authorize_user_token: Don't drop privs for system-wide file.

pam_yubico.c

@@ -206,6 +206,18 @@ authorize_user_token (struct cfg *cfg,
 		      pam_handle_t *pamh)
 {
   int retval;
+
+  if (cfg->auth_file)
+    {
+      /* Administrator had configured the file and specified is name
+         as an argument for this module.
+       */
+      DBG (("Using system-wide auth_file %s", cfg->auth_file));
+      retval = check_user_token (cfg, cfg->auth_file, username, otp_id);
+    }
+  else
+    {
+      char *userfile = NULL;
       struct passwd *p;
 
       p = getpwnam (username);
@@ -214,39 +226,32 @@ authorize_user_token (struct cfg *cfg,
 	return 0;
       }
 
+      /* Getting file from user home directory
+         ..... i.e. ~/.yubico/authorized_yubikeys
+       */
+      if (! get_user_cfgfile_path (NULL, "authorized_yubikeys", username, &userfile)) {
+	D (("Failed figuring out per-user cfgfile"));
+	return 0;
+      }
+
+      DBG (("Dropping privileges"));
+
       if (drop_privileges(p, pamh) < 0) {
 	D (("could not drop privileges"));
 	return 0;
       }
 
-  if (cfg->auth_file)
-    {
-      /* Administrator had configured the file and specified is name
-         as an argument for this module.
-       */
-      retval = check_user_token (cfg, cfg->auth_file, username, otp_id);
-    }
-  else
-    {
-      char *userfile = NULL;
-
-      /* Getting file from user home directory
-         ..... i.e. ~/.yubico/authorized_yubikeys
-       */
-      if (! get_user_cfgfile_path (NULL, "authorized_yubikeys", username, &userfile))
-	return 0;
-
       retval = check_user_token (cfg, userfile, username, otp_id);
 
-      free (userfile);
-    }
-
       if (restore_privileges(pamh) < 0)
 	{
 	  DBG (("could not restore privileges"));
 	  return 0;
 	}
 
+      free (userfile);
+    }
+
   return retval;
 }