Annotation of src/usr.bin/su/su.c, Revision 1.34
1.34 ! deraadt 1: /* $OpenBSD: su.c,v 1.33 2000/08/20 18:42:41 millert Exp $ */
1.4 deraadt 2:
1.1 deraadt 3: /*
4: * Copyright (c) 1988 The Regents of the University of California.
5: * All rights reserved.
6: *
7: * Redistribution and use in source and binary forms, with or without
8: * modification, are permitted provided that the following conditions
9: * are met:
10: * 1. Redistributions of source code must retain the above copyright
11: * notice, this list of conditions and the following disclaimer.
12: * 2. Redistributions in binary form must reproduce the above copyright
13: * notice, this list of conditions and the following disclaimer in the
14: * documentation and/or other materials provided with the distribution.
15: * 3. All advertising materials mentioning features or use of this software
16: * must display the following acknowledgement:
17: * This product includes software developed by the University of
18: * California, Berkeley and its contributors.
19: * 4. Neither the name of the University nor the names of its contributors
20: * may be used to endorse or promote products derived from this software
21: * without specific prior written permission.
22: *
23: * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
24: * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25: * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26: * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
27: * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28: * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29: * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30: * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31: * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32: * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33: * SUCH DAMAGE.
34: */
35:
36: #ifndef lint
37: char copyright[] =
38: "@(#) Copyright (c) 1988 The Regents of the University of California.\n\
39: All rights reserved.\n";
40: #endif /* not lint */
41:
42: #ifndef lint
43: /*static char sccsid[] = "from: @(#)su.c 5.26 (Berkeley) 7/6/91";*/
1.34 ! deraadt 44: static char rcsid[] = "$OpenBSD: su.c,v 1.33 2000/08/20 18:42:41 millert Exp $";
1.1 deraadt 45: #endif /* not lint */
46:
47: #include <sys/param.h>
48: #include <sys/time.h>
49: #include <sys/resource.h>
1.8 millert 50:
51: #include <err.h>
52: #include <errno.h>
53: #include <grp.h>
1.33 millert 54: #include <login_cap.h>
1.8 millert 55: #include <paths.h>
56: #include <pwd.h>
1.1 deraadt 57: #include <stdio.h>
58: #include <stdlib.h>
59: #include <string.h>
1.8 millert 60: #include <syslog.h>
1.1 deraadt 61: #include <unistd.h>
1.8 millert 62:
63: #ifdef SKEY
64: #include <skey.h>
65: #endif
1.1 deraadt 66:
67: #ifdef KERBEROS
1.29 provos 68: #include <des.h>
1.1 deraadt 69: #include <kerberosIV/krb.h>
70: #include <netdb.h>
71:
1.30 deraadt 72: int kerberos __P((char *username, char *user, int uid));
73:
1.33 millert 74: #define ARGSTR "-Kc:flm"
1.1 deraadt 75:
76: int use_kerberos = 1;
1.28 deraadt 77: char krbtkfile[MAXPATHLEN];
78: char lrealm[REALM_SZ];
79: int ksettkfile(char *);
1.1 deraadt 80: #else
1.33 millert 81: #define ARGSTR "-c:flm"
1.1 deraadt 82: #endif
83:
1.8 millert 84: char *ontty __P((void));
85: int chshell __P((char *));
1.1 deraadt 86:
87: int
88: main(argc, argv)
89: int argc;
90: char **argv;
91: {
92: extern char **environ;
93: register struct passwd *pwd;
94: register char *p, **g;
95: struct group *gr;
1.9 millert 96: uid_t ruid;
1.33 millert 97: login_cap_t *lc;
1.1 deraadt 98: int asme, ch, asthem, fastlogin, prio;
1.33 millert 99: enum { UNSET, YES, NO } iscsh;
100: char *user, *shell, *avshell, *username, *class, **np;
1.1 deraadt 101: char shellbuf[MAXPATHLEN], avshellbuf[MAXPATHLEN];
102:
1.33 millert 103: iscsh = UNSET;
104: shell = class = NULL;
1.1 deraadt 105: asme = asthem = fastlogin = 0;
1.18 millert 106: while ((ch = getopt(argc, argv, ARGSTR)) != -1)
1.1 deraadt 107: switch((char)ch) {
108: #ifdef KERBEROS
109: case 'K':
110: use_kerberos = 0;
111: break;
112: #endif
1.33 millert 113: case 'c':
114: class = optarg;
115: break;
1.1 deraadt 116: case 'f':
117: fastlogin = 1;
118: break;
119: case '-':
120: case 'l':
121: asme = 0;
122: asthem = 1;
123: break;
124: case 'm':
125: asme = 1;
126: asthem = 0;
127: break;
128: case '?':
129: default:
1.7 millert 130: (void)fprintf(stderr,
131: "usage: su [%s] [login [shell arguments]]\n",
1.1 deraadt 132: ARGSTR);
133: exit(1);
134: }
135: argv += optind;
136:
137: errno = 0;
138: prio = getpriority(PRIO_PROCESS, 0);
139: if (errno)
140: prio = 0;
141: (void)setpriority(PRIO_PROCESS, 0, -2);
142: openlog("su", LOG_CONS, 0);
143:
144: /* get current login name and shell */
145: ruid = getuid();
146: username = getlogin();
147: if (username == NULL || (pwd = getpwnam(username)) == NULL ||
148: pwd->pw_uid != ruid)
149: pwd = getpwuid(ruid);
1.8 millert 150: if (pwd == NULL)
151: errx(1, "who are you?");
1.9 millert 152: if ((username = strdup(pwd->pw_name)) == NULL)
153: err(1, "can't allocate memory");
1.31 art 154: if (asme) {
1.10 millert 155: if (pwd->pw_shell && *pwd->pw_shell) {
1.11 millert 156: shell = strncpy(shellbuf, pwd->pw_shell, sizeof(shellbuf) - 1);
1.10 millert 157: shellbuf[sizeof(shellbuf) - 1] = '\0';
158: } else {
1.1 deraadt 159: shell = _PATH_BSHELL;
160: iscsh = NO;
161: }
1.31 art 162: }
1.1 deraadt 163:
164: /* get target login information, default to root */
165: user = *argv ? *argv : "root";
166: np = *argv ? argv : argv-1;
167:
1.8 millert 168: if ((pwd = getpwnam(user)) == NULL)
169: errx(1, "unknown login %s", user);
1.16 millert 170: if ((user = strdup(pwd->pw_name)) == NULL)
171: err(1, "can't allocate memory");
1.1 deraadt 172:
1.33 millert 173: /* If the user specified a login class and we are root, use it */
174: if (ruid && class)
175: errx(1, "only the superuser may specify a login class");
176: if (class)
177: pwd->pw_class = class;
178: if ((lc = login_getclass(pwd->pw_class)) == NULL)
179: errx(1, "no such login class: %s",
180: class ? class : LOGIN_DEFCLASS);
181:
1.28 deraadt 182: #if KERBEROS
183: if (ksettkfile(user))
184: use_kerberos = 0;
185: #endif
186:
1.1 deraadt 187: if (ruid) {
188: #ifdef KERBEROS
1.21 tholo 189: if (!use_kerberos || kerberos(username, user, pwd->pw_uid))
1.1 deraadt 190: #endif
191: {
192: /* only allow those in group zero to su to root. */
1.3 deraadt 193: if (pwd->pw_uid == 0 && (gr = getgrgid((gid_t)0))
194: && gr->gr_mem && *(gr->gr_mem))
1.1 deraadt 195: for (g = gr->gr_mem;; ++g) {
1.8 millert 196: if (!*g)
197: errx(1, "you are not in the correct group to su %s.", user);
198: if (strcmp(username, *g) == 0)
1.1 deraadt 199: break;
200: }
201: /* if target requires a password, verify it */
202: if (*pwd->pw_passwd) {
203: p = getpass("Password:");
204: #ifdef SKEY
205: if (strcasecmp(p, "s/key") == 0) {
1.14 millert 206: if (skey_authenticate(user))
1.8 millert 207: goto badlogin;
1.1 deraadt 208: } else
209: #endif
210: if (strcmp(pwd->pw_passwd, crypt(p, pwd->pw_passwd))) {
211: badlogin:
212: fprintf(stderr, "Sorry\n");
213: syslog(LOG_AUTH|LOG_WARNING,
214: "BAD SU %s to %s%s", username,
215: user, ontty());
216: exit(1);
217: }
218: }
219: }
1.8 millert 220: if (pwd->pw_expire && time(NULL) >= pwd->pw_expire) {
221: fprintf(stderr, "Sorry - account expired\n");
222: syslog(LOG_AUTH|LOG_WARNING, "BAD SU %s to %s%s", username,
223: user, ontty());
224: exit(1);
225: }
1.1 deraadt 226: }
227:
228: if (asme) {
229: /* if asme and non-standard target shell, must be root */
1.8 millert 230: if (!chshell(pwd->pw_shell) && ruid)
231: errx(1, "permission denied (shell).");
1.1 deraadt 232: } else if (pwd->pw_shell && *pwd->pw_shell) {
233: shell = pwd->pw_shell;
234: iscsh = UNSET;
235: } else {
236: shell = _PATH_BSHELL;
237: iscsh = NO;
238: }
239:
1.30 deraadt 240: if ((p = strrchr(shell, '/')))
1.1 deraadt 241: avshell = p+1;
242: else
243: avshell = shell;
244:
245: /* if we're forking a csh, we want to slightly muck the args */
246: if (iscsh == UNSET)
247: iscsh = strcmp(avshell, "csh") ? NO : YES;
248:
249: if (!asme) {
250: if (asthem) {
251: p = getenv("TERM");
1.23 deraadt 252: if ((environ = calloc(1, sizeof (char *))) == NULL)
1.22 deraadt 253: errx(1, "calloc");
1.33 millert 254: if (setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETPATH))
255: err(1, "unable to set user context");
1.34 ! deraadt 256: if (p) {
! 257: if (setenv("TERM", p, 1) == -1)
! 258: err(1, "unable to set environment");
! 259: }
1.5 deraadt 260:
261: seteuid(pwd->pw_uid);
262: setegid(pwd->pw_gid);
1.8 millert 263: if (chdir(pwd->pw_dir) < 0)
1.33 millert 264: err(1, "%s", pwd->pw_dir);
1.5 deraadt 265: seteuid(0);
266: setegid(0); /* XXX use a saved gid instead? */
1.33 millert 267: } else if (pwd->pw_uid == 0) {
268: /* XXX - this seems questionable to me */
269: if (setusercontext(lc,
270: pwd, pwd->pw_uid, LOGIN_SETPATH|LOGIN_SETUMASK))
271: err(1, "unable to set user context");
1.1 deraadt 272: }
1.15 millert 273: if (asthem || pwd->pw_uid) {
1.34 ! deraadt 274: if (setenv("LOGNAME", pwd->pw_name, 1) == -1 ||
! 275: setenv("USER", pwd->pw_name, 1) == -1)
! 276: err(1, "unable to set environment");
1.15 millert 277: }
1.34 ! deraadt 278: if (setenv("HOME", pwd->pw_dir, 1) == -1 ||
! 279: setenv("SHELL", shell, 1) == -1)
! 280: err(1, "unable to set environment");
1.1 deraadt 281: }
282:
1.28 deraadt 283: #ifdef KERBEROS
1.34 ! deraadt 284: if (*krbtkfile) {
! 285: if (setenv("KRBTKFILE", krbtkfile, 1) == -1)
! 286: err(1, "unable to set environment");
! 287: }
1.28 deraadt 288: #endif
289:
1.1 deraadt 290: if (iscsh == YES) {
291: if (fastlogin)
292: *np-- = "-f";
293: if (asme)
294: *np-- = "-m";
295: }
296:
297: if (asthem) {
298: avshellbuf[0] = '-';
1.11 millert 299: strncpy(avshellbuf+1, avshell, sizeof(avshellbuf) - 2);
1.10 millert 300: avshellbuf[sizeof(avshellbuf) - 1] = '\0';
1.1 deraadt 301: avshell = avshellbuf;
302: } else if (iscsh == YES) {
303: /* csh strips the first character... */
304: avshellbuf[0] = '_';
1.11 millert 305: strncpy(avshellbuf+1, avshell, sizeof(avshellbuf) - 2);
1.10 millert 306: avshellbuf[sizeof(avshellbuf) - 1] = '\0';
1.1 deraadt 307: avshell = avshellbuf;
308: }
309:
310: *np = avshell;
311:
312: if (ruid != 0)
313: syslog(LOG_NOTICE|LOG_AUTH, "%s to %s%s",
314: username, user, ontty());
315:
316: (void)setpriority(PRIO_PROCESS, 0, prio);
1.33 millert 317: if (setusercontext(lc, pwd, pwd->pw_uid,
318: (asthem ? (LOGIN_SETPRIORITY | LOGIN_SETUMASK) : 0) |
319: LOGIN_SETRESOURCES | LOGIN_SETGROUP | LOGIN_SETUSER))
320: err(1, "unable to set user context");
1.1 deraadt 321:
322: execv(shell, np);
1.32 millert 323: err(1, "%s", shell);
1.1 deraadt 324: }
325:
326: int
327: chshell(sh)
328: char *sh;
329: {
330: register char *cp;
331:
332: while ((cp = getusershell()) != NULL)
1.8 millert 333: if (strcmp(cp, sh) == 0)
1.1 deraadt 334: return (1);
335: return (0);
336: }
337:
338: char *
339: ontty()
340: {
341: char *p, *ttyname();
342: static char buf[MAXPATHLEN + 4];
343:
344: buf[0] = 0;
1.30 deraadt 345: if ((p = ttyname(STDERR_FILENO)))
1.8 millert 346: snprintf(buf, sizeof(buf), " on %s", p);
1.1 deraadt 347: return (buf);
348: }
349:
350: #ifdef KERBEROS
1.31 art 351: int koktologin __P((char *, char *, char *));
352:
1.30 deraadt 353: int
1.1 deraadt 354: kerberos(username, user, uid)
355: char *username, *user;
356: int uid;
357: {
358: KTEXT_ST ticket;
359: AUTH_DAT authdata;
360: struct hostent *hp;
361: int kerno;
1.27 deraadt 362: in_addr_t faddr;
1.1 deraadt 363: char hostname[MAXHOSTNAMELEN], savehost[MAXHOSTNAMELEN];
364: char *ontty(), *krb_get_phost();
365:
366: if (koktologin(username, lrealm, user) && !uid) {
367: (void)fprintf(stderr, "kerberos su: not in %s's ACL.\n", user);
368: return (1);
369: }
1.28 deraadt 370: (void)krb_set_tkt_string(krbtkfile);
1.1 deraadt 371:
372: /*
373: * Set real as well as effective ID to 0 for the moment,
374: * to make the kerberos library do the right thing.
375: */
376: if (setuid(0) < 0) {
1.8 millert 377: warn("setuid");
1.1 deraadt 378: return (1);
379: }
380:
381: /*
382: * Little trick here -- if we are su'ing to root,
383: * we need to get a ticket for "xxx.root", where xxx represents
384: * the name of the person su'ing. Otherwise (non-root case),
385: * we need to get a ticket for "yyy.", where yyy represents
386: * the name of the person being su'd to, and the instance is null
387: */
1.31 art 388:
389: printf("%s%s@%s's ", (uid == 0 ? username : user),
390: (uid == 0 ? ".root" : ""), lrealm);
391: fflush(stdout);
1.1 deraadt 392: kerno = krb_get_pw_in_tkt((uid == 0 ? username : user),
393: (uid == 0 ? "root" : ""), lrealm,
394: "krbtgt", lrealm, DEFAULT_TKT_LIFE, 0);
395:
396: if (kerno != KSUCCESS) {
397: if (kerno == KDC_PR_UNKNOWN) {
1.8 millert 398: warnx("kerberos principal unknown: %s.%s@%s",
1.1 deraadt 399: (uid == 0 ? username : user),
400: (uid == 0 ? "root" : ""), lrealm);
401: return (1);
402: }
1.8 millert 403: warnx("unable to su: %s", krb_err_txt[kerno]);
1.1 deraadt 404: syslog(LOG_NOTICE|LOG_AUTH,
405: "BAD Kerberos SU: %s to %s%s: %s",
406: username, user, ontty(), krb_err_txt[kerno]);
407: return (1);
408: }
409:
410: if (chown(krbtkfile, uid, -1) < 0) {
1.8 millert 411: warn("chown");
1.1 deraadt 412: (void)unlink(krbtkfile);
413: return (1);
414: }
415:
416: (void)setpriority(PRIO_PROCESS, 0, -2);
417:
418: if (gethostname(hostname, sizeof(hostname)) == -1) {
1.8 millert 419: warn("gethostname");
1.1 deraadt 420: dest_tkt();
421: return (1);
422: }
423:
1.11 millert 424: (void)strncpy(savehost, krb_get_phost(hostname), sizeof(savehost) - 1);
1.1 deraadt 425: savehost[sizeof(savehost) - 1] = '\0';
426:
427: kerno = krb_mk_req(&ticket, "rcmd", savehost, lrealm, 33);
428:
429: if (kerno == KDC_PR_UNKNOWN) {
1.8 millert 430: warnx("Warning: TGT not verified.");
1.1 deraadt 431: syslog(LOG_NOTICE|LOG_AUTH,
432: "%s to %s%s, TGT not verified (%s); %s.%s not registered?",
433: username, user, ontty(), krb_err_txt[kerno],
434: "rcmd", savehost);
435: } else if (kerno != KSUCCESS) {
1.8 millert 436: warnx("Unable to use TGT: %s", krb_err_txt[kerno]);
1.1 deraadt 437: syslog(LOG_NOTICE|LOG_AUTH, "failed su: %s to %s%s: %s",
438: username, user, ontty(), krb_err_txt[kerno]);
439: dest_tkt();
440: return (1);
441: } else {
442: if (!(hp = gethostbyname(hostname))) {
1.8 millert 443: warnx("can't get addr of %s", hostname);
1.1 deraadt 444: dest_tkt();
445: return (1);
446: }
1.10 millert 447: (void)memcpy((void *)&faddr, (void *)hp->h_addr, sizeof(faddr));
1.1 deraadt 448:
449: if ((kerno = krb_rd_req(&ticket, "rcmd", savehost, faddr,
450: &authdata, "")) != KSUCCESS) {
1.8 millert 451: warnx("unable to verify rcmd ticket: %s",
452: krb_err_txt[kerno]);
1.1 deraadt 453: syslog(LOG_NOTICE|LOG_AUTH,
454: "failed su: %s to %s%s: %s", username,
455: user, ontty(), krb_err_txt[kerno]);
456: dest_tkt();
457: return (1);
458: }
459: }
460: return (0);
461: }
462:
1.31 art 463: int
1.1 deraadt 464: koktologin(name, realm, toname)
465: char *name, *realm, *toname;
466: {
467: register AUTH_DAT *kdata;
468: AUTH_DAT kdata_st;
469:
1.13 deraadt 470: memset((void *)&kdata_st, 0, sizeof(kdata_st));
1.1 deraadt 471: kdata = &kdata_st;
1.10 millert 472:
1.11 millert 473: (void)strncpy(kdata->pname, name, sizeof(kdata->pname) - 1);
1.10 millert 474: kdata->pname[sizeof(kdata->pname) - 1] = '\0';
475:
476: (void)strncpy(kdata->pinst,
1.11 millert 477: ((strcmp(toname, "root") == 0) ? "root" : ""), sizeof(kdata->pinst) - 1);
1.13 deraadt 478: kdata->pinst[sizeof(kdata->pinst) -1] = '\0';
1.10 millert 479:
1.11 millert 480: (void)strncpy(kdata->prealm, realm, sizeof(kdata->prealm) - 1);
1.10 millert 481: kdata->prealm[sizeof(kdata->prealm) -1] = '\0';
482:
1.1 deraadt 483: return (kuserok(kdata, toname));
1.28 deraadt 484: }
485:
486: int
487: ksettkfile(user)
488: char *user;
489: {
490: if (krb_get_lrealm(lrealm, 1) != KSUCCESS)
491: return (1);
492: (void)snprintf(krbtkfile, sizeof(krbtkfile), "%s_%s_%u", TKT_ROOT,
493: user, getuid());
494: return (0);
1.1 deraadt 495: }
496: #endif