Annotation of src/usr.bin/su/su.c, Revision 1.58
1.58 ! deraadt 1: /* $OpenBSD: su.c,v 1.57 2007/10/19 21:03:51 deraadt Exp $ */
1.4 deraadt 2:
1.1 deraadt 3: /*
4: * Copyright (c) 1988 The Regents of the University of California.
5: * All rights reserved.
6: *
7: * Redistribution and use in source and binary forms, with or without
8: * modification, are permitted provided that the following conditions
9: * are met:
10: * 1. Redistributions of source code must retain the above copyright
11: * notice, this list of conditions and the following disclaimer.
12: * 2. Redistributions in binary form must reproduce the above copyright
13: * notice, this list of conditions and the following disclaimer in the
14: * documentation and/or other materials provided with the distribution.
1.52 millert 15: * 3. Neither the name of the University nor the names of its contributors
1.1 deraadt 16: * may be used to endorse or promote products derived from this software
17: * without specific prior written permission.
18: *
19: * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
20: * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21: * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22: * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
23: * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24: * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25: * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26: * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27: * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28: * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29: * SUCH DAMAGE.
30: */
31:
32: #include <sys/param.h>
33: #include <sys/time.h>
34: #include <sys/resource.h>
1.8 millert 35:
36: #include <err.h>
37: #include <errno.h>
38: #include <grp.h>
1.33 millert 39: #include <login_cap.h>
1.8 millert 40: #include <paths.h>
41: #include <pwd.h>
1.1 deraadt 42: #include <stdio.h>
43: #include <stdlib.h>
44: #include <string.h>
1.8 millert 45: #include <syslog.h>
1.1 deraadt 46: #include <unistd.h>
1.47 millert 47: #include <utmp.h>
1.36 millert 48: #include <stdarg.h>
49: #include <bsd_auth.h>
50:
1.47 millert 51: char *getloginname(void);
1.43 millert 52: char *ontty(void);
1.53 millert 53: int chshell(const char *);
1.47 millert 54: int verify_user(char *, struct passwd *, char *, login_cap_t *,
55: auth_session_t *);
1.43 millert 56: void usage(void);
57: void auth_err(auth_session_t *, int, const char *, ...);
58: void auth_errx(auth_session_t *, int, const char *, ...);
1.1 deraadt 59:
60: int
1.47 millert 61: main(int argc, char **argv)
1.1 deraadt 62: {
1.54 deraadt 63: int asme = 0, asthem = 0, ch, fastlogin = 0, emlogin = 0, prio;
1.45 deraadt 64: char *user, *shell = NULL, *avshell, *username, **np;
1.47 millert 65: char *class = NULL, *style = NULL, *p;
1.45 deraadt 66: enum { UNSET, YES, NO } iscsh = UNSET;
67: char avshellbuf[MAXPATHLEN];
1.1 deraadt 68: extern char **environ;
1.45 deraadt 69: auth_session_t *as;
1.36 millert 70: struct passwd *pwd;
1.45 deraadt 71: login_cap_t *lc;
1.9 millert 72: uid_t ruid;
1.54 deraadt 73: u_int flags;
1.1 deraadt 74:
1.50 millert 75: while ((ch = getopt(argc, argv, "a:c:fKLlm-")) != -1)
1.45 deraadt 76: switch (ch) {
1.36 millert 77: case 'a':
78: if (style)
79: usage();
80: style = optarg;
1.1 deraadt 81: break;
1.33 millert 82: case 'c':
1.36 millert 83: if (class)
84: usage();
1.33 millert 85: class = optarg;
86: break;
1.1 deraadt 87: case 'f':
88: fastlogin = 1;
89: break;
1.36 millert 90: case 'K':
91: if (style)
92: usage();
93: style = "passwd";
94: break;
1.47 millert 95: case 'L':
96: emlogin = 1;
97: break;
98: case 'l':
1.1 deraadt 99: case '-':
100: asme = 0;
101: asthem = 1;
102: break;
103: case 'm':
104: asme = 1;
105: asthem = 0;
106: break;
107: default:
1.36 millert 108: usage();
1.1 deraadt 109: }
110: argv += optind;
111:
112: errno = 0;
113: prio = getpriority(PRIO_PROCESS, 0);
114: if (errno)
115: prio = 0;
116: (void)setpriority(PRIO_PROCESS, 0, -2);
117: openlog("su", LOG_CONS, 0);
118:
1.36 millert 119: if ((as = auth_open()) == NULL) {
120: syslog(LOG_ERR, "auth_open: %m");
1.39 millert 121: err(1, "unable to initialize BSD authentication");
1.36 millert 122: }
1.39 millert 123: auth_setoption(as, "login", "yes");
1.36 millert 124:
1.1 deraadt 125: /* get current login name and shell */
126: ruid = getuid();
127: username = getlogin();
1.40 hin 128:
1.47 millert 129: if (ruid && class)
130: auth_errx(as, 1, "only the superuser may specify a login class");
131:
1.41 millert 132: if (username != NULL)
1.40 hin 133: auth_setoption(as, "invokinguser", username);
134:
1.1 deraadt 135: if (username == NULL || (pwd = getpwnam(username)) == NULL ||
136: pwd->pw_uid != ruid)
137: pwd = getpwuid(ruid);
1.8 millert 138: if (pwd == NULL)
1.36 millert 139: auth_errx(as, 1, "who are you?");
1.9 millert 140: if ((username = strdup(pwd->pw_name)) == NULL)
1.41 millert 141: auth_errx(as, 1, "can't allocate memory");
1.31 art 142: if (asme) {
1.10 millert 143: if (pwd->pw_shell && *pwd->pw_shell) {
1.42 millert 144: if ((shell = strdup(pwd->pw_shell)) == NULL)
145: auth_errx(as, 1, "can't allocate memory");
1.10 millert 146: } else {
1.1 deraadt 147: shell = _PATH_BSHELL;
148: iscsh = NO;
149: }
1.31 art 150: }
1.1 deraadt 151:
1.47 millert 152: for (;;) {
153: /* get target user, default to root unless in -L mode */
154: if (*argv) {
155: user = *argv;
156: } else if (emlogin) {
157: if ((user = getloginname()) == NULL) {
158: auth_close(as);
159: exit(1);
160: }
161: } else {
162: user = "root";
163: }
164: /* style may be specified as part of the username */
165: if ((p = strchr(user, ':')) != NULL) {
166: *p++ = '\0';
1.49 millert 167: style = p; /* XXX overrides -a flag */
168: }
1.47 millert 169:
1.36 millert 170: /*
1.47 millert 171: * Clean and setup our current authentication session.
172: * Note that options *are* not cleared.
1.36 millert 173: */
1.47 millert 174: auth_clean(as);
175: if (auth_setitem(as, AUTHV_INTERACTIVE, "True") != 0 ||
176: auth_setitem(as, AUTHV_NAME, user) != 0)
177: auth_errx(as, 1, "can't allocate memory");
178: if ((user = auth_getitem(as, AUTHV_NAME)) == NULL)
179: auth_errx(as, 1, "internal error");
180: if (auth_setpwd(as, NULL) || (pwd = auth_getpwd(as)) == NULL) {
181: if (emlogin)
182: pwd = NULL;
183: else
184: auth_errx(as, 1, "unknown login %s", user);
1.1 deraadt 185: }
1.36 millert 186:
1.47 millert 187: /* If the user specified a login class, use it */
188: if (!class && pwd && pwd->pw_class && pwd->pw_class[0] != '\0')
189: class = pwd->pw_class;
190: if ((lc = login_getclass(class)) == NULL)
191: auth_errx(as, 1, "no such login class: %s",
192: class ? class : LOGIN_DEFCLASS);
193:
194: if ((ruid == 0 && !emlogin) ||
195: verify_user(username, pwd, style, lc, as) == 0)
196: break;
197: syslog(LOG_AUTH|LOG_WARNING, "BAD SU %s to %s%s",
198: username, user, ontty());
199: if (!emlogin) {
1.36 millert 200: fprintf(stderr, "Sorry\n");
201: auth_close(as);
202: exit(1);
1.1 deraadt 203: }
1.47 millert 204: fprintf(stderr, "Login incorrect\n");
1.1 deraadt 205: }
206:
207: if (asme) {
208: /* if asme and non-standard target shell, must be root */
1.8 millert 209: if (!chshell(pwd->pw_shell) && ruid)
1.36 millert 210: auth_errx(as, 1, "permission denied (shell).");
1.1 deraadt 211: } else if (pwd->pw_shell && *pwd->pw_shell) {
1.47 millert 212: if ((shell = strdup(pwd->pw_shell)) == NULL)
213: auth_errx(as, 1, "can't allocate memory");
1.1 deraadt 214: iscsh = UNSET;
215: } else {
216: shell = _PATH_BSHELL;
217: iscsh = NO;
218: }
219:
1.30 deraadt 220: if ((p = strrchr(shell, '/')))
1.1 deraadt 221: avshell = p+1;
222: else
223: avshell = shell;
224:
225: /* if we're forking a csh, we want to slightly muck the args */
226: if (iscsh == UNSET)
227: iscsh = strcmp(avshell, "csh") ? NO : YES;
228:
229: if (!asme) {
230: if (asthem) {
231: p = getenv("TERM");
1.23 deraadt 232: if ((environ = calloc(1, sizeof (char *))) == NULL)
1.36 millert 233: auth_errx(as, 1, "calloc");
1.33 millert 234: if (setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETPATH))
1.36 millert 235: auth_err(as, 1, "unable to set user context");
236: if (p && setenv("TERM", p, 1) == -1)
237: auth_err(as, 1, "unable to set environment");
1.5 deraadt 238:
1.57 deraadt 239: setegid(pwd->pw_gid);
1.5 deraadt 240: seteuid(pwd->pw_uid);
1.8 millert 241: if (chdir(pwd->pw_dir) < 0)
1.36 millert 242: auth_err(as, 1, "%s", pwd->pw_dir);
1.57 deraadt 243: setegid(0); /* XXX use a saved gid instead? */
1.5 deraadt 244: seteuid(0);
1.33 millert 245: } else if (pwd->pw_uid == 0) {
246: if (setusercontext(lc,
247: pwd, pwd->pw_uid, LOGIN_SETPATH|LOGIN_SETUMASK))
1.36 millert 248: auth_err(as, 1, "unable to set user context");
1.1 deraadt 249: }
1.15 millert 250: if (asthem || pwd->pw_uid) {
1.34 deraadt 251: if (setenv("LOGNAME", pwd->pw_name, 1) == -1 ||
252: setenv("USER", pwd->pw_name, 1) == -1)
1.36 millert 253: auth_err(as, 1, "unable to set environment");
1.15 millert 254: }
1.34 deraadt 255: if (setenv("HOME", pwd->pw_dir, 1) == -1 ||
256: setenv("SHELL", shell, 1) == -1)
1.36 millert 257: auth_err(as, 1, "unable to set environment");
1.34 deraadt 258: }
1.28 deraadt 259:
1.47 millert 260: np = *argv ? argv : argv - 1;
1.1 deraadt 261: if (iscsh == YES) {
262: if (fastlogin)
263: *np-- = "-f";
264: if (asme)
265: *np-- = "-m";
266: }
267:
268: if (asthem) {
269: avshellbuf[0] = '-';
1.36 millert 270: strlcpy(avshellbuf+1, avshell, sizeof(avshellbuf) - 1);
1.1 deraadt 271: avshell = avshellbuf;
272: } else if (iscsh == YES) {
273: /* csh strips the first character... */
274: avshellbuf[0] = '_';
1.36 millert 275: strlcpy(avshellbuf+1, avshell, sizeof(avshellbuf) - 1);
1.1 deraadt 276: avshell = avshellbuf;
277: }
1.45 deraadt 278:
1.1 deraadt 279: *np = avshell;
280:
281: if (ruid != 0)
282: syslog(LOG_NOTICE|LOG_AUTH, "%s to %s%s",
283: username, user, ontty());
284:
285: (void)setpriority(PRIO_PROCESS, 0, prio);
1.51 millert 286: if (emlogin) {
1.48 millert 287: flags = LOGIN_SETALL & ~LOGIN_SETPATH;
1.51 millert 288: /*
1.55 miod 289: * Only call setlogin() if this process is a session leader.
1.51 millert 290: * In practice, this means the login name will be set only if
291: * we are exec'd by a shell. This is important because
292: * otherwise the parent shell's login name would change too.
293: */
294: if (getsid(0) != getpid())
295: flags &= ~LOGIN_SETLOGIN;
296: } else
1.48 millert 297: flags = (asthem ? (LOGIN_SETPRIORITY | LOGIN_SETUMASK) : 0) |
298: LOGIN_SETRESOURCES | LOGIN_SETGROUP | LOGIN_SETUSER;
299: if (setusercontext(lc, pwd, pwd->pw_uid, flags) != 0)
1.36 millert 300: auth_err(as, 1, "unable to set user context");
301: if (pwd->pw_uid && auth_approval(as, lc, pwd->pw_name, "su") <= 0)
302: auth_err(as, 1, "approval failure");
303: auth_close(as);
1.1 deraadt 304:
305: execv(shell, np);
1.32 millert 306: err(1, "%s", shell);
1.1 deraadt 307: }
308:
309: int
1.47 millert 310: verify_user(char *from, struct passwd *pwd, char *style,
311: login_cap_t *lc, auth_session_t *as)
312: {
313: struct group *gr;
314: char **g, *cp;
315: int authok;
316:
317: /*
318: * If we are trying to become root and the default style
319: * is being used, don't bother to look it up (we might be
320: * be su'ing up to fix /etc/login.conf)
321: */
322: if ((pwd == NULL || pwd->pw_uid != 0 || style == NULL ||
323: strcmp(style, LOGIN_DEFSTYLE) != 0) &&
324: (style = login_getstyle(lc, style, "auth-su")) == NULL)
325: auth_errx(as, 1, "invalid authentication type");
326:
327: /*
328: * Let the authentication program know whether they are
329: * in group wheel or not (if trying to become super user)
330: */
331: if (pwd != NULL && pwd->pw_uid == 0 && (gr = getgrgid(0)) != NULL &&
332: gr->gr_mem != NULL && *(gr->gr_mem) != NULL) {
333: for (g = gr->gr_mem; *g; ++g) {
334: if (strcmp(from, *g) == 0) {
335: auth_setoption(as, "wheel", "yes");
336: break;
337: }
338: }
339: if (!*g)
340: auth_setoption(as, "wheel", "no");
341: }
342:
343: auth_verify(as, style, NULL, lc->lc_class, (char *)NULL);
344: authok = auth_getstate(as);
345: if ((authok & AUTH_ALLOW) == 0) {
346: if ((cp = auth_getvalue(as, "errormsg")) != NULL)
347: fprintf(stderr, "%s\n", cp);
348: return(1);
349: }
350: return(0);
351: }
352:
353: int
1.53 millert 354: chshell(const char *sh)
1.1 deraadt 355: {
1.36 millert 356: char *cp;
1.53 millert 357: int found = 0;
1.1 deraadt 358:
1.53 millert 359: setusershell();
360: while ((cp = getusershell()) != NULL) {
361: if (strcmp(cp, sh) == 0) {
362: found = 1;
363: break;
364: }
365: }
366: endusershell();
367: return (found);
1.1 deraadt 368: }
369:
370: char *
1.47 millert 371: ontty(void)
1.1 deraadt 372: {
373: static char buf[MAXPATHLEN + 4];
1.36 millert 374: char *p;
1.1 deraadt 375:
376: buf[0] = 0;
1.30 deraadt 377: if ((p = ttyname(STDERR_FILENO)))
1.8 millert 378: snprintf(buf, sizeof(buf), " on %s", p);
1.1 deraadt 379: return (buf);
380: }
381:
1.47 millert 382: /*
383: * Allow for a '.' and 16 characters for any instance as well as
1.56 otto 384: * space for a ':' and 16 characters defining the authentication type.
1.47 millert 385: */
386: #define NBUFSIZ (UT_NAMESIZE + 1 + 16 + 1 + 16)
387:
388: char *
389: getloginname(void)
390: {
391: static char nbuf[NBUFSIZ], *p;
392: int ch;
393:
394: for (;;) {
395: (void)printf("login: ");
396: for (p = nbuf; (ch = getchar()) != '\n'; ) {
397: if (ch == EOF)
398: return (NULL);
399: if (p < nbuf + (NBUFSIZ - 1))
400: *p++ = ch;
401: }
402: if (p > nbuf) {
403: if (nbuf[0] == '-') {
404: (void)fprintf(stderr,
405: "login names may not start with '-'.\n");
406: } else {
407: *p = '\0';
408: break;
409: }
410: }
411: }
412: return (nbuf);
413: }
414:
1.36 millert 415: void
1.47 millert 416: usage(void)
1.1 deraadt 417: {
1.36 millert 418: extern char *__progname;
1.1 deraadt 419:
1.47 millert 420: fprintf(stderr, "usage: %s [-fKLlm] [-a auth-type] [-c login-class] "
421: "[login [shell arguments]]\n", __progname);
1.36 millert 422: exit(1);
1.1 deraadt 423: }
424:
1.36 millert 425: void
426: auth_err(auth_session_t *as, int eval, const char *fmt, ...)
1.1 deraadt 427: {
1.36 millert 428: va_list ap;
1.46 millert 429:
1.36 millert 430: va_start(ap, fmt);
1.46 millert 431: vwarn(fmt, ap);
432: va_end(ap);
1.36 millert 433: auth_close(as);
1.46 millert 434: exit(eval);
1.28 deraadt 435: }
436:
1.36 millert 437: void
438: auth_errx(auth_session_t *as, int eval, const char *fmt, ...)
1.28 deraadt 439: {
1.36 millert 440: va_list ap;
1.46 millert 441:
1.36 millert 442: va_start(ap, fmt);
1.46 millert 443: vwarnx(fmt, ap);
444: va_end(ap);
1.36 millert 445: auth_close(as);
1.46 millert 446: exit(eval);
1.1 deraadt 447: }