From c8a3d8ce02d7b30653752539a956a80365b2c892 Mon Sep 17 00:00:00 2001 From: ache Date: Tue, 25 Sep 2001 11:07:26 +0000 Subject: 1) Back out ~/.login_conf disable 2) Pick only "me" class from ~/.login_conf as documented --- lib/libutil/login.conf.5 | 2 -- lib/libutil/login_cap.c | 11 +++++------ 2 files changed, 5 insertions(+), 8 deletions(-) diff --git a/lib/libutil/login.conf.5 b/lib/libutil/login.conf.5 index f270630..37580b6 100644 --- a/lib/libutil/login.conf.5 +++ b/lib/libutil/login.conf.5 @@ -60,8 +60,6 @@ to set user-defined environment settings which override those specified in the system login capabilities database. Only a subset of login capabilities may be overridden, typically those which do not involve authentication, resource limits and accounting. -NOTE: this feature is compile-time disabled by default due to potential -security risks. .Pp Records in a class capabilities database consist of a number of colon-separated fields. diff --git a/lib/libutil/login_cap.c b/lib/libutil/login_cap.c index bb4c080..f841961 100644 --- a/lib/libutil/login_cap.c +++ b/lib/libutil/login_cap.c @@ -184,18 +184,17 @@ login_getclassbyname(char const *name, const struct passwd *pwd) login_cap_t *lc; if ((lc = malloc(sizeof(login_cap_t))) != NULL) { - int r, i = 0; + int r, me, i = 0; uid_t euid = 0; gid_t egid = 0; const char *msg = NULL; - const char *dir = (pwd == NULL) ? NULL : pwd->pw_dir; + const char *dir; char userpath[MAXPATHLEN]; static char *login_dbarray[] = { NULL, NULL, NULL }; -#ifndef _FILE_LOGIN_CONF_WORKS - dir = NULL; -#endif + me = (name != NULL && strcmp(name, LOGIN_MECLASS) == 0); + dir = (!me || pwd == NULL) ? NULL : pwd->pw_dir; /* * Switch to user mode before checking/reading its ~/.login_conf * - some NFSes have root read access disabled. 
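Review bot: The added `me`/`dir` assignments are now the only gate deciding whether the user-writable `~/.login_conf` is consulted, and nothing in the code says so once the `_FILE_LOGIN_CONF_WORKS` guard is removed. I would put a comment above them, for example `/* ~/.login_conf is user-controlled: consult it only for the LOGIN_MECLASS record */`. Two things cannot be seen in this hunk: whether a record read from that file can still pull in other entries (getcap's `tc=` expansion), and whether callers restrict which capabilities they accept from it. Both are worth confirming before relying on the man page's "only a subset" statement. `login_getclassbyname` starts before and continues past this hunk; the second hunk reuses the same flag at `case -1`.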
@@ -227,7 +226,7 @@ login_getclassbyname(char const *name, const struct passwd *pwd) switch (cgetent(&lc->lc_cap, login_dbarray, (char*)name)) { case -1: /* Failed, entry does not exist */ - if (strcmp(name, LOGIN_MECLASS) == 0) + if (me) break; /* Don't retry default on 'me' */ if (i == 0) r = -1; -- cgit v1.1