Annotation of src/usr.bin/su/su.c, Revision 1.34.2.1
1.34.2.1! hin 1: /* $OpenBSD: su.c,v 1.35 2000/12/02 22:44:49 hin Exp $ */
1.4 deraadt 2:
1.1 deraadt 3: /*
4: * Copyright (c) 1988 The Regents of the University of California.
5: * All rights reserved.
6: *
7: * Redistribution and use in source and binary forms, with or without
8: * modification, are permitted provided that the following conditions
9: * are met:
10: * 1. Redistributions of source code must retain the above copyright
11: * notice, this list of conditions and the following disclaimer.
12: * 2. Redistributions in binary form must reproduce the above copyright
13: * notice, this list of conditions and the following disclaimer in the
14: * documentation and/or other materials provided with the distribution.
15: * 3. All advertising materials mentioning features or use of this software
16: * must display the following acknowledgement:
17: * This product includes software developed by the University of
18: * California, Berkeley and its contributors.
19: * 4. Neither the name of the University nor the names of its contributors
20: * may be used to endorse or promote products derived from this software
21: * without specific prior written permission.
22: *
23: * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
24: * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25: * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26: * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
27: * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28: * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29: * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30: * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31: * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32: * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33: * SUCH DAMAGE.
34: */
35:
36: #ifndef lint
37: char copyright[] =
38: "@(#) Copyright (c) 1988 The Regents of the University of California.\n\
39: All rights reserved.\n";
40: #endif /* not lint */
41:
42: #ifndef lint
43: /*static char sccsid[] = "from: @(#)su.c 5.26 (Berkeley) 7/6/91";*/
1.34.2.1! hin 44: static char rcsid[] = "$OpenBSD: su.c,v 1.35 2000/12/02 22:44:49 hin Exp $";
1.1 deraadt 45: #endif /* not lint */
46:
47: #include <sys/param.h>
48: #include <sys/time.h>
49: #include <sys/resource.h>
1.8 millert 50:
51: #include <err.h>
52: #include <errno.h>
53: #include <grp.h>
1.33 millert 54: #include <login_cap.h>
1.8 millert 55: #include <paths.h>
56: #include <pwd.h>
1.1 deraadt 57: #include <stdio.h>
58: #include <stdlib.h>
59: #include <string.h>
1.8 millert 60: #include <syslog.h>
1.1 deraadt 61: #include <unistd.h>
1.34.2.1! hin 62: #include <fcntl.h>
1.8 millert 63:
64: #ifdef SKEY
65: #include <skey.h>
66: #endif
1.1 deraadt 67:
68: #ifdef KERBEROS
1.29 provos 69: #include <des.h>
1.1 deraadt 70: #include <kerberosIV/krb.h>
71: #include <netdb.h>
72:
1.30 deraadt 73: int kerberos __P((char *username, char *user, int uid));
74:
1.33 millert 75: #define ARGSTR "-Kc:flm"
1.1 deraadt 76:
77: int use_kerberos = 1;
1.28 deraadt 78: char krbtkfile[MAXPATHLEN];
79: char lrealm[REALM_SZ];
80: int ksettkfile(char *);
1.1 deraadt 81: #else
1.33 millert 82: #define ARGSTR "-c:flm"
1.1 deraadt 83: #endif
84:
1.8 millert 85: char *ontty __P((void));
86: int chshell __P((char *));
1.1 deraadt 87:
88: int
89: main(argc, argv)
90: int argc;
91: char **argv;
92: {
93: extern char **environ;
94: register struct passwd *pwd;
95: register char *p, **g;
96: struct group *gr;
1.9 millert 97: uid_t ruid;
1.33 millert 98: login_cap_t *lc;
1.1 deraadt 99: int asme, ch, asthem, fastlogin, prio;
1.33 millert 100: enum { UNSET, YES, NO } iscsh;
101: char *user, *shell, *avshell, *username, *class, **np;
1.1 deraadt 102: char shellbuf[MAXPATHLEN], avshellbuf[MAXPATHLEN];
103:
1.33 millert 104: iscsh = UNSET;
105: shell = class = NULL;
1.1 deraadt 106: asme = asthem = fastlogin = 0;
1.18 millert 107: while ((ch = getopt(argc, argv, ARGSTR)) != -1)
1.1 deraadt 108: switch((char)ch) {
109: #ifdef KERBEROS
110: case 'K':
111: use_kerberos = 0;
112: break;
113: #endif
1.33 millert 114: case 'c':
115: class = optarg;
116: break;
1.1 deraadt 117: case 'f':
118: fastlogin = 1;
119: break;
120: case '-':
121: case 'l':
122: asme = 0;
123: asthem = 1;
124: break;
125: case 'm':
126: asme = 1;
127: asthem = 0;
128: break;
129: case '?':
130: default:
1.7 millert 131: (void)fprintf(stderr,
132: "usage: su [%s] [login [shell arguments]]\n",
1.1 deraadt 133: ARGSTR);
134: exit(1);
135: }
136: argv += optind;
137:
138: errno = 0;
139: prio = getpriority(PRIO_PROCESS, 0);
140: if (errno)
141: prio = 0;
142: (void)setpriority(PRIO_PROCESS, 0, -2);
143: openlog("su", LOG_CONS, 0);
144:
145: /* get current login name and shell */
146: ruid = getuid();
147: username = getlogin();
148: if (username == NULL || (pwd = getpwnam(username)) == NULL ||
149: pwd->pw_uid != ruid)
150: pwd = getpwuid(ruid);
1.8 millert 151: if (pwd == NULL)
152: errx(1, "who are you?");
1.9 millert 153: if ((username = strdup(pwd->pw_name)) == NULL)
154: err(1, "can't allocate memory");
1.31 art 155: if (asme) {
1.10 millert 156: if (pwd->pw_shell && *pwd->pw_shell) {
1.11 millert 157: shell = strncpy(shellbuf, pwd->pw_shell, sizeof(shellbuf) - 1);
1.10 millert 158: shellbuf[sizeof(shellbuf) - 1] = '\0';
159: } else {
1.1 deraadt 160: shell = _PATH_BSHELL;
161: iscsh = NO;
162: }
1.31 art 163: }
1.1 deraadt 164:
165: /* get target login information, default to root */
166: user = *argv ? *argv : "root";
167: np = *argv ? argv : argv-1;
168:
1.8 millert 169: if ((pwd = getpwnam(user)) == NULL)
170: errx(1, "unknown login %s", user);
1.16 millert 171: if ((user = strdup(pwd->pw_name)) == NULL)
172: err(1, "can't allocate memory");
1.1 deraadt 173:
1.33 millert 174: /* If the user specified a login class and we are root, use it */
175: if (ruid && class)
176: errx(1, "only the superuser may specify a login class");
177: if (class)
178: pwd->pw_class = class;
179: if ((lc = login_getclass(pwd->pw_class)) == NULL)
180: errx(1, "no such login class: %s",
181: class ? class : LOGIN_DEFCLASS);
182:
1.28 deraadt 183: #if KERBEROS
184: if (ksettkfile(user))
185: use_kerberos = 0;
186: #endif
187:
1.1 deraadt 188: if (ruid) {
189: #ifdef KERBEROS
1.21 tholo 190: if (!use_kerberos || kerberos(username, user, pwd->pw_uid))
1.1 deraadt 191: #endif
192: {
193: /* only allow those in group zero to su to root. */
1.3 deraadt 194: if (pwd->pw_uid == 0 && (gr = getgrgid((gid_t)0))
195: && gr->gr_mem && *(gr->gr_mem))
1.1 deraadt 196: for (g = gr->gr_mem;; ++g) {
1.8 millert 197: if (!*g)
198: errx(1, "you are not in the correct group to su %s.", user);
199: if (strcmp(username, *g) == 0)
1.1 deraadt 200: break;
201: }
202: /* if target requires a password, verify it */
203: if (*pwd->pw_passwd) {
204: p = getpass("Password:");
205: #ifdef SKEY
206: if (strcasecmp(p, "s/key") == 0) {
1.14 millert 207: if (skey_authenticate(user))
1.8 millert 208: goto badlogin;
1.1 deraadt 209: } else
210: #endif
211: if (strcmp(pwd->pw_passwd, crypt(p, pwd->pw_passwd))) {
212: badlogin:
213: fprintf(stderr, "Sorry\n");
214: syslog(LOG_AUTH|LOG_WARNING,
215: "BAD SU %s to %s%s", username,
216: user, ontty());
217: exit(1);
218: }
219: }
220: }
1.8 millert 221: if (pwd->pw_expire && time(NULL) >= pwd->pw_expire) {
222: fprintf(stderr, "Sorry - account expired\n");
223: syslog(LOG_AUTH|LOG_WARNING, "BAD SU %s to %s%s", username,
224: user, ontty());
225: exit(1);
226: }
1.1 deraadt 227: }
228:
229: if (asme) {
230: /* if asme and non-standard target shell, must be root */
1.8 millert 231: if (!chshell(pwd->pw_shell) && ruid)
232: errx(1, "permission denied (shell).");
1.1 deraadt 233: } else if (pwd->pw_shell && *pwd->pw_shell) {
234: shell = pwd->pw_shell;
235: iscsh = UNSET;
236: } else {
237: shell = _PATH_BSHELL;
238: iscsh = NO;
239: }
240:
1.30 deraadt 241: if ((p = strrchr(shell, '/')))
1.1 deraadt 242: avshell = p+1;
243: else
244: avshell = shell;
245:
246: /* if we're forking a csh, we want to slightly muck the args */
247: if (iscsh == UNSET)
248: iscsh = strcmp(avshell, "csh") ? NO : YES;
249:
250: if (!asme) {
251: if (asthem) {
252: p = getenv("TERM");
1.23 deraadt 253: if ((environ = calloc(1, sizeof (char *))) == NULL)
1.22 deraadt 254: errx(1, "calloc");
1.33 millert 255: if (setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETPATH))
256: err(1, "unable to set user context");
1.34 deraadt 257: if (p) {
258: if (setenv("TERM", p, 1) == -1)
259: err(1, "unable to set environment");
260: }
1.5 deraadt 261:
262: seteuid(pwd->pw_uid);
263: setegid(pwd->pw_gid);
1.8 millert 264: if (chdir(pwd->pw_dir) < 0)
1.33 millert 265: err(1, "%s", pwd->pw_dir);
1.5 deraadt 266: seteuid(0);
267: setegid(0); /* XXX use a saved gid instead? */
1.33 millert 268: } else if (pwd->pw_uid == 0) {
269: /* XXX - this seems questionable to me */
270: if (setusercontext(lc,
271: pwd, pwd->pw_uid, LOGIN_SETPATH|LOGIN_SETUMASK))
272: err(1, "unable to set user context");
1.1 deraadt 273: }
1.15 millert 274: if (asthem || pwd->pw_uid) {
1.34 deraadt 275: if (setenv("LOGNAME", pwd->pw_name, 1) == -1 ||
276: setenv("USER", pwd->pw_name, 1) == -1)
277: err(1, "unable to set environment");
1.15 millert 278: }
1.34 deraadt 279: if (setenv("HOME", pwd->pw_dir, 1) == -1 ||
280: setenv("SHELL", shell, 1) == -1)
281: err(1, "unable to set environment");
1.1 deraadt 282: }
283:
1.28 deraadt 284: #ifdef KERBEROS
1.34 deraadt 285: if (*krbtkfile) {
286: if (setenv("KRBTKFILE", krbtkfile, 1) == -1)
287: err(1, "unable to set environment");
288: }
1.28 deraadt 289: #endif
290:
1.1 deraadt 291: if (iscsh == YES) {
292: if (fastlogin)
293: *np-- = "-f";
294: if (asme)
295: *np-- = "-m";
296: }
297:
298: if (asthem) {
299: avshellbuf[0] = '-';
1.11 millert 300: strncpy(avshellbuf+1, avshell, sizeof(avshellbuf) - 2);
1.10 millert 301: avshellbuf[sizeof(avshellbuf) - 1] = '\0';
1.1 deraadt 302: avshell = avshellbuf;
303: } else if (iscsh == YES) {
304: /* csh strips the first character... */
305: avshellbuf[0] = '_';
1.11 millert 306: strncpy(avshellbuf+1, avshell, sizeof(avshellbuf) - 2);
1.10 millert 307: avshellbuf[sizeof(avshellbuf) - 1] = '\0';
1.1 deraadt 308: avshell = avshellbuf;
309: }
310:
311: *np = avshell;
312:
313: if (ruid != 0)
314: syslog(LOG_NOTICE|LOG_AUTH, "%s to %s%s",
315: username, user, ontty());
316:
317: (void)setpriority(PRIO_PROCESS, 0, prio);
1.33 millert 318: if (setusercontext(lc, pwd, pwd->pw_uid,
319: (asthem ? (LOGIN_SETPRIORITY | LOGIN_SETUMASK) : 0) |
320: LOGIN_SETRESOURCES | LOGIN_SETGROUP | LOGIN_SETUSER))
321: err(1, "unable to set user context");
1.1 deraadt 322:
323: execv(shell, np);
1.32 millert 324: err(1, "%s", shell);
1.1 deraadt 325: }
326:
327: int
328: chshell(sh)
329: char *sh;
330: {
331: register char *cp;
332:
333: while ((cp = getusershell()) != NULL)
1.8 millert 334: if (strcmp(cp, sh) == 0)
1.1 deraadt 335: return (1);
336: return (0);
337: }
338:
339: char *
340: ontty()
341: {
342: char *p, *ttyname();
343: static char buf[MAXPATHLEN + 4];
344:
345: buf[0] = 0;
1.30 deraadt 346: if ((p = ttyname(STDERR_FILENO)))
1.8 millert 347: snprintf(buf, sizeof(buf), " on %s", p);
1.1 deraadt 348: return (buf);
349: }
350:
351: #ifdef KERBEROS
1.31 art 352: int koktologin __P((char *, char *, char *));
353:
1.30 deraadt 354: int
1.1 deraadt 355: kerberos(username, user, uid)
356: char *username, *user;
357: int uid;
358: {
359: KTEXT_ST ticket;
360: AUTH_DAT authdata;
361: struct hostent *hp;
1.34.2.1! hin 362: int kerno, fd;
1.27 deraadt 363: in_addr_t faddr;
1.1 deraadt 364: char hostname[MAXHOSTNAMELEN], savehost[MAXHOSTNAMELEN];
365: char *ontty(), *krb_get_phost();
366:
1.34.2.1! hin 367: /* Don't bother with Kerberos if there is no srvtab file */
! 368: if ((fd = open(KEYFILE, O_RDONLY, 0)) < 0)
! 369: return (1);
! 370: close(fd);
! 371:
1.1 deraadt 372: if (koktologin(username, lrealm, user) && !uid) {
373: (void)fprintf(stderr, "kerberos su: not in %s's ACL.\n", user);
374: return (1);
375: }
1.28 deraadt 376: (void)krb_set_tkt_string(krbtkfile);
1.1 deraadt 377:
378: /*
379: * Set real as well as effective ID to 0 for the moment,
380: * to make the kerberos library do the right thing.
381: */
382: if (setuid(0) < 0) {
1.8 millert 383: warn("setuid");
1.1 deraadt 384: return (1);
385: }
386:
387: /*
388: * Little trick here -- if we are su'ing to root,
389: * we need to get a ticket for "xxx.root", where xxx represents
390: * the name of the person su'ing. Otherwise (non-root case),
391: * we need to get a ticket for "yyy.", where yyy represents
392: * the name of the person being su'd to, and the instance is null
393: */
1.31 art 394:
395: printf("%s%s@%s's ", (uid == 0 ? username : user),
396: (uid == 0 ? ".root" : ""), lrealm);
397: fflush(stdout);
1.1 deraadt 398: kerno = krb_get_pw_in_tkt((uid == 0 ? username : user),
399: (uid == 0 ? "root" : ""), lrealm,
400: "krbtgt", lrealm, DEFAULT_TKT_LIFE, 0);
401:
402: if (kerno != KSUCCESS) {
403: if (kerno == KDC_PR_UNKNOWN) {
1.8 millert 404: warnx("kerberos principal unknown: %s.%s@%s",
1.1 deraadt 405: (uid == 0 ? username : user),
406: (uid == 0 ? "root" : ""), lrealm);
407: return (1);
408: }
1.8 millert 409: warnx("unable to su: %s", krb_err_txt[kerno]);
1.1 deraadt 410: syslog(LOG_NOTICE|LOG_AUTH,
411: "BAD Kerberos SU: %s to %s%s: %s",
412: username, user, ontty(), krb_err_txt[kerno]);
413: return (1);
414: }
415:
1.34.2.1! hin 416: /*
! 417: * Set the owner of the ticket file to root but bail if someone
! 418: * has nefariously swapped a link in place of the file.
! 419: */
! 420: fd = open(krbtkfile, O_RDWR|O_NOFOLLOW, 0);
! 421: if (fd == -1) {
! 422: warn("unable to open ticket file");
! 423: (void)unlink(krbtkfile);
! 424: return (1);
! 425: }
! 426: if (fchown(fd, uid, -1) < 0) {
! 427: warn("fchown");
1.1 deraadt 428: (void)unlink(krbtkfile);
429: return (1);
430: }
1.34.2.1! hin 431: close(fd);
1.1 deraadt 432:
433: (void)setpriority(PRIO_PROCESS, 0, -2);
434:
435: if (gethostname(hostname, sizeof(hostname)) == -1) {
1.8 millert 436: warn("gethostname");
1.1 deraadt 437: dest_tkt();
438: return (1);
439: }
440:
1.11 millert 441: (void)strncpy(savehost, krb_get_phost(hostname), sizeof(savehost) - 1);
1.1 deraadt 442: savehost[sizeof(savehost) - 1] = '\0';
443:
444: kerno = krb_mk_req(&ticket, "rcmd", savehost, lrealm, 33);
445:
446: if (kerno == KDC_PR_UNKNOWN) {
1.8 millert 447: warnx("Warning: TGT not verified.");
1.1 deraadt 448: syslog(LOG_NOTICE|LOG_AUTH,
449: "%s to %s%s, TGT not verified (%s); %s.%s not registered?",
450: username, user, ontty(), krb_err_txt[kerno],
451: "rcmd", savehost);
452: } else if (kerno != KSUCCESS) {
1.8 millert 453: warnx("Unable to use TGT: %s", krb_err_txt[kerno]);
1.1 deraadt 454: syslog(LOG_NOTICE|LOG_AUTH, "failed su: %s to %s%s: %s",
455: username, user, ontty(), krb_err_txt[kerno]);
456: dest_tkt();
457: return (1);
458: } else {
459: if (!(hp = gethostbyname(hostname))) {
1.8 millert 460: warnx("can't get addr of %s", hostname);
1.1 deraadt 461: dest_tkt();
462: return (1);
463: }
1.10 millert 464: (void)memcpy((void *)&faddr, (void *)hp->h_addr, sizeof(faddr));
1.1 deraadt 465:
466: if ((kerno = krb_rd_req(&ticket, "rcmd", savehost, faddr,
467: &authdata, "")) != KSUCCESS) {
1.8 millert 468: warnx("unable to verify rcmd ticket: %s",
469: krb_err_txt[kerno]);
1.1 deraadt 470: syslog(LOG_NOTICE|LOG_AUTH,
471: "failed su: %s to %s%s: %s", username,
472: user, ontty(), krb_err_txt[kerno]);
473: dest_tkt();
474: return (1);
475: }
476: }
477: return (0);
478: }
479:
1.31 art 480: int
1.1 deraadt 481: koktologin(name, realm, toname)
482: char *name, *realm, *toname;
483: {
484: register AUTH_DAT *kdata;
485: AUTH_DAT kdata_st;
486:
1.13 deraadt 487: memset((void *)&kdata_st, 0, sizeof(kdata_st));
1.1 deraadt 488: kdata = &kdata_st;
1.10 millert 489:
1.11 millert 490: (void)strncpy(kdata->pname, name, sizeof(kdata->pname) - 1);
1.10 millert 491: kdata->pname[sizeof(kdata->pname) - 1] = '\0';
492:
493: (void)strncpy(kdata->pinst,
1.11 millert 494: ((strcmp(toname, "root") == 0) ? "root" : ""), sizeof(kdata->pinst) - 1);
1.13 deraadt 495: kdata->pinst[sizeof(kdata->pinst) -1] = '\0';
1.10 millert 496:
1.11 millert 497: (void)strncpy(kdata->prealm, realm, sizeof(kdata->prealm) - 1);
1.10 millert 498: kdata->prealm[sizeof(kdata->prealm) -1] = '\0';
499:
1.1 deraadt 500: return (kuserok(kdata, toname));
1.28 deraadt 501: }
502:
503: int
504: ksettkfile(user)
505: char *user;
506: {
507: if (krb_get_lrealm(lrealm, 1) != KSUCCESS)
508: return (1);
509: (void)snprintf(krbtkfile, sizeof(krbtkfile), "%s_%s_%u", TKT_ROOT,
510: user, getuid());
511: return (0);
1.1 deraadt 512: }
513: #endif