mirror of
https://github.com/github/codeql.git
synced 2025-12-18 01:33:15 +01:00
This PR is similar to my other PRs for [Python](https://github.com/github/codeql/pull/8595) and [Golang](https://github.com/github/codeql-go/pull/709). This PR aims to detect instances where an initiated PAM Transaction invokes the `pam_authenticate` method but does not invoke a call to the `pam_acct_mgmt` method. This is bad as a call to `pam_authenticate` only verifies the user's credentials. It does not check if the user account is still in a valid state. If only a call to `pam_authenticate` is used to verify the user, a user with an expired account password would still be able to log in. This can be prevented by calling the `pam_acct_mgmt` function after a `pam_authenticate` function.
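
The pattern described above, as an added example that is not part of the original PR or the CodeQL project's code. It runs offline against constructed stand-ins: the `mock_*` functions, the `mock_account` struct and the `MOCK_*` return codes are assumptions that model the behaviour of `pam_authenticate` and `pam_acct_mgmt`, not the libpam API itself.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for libpam so the example runs offline. The mock_*
 * functions model pam_authenticate(pamh, flags) and pam_acct_mgmt(pamh, flags);
 * the names, struct and return codes here are assumptions for illustration. */
enum { MOCK_SUCCESS = 0, MOCK_AUTH_ERR = 1, MOCK_ACCT_EXPIRED = 2 };

struct mock_account {            /* constructed sample account record */
    const char *user;
    const char *password;
    int expired;                 /* non-zero: account password has expired */
};

/* Like pam_authenticate: checks the credentials and nothing else. */
static int mock_pam_authenticate(const struct mock_account *a, const char *pw) {
    return strcmp(a->password, pw) == 0 ? MOCK_SUCCESS : MOCK_AUTH_ERR;
}

/* Like pam_acct_mgmt: checks that the account is still in a valid state. */
static int mock_pam_acct_mgmt(const struct mock_account *a) {
    return a->expired ? MOCK_ACCT_EXPIRED : MOCK_SUCCESS;
}

/* Flagged pattern: the login decision rests on authentication alone. */
int login_auth_only(const struct mock_account *a, const char *pw) {
    return mock_pam_authenticate(a, pw) == MOCK_SUCCESS;
}

/* Corrected pattern: account validity is checked after authentication,
 * and both results must be success before access is granted. */
int login_with_acct_mgmt(const struct mock_account *a, const char *pw) {
    int rc = mock_pam_authenticate(a, pw);
    if (rc != MOCK_SUCCESS)
        return 0;
    rc = mock_pam_acct_mgmt(a);
    return rc == MOCK_SUCCESS;
}

int main(void) {
    struct mock_account expired = { "alice", "correct-horse", 1 };
    printf("auth only:      %d\n", login_auth_only(&expired, "correct-horse"));
    printf("with acct_mgmt: %d\n", login_with_acct_mgmt(&expired, "correct-horse"));
    return 0;
}
```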