
pam_exec(8) expose_authtok should send a trailing NUL

Authored by on Aug 30 2018, 11:20 AM.



On Linux PAM, pam_exec(8) expose_authtok sends the password followed by a NUL character. The FreeBSD version doesn't send the NUL. The invoked program may or may not notice, depending on the language, but since the point of expose_authtok is to be compatible with Linux PAM we should send that trailing NUL too.

Test Plan

Create an executable script /tmp/ to dump the password into a file:

cat > /tmp/captured

Create a service file /etc/pam.d/my-service containing:

auth required /path/to/ expose_authtok /tmp/
account required

Install pamtester with pkg, and then test with:

pamtester my-service abc authenticate

Enter "hello" at the password prompt. Now od -c /tmp/captured should show:

0000000    h   e   l   l   o  \0

The same test run on a Linux system ("apt-get install pamtester" for Debian) shows the same output.
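The summary notes that the invoked program may or may not notice the missing NUL. The following is an added example, not code from this revision or from pam_exec, of a helper that reads the token from stdin and accepts both forms, so it behaves the same before and after this change. The names `AUTHTOK_MAX`, `authtok_normalize` and `read_authtok` are assumptions made for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define AUTHTOK_MAX 512	/* assumed limit for this example */

/* Turn the n bytes read from stdin into a C string, in place. Accepts
 * "pw" and "pw\0"; returns the length, or -1 if a NUL sits anywhere
 * but the last byte. buf must have room for n + 1 bytes. */
static long authtok_normalize(char *buf, size_t n)
{
	if (n > 0 && buf[n - 1] == '\0')
		n--;			/* drop the one trailing NUL */
	if (memchr(buf, '\0', n) != NULL)
		return -1;		/* would silently truncate */
	buf[n] = '\0';
	return (long)n;
}

/* Read fd to EOF into buf[cap]; -1 on error or if the input fills buf. */
static long read_authtok(int fd, char *buf, size_t cap)
{
	size_t n = 0;
	ssize_t r = 0;

	while (n < cap) {
		r = read(fd, buf + n, cap - n);
		if (r < 0 && errno == EINTR)
			continue;
		if (r <= 0)
			break;
		n += (size_t)r;
	}
	long len = (r < 0 || n == cap) ? -1 : authtok_normalize(buf, n);
	if (len < 0)
		memset(buf, 0, cap);	/* do not leave partial input behind */
	return len;
}

int main(void)
{
	char pw[AUTHTOK_MAX];
	long len = read_authtok(STDIN_FILENO, pw, sizeof(pw));
	if (len >= 0)	/* report the length only, never the token */
		fprintf(stderr, "authtok length: %ld\n", len);
	memset(pw, 0, sizeof(pw));
	return len < 0;
}
```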

Diff Detail

rS FreeBSD src repository
Automatic diff as part of commit; lint not applicable.
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

created this revision. Aug 30 2018, 11:20 AM
des accepted this revision. Sep 4 2018, 9:01 AM
This revision is now accepted and ready to land. Sep 4 2018, 9:01 AM
This revision was automatically updated to reflect the committed changes.