When calling setauthdb(), save the old registry value so we can

restore it properly.  Previously we were setting the registry to
unrestricted instead of actually restoring it.

config.h.in

@@ -54,6 +54,9 @@
 /* Define to 1 if you have the `asprintf' function. */
 #undef HAVE_ASPRINTF
 
+/* Define to 1 if the system has the type `authdb_t'. */
+#undef HAVE_AUTHDB_T
+
 /* Define to 1 if you have the `authenticate' function. */
 #undef HAVE_AUTHENTICATE
 

configure

@@ -2201,52 +2201,6 @@ $as_echo "$ac_res" >&6; }
 
 } # ac_fn_c_check_func
 
-# ac_fn_c_check_decl LINENO SYMBOL VAR INCLUDES
-# ---------------------------------------------
-# Tests whether SYMBOL is declared in INCLUDES, setting cache variable VAR
-# accordingly.
-ac_fn_c_check_decl ()
-{
-  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
-  as_decl_name=`echo $2|sed 's/ *(.*//'`
-  as_decl_use=`echo $2|sed -e 's/(/((/' -e 's/)/) 0&/' -e 's/,/) 0& (/g'`
-  { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $as_decl_name is declared" >&5
-$as_echo_n "checking whether $as_decl_name is declared... " >&6; }
-if eval \${$3+:} false; then :
-  $as_echo_n "(cached) " >&6
-else
-  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h.  */
-$4
-int
-main ()
-{
-#ifndef $as_decl_name
-#ifdef __cplusplus
-  (void) $as_decl_use;
-#else
-  (void) $as_decl_name;
-#endif
-#endif
-
-  ;
-  return 0;
-}
-_ACEOF
-if ac_fn_c_try_compile "$LINENO"; then :
-  eval "$3=yes"
-else
-  eval "$3=no"
-fi
-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
-fi
-eval ac_res=\$$3
-	       { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
-$as_echo "$ac_res" >&6; }
-  eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
-
-} # ac_fn_c_check_decl
-
 # ac_fn_c_check_type LINENO TYPE VAR INCLUDES
 # -------------------------------------------
 # Tests whether TYPE exists after having included INCLUDES, setting cache
@@ -2301,6 +2255,52 @@ $as_echo "$ac_res" >&6; }
 
 } # ac_fn_c_check_type
 
+# ac_fn_c_check_decl LINENO SYMBOL VAR INCLUDES
+# ---------------------------------------------
+# Tests whether SYMBOL is declared in INCLUDES, setting cache variable VAR
+# accordingly.
+ac_fn_c_check_decl ()
+{
+  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
+  as_decl_name=`echo $2|sed 's/ *(.*//'`
+  as_decl_use=`echo $2|sed -e 's/(/((/' -e 's/)/) 0&/' -e 's/,/) 0& (/g'`
+  { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $as_decl_name is declared" >&5
+$as_echo_n "checking whether $as_decl_name is declared... " >&6; }
+if eval \${$3+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+$4
+int
+main ()
+{
+#ifndef $as_decl_name
+#ifdef __cplusplus
+  (void) $as_decl_use;
+#else
+  (void) $as_decl_name;
+#endif
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  eval "$3=yes"
+else
+  eval "$3=no"
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+eval ac_res=\$$3
+	       { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
+$as_echo "$ac_res" >&6; }
+  eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
+
+} # ac_fn_c_check_decl
+
 # ac_fn_c_check_member LINENO AGGR MEMBER VAR INCLUDES
 # ----------------------------------------------------
 # Tries to find if the field MEMBER exists in type AGGR, after including
@@ -14802,7 +14802,7 @@ fi
 		RC_LINK=/etc/rc.d/rc2.d/S90sudo
 
 		# AIX-specific functions
-		for ac_func in getuserattr setauthdb setrlimit64
+		for ac_func in getuserattr setrlimit64
 do :
   as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
 ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@@ -14814,6 +14814,28 @@ _ACEOF
 fi
 done
 
+		for ac_func in setauthdb
+do :
+  ac_fn_c_check_func "$LINENO" "setauthdb" "ac_cv_func_setauthdb"
+if test "x$ac_cv_func_setauthdb" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_SETAUTHDB 1
+_ACEOF
+ ac_fn_c_check_type "$LINENO" "authdb_t" "ac_cv_type_authdb_t" "#include <usersec.h>
+"
+if test "x$ac_cv_type_authdb_t" = xyes; then :
+
+cat >>confdefs.h <<_ACEOF
+#define HAVE_AUTHDB_T 1
+_ACEOF
+
+
+fi
+
+fi
+done
+
+
 		COMMON_OBJS="${COMMON_OBJS} aix.lo"
 
     for _sym in aix_prep_user_v1 aix_restoreauthdb_v1 aix_setauthdb_v1; do

configure.ac

@@ -1741,7 +1741,10 @@ case "$host" in
 		RC_LINK=/etc/rc.d/rc2.d/S90sudo
 
 		# AIX-specific functions
-		AC_CHECK_FUNCS([getuserattr setauthdb setrlimit64])
+		AC_CHECK_FUNCS([getuserattr setrlimit64])
+		AC_CHECK_FUNCS([setauthdb],
+		    [AC_CHECK_TYPES([authdb_t], [], [], [#include <usersec.h>])])
+
 		COMMON_OBJS="${COMMON_OBJS} aix.lo"
 		SUDO_APPEND_COMPAT_EXP(aix_prep_user_v1 aix_restoreauthdb_v1 aix_setauthdb_v1)
 

lib/util/aix.c

@@ -129,8 +129,15 @@ aix_setlimits(char *user)
 
 #ifdef HAVE_SETAUTHDB
 
+# ifndef HAVE_AUTHDB_T
+typedef char authdb_t[16];
+# endif
+
+/* The empty string means to access all defined administrative domains. */
+static authdb_t old_registry;
+
 # if defined(HAVE_DECL_SETAUTHDB) && !HAVE_DECL_SETAUTHDB
-int setauthdb(char *new, char *old);
+int setauthdb(authdb_t new, authdb_t old);
 # endif
 # if defined(HAVE_DECL_USRINFO) && !HAVE_DECL_USRINFO
 int usrinfo(int cmd, char *buf, int count);
@@ -156,7 +163,7 @@ aix_setauthdb_v1(char *user)
 	    goto done;
 	}
 	if (getuserattr(user, S_REGISTRY, &registry, SEC_CHAR) == 0) {
-	    if (setauthdb(registry, NULL) != 0) {
+	    if (setauthdb(registry, old_registry) != 0) {
 		sudo_warn(U_("unable to switch to registry \"%s\" for %s"),
 		    registry, user);
 		goto done;
@@ -181,7 +188,7 @@ aix_restoreauthdb_v1(void)
     int rval = 0;
     debug_decl(aix_setauthdb, SUDO_DEBUG_UTIL)
 
-    if (setauthdb(NULL, NULL) != 0) {
+    if (setauthdb(old_registry, NULL) != 0) {
 	sudo_warn(U_("unable to restore registry"));
 	rval = -1;
     }