") == 0)
+        return PAM_SESSION_ERR;
+
     if (strcmp (pamh->user, "make-home-dir") == 0)
     {
         struct passwd *entry;
@@ -735,9 +738,6 @@ pam_open_session (pam_handle_t *pamh, int flags)
         g_mkdir_with_parents (entry->pw_dir, 0755);
     }
 
-    if (strcmp (pamh->user, "session-error") == 0)
-        return PAM_SESSION_ERR;
-
     return PAM_SUCCESS;
 }
 
@@ -820,6 +820,13 @@ pam_setcred (pam_handle_t *pamh, int flags)
     pam_putenv (pamh, e);
     g_free (e);
 
+    if (strcmp (pamh->user, "cred-error") == 0)
+        return PAM_CRED_ERR;
+    if (strcmp (pamh->user, "cred-expired") == 0)
+        return PAM_CRED_EXPIRED;
+    if (strcmp (pamh->user, "cred-unavail") == 0)
+        return PAM_CRED_UNAVAIL;
+
     /* Join special groups if requested */
     if (strcmp (pamh->user, "group-member") == 0 && flags & PAM_ESTABLISH_CRED)
     {
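Review bot: The three new `cred-*` checks in the `pam_setcred` stub return an error for every value of `flags`, while the `group-member` branch directly below acts only when `PAM_ESTABLISH_CRED` is set. If only credential establishment should fail, guard them the same way, e.g. `if ((flags & PAM_ESTABLISH_CRED) && strcmp (pamh->user, "cred-error") == 0)`. If failing the other operations is intended too, a comment such as `/* These accounts fail regardless of flags */` would record that. The checks also run after `pam_putenv`, so the stub still changes the PAM environment on the failing path. pam_setcred starts and ends outside the hunk.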
index bad796d5dca81ffeaa0b17ac657f39c84020ed4d..a8ed58608ddb3b5453718cc57348b16be29a2845 100644 (file)
@@ -1383,6 +1383,12 @@ main (int argc, char **argv)
         {"make-home-dir",    "",         FALSE, "Make Home Dir User", NULL,  NULL, NULL,          NULL,          1025},
         /* This account fails to open a session */
         {"session-error",    "password", TRUE,  "Session Error",      NULL,  NULL, NULL,          NULL,          1026},
+        /* This account can't establish credentials */
+        {"cred-error",       "password", TRUE,  "Cred Error",         NULL,  NULL, NULL,          NULL,          1027},
+        /* This account has expired credentials */
+        {"cred-expired",     "password", TRUE,  "Cred Expired",       NULL,  NULL, NULL,          NULL,          1028},
+        /* This account has cannot access their credentials */
+        {"cred-unavail",     "password", TRUE,  "Cred Unavail",       NULL,  NULL, NULL,          NULL,          1029},
         {NULL,               NULL,       FALSE, NULL,                 NULL,  NULL, NULL,          NULL,             0}
     };
     passwd_data = g_string_new ("");
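Review bot: The comment on the new `cred-unavail` entry reads "This account has cannot access their credentials", which is garbled. `/* This account cannot access its credentials */` would match the wording of the two entries added above it. main's body starts and continues outside the hunk.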
diff --git a/tests/test-autologin-cred-error b/tests/test-autologin-cred-error
new file mode 100755 (executable)
index 0000000..1beec10
--- /dev/null
@@ -0,0 +1,2 @@
+#!/bin/sh
+./src/dbus-env ./src/test-runner autologin-cred-error test-gobject-greeter
diff --git a/tests/test-autologin-cred-expired b/tests/test-autologin-cred-expired
new file mode 100755 (executable)
index 0000000..a07f881
--- /dev/null
@@ -0,0 +1,2 @@
+#!/bin/sh
+./src/dbus-env ./src/test-runner autologin-cred-expired test-gobject-greeter
diff --git a/tests/test-autologin-cred-unavail b/tests/test-autologin-cred-unavail
new file mode 100755 (executable)
index 0000000..933b3f8
--- /dev/null
@@ -0,0 +1,2 @@
+#!/bin/sh
+./src/dbus-env ./src/test-runner autologin-cred-unavail test-gobject-greeter