[Pkg-shadow-commits] r3353 - in upstream/trunk: . src

Nicolas FRANÇOIS nekral-guest at alioth.debian.org
Mon Jun 13 18:27:12 UTC 2011


Author: nekral-guest
Date: 2011-06-13 18:27:12 +0000 (Mon, 13 Jun 2011)
New Revision: 3353

Modified:
   upstream/trunk/ChangeLog
   upstream/trunk/src/su.c
Log:
	* src/su.c: Merge environment setting blocks after the creation of
	the session.

Modified: upstream/trunk/ChangeLog
===================================================================
--- upstream/trunk/ChangeLog	2011-06-13 18:27:06 UTC (rev 3352)
+++ upstream/trunk/ChangeLog	2011-06-13 18:27:12 UTC (rev 3353)
@@ -5,6 +5,8 @@
 	* src/su.c: Split check_perms() in to a PAM (check_perms_pam) and
 	a non-PAM (check_perms_nopam) version.
 	* src/su.c: Cleanup check_perms_nopam().
+	* src/su.c: Merge environment setting blocks after the creation of
+	the session.
 
 2011-06-10  Nicolas François  <nicolas.francois at centraliens.net>
 

Modified: upstream/trunk/src/su.c
===================================================================
--- upstream/trunk/src/su.c	2011-06-13 18:27:06 UTC (rev 3352)
+++ upstream/trunk/src/su.c	2011-06-13 18:27:12 UTC (rev 3353)
@@ -867,7 +867,65 @@
 		shellstr = SHELL;
 	}
 
+	sulog (caller_tty, true, caller_name, name);	/* save SU information */
+	endpwent ();
+	endspent ();
+#ifdef USE_SYSLOG
+	if (getdef_bool ("SYSLOG_SU_ENAB")) {
+		SYSLOG ((LOG_INFO, "+ %s %s:%s", caller_tty,
+		         ('\0' != caller_name[0]) ? caller_name : "???",
+		         ('\0' != name[0]) ? name : "???"));
+	}
+#endif
+
+#ifdef USE_PAM
+	/* set primary group id and supplementary groups */
+	if (setup_groups (pw) != 0) {
+		pam_end (pamh, PAM_ABORT);
+		exit (1);
+	}
+
 	/*
+	 * pam_setcred() may do things like resource limits, console groups,
+	 * and much more, depending on the configured modules
+	 */
+	ret = pam_setcred (pamh, PAM_ESTABLISH_CRED);
+	if (PAM_SUCCESS != ret) {
+		SYSLOG ((LOG_ERR, "pam_setcred: %s", pam_strerror (pamh, ret)));
+		fprintf (stderr, _("%s: %s\n"), Prog, pam_strerror (pamh, ret));
+		(void) pam_end (pamh, ret);
+		exit (1);
+	}
+
+	ret = pam_open_session (pamh, 0);
+	if (PAM_SUCCESS != ret) {
+		SYSLOG ((LOG_ERR, "pam_open_session: %s",
+			 pam_strerror (pamh, ret)));
+		fprintf (stderr, _("%s: %s\n"), Prog, pam_strerror (pamh, ret));
+		pam_setcred (pamh, PAM_DELETE_CRED);
+		(void) pam_end (pamh, ret);
+		exit (1);
+	}
+
+	/* become the new user */
+	if (change_uid (pw) != 0) {
+		pam_close_session (pamh, 0);
+		pam_setcred (pamh, PAM_DELETE_CRED);
+		(void) pam_end (pamh, PAM_ABORT);
+		exit (1);
+	}
+#else				/* !USE_PAM */
+	/* no limits if su from root (unless su must fake login's behavior) */
+	if (!caller_is_root || fakelogin) {
+		setup_limits (pw);
+	}
+
+	if (setup_uid_gid (pw, caller_on_console) != 0) {
+		exit (1);
+	}
+#endif				/* !USE_PAM */
+
+	/*
 	 * If a new login is being set up, the old environment will be
 	 * ignored and a new one created later on.
 	 */
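Review bot: With `change_uid (pw)` (PAM) and `setup_uid_gid (pw, caller_on_console)` (non-PAM) moved up to this point, everything after this `#endif /* !USE_PAM */` now runs under the target user's IDs instead of the privileges su started with. That includes the environment setup which the retained comment in the next hunk says must follow pam_open_session(). Dropping privileges earlier is the safer direction, but the log message describes only a merge of blocks, and any later step that still expects the earlier privileges would now fail; the function starts and continues outside this hunk, so that needs checking against the full body. I would record the new invariant right after the `#endif`, e.g. `/* From here on we run with the target user's IDs; nothing below may rely on su's original privileges. */`. Separately, `sulog (caller_tty, true, caller_name, name)` and the `"+ %s %s:%s"` syslog entry are written while `setup_groups`, `pam_setcred`, `pam_open_session` and `change_uid` can still end in `exit (1)`, so the audit trail can show a successful su that never completed; the `setup_groups` and `change_uid` failure paths log nothing in this hunk.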
@@ -942,46 +1000,7 @@
 		addenv ("IFS= \t\n", NULL);	/* ... instead, set a safe IFS */
 	}
 
-	sulog (caller_tty, true, caller_name, name);	/* save SU information */
-	endpwent ();
-	endspent ();
-#ifdef USE_SYSLOG
-	if (getdef_bool ("SYSLOG_SU_ENAB")) {
-		SYSLOG ((LOG_INFO, "+ %s %s:%s", caller_tty,
-		         ('\0' != caller_name[0]) ? caller_name : "???",
-		         ('\0' != name[0]) ? name : "???"));
-	}
-#endif
-
 #ifdef USE_PAM
-	/* set primary group id and supplementary groups */
-	if (setup_groups (pw) != 0) {
-		pam_end (pamh, PAM_ABORT);
-		exit (1);
-	}
-
-	/*
-	 * pam_setcred() may do things like resource limits, console groups,
-	 * and much more, depending on the configured modules
-	 */
-	ret = pam_setcred (pamh, PAM_ESTABLISH_CRED);
-	if (PAM_SUCCESS != ret) {
-		SYSLOG ((LOG_ERR, "pam_setcred: %s", pam_strerror (pamh, ret)));
-		fprintf (stderr, _("%s: %s\n"), Prog, pam_strerror (pamh, ret));
-		(void) pam_end (pamh, ret);
-		exit (1);
-	}
-
-	ret = pam_open_session (pamh, 0);
-	if (PAM_SUCCESS != ret) {
-		SYSLOG ((LOG_ERR, "pam_open_session: %s",
-			 pam_strerror (pamh, ret)));
-		fprintf (stderr, _("%s: %s\n"), Prog, pam_strerror (pamh, ret));
-		pam_setcred (pamh, PAM_DELETE_CRED);
-		(void) pam_end (pamh, ret);
-		exit (1);
-	}
-
 	/* we need to setup the environment *after* pam_open_session(),
 	 * else the UID is changed before stuff like pam_xauth could
 	 * run, and we cannot access /etc/shadow and co
@@ -999,24 +1018,8 @@
 		}
 	}
 
-	/* become the new user */
-	if (change_uid (pw) != 0) {
-		pam_close_session (pamh, 0);
-		pam_setcred (pamh, PAM_DELETE_CRED);
-		(void) pam_end (pamh, PAM_ABORT);
-		exit (1);
-	}
 #else				/* !USE_PAM */
 	environ = newenvp;	/* make new environment active */
-
-	/* no limits if su from root (unless su must fake login's behavior) */
-	if (!caller_is_root || fakelogin) {
-		setup_limits (pw);
-	}
-
-	if (setup_uid_gid (pw, caller_on_console) != 0) {
-		exit (1);
-	}
 #endif				/* !USE_PAM */
 
 	if (change_environment) {



