[gdm] Don't reveal which user names are valid without authenticating



commit 1d693eff2060e5db07b09323fd14fdb582e1ec9e
Author: Brian Cameron <Brian Cameron sun com>
Date:   Tue Jan 12 11:45:39 2010 -0500

    Don't reveal which user names are valid without authenticating
    
    If you enter an invalid account name, then hit return for the password,
    it pops up "No account present for user"
    
    GDM should not allow users to find out which account names are valid or
    invalid without authenticating.
    
    I understand that the face browser does expose some users, but this is
    still an issue for systems that do not have the face browser enabled.
    Also, even with the Face Browser, certain users are filtered or
    excluded, and users should not be able to find out information about
    such users.
    
    To fix this problem, simply change the PAM_USER_UNKNOWN return code
    from pam_authenticate to PAM_AUTH_ERR.
    
    See https://bugzilla.gnome.org/show_bug.cgi?id=606703

 daemon/gdm-session-worker.c |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)
---
diff --git a/daemon/gdm-session-worker.c b/daemon/gdm-session-worker.c
index 47a5c08..be371ca 100644
--- a/daemon/gdm-session-worker.c
+++ b/daemon/gdm-session-worker.c
@@ -1406,6 +1406,14 @@ gdm_session_worker_authenticate_user (GdmSessionWorker *worker,
         if (error_code != PAM_SUCCESS) {
                 g_debug ("GdmSessionWorker: authentication returned %d: %s", error_code, pam_strerror (worker->priv->pam_handle, error_code));
 
+                /*
+                 * Do not display a different message for user unknown versus
+                 * a failed password for a valid user.
+                 */
+                if (error_code = PAM_USER_UNKNOWN) {
+                        error_code = PAM_AUTH_ERR;
+                }
+
                 g_set_error (error,
                              GDM_SESSION_WORKER_ERROR,
                              GDM_SESSION_WORKER_ERROR_AUTHENTICATING,
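
Review bot: the added condition `if (error_code = PAM_USER_UNKNOWN)` uses assignment instead of comparison, so it needs to be `if (error_code == PAM_USER_UNKNOWN)`. As written, the expression stores PAM_USER_UNKNOWN into error_code and, because that constant is non-zero, the branch is always taken, so every failure that reaches this block (not just an unknown user) is rewritten to PAM_AUTH_ERR before the g_set_error call. The username-enumeration goal still holds, since the outcome is uniform, but any other pam_authenticate failure code is lost to the code that follows, and only the g_debug line above still records the original value. Building with -Wall (which enables -Wparentheses) flags this pattern.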


