diff options
author | Karel Zak | 2016-10-14 12:02:53 +0200 |
---|---|---|
committer | Karel Zak | 2017-09-18 11:48:56 +0200 |
commit | dc5bfb71ff693a06f08a954e4235ca30fde132b8 (patch) | |
tree | 5d52e02bf20bcffb13187a485b4de2974c38af30 /login-utils | |
parent | su: cleanup PAM stuff (diff) | |
download | kernel-qcow2-util-linux-dc5bfb71ff693a06f08a954e4235ca30fde132b8.tar.gz kernel-qcow2-util-linux-dc5bfb71ff693a06f08a954e4235ca30fde132b8.tar.xz kernel-qcow2-util-linux-dc5bfb71ff693a06f08a954e4235ca30fde132b8.zip |
su: reorder functions
Signed-off-by: Karel Zak <kzak@redhat.com>
Diffstat (limited to 'login-utils')
-rw-r--r-- | login-utils/su-common.c | 140 |
1 files changed, 70 insertions, 70 deletions
diff --git a/login-utils/su-common.c b/login-utils/su-common.c index 629451d13..c647d60ff 100644 --- a/login-utils/su-common.c +++ b/login-utils/su-common.c @@ -234,6 +234,75 @@ static void supam_export_environment(struct su_context *su) } } +static void supam_authenticate(struct su_context *su, const struct passwd *pw) +{ + const struct passwd *lpw = NULL; + const char *cp, *srvname = NULL; + int retval; + + srvname = su->runuser ? + (su->simulate_login ? PAM_SRVNAME_RUNUSER_L : PAM_SRVNAME_RUNUSER) : + (su->simulate_login ? PAM_SRVNAME_SU_L : PAM_SRVNAME_SU); + + retval = pam_start(srvname, pw->pw_name, &su->conv, &su->pamh); + if (is_pam_failure(retval)) + goto done; + + if (isatty(0) && (cp = ttyname(0)) != NULL) { + const char *tty; + + if (strncmp(cp, "/dev/", 5) == 0) + tty = cp + 5; + else + tty = cp; + retval = pam_set_item(su->pamh, PAM_TTY, tty); + if (is_pam_failure(retval)) + goto done; + } + + lpw = current_getpwuid(); + if (lpw && lpw->pw_name) { + retval = pam_set_item(su->pamh, PAM_RUSER, (const void *)lpw->pw_name); + if (is_pam_failure(retval)) + goto done; + } + + if (su->runuser) { + /* + * This is the only difference between runuser(1) and su(1). The command + * runuser(1) does not required authentication, because user is root. + */ + if (su->restricted) + errx(EXIT_FAILURE, _("may not be used by non-root users")); + return; + } + + retval = pam_authenticate(su->pamh, 0); + if (is_pam_failure(retval)) + goto done; + + retval = pam_acct_mgmt(su->pamh, 0); + if (retval == PAM_NEW_AUTHTOK_REQD) { + /* Password has expired. Offer option to change it. */ + retval = pam_chauthtok(su->pamh, PAM_CHANGE_EXPIRED_AUTHTOK); + } + + done: + + log_syslog(su, pw, !is_pam_failure(retval)); + + if (is_pam_failure(retval)) { + const char *msg; + + log_btmp(pw); + + msg = pam_strerror(su->pamh, retval); + pam_end(su->pamh, retval); + sleep(getlogindefs_num("FAIL_DELAY", 1)); + errx(EXIT_FAILURE, "%s", msg ? msg : _("incorrect password")); + } +} + static void create_watching_parent(struct su_context *su) { @@ -371,75 +440,6 @@ create_watching_parent(struct su_context *su) exit(status); } -static void -authenticate(struct su_context *su, const struct passwd *pw) -{ - const struct passwd *lpw = NULL; - const char *cp, *srvname = NULL; - int retval; - - srvname = su->runuser ? - (su->simulate_login ? PAM_SRVNAME_RUNUSER_L : PAM_SRVNAME_RUNUSER) : - (su->simulate_login ? PAM_SRVNAME_SU_L : PAM_SRVNAME_SU); - - retval = pam_start(srvname, pw->pw_name, &su->conv, &su->pamh); - if (is_pam_failure(retval)) - goto done; - - if (isatty(0) && (cp = ttyname(0)) != NULL) { - const char *tty; - - if (strncmp(cp, "/dev/", 5) == 0) - tty = cp + 5; - else - tty = cp; - retval = pam_set_item(su->pamh, PAM_TTY, tty); - if (is_pam_failure(retval)) - goto done; - } - - lpw = current_getpwuid(); - if (lpw && lpw->pw_name) { - retval = pam_set_item(su->pamh, PAM_RUSER, (const void *)lpw->pw_name); - if (is_pam_failure(retval)) - goto done; - } - - if (su->runuser) { - /* - * This is the only difference between runuser(1) and su(1). The command - * runuser(1) does not required authentication, because user is root. - */ - if (su->restricted) - errx(EXIT_FAILURE, _("may not be used by non-root users")); - return; - } - - retval = pam_authenticate(su->pamh, 0); - if (is_pam_failure(retval)) - goto done; - - retval = pam_acct_mgmt(su->pamh, 0); - if (retval == PAM_NEW_AUTHTOK_REQD) { - /* Password has expired. Offer option to change it. */ - retval = pam_chauthtok(su->pamh, PAM_CHANGE_EXPIRED_AUTHTOK); - } - - done: - - log_syslog(su, pw, !is_pam_failure(retval)); - - if (is_pam_failure(retval)) { - const char *msg; - - log_btmp(pw); - - msg = pam_strerror(su->pamh, retval); - pam_end(su->pamh, retval); - sleep(getlogindefs_num("FAIL_DELAY", 1)); - errx(EXIT_FAILURE, "%s", msg ? msg : _("incorrect password")); - } -} static void set_path(const struct passwd * const pw) @@ -883,7 +883,7 @@ su_main(int argc, char **argv, int mode) else if (use_gid) pw->pw_gid = gid; - authenticate(su, pw); + supam_authenticate(su, pw); if (request_same_session || !command || !pw->pw_uid) su->same_session = 1; |