Date: Tue, 13 May 2003 05:41:10 -0700 (PDT) From: Dag-Erling Smorgrav <des@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 31067 for review Message-ID: <200305131241.h4DCfAlU006645@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=31067
Change 31067 by des@des.at.des.thinksec.com on 2003/05/13 05:40:18
Support su'ing to another user with arguments. Drop privs in the child rather than in the parent so that pam_close_session(3) will be called with privs. Simplify some of the error handling. Based on patches received from Mike Petullo <mike@flyn.org>.
Affected files ...
.. //depot/projects/openpam/bin/su/su.c#9 edit
Differences ...
==== //depot/projects/openpam/bin/su/su.c#9 (text+ko) ====
@@ -31,7 +31,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $P4: //depot/projects/openpam/bin/su/su.c#8 $
+ * $P4: //depot/projects/openpam/bin/su/su.c#9 $
  */
 
 #include <sys/param.h>
@@ -81,9 +81,17 @@
 	argc -= optind;
 	argv += optind;
 
+	if (argc > 0) {
+		user = *argv;
+		--argc;
+		++argv;
+	} else {
+		user = "root";
+	}
+
 	/* initialize PAM */
 	pamc.conv = &openpam_ttyconv;
-	pam_start("su", argc ? *argv : "root", &pamc, &pamh);
+	pam_start("su", user, &pamc, &pamh);
 
 	/* set some items */
 	gethostname(hostname, sizeof(hostname));
@@ -117,20 +125,6 @@
 	if (pam_err != PAM_SUCCESS || (pwd = getpwnam(user)) == NULL)
 		goto pamerr;
 
-	/* set uid and groups */
-	if (initgroups(pwd->pw_name, pwd->pw_gid) == -1) {
-		warn("initgroups()");
-		goto err;
-	}
-	if (setgid(pwd->pw_gid) == -1) {
-		warn("setgid()");
-		goto err;
-	}
-	if (setuid(pwd->pw_uid) == -1) {
-		warn("setuid()");
-		goto err;
-	}
-
 	/* export PAM environment */
 	if ((pam_envlist = pam_getenvlist(pamh)) != NULL) {
 		for (pam_env = pam_envlist; *pam_env != NULL; ++pam_env) {
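Review bot: The rewritten `pam_start("su", user, &pamc, &pamh);` in the second hunk still discards the return value, so a failed PAM initialization leaves the code setting items and authenticating against a handle that was never created. The pamerr: path is not the right escape either, because it ends in pam_end() on that same handle; bail out directly instead: `if ((pam_err = pam_start("su", user, &pamc, &pamh)) != PAM_SUCCESS) { fprintf(stderr, "Sorry\n"); exit(1); }`. pam_err is the status variable the function already uses further down; if it is declared after this point, any local will do. The enclosing function begins before and continues after this hunk.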
@@ -154,7 +148,21 @@
 		warn("fork()");
 		goto err;
 	case 0:
-		/* child: start a shell */
+		/* child: give up privs and start a shell */
+
+		/* set uid and groups */
+		if (initgroups(pwd->pw_name, pwd->pw_gid) == -1) {
+			warn("initgroups()");
+			_exit(1);
+		}
+		if (setgid(pwd->pw_gid) == -1) {
+			warn("setgid()");
+			_exit(1);
+		}
+		if (setuid(pwd->pw_uid) == -1) {
+			warn("setuid()");
+			_exit(1);
+		}
 		execve(*args, args, environ);
 		warn("execve()");
 		_exit(1);
@@ -170,9 +178,7 @@
 	}
 
 pamerr:
-	pam_end(pamh, pam_err);
 	fprintf(stderr, "Sorry\n");
-	exit(1);
 err:
 	pam_end(pamh, pam_err);
 	exit(1);
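Review bot: Moving the initgroups/setgid/setuid sequence into the child leaves the parent waiting as root for the life of the session, and nothing in this hunk shields it: terminal-generated SIGINT, SIGQUIT and SIGTSTP go to the whole foreground process group, so a keyboard interrupt can take down the privileged parent before the pam_close_session(3) call the change exists to protect ever runs, leaving the session unclosed. Unless that is already handled elsewhere in the function (it starts and ends outside this hunk), the parent should ignore those signals around the wait, e.g. `signal(SIGINT, SIG_IGN); signal(SIGQUIT, SIG_IGN);` before the fork, with the child restoring SIG_DFL ahead of `execve`. The drop order itself (groups, then gid, then uid, each checked and followed by `_exit(1)`) is correct. One more caveat: pwd still points at getpwnam()'s static buffer from the earlier lookup, so any passwd-database call between that lookup and the fork would silently change the identity dropped to here.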