From fb4edda749e4c81e9ce713a017240ded8f521d07 Mon Sep 17 00:00:00 2001
From: Karel Zak
Date: Tue, 27 Aug 2013 11:23:54 +0200
Subject: su: suppress PAM info messages for -c or non-login sessions
The 'Last login:' messages from PAM lastlogin module is unexpected for non-login sessions or when -c executed. For example:
$ su - -c id
Last login: Wed Jul 24 08:36:28 CEST 2013 from dhcp-25-161.brq.redhat.com on pts/18
uid=0(root) gid=0(root) skupiny=0(root)
this makes 'su' useless in scripts.
This patch suppress all PAM_TEXT_INFO messages for -c and for non-login session ('-' is not specified) after pam_authenticate() and pam_acct_mgmt().
Note that the new PAM conversation function checks the first message in the msg[] array only. It seems good enough as PAM internally uses pam_info() function that does not use multiple messages for one conv call.
References: https://bugzilla.redhat.com/show_bug.cgi?id=987787
Signed-off-by: Karel Zak
---
 login-utils/su-common.c | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)
(limited to 'login-utils/su-common.c')
diff --git a/login-utils/su-common.c b/login-utils/su-common.c
index 6df176382..ade5c9210 100644
--- a/login-utils/su-common.c
+++ b/login-utils/su-common.c
@@ -111,6 +111,9 @@ static int same_session = 0;
 /* SU_MODE_{RUNUSER,SU} */
 static int su_mode;
+/* Don't print PAM info messages (Last login, etc.). */
+static int suppress_pam_info;
+
 static bool _pam_session_opened;
 static bool _pam_cred_established;
 static sig_atomic_t volatile caught_signal = false;
@@ -208,10 +211,23 @@ static void log_btmp(struct passwd const *pw)
 updwtmp(_PATH_BTMP, &ut);
 }
+
+static int su_pam_conv(int num_msg, const struct pam_message **msg,
+ struct pam_response **resp, void *appdata_ptr)
+{
+ if (suppress_pam_info
+ && num_msg == 1
+ && msg
+ && msg[0]->msg_style == PAM_TEXT_INFO)
+ return PAM_SUCCESS;
+
+ return misc_conv(num_msg, msg, resp, appdata_ptr);
+}
+
 static struct pam_conv conv =
 {
- misc_conv,
- NULL
+ su_pam_conv,
+ NULL
 };
 static void
@@ -927,6 +943,9 @@ su_main (int argc, char **argv, int mode)
 init_groups (pw, groups, num_supp_groups);
+ if (!simulate_login || command)
+ suppress_pam_info = 1; /* don't print PAM info messages */
+
 create_watching_parent ();
 /* Now we're in the child. */
-- cgit v1.2.3-55-g7522
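Review bot: The early return in su_pam_conv reports PAM_SUCCESS without touching `*resp`, while the misc_conv() path it bypasses is the one that would otherwise populate the response. A module that calls the conversation function directly and then reads or frees the response would be handed whatever the pointer held before the call. Setting it explicitly before returning, e.g. `if (resp) *resp = NULL;`, makes the suppressed path well defined; whether NULL or a zeroed one-element array is the better reply to PAM_TEXT_INFO depends on the loaded modules, which this hunk does not show. The guard also tests `msg` but dereferences `msg[0]` unchecked, so `&& msg && msg[0]` would close that gap. A one-line comment above the function saying that only single-message calls are filtered, as the commit message explains, would spare the next reader from rediscovering it.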
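Review bot: The inline comment on the `suppress_pam_info = 1;` assignment in su_main says what is done but not the ordering constraint that makes it safe. Per the commit description the flag is only meant to take effect after pam_authenticate() and pam_acct_mgmt(), so authentication and account-management notices stay visible; those calls are outside the hunk, and nothing here stops a later refactor from moving the assignment ahead of them. I would spell that out, e.g. `/* set only after pam_authenticate()/pam_acct_mgmt(): hide session-phase info, keep auth/account messages */`. The `!simulate_login` half of the condition also covers an interactive `su user` without `-c`, so session-phase notices are hidden from a person at a terminal as well as from scripts; that matches the stated intent but belongs in the comment too. su_main starts and ends outside the hunk.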