From 4540a7525edcb541cba52b6cab06314dc51a910a Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Tue, 27 Sep 2011 15:22:08 -0400 Subject: [PATCH] Do not return without restoring permissions. --- plugins/sudoers/auth/sudo_auth.c | 46 +++++++++++++++++++------------- 1 file changed, 27 insertions(+), 19 deletions(-) diff --git a/plugins/sudoers/auth/sudo_auth.c b/plugins/sudoers/auth/sudo_auth.c index 6bd921696..7f49322d5 100644 --- a/plugins/sudoers/auth/sudo_auth.c +++ b/plugins/sudoers/auth/sudo_auth.c @@ -107,6 +107,7 @@ int sudo_auth_init(struct passwd *pw) { sudo_auth *auth; + int status; if (auth_switch[0].name == NULL) return AUTH_SUCCESS; @@ -130,18 +131,18 @@ sudo_auth_init(struct passwd *pw) if (NEEDS_USER(auth)) set_perms(PERM_USER); - switch ((auth->init)(pw, auth)) { - case AUTH_FAILURE: - SET(auth->flags, FLAG_DISABLED); - break; - case AUTH_FATAL: - /* XXX log */ - audit_failure(NewArgv, "authentication failure"); - return -1; /* assume error msg already printed */ - } + status = (auth->init)(pw, auth); if (NEEDS_USER(auth)) restore_perms(); + + if (status == AUTH_FAILURE) + SET(auth->flags, FLAG_DISABLED); + else if (status == AUTH_FATAL) { + /* XXX log */ + audit_failure(NewArgv, "authentication failure"); + return -1; /* assume error msg already printed */ + } } } return AUTH_SUCCESS; @@ -151,6 +152,7 @@ int sudo_auth_cleanup(struct passwd *pw) { sudo_auth *auth; + int status; /* Call cleanup routines. */ for (auth = auth_switch; auth->name; auth++) { @@ -158,14 +160,16 @@ sudo_auth_cleanup(struct passwd *pw) if (NEEDS_USER(auth)) set_perms(PERM_USER); - if ((auth->cleanup)(pw, auth) == AUTH_FATAL) { + status = (auth->cleanup)(pw, auth); + + if (NEEDS_USER(auth)) + restore_perms(); + + if (status == AUTH_FATAL) { /* XXX log */ audit_failure(NewArgv, "authentication failure"); return -1; /* assume error msg already printed */ } - - if (NEEDS_USER(auth)) - restore_perms(); } } return AUTH_SUCCESS; @@ -206,15 +210,17 @@ verify_user(struct passwd *pw, char *prompt) set_perms(PERM_USER); status = (auth->setup)(pw, &prompt, auth); + + if (NEEDS_USER(auth)) + restore_perms(); + if (status == AUTH_FAILURE) SET(auth->flags, FLAG_DISABLED); - else if (status == AUTH_FATAL) {/* XXX log */ + else if (status == AUTH_FATAL) { + /* XXX log */ audit_failure(NewArgv, "authentication failure"); return -1; /* assume error msg already printed */ } - - if (NEEDS_USER(auth)) - restore_perms(); } } @@ -288,7 +294,8 @@ sudo_auth_begin_session(struct passwd *pw) for (auth = auth_switch; auth->name; auth++) { if (auth->begin_session && !IS_DISABLED(auth)) { status = (auth->begin_session)(pw, auth); - if (status == AUTH_FATAL) { /* XXX log */ + if (status == AUTH_FATAL) { + /* XXX log */ audit_failure(NewArgv, "authentication failure"); return -1; /* assume error msg already printed */ } @@ -306,7 +313,8 @@ sudo_auth_end_session(struct passwd *pw) for (auth = auth_switch; auth->name; auth++) { if (auth->end_session && !IS_DISABLED(auth)) { status = (auth->end_session)(pw, auth); - if (status == AUTH_FATAL) { /* XXX log */ + if (status == AUTH_FATAL) { + /* XXX log */ return -1; /* assume error msg already printed */ } } -- 2.40.0