Base the comparison on UIDs, not on user names.

Sponsored by:	DARPA, NAI Labs

lib/libpam/modules/pam_self/pam_self.8

@@ -61,8 +61,8 @@ It also provides a null function for session management.
 .Ss Self Authentication Module
 The Self authentication component
 .Pq Fn pam_sm_authenticate ,
-returns success if and only if the source and target user names are
+returns success if and only if the target user's user ID is identical
-identical.
+with the current real user ID.
 .Pp
 The following options may be passed to the authentication module:
 .Bl -tag -width ".Cm no_warn"

lib/libpam/modules/pam_self/pam_self.c

@@ -39,6 +39,7 @@ __FBSDID("$FreeBSD$");
 
 #define _BSD_SOURCE
 
+#include <pwd.h>
 #include <unistd.h>
 #include <syslog.h>
 
@@ -54,24 +55,21 @@ PAM_EXTERN int
 pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
 {
 	struct options options;
-	const char *luser, *ruser;
+	struct passwd *pwd;
-	int r;
+	const char *luser;
+	int pam_err;
 
 	pam_std_option(&options, NULL, argc, argv);
 
 	PAM_LOG("Options processed");
 
-	r = pam_get_item(pamh, PAM_USER, (const void **)&luser);
+	pam_err = pam_get_item(pamh, PAM_USER, (const void **)&luser);
-	if (r != PAM_SUCCESS)
+	if (pam_err != PAM_SUCCESS)
-		PAM_RETURN(r);
+		PAM_RETURN(pam_err);
-	if (luser == NULL)
+	if (luser == NULL || (pwd = getpwnam(luser)) == NULL)
-		PAM_RETURN(PAM_USER_UNKNOWN);
+		PAM_RETURN(PAM_AUTH_ERR);
-	
-	r = pam_get_item(pamh, PAM_RUSER, (const void **)&ruser);
-	if (r != PAM_SUCCESS)
-		PAM_RETURN(r);
 
-	if (strcmp(luser, ruser) == 0)
+	if (getuid() == (uid_t)pwd->pw_uid)
 		PAM_RETURN(PAM_SUCCESS);
 	
 	PAM_VERBOSE_ERROR("Refused; source and target users differ");