PERFORCE change 31067 for review

Dag-Erling Smorgrav des at FreeBSD.org
Tue May 13 05:41:12 PDT 2003 

http://perforce.freebsd.org/chv.cgi?CH=31067

Change 31067 by des at des.at.des.thinksec.com on 2003/05/13 05:40:18

	Support su'ing to another user with arguments.  Drop privs in the
	child rather than in the parent so that pam_close_session(3) will be
	called with privs.  Simplify some of the error handling.
	
	Based on patches received from Mike Petullo <mike at flyn.org>.

Affected files ...

.. //depot/projects/openpam/bin/su/su.c#9 edit

Differences ...

==== //depot/projects/openpam/bin/su/su.c#9 (text+ko) ====

@@ -31,7 +31,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $P4: //depot/projects/openpam/bin/su/su.c#8 $
+ * $P4: //depot/projects/openpam/bin/su/su.c#9 $
  */
 
 #include <sys/param.h>
@@ -81,9 +81,17 @@
 	argc -= optind;
 	argv += optind;
 
+	if (argc > 0) {
+		user = *argv;
+		--argc;
+		++argv;
+	} else {
+		user = "root";
+	}
+
 	/* initialize PAM */
 	pamc.conv = &openpam_ttyconv;
-	pam_start("su", argc ? *argv : "root", &pamc, &pamh);
+	pam_start("su", user, &pamc, &pamh);
 
 	/* set some items */
 	gethostname(hostname, sizeof(hostname));
@@ -117,20 +125,6 @@
 	if (pam_err != PAM_SUCCESS || (pwd = getpwnam(user)) == NULL)
 		goto pamerr;
 
-	/* set uid and groups */
-	if (initgroups(pwd->pw_name, pwd->pw_gid) == -1) {
-		warn("initgroups()");
-		goto err;
-	}
-	if (setgid(pwd->pw_gid) == -1) {
-		warn("setgid()");
-		goto err;
-	}
-	if (setuid(pwd->pw_uid) == -1) {
-		warn("setuid()");
-		goto err;
-	}
-
 	/* export PAM environment */
 	if ((pam_envlist = pam_getenvlist(pamh)) != NULL) {
 		for (pam_env = pam_envlist; *pam_env != NULL; ++pam_env) {
@@ -154,7 +148,21 @@
 		warn("fork()");
 		goto err;
 	case 0:
-		/* child: start a shell */
+		/* child: give up privs and start a shell */
+
+		/* set uid and groups */
+		if (initgroups(pwd->pw_name, pwd->pw_gid) == -1) {
+			warn("initgroups()");
+			_exit(1);
+		}
+		if (setgid(pwd->pw_gid) == -1) {
+			warn("setgid()");
+			_exit(1);
+		}
+		if (setuid(pwd->pw_uid) == -1) {
+			warn("setuid()");
+			_exit(1);
+		}
 		execve(*args, args, environ);
 		warn("execve()");
 		_exit(1);
@@ -170,9 +178,7 @@
 	}
 
 pamerr:
-	pam_end(pamh, pam_err);
 	fprintf(stderr, "Sorry\n");
-	exit(1);
 err:
 	pam_end(pamh, pam_err);
 	exit(1);

More information about the p4-projects mailing list