check if user file exists before trying to open

and return AUTH_NO_TOKENS if file doesn't exist. This fixes issues in the nullok case where this user should just be skipped over, handle other issues with user file as an AUTH_ERROR. fixes #194
Yubico · Jun 24, 2019 · f300115 · f300115
1 parent fcfcba6
commit f300115
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/pam_yubico.c b/pam_yubico.c
@@ -181,6 +181,7 @@ authorize_user_token (struct cfg *cfg,
       size_t buflen = sizeof(buf);
       int pwres;
       PAM_MODUTIL_DEF_PRIVS(privs);
+      struct stat st;
 
       pwres = getpwnam_r (username, &pass, buf, buflen, &p);
       if (p == NULL) {
@@ -206,7 +207,11 @@ authorize_user_token (struct cfg *cfg,
         goto free_out;
       }
 
-      retval = check_user_token (userfile, username, otp_id, cfg->debug, cfg->debug_file);
+      if (stat (userfile, &st) != 0 && errno == ENOENT) {
+        retval = AUTH_NO_TOKENS;
+      } else {
+        retval = check_user_token (userfile, username, otp_id, cfg->debug, cfg->debug_file);
+      }
 
       if(pam_modutil_regain_priv(pamh, &privs)) {
         DBG ("could not restore privileges");