authorLuke Shumaker <LukeShu@sbcglobal.net>2014-06-24 17:20:11 -0400
committerLuke Shumaker <LukeShu@sbcglobal.net>2014-06-24 17:20:11 -0400
commit68116faceb731829569ab4f2e21d2c62682107ef (patch)
tree2f82b87adf342fb1f4833f2eddfad7790a244cfc
parent0baf1c6fb8709add509ef4695048f4fcd4fd34bf (diff)
I stand by my last statementv20140624.2
-rw-r--r--Makefile2
-rw-r--r--parabolaweb-changepassword.c46
-rw-r--r--parabolaweb-changepassword.real.in25
3 files changed, 48 insertions, 25 deletions
diff --git a/Makefile b/Makefile
index 5dd9009..a93d024 100644
--- a/Makefile
+++ b/Makefile
@@ -58,7 +58,7 @@ depends.txt: list-depends depends_static.txt
./$< > $@
$(DESTDIR)$(sbindir)/parabolaweb-changepassword: parabolaweb-changepassword
- install -Dm6755 $< $@
+ install -Dm4755 $< $@
$(DESTDIR)$(pkgconffile): parabolaweb.conf
install -Dm644 $< $@
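Review bot: The new `install -Dm4755` line still names no owner, so the setuid bit applies to whichever account runs `make install`; unless packaging always runs this rule as root (or under a fakeroot that fixes ownership), the binary is not setuid-root, which the SUID_USER checks in parabolaweb-changepassword.real.in appear to depend on. Stating the requirement in the rule, `install -D -o root -g root -m4755 $< $@`, makes a non-root install fail loudly instead of silently producing a binary setuid to the build user. The surrounding Makefile targets continue outside the hunk.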
diff --git a/parabolaweb-changepassword.c b/parabolaweb-changepassword.c
index 29637da..96c89ed 100644
--- a/parabolaweb-changepassword.c
+++ b/parabolaweb-changepassword.c
@@ -56,27 +56,37 @@ sanitize_environment()
char *a = NULL;
struct passwd *user = NULL;
- const char *env_term = getenv("TERM");
- const char *env_lang = getenv("LANG");
- const char *env_lc_all = getenv("LC_ALL");
- const char *env_lc_collate = getenv("LC_COLLATE");
- const char *env_lc_ctype = getenv("LC_CTIME");
- const char *env_lc_messages = getenv("LC_MESSAGES");
- const char *env_lc_monetary = getenv("LC_MONETARY");
- const char *env_lc_numeric = getenv("LC_NUMERIC");
- const char *env_lc_time = getenv("LC_TIME");
+ const char *env_term = getenv("TERM" );
+ const char *env_lang = getenv("LANG" );
+ const char *env_lc_all = getenv("LC_ALL" );
+ const char *env_lc_collate = getenv("LC_COLLATE" );
+ const char *env_lc_ctype = getenv("LC_CTYPE" );
+ const char *env_lc_messages = getenv("LC_MESSAGES" );
+ const char *env_lc_monetary = getenv("LC_MONETARY" );
+ const char *env_lc_numeric = getenv("LC_NUMERIC" );
+ const char *env_lc_time = getenv("LC_TIME" );
+ /* NOTE: In the main program, make sure that SUID_USER is priveleged
+ before trusting SUDO_* */
+ const char *env_sudo_user = getenv("SUDO_USER" );
+ const char *env_sudo_uid = getenv("SUDO_UID" );
+ const char *env_sudo_gid = getenv("SUDO_GID" );
+ const char *env_sudo_command = getenv("SUDO_COMMAND");
clearenv();
- mysetenv("TERM" , env_term );
- mysetenv("LANG" , env_lang );
- mysetenv("LC_ALL" , env_lc_all );
- mysetenv("LC_COLLATE" , env_lc_collate );
- mysetenv("LC_CTIME" , env_lc_ctype );
- mysetenv("LC_MESSAGES", env_lc_messages);
- mysetenv("LC_MONETARY", env_lc_monetary);
- mysetenv("LC_NUMERIC" , env_lc_numeric );
- mysetenv("LC_TIME" , env_lc_time );
+ mysetenv("TERM" , env_term );
+ mysetenv("LANG" , env_lang );
+ mysetenv("LC_ALL" , env_lc_all );
+ mysetenv("LC_COLLATE" , env_lc_collate );
+ mysetenv("LC_CTYPE" , env_lc_ctype );
+ mysetenv("LC_MESSAGES" , env_lc_messages );
+ mysetenv("LC_MONETARY" , env_lc_monetary );
+ mysetenv("LC_NUMERIC" , env_lc_numeric );
+ mysetenv("LC_TIME" , env_lc_time );
+ mysetenv("SUDO_USER" , env_sudo_user );
+ mysetenv("SUDO_UID" , env_sudo_uid );
+ mysetenv("SUDO_GID" , env_sudo_gid );
+ mysetenv("SUDO_COMMAND", env_sudo_command);
user = getpwuid(getuid());
/* similar to SUDO_* */
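Review bot: The four SUDO_* values re-exported at the end of the new block are copied from the caller's environment unmodified, so when the binary is run directly by an unprivileged user they are caller-chosen strings, and the new comment only defers the trust decision to the main program. Since `user = getpwuid(getuid())` is computed on the very next line, the real uid is already available here; dropping the SUDO_* variables when that user is not one the program trusts, rather than relying on every consumer to check SUID_USER, would close the gap at the privilege boundary itself. At minimum SUDO_UID and SUDO_GID should be re-exported only if they parse cleanly as decimal integers (`strtoul` with end-pointer and `errno` checks) and SUDO_USER only if `getpwnam()` resolves it, before the corresponding `mysetenv` calls. The comment's `priveleged` should read `privileged`. sanitize_environment() starts and continues outside the hunk.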
diff --git a/parabolaweb-changepassword.real.in b/parabolaweb-changepassword.real.in
index 942ec66..e2f6437 100644
--- a/parabolaweb-changepassword.real.in
+++ b/parabolaweb-changepassword.real.in
@@ -24,25 +24,38 @@ usage() {
main() {
. @pkgconffile@
-
[[ -e "${WEBDIR}/manage.py" ]]
[[ -n "${WEBUSER}" ]]
- RUSER=${SUDO_USER:-${SUID_USER:-$USER}}
- EUSER=${USER}
+ REAL_USER=$USER
+ if ! { [[ $SUID_USER == root ]] || $SUID_USER == "$WEBUSER" ]]; }; then
+ unset SUDO_USER SUDO_UID SUDO_GID SUDO_COMMAND
+ fi
+
+ # The use-cases I want to handle:
+ # REAL SUID SUDO | NAME_OF others?
+ # user$ changepassword root user - | user no
+ # user$ sudo changepassword root root user | user yes
+ # user$ sudo -u web changepassword root web user | user yes
+ # web$ changepassword root web - | web yes
+ # root# changepassword root root - | root yes
+ # user$ /lib/.../changepasswoed user - - | user no
+ local NAME_OF=${SUDO_USER:-${SUID_USER:-$REAL_USER}}
+ local PERM_OF=${SUID_USER:-$REAL_USER}
- if [[ $EUSER == root ]] || [[ $EUSER == "$WEBUSER" ]]; then
+ local username
+ if [[ $PERM_OF == root ]] || [[ $PERM_OF == "$WEBUSER" ]]; then
if [[ $# -gt 1 ]]; then
usage >&2
return 1
fi
- username=${1:-$RUSER}
+ username=${1:-$NAME_OF}
else
if [[ $# -gt 0 ]]; then
usage >&2
return 1
fi
- username=$RUSER
+ username=$NAME_OF
fi
sudo -u "${WEBUSER}" python2 "${WEBDIR}/manage.py" changepassword "${username}"
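Review bot: The gate meant to discard SUDO_* for untrusted invokers is broken at its second test: `$SUID_USER == "$WEBUSER" ]]` lacks the opening `[[`, so bash runs the value of `$SUID_USER` as a command with `==`, the web user name and `]]` as arguments, and whether the `unset` fires depends on whether such a command exists rather than on who invoked the program. The line should be `if ! { [[ $SUID_USER == root ]] || [[ $SUID_USER == "$WEBUSER" ]]; }; then`. `REAL_USER=$USER` also presumes the setuid wrapper re-exports USER after its `clearenv()`; the C hunk in this commit shows only TERM, LANG, LC_* and SUDO_* being preserved, so confirm USER is set elsewhere or NAME_OF can fall through to an empty name. The comment table's `changepasswoed` is a typo for `changepassword`. main() continues past the end of the hunk.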