From 3a32e1e6e644c6092f48cf6b6f2d0b8635b3dd52 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Wed, 30 Jul 2014 17:12:31 -0400
Subject: [PATCH] In ksu, without the -e flag, also check .k5users

When ksu was explicitly told to spawn a shell, a line in .k5users which listed "*" as the allowed command would cause the principal named on the line to be considered as a candidate for authentication. When ksu was not passed a command to run, which implicitly meant that the invoking user wanted to run the target user's login shell, knowledge that the principal was a valid candidate was ignored, which could cause a less optimal choice of the default target principal. This doesn't impact the authorization checks which we perform later.

ticket: 7983 (new)
---
 src/clients/ksu/heuristic.c | 19 ++++++-------------
 1 file changed, 6 insertions(+), 13 deletions(-)

diff --git a/src/clients/ksu/heuristic.c b/src/clients/ksu/heuristic.c
index c7e691c..99b54e5 100644
--- a/src/clients/ksu/heuristic.c
+++ b/src/clients/ksu/heuristic.c
@@ -264,20 +264,13 @@ get_authorized_princ_names(luser, cmd, princ_list)
 close_time(k5users_flag,users_fp, k5login_flag, login_fp);
- if (cmd) {
- retval = list_union(k5login_list, k5users_filt_list, &combined_list);
- if (retval){
- close_time(k5users_flag,users_fp, k5login_flag,login_fp);
- return retval;
- }
- *princ_list = combined_list;
- return 0;
- } else {
- if (k5users_filt_list != NULL)
- free(k5users_filt_list);
- *princ_list = k5login_list;
- return 0;
+ retval = list_union(k5login_list, k5users_filt_list, &combined_list);
+ if (retval){
+ close_time(k5users_flag,users_fp, k5login_flag,login_fp);
+ return retval;
 }
+ *princ_list = combined_list;
+ return 0;
 }
 static void close_time(k5users_flag, users_fp, k5login_flag, login_fp)
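Review bot: The error branch after the new unconditional `list_union` call invokes `close_time(k5users_flag,users_fp, k5login_flag,login_fp);` a second time, although the context line directly above the added block has already called it with the same arguments. The body of close_time is outside the hunk, but if it closes the two streams, a list_union failure would close each of them twice, and this commit makes that path reachable when no command is given as well. Dropping the second call, so the branch reads `if (retval) return retval;`, avoids that. Since the commit message relies on authorization being checked later, a comment above the union such as `/* Builds the candidate principal list only; authorization is checked separately. */` would keep that assumption visible in the code. get_authorized_princ_names begins before the hunk, so ownership of the two input lists on the failure path cannot be judged from here.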