mirror of
https://github.com/systemd/systemd.git
synced 2024-11-01 09:21:26 +03:00
homed: remove PAM_USER_UNKNOWN test in pam_sm_acct_mgmt
Why this change
---------------

Assumption - PAM's auth stack is properly configured.

Currently account pam_systemd_home.so returns PAM_SUCCESS for non systemd-homed users, and a variety of return values (including PAM_SUCCESS) for homed users.

account pam_unix returns PAM_AUTHINFO_UNAVAIL for systemd-homed users, and a variety of return values (including PAM_AUTHINFO_UNAVAIL) for normal users.

No possible combination in the pam stack can let us preserve the various return values of the modules. For example, the configuration mentioned in the manpage causes account pam_unix to never be reached since pam_systemd_home just returns a success for ordinary users. Users with expired passwords are allowed to log in because a check cannot be made.

More configuration examples and why they don't work are mentioned in #16906 and the downstream discussion linked there.

After this change
-----------------

account pam_unix will continue to return the wrong value for homed users. But we can skip the module conditionally using the return value from account pam_systemd_home. We can already do this with the auth and password modules.
This commit is contained in:
parent
429495163c
commit
842067e675
@ -833,8 +833,6 @@ _public_ PAM_EXTERN int pam_sm_acct_mgmt(
|
||||
pam_syslog(handle, LOG_DEBUG, "pam-systemd-homed account management");
|
||||
|
||||
r = acquire_home(handle, /* please_authenticate = */ false, please_suspend, debug);
|
||||
if (r == PAM_USER_UNKNOWN)
|
||||
return PAM_SUCCESS; /* we don't have anything to say about users we don't manage */
|
||||
if (r != PAM_SUCCESS)
|
||||
return r;
|
||||
|
||||
|
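Review bot: With the `if (r == PAM_USER_UNKNOWN)` early return removed, the remaining `if (r != PAM_SUCCESS) return r;` now hands PAM_USER_UNKNOWN back to the stack for every account homed does not manage, and nothing at the call site records that this is intentional. An existing account stack that treats any non-success result from pam_systemd_home.so as a failure may start rejecting ordinary users after this change, and the commit message itself notes that the man page configuration was written against the old PAM_SUCCESS behaviour. Suggest adding a short comment above `acquire_home(...)` stating that PAM_USER_UNKNOWN is propagated deliberately so the stack can branch on it, and updating the man page example alongside this change (no such update is visible in this hunk).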