- if (setusercontext(NULL, pw, target, LOGIN_SETGROUP |
- LOGIN_SETPRIORITY | LOGIN_SETRESOURCES | LOGIN_SETUMASK |
- LOGIN_SETUSER) != 0)
- errx(1, "failed to set user context for target");
-
- syslog(LOG_AUTHPRIV | LOG_INFO, "%s ran command as %s: %s",
- myname, pw->pw_name, cmdline);
- if (setenv("PATH", safepath, 1) == -1)
- err(1, "failed to set PATH '%s'", safepath);
+
+#if defined(USE_PAM)
+ pamauth(targpw->pw_name, mypw->pw_name, !nflag, rule->options & NOPASS,
+ rule->options & PERSIST);
+#endif
+
+ if (setresgid(targpw->pw_gid, targpw->pw_gid, targpw->pw_gid) != 0)
+ err(1, "setresgid");
+ if (initgroups(targpw->pw_name, targpw->pw_gid) != 0)
+ err(1, "initgroups");
+ if (setresuid(target, target, target) != 0)
+ err(1, "setresuid");
+
+ if (getcwd(cwdpath, sizeof(cwdpath)) == NULL)
+ cwd = "(failed)";
+ else
+ cwd = cwdpath;
+
+ syslog(LOG_AUTHPRIV | LOG_INFO, "%s ran command %s as %s from %s",
+ mypw->pw_name, cmdline, targpw->pw_name, cwd);
+
+ envp = prepenv(rule, mypw, targpw);
+
+ /* setusercontext set path for the next process, so reset it for us */
+ if (rule->cmd) {
+ if (setenv("PATH", safepath, 1) == -1)
+ err(1, "failed to set PATH '%s'", safepath);
+ } else {
+ if (setenv("PATH", formerpath, 1) == -1)
+ err(1, "failed to set PATH '%s'", formerpath);
+ }
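Review bot: The setresgid/initgroups/setresuid sequence that replaces setusercontext() no longer applies what LOGIN_SETUMASK, LOGIN_SETPRIORITY and LOGIN_SETRESOURCES covered, so unless that is handled outside these lines the command runs as the target user with the invoking user's umask, priority and resource limits. If that is a deliberate portability trade-off, say so next to the calls; otherwise reset at least the umask before the exec, for example `umask(022);` (the value here is only an example and should follow local policy). The comment above the PATH reset still refers to setusercontext, which the new code no longer calls; something like `/* PATH for our own command lookup: safepath if the rule names a command, else formerpath */` matches what the branch does. The enclosing function begins and ends outside the visible lines.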