isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Do not return without restoring permissions.

Browse Source
This commit is contained in:
Todd C. Miller
2011-09-27 15:22:08 -04:00
parent de684e5d2c
commit 4540a7525e
1 changed files with 29 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
plugins/sudoers/auth/sudo_auth.c
View File

@@ -107,6 +107,7 @@ int
sudo_auth_init(struct passwd *pw) sudo_auth_init(struct passwd *pw)
{ {
sudo_auth *auth; sudo_auth *auth;
int status;
if (auth_switch[0].name == NULL) if (auth_switch[0].name == NULL)
return AUTH_SUCCESS; return AUTH_SUCCESS;
@@ -130,18 +131,18 @@ sudo_auth_init(struct passwd *pw)
if (NEEDS_USER(auth)) if (NEEDS_USER(auth))
set_perms(PERM_USER); set_perms(PERM_USER);
switch ((auth->init)(pw, auth)) { status = (auth->init)(pw, auth);
case AUTH_FAILURE:
if (NEEDS_USER(auth))
restore_perms();
if (status == AUTH_FAILURE)
SET(auth->flags, FLAG_DISABLED); SET(auth->flags, FLAG_DISABLED);
break; else if (status == AUTH_FATAL) {
case AUTH_FATAL:
/* XXX log */ /* XXX log */
audit_failure(NewArgv, "authentication failure"); audit_failure(NewArgv, "authentication failure");
return -1; /* assume error msg already printed */ return -1; /* assume error msg already printed */
} }
if (NEEDS_USER(auth))
restore_perms();
} }
} }
return AUTH_SUCCESS; return AUTH_SUCCESS;
@@ -151,6 +152,7 @@ int
sudo_auth_cleanup(struct passwd *pw) sudo_auth_cleanup(struct passwd *pw)
{ {
sudo_auth *auth; sudo_auth *auth;
int status;
/* Call cleanup routines. */ /* Call cleanup routines. */
for (auth = auth_switch; auth->name; auth++) { for (auth = auth_switch; auth->name; auth++) {
@@ -158,14 +160,16 @@ sudo_auth_cleanup(struct passwd *pw)
if (NEEDS_USER(auth)) if (NEEDS_USER(auth))
set_perms(PERM_USER); set_perms(PERM_USER);
if ((auth->cleanup)(pw, auth) == AUTH_FATAL) { status = (auth->cleanup)(pw, auth);
if (NEEDS_USER(auth))
restore_perms();
if (status == AUTH_FATAL) {
/* XXX log */ /* XXX log */
audit_failure(NewArgv, "authentication failure"); audit_failure(NewArgv, "authentication failure");
return -1; /* assume error msg already printed */ return -1; /* assume error msg already printed */
} }
if (NEEDS_USER(auth))
restore_perms();
} }
} }
return AUTH_SUCCESS; return AUTH_SUCCESS;
@@ -206,15 +210,17 @@ verify_user(struct passwd *pw, char *prompt)
set_perms(PERM_USER); set_perms(PERM_USER);
status = (auth->setup)(pw, &prompt, auth); status = (auth->setup)(pw, &prompt, auth);
if (status == AUTH_FAILURE)
SET(auth->flags, FLAG_DISABLED);
else if (status == AUTH_FATAL) {/* XXX log */
audit_failure(NewArgv, "authentication failure");
return -1; /* assume error msg already printed */
}
if (NEEDS_USER(auth)) if (NEEDS_USER(auth))
restore_perms(); restore_perms();
if (status == AUTH_FAILURE)
SET(auth->flags, FLAG_DISABLED);
else if (status == AUTH_FATAL) {
/* XXX log */
audit_failure(NewArgv, "authentication failure");
return -1; /* assume error msg already printed */
}
} }
} }
@@ -288,7 +294,8 @@ sudo_auth_begin_session(struct passwd *pw)
for (auth = auth_switch; auth->name; auth++) { for (auth = auth_switch; auth->name; auth++) {
if (auth->begin_session && !IS_DISABLED(auth)) { if (auth->begin_session && !IS_DISABLED(auth)) {
status = (auth->begin_session)(pw, auth); status = (auth->begin_session)(pw, auth);
if (status == AUTH_FATAL) { /* XXX log */ if (status == AUTH_FATAL) {
/* XXX log */
audit_failure(NewArgv, "authentication failure"); audit_failure(NewArgv, "authentication failure");
return -1; /* assume error msg already printed */ return -1; /* assume error msg already printed */
} }
@@ -306,7 +313,8 @@ sudo_auth_end_session(struct passwd *pw)
for (auth = auth_switch; auth->name; auth++) { for (auth = auth_switch; auth->name; auth++) {
if (auth->end_session && !IS_DISABLED(auth)) { if (auth->end_session && !IS_DISABLED(auth)) {
status = (auth->end_session)(pw, auth); status = (auth->end_session)(pw, auth);
if (status == AUTH_FATAL) { /* XXX log */ if (status == AUTH_FATAL) {
/* XXX log */
return -1; /* assume error msg already printed */ return -1; /* assume error msg already printed */
} }
} }