[gdm] Don't reveal which user names are valid without authenticating
- From: Ray Strode <halfline src gnome org>
- To: svn-commits-list gnome org
- Cc:
- Subject: [gdm] Don't reveal which user names are valid without authenticating
- Date: Tue, 12 Jan 2010 16:49:06 +0000 (UTC)
commit 1d693eff2060e5db07b09323fd14fdb582e1ec9e
Author: Brian Cameron <Brian Cameron sun com>
Date: Tue Jan 12 11:45:39 2010 -0500
Don't reveal which user names are valid without authenticating
If you enter an invalid account name, then hit return for the password,
it pops up "No account present for user".
GDM should not allow users to find out which account names are valid or
invalid without authenticating.
I understand that the face browser does expose some users, but this is
still an issue for systems that do not have the face browser enabled.
Also, even with the Face Browser, certain users are filtered or
excluded, and users should not be able to find out information about
such users.
To fix this problem, simply change the PAM_USER_UNKNOWN return code
from pam_authenticate to PAM_AUTH_ERR.
See https://bugzilla.gnome.org/show_bug.cgi?id=606703
daemon/gdm-session-worker.c | 8 ++++++++
1 files changed, 8 insertions(+), 0 deletions(-)
---
diff --git a/daemon/gdm-session-worker.c b/daemon/gdm-session-worker.c
index 47a5c08..be371ca 100644
--- a/daemon/gdm-session-worker.c
+++ b/daemon/gdm-session-worker.c
@@ -1406,6 +1406,14 @@ gdm_session_worker_authenticate_user (GdmSessionWorker *worker,
if (error_code != PAM_SUCCESS) {
g_debug ("GdmSessionWorker: authentication returned %d: %s", error_code, pam_strerror (worker->priv->pam_handle, error_code));
+ /*
+ * Do not display a different message for user unknown versus
+ * a failed password for a valid user.
+ */
+ if (error_code = PAM_USER_UNKNOWN) {
+ error_code = PAM_AUTH_ERR;
+ }
+
g_set_error (error,
GDM_SESSION_WORKER_ERROR,
GDM_SESSION_WORKER_ERROR_AUTHENTICATING,
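Review bot: the added condition `if (error_code = PAM_USER_UNKNOWN)` uses assignment instead of comparison, so it is always true (PAM_USER_UNKNOWN is nonzero) and every non-success result from pam_authenticate is rewritten to PAM_AUTH_ERR, not only the unknown-user case. That still hides whether the account exists, but it also collapses distinct failures such as PAM_MAXTRIES or PAM_AUTHINFO_UNAVAIL into a generic authentication error for whatever consumes error_code after this block. Change it to `if (error_code == PAM_USER_UNKNOWN) {` so only the intended code is remapped. The g_debug call above runs before the rewrite, so the original PAM code still reaches the debug log, which is useful for diagnosis and worth keeping in that order.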