shadow/libmisc/chowntty.c

/*
 * SPDX-FileCopyrightText: 1989 - 1994, Julianne Frances Haugh
 * SPDX-FileCopyrightText: 1996 - 2001, Marek Michałkiewicz
 * SPDX-FileCopyrightText: 2003 - 2005, Tomasz Kłoczko
 * SPDX-FileCopyrightText: 2007 - 2009, Nicolas François
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */

#include <config.h>

#ident "$Id$"

#include <sys/types.h>
#include <sys/stat.h>
#include <stdio.h>
#include <errno.h>
#include <grp.h>
#include "prototypes.h"
#include "defines.h"
#include <pwd.h>
#include "getdef.h"
#include "shadowlog.h"

/*
 *	chown_tty() sets the login tty to be owned by the new user ID
 *	with TTYPERM modes
 */

void chown_tty (const struct passwd *info)
{
	struct group *grent;
	gid_t gid;

	/*
	 * See if login.defs has some value configured for the port group
	 * ID.  Otherwise, use the user's primary group ID.
	 */

	grent = getgr_nam_gid (getdef_str ("TTYGROUP"));
	if (NULL != grent) {
		gid = grent->gr_gid;
		gr_free (grent);
	} else {
		gid = info->pw_gid;
	}

	/*
	 * Change the permissions on the TTY to be owned by the user with
	 * the group as determined above.
	 */

	if (   (fchown (STDIN_FILENO, info->pw_uid, gid) != 0)
	    || (fchmod (STDIN_FILENO, getdef_num ("TTYPERM", 0600)) != 0)) {
		int err = errno;
		FILE *shadow_logfd = log_get_logfd();

		fprintf (shadow_logfd,
		         _("Unable to change owner or mode of tty stdin: %s"),
		         strerror (err));
		SYSLOG ((LOG_WARN,
		         "unable to change owner or mode of tty stdin for user `%s': %s\n",
		         info->pw_name, strerror (err)));
		if (EROFS != err) {
			closelog ();
			exit (EXIT_FAILURE);
		}
	}
#ifdef __linux__
	/*
	 * Please don't add code to chown /dev/vcs* to the user logging in -
	 * it's a potential security hole.  I wouldn't like the previous user
	 * to hold the file descriptor open and watch my screen.  We don't
	 * have the *BSD revoke() system call yet, and vhangup() only works
	 * for tty devices (which vcs* is not).  --marekm
	 */
#endif
}
[svn-upgrade] Integrating new upstream version, shadow (19990709) 2007-10-07 17:14:02 +05:30			`/*`
Update licensing info Closes #238 Update all files to list SPDX license shortname. Most files are BSD 3 clause license. The exceptions are: serge@sl ~/src/shadow$ git grep SPDX-License \| grep -v BSD-3-Clause contrib/atudel:# SPDX-License-Identifier: BSD-4-Clause lib/tcbfuncs.c: * SPDX-License-Identifier: 0BSD libmisc/salt.c: * SPDX-License-Identifier: Unlicense src/login_nopam.c: * SPDX-License-Identifier: Unlicense src/nologin.c: * SPDX-License-Identifier: BSD-2-Clause src/vipw.c: * SPDX-License-Identifier: GPL-2.0-or-later Signed-off-by: Serge Hallyn <serge@hallyn.com> 2021-12-05 21:05:27 +05:30			`* SPDX-FileCopyrightText: 1989 - 1994, Julianne Frances Haugh`
			`* SPDX-FileCopyrightText: 1996 - 2001, Marek Michałkiewicz`
			`* SPDX-FileCopyrightText: 2003 - 2005, Tomasz Kłoczko`
			`* SPDX-FileCopyrightText: 2007 - 2009, Nicolas François`
[svn-upgrade] Integrating new upstream version, shadow (19990709) 2007-10-07 17:14:02 +05:30			`*`
Update licensing info Closes #238 Update all files to list SPDX license shortname. Most files are BSD 3 clause license. The exceptions are: serge@sl ~/src/shadow$ git grep SPDX-License \| grep -v BSD-3-Clause contrib/atudel:# SPDX-License-Identifier: BSD-4-Clause lib/tcbfuncs.c: * SPDX-License-Identifier: 0BSD libmisc/salt.c: * SPDX-License-Identifier: Unlicense src/login_nopam.c: * SPDX-License-Identifier: Unlicense src/nologin.c: * SPDX-License-Identifier: BSD-2-Clause src/vipw.c: * SPDX-License-Identifier: GPL-2.0-or-later Signed-off-by: Serge Hallyn <serge@hallyn.com> 2021-12-05 21:05:27 +05:30			`* SPDX-License-Identifier: BSD-3-Clause`
[svn-upgrade] Integrating new upstream version, shadow (19990709) 2007-10-07 17:14:02 +05:30			`*/`

			`#include <config.h>`

Added the subversion svn:keywords property (Id) for proper identification. 2007-11-11 05:16:11 +05:30			`#ident "$Id$"`
[svn-upgrade] Integrating new upstream version, shadow (4.0.13) 2007-10-07 17:17:01 +05:30
[svn-upgrade] Integrating new upstream version, shadow (19990709) 2007-10-07 17:14:02 +05:30			`#include <sys/types.h>`
			`#include <sys/stat.h>`
			`#include <stdio.h>`
[svn-upgrade] Integrating new upstream version, shadow (4.0.0) 2007-10-07 17:14:51 +05:30			`#include <errno.h>`
[svn-upgrade] Integrating new upstream version, shadow (19990709) 2007-10-07 17:14:02 +05:30			`#include <grp.h>`
			`#include "prototypes.h"`
			`#include "defines.h"`
			`#include <pwd.h>`
			`#include "getdef.h"`
Make shadow_logfd and Prog not extern Closes #444 Closes #465 Signed-off-by: Serge Hallyn <serge@hallyn.com> 2021-11-29 05:07:53 +05:30			`#include "shadowlog.h"`
[svn-upgrade] Integrating new upstream version, shadow (19990709) 2007-10-07 17:14:02 +05:30
			`/*`
			`* chown_tty() sets the login tty to be owned by the new user ID`
			`* with TTYPERM modes`
			`*/`

* NEWS, libmisc/chowntty.c, libmisc/utmp.c: is_my_tty() moved from utmp.c to chowntty.c. checkutmp() now only uses an existing utmp entry if the pid matches and ut_line matches with the current tty. This fixes a possible DOS when entries can be forged in the utmp file. * libmisc/chowntty.c, src/login.c, lib/prototypes.h: Remove the tty argument from chown_tty. chown_tty always changes stdin and does not need this argument anymore. 2008-11-23 05:26:11 +05:30			`void chown_tty (const struct passwd *info)`
[svn-upgrade] Integrating new upstream version, shadow (19990709) 2007-10-07 17:14:02 +05:30			`{`
[svn-upgrade] Integrating new upstream version, shadow (4.0.4) 2007-10-07 17:15:23 +05:30			`struct group *grent;`
[svn-upgrade] Integrating new upstream version, shadow (19990709) 2007-10-07 17:14:02 +05:30			`gid_t gid;`

			`/*`
			`* See if login.defs has some value configured for the port group`
			`* ID. Otherwise, use the user's primary group ID.`
			`*/`

* libmisc/getgr_nam_gid.c: Added support for NULL argument. * libmisc/chowntty.c: Reuse getgr_nam_gid(), and get rid of atol(). 2009-04-11 21:53:21 +05:30			`grent = getgr_nam_gid (getdef_str ("TTYGROUP"));`
			`if (NULL != grent) {`
			`gid = grent->gr_gid;`
Fix covscan RESOURCE_LEAK Error: RESOURCE_LEAK (CWE-772): [#def1] shadow-4.8.1/lib/commonio.c:320: alloc_fn: Storage is returned from allocation function "fopen_set_perms". shadow-4.8.1/lib/commonio.c:320: var_assign: Assigning: "bkfp" = storage returned from "fopen_set_perms(backup, "w", &sb)". shadow-4.8.1/lib/commonio.c:329: noescape: Resource "bkfp" is not freed or pointed-to in "putc". shadow-4.8.1/lib/commonio.c:334: noescape: Resource "bkfp" is not freed or pointed-to in "fflush". shadow-4.8.1/lib/commonio.c:339: noescape: Resource "bkfp" is not freed or pointed-to in "fileno". shadow-4.8.1/lib/commonio.c:342: leaked_storage: Variable "bkfp" going out of scope leaks the storage it points to. 340\| \|\| (fclose (bkfp) != 0)) { 341\| /* FIXME: unlink the backup file? / 342\|-> return -1; 343\| } 344\| Error: RESOURCE_LEAK (CWE-772): [#def2] shadow-4.8.1/libmisc/addgrps.c:69: alloc_fn: Storage is returned from allocation function "malloc". shadow-4.8.1/libmisc/addgrps.c:69: var_assign: Assigning: "grouplist" = storage returned from "malloc(i 4UL)". shadow-4.8.1/libmisc/addgrps.c:73: noescape: Resource "grouplist" is not freed or pointed-to in "getgroups". [Note: The source code implementation of the function has been overridden by a builtin model.] shadow-4.8.1/libmisc/addgrps.c:126: leaked_storage: Variable "grouplist" going out of scope leaks the storage it points to. 124\| } 125\| 126\|-> return 0; 127\| } 128\| #else /* HAVE_SETGROUPS && !USE_PAM / Error: RESOURCE_LEAK (CWE-772): [#def3] shadow-4.8.1/libmisc/chowntty.c:62: alloc_fn: Storage is returned from allocation function "getgr_nam_gid". shadow-4.8.1/libmisc/chowntty.c:62: var_assign: Assigning: "grent" = storage returned from "getgr_nam_gid(getdef_str("TTYGROUP"))". shadow-4.8.1/libmisc/chowntty.c:98: leaked_storage: Variable "grent" going out of scope leaks the storage it points to. 96\| / 97\| #endif 98\|-> } 99\| Error: RESOURCE_LEAK (CWE-772): [#def4] shadow-4.8.1/libmisc/copydir.c:742: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.] shadow-4.8.1/libmisc/copydir.c:742: var_assign: Assigning: "ifd" = handle returned from "open(src, 0)". shadow-4.8.1/libmisc/copydir.c:748: leaked_handle: Handle variable "ifd" going out of scope leaks the handle. 746\| #ifdef WITH_SELINUX 747\| if (set_selinux_file_context (dst, NULL) != 0) { 748\|-> return -1; 749\| } 750\| #endif /* WITH_SELINUX / Error: RESOURCE_LEAK (CWE-772): [#def5] shadow-4.8.1/libmisc/copydir.c:751: open_fn: Returning handle opened by "open". [Note: The source code implementation of the function has been overridden by a user model.] shadow-4.8.1/libmisc/copydir.c:751: var_assign: Assigning: "ofd" = handle returned from "open(dst, 577, statp->st_mode & 0xfffU)". shadow-4.8.1/libmisc/copydir.c:752: noescape: Resource "ofd" is not freed or pointed-to in "fchown_if_needed". shadow-4.8.1/libmisc/copydir.c:775: leaked_handle: Handle variable "ofd" going out of scope leaks the handle. 773\| ) { 774\| (void) close (ifd); 775\|-> return -1; 776\| } 777\| Error: RESOURCE_LEAK (CWE-772): [#def7] shadow-4.8.1/libmisc/idmapping.c:188: alloc_fn: Storage is returned from allocation function "xmalloc". shadow-4.8.1/libmisc/idmapping.c:188: var_assign: Assigning: "buf" = storage returned from "xmalloc(bufsize)". shadow-4.8.1/libmisc/idmapping.c:188: var_assign: Assigning: "pos" = "buf". shadow-4.8.1/libmisc/idmapping.c:213: noescape: Resource "buf" is not freed or pointed-to in "write". shadow-4.8.1/libmisc/idmapping.c:219: leaked_storage: Variable "pos" going out of scope leaks the storage it points to. shadow-4.8.1/libmisc/idmapping.c:219: leaked_storage: Variable "buf" going out of scope leaks the storage it points to. 217\| } 218\| close(fd); 219\|-> } Error: RESOURCE_LEAK (CWE-772): [#def8] shadow-4.8.1/libmisc/list.c:211: alloc_fn: Storage is returned from allocation function "xstrdup". shadow-4.8.1/libmisc/list.c:211: var_assign: Assigning: "members" = storage returned from "xstrdup(comma)". shadow-4.8.1/libmisc/list.c:217: var_assign: Assigning: "cp" = "members". shadow-4.8.1/libmisc/list.c:218: noescape: Resource "cp" is not freed or pointed-to in "strchr". shadow-4.8.1/libmisc/list.c:244: leaked_storage: Variable "cp" going out of scope leaks the storage it points to. shadow-4.8.1/libmisc/list.c:244: leaked_storage: Variable "members" going out of scope leaks the storage it points to. 242\| if ('\0' == members) { 243\| array = (char ) 0; 244\|-> return array; 245\| } 246\| Error: RESOURCE_LEAK (CWE-772): [#def11] shadow-4.8.1/libmisc/myname.c:61: alloc_fn: Storage is returned from allocation function "xgetpwnam". shadow-4.8.1/libmisc/myname.c:61: var_assign: Assigning: "pw" = storage returned from "xgetpwnam(cp)". shadow-4.8.1/libmisc/myname.c:67: leaked_storage: Variable "pw" going out of scope leaks the storage it points to. 65\| } 66\| 67\|-> return xgetpwuid (ruid); 68\| } 69\| Error: RESOURCE_LEAK (CWE-772): [#def12] shadow-4.8.1/libmisc/user_busy.c:260: alloc_fn: Storage is returned from allocation function "opendir". shadow-4.8.1/libmisc/user_busy.c:260: var_assign: Assigning: "task_dir" = storage returned from "opendir(task_path)". shadow-4.8.1/libmisc/user_busy.c:262: noescape: Resource "task_dir" is not freed or pointed-to in "readdir". shadow-4.8.1/libmisc/user_busy.c:278: leaked_storage: Variable "task_dir" going out of scope leaks the storage it points to. 276\| _("%s: user %s is currently used by process %d\n"), 277\| Prog, name, pid); 278\|-> return 1; 279\| } 280\| } Error: RESOURCE_LEAK (CWE-772): [#def20] shadow-4.8.1/src/newgrp.c:162: alloc_fn: Storage is returned from allocation function "xgetspnam". shadow-4.8.1/src/newgrp.c:162: var_assign: Assigning: "spwd" = storage returned from "xgetspnam(pwd->pw_name)". shadow-4.8.1/src/newgrp.c:234: leaked_storage: Variable "spwd" going out of scope leaks the storage it points to. 232\| } 233\| 234\|-> return; 235\| 236\| failure: Error: RESOURCE_LEAK (CWE-772): [#def21] shadow-4.8.1/src/passwd.c:530: alloc_fn: Storage is returned from allocation function "xstrdup". shadow-4.8.1/src/passwd.c:530: var_assign: Assigning: "cp" = storage returned from "xstrdup(crypt_passwd)". shadow-4.8.1/src/passwd.c:551: noescape: Resource "cp" is not freed or pointed-to in "strlen". shadow-4.8.1/src/passwd.c:554: noescape: Resource "cp" is not freed or pointed-to in "strcat". [Note: The source code implementation of the function has been overridden by a builtin model.] shadow-4.8.1/src/passwd.c:555: overwrite_var: Overwriting "cp" in "cp = newpw" leaks the storage that "cp" points to. 553\| strcpy (newpw, "!"); 554\| strcat (newpw, cp); 555\|-> cp = newpw; 556\| } 557\| return cp; 2021-06-14 16:09:48 +05:30			`gr_free (grent);`
* libmisc/chowntty.c: Avoid assignments in comparisons. * libmisc/chowntty.c: Avoid implicit conversion of pointers to booleans. * libmisc/chowntty.c: Add brackets and parenthesis. 2008-06-13 23:59:02 +05:30			`} else {`
* libmisc/getgr_nam_gid.c: Added support for NULL argument. * libmisc/chowntty.c: Reuse getgr_nam_gid(), and get rid of atol(). 2009-04-11 21:53:21 +05:30			`gid = info->pw_gid;`
* libmisc/chowntty.c: Avoid assignments in comparisons. * libmisc/chowntty.c: Avoid implicit conversion of pointers to booleans. * libmisc/chowntty.c: Add brackets and parenthesis. 2008-06-13 23:59:02 +05:30			`}`
[svn-upgrade] Integrating new upstream version, shadow (19990709) 2007-10-07 17:14:02 +05:30
			`/*`
			`* Change the permissions on the TTY to be owned by the user with`
			`* the group as determined above.`
			`*/`

* NEWS, libmisc/chowntty.c: Fix a race condition that could lead to gaining ownership or changing mode of arbitrary files. 2008-11-23 04:52:16 +05:30			`if ( (fchown (STDIN_FILENO, info->pw_uid, gid) != 0)`
Remove superfluous casts - Every non-const pointer converts automatically to void . - Every pointer converts automatically to void . - void * converts to any other pointer. - const void * converts to any other const pointer. - Integer variables convert to each other. I changed the declaration of a few variables in order to allow removing a cast. However, I didn't attempt to edit casts inside comparisons, since they are very delicate. I also kept casts in variadic functions, since they are necessary, and in allocation functions, because I have other plans for them. I also changed a few casts to int that are better as ptrdiff_t. This change has triggered some warnings about const correctness issues, which have also been fixed in this patch (see for example src/login.c). Signed-off-by: Alejandro Colomar <alx@kernel.org> 2023-02-01 18:20:48 +05:30			`\|\| (fchmod (STDIN_FILENO, getdef_num ("TTYPERM", 0600)) != 0)) {`
[svn-upgrade] Integrating new upstream version, shadow (4.0.0) 2007-10-07 17:14:51 +05:30			`int err = errno;`
Make shadow_logfd and Prog not extern Closes #444 Closes #465 Signed-off-by: Serge Hallyn <serge@hallyn.com> 2021-11-29 05:07:53 +05:30			`FILE *shadow_logfd = log_get_logfd();`
[svn-upgrade] Integrating new upstream version, shadow (4.0.0) 2007-10-07 17:14:51 +05:30
libsubid: don't print error messages on stderr by default Closes #325 Add a new subid_init() function which can be used to specify the stream on which error messages should be printed. (If you want to get fancy you can redirect that to memory :) If subid_init() is not called, use stderr. If NULL is passed, then /dev/null will be used. This patch also fixes up the 'Prog', which previously had to be defined by any program linking against libsubid. Now, by default in libsubid it will show (subid). Once subid_init() is called, it will use the first variable passed to subid_init(). Signed-off-by: Serge Hallyn <serge@hallyn.com> 2021-05-09 04:12:14 +05:30			`fprintf (shadow_logfd,`
* libmisc/chowntty.c: Improve the logs for fchown and fchmod failures. 2008-11-23 05:35:39 +05:30			`_("Unable to change owner or mode of tty stdin: %s"),`
			`strerror (err));`
[svn-upgrade] Integrating new upstream version, shadow (4.0.4) 2007-10-07 17:15:23 +05:30			`SYSLOG ((LOG_WARN,`
* libmisc/chowntty.c: Improve the logs for fchown and fchmod failures. 2008-11-23 05:35:39 +05:30			"unable to change owner or mode of tty stdin for user `%s': %s\n",
			`info->pw_name, strerror (err)));`
* libmisc/chowntty.c: Avoid assignments in comparisons. * libmisc/chowntty.c: Avoid implicit conversion of pointers to booleans. * libmisc/chowntty.c: Add brackets and parenthesis. 2008-06-13 23:59:02 +05:30			`if (EROFS != err) {`
* libmisc/chowntty.c: Only closelog() when failure cause an exit. 2008-11-23 05:36:56 +05:30			`closelog ();`
* lib/exitcodes.h: Define E_SUCCESS as EXIT_SUCCESS. Added FIXMEs. * libmisc/chowntty.c, libmisc/rlogin.c, libmisc/sub.c, src/newusers.c, libmisc/sulog.c, libmisc/system.c, src/logoutd.c, src/groups.c, src/id.c, lib/encrypt.c, libmisc/audit_help.c, libmisc/limits.c: Return EXIT_FAILURE instead of 1, and EXIT_SUCCESS instead of 0. * libmisc/audit_help.c: Replace an fprintf() by fputs(). * libmisc/audit_help.c: Remove documentation of the audit_logger returned values. The function returns void. * libmisc/system.c: Only return status if waitpid succeeded. Return -1 otherwise. 2009-05-01 02:38:49 +05:30			`exit (EXIT_FAILURE);`
* libmisc/chowntty.c: Avoid assignments in comparisons. * libmisc/chowntty.c: Avoid implicit conversion of pointers to booleans. * libmisc/chowntty.c: Add brackets and parenthesis. 2008-06-13 23:59:02 +05:30			`}`
[svn-upgrade] Integrating new upstream version, shadow (19990709) 2007-10-07 17:14:02 +05:30			`}`
			`#ifdef __linux__`
			`/*`
			`* Please don't add code to chown /dev/vcs* to the user logging in -`
			`* it's a potential security hole. I wouldn't like the previous user`
			`* to hold the file descriptor open and watch my screen. We don't`
			`* have the *BSD revoke() system call yet, and vhangup() only works`
			`* for tty devices (which vcs* is not). --marekm`
			`*/`
			`#endif`
			`}`
Make sure every source files are distributed with a copyright and license. Files with no license use the default 3-clauses BSD license. The copyright were mostly not recorded; they were updated according to the Changelog. "Julianne Frances Haugh and contributors" changed to "copyright holders and contributors". 2008-04-27 06:10:09 +05:30