Annotation of src/usr.bin/su/su.c, Revision 1.89
1.89 ! kn 1: /* $OpenBSD: su.c,v 1.88 2022/03/23 02:18:22 deraadt Exp $ */
1.4 deraadt 2:
1.1 deraadt 3: /*
4: * Copyright (c) 1988 The Regents of the University of California.
5: * All rights reserved.
6: *
7: * Redistribution and use in source and binary forms, with or without
8: * modification, are permitted provided that the following conditions
9: * are met:
10: * 1. Redistributions of source code must retain the above copyright
11: * notice, this list of conditions and the following disclaimer.
12: * 2. Redistributions in binary form must reproduce the above copyright
13: * notice, this list of conditions and the following disclaimer in the
14: * documentation and/or other materials provided with the distribution.
1.52 millert 15: * 3. Neither the name of the University nor the names of its contributors
1.1 deraadt 16: * may be used to endorse or promote products derived from this software
17: * without specific prior written permission.
18: *
19: * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
20: * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21: * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22: * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
23: * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24: * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25: * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26: * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27: * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28: * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29: * SUCH DAMAGE.
30: */
31:
32: #include <sys/time.h>
33: #include <sys/resource.h>
1.8 millert 34:
35: #include <err.h>
36: #include <errno.h>
37: #include <grp.h>
1.33 millert 38: #include <login_cap.h>
1.8 millert 39: #include <paths.h>
40: #include <pwd.h>
1.1 deraadt 41: #include <stdio.h>
42: #include <stdlib.h>
43: #include <string.h>
1.8 millert 44: #include <syslog.h>
1.1 deraadt 45: #include <unistd.h>
1.66 deraadt 46: #include <limits.h>
1.47 millert 47: #include <utmp.h>
1.36 millert 48: #include <stdarg.h>
49: #include <bsd_auth.h>
50:
1.47 millert 51: char *getloginname(void);
1.43 millert 52: char *ontty(void);
1.53 millert 53: int chshell(const char *);
1.47 millert 54: int verify_user(char *, struct passwd *, char *, login_cap_t *,
55: auth_session_t *);
1.43 millert 56: void usage(void);
57: void auth_err(auth_session_t *, int, const char *, ...);
58: void auth_errx(auth_session_t *, int, const char *, ...);
1.1 deraadt 59:
60: int
1.47 millert 61: main(int argc, char **argv)
1.1 deraadt 62: {
1.54 deraadt 63: int asme = 0, asthem = 0, ch, fastlogin = 0, emlogin = 0, prio;
1.65 robert 64: int altshell = 0, homeless = 0;
1.45 deraadt 65: char *user, *shell = NULL, *avshell, *username, **np;
1.47 millert 66: char *class = NULL, *style = NULL, *p;
1.45 deraadt 67: enum { UNSET, YES, NO } iscsh = UNSET;
1.66 deraadt 68: char avshellbuf[PATH_MAX];
1.1 deraadt 69: extern char **environ;
1.45 deraadt 70: auth_session_t *as;
1.36 millert 71: struct passwd *pwd;
1.45 deraadt 72: login_cap_t *lc;
1.9 millert 73: uid_t ruid;
1.54 deraadt 74: u_int flags;
1.1 deraadt 75:
1.71 deraadt 76: if (pledge("stdio unveil rpath getpw proc exec id", NULL) == -1)
1.68 deraadt 77: err(1, "pledge");
78:
1.59 millert 79: while ((ch = getopt(argc, argv, "a:c:fKLlms:-")) != -1)
1.45 deraadt 80: switch (ch) {
1.36 millert 81: case 'a':
82: if (style)
83: usage();
84: style = optarg;
1.1 deraadt 85: break;
1.33 millert 86: case 'c':
1.36 millert 87: if (class)
88: usage();
1.33 millert 89: class = optarg;
90: break;
1.1 deraadt 91: case 'f':
92: fastlogin = 1;
93: break;
1.36 millert 94: case 'K':
95: if (style)
96: usage();
97: style = "passwd";
98: break;
1.47 millert 99: case 'L':
100: emlogin = 1;
101: break;
102: case 'l':
1.1 deraadt 103: case '-':
104: asme = 0;
105: asthem = 1;
106: break;
107: case 'm':
108: asme = 1;
109: asthem = 0;
110: break;
1.59 millert 111: case 's':
112: altshell = 1;
113: shell = optarg;
114: break;
1.1 deraadt 115: default:
1.36 millert 116: usage();
1.1 deraadt 117: }
118: argv += optind;
119:
120: errno = 0;
121: prio = getpriority(PRIO_PROCESS, 0);
122: if (errno)
123: prio = 0;
1.67 deraadt 124: setpriority(PRIO_PROCESS, 0, -2);
1.1 deraadt 125: openlog("su", LOG_CONS, 0);
126:
1.36 millert 127: if ((as = auth_open()) == NULL) {
128: syslog(LOG_ERR, "auth_open: %m");
1.39 millert 129: err(1, "unable to initialize BSD authentication");
1.36 millert 130: }
1.39 millert 131: auth_setoption(as, "login", "yes");
1.36 millert 132:
1.1 deraadt 133: /* get current login name and shell */
134: ruid = getuid();
135: username = getlogin();
1.40 hin 136:
1.47 millert 137: if (ruid && class)
138: auth_errx(as, 1, "only the superuser may specify a login class");
139:
1.59 millert 140: if (ruid && altshell)
141: auth_errx(as, 1, "only the superuser may specify a login shell");
142:
1.41 millert 143: if (username != NULL)
1.40 hin 144: auth_setoption(as, "invokinguser", username);
145:
1.1 deraadt 146: if (username == NULL || (pwd = getpwnam(username)) == NULL ||
147: pwd->pw_uid != ruid)
148: pwd = getpwuid(ruid);
1.8 millert 149: if (pwd == NULL)
1.36 millert 150: auth_errx(as, 1, "who are you?");
1.9 millert 151: if ((username = strdup(pwd->pw_name)) == NULL)
1.78 deraadt 152: auth_err(as, 1, NULL);
1.59 millert 153: if (asme && !altshell) {
1.10 millert 154: if (pwd->pw_shell && *pwd->pw_shell) {
1.42 millert 155: if ((shell = strdup(pwd->pw_shell)) == NULL)
1.78 deraadt 156: auth_err(as, 1, NULL);
1.10 millert 157: } else {
1.1 deraadt 158: shell = _PATH_BSHELL;
159: iscsh = NO;
160: }
1.31 art 161: }
1.1 deraadt 162:
1.71 deraadt 163: if (unveil(_PATH_LOGIN_CONF, "r") == -1)
1.84 beck 164: err(1, "unveil %s", _PATH_LOGIN_CONF);
1.77 semarie 165: if (unveil(_PATH_LOGIN_CONF ".db", "r") == -1)
1.84 beck 166: err(1, "unveil %s.db", _PATH_LOGIN_CONF);
1.85 robert 167: if (unveil(_PATH_LOGIN_CONF_D, "r") == -1)
168: err(1, "unveil %s", _PATH_LOGIN_CONF_D);
1.71 deraadt 169: if (unveil(_PATH_AUTHPROGDIR, "x") == -1)
1.84 beck 170: err(1, "unveil %s", _PATH_AUTHPROGDIR);
1.72 deraadt 171: if (unveil(_PATH_SHELLS, "r") == -1)
1.84 beck 172: err(1, "unveil %s", _PATH_SHELLS);
1.73 deraadt 173: if (unveil(_PATH_DEVDB, "r") == -1)
1.84 beck 174: err(1, "unveil %s", _PATH_DEVDB);
1.82 semarie 175: if (unveil(_PATH_NOLOGIN, "r") == -1)
1.84 beck 176: err(1, "unveil %s", _PATH_NOLOGIN);
1.71 deraadt 177:
1.47 millert 178: for (;;) {
1.79 millert 179: char *pw_class = class;
180:
1.47 millert 181: /* get target user, default to root unless in -L mode */
182: if (*argv) {
183: user = *argv;
184: } else if (emlogin) {
185: if ((user = getloginname()) == NULL) {
186: auth_close(as);
187: exit(1);
188: }
189: } else {
190: user = "root";
191: }
192: /* style may be specified as part of the username */
193: if ((p = strchr(user, ':')) != NULL) {
194: *p++ = '\0';
1.49 millert 195: style = p; /* XXX overrides -a flag */
196: }
1.65 robert 197:
1.36 millert 198: /*
1.47 millert 199: * Clean and setup our current authentication session.
200: * Note that options *are* not cleared.
1.36 millert 201: */
1.47 millert 202: auth_clean(as);
203: if (auth_setitem(as, AUTHV_INTERACTIVE, "True") != 0 ||
204: auth_setitem(as, AUTHV_NAME, user) != 0)
1.78 deraadt 205: auth_err(as, 1, NULL);
1.47 millert 206: if ((user = auth_getitem(as, AUTHV_NAME)) == NULL)
207: auth_errx(as, 1, "internal error");
208: if (auth_setpwd(as, NULL) || (pwd = auth_getpwd(as)) == NULL) {
209: if (emlogin)
210: pwd = NULL;
211: else
212: auth_errx(as, 1, "unknown login %s", user);
1.1 deraadt 213: }
1.36 millert 214:
1.47 millert 215: /* If the user specified a login class, use it */
1.79 millert 216: if (pw_class == NULL && pwd != NULL)
217: pw_class = pwd->pw_class;
218: if ((lc = login_getclass(pw_class)) == NULL)
1.47 millert 219: auth_errx(as, 1, "no such login class: %s",
1.79 millert 220: pw_class ? pw_class : LOGIN_DEFCLASS);
1.47 millert 221:
222: if ((ruid == 0 && !emlogin) ||
223: verify_user(username, pwd, style, lc, as) == 0)
224: break;
225: syslog(LOG_AUTH|LOG_WARNING, "BAD SU %s to %s%s",
226: username, user, ontty());
227: if (!emlogin) {
1.36 millert 228: fprintf(stderr, "Sorry\n");
229: auth_close(as);
230: exit(1);
1.1 deraadt 231: }
1.47 millert 232: fprintf(stderr, "Login incorrect\n");
1.1 deraadt 233: }
1.78 deraadt 234: if (pwd == NULL)
235: auth_errx(as, 1, "internal error");
1.1 deraadt 236:
1.71 deraadt 237: if (pledge("stdio unveil rpath getpw exec id", NULL) == -1)
1.70 miod 238: err(1, "pledge");
239:
1.59 millert 240: if (!altshell) {
241: if (asme) {
1.74 millert 242: /* must be root to override non-std target shell */
243: if (ruid && !chshell(pwd->pw_shell))
1.59 millert 244: auth_errx(as, 1, "permission denied (shell).");
245: } else if (pwd->pw_shell && *pwd->pw_shell) {
246: if ((shell = strdup(pwd->pw_shell)) == NULL)
1.78 deraadt 247: auth_err(as, 1, NULL);
1.59 millert 248: iscsh = UNSET;
249: } else {
250: shell = _PATH_BSHELL;
251: iscsh = NO;
252: }
1.1 deraadt 253: }
254:
1.71 deraadt 255: if (unveil(shell, "x") == -1)
1.84 beck 256: err(1, "unveil %s", shell);
1.71 deraadt 257: if (unveil(pwd->pw_dir, "r") == -1)
1.84 beck 258: err(1, "unveil %s", pwd->pw_dir);
1.71 deraadt 259:
1.30 deraadt 260: if ((p = strrchr(shell, '/')))
1.1 deraadt 261: avshell = p+1;
262: else
263: avshell = shell;
264:
265: /* if we're forking a csh, we want to slightly muck the args */
266: if (iscsh == UNSET)
267: iscsh = strcmp(avshell, "csh") ? NO : YES;
268:
269: if (!asme) {
270: if (asthem) {
271: p = getenv("TERM");
1.23 deraadt 272: if ((environ = calloc(1, sizeof (char *))) == NULL)
1.36 millert 273: auth_errx(as, 1, "calloc");
1.33 millert 274: if (setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETPATH))
1.36 millert 275: auth_err(as, 1, "unable to set user context");
276: if (p && setenv("TERM", p, 1) == -1)
277: auth_err(as, 1, "unable to set environment");
1.5 deraadt 278:
1.57 deraadt 279: setegid(pwd->pw_gid);
1.5 deraadt 280: seteuid(pwd->pw_uid);
1.65 robert 281:
282: homeless = chdir(pwd->pw_dir);
1.76 deraadt 283: if (homeless == -1) {
1.65 robert 284: if (login_getcapbool(lc, "requirehome", 0)) {
285: auth_err(as, 1, "%s", pwd->pw_dir);
286: } else {
1.71 deraadt 287: if (unveil("/", "r") == -1)
1.84 beck 288: err(1, "unveil /");
1.67 deraadt 289: printf("No home directory %s!\n", pwd->pw_dir);
290: printf("Logging in with home = \"/\".\n");
1.76 deraadt 291: if (chdir("/") == -1)
1.65 robert 292: auth_err(as, 1, "/");
293: }
294: }
1.57 deraadt 295: setegid(0); /* XXX use a saved gid instead? */
1.5 deraadt 296: seteuid(0);
1.33 millert 297: } else if (pwd->pw_uid == 0) {
298: if (setusercontext(lc,
299: pwd, pwd->pw_uid, LOGIN_SETPATH|LOGIN_SETUMASK))
1.36 millert 300: auth_err(as, 1, "unable to set user context");
1.1 deraadt 301: }
1.15 millert 302: if (asthem || pwd->pw_uid) {
1.34 deraadt 303: if (setenv("LOGNAME", pwd->pw_name, 1) == -1 ||
304: setenv("USER", pwd->pw_name, 1) == -1)
1.36 millert 305: auth_err(as, 1, "unable to set environment");
1.15 millert 306: }
1.65 robert 307: if (setenv("HOME", homeless ? "/" : pwd->pw_dir, 1) == -1 ||
1.34 deraadt 308: setenv("SHELL", shell, 1) == -1)
1.59 millert 309: auth_err(as, 1, "unable to set environment");
310: } else if (altshell) {
311: if (setenv("SHELL", shell, 1) == -1)
1.36 millert 312: auth_err(as, 1, "unable to set environment");
1.34 deraadt 313: }
1.71 deraadt 314: if (pledge("stdio rpath getpw exec id", NULL) == -1)
315: err(1, "pledge");
1.28 deraadt 316:
1.47 millert 317: np = *argv ? argv : argv - 1;
1.81 jca 318:
1.1 deraadt 319: if (iscsh == YES) {
320: if (fastlogin)
321: *np-- = "-f";
322: if (asme)
323: *np-- = "-m";
324:
1.81 jca 325: if (asthem)
1.80 jca 326: avshellbuf[0] = '-';
1.81 jca 327: else {
328: /* csh strips the first character... */
329: avshellbuf[0] = '_';
1.80 jca 330: }
1.81 jca 331: strlcpy(avshellbuf+1, avshell, sizeof(avshellbuf) - 1);
332: avshell = avshellbuf;
333: } else if (asthem && !fastlogin) {
334: avshellbuf[0] = '-';
1.36 millert 335: strlcpy(avshellbuf+1, avshell, sizeof(avshellbuf) - 1);
1.1 deraadt 336: avshell = avshellbuf;
337: }
1.45 deraadt 338:
1.1 deraadt 339: *np = avshell;
340:
341: if (ruid != 0)
342: syslog(LOG_NOTICE|LOG_AUTH, "%s to %s%s",
343: username, user, ontty());
344:
1.67 deraadt 345: setpriority(PRIO_PROCESS, 0, prio);
1.51 millert 346: if (emlogin) {
1.48 millert 347: flags = LOGIN_SETALL & ~LOGIN_SETPATH;
1.51 millert 348: /*
1.55 miod 349: * Only call setlogin() if this process is a session leader.
1.51 millert 350: * In practice, this means the login name will be set only if
351: * we are exec'd by a shell. This is important because
352: * otherwise the parent shell's login name would change too.
353: */
354: if (getsid(0) != getpid())
355: flags &= ~LOGIN_SETLOGIN;
1.64 millert 356: } else {
357: flags = LOGIN_SETRESOURCES|LOGIN_SETGROUP|LOGIN_SETUSER;
1.88 deraadt 358: if (!asme)
359: flags |= LOGIN_SETRTABLE;
1.64 millert 360: if (asthem)
361: flags |= LOGIN_SETENV|LOGIN_SETPRIORITY|LOGIN_SETUMASK;
362: }
1.48 millert 363: if (setusercontext(lc, pwd, pwd->pw_uid, flags) != 0)
1.36 millert 364: auth_err(as, 1, "unable to set user context");
1.68 deraadt 365:
366: if (pledge("stdio rpath exec", NULL) == -1)
367: err(1, "pledge");
368:
1.75 deraadt 369: if (pwd->pw_uid && auth_approval(as, lc, pwd->pw_name, "su") == 0)
1.83 millert 370: auth_errx(as, 1, "approval failure");
1.36 millert 371: auth_close(as);
1.1 deraadt 372:
373: execv(shell, np);
1.32 millert 374: err(1, "%s", shell);
1.1 deraadt 375: }
376:
377: int
1.47 millert 378: verify_user(char *from, struct passwd *pwd, char *style,
379: login_cap_t *lc, auth_session_t *as)
380: {
381: struct group *gr;
382: char **g, *cp;
383: int authok;
384:
385: /*
386: * If we are trying to become root and the default style
387: * is being used, don't bother to look it up (we might be
388: * be su'ing up to fix /etc/login.conf)
389: */
390: if ((pwd == NULL || pwd->pw_uid != 0 || style == NULL ||
391: strcmp(style, LOGIN_DEFSTYLE) != 0) &&
392: (style = login_getstyle(lc, style, "auth-su")) == NULL)
393: auth_errx(as, 1, "invalid authentication type");
394:
395: /*
396: * Let the authentication program know whether they are
397: * in group wheel or not (if trying to become super user)
398: */
399: if (pwd != NULL && pwd->pw_uid == 0 && (gr = getgrgid(0)) != NULL &&
400: gr->gr_mem != NULL && *(gr->gr_mem) != NULL) {
401: for (g = gr->gr_mem; *g; ++g) {
402: if (strcmp(from, *g) == 0) {
403: auth_setoption(as, "wheel", "yes");
404: break;
405: }
406: }
407: if (!*g)
408: auth_setoption(as, "wheel", "no");
409: }
410:
411: auth_verify(as, style, NULL, lc->lc_class, (char *)NULL);
412: authok = auth_getstate(as);
413: if ((authok & AUTH_ALLOW) == 0) {
414: if ((cp = auth_getvalue(as, "errormsg")) != NULL)
415: fprintf(stderr, "%s\n", cp);
416: return(1);
417: }
418: return(0);
419: }
420:
421: int
1.53 millert 422: chshell(const char *sh)
1.1 deraadt 423: {
1.36 millert 424: char *cp;
1.53 millert 425: int found = 0;
1.1 deraadt 426:
1.53 millert 427: setusershell();
428: while ((cp = getusershell()) != NULL) {
429: if (strcmp(cp, sh) == 0) {
430: found = 1;
431: break;
432: }
433: }
434: endusershell();
435: return (found);
1.1 deraadt 436: }
437:
438: char *
1.47 millert 439: ontty(void)
1.1 deraadt 440: {
1.66 deraadt 441: static char buf[PATH_MAX + 4];
1.36 millert 442: char *p;
1.1 deraadt 443:
444: buf[0] = 0;
1.30 deraadt 445: if ((p = ttyname(STDERR_FILENO)))
1.8 millert 446: snprintf(buf, sizeof(buf), " on %s", p);
1.1 deraadt 447: return (buf);
448: }
449:
1.47 millert 450: /*
451: * Allow for a '.' and 16 characters for any instance as well as
1.56 otto 452: * space for a ':' and 16 characters defining the authentication type.
1.47 millert 453: */
454: #define NBUFSIZ (UT_NAMESIZE + 1 + 16 + 1 + 16)
455:
456: char *
457: getloginname(void)
458: {
459: static char nbuf[NBUFSIZ], *p;
460: int ch;
461:
462: for (;;) {
1.67 deraadt 463: printf("login: ");
1.47 millert 464: for (p = nbuf; (ch = getchar()) != '\n'; ) {
465: if (ch == EOF)
466: return (NULL);
467: if (p < nbuf + (NBUFSIZ - 1))
468: *p++ = ch;
469: }
470: if (p > nbuf) {
471: if (nbuf[0] == '-') {
1.67 deraadt 472: fprintf(stderr,
1.47 millert 473: "login names may not start with '-'.\n");
474: } else {
475: *p = '\0';
476: break;
477: }
478: }
479: }
480: return (nbuf);
481: }
482:
1.36 millert 483: void
1.47 millert 484: usage(void)
1.1 deraadt 485: {
1.36 millert 486: extern char *__progname;
1.1 deraadt 487:
1.47 millert 488: fprintf(stderr, "usage: %s [-fKLlm] [-a auth-type] [-c login-class] "
1.61 sobrado 489: "[-s login-shell]\n"
1.89 ! kn 490: "%-*s[login [shell-argument ...]]\n", __progname,
1.62 sobrado 491: (int)strlen(__progname) + 8, "");
1.36 millert 492: exit(1);
1.1 deraadt 493: }
494:
1.36 millert 495: void
496: auth_err(auth_session_t *as, int eval, const char *fmt, ...)
1.1 deraadt 497: {
1.36 millert 498: va_list ap;
1.46 millert 499:
1.36 millert 500: va_start(ap, fmt);
1.46 millert 501: vwarn(fmt, ap);
502: va_end(ap);
1.36 millert 503: auth_close(as);
1.46 millert 504: exit(eval);
1.28 deraadt 505: }
506:
1.36 millert 507: void
508: auth_errx(auth_session_t *as, int eval, const char *fmt, ...)
1.28 deraadt 509: {
1.36 millert 510: va_list ap;
1.46 millert 511:
1.36 millert 512: va_start(ap, fmt);
1.46 millert 513: vwarnx(fmt, ap);
514: va_end(ap);
1.36 millert 515: auth_close(as);
1.46 millert 516: exit(eval);
1.1 deraadt 517: }