1 diff -Nur coreutils-5.2.1.orig/configure.ac coreutils-5.2.1/configure.ac
2 --- coreutils-5.2.1.orig/configure.ac Tue Mar 2 23:47:31 2004
3 +++ coreutils-5.2.1/configure.ac Thu Mar 18 17:06:38 2004
6 AM_INIT_AUTOMAKE([1.8 gnits dist-bzip2])
8 +dnl Give the chance to enable PAM
9 +AC_ARG_ENABLE(pam, dnl
10 +[ --enable-pam Enable use of the PAM libraries],
11 +AC_DEFINE(USE_PAM,,[Use PAM?])
12 +LIB_PAM="-ldl -lpam -lpam_misc"
15 gl_DEFAULT_POSIX2_VERSION
16 gl_USE_SYSTEM_EXTENSIONS
19 AM_GNU_GETTEXT([external], [need-ngettext])
20 AM_GNU_GETTEXT_VERSION(0.13.1)
22 +# just in case we want PAM
24 +# with PAM su doesn't need libcrypt
25 +if test -n "$LIB_PAM" ; then
32 diff -Nur coreutils-5.2.1.orig/doc/coreutils.texi coreutils-5.2.1/doc/coreutils.texi
33 --- coreutils-5.2.1.orig/doc/coreutils.texi Thu Mar 18 16:58:54 2004
34 +++ coreutils-5.2.1/doc/coreutils.texi Thu Mar 18 17:08:08 2004
35 @@ -11892,32 +11892,6 @@
36 the exit status of the subshell otherwise
39 -@cindex wheel group, not supported
40 -@cindex group wheel, not supported
42 -@subsection Why GNU @command{su} does not support the @samp{wheel} group
44 -(This section is by Richard Stallman.)
48 -Sometimes a few of the users try to hold total power over all the
49 -rest. For example, in 1984, a few users at the MIT AI lab decided to
50 -seize power by changing the operator password on the Twenex system and
51 -keeping it secret from everyone else. (I was able to thwart this coup
52 -and give power back to the users by patching the kernel, but I
53 -wouldn't know how to do that in Unix.)
55 -However, occasionally the rulers do tell someone. Under the usual
56 -@command{su} mechanism, once someone learns the root password who
57 -sympathizes with the ordinary users, he or she can tell the rest. The
58 -``wheel group'' feature would make this impossible, and thus cement the
61 -I'm on the side of the masses, not that of the rulers. If you are
62 -used to supporting the bosses and sysadmins in whatever they do, you
63 -might find this idea strange at first.
68 diff -Nur coreutils-5.2.1.orig/man/es/su.1 coreutils-5.2.1/man/es/su.1
69 --- coreutils-5.2.1.orig/man/es/su.1 Mon Apr 12 14:26:19 1999
70 +++ coreutils-5.2.1/man/es/su.1 Thu Mar 18 17:05:55 2004
72 puede ser compilado para reportar fallo, y opcionalmente éxito en syslog.
74 intentará utilizar syslog.
76 -Este programa no soporta el grupo "wheel", el cual restringe quien podrá
79 -hacia la cuenta de root (el superusuario) ya que esta política podría
80 -ayudar a los administradores de máquinas a facilitar un uso inadecuado a otros
84 .I "\-c COMANDO, \-\-command=COMANDO"
87 Escribe información sobre la versión en la salida estándar y acaba sin
90 -.SH Por que GNU no soporta el grupo "wheel" (por Richard Stallman)
91 -A veces, algunos listillos intentan hacerse con el poder total
92 -sobre el resto de usuarios. Por ejemplo, en 1984, un grupo de usuarios del
93 -laboratorio de Inteligencia Artificial del MIT decidieron tomar el poder
94 -cambiando el password de operador del sistema Twenex y manteniendolo secreto
95 -para el resto de usuarios. (De todas maneras, hubiera sido posible desbaratar
96 -la situación y devolver el control a los usuarios legítimos parcheando el
97 -kernel, pero no sabría como realizar esta operación en un sistema Unix.)
99 -Sin embargo, casualmente alguien contó el secreto. Mediante el uso habitual de
101 -una vez que alguien conoce el password de root puede contarselo al resto de
102 -usuarios. El grupo "wheel" hará que esto sea imposible, protegiendo así el poder
103 -de los superusuarios.
105 -Yo estoy del lado de las masas, no de los superusuarios. Si eres de los que
106 -estan de acuerdo con los jefes y los administradores de sistemas en cualquier
107 -cosa que hagan, al principio encontrarás esta idea algo extraña.
108 diff -Nur coreutils-5.2.1.orig/man/fr/su.1 coreutils-5.2.1/man/fr/su.1
109 --- coreutils-5.2.1.orig/man/fr/su.1 Sun Aug 10 12:00:00 2003
110 +++ coreutils-5.2.1/man/fr/su.1 Thu Mar 18 17:05:55 2004
112 peut être compilé afin de fournir des rapports d'échec, et éventuellement
113 de réussite des tentatives d'utilisation de
116 -Ce programme ne gère pas le "groupe wheel" utilisé pour restreindre
119 -au compte Super-Utilisateur, car il pourrait aider des administrateurs
120 -système fascistes à disposer d'un pouvoir incontrôlé
121 -sur les autres utilisateurs.
124 .I "\-c COMMANDE, \-\-command=COMMANDE"
127 Afficher un numéro de version sur la sortie standard et se terminer normalement.
129 -.SH Pourquoi GNU SU ne gère-t-il pas le groupe `wheel' (par Richard Stallman)
130 -Il peut arriver qu'un petit groupe d'utilisateurs essayent de s'approprier
131 -l'ensemble du système. Par exemple, en 1984, quelques utilisateurs du
132 -laboratoire d'I.A du MIT ont tentés de prendre le pouvoir en modifiant
133 -le mot de passe de l'opérateur sur le système Twenex, et en
134 -gardant ce mot de passe secret. (J'ai pu les en empêcher en modifiant le noyau, et
135 -restaurer ainsi les autres accès, mais je ne saurais pas en faire autant
138 -Néanmoins, il arrive parfois que les chefs fournissent le mot
139 -de passe de root à un utilisateur ordinaire.
140 -Avec le mécanisme habituel de \fBsu\fP,
141 -une fois que quelqu'un connaît ce mot de passe, il peut le transmettre
142 -à ses amis. Le principe du "groupe wheel" rend ce partage impossible,
143 -ce qui renforce la puissance des chefs.
145 -Je me situe du cote du peuple, pas du côté des chefs. Si vous avez l'habitude
146 -de soutenir les patrons et les administrateurs systèmes quoi qu'ils fassent,
147 -cette idée peut vous paraître étrange au premier abord.
150 Christophe Blaess, 1997-2003.
151 diff -Nur coreutils-5.2.1.orig/man/hu/su.1 coreutils-5.2.1/man/hu/su.1
152 --- coreutils-5.2.1.orig/man/hu/su.1 Sun Jul 9 14:19:12 2000
153 +++ coreutils-5.2.1/man/hu/su.1 Thu Mar 18 17:05:55 2004
156 A program verziójáról ír ki információt a standard kimenetre, majd
157 sikeres visszatérési értékkel kilép.
158 -.SH Miért nem támogatja a GNU su a wheel csoportot? (Richard Stallman)
160 -Néha a rendszer fölötti teljes ellenõrzést egy néhány emberbõl
161 -álló csoport akarja kézbe venni. Például 1984-ben pár user a MIT AI
162 -laborban úgy döntött, hogy átveszik az irányítást a Twenex rendszer
163 -operátori jelszavának megváltoztatásával, és annak titokban tartásával.
164 -(A puccsot sikerült leverni, és a felhasználókat jogaikba visszahelyezni
165 -egy kernel patch segítségével, de Unix alatt ezt nem tudtam volna megcsinálni.)
166 -(A fordító megj.: a wheel csoportot ezzel a módszerrel könnyen
167 -önkényesen is leszûkíthetik a csoporttagok , így tulajdonképpen nincs sok értelme.)
169 -Néha az uralmon levõk elárulják a root jelszót. A szokásos su
170 -mechanizmus szerint, ha valaki megtudja a root jelszót, és
171 -szimpatizál a többi közönséges felhasználóval, elárulhatja nekik
172 -is. A wheel csoport ezt lehetetlenné tenné, és így bebetonozná az
173 -uralmon levõ hatalmát.
175 -Én a tömegek oldalán állok, nem az uralkodókén. Ha te mindig a
176 -fõnökök és a rendszergazdák oldalán állsz, bármit is tesznek, akkor
177 -valószínûleg furcsálni fogod ezt a hozzáállást.
179 -A fordító megjegyzése:
180 -Valami jó azért mégis lenne a wheel csoportban: az, hogy ha a root
181 -jelszó kitudódna azzal nem tudna bármelyik felhasználó közvetlenül
182 -visszaélni. A wheel csoporthoz hasonló dolgot lehet elérni a
186 A hibákat a bug-sh-utils@gnu.org címen lehet jelenteni.
187 Az oldalt Ragnar Hojland Espinosa <ragnar@macula.net> frissítette.
188 diff -Nur coreutils-5.2.1.orig/man/it/su.1 coreutils-5.2.1/man/it/su.1
189 --- coreutils-5.2.1.orig/man/it/su.1 Mon Jul 1 23:09:38 2002
190 +++ coreutils-5.2.1/man/it/su.1 Thu Mar 18 17:05:55 2004
193 può essere compilato per riportare tramite syslog gli errori, ed
194 eventualmente anche i successi che ottiene.
196 -Questo programma non supporta un "gruppo wheel" che limita chi può fare
198 -agli account del superuser, poiché ciò può aiutare amministratori di
199 -sistema "fascisti" a tenere un potere inautorizzato sugli altri utenti.
202 .I "\-c COMANDO, \-\-command=COMANDO"
205 Stampa in standard output informazioni sulla versione e esce (con
207 -.SH Perché GNU su non supporta il gruppo wheel (di Richard Stallman)
208 -Qualche volta pochi utenti provano a tenere il potere assoluto sul
209 -resto degli utenti. Per esempio, nel 1984, alcuni utenti nel
210 -laboratorio di AI del MIT decisero impossessarsi del potere cambiando
211 -la password dell'operatore su un sistema Twenex e tenendola segreta a
212 -tutti gli altri (fui in grado di contrastare questo colpaccio e
213 -restituire il potere agli utenti ``patch-ando'' il kernel, ma non
214 -saprei come fare ciò in Unix).
216 -Comunque, occasionalmente i sovrani lo fanno. Tramite l'usuale
217 -meccanismo su, una volta che qualcuno che simpatizzi con gli
218 -utenti normali, abbia imparato la password di root può dirla anche
219 -agli altri. La caratteristica del "gruppo wheel" renderebbe ciò
220 -impossibile, consolidando quindi il potere dei sovrani.
222 -Io sono dalla parte delle masse, non da quella dei sovrani. Se tu sei
223 -abituato a sostenere i capi e gli amministratori di sistema in tutto
224 -quello che fanno, potresti trovare questa idea strana all'inizio.
225 diff -Nur coreutils-5.2.1.orig/man/ja/su.1 coreutils-5.2.1/man/ja/su.1
226 --- coreutils-5.2.1.orig/man/ja/su.1 Sun Dec 14 16:06:54 2003
227 +++ coreutils-5.2.1/man/ja/su.1 Thu Mar 18 17:05:55 2004
230 ¤¬¼ºÇÔ¤·¤¿¤È¤ syslog ¤Ë¥ì¥Ý¡¼¥È¤¹¤ë¤è¤¦¤Ë¥³¥ó¥Ñ¥¤¥ë¤¹¤ë¤³¤È
231 ¤¬¤Ç¤¤ë¡ÊÀ®¸ù¤ò¥ì¥Ý¡¼¥È¤¹¤ë¤è¤¦¤Ë¤â¤Ç¤¤ë¡Ë¡£
233 -¤³¤Î¥×¥í¥°¥é¥à¤Ï "wheel group" ¤Îµ¡Ç½¡Ê
235 -¤Ë¤è¤Ã¤Æ¥¹¡¼¥Ñ¡¼¥æ¡¼¥¶¡¼¥¢¥«¥¦¥ó¥È¤Ë¤Ê¤ì¤ë¥æ¡¼¥¶¤òÀ©¸Â¤¹¤ëµ¡Ç½¡Ë¤ò¥µ¥Ý¡¼
236 -¥È¤·¤Ê¤¤¡£¤³¤ì¤ÏÀìÀ©Åª¤Ê¥·¥¹¥Æ¥à´ÉÍý¼Ô¤¬Â¾¤Î¥æ¡¼¥¶¡¼¤ËÉÔÅö¤Ê¸¢ÎϤò¿¶¤ë
237 -¤¨¤Ê¤¤¤è¤¦¤Ë¤¹¤ë¤¿¤á¤Ç¤¢¤ë¡£
240 .I "\-c COMMAND, \-\-command=COMMAND"
244 ¥Ð¡¼¥¸¥ç¥ó¾ðÊó¤òɸ½à½ÐÎϤËɽ¼¨¤·¡¢¼Â¹ÔÀ®¸ù¤òÊÖ¤·¤Æ½ªÎ»¤¹¤ë¡£
245 -.SH GNU su ¤Ç wheel ¥°¥ë¡¼¥×¤ò¥µ¥Ý¡¼¥È¤·¤Ê¤¤¤ï¤±¡ÊRichard Stallman¡Ë
246 -¤È¤¤ª¤ê¡¢¾¯¿ô¤Î¥æ¡¼¥¶¡¼¤Ë¤è¤Ã¤Æ¡¢Â¾¤Î¥æ¡¼¥¶¡¼¤ËÂФ¹¤ëÁ´¸¢¤ò¾¸°®¤·¤è¤¦
247 -¤È¤¹¤ë»î¤ß¤¬¤Ê¤µ¤ì¤ë¤³¤È¤¬¤¢¤ë¡£Î㤨¤Ð 1984 ǯ¡¢ MIT AI ¥é¥Ü¤Î¾¯¿ô¤Î¥æ¡¼
248 -¥¶¡¼¤Ï Twenex ¥·¥¹¥Æ¥à¤Î¥ª¥Ú¥ì¡¼¥¿¡¼¥Ñ¥¹¥ï¡¼¥É¤ÎÊѹ¹¸¢¸Â¤ò¶¯Ã¥¤·¡¢¤³¤ì
249 -¤ò¾¤Î¥æ¡¼¥¶¡¼¤«¤éÈëÆ¿¤¹¤ë¤³¤È¤Ë·èÄꤷ¤¿¡Ê¤³¤ÎºÝ¤Ë¤Ï»ä¤Ï¤³¤Î¥¯¡¼¥Ç¥¿¡¼
250 -¤Î΢¤ò¤«¤¡¢¥«¡¼¥Í¥ë¤Ë¥Ñ¥Ã¥Á¤òÅö¤Æ¤Æ¸¢¸Â¤ò¼è¤êÊÖ¤¹¤³¤È¤ËÀ®¸ù¤·¤¿¡£¤·¤«
251 -¤·¤³¤ì¤¬ Unix ¤Ç¤¢¤Ã¤¿¤é¡¢»ä¤Ë¤Ï¤É¤¦¤¹¤ì¤Ð¤è¤¤¤«¤ï¤«¤é¤Ê¤«¤Ã¤¿¤À¤í¤¦¡Ë¡£
253 -¤·¤«¤·¤Ê¤¬¤é¡¢»þ¤Ë¤ÏÀìÀ©¼Ô¤âÈëÌ©¤òϳ¤é¤¹¤â¤Î¤Ç¤¢¤ë¡£Ä̾ï¤Î su ¤Î¥á¥«¥Ë
254 -¥º¥à¤Ç¤Ï¡¢°ìÈ̥桼¥¶¡¼¤Î¦¤ËΩ¤Ä¼Ô¤¬ root ¤Î¥Ñ¥¹¥ï¡¼¥É¤òÃΤì¤Ð¡¢¤³¤ì¤ò
255 -¾¤Î¥æ¡¼¥¶¡¼¤Ë¤âÃΤ餻¤ë¤³¤È¤¬¤Ç¤¤ë¡£¤·¤«¤· "wheel group" µ¡Ç½¤Ï¤³¤ì
256 -¤òÉÔ²Äǽ¤Ë¤·¡¢·ë²Ì¤È¤·¤ÆÀìÀ©¼Ôã¤Î¸¢¸Â¤ò¶¯¸Ç¤¿¤ë¤â¤Î¤Ë¤·¤Æ¤·¤Þ¤¦¡£
258 -»ä¤ÏÂç½°¤Î¦¤ËΩ¤Ä¤â¤Î¤Ç¤¢¤ê¡¢ÀìÀ©Åª¤ÊΩ¾ì¤Ë¤ÏÈ¿ÂФ¹¤ë¡£¤¢¤Ê¤¿¤Ï¥Ü¥¹¤ä
259 -¥·¥¹¥Æ¥à´ÉÍý¼Ô¤Î¤ä¤ê¸ý¤Ë½¾¤¦¤³¤È¤Ë´·¤ì¤Æ¤¤¤ë¤«¤âÃΤì¤Ê¤¤¤¬¡¢¤½¤Î¾ì¹ç¤Ï
260 -¤Þ¤º¤½¤Î¤³¤È¼«¿È¤òÉԻ׵Ĥ˻פ¦¤Ù¤¤Ç¤Ï¤Ê¤¤¤À¤í¤¦¤«¡£
261 diff -Nur coreutils-5.2.1.orig/man/pl/su.1 coreutils-5.2.1/man/pl/su.1
262 --- coreutils-5.2.1.orig/man/pl/su.1 Tue Jun 20 16:07:31 2000
263 +++ coreutils-5.2.1/man/pl/su.1 Thu Mar 18 17:05:55 2004
265 mo¿e zostaæ tak skompilowane, by raportowa³o nieudane, lub opcjonalnie
266 równie¿ udane próby zmiany id przy u¿yciu
268 -Jednak \fBsu\fP w wersji GNU nie sprawdza czy u¿ytkownik jest cz³onkiem grupy
269 -`wheel' -- patrz poni¿ej.
272 .BR \-c " \fIpolecenie\fP, " \-\-command= \fIpolecenie
276 Wy¶wietla numer wersji programu i koñczy pracê.
277 -.SH Dlaczego GNU `su' nie obs³uguje grupy `wheel'
279 -(Sekcjê tê napisa³ Richard Stallman)
281 -Czasami kilku u¿ytkowników usi³uje sprawowaæ nieograniczon± w³adzê nad
282 -pozosta³ymi. Na przyk³ad, w 1984, kilku u¿ytkowników w laboratorium AI MIT
283 -zdecydowa³o siê `przej±æ w³adzê' zmieniaj±c has³o operatora systemu Twenex
284 -i trzymaj±c je w tajemnicy przed wszystkimi innymi. (Uda³o mi siê
285 -udaremniæ ten zamach i przywróciæ w³adzê u¿ytkownikom ³ataj±c j±dro, lecz
286 -nie wiedzia³bym jak zrobiæ to w Uniksie.)
288 -Jednak, od czasu do czasu panuj±cy wyjawiaj± komu¶. Przy zwyk³ym
289 -mechanizmie `su', kto¶, kto pozna³ has³o root'a i sympatyzuje ze zwyk³ymi
290 -u¿ytkownikami, mo¿e przekazaæ je pozosta³ym. Funkcja "grupy wheel"
291 -uniemo¿liwia³aby to, i w ten sposób umacnia³a w³adzê rz±dz±cych.
293 -Jestem po stronie mas, nie po stronie rz±dz±cych. Je¿eli zwyk³e¶ popieraæ
294 -szefów i administratorów systemów we wszystkim, co robi±, podej¶cie to mo¿e
295 -pocz±tkowo wydaæ Ci siê dziwne.
296 .SH "ZG£ASZANIE B£ÊDÓW"
297 B³êdy proszê zg³aszaæ, w jêz.ang., do <bug-sh-utils@gnu.org>.
299 diff -Nur coreutils-5.2.1.orig/po/pl.po coreutils-5.2.1/po/pl.po
300 --- coreutils-5.2.1.orig/po/pl.po Thu Mar 18 16:58:54 2004
301 +++ coreutils-5.2.1/po/pl.po Thu Mar 18 17:05:55 2004
302 @@ -7332,6 +7332,41 @@
303 msgid "Usage: %s [OPTION]... [-] [USER [ARG]...]\n"
304 msgstr "Sk³adnia: %s [OPCJA]... [-] [U¯YTKOWNIK [ARGUMENT]...]\n"
307 +msgid "could not open session\n"
308 +msgstr "nie mo¿na otworzyæ sesji\n"
311 +msgid "error copying PAM environment\n"
312 +msgstr "b³±d podczas kopiowania ¶rodowiska PAM\n"
316 +msgid "cannot fork user shell: %s"
317 +msgstr "nie mo¿na utworzyæ procesu pow³oki u¿ytkownika: %s"
321 +msgid "%s: signal malfunction\n"
322 +msgstr "%s: b³êdne dzia³anie sygna³ów\n"
326 +msgid "%s: signal masking malfunction\n"
327 +msgstr "%s: b³êdne dzia³anie maskowania sygna³ów\n"
332 +"Session terminated, killing shell..."
335 +"Sesja zakoñczona, zabijanie pow³oki..."
343 "Change the effective user id and group id to that of USER.\n"
344 diff -Nur coreutils-5.2.1.orig/src/Makefile.am coreutils-5.2.1/src/Makefile.am
345 --- coreutils-5.2.1.orig/src/Makefile.am Mon Feb 2 09:12:57 2004
346 +++ coreutils-5.2.1/src/Makefile.am Thu Mar 18 17:08:45 2004
349 uptime_LDADD = $(LDADD) $(GETLOADAVG_LIBS)
351 -su_LDADD = $(LDADD) $(LIB_CRYPT)
352 +su_LDADD = $(LDADD) $(LIB_CRYPT) $(LIB_PAM)
354 $(PROGRAMS): ../lib/libfetish.a
356 diff -Nur coreutils-5.2.1.orig/src/su.c coreutils-5.2.1/src/su.c
357 --- coreutils-5.2.1.orig/src/su.c Wed Jan 21 23:27:02 2004
358 +++ coreutils-5.2.1/src/su.c Thu Mar 18 17:11:21 2004
360 restricts who can su to UID 0 accounts. RMS considers that to
365 + Actually, with PAM, su has nothing to do with whether or not a
366 + wheel group is enforced by su. RMS tries to restrict your access
367 + to a su which implements the wheel group, but PAM considers that
368 + to be fascist, and gives the user/sysadmin the opportunity to
369 + enforce a wheel group by proper editing of /etc/pam.conf
374 -, -l, --login Make the subshell a login shell.
375 Unset all environment variables except
377 prototype (returning `int') in <unistd.h>. */
378 #define getusershell _getusershell_sys_proto_
381 +# include <security/pam_appl.h>
382 +# include <security/pam_misc.h>
383 +# include <signal.h>
384 +# include <sys/wait.h>
385 +# include <sys/fsuid.h>
386 +#endif /* USE_PAM */
392 /* The user to become if none is specified. */
393 #define DEFAULT_USER "root"
399 char *getusershell ();
400 void endusershell ();
403 extern char **environ;
405 -static void run_shell (const char *, const char *, char **)
406 +static void run_shell (const char *, const char *, char **, const struct passwd *)
409 /* The name this program was run with. */
415 +static pam_handle_t *pamh = NULL;
417 +static struct pam_conv conv = {
422 +#define PAM_BAIL_P if (retval) { \
423 + pam_end(pamh, PAM_SUCCESS); \
428 /* Ask the user for a password.
429 + If PAM is in use, let PAM ask for the password if necessary.
430 Return 1 if the user gives the correct password for entry PW,
431 0 if not. Return 1 without asking for a password if run by UID 0
432 or if PW has an empty password. */
435 correct_password (const struct passwd *pw)
438 + /* root always succeeds; this isn't an authentication question (no
439 + * extra privs are being granted) so it shouldn't authenticate with PAM.
440 + * However, we want to create the pam_handle so that proper credentials
441 + * are created later with pam_setcred(). */
442 + retval = pam_start(PROGRAM_NAME, pw->pw_name, &conv, &pamh);
445 + retval = pam_authenticate(pamh, 0);
448 + retval = pam_acct_mgmt(pamh, 0);
449 + if (retval == PAM_NEW_AUTHTOK_REQD) {
450 + /* password has expired. Offer option to change it. */
452 + retval = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
454 + } else retval = PAM_SUCCESS;
457 + /* must be authenticated if this point was reached */
459 +#else /* !USE_PAM */
460 char *unencrypted, *encrypted, *correct;
461 #if HAVE_GETSPNAM && HAVE_STRUCT_SPWD_SP_PWDP
462 /* Shadow passwd stuff for SVR3 and maybe other systems. */
464 encrypted = crypt (unencrypted, correct);
465 memset (unencrypted, 0, strlen (unencrypted));
466 return strcmp (encrypted, correct) == 0;
467 +#endif /* !USE_PAM */
470 /* Update `environ' for the new shell based on PW, with SHELL being
471 @@ -303,16 +362,20 @@
472 modify_environment (const struct passwd *pw, const char *shell)
479 - /* Leave TERM unchanged. Set HOME, SHELL, USER, LOGNAME, PATH.
480 + /* Leave TERM, DISPLAY unchanged. Set HOME, SHELL, USER, LOGNAME, PATH.
481 Unset all other environment variables. */
482 term = getenv ("TERM");
483 + display = getenv ("DISPLAY");
484 environ = xmalloc (2 * sizeof (char *));
487 xputenv (concat ("TERM", "=", term));
489 + xputenv (concat ("DISPLAY", "=", display));
490 xputenv (concat ("HOME", "=", pw->pw_dir));
491 xputenv (concat ("SHELL", "=", shell));
492 xputenv (concat ("USER", "=", pw->pw_name));
493 @@ -349,23 +412,74 @@
494 error (EXIT_FAIL, errno, _("cannot set groups"));
498 + retval = pam_setcred(pamh, PAM_ESTABLISH_CRED);
499 + if (retval != PAM_SUCCESS)
500 + error (1, 0, pam_strerror(pamh, retval));
501 +#endif /* USE_PAM */
502 if (setgid (pw->pw_gid))
503 error (EXIT_FAIL, errno, _("cannot set group id"));
504 if (setuid (pw->pw_uid))
505 error (EXIT_FAIL, errno, _("cannot set user id"));
509 +static int caught=0;
510 +/* Signal handler for parent process later */
511 +static void su_catch_sig(int sig)
517 +pam_copyenv (pam_handle_t *pamh)
521 + env = pam_getenvlist(pamh);
532 /* Run SHELL, or DEFAULT_SHELL if SHELL is empty.
533 If COMMAND is nonzero, pass it to the shell with the -c option.
534 If ADDITIONAL_ARGS is nonzero, pass it to the shell as more
538 -run_shell (const char *shell, const char *command, char **additional_args)
539 +run_shell (const char *shell, const char *command, char **additional_args, const struct passwd *pw)
549 + retval = pam_open_session(pamh,0);
550 + if (retval != PAM_SUCCESS) {
551 + fprintf (stderr, _("could not open session\n"));
555 +/* do this at the last possible moment, because environment variables may
556 + be passed even in the session phase
558 + if(pam_copyenv(pamh) != PAM_SUCCESS)
559 + fprintf (stderr, _("error copying PAM environment\n"));
562 + if (child == 0) { /* child shell */
563 + change_identity (pw);
567 args = xmalloc (sizeof (char *)
568 * (10 + elements (additional_args)));
570 error (0, errno, "%s", shell);
574 + } else if (child == -1) {
575 + fprintf(stderr, _("cannot fork user shell: %s"), strerror(errno));
579 + sigfillset(&ourset);
580 + if (sigprocmask(SIG_BLOCK, &ourset, NULL)) {
581 + fprintf(stderr, _("%s: signal malfunction\n"), PROGRAM_NAME);
585 + struct sigaction action;
586 + action.sa_handler = su_catch_sig;
587 + sigemptyset(&action.sa_mask);
588 + action.sa_flags = 0;
589 + sigemptyset(&ourset);
590 + if (sigaddset(&ourset, SIGTERM)
591 + || sigaddset(&ourset, SIGALRM)
592 + || sigaction(SIGTERM, &action, NULL)
593 + || sigprocmask(SIG_UNBLOCK, &ourset, NULL)) {
594 + fprintf(stderr, _("%s: signal masking malfunction\n"), PROGRAM_NAME);
602 + pid = waitpid(-1, &status, WUNTRACED);
604 + if (WIFSTOPPED(status)) {
605 + kill(getpid(), SIGSTOP);
606 + /* once we get here, we must have resumed */
607 + kill(pid, SIGCONT);
609 + } while (WIFSTOPPED(status));
613 + fprintf(stderr, _("\nSession terminated, killing shell..."));
614 + kill (child, SIGTERM);
616 + retval = pam_close_session(pamh, 0);
618 + retval = pam_end(pamh, PAM_SUCCESS);
622 + kill(child, SIGKILL);
623 + fprintf(stderr, _(" killed.\n"));
626 + exit (WEXITSTATUS(status));
627 +#endif /* USE_PAM */
630 /* Return 1 if SHELL is a restricted shell (one not returned by
633 modify_environment (pw, shell);
637 + setfsuid(pw->pw_uid);
639 change_identity (pw);
641 if (simulate_login && chdir (pw->pw_dir))
642 error (0, errno, _("warning: cannot change directory to %s"), pw->pw_dir);
644 - run_shell (shell, command, additional_args);
645 + run_shell (shell, command, additional_args, pw);