emo/shadow
1
0
Fork 0
Code Issues Pull Requests Packages Releases Activity

* src/su.c: Cleanup check_perms_nopam().

Browse Source
This commit is contained in:
nekral-guest 2011-06-13 18:27:06 +00:00
parent 927c2f06a3
commit b63c830547
2 changed files with 48 additions and 50 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
ChangeLog
View File

@ -4,6 +4,7 @@
used to save the caller's context. used to save the caller's context.
* src/su.c: Split check_perms() in to a PAM (check_perms_pam) and * src/su.c: Split check_perms() in to a PAM (check_perms_pam) and
a non-PAM (check_perms_nopam) version. a non-PAM (check_perms_nopam) version.
* src/su.c: Cleanup check_perms_nopam().
2011-06-10 Nicolas François <nicolas.francois@centraliens.net> 2011-06-10 Nicolas François <nicolas.francois@centraliens.net>

97
src/su.c
View File

@ -450,7 +450,7 @@ static void check_perms_pam (struct passwd *pw)
} }
} else { } else {
SYSLOG ((LOG_ERR, "pam_acct_mgmt: %s", SYSLOG ((LOG_ERR, "pam_acct_mgmt: %s",
pam_strerror (pamh, ret))); pam_strerror (pamh, ret)));
fprintf (stderr, fprintf (stderr,
_("%s: %s\n"), _("%s: %s\n"),
Prog, pam_strerror (pamh, ret)); Prog, pam_strerror (pamh, ret));
@ -462,11 +462,13 @@ static void check_perms_pam (struct passwd *pw)
#else /* !USE_PAM */ #else /* !USE_PAM */
static void check_perms_nopam (struct passwd *pw) static void check_perms_nopam (struct passwd *pw)
{ {
#ifdef SU_ACCESS
struct spwd *spwd = NULL; struct spwd *spwd = NULL;
#endif /* SU_ACCESS */
RETSIGTYPE (*oldsig) (int); RETSIGTYPE (*oldsig) (int);
if (caller_is_root) {
return;
}
/* /*
* BSD systems only allow "wheel" to SU to root. USG systems don't, * BSD systems only allow "wheel" to SU to root. USG systems don't,
* so we make this a configurable option. * so we make this a configurable option.
@ -485,41 +487,39 @@ static void check_perms_nopam (struct passwd *pw)
* to Chris Evans <lady0110@sable.ox.ac.uk>. * to Chris Evans <lady0110@sable.ox.ac.uk>.
*/ */
if (!caller_is_root) { if ( (0 == pw->pw_uid)
if ( (0 == pw->pw_uid) && getdef_bool ("SU_WHEEL_ONLY")
&& getdef_bool ("SU_WHEEL_ONLY") && !iswheel (caller_name)) {
&& !iswheel (caller_name)) { fprintf (stderr,
fprintf (stderr, _("You are not authorized to su %s\n"),
_("You are not authorized to su %s\n"), name);
name); exit (1);
exit (1);
}
#ifdef SU_ACCESS
spwd = getspnam (name); /* !USE_PAM, no need for xgetspnam */
if (strcmp (pw->pw_passwd, SHADOW_PASSWD_STRING) == 0) {
if (NULL != spwd) {
pw->pw_passwd = spwd->sp_pwdp;
}
}
switch (check_su_auth (caller_name, name, 0 == pw->pw_uid)) {
case 0: /* normal su, require target user's password */
break;
case 1: /* require no password */
pw->pw_passwd = ""; /* XXX warning: const */
break;
case 2: /* require own password */
puts (_("(Enter your own password)"));
pw->pw_passwd = caller_pass;
break;
default: /* access denied (-1) or unexpected value */
fprintf (stderr,
_("You are not authorized to su %s\n"),
name);
exit (1);
}
#endif /* SU_ACCESS */
} }
spwd = getspnam (name); /* !USE_PAM, no need for xgetspnam */
#ifdef SU_ACCESS
if (strcmp (pw->pw_passwd, SHADOW_PASSWD_STRING) == 0) {
if (NULL != spwd) {
pw->pw_passwd = spwd->sp_pwdp;
}
}
switch (check_su_auth (caller_name, name, 0 == pw->pw_uid)) {
case 0: /* normal su, require target user's password */
break;
case 1: /* require no password */
pw->pw_passwd = ""; /* XXX warning: const */
break;
case 2: /* require own password */
puts (_("(Enter your own password)"));
pw->pw_passwd = caller_pass;
break;
default: /* access denied (-1) or unexpected value */
fprintf (stderr,
_("You are not authorized to su %s\n"),
name);
exit (1);
}
#endif /* SU_ACCESS */
/* /*
* Set up a signal handler in case the user types QUIT. * Set up a signal handler in case the user types QUIT.
*/ */
@ -531,8 +531,7 @@ static void check_perms_nopam (struct passwd *pw)
* The first character of an administrator defined method is an '@' * The first character of an administrator defined method is an '@'
* character. * character.
*/ */
if ( !caller_is_root if (pw_auth (pw->pw_passwd, name, PW_SU, (char *) 0) != 0) {
&& (pw_auth (pw->pw_passwd, name, PW_SU, (char *) 0) != 0)) {
SYSLOG (((pw->pw_uid != 0)? LOG_NOTICE : LOG_WARN, SYSLOG (((pw->pw_uid != 0)? LOG_NOTICE : LOG_WARN,
"Authentication failed for %s", name)); "Authentication failed for %s", name));
fprintf(stderr, _("%s: Authentication failure\n"), Prog); fprintf(stderr, _("%s: Authentication failure\n"), Prog);
@ -545,7 +544,7 @@ static void check_perms_nopam (struct passwd *pw)
* expired accounts, but normal users can't become a user with an * expired accounts, but normal users can't become a user with an
* expired password. * expired password.
*/ */
if ((!caller_is_root) && (NULL != spwd)) { if (NULL != spwd) {
(void) expire (pw, spwd); (void) expire (pw, spwd);
} }
@ -555,16 +554,14 @@ static void check_perms_nopam (struct passwd *pw)
* there is a "SU" entry in the /etc/porttime file denying access to * there is a "SU" entry in the /etc/porttime file denying access to
* the account. * the account.
*/ */
if (!caller_is_root) { if (!isttytime (name, "SU", time ((time_t *) 0))) {
if (!isttytime (name, "SU", time ((time_t *) 0))) { SYSLOG (((0 != pw->pw_uid) ? LOG_WARN : LOG_CRIT,
SYSLOG (((0 != pw->pw_uid) ? LOG_WARN : LOG_CRIT, "SU by %s to restricted account %s",
"SU by %s to restricted account %s", caller_name, name));
caller_name, name)); fprintf (stderr,
fprintf (stderr, _("%s: You are not authorized to su at that time\n"),
_("%s: You are not authorized to su at that time\n"), Prog);
Prog); su_failure (caller_tty, 0 == pw->pw_uid);
su_failure (caller_tty, 0 == pw->pw_uid);
}
} }
} }
#endif /* !USE_PAM */ #endif /* !USE_PAM */