From e36b245ca8b11e0f3f5533df44c552c37b3b76b0 Mon Sep 17 00:00:00 2001
From: "Andrey A. Chernov"
Date: Tue, 25 Sep 2001 11:07:26 +0000
Subject: [PATCH] 1) Back out ~/.login_conf disable 2) Pick only "me" class from ~/.login_conf as documented
---
 lib/libutil/login.conf.5 | 2 --
 lib/libutil/login_cap.c | 11 +++++------
 2 files changed, 5 insertions(+), 8 deletions(-)
diff --git a/lib/libutil/login.conf.5 b/lib/libutil/login.conf.5
index f27063076bad..37580b6f5700 100644
--- a/lib/libutil/login.conf.5
+++ b/lib/libutil/login.conf.5
@@ -60,8 +60,6 @@ to set user-defined environment settings which override those specified in
 the system login capabilities database. Only a subset of login capabilities may be overridden, typically those which do not involve authentication, resource limits and accounting.
-NOTE: this feature is compile-time disabled by default due to potential
-security risks.
 .Pp
 Records in a class capabilities database consist of a number of colon-separated fields.
diff --git a/lib/libutil/login_cap.c b/lib/libutil/login_cap.c
index bb4c080ed39f..f84196138419 100644
--- a/lib/libutil/login_cap.c
+++ b/lib/libutil/login_cap.c
@@ -184,18 +184,17 @@ login_getclassbyname(char const *name, const struct passwd *pwd)
     login_cap_t *lc;
     if ((lc = malloc(sizeof(login_cap_t))) != NULL) {
-        int r, i = 0;
+        int r, me, i = 0;
         uid_t euid = 0;
         gid_t egid = 0;
         const char *msg = NULL;
-        const char *dir = (pwd == NULL) ? NULL : pwd->pw_dir;
+        const char *dir;
         char userpath[MAXPATHLEN];
         static char *login_dbarray[] = { NULL, NULL, NULL };
-#ifndef _FILE_LOGIN_CONF_WORKS
-        dir = NULL;
-#endif
+        me = (name != NULL && strcmp(name, LOGIN_MECLASS) == 0);
+        dir = (!me || pwd == NULL) ? NULL : pwd->pw_dir;
         /*
          * Switch to user mode before checking/reading its ~/.login_conf
          * - some NFSes have root read access disabled.
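Review bot: The new `me`/`dir` computation carries no comment recording the invariant it exists to enforce — that the user-writable `~/.login_conf` is consulted only when the caller asks for the `me` class, while every other class name (including the default retried later) is resolved from the system databases alone — even though the same commit deletes the man page's only mention of why the per-user file was considered risky. A short comment above the assignment would keep that rationale next to the code, e.g. `/* Only the "me" class may come from the user's own ~/.login_conf; all other classes (and the default fallback) are read from the system databases only. */`. The `if (me)` in the following hunk depends on the same flag, so one comment covers both sites. The `name != NULL` guard inside the `me` expression is new; if a NULL `name` can reach this point, the `cgetent(..., (char*)name)` call in the next hunk still receives it unchanged, and if callers already guarantee a non-NULL name the guard is harmless but dead — worth confirming which applies. login_getclassbyname's body continues outside this hunk.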
@@ -227,7 +226,7 @@ login_getclassbyname(char const *name, const struct passwd *pwd)
         switch (cgetent(&lc->lc_cap, login_dbarray, (char*)name)) {
         case -1:                /* Failed, entry does not exist */
-            if (strcmp(name, LOGIN_MECLASS) == 0)
+            if (me)
                 break;          /* Don't retry default on 'me' */
             if (i == 0)
                 r = -1;