From 68116faceb731829569ab4f2e21d2c62682107ef Mon Sep 17 00:00:00 2001
From: Luke Shumaker
Date: Tue, 24 Jun 2014 17:20:11 -0400
Subject: I stand by my last statement

---
 Makefile                           |  2 +-
 parabolaweb-changepassword.c       | 46 +++++++++++++++++++++++---------------
 parabolaweb-changepassword.real.in | 25 ++++++++++++++++-----
 3 files changed, 48 insertions(+), 25 deletions(-)

diff --git a/Makefile b/Makefile
index 5dd9009..a93d024 100644
--- a/Makefile
+++ b/Makefile
@@ -58,7 +58,7 @@ depends.txt: list-depends depends_static.txt
 	./$< > $@
 $(DESTDIR)$(sbindir)/parabolaweb-changepassword: parabolaweb-changepassword
-	install -Dm6755 $< $@
+	install -Dm4755 $< $@
 $(DESTDIR)$(pkgconffile): parabolaweb.conf
 	install -Dm644 $< $@
diff --git a/parabolaweb-changepassword.c b/parabolaweb-changepassword.c
index 29637da..96c89ed 100644
--- a/parabolaweb-changepassword.c
+++ b/parabolaweb-changepassword.c
@@ -56,27 +56,37 @@ sanitize_environment()
 	char *a = NULL;
 	struct passwd *user = NULL;
-	const char *env_term = getenv("TERM");
-	const char *env_lang = getenv("LANG");
-	const char *env_lc_all = getenv("LC_ALL");
-	const char *env_lc_collate = getenv("LC_COLLATE");
-	const char *env_lc_ctype = getenv("LC_CTIME");
-	const char *env_lc_messages = getenv("LC_MESSAGES");
-	const char *env_lc_monetary = getenv("LC_MONETARY");
-	const char *env_lc_numeric = getenv("LC_NUMERIC");
-	const char *env_lc_time = getenv("LC_TIME");
+	const char *env_term = getenv("TERM" );
+	const char *env_lang = getenv("LANG" );
+	const char *env_lc_all = getenv("LC_ALL" );
+	const char *env_lc_collate = getenv("LC_COLLATE" );
+	const char *env_lc_ctype = getenv("LC_CTYPE" );
+	const char *env_lc_messages = getenv("LC_MESSAGES" );
+	const char *env_lc_monetary = getenv("LC_MONETARY" );
+	const char *env_lc_numeric = getenv("LC_NUMERIC" );
+	const char *env_lc_time = getenv("LC_TIME" );
+	/* NOTE: In the main program, make sure that SUID_USER is priveleged
+	   before trusting SUDO_* */
+	const char *env_sudo_user = getenv("SUDO_USER" );
+	const char *env_sudo_uid = getenv("SUDO_UID" );
+	const char *env_sudo_gid = getenv("SUDO_GID" );
+	const char *env_sudo_command = getenv("SUDO_COMMAND");
 	clearenv();
-	mysetenv("TERM" , env_term );
-	mysetenv("LANG" , env_lang );
-	mysetenv("LC_ALL" , env_lc_all );
-	mysetenv("LC_COLLATE" , env_lc_collate );
-	mysetenv("LC_CTIME" , env_lc_ctype );
-	mysetenv("LC_MESSAGES", env_lc_messages);
-	mysetenv("LC_MONETARY", env_lc_monetary);
-	mysetenv("LC_NUMERIC" , env_lc_numeric );
-	mysetenv("LC_TIME" , env_lc_time );
+	mysetenv("TERM" , env_term );
+	mysetenv("LANG" , env_lang );
+	mysetenv("LC_ALL" , env_lc_all );
+	mysetenv("LC_COLLATE" , env_lc_collate );
+	mysetenv("LC_CTYPE" , env_lc_ctype );
+	mysetenv("LC_MESSAGES" , env_lc_messages );
+	mysetenv("LC_MONETARY" , env_lc_monetary );
+	mysetenv("LC_NUMERIC" , env_lc_numeric );
+	mysetenv("LC_TIME" , env_lc_time );
+	mysetenv("SUDO_USER" , env_sudo_user );
+	mysetenv("SUDO_UID" , env_sudo_uid );
+	mysetenv("SUDO_GID" , env_sudo_gid );
+	mysetenv("SUDO_COMMAND", env_sudo_command);
 	user = getpwuid(getuid()); /* similar to SUDO_* */
diff --git a/parabolaweb-changepassword.real.in b/parabolaweb-changepassword.real.in
index 942ec66..e2f6437 100644
--- a/parabolaweb-changepassword.real.in
+++ b/parabolaweb-changepassword.real.in
@@ -24,25 +24,38 @@ usage() {
 main() {
 	. @pkgconffile@
-	[[ -e "${WEBDIR}/manage.py" ]]
 	[[ -n "${WEBUSER}" ]]
-	RUSER=${SUDO_USER:-${SUID_USER:-$USER}}
-	EUSER=${USER}
+	REAL_USER=$USER
+	if ! { [[ $SUID_USER == root ]] || $SUID_USER == "$WEBUSER" ]]; }; then
+		unset SUDO_USER SUDO_UID SUDO_GID SUDO_COMMAND
+	fi
+
+	# The use-cases I want to handle:
+	# REAL SUID SUDO | NAME_OF others?
+	# user$ changepassword root user - | user no
+	# user$ sudo changepassword root root user | user yes
+	# user$ sudo -u web changepassword root web user | user yes
+	# web$ changepassword root web - | web yes
+	# root# changepassword root root - | root yes
+	# user$ /lib/.../changepasswoed user - - | user no
+	local NAME_OF=${SUDO_USER:-${SUID_USER:-$REAL_USER}}
+	local PERM_OF=${SUID_USER:-$REAL_USER}
-	if [[ $EUSER == root ]] || [[ $EUSER == "$WEBUSER" ]]; then
+	local username
+	if [[ $PERM_OF == root ]] || [[ $PERM_OF == "$WEBUSER" ]]; then
 		if [[ $# -gt 1 ]]; then
 			usage >&2
 			return 1
 		fi
-		username=${1:-$RUSER}
+		username=${1:-$NAME_OF}
 	else
 		if [[ $# -gt 0 ]]; then
 			usage >&2
 			return 1
 		fi
-		username=$RUSER
+		username=$NAME_OF
 	fi
 	sudo -u "${WEBUSER}" python2 "${WEBDIR}/manage.py" changepassword "${username}"
-- 
cgit v1.2.3
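Review bot: The four SUDO_* values added here are carried across clearenv() with no check at all, yet they are read from the invoking user's environment, so any unprivileged caller of this setuid helper can set SUDO_USER, SUDO_UID and SUDO_GID to arbitrary strings; the new NOTE comment hands the whole trust decision to "the main program", and the script in this same commit then uses SUDO_USER as the default username, so that one downstream gate is the only thing standing between caller-chosen data and a password change. I would keep the caller-side gate but also refuse to forward values that are not even well-formed, since the uid is already at hand here, and reword the comment (it misspells "privileged") to state the contract explicitly; this assumes mysetenv() already tolerates a NULL value, as it must for an unset TERM. sanitize_environment() starts before this hunk and continues after the getpwuid() line. Proposed change, with a small digit-check helper placed above the function:
```c
/* True when s is non-empty and consists only of decimal digits. */
static int all_digits(const char *s)
{
	if (*s == '\0')
		return 0;
	for (; *s != '\0'; s++)
		if (*s < '0' || *s > '9')
			return 0;
	return 1;
}

/* … unchanged: sanitize_environment() up to the LC_TIME getenv() … */
	/* SUDO_* are read from the caller's environment, so an unprivileged
	   real user can set them to anything.  Forward only well-formed
	   values; the script must still verify that SUID_USER is privileged
	   before it acts on them. */
	const char *env_sudo_user    = getenv("SUDO_USER"   );
	const char *env_sudo_uid     = getenv("SUDO_UID"    );
	const char *env_sudo_gid     = getenv("SUDO_GID"    );
	const char *env_sudo_command = getenv("SUDO_COMMAND");
	if (env_sudo_uid != NULL && !all_digits(env_sudo_uid))
		env_sudo_uid = NULL;
	if (env_sudo_gid != NULL && !all_digits(env_sudo_gid))
		env_sudo_gid = NULL;
	if (env_sudo_user != NULL && (env_sudo_user[0] == '\0' || env_sudo_user[0] == '-'))
		env_sudo_user = NULL;
	clearenv();
	/* … unchanged: mysetenv() calls … */
```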
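Review bot: The trust gate on the new `if !` line is mis-written: the second test has no opening `[[`, so once `[[ $SUID_USER == root ]]` is false bash runs `$SUID_USER == "$WEBUSER" ]]` as a command, i.e. it executes a program named after the invoking user with the arguments `==`, the web user's name and `]]`. For most accounts that is "command not found" and the `unset` happens by accident, but a user whose name matches anything on PATH (`true`, say) makes the condition succeed, keeps the SUDO_USER they set themselves, and has it picked up as NAME_OF and then as `username` in the else branch — and a helper that runs with elevated privilege should never exec a command named by caller data in the first place. Replace the line with `if [[ $SUID_USER != root && $SUID_USER != "$WEBUSER" ]]; then`, which also behaves correctly when SUID_USER is unset. The last row of the use-case table misspells the command as `changepasswoed`; main() continues past the end of the hunk.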