home: Report PAM_USER_UNKNOWN as PAM_IGNORE instead of PAM_SUCCESS

[chandradeepdey]

Currently pam_sm_acct_mgmt() and pam_sm_open_session() both ignore PAM_USER_UNKNOWN and instead return PAM_SUCCESS

It would be nice if the functions just returned PAM_USER_UNKNOWN. This would allow things like -

session   [success=1 new_authtok_reqd=1 ignore=ignore user_unknown=ignore default=bad]  pam_systemd_home.so
session   required  pam_unix.so

Basically, this would allow testing against user_unknown in pam.conf(5).

[chandradeepdey]

I don't think there is much to do with a user_unknown from homed other than ignoring it in the configuration files. This is hard if it returns success as it is currently doing. However, we achieve the same goal by returning ignore instead of user_unknown.

This would make my example more elegant since it would become:
[success=1 new_authtok_reqd=1 ignore=ignore default=bad]

This almost mirrors the required control:
[success=ok new_authtok_reqd=ok ignore=ignore default=bad]

[chandradeepdey]

Further, relying on the current PAM_SUCCESS value could lead to segfault on trying to use sudo. While this might be obvious to someone reading the code, the documentation doesn't mention that "success" doesn't really mean success and that we should not depend on its return value.

I realise that this is a configuration issue and it can be avoided by some combination of using pam_deny.so, changing the controls, and changing the order of pam_systemd_home and pam_unix. Just reporting the observation anyway.

[chandradeepdey]

#15118 (comment)