1 --- coreutils-6.3/configure.ac.orig 2006-09-30 09:37:48.000000000 +0200
2 +++ coreutils-6.3/configure.ac 2006-10-10 21:51:42.565887000 +0200
5 AM_INIT_AUTOMAKE([1.9.6 gnits dist-bzip2])
7 +dnl Give the chance to enable PAM
8 +AC_ARG_ENABLE(pam, dnl
9 +[ --enable-pam Enable use of the PAM libraries],
10 +AC_DEFINE(USE_PAM,,[Use PAM?])
11 +LIB_PAM="-ldl -lpam -lpam_misc"
18 AM_GNU_GETTEXT([external], [need-formatstring-macros])
19 AM_GNU_GETTEXT_VERSION([0.15])
21 +# just in case we want PAM
23 +# with PAM su doesn't need libcrypt
24 +if test -n "$LIB_PAM" ; then
31 diff -Nur coreutils-5.2.1.orig/doc/coreutils.texi coreutils-5.2.1/doc/coreutils.texi
32 --- coreutils-5.2.1.orig/doc/coreutils.texi Thu Mar 18 16:58:54 2004
33 +++ coreutils-5.2.1/doc/coreutils.texi Thu Mar 18 17:08:08 2004
34 @@ -11892,32 +11892,6 @@
35 the exit status of the subshell otherwise
38 -@cindex wheel group, not supported
39 -@cindex group wheel, not supported
41 -@subsection Why GNU @command{su} does not support the @samp{wheel} group
43 -(This section is by Richard Stallman.)
47 -Sometimes a few of the users try to hold total power over all the
48 -rest. For example, in 1984, a few users at the MIT AI lab decided to
49 -seize power by changing the operator password on the Twenex system and
50 -keeping it secret from everyone else. (I was able to thwart this coup
51 -and give power back to the users by patching the kernel, but I
52 -wouldn't know how to do that in Unix.)
54 -However, occasionally the rulers do tell someone. Under the usual
55 -@command{su} mechanism, once someone learns the root password who
56 -sympathizes with the ordinary users, he or she can tell the rest. The
57 -``wheel group'' feature would make this impossible, and thus cement the
60 -I'm on the side of the masses, not that of the rulers. If you are
61 -used to supporting the bosses and sysadmins in whatever they do, you
62 -might find this idea strange at first.
67 diff -Nur coreutils-5.2.1.orig/man/es/su.1 coreutils-5.2.1/man/es/su.1
68 --- coreutils-5.2.1.orig/man/es/su.1 Mon Apr 12 14:26:19 1999
69 +++ coreutils-5.2.1/man/es/su.1 Thu Mar 18 17:05:55 2004
71 puede ser compilado para reportar fallo, y opcionalmente éxito en syslog.
73 intentará utilizar syslog.
75 -Este programa no soporta el grupo "wheel", el cual restringe quien podrá
78 -hacia la cuenta de root (el superusuario) ya que esta política podría
79 -ayudar a los administradores de máquinas a facilitar un uso inadecuado a otros
83 .I "\-c COMANDO, \-\-command=COMANDO"
86 Escribe información sobre la versión en la salida estándar y acaba sin
89 -.SH Por que GNU no soporta el grupo "wheel" (por Richard Stallman)
90 -A veces, algunos listillos intentan hacerse con el poder total
91 -sobre el resto de usuarios. Por ejemplo, en 1984, un grupo de usuarios del
92 -laboratorio de Inteligencia Artificial del MIT decidieron tomar el poder
93 -cambiando el password de operador del sistema Twenex y manteniendolo secreto
94 -para el resto de usuarios. (De todas maneras, hubiera sido posible desbaratar
95 -la situación y devolver el control a los usuarios legítimos parcheando el
96 -kernel, pero no sabría como realizar esta operación en un sistema Unix.)
98 -Sin embargo, casualmente alguien contó el secreto. Mediante el uso habitual de
100 -una vez que alguien conoce el password de root puede contarselo al resto de
101 -usuarios. El grupo "wheel" hará que esto sea imposible, protegiendo así el poder
102 -de los superusuarios.
104 -Yo estoy del lado de las masas, no de los superusuarios. Si eres de los que
105 -estan de acuerdo con los jefes y los administradores de sistemas en cualquier
106 -cosa que hagan, al principio encontrarás esta idea algo extraña.
107 diff -Nur coreutils-5.2.1.orig/man/fr/su.1 coreutils-5.2.1/man/fr/su.1
108 --- coreutils-5.2.1.orig/man/fr/su.1 Sun Aug 10 12:00:00 2003
109 +++ coreutils-5.2.1/man/fr/su.1 Thu Mar 18 17:05:55 2004
111 peut être compilé afin de fournir des rapports d'échec, et éventuellement
112 de réussite des tentatives d'utilisation de
115 -Ce programme ne gère pas le "groupe wheel" utilisé pour restreindre
118 -au compte Super-Utilisateur, car il pourrait aider des administrateurs
119 -système fascistes à disposer d'un pouvoir incontrôlé
120 -sur les autres utilisateurs.
123 .I "\-c COMMANDE, \-\-command=COMMANDE"
126 Afficher un numéro de version sur la sortie standard et se terminer normalement.
128 -.SH Pourquoi GNU SU ne gère-t-il pas le groupe `wheel' (par Richard Stallman)
129 -Il peut arriver qu'un petit groupe d'utilisateurs essayent de s'approprier
130 -l'ensemble du système. Par exemple, en 1984, quelques utilisateurs du
131 -laboratoire d'I.A du MIT ont tentés de prendre le pouvoir en modifiant
132 -le mot de passe de l'opérateur sur le système Twenex, et en
133 -gardant ce mot de passe secret. (J'ai pu les en empêcher en modifiant le noyau, et
134 -restaurer ainsi les autres accès, mais je ne saurais pas en faire autant
137 -Néanmoins, il arrive parfois que les chefs fournissent le mot
138 -de passe de root à un utilisateur ordinaire.
139 -Avec le mécanisme habituel de \fBsu\fP,
140 -une fois que quelqu'un connaît ce mot de passe, il peut le transmettre
141 -à ses amis. Le principe du "groupe wheel" rend ce partage impossible,
142 -ce qui renforce la puissance des chefs.
144 -Je me situe du cote du peuple, pas du côté des chefs. Si vous avez l'habitude
145 -de soutenir les patrons et les administrateurs systèmes quoi qu'ils fassent,
146 -cette idée peut vous paraître étrange au premier abord.
149 Christophe Blaess, 1997-2003.
150 diff -Nur coreutils-5.2.1.orig/man/hu/su.1 coreutils-5.2.1/man/hu/su.1
151 --- coreutils-5.2.1.orig/man/hu/su.1 Sun Jul 9 14:19:12 2000
152 +++ coreutils-5.2.1/man/hu/su.1 Thu Mar 18 17:05:55 2004
155 A program verziójáról ír ki információt a standard kimenetre, majd
156 sikeres visszatérési értékkel kilép.
157 -.SH Miért nem támogatja a GNU su a wheel csoportot? (Richard Stallman)
159 -Néha a rendszer fölötti teljes ellenõrzést egy néhány emberbõl
160 -álló csoport akarja kézbe venni. Például 1984-ben pár user a MIT AI
161 -laborban úgy döntött, hogy átveszik az irányítást a Twenex rendszer
162 -operátori jelszavának megváltoztatásával, és annak titokban tartásával.
163 -(A puccsot sikerült leverni, és a felhasználókat jogaikba visszahelyezni
164 -egy kernel patch segítségével, de Unix alatt ezt nem tudtam volna megcsinálni.)
165 -(A fordító megj.: a wheel csoportot ezzel a módszerrel könnyen
166 -önkényesen is leszûkíthetik a csoporttagok , így tulajdonképpen nincs sok értelme.)
168 -Néha az uralmon levõk elárulják a root jelszót. A szokásos su
169 -mechanizmus szerint, ha valaki megtudja a root jelszót, és
170 -szimpatizál a többi közönséges felhasználóval, elárulhatja nekik
171 -is. A wheel csoport ezt lehetetlenné tenné, és így bebetonozná az
172 -uralmon levõ hatalmát.
174 -Én a tömegek oldalán állok, nem az uralkodókén. Ha te mindig a
175 -fõnökök és a rendszergazdák oldalán állsz, bármit is tesznek, akkor
176 -valószínûleg furcsálni fogod ezt a hozzáállást.
178 -A fordító megjegyzése:
179 -Valami jó azért mégis lenne a wheel csoportban: az, hogy ha a root
180 -jelszó kitudódna azzal nem tudna bármelyik felhasználó közvetlenül
181 -visszaélni. A wheel csoporthoz hasonló dolgot lehet elérni a
185 A hibákat a bug-sh-utils@gnu.org címen lehet jelenteni.
186 Az oldalt Ragnar Hojland Espinosa <ragnar@macula.net> frissítette.
187 diff -Nur coreutils-5.2.1.orig/man/it/su.1 coreutils-5.2.1/man/it/su.1
188 --- coreutils-5.2.1.orig/man/it/su.1 Mon Jul 1 23:09:38 2002
189 +++ coreutils-5.2.1/man/it/su.1 Thu Mar 18 17:05:55 2004
192 può essere compilato per riportare tramite syslog gli errori, ed
193 eventualmente anche i successi che ottiene.
195 -Questo programma non supporta un "gruppo wheel" che limita chi può fare
197 -agli account del superuser, poiché ciò può aiutare amministratori di
198 -sistema "fascisti" a tenere un potere inautorizzato sugli altri utenti.
201 .I "\-c COMANDO, \-\-command=COMANDO"
204 Stampa in standard output informazioni sulla versione e esce (con
206 -.SH Perché GNU su non supporta il gruppo wheel (di Richard Stallman)
207 -Qualche volta pochi utenti provano a tenere il potere assoluto sul
208 -resto degli utenti. Per esempio, nel 1984, alcuni utenti nel
209 -laboratorio di AI del MIT decisero impossessarsi del potere cambiando
210 -la password dell'operatore su un sistema Twenex e tenendola segreta a
211 -tutti gli altri (fui in grado di contrastare questo colpaccio e
212 -restituire il potere agli utenti ``patch-ando'' il kernel, ma non
213 -saprei come fare ciò in Unix).
215 -Comunque, occasionalmente i sovrani lo fanno. Tramite l'usuale
216 -meccanismo su, una volta che qualcuno che simpatizzi con gli
217 -utenti normali, abbia imparato la password di root può dirla anche
218 -agli altri. La caratteristica del "gruppo wheel" renderebbe ciò
219 -impossibile, consolidando quindi il potere dei sovrani.
221 -Io sono dalla parte delle masse, non da quella dei sovrani. Se tu sei
222 -abituato a sostenere i capi e gli amministratori di sistema in tutto
223 -quello che fanno, potresti trovare questa idea strana all'inizio.
224 diff -Nur coreutils-5.2.1.orig/man/ja/su.1 coreutils-5.2.1/man/ja/su.1
225 --- coreutils-5.2.1.orig/man/ja/su.1 Sun Dec 14 16:06:54 2003
226 +++ coreutils-5.2.1/man/ja/su.1 Thu Mar 18 17:05:55 2004
229 ¤¬¼ºÇÔ¤·¤¿¤È¤ syslog ¤Ë¥ì¥Ý¡¼¥È¤¹¤ë¤è¤¦¤Ë¥³¥ó¥Ñ¥¤¥ë¤¹¤ë¤³¤È
230 ¤¬¤Ç¤¤ë¡ÊÀ®¸ù¤ò¥ì¥Ý¡¼¥È¤¹¤ë¤è¤¦¤Ë¤â¤Ç¤¤ë¡Ë¡£
232 -¤³¤Î¥×¥í¥°¥é¥à¤Ï "wheel group" ¤Îµ¡Ç½¡Ê
234 -¤Ë¤è¤Ã¤Æ¥¹¡¼¥Ñ¡¼¥æ¡¼¥¶¡¼¥¢¥«¥¦¥ó¥È¤Ë¤Ê¤ì¤ë¥æ¡¼¥¶¤òÀ©¸Â¤¹¤ëµ¡Ç½¡Ë¤ò¥µ¥Ý¡¼
235 -¥È¤·¤Ê¤¤¡£¤³¤ì¤ÏÀìÀ©Åª¤Ê¥·¥¹¥Æ¥à´ÉÍý¼Ô¤¬Â¾¤Î¥æ¡¼¥¶¡¼¤ËÉÔÅö¤Ê¸¢ÎϤò¿¶¤ë
236 -¤¨¤Ê¤¤¤è¤¦¤Ë¤¹¤ë¤¿¤á¤Ç¤¢¤ë¡£
239 .I "\-c COMMAND, \-\-command=COMMAND"
243 ¥Ð¡¼¥¸¥ç¥ó¾ðÊó¤òɸ½à½ÐÎϤËɽ¼¨¤·¡¢¼Â¹ÔÀ®¸ù¤òÊÖ¤·¤Æ½ªÎ»¤¹¤ë¡£
244 -.SH GNU su ¤Ç wheel ¥°¥ë¡¼¥×¤ò¥µ¥Ý¡¼¥È¤·¤Ê¤¤¤ï¤±¡ÊRichard Stallman¡Ë
245 -¤È¤¤ª¤ê¡¢¾¯¿ô¤Î¥æ¡¼¥¶¡¼¤Ë¤è¤Ã¤Æ¡¢Â¾¤Î¥æ¡¼¥¶¡¼¤ËÂФ¹¤ëÁ´¸¢¤ò¾¸°®¤·¤è¤¦
246 -¤È¤¹¤ë»î¤ß¤¬¤Ê¤µ¤ì¤ë¤³¤È¤¬¤¢¤ë¡£Î㤨¤Ð 1984 ǯ¡¢ MIT AI ¥é¥Ü¤Î¾¯¿ô¤Î¥æ¡¼
247 -¥¶¡¼¤Ï Twenex ¥·¥¹¥Æ¥à¤Î¥ª¥Ú¥ì¡¼¥¿¡¼¥Ñ¥¹¥ï¡¼¥É¤ÎÊѹ¹¸¢¸Â¤ò¶¯Ã¥¤·¡¢¤³¤ì
248 -¤ò¾¤Î¥æ¡¼¥¶¡¼¤«¤éÈëÆ¿¤¹¤ë¤³¤È¤Ë·èÄꤷ¤¿¡Ê¤³¤ÎºÝ¤Ë¤Ï»ä¤Ï¤³¤Î¥¯¡¼¥Ç¥¿¡¼
249 -¤Î΢¤ò¤«¤¡¢¥«¡¼¥Í¥ë¤Ë¥Ñ¥Ã¥Á¤òÅö¤Æ¤Æ¸¢¸Â¤ò¼è¤êÊÖ¤¹¤³¤È¤ËÀ®¸ù¤·¤¿¡£¤·¤«
250 -¤·¤³¤ì¤¬ Unix ¤Ç¤¢¤Ã¤¿¤é¡¢»ä¤Ë¤Ï¤É¤¦¤¹¤ì¤Ð¤è¤¤¤«¤ï¤«¤é¤Ê¤«¤Ã¤¿¤À¤í¤¦¡Ë¡£
252 -¤·¤«¤·¤Ê¤¬¤é¡¢»þ¤Ë¤ÏÀìÀ©¼Ô¤âÈëÌ©¤òϳ¤é¤¹¤â¤Î¤Ç¤¢¤ë¡£Ä̾ï¤Î su ¤Î¥á¥«¥Ë
253 -¥º¥à¤Ç¤Ï¡¢°ìÈ̥桼¥¶¡¼¤Î¦¤ËΩ¤Ä¼Ô¤¬ root ¤Î¥Ñ¥¹¥ï¡¼¥É¤òÃΤì¤Ð¡¢¤³¤ì¤ò
254 -¾¤Î¥æ¡¼¥¶¡¼¤Ë¤âÃΤ餻¤ë¤³¤È¤¬¤Ç¤¤ë¡£¤·¤«¤· "wheel group" µ¡Ç½¤Ï¤³¤ì
255 -¤òÉÔ²Äǽ¤Ë¤·¡¢·ë²Ì¤È¤·¤ÆÀìÀ©¼Ôã¤Î¸¢¸Â¤ò¶¯¸Ç¤¿¤ë¤â¤Î¤Ë¤·¤Æ¤·¤Þ¤¦¡£
257 -»ä¤ÏÂç½°¤Î¦¤ËΩ¤Ä¤â¤Î¤Ç¤¢¤ê¡¢ÀìÀ©Åª¤ÊΩ¾ì¤Ë¤ÏÈ¿ÂФ¹¤ë¡£¤¢¤Ê¤¿¤Ï¥Ü¥¹¤ä
258 -¥·¥¹¥Æ¥à´ÉÍý¼Ô¤Î¤ä¤ê¸ý¤Ë½¾¤¦¤³¤È¤Ë´·¤ì¤Æ¤¤¤ë¤«¤âÃΤì¤Ê¤¤¤¬¡¢¤½¤Î¾ì¹ç¤Ï
259 -¤Þ¤º¤½¤Î¤³¤È¼«¿È¤òÉԻ׵Ĥ˻פ¦¤Ù¤¤Ç¤Ï¤Ê¤¤¤À¤í¤¦¤«¡£
260 diff -Nur coreutils-5.2.1.orig/man/pl/su.1 coreutils-5.2.1/man/pl/su.1
261 --- coreutils-5.2.1.orig/man/pl/su.1 Tue Jun 20 16:07:31 2000
262 +++ coreutils-5.2.1/man/pl/su.1 Thu Mar 18 17:05:55 2004
264 mo¿e zostaæ tak skompilowane, by raportowa³o nieudane, lub opcjonalnie
265 równie¿ udane próby zmiany id przy u¿yciu
267 -Jednak \fBsu\fP w wersji GNU nie sprawdza czy u¿ytkownik jest cz³onkiem grupy
268 -`wheel' -- patrz poni¿ej.
271 .BR \-c " \fIpolecenie\fP, " \-\-command= \fIpolecenie
275 Wy¶wietla numer wersji programu i koñczy pracê.
276 -.SH Dlaczego GNU `su' nie obs³uguje grupy `wheel'
278 -(Sekcjê tê napisa³ Richard Stallman)
280 -Czasami kilku u¿ytkowników usi³uje sprawowaæ nieograniczon± w³adzê nad
281 -pozosta³ymi. Na przyk³ad, w 1984, kilku u¿ytkowników w laboratorium AI MIT
282 -zdecydowa³o siê `przej±æ w³adzê' zmieniaj±c has³o operatora systemu Twenex
283 -i trzymaj±c je w tajemnicy przed wszystkimi innymi. (Uda³o mi siê
284 -udaremniæ ten zamach i przywróciæ w³adzê u¿ytkownikom ³ataj±c j±dro, lecz
285 -nie wiedzia³bym jak zrobiæ to w Uniksie.)
287 -Jednak, od czasu do czasu panuj±cy wyjawiaj± komu¶. Przy zwyk³ym
288 -mechanizmie `su', kto¶, kto pozna³ has³o root'a i sympatyzuje ze zwyk³ymi
289 -u¿ytkownikami, mo¿e przekazaæ je pozosta³ym. Funkcja "grupy wheel"
290 -uniemo¿liwia³aby to, i w ten sposób umacnia³a w³adzê rz±dz±cych.
292 -Jestem po stronie mas, nie po stronie rz±dz±cych. Je¿eli zwyk³e¶ popieraæ
293 -szefów i administratorów systemów we wszystkim, co robi±, podej¶cie to mo¿e
294 -pocz±tkowo wydaæ Ci siê dziwne.
295 .SH "ZG£ASZANIE B£ÊDÓW"
296 B³êdy proszê zg³aszaæ, w jêz.ang., do <bug-sh-utils@gnu.org>.
298 --- coreutils-6.3/po/pl.po.orig 2006-09-30 11:11:04.000000000 +0200
299 +++ coreutils-6.3/po/pl.po 2006-10-10 22:07:14.416124000 +0200
300 @@ -8149,6 +8149,41 @@
301 msgid "Usage: %s [OPTION]... [-] [USER [ARG]...]\n"
302 msgstr "Sk³adnia: %s [OPCJA]... [-] [U¯YTKOWNIK [ARGUMENT]...]\n"
305 +msgid "could not open session\n"
306 +msgstr "nie mo¿na otworzyæ sesji\n"
309 +msgid "error copying PAM environment\n"
310 +msgstr "b³±d podczas kopiowania ¶rodowiska PAM\n"
314 +msgid "cannot fork user shell: %s"
315 +msgstr "nie mo¿na utworzyæ procesu pow³oki u¿ytkownika: %s"
319 +msgid "%s: signal malfunction\n"
320 +msgstr "%s: b³êdne dzia³anie sygna³ów\n"
324 +msgid "%s: signal masking malfunction\n"
325 +msgstr "%s: b³êdne dzia³anie maskowania sygna³ów\n"
330 +"Session terminated, killing shell..."
333 +"Sesja zakoñczona, zabijanie pow³oki..."
342 diff -Nur coreutils-5.2.1.orig/src/Makefile.am coreutils-5.2.1/src/Makefile.am
343 --- coreutils-5.2.1.orig/src/Makefile.am Mon Feb 2 09:12:57 2004
344 +++ coreutils-5.2.1/src/Makefile.am Thu Mar 18 17:08:45 2004
347 uptime_LDADD = $(LDADD) $(GETLOADAVG_LIBS)
349 -su_LDADD = $(LDADD) $(LIB_CRYPT)
350 +su_LDADD = $(LDADD) $(LIB_CRYPT) $(LIB_PAM)
352 $(PROGRAMS): ../lib/libfetish.a
354 --- coreutils-6.3/src/su.c.orig 2006-09-03 08:38:55.000000000 +0200
355 +++ coreutils-6.3/src/su.c 2006-10-10 22:05:23.661202250 +0200
357 restricts who can su to UID 0 accounts. RMS considers that to
362 + Actually, with PAM, su has nothing to do with whether or not a
363 + wheel group is enforced by su. RMS tries to restrict your access
364 + to a su which implements the wheel group, but PAM considers that
365 + to be fascist, and gives the user/sysadmin the opportunity to
366 + enforce a wheel group by proper editing of /etc/pam.conf
370 Compile-time options:
371 -DSYSLOG_SUCCESS Log successful su's (by default, to root) with syslog.
372 -DSYSLOG_FAILURE Log failed su's (by default, to root) with syslog.
374 prototype (returning `int') in <unistd.h>. */
375 #define getusershell _getusershell_sys_proto_
378 +# include <security/pam_appl.h>
379 +# include <security/pam_misc.h>
380 +# include <signal.h>
381 +# include <sys/wait.h>
382 +# include <sys/fsuid.h>
383 +#endif /* USE_PAM */
388 @@ -119,14 +137,16 @@
389 /* The user to become if none is specified. */
390 #define DEFAULT_USER "root"
395 char *getusershell ();
396 void endusershell ();
397 void setusershell ();
399 extern char **environ;
401 -static void run_shell (char const *, char const *, char **, size_t)
402 +static void run_shell (char const *, char const *, char **, size_t, const struct passwd *)
405 /* The name this program was run with. */
411 +static pam_handle_t *pamh = NULL;
413 +static struct pam_conv conv = {
418 +#define PAM_BAIL_P if (retval) { \
419 + pam_end(pamh, PAM_SUCCESS); \
424 /* Ask the user for a password.
425 + If PAM is in use, let PAM ask for the password if necessary.
426 Return true if the user gives the correct password for entry PW,
427 false if not. Return true without asking for a password if run by UID 0
428 or if PW has an empty password. */
431 correct_password (const struct passwd *pw)
434 + /* root always succeeds; this isn't an authentication question (no
435 + * extra privs are being granted) so it shouldn't authenticate with PAM.
436 + * However, we want to create the pam_handle so that proper credentials
437 + * are created later with pam_setcred(). */
438 + retval = pam_start(PROGRAM_NAME, pw->pw_name, &conv, &pamh);
441 + retval = pam_authenticate(pamh, 0);
444 + retval = pam_acct_mgmt(pamh, 0);
445 + if (retval == PAM_NEW_AUTHTOK_REQD) {
446 + /* password has expired. Offer option to change it. */
448 + retval = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
450 + } else retval = PAM_SUCCESS;
453 + /* must be authenticated if this point was reached */
455 +#else /* !USE_PAM */
456 char *unencrypted, *encrypted, *correct;
457 #if HAVE_GETSPNAM && HAVE_STRUCT_SPWD_SP_PWDP
458 /* Shadow passwd stuff for SVR3 and maybe other systems. */
460 encrypted = crypt (unencrypted, correct);
461 memset (unencrypted, 0, strlen (unencrypted));
462 return STREQ (encrypted, correct);
463 +#endif /* !USE_PAM */
466 /* Update `environ' for the new shell based on PW, with SHELL being
467 @@ -258,15 +317,20 @@
471 - /* Leave TERM unchanged. Set HOME, SHELL, USER, LOGNAME, PATH.
472 + /* Leave TERM, DISPLAY unchanged. Set HOME, SHELL, USER, LOGNAME, PATH.
473 Unset all other environment variables. */
474 char const *term = getenv ("TERM");
475 + char const *display = getenv ("DISPLAY");
477 term = xstrdup (term);
478 - environ = xmalloc ((6 + !!term) * sizeof (char *));
480 + display = xstrdup (display);
481 + environ = xmalloc ((6 + !!term + !!display) * sizeof (char *));
484 xsetenv ("TERM", term);
486 + xsetenv ("DISPLAY", display);
487 xsetenv ("HOME", pw->pw_dir);
488 xsetenv ("SHELL", shell);
489 xsetenv ("USER", pw->pw_name);
490 @@ -303,12 +367,41 @@
491 error (EXIT_FAIL, errno, _("cannot set groups"));
495 + retval = pam_setcred(pamh, PAM_ESTABLISH_CRED);
496 + if (retval != PAM_SUCCESS)
497 + error (1, 0, pam_strerror(pamh, retval));
498 +#endif /* USE_PAM */
499 if (setgid (pw->pw_gid))
500 error (EXIT_FAIL, errno, _("cannot set group id"));
501 if (setuid (pw->pw_uid))
502 error (EXIT_FAIL, errno, _("cannot set user id"));
506 +static int caught=0;
507 +/* Signal handler for parent process later */
508 +static void su_catch_sig(int sig)
514 +pam_copyenv (pam_handle_t *pamh)
518 + env = pam_getenvlist(pamh);
521 + if (putenv (*env) != 0) xalloc_die ();
529 /* Run SHELL, or DEFAULT_SHELL if SHELL is empty.
530 If COMMAND is nonzero, pass it to the shell with the -c option.
531 Pass ADDITIONAL_ARGS to the shell as more arguments; there
532 @@ -316,12 +409,34 @@
535 run_shell (char const *shell, char const *command, char **additional_args,
536 - size_t n_additional_args)
537 + size_t n_additional_args, const struct passwd *pw)
539 size_t n_args = 1 + fast_startup + 2 * !!command + n_additional_args + 1;
540 char const **args = xnmalloc (n_args, sizeof *args);
548 + retval = pam_open_session(pamh,0);
549 + if (retval != PAM_SUCCESS) {
550 + fprintf (stderr, _("could not open session\n"));
554 +/* do this at the last possible moment, because environment variables may
555 + be passed even in the session phase
557 + if(pam_copyenv(pamh) != PAM_SUCCESS)
558 + fprintf (stderr, _("error copying PAM environment\n"));
561 + if (child == 0) { /* child shell */
562 + change_identity (pw);
569 error (0, errno, "%s", shell);
573 + } else if (child == -1) {
574 + fprintf(stderr, _("cannot fork user shell: %s"), strerror(errno));
578 + sigfillset(&ourset);
579 + if (sigprocmask(SIG_BLOCK, &ourset, NULL)) {
580 + fprintf(stderr, _("%s: signal malfunction\n"), PROGRAM_NAME);
584 + struct sigaction action;
585 + action.sa_handler = su_catch_sig;
586 + sigemptyset(&action.sa_mask);
587 + action.sa_flags = 0;
588 + sigemptyset(&ourset);
589 + if (sigaddset(&ourset, SIGTERM)
590 + || sigaddset(&ourset, SIGALRM)
591 + || sigaction(SIGTERM, &action, NULL)
592 + || sigprocmask(SIG_UNBLOCK, &ourset, NULL)) {
593 + fprintf(stderr, _("%s: signal masking malfunction\n"), PROGRAM_NAME);
601 + pid = waitpid(-1, &status, WUNTRACED);
603 + if (WIFSTOPPED(status)) {
604 + kill(getpid(), SIGSTOP);
605 + /* once we get here, we must have resumed */
606 + kill(pid, SIGCONT);
608 + } while (WIFSTOPPED(status));
612 + fprintf(stderr, _("\nSession terminated, killing shell..."));
613 + kill (child, SIGTERM);
615 + retval = pam_close_session(pamh, 0);
617 + retval = pam_end(pamh, PAM_SUCCESS);
621 + kill(child, SIGKILL);
622 + fprintf(stderr, _(" killed.\n"));
625 + exit (WEXITSTATUS(status));
626 +#endif /* USE_PAM */
629 /* Return true if SHELL is a restricted shell (one not returned by
631 shell = xstrdup (shell ? shell : pw->pw_shell);
632 modify_environment (pw, shell);
635 + setfsgid(pw->pw_gid);
636 + setfsuid(pw->pw_uid);
638 change_identity (pw);
640 if (simulate_login && chdir (pw->pw_dir) != 0)
641 error (0, errno, _("warning: cannot change directory to %s"), pw->pw_dir);
643 - run_shell (shell, command, argv + optind, MAX (0, argc - optind));
644 + run_shell (shell, command, argv + optind, MAX (0, argc - optind), pw);