From df6ebefef7d9ebbb5aa36e6c5685e67e81fe775e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marco=20Trevisan=20=28Trevi=C3=B1o=29?=
Date: Tue, 2 Mar 2021 15:03:38 +0100
Subject: [PATCH] pam_fprintd: Consistently return PAM_AUTHINFO_UNAVAIL when device has no prints

Loading saved prints may lead to an error if they were stored long time ago and so they're using a wrong format. In such case we list the prints as available even though they are really not, so the PAM module won't return PAM_AUTHINFO_UNAVAIL as in the no-prints case but PAM_USER_UNKNOWN. This will lead some auth systems (such as gdm) to keep retrying using PAM fprintd module, even if it's not really available.
---
 pam/pam_fprintd.c | 2 +-
 tests/pam/test_pam_fprintd.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
 mode change 100755 => 100644 tests/pam/test_pam_fprintd.py

diff --git a/pam/pam_fprintd.c b/pam/pam_fprintd.c
index 9c4adcf..8cbd01c 100644
--- a/pam/pam_fprintd.c
+++ b/pam/pam_fprintd.c
@@ -351,7 +351,7 @@ verify_started_cb (sd_bus_message *m,
 if (sd_bus_error_has_name (error, "net.reactivated.Fprint.Error.NoEnrolledPrints"))
 {
 pam_syslog (data->pamh, LOG_DEBUG, "No prints enrolled");
- data->verify_ret = PAM_USER_UNKNOWN;
+ data->verify_ret = PAM_AUTHINFO_UNAVAIL;
 }
 else
 {
diff --git a/tests/pam/test_pam_fprintd.py b/tests/pam/test_pam_fprintd.py
old mode 100755
new mode 100644
index c17dfbe..be66818
--- a/tests/pam/test_pam_fprintd.py
+++ b/tests/pam/test_pam_fprintd.py
@@ -177,7 +177,7 @@ class TestPamFprintd(dbusmock.DBusTestCase):
 ]
 self.device_mock.SetVerifyScript(script)
- tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rv=PAM_USER_UNKNOWN)
+ tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE, expected_rv=PAM_AUTHINFO_UNAVAIL)
 res = pypamtest.run_pamtest("toto", "fprintd-pam-test", [tc], [ 'unused' ])
 def test_pam_fprintd_blocks_unexpected_auth(self):
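Review bot: The new `PAM_AUTHINFO_UNAVAIL` assignment in the `NoEnrolledPrints` branch carries no comment explaining why this code was chosen, and the reason is not visible from the code alone. Per the commit message it has to match what the module returns in the no-prints case, so that callers such as gdm stop retrying. I would add above the assignment `/* Same result as the no-prints case, so the caller moves on instead of retrying */`. Because this value is what a PAM stack's control field acts on, a configuration that matches `user_unknown=` for this module will now take a different path, which deserves a line in the release notes. The `else` branch continues outside the hunk, so I cannot tell from here what other errors reaching `verify_started_cb` return.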
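Review bot: The mode change from 100755 to 100644 on `tests/pam/test_pam_fprintd.py` rides along with this fix and is not mentioned in the commit message. If the test runner executes the script directly rather than through the interpreter, dropping the executable bit would stop this PAM suite from running, so it deserves its own commit or a sentence of explanation. On the changed line itself, the test pins only the return code: `res` is assigned and, in the lines visible here, never inspected. The test method begins outside the hunk, so I cannot confirm that its verify script reproduces the stale-print case the commit message describes.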