Hello,
----- Original Message -----
> @@ -148,9 +170,11 @@ int main(int argc, char **argv)
>
> printf(_("Changing shell for %s.\n"), pw->pw_name);
>
> +#ifndef HAVE_LIBUSER
> if(!auth_pam(uid, pw)) {
> return EXIT_FAILURE;
> }
> +#endif
>
> if (!shell) {
> shell = prompt(_("New shell"), oldshell);
> @@ -163,15 +187,72 @@ int main(int argc, char **argv)
>
> if (strcmp(oldshell, shell) == 0)
> errx(EXIT_SUCCESS, _("Shell not changed."));
> +
> +#ifdef HAVE_LIBUSER
> + ctx = lu_start(pw->pw_name, lu_user, NULL, NULL, NULL, NULL,
> &error);
AFAICS the "prompter" argument must not be NULL for LDAP to work. lu_prompt_console_quiet (not lu_prompt_console) is a good value.
> + memset(&val, 0, sizeof(val));
> + g_value_init(&val, G_TYPE_STRING);
> + g_value_set_string(&val, shell);
> +
> + lu_ent_clear(ent, LU_LOGINSHELL);
> + lu_ent_add(ent, LU_LOGINSHELL, &val);
If you don't mind depending on libuser >= 0.58, all of the above can be replaced with
> lu_ent_set_string(ent, LU_LOGINSHELL, shell);
and you can drop the "g_value_unset" calls as well.
> +#ifdef HAVE_LIBUSER
> +static int auth_lu(struct lu_context *ctx, uid_t uid, struct passwd
> *pw) {
> + if(!lu_uses_elevated_privileges(ctx)) {
> + /* Drop privileges */
"initgroups" needs to be called here to drop supplementar group memberships.
> + if (setegid(getgid()) == -1) {
> + errx(EXIT_FAILURE, _("Couldn't drop group privileges"));
> + return FALSE;
> + }
> + if (seteuid(getuid()) == -1) {
> + errx(EXIT_FAILURE, _("Couldn't drop group privileges"));
> + return FALSE;
> + }
> + return TRUE;
> + }
> +
> + return auth_pam(uid, pw);
> +}
> +#endif
-- To unsubscribe from this list: send the line "unsubscribe util-linux" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
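Review bot: In the quoted `auth_lu`, `setegid(getgid())` and `seteuid(getuid())` change only the effective IDs, so the saved set-user-ID and set-group-ID stay privileged and later code in the same process can undo the drop. If the drop is meant to be permanent (the quoted part does not show privileges being needed again), use `if (setgid(getgid()) == -1)` followed by `if (setuid(getuid()) == -1)`, which reset the real, effective and saved IDs while the process is still privileged. The `seteuid` failure branch also reuses the message `_("Couldn't drop group privileges")` where `_("Couldn't drop user privileges")` is presumably meant, and the `return FALSE;` after each `errx()` is unreachable because `errx()` exits.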