pam/go-exec/module: More consistent behavior for fatal signals

3v1n0 · 3v1n0 · commit 2e5b3dd47d0e · 2025-03-12T18:48:40.000Z
Sadly some signals such as SIGABRT or SIGSEGV are handled by go and in the wrong way because it never redirects them as expected, so in such cases we just fail with a normal exit error instead of because of a signal. Reported this upstream and adding comments about. See: golang/go#72084
diff --git a/pam/go-exec/module.c b/pam/go-exec/module.c
@@ -436,6 +436,17 @@ wait_child_thread (gpointer data)
 
       if (ret == child_pid && WIFEXITED (status))
         {
+          /* Sadly go childs that exits because of SIGABRT or SIGSEGV do not
+           * have a WIFSIGNALED status, but instead exit with 2 exit status.
+           * See: https://pkg.go.dev/runtime
+           * So in such case we just return a generic system error, to be
+           * consistent with signals (plus, we never return pam.ErrSymbol).
+           * This is an upstream bug, but they refuse to fix or allow a
+           * better handling: https://github.com/golang/go/issues/72084
+           */
+          if (WEXITSTATUS (status) == 2)
+            break;
+
           exit_status = WEXITSTATUS (status);
           break;
         }
diff --git a/pam/integration-tests/exec_test.go b/pam/integration-tests/exec_test.go
@@ -226,7 +226,7 @@ func TestExecModule(t *testing.T) {
 		},
 		"Error_when_client_fails_panicking": {
 			methodCalls: []cliMethodCall{{m: "SimulateClientPanic", args: []any{"Client panicked! (As expected)"}}},
-			wantError:   pam.ErrSymbol,
+			wantError:   pam.ErrSystem,
 		},
 		"Error_when_client_fails_because_an_unhandled_error": {
 			methodCalls: []cliMethodCall{{m: "SimulateClientError", args: []any{"Client error!"}}},
@@ -240,6 +240,14 @@ func TestExecModule(t *testing.T) {
 			methodCalls: []cliMethodCall{{m: "SimulateClientSignal", args: []any{syscall.SIGKILL, true}}},
 			wantError:   pam.ErrSystem,
 		},
+		"Error_when_client_fails_because_a_client_SIGSEGV_signal": {
+			methodCalls: []cliMethodCall{{m: "SimulateClientSignal", args: []any{syscall.SIGSEGV, true}}},
+			wantError:   pam.ErrSystem,
+		},
+		"Error_when_client_fails_because_a_client_SIGABRT_signal": {
+			methodCalls: []cliMethodCall{{m: "SimulateClientSignal", args: []any{syscall.SIGABRT, true}}},
+			wantError:   pam.ErrSystem,
+		},
 	}
 	for name, tc := range cliTests {
 		t.Run("Client "+name, func(t *testing.T) {
