From b63c830547f911ab1a4605089e80e08f2f415f83 Mon Sep 17 00:00:00 2001 From: nekral-guest Date: Mon, 13 Jun 2011 18:27:06 +0000 Subject: [PATCH] * src/su.c: Cleanup check_perms_nopam(). --- ChangeLog | 1 + src/su.c | 97 +++++++++++++++++++++++++++---------------------------- 2 files changed, 48 insertions(+), 50 deletions(-) diff --git a/ChangeLog b/ChangeLog index cd31be34..662cc08f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,6 +4,7 @@ used to save the caller's context. * src/su.c: Split check_perms() in to a PAM (check_perms_pam) and a non-PAM (check_perms_nopam) version. + * src/su.c: Cleanup check_perms_nopam(). 2011-06-10 Nicolas François diff --git a/src/su.c b/src/su.c index 4f96c322..ad566380 100644 --- a/src/su.c +++ b/src/su.c @@ -450,7 +450,7 @@ static void check_perms_pam (struct passwd *pw) } } else { SYSLOG ((LOG_ERR, "pam_acct_mgmt: %s", - pam_strerror (pamh, ret))); + pam_strerror (pamh, ret))); fprintf (stderr, _("%s: %s\n"), Prog, pam_strerror (pamh, ret)); @@ -462,11 +462,13 @@ static void check_perms_pam (struct passwd *pw) #else /* !USE_PAM */ static void check_perms_nopam (struct passwd *pw) { -#ifdef SU_ACCESS struct spwd *spwd = NULL; -#endif /* SU_ACCESS */ RETSIGTYPE (*oldsig) (int); + if (caller_is_root) { + return; + } + /* * BSD systems only allow "wheel" to SU to root. USG systems don't, * so we make this a configurable option. @@ -485,41 +487,39 @@ static void check_perms_nopam (struct passwd *pw) * to Chris Evans . */ - if (!caller_is_root) { - if ( (0 == pw->pw_uid) - && getdef_bool ("SU_WHEEL_ONLY") - && !iswheel (caller_name)) { - fprintf (stderr, - _("You are not authorized to su %s\n"), - name); - exit (1); - } -#ifdef SU_ACCESS - spwd = getspnam (name); /* !USE_PAM, no need for xgetspnam */ - if (strcmp (pw->pw_passwd, SHADOW_PASSWD_STRING) == 0) { - if (NULL != spwd) { - pw->pw_passwd = spwd->sp_pwdp; - } - } - - switch (check_su_auth (caller_name, name, 0 == pw->pw_uid)) { - case 0: /* normal su, require target user's password */ - break; - case 1: /* require no password */ - pw->pw_passwd = ""; /* XXX warning: const */ - break; - case 2: /* require own password */ - puts (_("(Enter your own password)")); - pw->pw_passwd = caller_pass; - break; - default: /* access denied (-1) or unexpected value */ - fprintf (stderr, - _("You are not authorized to su %s\n"), - name); - exit (1); - } -#endif /* SU_ACCESS */ + if ( (0 == pw->pw_uid) + && getdef_bool ("SU_WHEEL_ONLY") + && !iswheel (caller_name)) { + fprintf (stderr, + _("You are not authorized to su %s\n"), + name); + exit (1); } + spwd = getspnam (name); /* !USE_PAM, no need for xgetspnam */ +#ifdef SU_ACCESS + if (strcmp (pw->pw_passwd, SHADOW_PASSWD_STRING) == 0) { + if (NULL != spwd) { + pw->pw_passwd = spwd->sp_pwdp; + } + } + + switch (check_su_auth (caller_name, name, 0 == pw->pw_uid)) { + case 0: /* normal su, require target user's password */ + break; + case 1: /* require no password */ + pw->pw_passwd = ""; /* XXX warning: const */ + break; + case 2: /* require own password */ + puts (_("(Enter your own password)")); + pw->pw_passwd = caller_pass; + break; + default: /* access denied (-1) or unexpected value */ + fprintf (stderr, + _("You are not authorized to su %s\n"), + name); + exit (1); + } +#endif /* SU_ACCESS */ /* * Set up a signal handler in case the user types QUIT. */ @@ -531,8 +531,7 @@ static void check_perms_nopam (struct passwd *pw) * The first character of an administrator defined method is an '@' * character. */ - if ( !caller_is_root - && (pw_auth (pw->pw_passwd, name, PW_SU, (char *) 0) != 0)) { + if (pw_auth (pw->pw_passwd, name, PW_SU, (char *) 0) != 0) { SYSLOG (((pw->pw_uid != 0)? LOG_NOTICE : LOG_WARN, "Authentication failed for %s", name)); fprintf(stderr, _("%s: Authentication failure\n"), Prog); @@ -545,7 +544,7 @@ static void check_perms_nopam (struct passwd *pw) * expired accounts, but normal users can't become a user with an * expired password. */ - if ((!caller_is_root) && (NULL != spwd)) { + if (NULL != spwd) { (void) expire (pw, spwd); } @@ -555,16 +554,14 @@ static void check_perms_nopam (struct passwd *pw) * there is a "SU" entry in the /etc/porttime file denying access to * the account. */ - if (!caller_is_root) { - if (!isttytime (name, "SU", time ((time_t *) 0))) { - SYSLOG (((0 != pw->pw_uid) ? LOG_WARN : LOG_CRIT, - "SU by %s to restricted account %s", - caller_name, name)); - fprintf (stderr, - _("%s: You are not authorized to su at that time\n"), - Prog); - su_failure (caller_tty, 0 == pw->pw_uid); - } + if (!isttytime (name, "SU", time ((time_t *) 0))) { + SYSLOG (((0 != pw->pw_uid) ? LOG_WARN : LOG_CRIT, + "SU by %s to restricted account %s", + caller_name, name)); + fprintf (stderr, + _("%s: You are not authorized to su at that time\n"), + Prog); + su_failure (caller_tty, 0 == pw->pw_uid); } } #endif /* !USE_PAM */