Attachment 290579 Details for Bug 427098 – Patch to policycoreutils-1.34.11

[patch] Patch to policycoreutils-1.34.11

newrole_no_tty_4.patch (text/plain), 19.13 KB, created by Timothy Reed on 2007-12-31 15:41:43 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Timothy Reed

Created: 2007-12-31 15:41:43 UTC

Size: 19.13 KB

patch

obsolete

>diff -Naur policycoreutils-1.34.11-orig/newrole/newrole.c policycoreutils-1.34.11/newrole/newrole.c
>--- policycoreutils-1.34.11-orig/newrole/newrole.c	2007-12-31 10:34:29.000000000 -0500
>+++ policycoreutils-1.34.11/newrole/newrole.c	2007-12-31 10:37:23.000000000 -0500
>@@ -182,15 +182,17 @@
> 	int pam_rc;		/* pam return code */
> 	const char *tty_name;
> 
>-	if (strncmp(ttyn, "/dev/", 5) == 0)
>-		tty_name = ttyn + 5;
>-	else
>-		tty_name = ttyn;
>-
>-	pam_rc = pam_set_item(pam_handle, PAM_TTY, tty_name);
>-	if (pam_rc != PAM_SUCCESS) {
>-		fprintf(stderr, _("failed to set PAM_TTY\n"));
>-		goto out;
>+	if (ttyn) {
>+		if (strncmp(ttyn, "/dev/", 5) == 0)
>+			tty_name = ttyn + 5;
>+		else
>+			tty_name = ttyn;
>+
>+		pam_rc = pam_set_item(pam_handle, PAM_TTY, tty_name);
>+		if (pam_rc != PAM_SUCCESS) {
>+			fprintf(stderr, _("failed to set PAM_TTY\n"));
>+			goto out;
>+		}
> 	}
> 
> 	/* Ask PAM to authenticate the user running this program */
>@@ -635,6 +637,9 @@
> 	security_context_t tty_con = NULL;
> 	security_context_t new_tty_con = NULL;
> 
>+	if (!ttyn)
>+		return 0;
>+
> 	if (enforcing < 0) {
> 		fprintf(stderr, _("Could not determine enforcing mode.\n"));
> 		return -1;
>@@ -703,6 +708,9 @@
> 	int rc = 0;
> 	security_context_t chk_tty_context = NULL;
> 
>+	if (!ttyn)
>+		goto skip_relabel;
>+
> 	if (!new_tty_context)
> 		goto skip_relabel;
> 
>@@ -800,12 +808,16 @@
> 						  "specified\n"));
> 				return -1;
> 			}
>-			if (fgetfilecon(0, &tty_con) >= 0) {
>-				if (selinux_check_securetty_context(tty_con) <
>-				    0) {
>-					fprintf(stderr,
>-						_
>-						("Error: you are not allowed to change levels on a non secure terminal\n"));
>+			if (ttyn) {
>+				if (fgetfilecon(0, &tty_con) >= 0) {
>+					if (selinux_check_securetty_context
>+					    (tty_con) < 0) {
>+						fprintf(stderr,
>+							_
>+							("Error: you are not allowed to change levels on a non secure terminal \n"));
>+						freecon(tty_con);
>+						return -1;
>+					}
> 					freecon(tty_con);
> 					return -1;
> 				}
>@@ -951,7 +963,7 @@
> 
> 	int fd;
> 	pid_t childPid = 0;
>-	char *shell_argv0 = NULL;
>+	char *shell_argv[4];
> 
> #ifdef USE_PAM
> 	int rc;
>@@ -1010,12 +1022,7 @@
> 		return -1;
> 	}
> 
>-	ttyn = ttyname(0);
>-	if (!ttyn || *ttyn == '\0') {
>-		fprintf(stderr,
>-			_("Error!  Could not retrieve tty information.\n"));
>-		return -1;
>-	}
>+	ttyn = ttyname(STDIN_FILENO);
> 
> 	if (parse_command_line_arguments(argc, argv, ttyn, old_context,
> 					 &new_context, &preserve_environment))
>@@ -1127,29 +1134,30 @@
> 		free(pw.pw_name);
> 		free(pw.pw_dir);
> 		free(pw.pw_shell);
>-		free(shell_argv0);
> 		return exit_code;
> 	}
> 
> 	/* CHILD */
> 	/* Close the tty and reopen descriptors 0 through 2 */
>-	if (close(fd) || close(0) || close(1) || close(2)) {
>-		fprintf(stderr, _("Could not close descriptors.\n"));
>-		goto err_close_pam;
>-	}
>-	fd = open(ttyn, O_RDONLY | O_NONBLOCK);
>-	if (fd != 0)
>-		goto err_close_pam;
>-	fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK);
>-	fd = open(ttyn, O_RDWR | O_NONBLOCK);
>-	if (fd != 1)
>-		goto err_close_pam;
>-	fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK);
>-	fd = open(ttyn, O_RDWR | O_NONBLOCK);
>-	if (fd != 2)
>-		goto err_close_pam;
>-	fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK);
>+	if (ttyn) {
>+		if (close(fd) || close(0) || close(1) || close(2)) {
>+			fprintf(stderr, _("Could not close descriptors.\n"));
>+			goto err_close_pam;
>+		}
>+		fd = open(ttyn, O_RDONLY | O_NONBLOCK);
>+		if (fd != 0)
>+			goto err_close_pam;
>+		fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK);
>+		fd = open(ttyn, O_RDWR | O_NONBLOCK);
>+		if (fd != 1)
>+			goto err_close_pam;
>+		fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK);
>+		fd = open(ttyn, O_RDWR | O_NONBLOCK);
>+		if (fd != 2)
>+			goto err_close_pam;
>+		fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK);
> 
>+	}
> 	/*
> 	 * Step 5:  Execute a new shell with the new context in `new_context'. 
> 	 *
>@@ -1158,14 +1166,6 @@
> 	if (optind < 1)
> 		optind = 1;
> 
>-	/* This is ugly, but use newrole's argv for the exec'd shells argv */
>-	if (asprintf(&shell_argv0, "-%s", pw.pw_shell) < 0) {
>-		fprintf(stderr, _("Error allocating shell's argv0.\n"));
>-		shell_argv0 = NULL;
>-		goto err_close_pam;
>-	}
>-	argv[optind - 1] = shell_argv0;
>-
> 	if (setexeccon(new_context)) {
> 		fprintf(stderr, _("Could not set exec context to %s.\n"),
> 			new_context);
>@@ -1196,7 +1196,37 @@
> 				  "aborting\n"));
> 		goto err_close_pam_session;
> 	}
>-	execv(pw.pw_shell, argv + optind - 1);
>+
>+	/* 
>+	 * Build up the command line to pass to exec
>+	 */
>+	asprintf(&shell_argv[0], "%s", pw.pw_shell);
>+
>+	/*
>+	 * If there is a -c in the command line then build the new 
>+	 * command line to the shell
>+	 */
>+	if (optind < argc) {
>+		if (strcmp(argv[optind], "-c") == 0 && optind < (argc - 1)) {
>+			asprintf(&shell_argv[1], "%s", argv[optind]);
>+
>+			/*
>+			 * Grab each of the command line args and build ONE
>+			 * argument out of it.
>+			 *
>+			 */
>+			asprintf(&shell_argv[2], "%s", argv[optind + 1]);
>+			int k;
>+			for (k = optind + 2; k < argc; k++) {
>+				asprintf(&shell_argv[2], "%s %s", 
>+					 shell_argv[2], argv[k]);
>+			}
>+			shell_argv[3] = NULL;
>+		}
>+	} else
>+		shell_argv[1] = NULL;
>+
>+	execv(shell_argv[0], shell_argv);
> 
> 	/*
> 	 * Error path cleanup
>@@ -1226,6 +1256,5 @@
> 	free(pw.pw_name);
> 	free(pw.pw_dir);
> 	free(pw.pw_shell);
>-	free(shell_argv0);
> 	return -1;
> }				/* main() */
>diff -Naur policycoreutils-1.34.11-orig/newrole/newrole.c~ policycoreutils-1.34.11/newrole/newrole.c~
>--- policycoreutils-1.34.11-orig/newrole/newrole.c~	2007-02-22 11:08:19.000000000 -0500
>+++ policycoreutils-1.34.11/newrole/newrole.c~	2007-12-31 10:32:22.000000000 -0500
>@@ -175,22 +175,24 @@
>  * program.  This is the only function in this program that makes PAM
>  * calls.
>  */
>-int authenticate_via_pam(const char *ttyn, pam_handle_t *pam_handle)
>+int authenticate_via_pam(const char *ttyn, pam_handle_t * pam_handle)
> {
> 
> 	int result = 0;		/* set to 0 (not authenticated) by default */
> 	int pam_rc;		/* pam return code */
> 	const char *tty_name;
> 
>-	if (strncmp(ttyn, "/dev/", 5) == 0)
>-		tty_name = ttyn + 5;
>-	else
>-		tty_name = ttyn;
>-
>-	pam_rc = pam_set_item(pam_handle, PAM_TTY, tty_name);
>-	if (pam_rc != PAM_SUCCESS) {
>-		fprintf(stderr, _("failed to set PAM_TTY\n"));
>-		goto out;
>+	if (ttyn) {
>+		if (strncmp(ttyn, "/dev/", 5) == 0)
>+			tty_name = ttyn + 5;
>+		else
>+			tty_name = ttyn;
>+
>+		pam_rc = pam_set_item(pam_handle, PAM_TTY, tty_name);
>+		if (pam_rc != PAM_SUCCESS) {
>+			fprintf(stderr, _("failed to set PAM_TTY\n"));
>+			goto out;
>+		}
> 	}
> 
> 	/* Ask PAM to authenticate the user running this program */
>@@ -245,7 +247,7 @@
> 	endspent();
> 	if (!(p_shadow_line)) {
> 		fprintf(stderr, _("Cannot find your entry in the shadow "
>-			"passwd file.\n"));
>+				  "passwd file.\n"));
> 		return 0;
> 	}
> 
>@@ -272,7 +274,7 @@
> 	int found = 0;
> 	const char *buf;
> 
>-	if (! (shell_name && shell_name[0]))
>+	if (!(shell_name && shell_name[0]))
> 		return found;
> 
> 	while ((buf = getusershell()) != NULL) {
>@@ -327,7 +329,7 @@
> 	pw->pw_dir = strdup(pw->pw_dir);
> 	pw->pw_shell = strdup(pw->pw_shell);
> 
>-	if (! (pw->pw_name && pw->pw_dir && pw->pw_shell)) {
>+	if (!(pw->pw_name && pw->pw_dir && pw->pw_shell)) {
> 		fprintf(stderr, _("Out of memory!\n"));
> 		goto out_free;
> 	}
>@@ -338,7 +340,7 @@
> 	}
> 	return 0;
> 
>-out_free:
>+      out_free:
> 	free(pw->pw_name);
> 	free(pw->pw_dir);
> 	free(pw->pw_shell);
>@@ -361,8 +363,8 @@
> 	char const *term_env;
> 	char const *display_env;
> 	char const *xauthority_env;
>-	char *term = NULL;		/* temporary container */
>-	char *display = NULL;		/* temporary container */
>+	char *term = NULL;	/* temporary container */
>+	char *display = NULL;	/* temporary container */
> 	char *xauthority = NULL;	/* temporary container */
> 	int rc;
> 
>@@ -383,7 +385,7 @@
> 	if (xauthority_env)
> 		xauthority = strdup(xauthority_env);
> 	if ((term_env && !term) || (display_env && !display) ||
>-	     (xauthority_env && !xauthority)) {
>+	    (xauthority_env && !xauthority)) {
> 		rc = -1;
> 		goto out;
> 	}
>@@ -406,7 +408,7 @@
> 	rc |= setenv("USER", pw->pw_name, 1);
> 	rc |= setenv("LOGNAME", pw->pw_name, 1);
> 	rc |= setenv("PATH", DEFAULT_PATH, 1);
>-out:
>+      out:
> 	free(term);
> 	free(display);
> 	free(xauthority);
>@@ -481,7 +483,7 @@
> 			_("Error dropping SETUID capability, aborting\n"));
> 		goto out;
> 	}
>-out:
>+      out:
> 	if (cap_free(tmp_caps) || cap_free(new_caps))
> 		fprintf(stderr, _("Error freeing caps\n"));
> 	return rc;
>@@ -505,8 +507,9 @@
> 	int rc = 0;
> 	cap_t new_caps;
> 	cap_value_t cap_list[] = { CAP_AUDIT_WRITE, CAP_SETUID,
>-				   CAP_SYS_ADMIN, CAP_FOWNER, CAP_CHOWN,
>-				   CAP_DAC_OVERRIDE };
>+		CAP_SYS_ADMIN, CAP_FOWNER, CAP_CHOWN,
>+		CAP_DAC_OVERRIDE
>+	};
> 
> 	if (!getuid())
> 		return 0;
>@@ -535,7 +538,7 @@
> 		fprintf(stderr, _("Error dropping capabilities, aborting\n"));
> 		goto out;
> 	}
>-out:
>+      out:
> 	if (cap_free(new_caps))
> 		fprintf(stderr, _("Error freeing caps\n"));
> 	return rc;
>@@ -626,21 +629,24 @@
>  * in permissive mode.
>  */
> static int relabel_tty(const char *ttyn, security_context_t new_context,
>-			security_context_t *tty_context,
>-			security_context_t *new_tty_context)
>+		       security_context_t * tty_context,
>+		       security_context_t * new_tty_context)
> {
> 	int fd;
> 	int enforcing = security_getenforce();
> 	security_context_t tty_con = NULL;
> 	security_context_t new_tty_con = NULL;
> 
>+	if (!ttyn)
>+		return 0;
>+
> 	if (enforcing < 0) {
> 		fprintf(stderr, _("Could not determine enforcing mode.\n"));
> 		return -1;
> 	}
> 
> 	/* Re-open TTY descriptor */
>-	fd = open(ttyn, O_RDWR|O_NONBLOCK);
>+	fd = open(ttyn, O_RDWR | O_NONBLOCK);
> 	if (fd < 0) {
> 		fprintf(stderr, _("Error!  Could not open %s.\n"), ttyn);
> 		return fd;
>@@ -649,7 +655,7 @@
> 
> 	if (fgetfilecon(fd, &tty_con) < 0) {
> 		fprintf(stderr, _("%s!  Could not get current context "
>-			"for %s, not relabeling tty.\n"),
>+				  "for %s, not relabeling tty.\n"),
> 			enforcing ? "Error" : "Warning", ttyn);
> 		if (enforcing)
> 			goto close_fd;
>@@ -658,8 +664,8 @@
> 	if (tty_con &&
> 	    (security_compute_relabel(new_context, tty_con,
> 				      SECCLASS_CHR_FILE, &new_tty_con) < 0)) {
>-		fprintf(stderr,	_("%s!  Could not get new context for %s, "
>-			"not relabeling tty.\n"),
>+		fprintf(stderr, _("%s!  Could not get new context for %s, "
>+				  "not relabeling tty.\n"),
> 			enforcing ? "Error" : "Warning", ttyn);
> 		if (enforcing)
> 			goto close_fd;
>@@ -680,7 +686,7 @@
> 	*new_tty_context = new_tty_con;
> 	return fd;
> 
>-close_fd:
>+      close_fd:
> 	freecon(tty_con);
> 	close(fd);
> 	return -1;
>@@ -702,6 +708,9 @@
> 	int rc = 0;
> 	security_context_t chk_tty_context = NULL;
> 
>+	if (!ttyn)
>+		goto skip_relabel;
>+
> 	if (!new_tty_context)
> 		goto skip_relabel;
> 
>@@ -719,7 +728,7 @@
> 	if ((rc = fsetfilecon(fd, tty_context)) < 0)
> 		fprintf(stderr,
> 			_("Warning! Could not restore context for %s\n"), ttyn);
>-skip_relabel:
>+      skip_relabel:
> 	freecon(chk_tty_context);
> 	return rc;
> }
>@@ -735,7 +744,7 @@
>  */
> static int parse_command_line_arguments(int argc, char **argv, char *ttyn,
> 					security_context_t old_context,
>-					security_context_t *new_context,
>+					security_context_t * new_context,
> 					int *preserve_environment)
> {
> 	int flag_index;		/* flag index in argv[] */
>@@ -747,7 +756,7 @@
> 	char *range_ptr = NULL;
> 	security_context_t new_con = NULL;
> 	security_context_t tty_con = NULL;
>-	context_t context = NULL; /* manipulatable form of new_context */
>+	context_t context = NULL;	/* manipulatable form of new_context */
> 	const struct option long_options[] = {
> 		{"role", 1, 0, 'r'},
> 		{"type", 1, 0, 't'},
>@@ -791,17 +800,24 @@
> 		case 'l':
> 			if (!is_selinux_mls_enabled()) {
> 				fprintf(stderr, _("Sorry, -l may be used with "
>-					"SELinux MLS support.\n"));
>+						  "SELinux MLS support.\n"));
> 				return -1;
> 			}
> 			if (level_s) {
> 				fprintf(stderr, _("Error: multiple levels "
>-					"specified\n"));
>+						  "specified\n"));
> 				return -1;
> 			}
>-			if (fgetfilecon(0,&tty_con) >= 0) {
>-				if (selinux_check_securetty_context(tty_con) < 0) {
>-					fprintf(stderr, _("Error: you are not allowed to change levels on a non secure terminal\n"));
>+			if (ttyn) {
>+				if (fgetfilecon(0, &tty_con) >= 0) {
>+					if (selinux_check_securetty_context
>+					    (tty_con) < 0) {
>+						fprintf(stderr,
>+							_
>+							("Error: you are not allowed to change levels on a non secure terminal \n"));
>+						freecon(tty_con);
>+						return -1;
>+					}
> 					freecon(tty_con);
> 					return -1;
> 				}
>@@ -824,7 +840,7 @@
> 
> 	/* Fill in a default type if one hasn't been specified. */
> 	if (role_s && !type_s) {
>-	 	/* get_default_type() returns malloc'd memory */
>+		/* get_default_type() returns malloc'd memory */
> 		if (get_default_type(role_s, &type_ptr)) {
> 			fprintf(stderr, _("Couldn't get default type.\n"));
> 			send_audit_message(0, old_context, new_con, ttyn);
>@@ -856,7 +872,8 @@
> 		}
> 
> 	if (level_s) {
>-		range_ptr = build_new_range(level_s,context_range_get(context));
>+		range_ptr =
>+		    build_new_range(level_s, context_range_get(context));
> 		if (!range_ptr) {
> 			fprintf(stderr,
> 				_("failed to build new range with level %s\n"),
>@@ -893,7 +910,7 @@
> 	context_free(context);
> 	return 0;
> 
>-err_free:
>+      err_free:
> 	free(type_ptr);
> 	free(range_ptr);
> 	/* Don't free new_con, context_free(context) handles this */
>@@ -936,7 +953,7 @@
> 	security_context_t new_context = NULL;	/* target security context */
> 	security_context_t old_context = NULL;	/* original securiy context */
> 	security_context_t tty_context = NULL;	/* current context of tty */
>-	security_context_t new_tty_context = NULL; /* new context of tty */
>+	security_context_t new_tty_context = NULL;	/* new context of tty */
> 
> 	struct passwd pw;	/* struct derived from passwd file line */
> 	char *ttyn = NULL;	/* tty path */
>@@ -946,12 +963,12 @@
> 
> 	int fd;
> 	pid_t childPid = 0;
>-	char *shell_argv0 = NULL;
>+	char *shell_argv[4];
> 
> #ifdef USE_PAM
> 	int rc;
>-	int pam_status;		   /* pam return code */
>-	pam_handle_t *pam_handle;  /* opaque handle used by all PAM functions */
>+	int pam_status;		/* pam return code */
>+	pam_handle_t *pam_handle;	/* opaque handle used by all PAM functions */
> 
> 	/* This is a jump table of functions for PAM to use when it wants to *
> 	 * communicate with the user.  We'll be using misc_conv(), which is  *
>@@ -985,7 +1002,7 @@
> 
> 	if (!is_selinux_enabled()) {
> 		fprintf(stderr, _("Sorry, newrole may be used only on "
>-			"a SELinux kernel.\n"));
>+				  "a SELinux kernel.\n"));
> 		return -1;
> 	}
> 
>@@ -1005,13 +1022,14 @@
> 		return -1;
> 	}
> 
>-	ttyn = ttyname(0);
>-	if (!ttyn || *ttyn == '\0') {
>-		fprintf(stderr,
>-			_("Error!  Could not retrieve tty information.\n"));
>-		return -1;
>-	}
>-
>+	ttyn = ttyname(STDIN_FILENO);
>+	/*
>+	   if (!ttyn || *ttyn == '\0') 
>+	   {
>+	   fprintf(stderr,
>+	   _("Warning!  Could not retrieve tty information.\n"));
>+	   }
>+	 */
> 	if (parse_command_line_arguments(argc, argv, ttyn, old_context,
> 					 &new_context, &preserve_environment))
> 		return -1;
>@@ -1105,7 +1123,7 @@
> 		}
> #ifdef USE_PAM
> #ifdef NAMESPACE_PRIV
>-		pam_status = pam_close_session(pam_handle,0);
>+		pam_status = pam_close_session(pam_handle, 0);
> 		if (pam_status != PAM_SUCCESS) {
> 			fprintf(stderr, "pam_close_session failed with %s\n",
> 				pam_strerror(pam_handle, pam_status));
>@@ -1122,29 +1140,30 @@
> 		free(pw.pw_name);
> 		free(pw.pw_dir);
> 		free(pw.pw_shell);
>-		free(shell_argv0);
> 		return exit_code;
> 	}
> 
> 	/* CHILD */
> 	/* Close the tty and reopen descriptors 0 through 2 */
>-	if (close(fd) || close(0) || close(1) || close(2)) {
>-		fprintf(stderr, _("Could not close descriptors.\n"));
>-		goto err_close_pam;
>-	}
>-	fd = open(ttyn, O_RDONLY|O_NONBLOCK);
>-	if (fd != 0)
>-		goto err_close_pam;
>-	fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK);
>-	fd = open(ttyn, O_RDWR|O_NONBLOCK);
>-	if (fd != 1)
>-		goto err_close_pam;
>-	fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK);
>-	fd = open(ttyn, O_RDWR|O_NONBLOCK);
>-	if (fd != 2)
>-		goto err_close_pam;
>-	fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK);
>+	if (ttyn) {
>+		if (close(fd) || close(0) || close(1) || close(2)) {
>+			fprintf(stderr, _("Could not close descriptors.\n"));
>+			goto err_close_pam;
>+		}
>+		fd = open(ttyn, O_RDONLY | O_NONBLOCK);
>+		if (fd != 0)
>+			goto err_close_pam;
>+		fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK);
>+		fd = open(ttyn, O_RDWR | O_NONBLOCK);
>+		if (fd != 1)
>+			goto err_close_pam;
>+		fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK);
>+		fd = open(ttyn, O_RDWR | O_NONBLOCK);
>+		if (fd != 2)
>+			goto err_close_pam;
>+		fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK);
> 
>+	}
> 	/*
> 	 * Step 5:  Execute a new shell with the new context in `new_context'. 
> 	 *
>@@ -1153,23 +1172,14 @@
> 	if (optind < 1)
> 		optind = 1;
> 
>-	/* This is ugly, but use newrole's argv for the exec'd shells argv */
>-	if (asprintf(&shell_argv0, "-%s", pw.pw_shell) < 0) {
>-		fprintf(stderr, _("Error allocating shell's argv0.\n"));
>-		shell_argv0 = NULL;
>-		goto err_close_pam;
>-	}
>-	argv[optind-1] = shell_argv0;
>-
> 	if (setexeccon(new_context)) {
> 		fprintf(stderr, _("Could not set exec context to %s.\n"),
> 			new_context);
> 		goto err_close_pam;
> 	}
>-
> #ifdef NAMESPACE_PRIV
> 	/* Ask PAM to setup session for user running this program */
>-	pam_status = pam_open_session(pam_handle,0);
>+	pam_status = pam_open_session(pam_handle, 0);
> 	if (pam_status != PAM_SUCCESS) {
> 		fprintf(stderr, "pam_open_session failed with %s\n",
> 			pam_strerror(pam_handle, pam_status));
>@@ -1189,32 +1199,65 @@
> 	/* Handle environment changes */
> 	if (restore_environment(preserve_environment, old_environ, &pw)) {
> 		fprintf(stderr, _("Unable to restore the environment, "
>-			"aborting\n"));
>+				  "aborting\n"));
> 		goto err_close_pam_session;
> 	}
>-	execv(pw.pw_shell, argv + optind - 1);
> 
>+	/* 
>+	 * Build up the command line to pass to exec
>+	 */
>+	asprintf(&shell_argv[0], "%s", pw.pw_shell);
>+
>+	/*
>+	 * If there is a -c in the command line then build the new 
>+	 * command line to the shell
>+	 */
>+	if (optind < argc) {
>+		if (strcmp(argv[optind], "-c") == 0 && optind < (argc - 1)) {
>+			asprintf(&shell_argv[1], "%s", argv[optind]);
>+
>+			/*
>+			 * Grab each of the command line args and build ONE
>+			 * argument out of it.
>+			 *
>+			 */
>+			asprintf(&shell_argv[2], "%s", argv[optind + 1]);
>+			fprintf(stderr, "argv(%s}\n", shell_argv[2]);
>+			int k;
>+			for (k = optind + 2; k < argc; k++) {
>+				asprintf(&shell_argv[2], "%s %s", shell_argv[2],
>+					 argv[k]);
>+				fprintf(stderr, "argv(%s}\n", shell_argv[2]);
>+			}
>+			shell_argv[3] = NULL;
>+		}
>+	} else
>+		shell_argv[1] = NULL;
>+
>+	execv(shell_argv[0], shell_argv);
>+
>+	fprintf(stderr, "Shell Exited");
> 	/*
> 	 * Error path cleanup
> 	 *
> 	 * If we reach here, then we failed to exec the new shell.
> 	 */
> 	perror(_("failed to exec shell\n"));
>-err_close_pam_session:
>+      err_close_pam_session:
> #ifdef NAMESPACE_PRIV
>-	pam_status = pam_close_session(pam_handle,0);
>-	if(pam_status != PAM_SUCCESS)
>+	pam_status = pam_close_session(pam_handle, 0);
>+	if (pam_status != PAM_SUCCESS)
> 		fprintf(stderr, "pam_close_session failed with %s\n",
> 			pam_strerror(pam_handle, pam_status));
> #endif
>-err_close_pam:
>+      err_close_pam:
> #ifdef USE_PAM
> 	rc = pam_end(pam_handle, pam_status);
> 	if (rc != PAM_SUCCESS)
> 		fprintf(stderr, "pam_end failed with %s\n",
> 			pam_strerror(pam_handle, rc));
> #endif
>-err_free:
>+      err_free:
> 	freecon(tty_context);
> 	freecon(new_tty_context);
> 	freecon(old_context);
>@@ -1222,6 +1265,5 @@
> 	free(pw.pw_name);
> 	free(pw.pw_dir);
> 	free(pw.pw_shell);
>-	free(shell_argv0);
> 	return -1;
> }				/* main() */

Actions: View | Diff

Attachments on bug 427098: 290579