don't skip the PAM account check for root or the same user (more of

#477033)
2010-05-27 20:53:30 +00:00 · 2010-05-27 20:53:30 +00:00 · 17238354c3
commit 17238354c3
parent ccdc4a4228
2 changed files with 29 additions and 1 deletions
--- a/krb5-1.8-pam.patch
+++ b/krb5-1.8-pam.patch
@ -141,6 +141,33 @@ diff -up krb5-1.8/src/clients/ksu/main.c.pam krb5-1.8/src/clients/ksu/main.c
         /* Run authorization as target.*/
         if (krb5_seteuid(target_uid)) {
             com_err(prog_name, errno, "while switching to target for authorization check");
+@@ -651,6 +676,26 @@
+             sweep_up(ksu_context, cc_target);
+             exit(1);
+         }
+#ifdef USE_PAM
+    } else {
+        /* we always do PAM account management, even for root */
+        if (appl_pam_enabled(ksu_context, "ksu")) {
+            if (appl_pam_acct_mgmt(KSU_PAM_SERVICE, 1, target_user, NULL,
+                                   NULL, source_user,
+                                   ttyname(STDERR_FILENO)) != 0) {
+                fprintf(stderr, "Access denied for %s.\n", target_user);
+                sweep_up(ksu_context, cc_target);
+                exit(1);
+            }
+            if (appl_pam_requires_chauthtok()) {
+                fprintf(stderr, "Password change required for %s.\n",
+                        target_user);
+                sweep_up(ksu_context, cc_target);
+                exit(1);
+            }
+            force_fork++;
+        }
+#endif
+     }
+ 
+     if( some_rest_copy){
@@ -720,6 +745,32 @@
         exit(1);
     }
--- a/krb5.spec
+++ b/krb5.spec
@ -627,7 +627,8 @@ exit 0
 %changelog
 * Thu May 27 2010 Nalin Dahyabhai <nalin@redhat.com>
 - ksu: move session management calls to before we drop privileges, like
-  su does (#596887)
+  su does (#596887), and don't skip the PAM account check for root or the
+  same user (more of #477033)

 * Mon May 24 2010 Nalin Dahyabhai <nalin@redhat.com> 1.8.1-6
 - make krb5-server-ldap also depend on the same version-release of krb5-libs,