From 3a32e1e6e644c6092f48cf6b6f2d0b8635b3dd52 Mon Sep 17 00:00:00 2001

From: Nalin Dahyabhai <nalin@redhat.com>

Date: Wed, 30 Jul 2014 17:12:31 -0400

Subject: [PATCH] In ksu, without the -e flag, also check .k5users

When ksu was explicitly told to spawn a shell, a line in .k5users which

listed "*" as the allowed command would cause the principal named on the

line to be considered as a candidate for authentication.

When ksu was not passed a command to run, which implicitly meant that

the invoking user wanted to run the target user's login shell, knowledge

that the principal was a valid candidate was ignored, which could cause

a less optimal choice of the default target principal.

This doesn't impact the authorization checks which we perform later.

ticket: 7983 (new)

---

 src/clients/ksu/heuristic.c | 19 ++++++-------------

 1 file changed, 6 insertions(+), 13 deletions(-)

diff --git a/src/clients/ksu/heuristic.c b/src/clients/ksu/heuristic.c

index c7e691c..99b54e5 100644

--- a/src/clients/ksu/heuristic.c

+++ b/src/clients/ksu/heuristic.c

@@ -264,20 +264,13 @@ get_authorized_princ_names(luser, cmd, princ_list)

     close_time(k5users_flag,users_fp, k5login_flag, login_fp);

-    if (cmd) {

-        retval = list_union(k5login_list, k5users_filt_list, &combined_list);

-        if (retval){

-            close_time(k5users_flag,users_fp, k5login_flag,login_fp);

-            return retval;

-        }

-        *princ_list = combined_list;

-        return 0;

-    } else {

-        if (k5users_filt_list != NULL)

-            free(k5users_filt_list);

-        *princ_list = k5login_list;

-        return 0;

+    retval = list_union(k5login_list, k5users_filt_list, &combined_list);

+    if (retval){

+        close_time(k5users_flag,users_fp, k5login_flag,login_fp);

+        return retval;

     }

+    *princ_list = combined_list;

+    return 0;

 }

 static void close_time(k5users_flag, users_fp, k5login_flag, login_fp)