}
}
+static void supam_authenticate(struct su_context *su, const struct passwd *pw)
+{
+ const struct passwd *lpw = NULL;
+ const char *cp, *srvname = NULL;
+ int retval;
+
+ srvname = su->runuser ?
+ (su->simulate_login ? PAM_SRVNAME_RUNUSER_L : PAM_SRVNAME_RUNUSER) :
+ (su->simulate_login ? PAM_SRVNAME_SU_L : PAM_SRVNAME_SU);
+
+ retval = pam_start(srvname, pw->pw_name, &su->conv, &su->pamh);
+ if (is_pam_failure(retval))
+ goto done;
+
+ if (isatty(0) && (cp = ttyname(0)) != NULL) {
+ const char *tty;
+
+ if (strncmp(cp, "/dev/", 5) == 0)
+ tty = cp + 5;
+ else
+ tty = cp;
+ retval = pam_set_item(su->pamh, PAM_TTY, tty);
+ if (is_pam_failure(retval))
+ goto done;
+ }
+
+ lpw = current_getpwuid();
+ if (lpw && lpw->pw_name) {
+ retval = pam_set_item(su->pamh, PAM_RUSER, (const void *)lpw->pw_name);
+ if (is_pam_failure(retval))
+ goto done;
+ }
+
+ if (su->runuser) {
+ /*
+ * This is the only difference between runuser(1) and su(1). The command
+ * runuser(1) does not required authentication, because user is root.
+ */
+ if (su->restricted)
+ errx(EXIT_FAILURE, _("may not be used by non-root users"));
+ return;
+ }
+
+ retval = pam_authenticate(su->pamh, 0);
+ if (is_pam_failure(retval))
+ goto done;
+
+ retval = pam_acct_mgmt(su->pamh, 0);
+ if (retval == PAM_NEW_AUTHTOK_REQD) {
+ /* Password has expired. Offer option to change it. */
+ retval = pam_chauthtok(su->pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
+ }
+
+ done:
+
+ log_syslog(su, pw, !is_pam_failure(retval));
+
+ if (is_pam_failure(retval)) {
+ const char *msg;
+
+ log_btmp(pw);
+
+ msg = pam_strerror(su->pamh, retval);
+ pam_end(su->pamh, retval);
+ sleep(getlogindefs_num("FAIL_DELAY", 1));
+ errx(EXIT_FAILURE, "%s", msg ? msg : _("incorrect password"));
+ }
+}
+
static void
create_watching_parent(struct su_context *su)
{
exit(status);
}
-static void
-authenticate(struct su_context *su, const struct passwd *pw)
-{
- const struct passwd *lpw = NULL;
- const char *cp, *srvname = NULL;
- int retval;
-
- srvname = su->runuser ?
- (su->simulate_login ? PAM_SRVNAME_RUNUSER_L : PAM_SRVNAME_RUNUSER) :
- (su->simulate_login ? PAM_SRVNAME_SU_L : PAM_SRVNAME_SU);
-
- retval = pam_start(srvname, pw->pw_name, &su->conv, &su->pamh);
- if (is_pam_failure(retval))
- goto done;
-
- if (isatty(0) && (cp = ttyname(0)) != NULL) {
- const char *tty;
-
- if (strncmp(cp, "/dev/", 5) == 0)
- tty = cp + 5;
- else
- tty = cp;
- retval = pam_set_item(su->pamh, PAM_TTY, tty);
- if (is_pam_failure(retval))
- goto done;
- }
-
- lpw = current_getpwuid();
- if (lpw && lpw->pw_name) {
- retval = pam_set_item(su->pamh, PAM_RUSER, (const void *)lpw->pw_name);
- if (is_pam_failure(retval))
- goto done;
- }
-
- if (su->runuser) {
- /*
- * This is the only difference between runuser(1) and su(1). The command
- * runuser(1) does not required authentication, because user is root.
- */
- if (su->restricted)
- errx(EXIT_FAILURE, _("may not be used by non-root users"));
- return;
- }
-
- retval = pam_authenticate(su->pamh, 0);
- if (is_pam_failure(retval))
- goto done;
-
- retval = pam_acct_mgmt(su->pamh, 0);
- if (retval == PAM_NEW_AUTHTOK_REQD) {
- /* Password has expired. Offer option to change it. */
- retval = pam_chauthtok(su->pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
- }
-
- done:
-
- log_syslog(su, pw, !is_pam_failure(retval));
-
- if (is_pam_failure(retval)) {
- const char *msg;
-
- log_btmp(pw);
-
- msg = pam_strerror(su->pamh, retval);
- pam_end(su->pamh, retval);
- sleep(getlogindefs_num("FAIL_DELAY", 1));
- errx(EXIT_FAILURE, "%s", msg ? msg : _("incorrect password"));
- }
-}
static void
set_path(const struct passwd * const pw)
else if (use_gid)
pw->pw_gid = gid;
- authenticate(su, pw);
+ supam_authenticate(su, pw);
if (request_same_session || !command || !pw->pw_uid)
su->same_session = 1;
projects / thirdparty / util-linux.git / commitdiff
