In ksu, without the -e flag, also check .k5users
When ksu was explicitly told to spawn a shell, a line in .k5users which
listed "*" as the allowed command would cause the principal named on the
line to be considered as a candidate for authentication.
When ksu was not passed a command to run, which implicitly meant that
the invoking user wanted to run the target user's login shell, knowledge
that the principal was a valid candidate was ignored, which could cause
a less optimal choice of the default target principal.
This doesn't impact the authorization checks which we perform later.
Author: Nalin Dahyabhai <firstname.lastname@example.org>
Committer: Greg Hudson <email@example.com>
src/clients/ksu/heuristic.c | 19 ++++++-------------
1 files changed, 6 insertions(+), 13 deletions(-)