* src/su.c: Cleanup check_perms_nopam().
This commit is contained in:
parent
927c2f06a3
commit
b63c830547
@ -4,6 +4,7 @@
|
|||||||
used to save the caller's context.
|
used to save the caller's context.
|
||||||
* src/su.c: Split check_perms() in to a PAM (check_perms_pam) and
|
* src/su.c: Split check_perms() in to a PAM (check_perms_pam) and
|
||||||
a non-PAM (check_perms_nopam) version.
|
a non-PAM (check_perms_nopam) version.
|
||||||
|
* src/su.c: Cleanup check_perms_nopam().
|
||||||
|
|
||||||
2011-06-10 Nicolas François <nicolas.francois@centraliens.net>
|
2011-06-10 Nicolas François <nicolas.francois@centraliens.net>
|
||||||
|
|
||||||
|
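--- a/src/su.c
+++ b/src/su.c
@@ -462,11 +462,13 @@ static void check_perms_pam (struct passwd *pw)
 #else /* !USE_PAM */
 static void check_perms_nopam (struct passwd *pw)
 {
-#ifdef SU_ACCESS
 struct spwd *spwd = NULL;
-#endif /* SU_ACCESS */
 RETSIGTYPE (*oldsig) (int);
 
+if (caller_is_root) {
+return;
+}
+
 /*
 * BSD systems only allow "wheel" to SU to root. USG systems don't,
 * so we make this a configurable option.
@@ -485,7 +487,6 @@ static void check_perms_nopam (struct passwd *pw)
 * to Chris Evans <lady0110@sable.ox.ac.uk>.
 */
 
-if (!caller_is_root) {
 if ( (0 == pw->pw_uid)
 && getdef_bool ("SU_WHEEL_ONLY")
 && !iswheel (caller_name)) {
@@ -494,8 +495,8 @@ static void check_perms_nopam (struct passwd *pw)
 name);
 exit (1);
 }
-#ifdef SU_ACCESS
 spwd = getspnam (name); /* !USE_PAM, no need for xgetspnam */
+#ifdef SU_ACCESS
 if (strcmp (pw->pw_passwd, SHADOW_PASSWD_STRING) == 0) {
 if (NULL != spwd) {
 pw->pw_passwd = spwd->sp_pwdp;
@@ -519,7 +520,6 @@ static void check_perms_nopam (struct passwd *pw)
 exit (1);
 }
 #endif /* SU_ACCESS */
-}
 /*
 * Set up a signal handler in case the user types QUIT.
 */
@@ -531,8 +531,7 @@ static void check_perms_nopam (struct passwd *pw)
 * The first character of an administrator defined method is an '@'
 * character.
 */
-if ( !caller_is_root
-&& (pw_auth (pw->pw_passwd, name, PW_SU, (char *) 0) != 0)) {
+if (pw_auth (pw->pw_passwd, name, PW_SU, (char *) 0) != 0) {
 SYSLOG (((pw->pw_uid != 0)? LOG_NOTICE : LOG_WARN,
 "Authentication failed for %s", name));
 fprintf(stderr, _("%s: Authentication failure\n"), Prog);
@@ -545,7 +544,7 @@ static void check_perms_nopam (struct passwd *pw)
 * expired accounts, but normal users can't become a user with an
 * expired password.
 */
-if ((!caller_is_root) && (NULL != spwd)) {
+if (NULL != spwd) {
 (void) expire (pw, spwd);
 }
 
@@ -555,7 +554,6 @@ static void check_perms_nopam (struct passwd *pw)
 * there is a "SU" entry in the /etc/porttime file denying access to
 * the account.
 */
-if (!caller_is_root) {
 if (!isttytime (name, "SU", time ((time_t *) 0))) {
 SYSLOG (((0 != pw->pw_uid) ? LOG_WARN : LOG_CRIT,
 "SU by %s to restricted account %s",
@@ -566,7 +564,6 @@ static void check_perms_nopam (struct passwd *pw)
 su_failure (caller_tty, 0 == pw->pw_uid);
 }
 }
-}
 #endif /* !USE_PAM */
 
 /*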
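Review bot: Now that `spwd = getspnam (name)` is fetched unconditionally for every non-root caller, a NULL result still only disables the later expiry check (`if (NULL != spwd)` guarding `expire (pw, spwd)`), so a failed shadow lookup — no permission to read /etc/shadow, an NSS error — is indistinguishable from "no shadow entry" and silently drops password-expiry enforcement in builds without SU_ACCESS; the SU_ACCESS branch appears to catch this only when pw_passwd is the shadow marker, and its failure path lies outside the visible hunks. Consider clearing errno before the call and treating an errored lookup as a failure rather than an absent entry, e.g. `errno = 0;` before `spwd = getspnam (name);` and `if ((NULL == spwd) && (0 != errno)) { /* log, then the same failure exit this function uses elsewhere */ }` — how that exit should look depends on code not shown here. The new early `if (caller_is_root) { return; }` also deserves a comment, because it now bypasses every check below it, including the SIGQUIT handler setup that the old code ran unconditionally: `/* root may become any user without authentication; none of the checks below apply */`. check_perms_nopam's body continues between and after these hunks.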