Create and use private versions of setpwent() and endpwent() that

set/end the shadow password file too.

getspwuid.c

@@ -80,7 +80,6 @@ static const char rcsid[] = "$Sudo$";
 int crypt_type = INT_MAX;
 #endif /* HAVE_GETPRPWNAM && __alpha */
 
-
 /*
  * Return a copy of the encrypted password for the user described by pw.
  * If shadow passwords are in use, look in the shadow file.
@@ -106,14 +105,12 @@ sudo_getepw(pw)
     {
 	struct pr_passwd *spw;
 
-	setprpwent();
 	if ((spw = getprpwnam(pw->pw_name)) && spw->ufld.fd_encrypt) {
 # ifdef __alpha
 	    crypt_type = spw->ufld.fd_oldcrypt;
 # endif /* __alpha */
 	    epw = estrdup(spw->ufld.fd_encrypt);
 	}
-	endprpwent();
 	if (epw)
 	    return(epw);
     }
@@ -122,10 +119,8 @@ sudo_getepw(pw)
     {
 	struct spwd *spw;
 
-	setspent();
 	if ((spw = getspnam(pw->pw_name)) && spw->sp_pwdp)
 	    epw = estrdup(spw->sp_pwdp);
-	endspent();
 	if (epw)
 	    return(epw);
     }
@@ -134,10 +129,8 @@ sudo_getepw(pw)
     {
 	struct s_passwd *spw;
 
-	setspwent();
 	if ((spw = getspwuid(pw->pw_uid)) && spw->pw_passwd)
 	    epw = estrdup(spw->pw_passwd);
-	endspwent();
 	if (epw)
 	    return(epw);
     }
@@ -146,10 +139,8 @@ sudo_getepw(pw)
     {
 	struct passwd_adjunct *spw;
 
-	setpwaent();
 	if ((spw = getpwanam(pw->pw_name)) && spw->pwa_passwd)
 	    epw = estrdup(spw->pwa_passwd);
-	endpwaent();
 	if (epw)
 	    return(epw);
     }
@@ -158,10 +149,8 @@ sudo_getepw(pw)
     {
 	AUTHORIZATION *spw;
 
-	setauthent();
 	if ((spw = getauthuid(pw->pw_uid)) && spw->a_password)
 	    epw = estrdup(spw->a_password);
-	endauthent();
 	if (epw)
 	    return(epw);
     }
@@ -298,3 +287,45 @@ sudo_getpwnam(name)
     else
 	return(sudo_pwdup(pw, 1));
 }
+
+void
+sudo_setpwent()
+{
+    setpwent();
+#ifdef HAVE_GETPRPWNAM
+    setprpwent();
+#endif
+#ifdef HAVE_GETSPNAM
+    setspent();
+#endif
+#ifdef HAVE_GETSPWUID
+    setspwent();
+#endif
+#ifdef HAVE_GETPWANAM
+    setpwaent();
+#endif
+#ifdef HAVE_GETAUTHUID
+    setauthent();
+#endif
+}
+
+void
+sudo_endpwent()
+{
+    endpwent();
+#ifdef HAVE_GETPRPWNAM
+    endprpwent();
+#endif
+#ifdef HAVE_GETSPNAM
+    endspent();
+#endif
+#ifdef HAVE_GETSPWUID
+    endspwent();
+#endif
+#ifdef HAVE_GETPWANAM
+    endpwaent();
+#endif
+#ifdef HAVE_GETAUTHUID
+    endauthent();
+#endif
+}

logging.c

@@ -53,6 +53,7 @@
 # include "emul/err.h"
 #endif /* HAVE_ERR_H */
 #include <pwd.h>
+#include <grp.h>
 #include <signal.h>
 #include <time.h>
 #include <errno.h>
@@ -494,8 +495,9 @@ send_mail(line)
 		}
 		argv[i] = NULL;
 
-		/* Close password file so we don't leak the fd. */
-		endpwent();
+		/* Close password and group files so we don't leak fds. */
+		sudo_endpwent();
+		endgrent();
 
 		/*
 		 * Depending on the config, either run the mailer as root

sudo.c

@@ -197,7 +197,7 @@ main(argc, argv, envp)
      * Turn off core dumps and close open files.
      */
     initial_setup();
-    setpwent();
+    sudo_setpwent();
 
     /* Parse our arguments. */
     sudo_mode = parse_args(Argc, Argv);
@@ -402,7 +402,7 @@ main(argc, argv, envp)
 	    set_perms(PERM_FULL_RUNAS);
 
 	/* Close the password and group files */
-	endpwent();
+	sudo_endpwent();
 	endgrent();
 
 	/* Install the real environment. */

sudo.h

@@ -237,6 +237,8 @@ void zero_bytes		__P((volatile VOID *, size_t));
 int gettime		__P((struct timespec *));
 FILE *open_sudoers	__P((const char *, int *));
 void display_privs      __P((struct passwd *));
+void sudo_setpwent	__P((void));
+void sudo_endpwent	__P((void));
 #ifdef HAVE_SYSTRACE
 void systrace_attach	__P((pid_t));
 #endif