Propagate all error kinds from pam::converse not just timeouts

bjorn3 · bjorn3 · commit 48fad5f21a66 · 2025-11-19T13:34:34.000+01:00
This way they rather than silently discarding the error message and
doing another authentication attempt, they properly report the error
message and cause sudo to exit. This way for example pam_faillock won't
cause a persistent error like incorrect SUDO_ASKPASS value (once
implemented) to be treated as multiple successive failed password
attempts.
diff --git a/src/pam/converse.rs b/src/pam/converse.rs
@@ -186,7 +186,7 @@ pub(super) struct ConverserData<C> {
     // pam_authenticate does not return error codes returned by the conversation
     // function; these are set by the conversation function instead of returning
     // multiple error codes.
-    pub(super) timed_out: bool,
+    pub(super) error: Option<PamError>,
     pub(super) panicked: bool,
 }
 
@@ -236,11 +236,10 @@ pub(super) unsafe extern "C" fn converse<C: Converser>(
                 Ok(resp_buf) => {
                     resp_bufs.push(resp_buf);
                 }
-                Err(PamError::TimedOut) => {
-                    app_data.timed_out = true;
+                Err(err) => {
+                    app_data.error = Some(err);
                     return PamErrorType::ConversationError;
                 }
-                Err(_) => return PamErrorType::ConversationError,
             }
         }
 
@@ -417,7 +416,7 @@ mod test {
             converser_name: "tux".to_string(),
             no_interact: false,
             auth_prompt: Some("authenticate".to_owned()),
-            timed_out: false,
+            error: None,
             panicked: false,
         });
         let cookie = PamConvBorrow::new(hello.as_mut());
diff --git a/src/pam/mod.rs b/src/pam/mod.rs
@@ -80,7 +80,7 @@ impl PamContext {
             converser_name: converser_name.to_owned(),
             no_interact,
             auth_prompt: Some("authenticate".to_owned()),
-            timed_out: false,
+            error: None,
             panicked: false,
         }));
 
@@ -176,8 +176,8 @@ impl PamContext {
         }
 
         // SAFETY: self.data_ptr was created by Box::into_raw
-        if unsafe { (*self.data_ptr).timed_out } {
-            return Err(PamError::TimedOut);
+        if let Some(error) = unsafe { (*self.data_ptr).error.take() } {
+            return Err(error);
         }
 
         #[allow(clippy::question_mark)]

Original file line number	Diff line number	Diff line change
`@@ -186,7 +186,7 @@ pub(super) struct ConverserData<C> {`
`186`	`186`	`// pam_authenticate does not return error codes returned by the conversation`
`187`	`187`	`// function; these are set by the conversation function instead of returning`
`188`	`188`	`// multiple error codes.`
`189`		`- pub(super) timed_out: bool,`
	`189`	`+ pub(super) error: Option<PamError>,`
`190`	`190`	`pub(super) panicked: bool,`
`191`	`191`	`}`
`192`	`192`
`@@ -236,11 +236,10 @@ pub(super) unsafe extern "C" fn converse<C: Converser>(`
`236`	`236`	`Ok(resp_buf) => {`
`237`	`237`	`resp_bufs.push(resp_buf);`
`238`	`238`	`}`
`239`		`- Err(PamError::TimedOut) => {`
`240`		`- app_data.timed_out = true;`
	`239`	`+ Err(err) => {`
	`240`	`+ app_data.error = Some(err);`
`241`	`241`	`return PamErrorType::ConversationError;`
`242`	`242`	`}`
`243`		`- Err(_) => return PamErrorType::ConversationError,`
`244`	`243`	`}`
`245`	`244`	`}`
`246`	`245`
`@@ -417,7 +416,7 @@ mod test {`
`417`	`416`	`converser_name: "tux".to_string(),`
`418`	`417`	`no_interact: false,`
`419`	`418`	`auth_prompt: Some("authenticate".to_owned()),`
`420`		`- timed_out: false,`
	`419`	`+ error: None,`
`421`	`420`	`panicked: false,`
`422`	`421`	`});`
`423`	`422`	`let cookie = PamConvBorrow::new(hello.as_mut());`