From 5d6f4f8ea4d3cd53cac986fb8551d212e615a6a3 Mon Sep 17 00:00:00 2001
From: nekral-guest <nekral-guest@5a98b0ae-9ef6-0310-add3-de5d479b70d7>
Date: Mon, 13 Jun 2011 18:27:12 +0000
Subject: [PATCH] 	* src/su.c: Merge environment setting blocks after the
 creation of 	the session.

---
 ChangeLog |   2 +
 src/su.c  | 113 ++++++++++++++++++++++++++++--------------------------
 2 files changed, 60 insertions(+), 55 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 662cc08f..9f00f94d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,8 @@
 	* src/su.c: Split check_perms() in to a PAM (check_perms_pam) and
 	a non-PAM (check_perms_nopam) version.
 	* src/su.c: Cleanup check_perms_nopam().
+	* src/su.c: Merge environment setting blocks after the creation of
+	the session.
 
 2011-06-10  Nicolas François  <nicolas.francois@centraliens.net>
 
diff --git a/src/su.c b/src/su.c
index ad566380..3ec46c47 100644
--- a/src/su.c
+++ b/src/su.c
@@ -867,6 +867,64 @@ int main (int argc, char **argv)
 		shellstr = SHELL;
 	}
 
+	sulog (caller_tty, true, caller_name, name);	/* save SU information */
+	endpwent ();
+	endspent ();
+#ifdef USE_SYSLOG
+	if (getdef_bool ("SYSLOG_SU_ENAB")) {
+		SYSLOG ((LOG_INFO, "+ %s %s:%s", caller_tty,
+		         ('\0' != caller_name[0]) ? caller_name : "???",
+		         ('\0' != name[0]) ? name : "???"));
+	}
+#endif
+
+#ifdef USE_PAM
+	/* set primary group id and supplementary groups */
+	if (setup_groups (pw) != 0) {
+		pam_end (pamh, PAM_ABORT);
+		exit (1);
+	}
+
+	/*
+	 * pam_setcred() may do things like resource limits, console groups,
+	 * and much more, depending on the configured modules
+	 */
+	ret = pam_setcred (pamh, PAM_ESTABLISH_CRED);
+	if (PAM_SUCCESS != ret) {
+		SYSLOG ((LOG_ERR, "pam_setcred: %s", pam_strerror (pamh, ret)));
+		fprintf (stderr, _("%s: %s\n"), Prog, pam_strerror (pamh, ret));
+		(void) pam_end (pamh, ret);
+		exit (1);
+	}
+
+	ret = pam_open_session (pamh, 0);
+	if (PAM_SUCCESS != ret) {
+		SYSLOG ((LOG_ERR, "pam_open_session: %s",
+			 pam_strerror (pamh, ret)));
+		fprintf (stderr, _("%s: %s\n"), Prog, pam_strerror (pamh, ret));
+		pam_setcred (pamh, PAM_DELETE_CRED);
+		(void) pam_end (pamh, ret);
+		exit (1);
+	}
+
+	/* become the new user */
+	if (change_uid (pw) != 0) {
+		pam_close_session (pamh, 0);
+		pam_setcred (pamh, PAM_DELETE_CRED);
+		(void) pam_end (pamh, PAM_ABORT);
+		exit (1);
+	}
+#else				/* !USE_PAM */
+	/* no limits if su from root (unless su must fake login's behavior) */
+	if (!caller_is_root || fakelogin) {
+		setup_limits (pw);
+	}
+
+	if (setup_uid_gid (pw, caller_on_console) != 0) {
+		exit (1);
+	}
+#endif				/* !USE_PAM */
+
 	/*
 	 * If a new login is being set up, the old environment will be
 	 * ignored and a new one created later on.
@@ -942,46 +1000,7 @@ int main (int argc, char **argv)
 		addenv ("IFS= \t\n", NULL);	/* ... instead, set a safe IFS */
 	}
 
-	sulog (caller_tty, true, caller_name, name);	/* save SU information */
-	endpwent ();
-	endspent ();
-#ifdef USE_SYSLOG
-	if (getdef_bool ("SYSLOG_SU_ENAB")) {
-		SYSLOG ((LOG_INFO, "+ %s %s:%s", caller_tty,
-		         ('\0' != caller_name[0]) ? caller_name : "???",
-		         ('\0' != name[0]) ? name : "???"));
-	}
-#endif
-
 #ifdef USE_PAM
-	/* set primary group id and supplementary groups */
-	if (setup_groups (pw) != 0) {
-		pam_end (pamh, PAM_ABORT);
-		exit (1);
-	}
-
-	/*
-	 * pam_setcred() may do things like resource limits, console groups,
-	 * and much more, depending on the configured modules
-	 */
-	ret = pam_setcred (pamh, PAM_ESTABLISH_CRED);
-	if (PAM_SUCCESS != ret) {
-		SYSLOG ((LOG_ERR, "pam_setcred: %s", pam_strerror (pamh, ret)));
-		fprintf (stderr, _("%s: %s\n"), Prog, pam_strerror (pamh, ret));
-		(void) pam_end (pamh, ret);
-		exit (1);
-	}
-
-	ret = pam_open_session (pamh, 0);
-	if (PAM_SUCCESS != ret) {
-		SYSLOG ((LOG_ERR, "pam_open_session: %s",
-			 pam_strerror (pamh, ret)));
-		fprintf (stderr, _("%s: %s\n"), Prog, pam_strerror (pamh, ret));
-		pam_setcred (pamh, PAM_DELETE_CRED);
-		(void) pam_end (pamh, ret);
-		exit (1);
-	}
-
 	/* we need to setup the environment *after* pam_open_session(),
 	 * else the UID is changed before stuff like pam_xauth could
 	 * run, and we cannot access /etc/shadow and co
@@ -999,24 +1018,8 @@ int main (int argc, char **argv)
 		}
 	}
 
-	/* become the new user */
-	if (change_uid (pw) != 0) {
-		pam_close_session (pamh, 0);
-		pam_setcred (pamh, PAM_DELETE_CRED);
-		(void) pam_end (pamh, PAM_ABORT);
-		exit (1);
-	}
 #else				/* !USE_PAM */
 	environ = newenvp;	/* make new environment active */
-
-	/* no limits if su from root (unless su must fake login's behavior) */
-	if (!caller_is_root || fakelogin) {
-		setup_limits (pw);
-	}
-
-	if (setup_uid_gid (pw, caller_on_console) != 0) {
-		exit (1);
-	}
 #endif				/* !USE_PAM */
 
 	if (change_environment) {