1 diff -Nur sh-utils-2.0.12.orig/configure.ac sh-utils-2.0.12/configure.ac
2 --- sh-utils-2.0.12.orig/configure.ac Sun Apr 28 11:29:18 2002
3 +++ sh-utils-2.0.12/configure.ac Mon May 27 23:10:36 2002
6 AM_INIT_AUTOMAKE([1.6b gnits dist-bzip2])
8 +dnl Give the chance to enable PAM
9 +AC_ARG_ENABLE(pam, dnl
10 +[ --enable-pam Enable use of the PAM libraries],
11 +AC_DEFINE(USE_PAM,,[Use PAM?])
12 +LIB_PAM="-ldl -lpam -lpam_misc"
20 AM_GNU_GETTEXT([external])
22 +# just in case we want PAM
24 +# with PAM su doesn't need libcrypt
25 +if test -n "$LIB_PAM" ; then
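Review bot: The action-if-given of `AC_ARG_ENABLE(pam, ...)` runs for `--disable-pam` just as it does for `--enable-pam`, so `AC_DEFINE(USE_PAM,,[Use PAM?])` and `LIB_PAM="-ldl -lpam -lpam_misc"` take effect whenever the option is mentioned at all, and the later `if test -n "$LIB_PAM"` test keys off the same variable. Wrap the two actions as `[if test "x$enableval" = xyes; then` … `fi]` so that explicitly disabling PAM leaves the non-PAM authentication path in place. No `AC_CHECK_LIB` or header check for libpam is visible on this page, so a `--enable-pam` build on a host without the PAM headers fails only when su.c is compiled; a configure-time check would report that earlier. The hunk's `@@` header is elided on this page, so its exact extent is not visible.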
32 diff -Nur sh-utils-2.0.12.orig/doc/coreutils.texi sh-utils-2.0.12/doc/coreutils.texi
33 --- sh-utils-2.0.12.orig/doc/coreutils.texi Sun Apr 28 23:55:31 2002
34 +++ sh-utils-2.0.12/doc/coreutils.texi Mon May 27 23:11:49 2002
35 @@ -10898,32 +10898,6 @@
39 -@cindex wheel group, not supported
40 -@cindex group wheel, not supported
42 -@heading Why GNU @command{su} does not support the @samp{wheel} group
44 -(This section is by Richard Stallman.)
48 -Sometimes a few of the users try to hold total power over all the
49 -rest. For example, in 1984, a few users at the MIT AI lab decided to
50 -seize power by changing the operator password on the Twenex system and
51 -keeping it secret from everyone else. (I was able to thwart this coup
52 -and give power back to the users by patching the kernel, but I
53 -wouldn't know how to do that in Unix.)
55 -However, occasionally the rulers do tell someone. Under the usual
56 -@command{su} mechanism, once someone learns the root password who
57 -sympathizes with the ordinary users, he or she can tell the rest. The
58 -``wheel group'' feature would make this impossible, and thus cement the
61 -I'm on the side of the masses, not that of the rulers. If you are
62 -used to supporting the bosses and sysadmins in whatever they do, you
63 -might find this idea strange at first.
67 @chapter Process control
68 diff -Nur sh-utils-2.0.12.orig/src/Makefile.am sh-utils-2.0.12/src/Makefile.am
69 --- sh-utils-2.0.12.orig/src/Makefile.am Mon May 27 23:06:24 2002
70 +++ sh-utils-2.0.12/src/Makefile.am Mon May 27 23:09:22 2002
73 uptime_LDADD = $(LDADD) @GETLOADAVG_LIBS@
75 -su_LDADD = $(LDADD) @LIB_CRYPT@
76 +su_LDADD = $(LDADD) @LIB_CRYPT@ @LIB_PAM@
78 $(PROGRAMS): ../lib/libfetish.a
80 diff -Nur sh-utils-2.0.12.orig/src/su.c sh-utils-2.0.12/src/su.c
81 --- sh-utils-2.0.12.orig/src/su.c Mon May 27 23:06:24 2002
82 +++ sh-utils-2.0.12/src/su.c Mon May 27 23:08:28 2002
84 restricts who can su to UID 0 accounts. RMS considers that to
89 + Actually, with PAM, su has nothing to do with whether or not a
90 + wheel group is enforced by su. RMS tries to restrict your access
91 + to a su which implements the wheel group, but PAM considers that
92 + to be fascist, and gives the user/sysadmin the opportunity to
93 + enforce a wheel group by proper editing of /etc/pam.conf
98 -, -l, --login Make the subshell a login shell.
99 Unset all environment variables except
101 prototype (returning `int') in <unistd.h>. */
102 #define getusershell _getusershell_sys_proto_
105 +# include <security/pam_appl.h>
106 +# include <security/pam_misc.h>
107 +# include <signal.h>
108 +# include <sys/wait.h>
109 +# include <sys/fsuid.h>
110 +#endif /* USE_PAM */
113 #include "closeout.h"
116 /* The user to become if none is specified. */
117 #define DEFAULT_USER "root"
123 char *getusershell ();
124 void endusershell ();
127 extern char **environ;
129 -static void run_shell (const char *, const char *, char **)
130 +static void run_shell (const char *, const char *, char **, const struct passwd *)
133 /* The name this program was run with. */
139 +static pam_handle_t *pamh = NULL;
141 +static struct pam_conv conv = {
146 +#define PAM_BAIL_P if (retval) { \
147 + pam_end(pamh, PAM_SUCCESS); \
152 /* Ask the user for a password.
153 + If PAM is in use, let PAM ask for the password if necessary.
154 Return 1 if the user gives the correct password for entry PW,
155 0 if not. Return 1 without asking for a password if run by UID 0
156 or if PW has an empty password. */
159 correct_password (const struct passwd *pw)
162 + /* root always succeeds; this isn't an authentication question (no
163 + * extra privs are being granted) so it shouldn't authenticate with PAM.
164 + * However, we want to create the pam_handle so that proper credentials
165 + * are created later with pam_setcred(). */
166 + retval = pam_start(PROGRAM_NAME, pw->pw_name, &conv, &pamh);
169 + retval = pam_authenticate(pamh, 0);
172 + retval = pam_acct_mgmt(pamh, 0);
173 + if (retval == PAM_NEW_AUTHTOK_REQD) {
174 + /* password has expired. Offer option to change it. */
176 + retval = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
178 + } else retval = PAM_SUCCESS;
181 + /* must be authenticated if this point was reached */
183 +#else /* !USE_PAM */
184 char *unencrypted, *encrypted, *correct;
185 #if HAVE_GETSPNAM && HAVE_STRUCT_SPWD_SP_PWDP
186 /* Shadow passwd stuff for SVR3 and maybe other systems. */
188 encrypted = crypt (unencrypted, correct);
189 memset (unencrypted, 0, strlen (unencrypted));
190 return strcmp (encrypted, correct) == 0;
191 +#endif /* !USE_PAM */
194 /* Update `environ' for the new shell based on PW, with SHELL being
195 @@ -313,16 +372,20 @@
196 modify_environment (const struct passwd *pw, const char *shell)
203 - /* Leave TERM unchanged. Set HOME, SHELL, USER, LOGNAME, PATH.
204 + /* Leave TERM, DISPLAY unchanged. Set HOME, SHELL, USER, LOGNAME, PATH.
205 Unset all other environment variables. */
206 term = getenv ("TERM");
207 + display = getenv ("DISPLAY");
208 environ = (char **) xmalloc (2 * sizeof (char *));
211 xputenv (concat ("TERM", "=", term));
213 + xputenv (concat ("DISPLAY", "=", display));
214 xputenv (concat ("HOME", "=", pw->pw_dir));
215 xputenv (concat ("SHELL", "=", shell));
216 xputenv (concat ("USER", "=", pw->pw_name));
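Review bot: `xputenv (concat ("DISPLAY", "=", display))` is fed whatever `getenv ("DISPLAY")` returned, which is NULL when the variable is unset; line 212 is elided on this page, so if it is not an `if (display)` guard mirroring the one the TERM line presumably has, concat() is handed a null pointer. The updated comment `Leave TERM, DISPLAY unchanged.` documents the new pass-through, but as far as this page shows neither the `--help` text nor the manual is updated to say that DISPLAY now survives `su`, which is where a user would look for which variables are kept. modify_environment's body begins before this hunk.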
217 @@ -359,23 +422,73 @@
218 error (EXIT_FAILURE, errno, _("cannot set groups"));
222 + retval = pam_setcred(pamh, PAM_ESTABLISH_CRED);
223 + if (retval != PAM_SUCCESS)
224 + error (1, 0, pam_strerror(pamh, retval));
225 +#endif /* USE_PAM */
226 if (setgid (pw->pw_gid))
227 error (EXIT_FAILURE, errno, _("cannot set group id"));
228 if (setuid (pw->pw_uid))
229 error (EXIT_FAILURE, errno, _("cannot set user id"));
233 +static int caught=0;
234 +/* Signal handler for parent process later */
235 +static void su_catch_sig(int sig)
241 +pam_copyenv (pam_handle_t *pamh)
245 + env = pam_getenvlist(pamh);
256 /* Run SHELL, or DEFAULT_SHELL if SHELL is empty.
257 If COMMAND is nonzero, pass it to the shell with the -c option.
258 If ADDITIONAL_ARGS is nonzero, pass it to the shell as more
262 -run_shell (const char *shell, const char *command, char **additional_args)
263 +run_shell (const char *shell, const char *command, char **additional_args, const struct passwd *pw)
272 + retval = pam_open_session(pamh,0);
273 + if (retval != PAM_SUCCESS) {
274 + fprintf (stderr, _("could not open session\n"));
278 +/* do this at the last possible moment, because environment variables may
279 + be passed even in the session phase
281 + if(pam_copyenv(pamh) != PAM_SUCCESS)
282 + fprintf (stderr, _("error copying PAM environment\n"));
285 + if (child == 0) { /* child shell */
286 + change_identity (pw);
290 args = (const char **) xmalloc (sizeof (char *)
291 * (10 + elements (additional_args)));
293 error (0, errno, "%s", shell);
297 + } else if (child == -1) {
298 + fprintf(stderr, _("cannot fork user shell: %s"), strerror(errno));
302 + sigfillset(&ourset);
303 + if (sigprocmask(SIG_BLOCK, &ourset, NULL)) {
304 + fprintf(stderr, _("%s: signal malfunction\n"), PROGRAM_NAME);
308 + struct sigaction action;
309 + action.sa_handler = su_catch_sig;
310 + sigemptyset(&action.sa_mask);
311 + action.sa_flags = 0;
312 + sigemptyset(&ourset);
313 + if (sigaddset(&ourset, SIGTERM)
314 + || sigaddset(&ourset, SIGALRM)
315 + || sigaction(SIGTERM, &action, NULL)
316 + || sigprocmask(SIG_UNBLOCK, &ourset, NULL)) {
317 + fprintf(stderr, _("%s: signal masking malfunction\n"), PROGRAM_NAME);
325 + pid = waitpid(-1, &status, WUNTRACED);
327 + if (WIFSTOPPED(status)) {
328 + kill(getpid(), SIGSTOP);
329 + /* once we get here, we must have resumed */
330 + kill(pid, SIGCONT);
332 + } while (WIFSTOPPED(status));
336 + fprintf(stderr, _("\nSession terminated, killing shell..."));
337 + kill (child, SIGTERM);
339 + retval = pam_close_session(pamh, 0);
341 + retval = pam_end(pamh, PAM_SUCCESS);
345 + kill(child, SIGKILL);
346 + fprintf(stderr, _(" killed.\n"));
349 + exit (WEXITSTATUS(status));
350 +#endif /* USE_PAM */
353 /* Return 1 if SHELL is a restricted shell (one not returned by
356 modify_environment (pw, shell);
360 + setfsuid(pw->pw_uid);
362 change_identity (pw);
364 if (simulate_login && chdir (pw->pw_dir))
365 error (0, errno, _("warning: cannot change directory to %s"), pw->pw_dir);
367 - run_shell (shell, command, additional_args);
368 + run_shell (shell, command, additional_args, pw);
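Review bot: `error (1, 0, pam_strerror(pamh, retval))` in change_identity passes a non-literal string as error()'s format argument; write it `error (EXIT_FAILURE, 0, "%s", pam_strerror (pamh, retval));` in the style of the surrounding `_("cannot set group id")` calls. In run_shell's wait loop, `pid = waitpid(-1, &status, WUNTRACED)` returns -1 on EINTR (the SIGTERM/SIGALRM handler installed just above makes that likely) and leaves `status` as it was, yet the next line tests `WIFSTOPPED(status)` and `kill(pid, SIGCONT)` would then be `kill(-1, SIGCONT)`, which from a process that has not yet dropped root reaches every process it is permitted to signal; unless the elided line 326 already filters on pid, wait for the one child explicitly and guard the status test, `pid = waitpid (child, &status, WUNTRACED);` then `if (pid > 0 && WIFSTOPPED (status)) {`, with `status` initialized to 0 where it is declared. The `caught` flag written by su_catch_sig should be `static volatile sig_atomic_t caught = 0;` rather than a plain int. `pam_end(pamh, PAM_SUCCESS)` after `pam_close_session` discards that call's result, and PAM expects the last status so modules can clean up accordingly, i.e. `retval = pam_end (pamh, retval);` (the PAM_BAIL_P macro earlier in the file has the same shape). change_identity's and run_shell's bodies begin before this hunk and several of its lines are elided on this page.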
370 --- coreutils-4.5.3.orig/po/pl.po Fri Nov 1 01:55:42 2002
371 +++ coreutils-4.5.3/po/pl.po Fri Nov 1 02:11:20 2002
372 @@ -6491,6 +6491,41 @@
373 msgid "cannot set user id"
374 msgstr "nie mo¿na ustawiæ identyfikatora u¿ytkownika"
377 +msgid "could not open session\n"
378 +msgstr "nie mo¿na otworzyæ sesji\n"
381 +msgid "error copying PAM environment\n"
382 +msgstr "b³±d podczas kopiowania ¶rodowiska PAM\n"
386 +msgid "cannot fork user shell: %s"
387 +msgstr "nie mo¿na utworzyæ procesu pow³oki u¿ytkownika: %s"
391 +msgid "%s: signal malfunction\n"
392 +msgstr "%s: b³êdne dzia³anie sygna³ów\n"
396 +msgid "%s: signal masking malfunction\n"
397 +msgstr "%s: b³êdne dzia³anie maskowania sygna³ów\n"
402 +"Session terminated, killing shell..."
405 +"Sesja zakoñczona, zabijanie pow³oki..."
413 msgid "Usage: %s [OPTION]... [-] [USER [ARG]...]\n"