From 3a32e1e6e644c6092f48cf6b6f2d0b8635b3dd52 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai <nalin@redhat.com>
Date: Wed, 30 Jul 2014 17:12:31 -0400
Subject: [PATCH] In ksu, without the -e flag, also check .k5users

When ksu was explicitly told to spawn a shell, a line in .k5users which
listed "*" as the allowed command would cause the principal named on the
line to be considered as a candidate for authentication.

When ksu was not passed a command to run, which implicitly meant that
the invoking user wanted to run the target user's login shell, knowledge
that the principal was a valid candidate was ignored, which could cause
a less optimal choice of the default target principal.

This doesn't impact the authorization checks which we perform later.

ticket: 7983 (new)
---
 src/clients/ksu/heuristic.c | 19 ++++++-------------
 1 file changed, 6 insertions(+), 13 deletions(-)

diff --git a/src/clients/ksu/heuristic.c b/src/clients/ksu/heuristic.c
index c7e691c..99b54e5 100644
--- a/src/clients/ksu/heuristic.c
+++ b/src/clients/ksu/heuristic.c
@@ -264,20 +264,13 @@ get_authorized_princ_names(luser, cmd, princ_list)
 
     close_time(k5users_flag,users_fp, k5login_flag, login_fp);
 
-    if (cmd) {
-        retval = list_union(k5login_list, k5users_filt_list, &combined_list);
-        if (retval){
-            close_time(k5users_flag,users_fp, k5login_flag,login_fp);
-            return retval;
-        }
-        *princ_list = combined_list;
-        return 0;
-    } else {
-        if (k5users_filt_list != NULL)
-            free(k5users_filt_list);
-        *princ_list = k5login_list;
-        return 0;
+    retval = list_union(k5login_list, k5users_filt_list, &combined_list);
+    if (retval){
+        close_time(k5users_flag,users_fp, k5login_flag,login_fp);
+        return retval;
     }
+    *princ_list = combined_list;
+    return 0;
 }
 
 static void close_time(k5users_flag, users_fp, k5login_flag, login_fp)