[PATCH] Improve _su

[PATCH] Improve _su

[dana]

I was looking at _su for workers/45410 and noticed a few things:

* Fetching the user's shell often doesn't work on macOS, because normal users
  don't appear in passwd; we can use Directory Service for this

* We try to use -s to set the shell even for implementations that don't
  support that; we should skip those

* For the getent passwd case, we weren't escaping the user name before passing
  it to eval

* For the non-getent passwd case, we were doing a prefix match on the user
  name (i don't think that was intended?)

dana


diff --git a/Completion/Unix/Command/_su b/Completion/Unix/Command/_su
index 900905632..ea0beab94 100644
--- a/Completion/Unix/Command/_su
+++ b/Completion/Unix/Command/_su
@@ -58,12 +58,22 @@ fi
 _arguments $args ${(e)first} "*:shell arguments:= ->rest" && return
 
 usr=${line[norm]/--/root}
-if (( $#opt_args[(i)-(s|-shell)] )); then
+
+# Normal users generally don't appear in passwd on macOS; try the Directory
+# Service first
+if [[ $OSTYPE == darwin* ]] && (( $+commands[dscl] )); then
+  shell=${"$(
+    _call_program shells dscl . -read /Users/${(q)usr} UserShell
+  )"#UserShell: }
+fi
+
+[[ -z $shell ]] &&
+if (( ${#${(@M)args:#*-s\[*\]:*}} && $#opt_args[(i)-(s|-shell)] )); then
   shell=${(v)opt_args[(i)-(s|-shell)]}
 elif (( ${+commands[getent]} )); then
-  shell="${$(_call_program shells getent passwd $usr)##*:}"
+  shell="${$(_call_program shells getent passwd ${(q)usr})##*:}"
 else
-  shell="${${(M@)${(@f)$(</etc/passwd)}:#$usr*}##*:}"
+  shell="${${(M@)${(@f)$(</etc/passwd)}:#${usr}:*}##*:}"
 fi
 
 case $state in

Re: [PATCH] Improve _su

[dana]

On 12 Feb 2020, at 15:26, dana <dana@dana.is> wrote:
> I was looking at _su for workers/45410 and noticed a few things:

Sorry, noticed more things:

* Short options that take optargs should use -x+ form

* $_comp_priv_prefix can be used to show util-linux group options

* macOS doesn't support -c

* OpenBSD supports adding a log-in method after the user name; it should be
  removed before looking up the shell

* OpenBSD log-in methods are listed in login.conf (though i think there are
  others too)

dana


diff --git a/Completion/Unix/Command/_su b/Completion/Unix/Command/_su
index 900905632..8233296a2 100644
--- a/Completion/Unix/Command/_su
+++ b/Completion/Unix/Command/_su
@@ -9,36 +9,44 @@ local shell usr
 (( $words[(i)-(l|-login)] < CURRENT )) || args=( '-[use a login shell]' )
 case $OSTYPE in
   linux*)
+    # Some of these options only apply to util-linux, not shadow-utils
     args=( -S $args
-      '(-c --command --session-command *)'{-c,--command=}'[pass command to shell]:command string:_cmdstring'
+      '(-c --command --session-command *)'{-c+,--command=}'[pass command to shell]:command string:_cmdstring'
       "(-c --command *)--session-command=[pass command to shell and don't create a new session]:command string:_cmdstring"
       '(--fast -f)'{-f,--fast}'[pass -f to shell]'
       '(-l --login -m -p --preserve-environment)'{-l,--login}'[use a login shell]'
       '(-l --login -m -p --preserve-environment)'{-m,-p,--preserve-environment}"[don't reset environment]"
-      '(-s --shell)'{-s,--shell=}'[run the specified shell]:shell:->shells'
+      '(-s --shell)'{-s+,--shell=}'[run the specified shell]:shell:->shells'
       '(-)--help[display help information]'
       '(-)--version[display version information]'
     )
-    (( EUID )) || args+=(
-      '(-g --group)'{-g,--group=}'[specify primary group]:group:_groups'
-      \*{-G,--supp-group=}'[specify supplemental group]:group:_groups'
+    (( $#_comp_priv_prefix || EUID == 0 )) && args+=(
+      '(-g --group)'{-g+,--group=}'[specify primary group]:group:_groups'
+      \*{-G+,--supp-group=}'[specify supplemental group]:group:_groups'
     )
     first="(--help --version)${first#???}"
   ;;
   *bsd*|darwin*|dragonfly*)
     args+=(
-      '-c[use settings from specified login class]:class'
       '-f[if the invoked shell is csh, prevent it from reading .cshrc]'
       '(-m)-l[use a login shell]'
       "(-l)-m[don't reset environment]"
     )
   ;|
+  *bsd*|dragonfly*)
+    args+=(
+      '-c+[use settings from specified login class]:class'
+    )
+  ;|
   freebsd*) args+=( '-s[set the MAC label]' ) ;;
   openbsd*)
     args+=(
-      '(-K)-a[specify authentication type]:authentication type'
+      # See login.conf(5)
+      '(-K)-a+[specify authentication type]:authentication type:(
+        activ chpass crypto lchpass passwd radius reject skey snk token yubikey
+      )'
       '(-a)-K[shorthand for -a passwd]'
-      '-s[run the specified shell]:shell:->shells'
+      '-s+[run the specified shell]:shell:->shells'
       '-L[loop until login succeeds]'
     )
   ;;
@@ -58,12 +66,24 @@ fi
 _arguments $args ${(e)first} "*:shell arguments:= ->rest" && return
 
 usr=${line[norm]/--/root}
-if (( $#opt_args[(i)-(s|-shell)] )); then
+# OpenBSD supports appending a log-in method to the user name, as in usr:radius
+[[ $OSTYPE == openbsd* ]] && usr=${usr%:*}
+
+# Normal users generally don't appear in passwd on macOS; try the Directory
+# Service first
+if [[ $OSTYPE == darwin* ]] && (( $+commands[dscl] )); then
+  shell=${"$(
+    _call_program shells dscl . -read /Users/${(q)usr} UserShell
+  )"#UserShell: }
+fi
+
+[[ -z $shell ]] &&
+if (( ${#${(@M)args:#*-s[+\[]*:*}} && $#opt_args[(i)-(s|-shell)] )); then
   shell=${(v)opt_args[(i)-(s|-shell)]}
 elif (( ${+commands[getent]} )); then
-  shell="${$(_call_program shells getent passwd $usr)##*:}"
+  shell="${$(_call_program shells getent passwd ${(q)usr})##*:}"
 else
-  shell="${${(M@)${(@f)$(</etc/passwd)}:#$usr*}##*:}"
+  shell="${${(M@)${(@f)$(</etc/passwd)}:#${usr}:*}##*:}"
 fi
 
 case $state in