* Merge SUSE's coreutils-5.0-pam-env.patch so that PAM modules can

pass environment variables (notably DISPLAY and XAUTHORITY) to the child shell. svn path=/nixpkgs/trunk/; revision=7701
2007-01-16 22:24:03 +00:00 · 2007-01-16 22:24:03 +00:00 · a71003612b
commit a71003612b
parent 4d2519baad
2 changed files with 1018 additions and 623 deletions
--- a/pkgs/tools/misc/su/default.nix
+++ b/pkgs/tools/misc/su/default.nix
@ -14,7 +14,6 @@ stdenv.mkDerivation {
    # PAM patch taken from SUSE's coreutils-6.7-5.src.rpm.
    ./su-pam.patch
  ];
-  patchFlags = "-p0";
  buildInputs = [pam];
  buildPhase = "
    make -C lib
--- a/pkgs/tools/misc/su/su-pam.patch
+++ b/pkgs/tools/misc/su/su-pam.patch
@ -1,6 +1,9 @@
--- src/getdef.c
-+++ src/getdef.c
-@@ -0,0 +1,257 @@
+diff -rcN coreutils-6.7-orig/getdef.c coreutils-6.7/getdef.c
+*** coreutils-6.7-orig/getdef.c	Thu Jan  1 00:00:00 1970
+--- coreutils-6.7/getdef.c	Tue Jan 16 22:18:41 2007
+***************
+*** 0 ****
+--- 1,257 ----
 + /* Copyright (C) 2003, 2004, 2005 Thorsten Kukuk
 +    Author: Thorsten Kukuk <kukuk@suse.de>
 + 
@ -258,9 +261,12 @@
 + }
 + 
 + #endif
--- src/getdef.h
-+++ src/getdef.h
-@@ -0,0 +1,29 @@
+diff -rcN coreutils-6.7-orig/getdef.h coreutils-6.7/getdef.h
+*** coreutils-6.7-orig/getdef.h	Thu Jan  1 00:00:00 1970
+--- coreutils-6.7/getdef.h	Tue Jan 16 22:18:41 2007
+***************
+*** 0 ****
+--- 1,29 ----
 + /* Copyright (C) 2003, 2005 Thorsten Kukuk
 +    Author: Thorsten Kukuk <kukuk@suse.de>
 + 
@ -290,9 +296,310 @@
 + extern void free_getdef_data (void);
 + 
 + #endif /* _GETDEF_H_ */
--- src/su.c
-+++ src/su.c
-@@ -38,6 +38,12 @@
+diff -rcN coreutils-6.7-orig/src/getdef.c coreutils-6.7/src/getdef.c
+*** coreutils-6.7-orig/src/getdef.c	Thu Jan  1 00:00:00 1970
+--- coreutils-6.7/src/getdef.c	Tue Jan 16 22:18:57 2007
+***************
+*** 0 ****
+--- 1,257 ----
+ /* Copyright (C) 2003, 2004, 2005 Thorsten Kukuk
+    Author: Thorsten Kukuk <kukuk@suse.de>
+ 
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License version 2 as
+    published by the Free Software Foundation.
+ 
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+ 
+    You should have received a copy of the GNU General Public License
+    along with this program; if not, write to the Free Software Foundation,
+    Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.  */
+ 
+ #ifdef HAVE_CONFIG_H
+ #include <config.h>
+ #endif
+ 
+ #define _GNU_SOURCE
+ 
+ #include <errno.h>
+ #include <ctype.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
+ #include <limits.h>
+ 
+ #include "getdef.h"
+ 
+ struct item {
+   char *name;         /* name of the option.  */
+   char *value;        /* value of the option.  */
+   struct item *next;  /* pointer to next option.  */
+ };
+ 
+ static struct item *list = NULL;
+ 
+ void
+ free_getdef_data (void)
+ {
+   struct item *ptr;
+ 
+   ptr = list;
+   while (ptr != NULL)
+     {
+       struct item *tmp;
+       tmp = ptr->next;
+       free (ptr->name);
+       free (ptr->value);
+       free (ptr);
+       ptr = tmp;
+     }
+ 
+   list = NULL;
+ }
+ 
+ /* Add a new entry to the list.  */
+ static void
+ store (const char *name, const char *value)
+ {
+   struct item *new = malloc (sizeof (struct item));
+ 
+   if (new == NULL)
+     abort ();
+ 
+   if (name == NULL)
+     abort ();
+ 
+   new->name = strdup (name);
+   new->value = strdup (value?:"");
+   new->next = list;
+   list = new;
+ }
+ 
+ /* search a special entry in the list and return the value.  */
+ static const char *
+ search (const char *name)
+ {
+   struct item *ptr;
+ 
+   ptr = list;
+   while (ptr != NULL)
+     {
+       if (strcasecmp (name, ptr->name) == 0)
+ 	return ptr->value;
+       ptr = ptr->next;
+     }
+ 
+   return NULL;
+ }
+ 
+ /* Load the login.defs file (/etc/login.defs)  */
+ static void
+ load_defaults_internal (const char *filename)
+ {
+   FILE *fp;
+   char *buf = NULL;
+   size_t buflen = 0;
+ 
+   fp = fopen (filename, "r");
+   if (NULL == fp)
+     return;
+ 
+   while (!feof (fp))
+     {
+       char *tmp, *cp;
+ #if defined(HAVE_GETLINE)
+       ssize_t n = getline (&buf, &buflen, fp);
+ #elif defined (HAVE_GETDELIM)
+       ssize_t n = getdelim (&buf, &buflen, '\n', fp);
+ #else
+       ssize_t n;
+ 
+       if (buf == NULL)
+         {
+           buflen = 8096;
+           buf = malloc (buflen);
+         }
+       buf[0] = '\0';
+       fgets (buf, buflen - 1, fp);
+       if (buf != NULL)
+         n = strlen (buf);
+       else
+         n = 0;
+ #endif /* HAVE_GETLINE / HAVE_GETDELIM */
+       cp = buf;
+ 
+       if (n < 1)
+         break;
+ 
+       tmp = strchr (cp, '#');  /* remove comments */
+       if (tmp)
+         *tmp = '\0';
+       while (isspace ((int)*cp))    /* remove spaces and tabs */
+         ++cp;
+       if (*cp == '\0')        /* ignore empty lines */
+         continue;
+ 
+       if (cp[strlen (cp) - 1] == '\n')
+         cp[strlen (cp) - 1] = '\0';
+ 
+       tmp = strsep (&cp, " \t=");
+       if (cp != NULL)
+ 	while (isspace ((int)*cp) || *cp == '=')
+ 	  ++cp;
+ 
+       store (tmp, cp);
+     }
+   fclose (fp);
+ 
+   if (buf)
+     free (buf);
+ }
+ 
+ static void
+ load_defaults (void)
+ {
+   load_defaults_internal ("/etc/default/su");
+   load_defaults_internal ("/etc/login.defs");
+ }
+ 
+ int
+ getdef_bool (const char *name, int dflt)
+ {
+   const char *val;
+ 
+   if (list == NULL)
+     load_defaults ();
+ 
+   val = search (name);
+ 
+   if (val == NULL)
+     return dflt;
+ 
+   return (strcasecmp (val, "yes") == 0);
+ }
+ 
+ long
+ getdef_num (const char *name, long dflt)
+ {
+   const char *val;
+   char *cp;
+   long retval;
+ 
+   if (list == NULL)
+     load_defaults ();
+ 
+   val = search (name);
+ 
+   if (val == NULL)
+     return dflt;
+ 
+   retval = strtol (val, &cp, 0);
+   if (*cp != '\0' ||
+       ((retval == LONG_MAX || retval == LONG_MIN) && errno == ERANGE))
+     {
+       fprintf (stderr,
+ 	       "%s contains invalid numerical value: %s!\n",
+ 	       name, val);
+       retval = dflt;
+     }
+   return retval;
+ }
+ 
+ unsigned long
+ getdef_unum (const char *name, unsigned long dflt)
+ {
+   const char *val;
+   char *cp;
+   unsigned long retval;
+ 
+   if (list == NULL)
+     load_defaults ();
+ 
+   val = search (name);
+ 
+   if (val == NULL)
+     return dflt;
+ 
+   retval = strtoul (val, &cp, 0);
+   if (*cp != '\0' || (retval == ULONG_MAX && errno == ERANGE))
+     {
+       fprintf (stderr,
+ 	       "%s contains invalid numerical value: %s!\n",
+ 	       name, val);
+       retval = dflt;
+     }
+   return retval;
+ }
+ 
+ const char *
+ getdef_str (const char *name, const char *dflt)
+ {
+   const char *retval;
+ 
+   if (list == NULL)
+     load_defaults ();
+ 
+   retval = search (name);
+ 
+   return retval ?: dflt;
+ }
+ 
+ #if defined(TEST)
+ 
+ int
+ main ()
+ {
+   printf ("CYPT=%s\n", getdef_str ("cRypt", "no"));
+   printf ("LOG_UNKFAIL_ENAB=%s\n", getdef_str ("log_unkfail_enab",""));
+   printf ("DOESNOTEXIST=%s\n", getdef_str ("DOESNOTEXIST","yes"));
+   return 0;
+ }
+ 
+ #endif
+diff -rcN coreutils-6.7-orig/src/getdef.h coreutils-6.7/src/getdef.h
+*** coreutils-6.7-orig/src/getdef.h	Thu Jan  1 00:00:00 1970
+--- coreutils-6.7/src/getdef.h	Tue Jan 16 22:18:57 2007
+***************
+*** 0 ****
+--- 1,29 ----
+ /* Copyright (C) 2003, 2005 Thorsten Kukuk
+    Author: Thorsten Kukuk <kukuk@suse.de>
+ 
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License version 2 as
+    published by the Free Software Foundation.
+ 
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+ 
+    You should have received a copy of the GNU General Public License
+    along with this program; if not, write to the Free Software Foundation,
+    Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.  */
+ 
+ #ifndef _GETDEF_H_
+ 
+ #define _GETDEF_H_ 1
+ 
+ extern int getdef_bool (const char *name, int dflt);
+ extern long getdef_num (const char *name, long dflt);
+ extern unsigned long getdef_unum (const char *name, unsigned long dflt);
+ extern const char *getdef_str (const char *name, const char *dflt);
+ 
+ /* Free all data allocated by getdef_* calls before.  */
+ extern void free_getdef_data (void);
+ 
+ #endif /* _GETDEF_H_ */
+diff -rcN coreutils-6.7-orig/src/su.c coreutils-6.7/src/su.c
+*** coreutils-6.7-orig/src/su.c	Sun Oct 22 16:54:15 2006
+--- coreutils-6.7/src/su.c	Tue Jan 16 22:19:02 2007
+***************
+*** 38,43 ****
+--- 38,49 ----
     restricts who can su to UID 0 accounts.  RMS considers that to
     be fascist.
  
@ -305,7 +612,9 @@
     Compile-time options:
     -DSYSLOG_SUCCESS	Log successful su's (by default, to root) with syslog.
     -DSYSLOG_FAILURE	Log failed su's (by default, to root) with syslog.
-@@ -53,6 +59,13 @@
+***************
+*** 53,58 ****
+--- 59,71 ----
  #include <sys/types.h>
  #include <pwd.h>
  #include <grp.h>
@ -319,7 +628,9 @@
  
  /* Hide any system prototype for getusershell.
     This is necessary because some Cray systems have a conflicting
-@@ -66,6 +79,9 @@
+***************
+*** 66,71 ****
+--- 79,87 ----
  
  #if HAVE_SYSLOG_H && HAVE_SYSLOG
  # include <syslog.h>
@ -329,31 +640,44 @@
  #else
  # undef SYSLOG_SUCCESS
  # undef SYSLOG_FAILURE
-@@ -99,19 +115,13 @@
+***************
+*** 99,117 ****
+  # include <paths.h>
+  #endif
+  
+  /* The default PATH for simulated logins to non-superuser accounts.  */
+! #ifdef _PATH_DEFPATH
+! # define DEFAULT_LOGIN_PATH _PATH_DEFPATH
+! #else
+! # define DEFAULT_LOGIN_PATH ":/usr/ucb:/bin:/usr/bin"
+! #endif
+  
+  /* The default PATH for simulated logins to superuser accounts.  */
+! #ifdef _PATH_DEFPATH_ROOT
+! # define DEFAULT_ROOT_LOGIN_PATH _PATH_DEFPATH_ROOT
+! #else
+! # define DEFAULT_ROOT_LOGIN_PATH "/usr/ucb:/bin:/usr/bin:/etc"
+! #endif
+  
+  /* The shell to run if none is given in the user's passwd entry.  */
+  #define DEFAULT_SHELL "/bin/sh"
+--- 115,127 ----
  # include <paths.h>
  #endif
  
 + #include "getdef.h"
 + 
  /* The default PATH for simulated logins to non-superuser accounts.  */
-#ifdef _PATH_DEFPATH
-# define DEFAULT_LOGIN_PATH _PATH_DEFPATH
-#else
-# define DEFAULT_LOGIN_PATH ":/usr/ucb:/bin:/usr/bin"
-#endif
-+#define DEFAULT_LOGIN_PATH "/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin"
+! #define DEFAULT_LOGIN_PATH "/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin"
  
  /* The default PATH for simulated logins to superuser accounts.  */
-#ifdef _PATH_DEFPATH_ROOT
-# define DEFAULT_ROOT_LOGIN_PATH _PATH_DEFPATH_ROOT
-#else
-# define DEFAULT_ROOT_LOGIN_PATH "/usr/ucb:/bin:/usr/bin:/etc"
-#endif
-+#define DEFAULT_ROOT_LOGIN_PATH "/usr/sbin:/bin:/usr/bin:/sbin:/usr/X11R6/bin"
+! #define DEFAULT_ROOT_LOGIN_PATH "/usr/sbin:/bin:/usr/bin:/sbin:/usr/X11R6/bin"
  
  /* The shell to run if none is given in the user's passwd entry.  */
  #define DEFAULT_SHELL "/bin/sh"
-@@ -119,7 +129,9 @@
+***************
+*** 119,125 ****
+--- 129,137 ----
  /* The user to become if none is specified.  */
  #define DEFAULT_USER "root"
  
@ -363,7 +687,9 @@
  char *getusershell ();
  void endusershell ();
  void setusershell ();
-@@ -216,7 +228,26 @@
+***************
+*** 216,222 ****
+--- 228,253 ----
  }
  #endif
  
@ -390,7 +716,19 @@
     Return true if the user gives the correct password for entry PW,
     false if not.  Return true without asking for a password if run by UID 0
     or if PW has an empty password.  */
-@@ -224,10 +255,49 @@
+***************
+*** 224,233 ****
+  static bool
+  correct_password (const struct passwd *pw)
+  {
+    char *unencrypted, *encrypted, *correct;
+  #if HAVE_GETSPNAM && HAVE_STRUCT_SPWD_SP_PWDP
+    /* Shadow passwd stuff for SVR3 and maybe other systems.  */
+!   struct spwd *sp = getspnam (pw->pw_name);
+  
+    endspent ();
+    if (sp)
+--- 255,303 ----
  static bool
  correct_password (const struct passwd *pw)
  {
@ -436,12 +774,13 @@
    char *unencrypted, *encrypted, *correct;
  #if HAVE_GETSPNAM && HAVE_STRUCT_SPWD_SP_PWDP
    /* Shadow passwd stuff for SVR3 and maybe other systems.  */
-  struct spwd *sp = getspnam (pw->pw_name);
-+  const struct spwd *sp = getspnam (pw->pw_name);
+!   const struct spwd *sp = getspnam (pw->pw_name);
  
    endspent ();
    if (sp)
-@@ -248,6 +318,7 @@
+***************
+*** 248,253 ****
+--- 318,324 ----
    encrypted = crypt (unencrypted, correct);
    memset (unencrypted, 0, strlen (unencrypted));
    return STREQ (encrypted, correct);
@ -449,18 +788,28 @@
  }
  
  /* Update `environ' for the new shell based on PW, with SHELL being
-@@ -272,8 +343,8 @@
+***************
+*** 272,279 ****
        xsetenv ("USER", pw->pw_name);
        xsetenv ("LOGNAME", pw->pw_name);
        xsetenv ("PATH", (pw->pw_uid
-			? DEFAULT_LOGIN_PATH
-			: DEFAULT_ROOT_LOGIN_PATH));
-+			? getdef_str ("PATH", DEFAULT_LOGIN_PATH)
-+			: getdef_str ("SUPATH", DEFAULT_ROOT_LOGIN_PATH)));
+! 			? DEFAULT_LOGIN_PATH
+! 			: DEFAULT_ROOT_LOGIN_PATH));
      }
    else
      {
-@@ -283,6 +354,12 @@
+--- 343,350 ----
+        xsetenv ("USER", pw->pw_name);
+        xsetenv ("LOGNAME", pw->pw_name);
+        xsetenv ("PATH", (pw->pw_uid
+! 			? getdef_str ("PATH", DEFAULT_LOGIN_PATH)
+! 			: getdef_str ("SUPATH", DEFAULT_ROOT_LOGIN_PATH)));
+      }
+    else
+      {
+***************
+*** 283,288 ****
+--- 354,365 ----
  	{
  	  xsetenv ("HOME", pw->pw_dir);
  	  xsetenv ("SHELL", shell);
@ -473,7 +822,9 @@
  	  if (pw->pw_uid)
  	    {
  	      xsetenv ("USER", pw->pw_name);
-@@ -303,12 +380,35 @@
+***************
+*** 303,314 ****
+--- 380,414 ----
      error (EXIT_FAIL, errno, _("cannot set groups"));
    endgrent ();
  #endif
@ -509,7 +860,9 @@
  /* Run SHELL, or DEFAULT_SHELL if SHELL is empty.
     If COMMAND is nonzero, pass it to the shell with the -c option.
     Pass ADDITIONAL_ARGS to the shell as more arguments; there
-@@ -321,6 +421,88 @@
+***************
+*** 321,326 ****
+--- 421,523 ----
    size_t n_args = 1 + fast_startup + 2 * !!command + n_additional_args + 1;
    char const **args = xnmalloc (n_args, sizeof *args);
    size_t argno = 1;
@ -593,12 +946,29 @@
 +     }
 + 
 +   /* child shell */
+ 
+   /* Export env variables declared by PAM modules */
+   {
+     const char *const *env;
+ 
+     env = (const char *const *) pam_getenvlist (pamh);
+     while (env && *env)
+       {
+ 	
+ 	if (putenv (*env) != 0)
+ 	  xalloc_die ();
+         env++;
+       }
+   }
+ 
 +   pam_end (pamh, 0);
 + #endif
  
    if (simulate_login)
      {
-@@ -339,6 +521,11 @@
+***************
+*** 339,344 ****
+--- 536,546 ----
      args[argno++] = "-f";
    if (command)
      {
@ -610,7 +980,9 @@
        args[argno++] = "-c";
        args[argno++] = command;
      }
-@@ -495,6 +682,9 @@
+***************
+*** 495,500 ****
+--- 697,705 ----
  #ifdef SYSLOG_FAILURE
        log_su (pw, false);
  #endif
@ -620,3 +992,27 @@
        error (EXIT_FAIL, 0, _("incorrect password"));
      }
  #ifdef SYSLOG_SUCCESS
+***************
+*** 516,524 ****
+        shell = NULL;
+      }
+    shell = xstrdup (shell ? shell : pw->pw_shell);
+    modify_environment (pw, shell);
+  
+-   change_identity (pw);
+    if (simulate_login && chdir (pw->pw_dir) != 0)
+      error (0, errno, _("warning: cannot change directory to %s"), pw->pw_dir);
+  
+--- 721,732 ----
+        shell = NULL;
+      }
+    shell = xstrdup (shell ? shell : pw->pw_shell);
+   change_identity (pw);
+ 
+   /* Set environment after pam_open_session, which may put KRB5CCNAME
+      into the pam_env, etc.  */
+    modify_environment (pw, shell);
+  
+    if (simulate_login && chdir (pw->pw_dir) != 0)
+      error (0, errno, _("warning: cannot change directory to %s"), pw->pw_dir);
+