* src/su.c: Cleanup check_perms_nopam().

This commit is contained in:
nekral-guest 2011-06-13 18:27:06 +00:00
parent 927c2f06a3
commit b63c830547
2 changed files with 48 additions and 50 deletions

View File

@ -4,6 +4,7 @@
used to save the caller's context.
* src/su.c: Split check_perms() in to a PAM (check_perms_pam) and
a non-PAM (check_perms_nopam) version.
* src/su.c: Cleanup check_perms_nopam().
2011-06-10 Nicolas François <nicolas.francois@centraliens.net>

View File

@ -450,7 +450,7 @@ static void check_perms_pam (struct passwd *pw)
}
} else {
SYSLOG ((LOG_ERR, "pam_acct_mgmt: %s",
pam_strerror (pamh, ret)));
pam_strerror (pamh, ret)));
fprintf (stderr,
_("%s: %s\n"),
Prog, pam_strerror (pamh, ret));
@ -462,11 +462,13 @@ static void check_perms_pam (struct passwd *pw)
#else /* !USE_PAM */
static void check_perms_nopam (struct passwd *pw)
{
#ifdef SU_ACCESS
struct spwd *spwd = NULL;
#endif /* SU_ACCESS */
RETSIGTYPE (*oldsig) (int);
if (caller_is_root) {
return;
}
/*
* BSD systems only allow "wheel" to SU to root. USG systems don't,
* so we make this a configurable option.
@ -485,41 +487,39 @@ static void check_perms_nopam (struct passwd *pw)
* to Chris Evans <lady0110@sable.ox.ac.uk>.
*/
if (!caller_is_root) {
if ( (0 == pw->pw_uid)
&& getdef_bool ("SU_WHEEL_ONLY")
&& !iswheel (caller_name)) {
fprintf (stderr,
_("You are not authorized to su %s\n"),
name);
exit (1);
}
#ifdef SU_ACCESS
spwd = getspnam (name); /* !USE_PAM, no need for xgetspnam */
if (strcmp (pw->pw_passwd, SHADOW_PASSWD_STRING) == 0) {
if (NULL != spwd) {
pw->pw_passwd = spwd->sp_pwdp;
}
}
switch (check_su_auth (caller_name, name, 0 == pw->pw_uid)) {
case 0: /* normal su, require target user's password */
break;
case 1: /* require no password */
pw->pw_passwd = ""; /* XXX warning: const */
break;
case 2: /* require own password */
puts (_("(Enter your own password)"));
pw->pw_passwd = caller_pass;
break;
default: /* access denied (-1) or unexpected value */
fprintf (stderr,
_("You are not authorized to su %s\n"),
name);
exit (1);
}
#endif /* SU_ACCESS */
if ( (0 == pw->pw_uid)
&& getdef_bool ("SU_WHEEL_ONLY")
&& !iswheel (caller_name)) {
fprintf (stderr,
_("You are not authorized to su %s\n"),
name);
exit (1);
}
spwd = getspnam (name); /* !USE_PAM, no need for xgetspnam */
#ifdef SU_ACCESS
if (strcmp (pw->pw_passwd, SHADOW_PASSWD_STRING) == 0) {
if (NULL != spwd) {
pw->pw_passwd = spwd->sp_pwdp;
}
}
switch (check_su_auth (caller_name, name, 0 == pw->pw_uid)) {
case 0: /* normal su, require target user's password */
break;
case 1: /* require no password */
pw->pw_passwd = ""; /* XXX warning: const */
break;
case 2: /* require own password */
puts (_("(Enter your own password)"));
pw->pw_passwd = caller_pass;
break;
default: /* access denied (-1) or unexpected value */
fprintf (stderr,
_("You are not authorized to su %s\n"),
name);
exit (1);
}
#endif /* SU_ACCESS */
/*
* Set up a signal handler in case the user types QUIT.
*/
@ -531,8 +531,7 @@ static void check_perms_nopam (struct passwd *pw)
* The first character of an administrator defined method is an '@'
* character.
*/
if ( !caller_is_root
&& (pw_auth (pw->pw_passwd, name, PW_SU, (char *) 0) != 0)) {
if (pw_auth (pw->pw_passwd, name, PW_SU, (char *) 0) != 0) {
SYSLOG (((pw->pw_uid != 0)? LOG_NOTICE : LOG_WARN,
"Authentication failed for %s", name));
fprintf(stderr, _("%s: Authentication failure\n"), Prog);
@ -545,7 +544,7 @@ static void check_perms_nopam (struct passwd *pw)
* expired accounts, but normal users can't become a user with an
* expired password.
*/
if ((!caller_is_root) && (NULL != spwd)) {
if (NULL != spwd) {
(void) expire (pw, spwd);
}
@ -555,16 +554,14 @@ static void check_perms_nopam (struct passwd *pw)
* there is a "SU" entry in the /etc/porttime file denying access to
* the account.
*/
if (!caller_is_root) {
if (!isttytime (name, "SU", time ((time_t *) 0))) {
SYSLOG (((0 != pw->pw_uid) ? LOG_WARN : LOG_CRIT,
"SU by %s to restricted account %s",
caller_name, name));
fprintf (stderr,
_("%s: You are not authorized to su at that time\n"),
Prog);
su_failure (caller_tty, 0 == pw->pw_uid);
}
if (!isttytime (name, "SU", time ((time_t *) 0))) {
SYSLOG (((0 != pw->pw_uid) ? LOG_WARN : LOG_CRIT,
"SU by %s to restricted account %s",
caller_name, name));
fprintf (stderr,
_("%s: You are not authorized to su at that time\n"),
Prog);
su_failure (caller_tty, 0 == pw->pw_uid);
}
}
#endif /* !USE_PAM */