[Fedora-directory-commits] ldapserver/ldap/servers/plugins/pam_passthru pam_passthru.h, 1.4, 1.5 pam_ptimpl.c, 1.7, 1.8 pam_ptpreop.c, 1.4, 1.5

Richard Allen Megginson (rmeggins) fedora-directory-commits at redhat.com
Fri Jul 15 18:13:31 UTC 2005


Author: rmeggins

Update of /cvs/dirsec/ldapserver/ldap/servers/plugins/pam_passthru
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv15273

Modified Files:
	pam_passthru.h pam_ptimpl.c pam_ptpreop.c 
Log Message:
PAM is not thread safe.  Therefore, we must put the code that accesses PAM
in a critical section.  This fix creates a mutex at init time and uses that
mutex to create a critical section around all PAM API access.



Index: pam_passthru.h
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/pam_passthru/pam_passthru.h,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- pam_passthru.h	19 Apr 2005 22:07:30 -0000	1.4
+++ pam_passthru.h	15 Jul 2005 18:13:28 -0000	1.5
@@ -131,6 +131,7 @@
 /*
  * pam_ptimpl.c
  */
+int pam_passthru_pam_init( void );
 int pam_passthru_do_pam_auth(Slapi_PBlock *pb, Pam_PassthruConfig *cfg);
 
 #endif	/* _PAM_PASSTHRU_H_ */


Index: pam_ptimpl.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/pam_passthru/pam_ptimpl.c,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- pam_ptimpl.c	19 Apr 2005 22:07:30 -0000	1.7
+++ pam_ptimpl.c	15 Jul 2005 18:13:28 -0000	1.8
@@ -39,6 +39,11 @@
 
 #include "pam_passthru.h"
 
+/*
+ * PAM is not thread safe.  We have to execute any PAM API calls in
+ * a critical section.  This is the lock that protects that code.
+ */
+static Slapi_Mutex *PAMLock;
 
 /* Utility struct to wrap strings to avoid mallocs if possible - use
    stack allocated string space */
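Review bot: The comment on `PAMLock` should say how far the protection reaches. The mutex is `static` to pam_ptimpl.c, so it serialises only the PAM calls made from this file; any other code in the server process that calls into PAM (none is visible in this diff) would still run concurrently with it. I would add a sentence such as `* This lock only covers PAM calls made from this file; any other PAM user in the process is not serialised by it.` It would also help to state that the pointer is set once by `pam_passthru_pam_init` and is NULL before that call.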
@@ -271,6 +276,8 @@
 	my_data.pb = pb;
 	my_data.pam_identity = pam_id.str;
 	my_pam_conv.appdata_ptr = &my_data;
+	slapi_lock_mutex(PAMLock);
+	/* from this point on we are in the critical section */
 	rc = pam_start(pam_service, pam_id.str, &my_pam_conv, &pam_handle);
 	report_pam_error("during pam_start", rc, pam_handle);
 
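Review bot: The lock taken at `slapi_lock_mutex(PAMLock)` is released only by the single `slapi_unlock_mutex(PAMLock)` added after `pam_end` in the next hunk. The code between the two lies outside both hunks, so it should be confirmed that no `return` or `goto` in that stretch skips the unlock; one missed path would block every later PAM bind. The critical section also spans the whole PAM transaction, so a PAM module that blocks, for example on a backend timeout, stalls all other pass-through binds for that time. I would record that in the comment, e.g. `/* critical section: held through pam_end; all PAM binds are serialized, so a slow PAM module delays every other bind */`. The enclosing function starts and ends outside the hunk.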
@@ -351,6 +358,8 @@
 
 	rc = pam_end(pam_handle, rc);
 	report_pam_error("during pam_end", rc, pam_handle);
+	slapi_unlock_mutex(PAMLock);
+	/* not in critical section any more */
 
 	delete_my_str_buf(&pam_id);
 
@@ -376,6 +385,20 @@
 }
 
 /*
+ * Perform any PAM subsystem initialization that must be done at startup time.
+ * For now, this means only the PAM mutex since PAM is not thread safe.
+ */
+int
+pam_passthru_pam_init( void )
+{
+	if (!(PAMLock = slapi_new_mutex())) {
+		return LDAP_LOCAL_ERROR;
+	}
+
+	return 0;
+}
+
+/*
  * Entry point into the PAM auth code.  Shields the rest of the app
  * from PAM API code.  Get our config params, then call the actual
  * code that does the PAM auth.  Can call that code up to 3 times,
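Review bot: `pam_passthru_pam_init` returns a literal `0` on success while its only visible caller, in pam_ptpreop.c, compares the result with `LDAP_SUCCESS`; `return LDAP_SUCCESS;` would keep the two in step. The function also assigns `PAMLock` unconditionally. If the plugin start function ever ran twice (not visible here), a second call would leak the first mutex and replace a lock that a thread may be holding, which breaks the mutual exclusion this commit is adding. Nothing in the commit releases the mutex with `slapi_destroy_mutex` at plugin close either. A guard such as `if (PAMLock) return LDAP_SUCCESS;` at the top, plus a matching teardown, would cover both.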


Index: pam_ptpreop.c
===================================================================
RCS file: /cvs/dirsec/ldapserver/ldap/servers/plugins/pam_passthru/pam_ptpreop.c,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- pam_ptpreop.c	19 Apr 2005 22:07:30 -0000	1.4
+++ pam_ptpreop.c	15 Jul 2005 18:13:28 -0000	1.5
@@ -128,6 +128,12 @@
 		return( -1 );
     }
 
+    if (( rc = pam_passthru_pam_init()) != LDAP_SUCCESS ) {
+		slapi_log_error( SLAPI_LOG_FATAL, PAM_PASSTHRU_PLUGIN_SUBSYSTEM,
+						 "could not initialize PAM subsystem (%d)\n", rc);
+		return( -1 );
+    }
+
     return( 0 );
 }
 



