From 256ee25ab5724de1f27461dce5401f796796236f Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Sat, 21 Aug 2010 08:48:35 -0400
Subject: [PATCH] Move get_auth() into check.c where it is actually used.
---
 plugins/sudoers/check.c | 39 +++++++++++++++++++++++++++++++++++----
 plugins/sudoers/sudoers.c | 36 +-----------------------------------
 2 files changed, 36 insertions(+), 39 deletions(-)
diff --git a/plugins/sudoers/check.c b/plugins/sudoers/check.c
index 1bddeaadf..e06b2cd37 100644
--- a/plugins/sudoers/check.c
+++ b/plugins/sudoers/check.c
@@ -90,6 +90,7 @@ static char *expand_prompt(char *, char *, char *);
 static void lecture(int);
 static void update_timestamp(char *, char *);
 static int tty_is_devpts(const char *);
+static struct passwd *get_authpw(void);
 /*
 * Returns TRUE if the user successfully authenticates, else FALSE.
@@ -127,6 +128,8 @@ check_user(int validated, int mode)
 TS_MAKE_DIRS);
 if (status != TS_CURRENT || ISSET(validated, FLAG_CHECK_USER)) {
+ struct passwd *auth_pw;
+
 /* Bail out if we are non-interactive and a password is required */
 if (ISSET(mode, MODE_NONINTERACTIVE)) {
 warningx("sorry, a password is required to run %s", getprogname());
@@ -140,7 +143,9 @@ check_user(int validated, int mode)
 prompt = expand_prompt(user_prompt ? user_prompt : def_passprompt, user_name, user_shost);
+ auth_pw = get_authpw();
 rval = verify_user(auth_pw, prompt);
+ pw_delref(auth_pw);
 }
 /* Only update timestamp if user was validated. */
 if (rval == TRUE && ISSET(validated, VALIDATE_OK) &&
@@ -148,10 +153,6 @@ check_user(int validated, int mode)
 update_timestamp(timestampdir, timestampfile);
 efree(timestampdir);
 efree(timestampfile);
- if (auth_pw) {
- pw_delref(auth_pw);
- auth_pw = NULL;
- }
 return rval;
 }
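Review bot: The new sequence in check_user() (`auth_pw = get_authpw();`, `rval = verify_user(auth_pw, prompt);`, `pw_delref(auth_pw);`) uses the lookup result with no NULL check, whereas the cleanup removed further down was guarded by `if (auth_pw)`. In get_authpw() the rootpw and runaspw branches leave `pw` NULL when the lookup fails, so this is only safe if `log_error()` without a no-exit flag never returns, which this patch does not show. I would either state that assumption in a comment at the call site or fail closed explicitly, e.g. `rval = auth_pw != NULL ? verify_user(auth_pw, prompt) : FALSE;` followed by `if (auth_pw != NULL) pw_delref(auth_pw);`. check_user() starts outside these hunks, so the initial value of `rval` is not visible; skipping verify_user() without forcing FALSE could let the `rval == TRUE` timestamp update run for a user who was never authenticated.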
@@ -688,3 +689,33 @@ tty_is_devpts(const char *tty)
 #endif /* __linux__ */
 return retval;
 }
+
+/*
+ * Get passwd entry for the user we are going to authenticate as.
+ * By default, this is the user invoking sudo. In the most common
+ * case, this matches sudo_user.pw or runas_pw.
+ */
+static struct passwd *
+get_authpw(void)
+{
+ struct passwd *pw;
+
+ if (def_rootpw) {
+ if ((pw = sudo_getpwuid(0)) == NULL)
+ log_error(0, "unknown uid: 0");
+ } else if (def_runaspw) {
+ if ((pw = sudo_getpwnam(def_runas_default)) == NULL)
+ log_error(0, "unknown user: %s", def_runas_default);
+ } else if (def_targetpw) {
+ if (runas_pw->pw_name == NULL)
+ log_error(NO_MAIL|MSG_ONLY, "unknown uid: %lu",
+ (unsigned long) runas_pw->pw_uid);
+ pw_addref(runas_pw);
+ pw = runas_pw;
+ } else {
+ pw_addref(sudo_user.pw);
+ pw = sudo_user.pw;
+ }
+
+ return(pw);
+}
diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c
index e3c7f1092..7e09932b9 100644
--- a/plugins/sudoers/sudoers.c
+++ b/plugins/sudoers/sudoers.c
@@ -108,7 +108,6 @@ static void set_project(struct passwd *);
 static void set_runasgr(char *);
 static void set_runaspw(char *);
 static int sudoers_policy_version(int verbose);
-static struct passwd *get_authpw(void);
 static int deserialize_info(char * const settings[], char * const user_info[]);
 static char *find_editor(int nfiles, char **files, char ***argv_out);
 static void create_admin_success_flag(void);
@@ -122,7 +121,7 @@ extern GETGROUPS_T *runas_groups;
 */
 char *prev_user;
 struct sudo_user sudo_user;
-struct passwd *auth_pw, *list_pw;
+struct passwd *list_pw;
 struct interface *interfaces;
 int num_interfaces;
 int long_list;
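Review bot: The header comment on the get_authpw() added to check.c does not say that the returned entry carries a reference the caller must drop. The targetpw and default branches call `pw_addref()`, the rootpw and runaspw branches return what `sudo_getpwuid()` / `sudo_getpwnam()` hand back (presumably already counted), and check_user() pairs the call with `pw_delref()`. I would add to the comment: `* The caller owns a reference to the returned entry and must release it with pw_delref().` The targetpw branch also dereferences `runas_pw` without a NULL check, and the function now runs from check_user() rather than at a fixed point in sudoers_policy_main(). A line such as `* Requires runas_pw and sudo_user.pw to be set before the call.` would record that precondition; whether every caller of check_user() guarantees it is not visible here.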
@@ -440,9 +439,6 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
 /* Build a new environment that avoids any nasty bits. */
 rebuild_env(def_noexec);
- /* Fill in passwd struct based on user we are authenticating as. */
- auth_pw = get_authpw();
-
 /* Require a password if sudoers says so. */
 if (def_authenticate) {
 int rc = check_user(validated, sudo_mode);
@@ -1112,36 +1108,6 @@ set_runasgr(char *group)
 }
 }
-/*
- * Get passwd entry for the user we are going to authenticate as.
- * By default, this is the user invoking sudo. In the most common
- * case, this matches sudo_user.pw or runas_pw.
- */
-static struct passwd *
-get_authpw(void)
-{
- struct passwd *pw;
-
- if (def_rootpw) {
- if ((pw = sudo_getpwuid(0)) == NULL)
- log_error(0, "unknown uid: 0");
- } else if (def_runaspw) {
- if ((pw = sudo_getpwnam(def_runas_default)) == NULL)
- log_error(0, "unknown user: %s", def_runas_default);
- } else if (def_targetpw) {
- if (runas_pw->pw_name == NULL)
- log_error(NO_MAIL|MSG_ONLY, "unknown uid: %lu",
- (unsigned long) runas_pw->pw_uid);
- pw_addref(runas_pw);
- pw = runas_pw;
- } else {
- pw_addref(sudo_user.pw);
- pw = sudo_user.pw;
- }
-
- return(pw);
-}
-
 /*
 * Cleanup hook for error()/errorx()
 */
--
2.40.0