auth: reworked pam auth, added pam_setcred

xJayMorex · xJayMorex · commit ea64d174b356 · 2025-11-17T16:18:12.000+01:00
diff --git a/src/auth/Pam.cpp b/src/auth/Pam.cpp
@@ -111,27 +111,43 @@ bool CPam::auth() {
     auto           uidPassword = getpwuid(getuid());
     RASSERT(uidPassword && uidPassword->pw_name, "Failed to get username (getpwuid)");
 
-    int ret = pam_start(m_sPamModule.c_str(), uidPassword->pw_name, &localConv, &handle);
+    int ret;
+    std::string primaryMessage;
+    std::string secondaryMessage;
+
+    for (int i = 0; i < 4; i++) {
+        switch (i) {
+            case 0:
+                ret = pam_start(m_sPamModule.c_str(), uidPassword->pw_name, &localConv, &handle);
+                primaryMessage = secondaryMessage = "pam_start failed";
+                break;
+            case 1:
+                ret = pam_authenticate(handle, 0);
+                primaryMessage = "Authentication failed";
+                secondaryMessage = "pam_authenticate failed";
+                break;
+            case 2:
+                ret = pam_setcred(handle, PAM_REFRESH_CRED);
+                primaryMessage = "Setting credentials failed";
+                secondaryMessage = "pam_setcred failed";
+                break;
+            case 3:
+                ret = pam_end(handle, ret);
+                primaryMessage = secondaryMessage = "pam_end failed";
+                break;
+        }
 
-    if (ret != PAM_SUCCESS) {
-        m_sConversationState.failText = "pam_start failed";
-        Debug::log(ERR, "auth: pam_start failed for {}", m_sPamModule);
-        return false;
+        if (ret != PAM_SUCCESS) {
+            handle = nullptr;
+            if (!m_sConversationState.failTextFromPam)
+                m_sConversationState.failText = ret == PAM_AUTH_ERR ? primaryMessage : secondaryMessage;
+            Debug::log(ERR, "auth: {} for {}", m_sConversationState.failText, m_sPamModule);
+            return false;
+        }
     }
 
-    ret = pam_authenticate(handle, 0);
-    pam_end(handle, ret);
     handle = nullptr;
-
     m_sConversationState.waitingForPamAuth = false;
-
-    if (ret != PAM_SUCCESS) {
-        if (!m_sConversationState.failTextFromPam)
-            m_sConversationState.failText = ret == PAM_AUTH_ERR ? "Authentication failed" : "pam_authenticate failed";
-        Debug::log(ERR, "auth: {} for {}", m_sConversationState.failText, m_sPamModule);
-        return false;
-    }
-
     m_sConversationState.failText = "Successfully authenticated";
     Debug::log(LOG, "auth: authenticated for {}", m_sPamModule);
 
