2007-10-07 17:14:02 +05:30
|
|
|
/*
|
|
|
|
* Copyright 1989 - 1994, Julianne Frances Haugh
|
|
|
|
* All rights reserved.
|
|
|
|
*
|
|
|
|
* Redistribution and use in source and binary forms, with or without
|
|
|
|
* modification, are permitted provided that the following conditions
|
|
|
|
* are met:
|
|
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
|
|
* notice, this list of conditions and the following disclaimer.
|
|
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
|
|
* documentation and/or other materials provided with the distribution.
|
|
|
|
* 3. Neither the name of Julianne F. Haugh nor the names of its contributors
|
|
|
|
* may be used to endorse or promote products derived from this software
|
|
|
|
* without specific prior written permission.
|
|
|
|
*
|
|
|
|
* THIS SOFTWARE IS PROVIDED BY JULIE HAUGH AND CONTRIBUTORS ``AS IS'' AND
|
|
|
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
2007-10-07 17:14:59 +05:30
|
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL JULIE HAUGH OR CONTRIBUTORS BE LIABLE
|
2007-10-07 17:14:02 +05:30
|
|
|
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
|
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
|
|
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
|
|
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
|
|
* SUCH DAMAGE.
|
|
|
|
*/
|
2007-10-27 19:20:40 +05:30
|
|
|
/* Some parts substantially derived from an ancestor of: */
|
|
|
|
/* su for GNU. Run a shell with substitute user and group IDs.
|
|
|
|
Copyright (C) 1992-2003 Free Software Foundation, Inc.
|
|
|
|
|
|
|
|
This program is free software; you can redistribute it and/or modify
|
|
|
|
it under the terms of the GNU General Public License as published by
|
|
|
|
the Free Software Foundation; either version 2, or (at your option)
|
|
|
|
any later version.
|
|
|
|
|
|
|
|
This program is distributed in the hope that it will be useful,
|
|
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
GNU General Public License for more details.
|
|
|
|
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
|
|
along with this program; if not, write to the Free Software Foundation,
|
|
|
|
Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */
|
|
|
|
|
2007-10-07 17:14:02 +05:30
|
|
|
|
|
|
|
#include <config.h>
|
|
|
|
|
2007-11-11 05:16:11 +05:30
|
|
|
#ident "$Id$"
|
2007-10-07 17:17:01 +05:30
|
|
|
|
2007-10-07 17:17:11 +05:30
|
|
|
#include <getopt.h>
|
2007-10-07 17:16:34 +05:30
|
|
|
#include <grp.h>
|
|
|
|
#include <pwd.h>
|
|
|
|
#include <signal.h>
|
2007-10-07 17:14:02 +05:30
|
|
|
#include <stdio.h>
|
2007-10-07 17:16:34 +05:30
|
|
|
#include <sys/types.h>
|
2007-10-07 17:14:02 +05:30
|
|
|
#include "prototypes.h"
|
|
|
|
#include "defines.h"
|
2007-10-07 17:17:11 +05:30
|
|
|
#include "exitcodes.h"
|
2007-10-07 17:14:02 +05:30
|
|
|
#include "pwauth.h"
|
|
|
|
#include "getdef.h"
|
2007-10-07 17:16:34 +05:30
|
|
|
#ifdef USE_PAM
|
|
|
|
#include "pam_defs.h"
|
|
|
|
#endif
|
2007-10-07 17:14:02 +05:30
|
|
|
/*
|
|
|
|
* Assorted #defines to control su's behavior
|
|
|
|
*/
|
|
|
|
/*
|
|
|
|
* Global variables
|
|
|
|
*/
|
2007-10-07 17:14:14 +05:30
|
|
|
/* not needed by sulog.c anymore */
|
|
|
|
static char name[BUFSIZ];
|
|
|
|
static char oldname[BUFSIZ];
|
2007-10-07 17:14:02 +05:30
|
|
|
|
2007-10-07 17:17:11 +05:30
|
|
|
/* If nonzero, change some environment vars to indicate the user su'd to. */
|
|
|
|
static int change_environment;
|
2007-10-07 17:16:34 +05:30
|
|
|
|
2007-10-07 17:17:11 +05:30
|
|
|
#ifdef USE_PAM
|
2007-10-07 17:16:34 +05:30
|
|
|
static pam_handle_t *pamh = NULL;
|
|
|
|
static int caught = 0;
|
|
|
|
#endif
|
2007-10-07 17:14:02 +05:30
|
|
|
|
2007-10-07 17:16:34 +05:30
|
|
|
static char *Prog;
|
2007-10-07 17:15:14 +05:30
|
|
|
extern struct passwd pwent;
|
2007-10-07 17:14:02 +05:30
|
|
|
|
|
|
|
/*
|
|
|
|
* External identifiers
|
|
|
|
*/
|
|
|
|
|
|
|
|
extern char **newenvp;
|
|
|
|
extern char **environ;
|
2007-10-07 17:16:34 +05:30
|
|
|
extern size_t newenvc;
|
2007-10-07 17:14:02 +05:30
|
|
|
|
|
|
|
/* local function prototypes */
|
|
|
|
|
|
|
|
#ifndef USE_PAM
|
|
|
|
|
2007-10-07 17:14:59 +05:30
|
|
|
static RETSIGTYPE die (int);
|
|
|
|
static int iswheel (const char *);
|
2007-10-07 17:14:02 +05:30
|
|
|
|
|
|
|
/*
|
|
|
|
* die - set or reset termio modes.
|
|
|
|
*
|
2007-10-07 17:14:59 +05:30
|
|
|
* die() is called before processing begins. signal() is then called
|
|
|
|
* with die() as the signal handler. If signal later calls die() with a
|
|
|
|
* signal number, the terminal modes are then reset.
|
2007-10-07 17:14:02 +05:30
|
|
|
*/
|
2007-10-07 17:14:59 +05:30
|
|
|
static RETSIGTYPE die (int killed)
|
2007-10-07 17:14:02 +05:30
|
|
|
{
|
|
|
|
static TERMIO sgtty;
|
|
|
|
|
|
|
|
if (killed)
|
2007-10-07 17:14:59 +05:30
|
|
|
STTY (0, &sgtty);
|
2007-10-07 17:14:02 +05:30
|
|
|
else
|
2007-10-07 17:14:59 +05:30
|
|
|
GTTY (0, &sgtty);
|
2007-10-07 17:14:02 +05:30
|
|
|
|
|
|
|
if (killed) {
|
2007-10-07 17:14:59 +05:30
|
|
|
closelog ();
|
|
|
|
exit (killed);
|
2007-10-07 17:14:02 +05:30
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2007-10-07 17:14:59 +05:30
|
|
|
static int iswheel (const char *username)
|
2007-10-07 17:14:02 +05:30
|
|
|
{
|
|
|
|
struct group *grp;
|
|
|
|
|
* lib/prototypes.h, configure.in, libmisc/Makefile.am,
libmisc/xgetXXbyYY.c, libmisc/xgetpwnam.c, libmisc/xgetpwuid.c,
libmisc/xgetgrnam.c, libmisc/xgetgrgid.c, libmisc/xgetspnam.c:
Added functions xgetpwnam(), xgetpwuid(), xgetgrnam(),
xgetgrgid(), and xgetspnam(). They allocate memory for the
returned structure and are more robust to successive calls. They
are implemented with the libc's getxxyyy_r() functions if
available.
* libmisc/limits.c, libmisc/entry.c, libmisc/chowntty.c,
libmisc/addgrps.c, libmisc/myname.c, libmisc/rlogin.c,
libmisc/pwdcheck.c, src/newgrp.c, src/login_nopam.c,
src/userdel.c, src/lastlog.c, src/grpck.c, src/gpasswd.c,
src/newusers.c, src/chpasswd.c, src/chfn.c, src/groupmems.c,
src/usermod.c, src/expiry.c, src/groupdel.c, src/chgpasswd.c,
src/su.c, src/useradd.c, src/groupmod.c, src/passwd.c, src/pwck.c,
src/groupadd.c, src/chage.c, src/login.c, src/suauth.c,
src/faillog.c, src/groups.c, src/chsh.c, src/id.c: Review all the
usage of one of the getpwnam(), getpwuid(), getgrnam(),
getgrgid(), and getspnam() functions. It was noticed on
http://bugs.debian.org/341230 that chfn and chsh use a passwd
structure after calling a pam function, which result in using
information from the passwd structure requested by pam, not the
original one. It is much easier to use the new xget... functions
to avoid these issues. I've checked which call to the original
get... functions could be left (reducing the scope of the
structure if possible), and I've left comments to ease future
reviews (e.g. /* local, no need for xgetpwnam */).
Note: the getpwent/getgrent calls should probably be checked also.
* src/groupdel.c, src/expiry.c: Fix typos in comments.
* src/groupmod.c: Re-indent.
* libmisc/Makefile.am, lib/groupmem.c, lib/groupio.c, lib/pwmem.c,
lib/pwio.c, lib/shadowmem.c, lib/shadowio.c: Move the __<xx>_dup
functions (used by the xget... functions) from the <xx>io.c files
to the new <xx>mem.c files. This avoid linking some utils against
the SELinux library.
2007-11-19 04:45:26 +05:30
|
|
|
grp = getgrnam ("wheel"); /* !USE_PAM, no need for xgetgrnam */
|
2007-10-07 17:14:02 +05:30
|
|
|
if (!grp || !grp->gr_mem)
|
|
|
|
return 0;
|
2007-10-07 17:14:59 +05:30
|
|
|
return is_on_list (grp->gr_mem, username);
|
2007-10-07 17:14:02 +05:30
|
|
|
}
|
2007-10-07 17:14:59 +05:30
|
|
|
#endif /* !USE_PAM */
|
2007-10-07 17:14:02 +05:30
|
|
|
|
2007-10-07 17:17:11 +05:30
|
|
|
/* borrowed from GNU sh-utils' "su.c" */
|
|
|
|
static int restricted_shell (const char *shellstr)
|
|
|
|
{
|
|
|
|
char *line;
|
|
|
|
|
|
|
|
setusershell ();
|
|
|
|
while ((line = getusershell ()) != NULL) {
|
|
|
|
if (*line != '#' && strcmp (line, shellstr) == 0) {
|
|
|
|
endusershell ();
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
endusershell ();
|
|
|
|
return 1;
|
|
|
|
}
|
2007-10-07 17:14:02 +05:30
|
|
|
|
2007-10-07 17:14:59 +05:30
|
|
|
static void su_failure (const char *tty)
|
2007-10-07 17:14:02 +05:30
|
|
|
{
|
2007-10-07 17:14:59 +05:30
|
|
|
sulog (tty, 0, oldname, name); /* log failed attempt */
|
2007-10-07 17:14:02 +05:30
|
|
|
#ifdef USE_SYSLOG
|
2007-10-07 17:14:59 +05:30
|
|
|
if (getdef_bool ("SYSLOG_SU_ENAB"))
|
|
|
|
SYSLOG ((pwent.pw_uid ? LOG_INFO : LOG_NOTICE,
|
2007-10-07 17:16:25 +05:30
|
|
|
"- %s %s:%s", tty,
|
2007-10-07 17:16:07 +05:30
|
|
|
oldname[0] ? oldname : "???", name[0] ? name : "???"));
|
2007-10-07 17:14:59 +05:30
|
|
|
closelog ();
|
2007-10-07 17:14:02 +05:30
|
|
|
#endif
|
2007-10-07 17:14:59 +05:30
|
|
|
exit (1);
|
2007-10-07 17:14:02 +05:30
|
|
|
}
|
|
|
|
|
2007-10-07 17:15:40 +05:30
|
|
|
|
2007-10-07 17:16:34 +05:30
|
|
|
#ifdef USE_PAM
|
2007-10-07 17:15:40 +05:30
|
|
|
/* Signal handler for parent process later */
|
2007-10-07 17:17:22 +05:30
|
|
|
static void catch_signals (int sig)
|
2007-10-07 17:15:40 +05:30
|
|
|
{
|
|
|
|
++caught;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* This I ripped out of su.c from sh-utils after the Mandrake pam patch
|
|
|
|
* have been applied. Some work was needed to get it integrated into
|
|
|
|
* su.c from shadow.
|
|
|
|
*/
|
2007-10-07 17:17:22 +05:30
|
|
|
static void run_shell (const char *shellstr, char *args[], int doshell,
|
|
|
|
char *const envp[])
|
2007-10-07 17:15:40 +05:30
|
|
|
{
|
|
|
|
int child;
|
|
|
|
sigset_t ourset;
|
|
|
|
int status;
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
child = fork ();
|
|
|
|
if (child == 0) { /* child shell */
|
2007-11-17 22:49:44 +05:30
|
|
|
/*
|
|
|
|
* PAM_DATA_SILENT is not supported by some modules, and
|
|
|
|
* there is no strong need to clean up the process space's
|
|
|
|
* memory since we will either call exec or exit.
|
|
|
|
pam_end (pamh, PAM_SUCCESS | PAM_DATA_SILENT);
|
|
|
|
*/
|
2007-10-07 17:15:40 +05:30
|
|
|
|
|
|
|
if (doshell)
|
2007-10-07 17:17:22 +05:30
|
|
|
(void) shell (shellstr, (char *) args[0], envp);
|
2007-10-07 17:15:40 +05:30
|
|
|
else
|
2007-10-07 17:17:22 +05:30
|
|
|
(void) execve (shellstr, (char **) args, envp);
|
|
|
|
exit (errno == ENOENT ? E_CMD_NOTFOUND : E_CMD_NOEXEC);
|
2007-10-07 17:15:40 +05:30
|
|
|
} else if (child == -1) {
|
2007-10-07 17:16:07 +05:30
|
|
|
(void) fprintf (stderr, "%s: Cannot fork user shell\n", Prog);
|
2007-10-07 17:17:11 +05:30
|
|
|
SYSLOG ((LOG_WARN, "Cannot execute %s", shellstr));
|
2007-10-07 17:15:40 +05:30
|
|
|
closelog ();
|
|
|
|
exit (1);
|
|
|
|
}
|
|
|
|
/* parent only */
|
|
|
|
sigfillset (&ourset);
|
|
|
|
if (sigprocmask (SIG_BLOCK, &ourset, NULL)) {
|
|
|
|
(void) fprintf (stderr, "%s: signal malfunction\n", Prog);
|
|
|
|
caught = 1;
|
|
|
|
}
|
|
|
|
if (!caught) {
|
|
|
|
struct sigaction action;
|
|
|
|
|
2007-10-07 17:17:22 +05:30
|
|
|
action.sa_handler = catch_signals;
|
2007-10-07 17:15:40 +05:30
|
|
|
sigemptyset (&action.sa_mask);
|
|
|
|
action.sa_flags = 0;
|
|
|
|
sigemptyset (&ourset);
|
|
|
|
|
|
|
|
if (sigaddset (&ourset, SIGTERM)
|
|
|
|
|| sigaddset (&ourset, SIGALRM)
|
|
|
|
|| sigaction (SIGTERM, &action, NULL)
|
|
|
|
|| sigprocmask (SIG_UNBLOCK, &ourset, NULL)
|
|
|
|
) {
|
|
|
|
fprintf (stderr,
|
|
|
|
"%s: signal masking malfunction\n", Prog);
|
|
|
|
caught = 1;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!caught) {
|
|
|
|
do {
|
|
|
|
int pid;
|
|
|
|
|
|
|
|
pid = waitpid (-1, &status, WUNTRACED);
|
|
|
|
|
|
|
|
if (WIFSTOPPED (status)) {
|
|
|
|
kill (getpid (), SIGSTOP);
|
|
|
|
/* once we get here, we must have resumed */
|
|
|
|
kill (pid, SIGCONT);
|
|
|
|
}
|
|
|
|
} while (WIFSTOPPED (status));
|
|
|
|
}
|
|
|
|
|
|
|
|
if (caught) {
|
|
|
|
fprintf (stderr, "\nSession terminated, killing shell...");
|
|
|
|
kill (child, SIGTERM);
|
|
|
|
}
|
|
|
|
|
|
|
|
ret = pam_close_session (pamh, 0);
|
|
|
|
if (ret != PAM_SUCCESS) {
|
|
|
|
SYSLOG ((LOG_ERR, "pam_close_session: %s",
|
|
|
|
pam_strerror (pamh, ret)));
|
2007-10-07 17:17:01 +05:30
|
|
|
fprintf (stderr, _("%s: %s\n"), Prog, pam_strerror (pamh, ret));
|
2007-10-07 17:15:40 +05:30
|
|
|
pam_end (pamh, ret);
|
|
|
|
exit (1);
|
|
|
|
}
|
|
|
|
|
|
|
|
ret = pam_end (pamh, PAM_SUCCESS);
|
|
|
|
|
|
|
|
if (caught) {
|
|
|
|
sleep (2);
|
|
|
|
kill (child, SIGKILL);
|
|
|
|
fprintf (stderr, " ...killed.\n");
|
|
|
|
exit (-1);
|
|
|
|
}
|
|
|
|
|
2007-10-07 17:17:33 +05:30
|
|
|
exit (WIFEXITED (status)
|
|
|
|
? WEXITSTATUS (status)
|
|
|
|
: WTERMSIG (status) + 128);
|
2007-10-07 17:15:40 +05:30
|
|
|
}
|
|
|
|
#endif
|
2007-10-07 17:14:02 +05:30
|
|
|
|
2007-10-07 17:17:11 +05:30
|
|
|
/*
|
|
|
|
* usage - print command line syntax and exit
|
|
|
|
*/
|
|
|
|
static void usage (void)
|
|
|
|
{
|
2007-10-07 17:17:57 +05:30
|
|
|
fprintf (stderr, _("Usage: su [options] [LOGIN]\n"
|
2007-10-07 17:17:11 +05:30
|
|
|
"\n"
|
|
|
|
"Options:\n"
|
2007-11-25 04:11:24 +05:30
|
|
|
" -c, --command COMMAND pass COMMAND to the invoked shell\n"
|
|
|
|
" -h, --help display this help message and exit\n"
|
|
|
|
" -, -l, --login make the shell a login shell\n"
|
2007-10-07 17:17:11 +05:30
|
|
|
" -m, -p,\n"
|
2007-11-25 04:11:24 +05:30
|
|
|
" --preserve-environment do not reset environment variables, and\n"
|
|
|
|
" keep the same shell\n"
|
|
|
|
" -s, --shell SHELL use SHELL instead of the default in passwd\n"
|
2007-10-07 17:17:45 +05:30
|
|
|
"\n"));
|
2007-10-07 17:17:11 +05:30
|
|
|
exit (E_USAGE);
|
|
|
|
}
|
|
|
|
|
2007-10-07 17:14:02 +05:30
|
|
|
/*
|
|
|
|
* su - switch user id
|
|
|
|
*
|
2007-10-07 17:14:59 +05:30
|
|
|
* su changes the user's ids to the values for the specified user. if
|
|
|
|
* no new user name is specified, "root" is used by default.
|
2007-10-07 17:14:02 +05:30
|
|
|
*
|
2007-10-07 17:14:59 +05:30
|
|
|
* Any additional arguments are passed to the user's shell. In
|
|
|
|
* particular, the argument "-c" will cause the next argument to be
|
|
|
|
* interpreted as a command by the common shell programs.
|
2007-10-07 17:14:02 +05:30
|
|
|
*/
|
2007-10-07 17:14:59 +05:30
|
|
|
int main (int argc, char **argv)
|
2007-10-07 17:14:02 +05:30
|
|
|
{
|
2007-10-07 17:14:59 +05:30
|
|
|
char *cp;
|
|
|
|
const char *tty = 0; /* Name of tty SU is run from */
|
|
|
|
int doshell = 0;
|
|
|
|
int fakelogin = 0;
|
|
|
|
int amroot = 0;
|
2007-10-07 17:14:02 +05:30
|
|
|
uid_t my_uid;
|
2007-10-07 17:14:59 +05:30
|
|
|
struct passwd *pw = 0;
|
|
|
|
char **envp = environ;
|
2007-10-07 17:17:22 +05:30
|
|
|
char *shellstr = 0, *command = 0;
|
2007-10-07 17:14:59 +05:30
|
|
|
|
2007-10-07 17:14:02 +05:30
|
|
|
#ifdef USE_PAM
|
2007-10-07 17:17:57 +05:30
|
|
|
char **envcp;
|
2007-10-07 17:14:02 +05:30
|
|
|
int ret;
|
2007-10-07 17:14:59 +05:30
|
|
|
#else /* !USE_PAM */
|
2007-10-07 17:17:22 +05:30
|
|
|
int err = 0;
|
|
|
|
|
2007-10-07 17:14:59 +05:30
|
|
|
RETSIGTYPE (*oldsig) ();
|
2007-10-07 17:14:02 +05:30
|
|
|
int is_console = 0;
|
2007-10-07 17:14:59 +05:30
|
|
|
|
|
|
|
struct spwd *spwd = 0;
|
2007-10-07 17:16:25 +05:30
|
|
|
|
2007-10-07 17:14:02 +05:30
|
|
|
#ifdef SU_ACCESS
|
|
|
|
char *oldpass;
|
|
|
|
#endif
|
2007-10-07 17:14:59 +05:30
|
|
|
#endif /* !USE_PAM */
|
2007-10-07 17:14:02 +05:30
|
|
|
|
2007-10-07 17:14:59 +05:30
|
|
|
sanitize_env ();
|
2007-10-07 17:14:02 +05:30
|
|
|
|
2007-10-07 17:14:59 +05:30
|
|
|
setlocale (LC_ALL, "");
|
|
|
|
bindtextdomain (PACKAGE, LOCALEDIR);
|
|
|
|
textdomain (PACKAGE);
|
2007-10-07 17:14:02 +05:30
|
|
|
|
2007-10-07 17:17:11 +05:30
|
|
|
change_environment = 1;
|
|
|
|
|
2007-10-07 17:14:02 +05:30
|
|
|
/*
|
2007-10-07 17:14:59 +05:30
|
|
|
* Get the program name. The program name is used as a prefix to
|
|
|
|
* most error messages.
|
2007-10-07 17:14:02 +05:30
|
|
|
*/
|
2007-10-07 17:14:59 +05:30
|
|
|
Prog = Basename (argv[0]);
|
2007-10-07 17:14:02 +05:30
|
|
|
|
2007-10-07 17:14:59 +05:30
|
|
|
OPENLOG ("su");
|
2007-10-07 17:14:02 +05:30
|
|
|
|
2007-10-07 17:17:11 +05:30
|
|
|
/*
|
|
|
|
* Process the command line arguments.
|
|
|
|
*/
|
|
|
|
|
|
|
|
{
|
|
|
|
/*
|
|
|
|
* Parse the command line options.
|
|
|
|
*/
|
|
|
|
int option_index = 0;
|
|
|
|
int c;
|
|
|
|
static struct option long_options[] = {
|
2007-10-07 17:17:22 +05:30
|
|
|
{"command", required_argument, NULL, 'c'},
|
2007-10-07 17:17:11 +05:30
|
|
|
{"help", no_argument, NULL, 'h'},
|
|
|
|
{"login", no_argument, NULL, 'l'},
|
|
|
|
{"preserve-environment", no_argument, NULL, 'p'},
|
|
|
|
{"shell", required_argument, NULL, 's'},
|
|
|
|
{NULL, 0, NULL, '\0'}
|
|
|
|
};
|
|
|
|
|
|
|
|
while ((c =
|
2007-10-07 17:17:22 +05:30
|
|
|
getopt_long (argc, argv, "-c:hlmps:", long_options,
|
2007-10-07 17:17:11 +05:30
|
|
|
&option_index)) != -1) {
|
|
|
|
switch (c) {
|
|
|
|
case 1:
|
|
|
|
/* this is not an su option */
|
|
|
|
/* The next arguments are either '-', the
|
|
|
|
* target name, or arguments to be passed
|
|
|
|
* to the shell.
|
|
|
|
*/
|
|
|
|
/* rewind the (not yet handled) option */
|
|
|
|
optind--;
|
|
|
|
goto end_su_options;
|
|
|
|
break; /* NOT REACHED */
|
2007-10-07 17:17:22 +05:30
|
|
|
case 'c':
|
|
|
|
command = optarg;
|
|
|
|
break;
|
2007-10-07 17:17:11 +05:30
|
|
|
case 'h':
|
|
|
|
usage ();
|
|
|
|
break;
|
|
|
|
case 'l':
|
|
|
|
fakelogin = 1;
|
|
|
|
break;
|
|
|
|
case 'm':
|
|
|
|
case 'p':
|
|
|
|
/* This will only have an effect if the target
|
|
|
|
* user do not have a restricted shell, or if
|
|
|
|
* su is called by root.
|
|
|
|
*/
|
|
|
|
change_environment = 0;
|
|
|
|
break;
|
|
|
|
case 's':
|
|
|
|
shellstr = optarg;
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
usage (); /* NOT REACHED */
|
|
|
|
}
|
|
|
|
}
|
|
|
|
end_su_options:
|
|
|
|
if (optind < argc && !strcmp (argv[optind], "-")) {
|
|
|
|
fakelogin = 1;
|
|
|
|
optind++;
|
|
|
|
if (optind < argc && !strcmp (argv[optind], "--"))
|
|
|
|
optind++;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2007-10-07 17:14:59 +05:30
|
|
|
initenv ();
|
2007-10-07 17:14:02 +05:30
|
|
|
|
2007-10-07 17:14:59 +05:30
|
|
|
my_uid = getuid ();
|
2007-10-07 17:14:02 +05:30
|
|
|
amroot = (my_uid == 0);
|
|
|
|
|
|
|
|
/*
|
2007-10-07 17:14:59 +05:30
|
|
|
* Get the tty name. Entries will be logged indicating that the user
|
|
|
|
* tried to change to the named new user from the current terminal.
|
2007-10-07 17:14:02 +05:30
|
|
|
*/
|
2007-10-07 17:14:59 +05:30
|
|
|
if (isatty (0) && (cp = ttyname (0))) {
|
2007-10-07 17:14:02 +05:30
|
|
|
if (strncmp (cp, "/dev/", 5) == 0)
|
|
|
|
tty = cp + 5;
|
|
|
|
else
|
|
|
|
tty = cp;
|
|
|
|
#ifndef USE_PAM
|
2007-10-07 17:14:59 +05:30
|
|
|
is_console = console (tty);
|
2007-10-07 17:14:02 +05:30
|
|
|
#endif
|
|
|
|
} else {
|
|
|
|
/*
|
|
|
|
* Be more paranoid, like su from SimplePAMApps. --marekm
|
|
|
|
*/
|
|
|
|
if (!amroot) {
|
2007-10-07 17:14:59 +05:30
|
|
|
fprintf (stderr,
|
2007-10-07 17:16:07 +05:30
|
|
|
_("%s: must be run from a terminal\n"), Prog);
|
2007-10-07 17:14:59 +05:30
|
|
|
exit (1);
|
2007-10-07 17:14:02 +05:30
|
|
|
}
|
|
|
|
tty = "???";
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
2007-10-07 17:14:59 +05:30
|
|
|
* The next argument must be either a user ID, or some flag to a
|
|
|
|
* subshell. Pretty sticky since you can't have an argument which
|
|
|
|
* doesn't start with a "-" unless you specify the new user name.
|
|
|
|
* Any remaining arguments will be passed to the user's login shell.
|
2007-10-07 17:14:02 +05:30
|
|
|
*/
|
2007-10-07 17:17:11 +05:30
|
|
|
if (optind < argc && argv[optind][0] != '-') {
|
|
|
|
STRFCPY (name, argv[optind++]); /* use this login id */
|
|
|
|
if (optind < argc && !strcmp (argv[optind], "--"))
|
|
|
|
optind++;
|
2007-10-07 17:14:02 +05:30
|
|
|
}
|
2007-10-07 17:14:59 +05:30
|
|
|
if (!name[0]) /* use default user ID */
|
2007-10-07 17:14:02 +05:30
|
|
|
(void) strcpy (name, "root");
|
|
|
|
|
2007-10-07 17:17:11 +05:30
|
|
|
doshell = argc == optind; /* any arguments remaining? */
|
2007-10-07 17:17:22 +05:30
|
|
|
if (command)
|
|
|
|
doshell = 0;
|
2007-10-07 17:14:02 +05:30
|
|
|
|
|
|
|
/*
|
2007-10-07 17:14:59 +05:30
|
|
|
* Get the user's real name. The current UID is used to determine
|
|
|
|
* who has executed su. That user ID must exist.
|
2007-10-07 17:14:02 +05:30
|
|
|
*/
|
2007-10-07 17:14:59 +05:30
|
|
|
pw = get_my_pwent ();
|
2007-10-07 17:14:02 +05:30
|
|
|
if (!pw) {
|
2007-10-07 17:14:59 +05:30
|
|
|
SYSLOG ((LOG_CRIT, "Unknown UID: %u", my_uid));
|
|
|
|
su_failure (tty);
|
2007-10-07 17:14:02 +05:30
|
|
|
}
|
2007-10-07 17:14:59 +05:30
|
|
|
STRFCPY (oldname, pw->pw_name);
|
2007-10-07 17:14:02 +05:30
|
|
|
|
|
|
|
#ifndef USE_PAM
|
|
|
|
#ifdef SU_ACCESS
|
|
|
|
/*
|
|
|
|
* Sort out the password of user calling su, in case needed later
|
|
|
|
* -- chris
|
|
|
|
*/
|
* lib/prototypes.h, configure.in, libmisc/Makefile.am,
libmisc/xgetXXbyYY.c, libmisc/xgetpwnam.c, libmisc/xgetpwuid.c,
libmisc/xgetgrnam.c, libmisc/xgetgrgid.c, libmisc/xgetspnam.c:
Added functions xgetpwnam(), xgetpwuid(), xgetgrnam(),
xgetgrgid(), and xgetspnam(). They allocate memory for the
returned structure and are more robust to successive calls. They
are implemented with the libc's getxxyyy_r() functions if
available.
* libmisc/limits.c, libmisc/entry.c, libmisc/chowntty.c,
libmisc/addgrps.c, libmisc/myname.c, libmisc/rlogin.c,
libmisc/pwdcheck.c, src/newgrp.c, src/login_nopam.c,
src/userdel.c, src/lastlog.c, src/grpck.c, src/gpasswd.c,
src/newusers.c, src/chpasswd.c, src/chfn.c, src/groupmems.c,
src/usermod.c, src/expiry.c, src/groupdel.c, src/chgpasswd.c,
src/su.c, src/useradd.c, src/groupmod.c, src/passwd.c, src/pwck.c,
src/groupadd.c, src/chage.c, src/login.c, src/suauth.c,
src/faillog.c, src/groups.c, src/chsh.c, src/id.c: Review all the
usage of one of the getpwnam(), getpwuid(), getgrnam(),
getgrgid(), and getspnam() functions. It was noticed on
http://bugs.debian.org/341230 that chfn and chsh use a passwd
structure after calling a pam function, which result in using
information from the passwd structure requested by pam, not the
original one. It is much easier to use the new xget... functions
to avoid these issues. I've checked which call to the original
get... functions could be left (reducing the scope of the
structure if possible), and I've left comments to ease future
reviews (e.g. /* local, no need for xgetpwnam */).
Note: the getpwent/getgrent calls should probably be checked also.
* src/groupdel.c, src/expiry.c: Fix typos in comments.
* src/groupmod.c: Re-indent.
* libmisc/Makefile.am, lib/groupmem.c, lib/groupio.c, lib/pwmem.c,
lib/pwio.c, lib/shadowmem.c, lib/shadowio.c: Move the __<xx>_dup
functions (used by the xget... functions) from the <xx>io.c files
to the new <xx>mem.c files. This avoid linking some utils against
the SELinux library.
2007-11-19 04:45:26 +05:30
|
|
|
if ((spwd = getspnam (oldname))) /* !USE_PAM, no need for xgetspnam */
|
2007-10-07 17:14:02 +05:30
|
|
|
pw->pw_passwd = spwd->sp_pwdp;
|
2007-10-07 17:14:59 +05:30
|
|
|
oldpass = xstrdup (pw->pw_passwd);
|
|
|
|
#endif /* SU_ACCESS */
|
2007-10-07 17:14:02 +05:30
|
|
|
|
2007-10-07 17:14:59 +05:30
|
|
|
#else /* USE_PAM */
|
|
|
|
ret = pam_start ("su", name, &conv, &pamh);
|
2007-10-07 17:14:02 +05:30
|
|
|
if (ret != PAM_SUCCESS) {
|
2007-10-07 17:14:59 +05:30
|
|
|
SYSLOG ((LOG_ERR, "pam_start: error %d", ret);
|
|
|
|
fprintf (stderr, _("%s: pam_start: error %d\n"),
|
|
|
|
Prog, ret));
|
|
|
|
exit (1);
|
2007-10-07 17:14:02 +05:30
|
|
|
}
|
|
|
|
|
2007-10-07 17:14:59 +05:30
|
|
|
ret = pam_set_item (pamh, PAM_TTY, (const void *) tty);
|
2007-10-07 17:14:02 +05:30
|
|
|
if (ret == PAM_SUCCESS)
|
2007-10-07 17:16:07 +05:30
|
|
|
ret = pam_set_item (pamh, PAM_RUSER, (const void *) oldname);
|
2007-10-07 17:14:02 +05:30
|
|
|
if (ret != PAM_SUCCESS) {
|
2007-10-07 17:14:59 +05:30
|
|
|
SYSLOG ((LOG_ERR, "pam_set_item: %s",
|
|
|
|
pam_strerror (pamh, ret)));
|
2007-10-07 17:17:01 +05:30
|
|
|
fprintf (stderr, _("%s: %s\n"), Prog, pam_strerror (pamh, ret));
|
2007-10-07 17:14:59 +05:30
|
|
|
pam_end (pamh, ret);
|
|
|
|
exit (1);
|
2007-10-07 17:14:02 +05:30
|
|
|
}
|
2007-10-07 17:14:59 +05:30
|
|
|
#endif /* USE_PAM */
|
2007-10-07 17:14:02 +05:30
|
|
|
|
2007-10-07 17:14:59 +05:30
|
|
|
top:
|
2007-10-07 17:14:02 +05:30
|
|
|
/*
|
2007-10-07 17:14:59 +05:30
|
|
|
* This is the common point for validating a user whose name is
|
|
|
|
* known. It will be reached either by normal processing, or if the
|
|
|
|
* user is to be logged into a subsystem root.
|
2007-10-07 17:14:02 +05:30
|
|
|
*
|
2007-10-07 17:14:59 +05:30
|
|
|
* The password file entries for the user is gotten and the account
|
|
|
|
* validated.
|
2007-10-07 17:14:02 +05:30
|
|
|
*/
|
* lib/prototypes.h, configure.in, libmisc/Makefile.am,
libmisc/xgetXXbyYY.c, libmisc/xgetpwnam.c, libmisc/xgetpwuid.c,
libmisc/xgetgrnam.c, libmisc/xgetgrgid.c, libmisc/xgetspnam.c:
Added functions xgetpwnam(), xgetpwuid(), xgetgrnam(),
xgetgrgid(), and xgetspnam(). They allocate memory for the
returned structure and are more robust to successive calls. They
are implemented with the libc's getxxyyy_r() functions if
available.
* libmisc/limits.c, libmisc/entry.c, libmisc/chowntty.c,
libmisc/addgrps.c, libmisc/myname.c, libmisc/rlogin.c,
libmisc/pwdcheck.c, src/newgrp.c, src/login_nopam.c,
src/userdel.c, src/lastlog.c, src/grpck.c, src/gpasswd.c,
src/newusers.c, src/chpasswd.c, src/chfn.c, src/groupmems.c,
src/usermod.c, src/expiry.c, src/groupdel.c, src/chgpasswd.c,
src/su.c, src/useradd.c, src/groupmod.c, src/passwd.c, src/pwck.c,
src/groupadd.c, src/chage.c, src/login.c, src/suauth.c,
src/faillog.c, src/groups.c, src/chsh.c, src/id.c: Review all the
usage of one of the getpwnam(), getpwuid(), getgrnam(),
getgrgid(), and getspnam() functions. It was noticed on
http://bugs.debian.org/341230 that chfn and chsh use a passwd
structure after calling a pam function, which result in using
information from the passwd structure requested by pam, not the
original one. It is much easier to use the new xget... functions
to avoid these issues. I've checked which call to the original
get... functions could be left (reducing the scope of the
structure if possible), and I've left comments to ease future
reviews (e.g. /* local, no need for xgetpwnam */).
Note: the getpwent/getgrent calls should probably be checked also.
* src/groupdel.c, src/expiry.c: Fix typos in comments.
* src/groupmod.c: Re-indent.
* libmisc/Makefile.am, lib/groupmem.c, lib/groupio.c, lib/pwmem.c,
lib/pwio.c, lib/shadowmem.c, lib/shadowio.c: Move the __<xx>_dup
functions (used by the xget... functions) from the <xx>io.c files
to the new <xx>mem.c files. This avoid linking some utils against
the SELinux library.
2007-11-19 04:45:26 +05:30
|
|
|
if (!(pw = xgetpwnam (name))) {
|
2007-10-07 17:14:02 +05:30
|
|
|
(void) fprintf (stderr, _("Unknown id: %s\n"), name);
|
2007-10-07 17:14:59 +05:30
|
|
|
closelog ();
|
|
|
|
exit (1);
|
2007-10-07 17:14:02 +05:30
|
|
|
}
|
|
|
|
#ifndef USE_PAM
|
|
|
|
spwd = NULL;
|
2007-10-07 17:14:59 +05:30
|
|
|
if (strcmp (pw->pw_passwd, SHADOW_PASSWD_STRING) == 0
|
* lib/prototypes.h, configure.in, libmisc/Makefile.am,
libmisc/xgetXXbyYY.c, libmisc/xgetpwnam.c, libmisc/xgetpwuid.c,
libmisc/xgetgrnam.c, libmisc/xgetgrgid.c, libmisc/xgetspnam.c:
Added functions xgetpwnam(), xgetpwuid(), xgetgrnam(),
xgetgrgid(), and xgetspnam(). They allocate memory for the
returned structure and are more robust to successive calls. They
are implemented with the libc's getxxyyy_r() functions if
available.
* libmisc/limits.c, libmisc/entry.c, libmisc/chowntty.c,
libmisc/addgrps.c, libmisc/myname.c, libmisc/rlogin.c,
libmisc/pwdcheck.c, src/newgrp.c, src/login_nopam.c,
src/userdel.c, src/lastlog.c, src/grpck.c, src/gpasswd.c,
src/newusers.c, src/chpasswd.c, src/chfn.c, src/groupmems.c,
src/usermod.c, src/expiry.c, src/groupdel.c, src/chgpasswd.c,
src/su.c, src/useradd.c, src/groupmod.c, src/passwd.c, src/pwck.c,
src/groupadd.c, src/chage.c, src/login.c, src/suauth.c,
src/faillog.c, src/groups.c, src/chsh.c, src/id.c: Review all the
usage of one of the getpwnam(), getpwuid(), getgrnam(),
getgrgid(), and getspnam() functions. It was noticed on
http://bugs.debian.org/341230 that chfn and chsh use a passwd
structure after calling a pam function, which result in using
information from the passwd structure requested by pam, not the
original one. It is much easier to use the new xget... functions
to avoid these issues. I've checked which call to the original
get... functions could be left (reducing the scope of the
structure if possible), and I've left comments to ease future
reviews (e.g. /* local, no need for xgetpwnam */).
Note: the getpwent/getgrent calls should probably be checked also.
* src/groupdel.c, src/expiry.c: Fix typos in comments.
* src/groupmod.c: Re-indent.
* libmisc/Makefile.am, lib/groupmem.c, lib/groupio.c, lib/pwmem.c,
lib/pwio.c, lib/shadowmem.c, lib/shadowio.c: Move the __<xx>_dup
functions (used by the xget... functions) from the <xx>io.c files
to the new <xx>mem.c files. This avoid linking some utils against
the SELinux library.
2007-11-19 04:45:26 +05:30
|
|
|
&& (spwd = getspnam (name))) /* !USE_PAM, no need for xgetspnam */
|
2007-10-07 17:14:02 +05:30
|
|
|
pw->pw_passwd = spwd->sp_pwdp;
|
2007-10-07 17:14:59 +05:30
|
|
|
#endif /* !USE_PAM */
|
2007-10-07 17:14:02 +05:30
|
|
|
pwent = *pw;
|
|
|
|
|
2007-10-07 17:17:11 +05:30
|
|
|
/* If su is not called by root, and the target user has a restricted
|
|
|
|
* shell, the environment must be changed.
|
|
|
|
*/
|
|
|
|
change_environment |= (restricted_shell (pwent.pw_shell) && !amroot);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* If a new login is being set up, the old environment will be
|
|
|
|
* ignored and a new one created later on.
|
|
|
|
* (note: in the case of a subsystem, the shell will be restricted,
|
|
|
|
* and this won't be executed on the first pass)
|
|
|
|
*/
|
|
|
|
if (fakelogin && change_environment) {
|
|
|
|
/*
|
|
|
|
* The terminal type will be left alone if it is present in
|
|
|
|
* the environment already.
|
|
|
|
*/
|
|
|
|
if ((cp = getenv ("TERM")))
|
|
|
|
addenv ("TERM", cp);
|
|
|
|
#ifndef USE_PAM
|
|
|
|
if ((cp = getdef_str ("ENV_TZ")))
|
|
|
|
addenv (*cp == '/' ? tz (cp) : cp, NULL);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* The clock frequency will be reset to the login value if required
|
|
|
|
*/
|
|
|
|
if ((cp = getdef_str ("ENV_HZ")))
|
|
|
|
addenv (cp, NULL); /* set the default $HZ, if one */
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Also leave DISPLAY and XAUTHORITY if present, else
|
|
|
|
* pam_xauth will not work.
|
|
|
|
*/
|
|
|
|
if ((cp = getenv ("DISPLAY")))
|
|
|
|
addenv ("DISPLAY", cp);
|
|
|
|
if ((cp = getenv ("XAUTHORITY")))
|
|
|
|
addenv ("XAUTHORITY", cp);
|
|
|
|
#endif /* !USE_PAM */
|
|
|
|
} else {
|
|
|
|
while (*envp)
|
|
|
|
addenv (*envp++, NULL);
|
|
|
|
}
|
|
|
|
|
2007-10-07 17:14:02 +05:30
|
|
|
#ifndef USE_PAM
|
|
|
|
/*
|
2007-10-07 17:14:59 +05:30
|
|
|
* BSD systems only allow "wheel" to SU to root. USG systems don't,
|
|
|
|
* so we make this a configurable option.
|
2007-10-07 17:14:02 +05:30
|
|
|
*/
|
|
|
|
|
2007-10-07 17:14:59 +05:30
|
|
|
/* The original Shadow 3.3.2 did this differently. Do it like BSD:
|
|
|
|
*
|
2007-10-07 17:16:25 +05:30
|
|
|
* - check for UID 0 instead of name "root" - there are systems with
|
2007-10-07 17:14:59 +05:30
|
|
|
* several root accounts under different names,
|
|
|
|
*
|
|
|
|
* - check the contents of /etc/group instead of the current group
|
|
|
|
* set (you must be listed as a member, GID 0 is not sufficient).
|
|
|
|
*
|
|
|
|
* In addition to this traditional feature, we now have complete su
|
|
|
|
* access control (allow, deny, no password, own password). Thanks
|
|
|
|
* to Chris Evans <lady0110@sable.ox.ac.uk>.
|
|
|
|
*/
|
2007-10-07 17:14:02 +05:30
|
|
|
|
|
|
|
if (!amroot) {
|
2007-10-07 17:14:59 +05:30
|
|
|
if (pwent.pw_uid == 0 && getdef_bool ("SU_WHEEL_ONLY")
|
|
|
|
&& !iswheel (oldname)) {
|
|
|
|
fprintf (stderr,
|
2007-10-07 17:16:07 +05:30
|
|
|
_("You are not authorized to su %s\n"), name);
|
2007-10-07 17:14:59 +05:30
|
|
|
exit (1);
|
2007-10-07 17:14:02 +05:30
|
|
|
}
|
|
|
|
#ifdef SU_ACCESS
|
2007-10-07 17:14:59 +05:30
|
|
|
switch (check_su_auth (oldname, name)) {
|
|
|
|
case 0: /* normal su, require target user's password */
|
2007-10-07 17:14:02 +05:30
|
|
|
break;
|
2007-10-07 17:14:59 +05:30
|
|
|
case 1: /* require no password */
|
|
|
|
pwent.pw_passwd = ""; /* XXX warning: const */
|
2007-10-07 17:14:02 +05:30
|
|
|
break;
|
2007-10-07 17:14:59 +05:30
|
|
|
case 2: /* require own password */
|
2007-10-07 17:17:11 +05:30
|
|
|
puts (_("(Enter your own password)"));
|
2007-10-07 17:14:02 +05:30
|
|
|
pwent.pw_passwd = oldpass;
|
|
|
|
break;
|
2007-10-07 17:14:59 +05:30
|
|
|
default: /* access denied (-1) or unexpected value */
|
|
|
|
fprintf (stderr,
|
2007-10-07 17:16:07 +05:30
|
|
|
_("You are not authorized to su %s\n"), name);
|
2007-10-07 17:14:59 +05:30
|
|
|
exit (1);
|
2007-10-07 17:14:02 +05:30
|
|
|
}
|
2007-10-07 17:14:59 +05:30
|
|
|
#endif /* SU_ACCESS */
|
2007-10-07 17:14:02 +05:30
|
|
|
}
|
2007-10-07 17:14:59 +05:30
|
|
|
#endif /* !USE_PAM */
|
2007-10-07 17:14:02 +05:30
|
|
|
|
2007-10-07 17:17:11 +05:30
|
|
|
/* If the user do not want to change the environment,
|
|
|
|
* use the current SHELL.
|
|
|
|
* (unless another shell is required by the command line)
|
|
|
|
*/
|
|
|
|
if (shellstr == NULL && change_environment == 0)
|
|
|
|
shellstr = getenv ("SHELL");
|
|
|
|
/* For users with non null UID, if this user has a restricted
|
|
|
|
* shell, the shell must be the one specified in /etc/passwd
|
|
|
|
*/
|
|
|
|
if (shellstr != NULL && !amroot && restricted_shell (pwent.pw_shell))
|
|
|
|
shellstr = NULL;
|
|
|
|
/* If the shell is not set at this time, use the shell specified
|
|
|
|
* in /etc/passwd.
|
|
|
|
*/
|
|
|
|
if (shellstr == NULL)
|
|
|
|
shellstr = (char *) strdup (pwent.pw_shell);
|
|
|
|
|
2007-10-07 17:14:02 +05:30
|
|
|
/*
|
|
|
|
* Set the default shell.
|
|
|
|
*/
|
2007-10-07 17:17:11 +05:30
|
|
|
if (shellstr == NULL || shellstr[0] == '\0')
|
|
|
|
shellstr = "/bin/sh";
|
2007-10-07 17:14:02 +05:30
|
|
|
|
2007-10-07 17:16:34 +05:30
|
|
|
signal (SIGINT, SIG_IGN);
|
|
|
|
signal (SIGQUIT, SIG_IGN);
|
2007-10-07 17:14:02 +05:30
|
|
|
#ifdef USE_PAM
|
2007-10-07 17:14:59 +05:30
|
|
|
ret = pam_authenticate (pamh, 0);
|
2007-10-07 17:14:02 +05:30
|
|
|
if (ret != PAM_SUCCESS) {
|
2007-10-07 17:14:59 +05:30
|
|
|
SYSLOG ((LOG_ERR, "pam_authenticate: %s",
|
|
|
|
pam_strerror (pamh, ret)));
|
2007-10-07 17:17:01 +05:30
|
|
|
fprintf (stderr, _("%s: %s\n"), Prog, pam_strerror (pamh, ret));
|
2007-10-07 17:14:59 +05:30
|
|
|
pam_end (pamh, ret);
|
|
|
|
su_failure (tty);
|
2007-10-07 17:14:02 +05:30
|
|
|
}
|
|
|
|
|
2007-10-07 17:14:59 +05:30
|
|
|
ret = pam_acct_mgmt (pamh, 0);
|
2007-10-07 17:14:02 +05:30
|
|
|
if (ret != PAM_SUCCESS) {
|
|
|
|
if (amroot) {
|
2007-10-07 17:14:59 +05:30
|
|
|
fprintf (stderr, _("%s: %s\n(Ignored)\n"), Prog,
|
|
|
|
pam_strerror (pamh, ret));
|
2007-10-07 17:17:11 +05:30
|
|
|
} else if (ret == PAM_NEW_AUTHTOK_REQD) {
|
|
|
|
ret = pam_chauthtok (pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
|
|
|
|
if (ret != PAM_SUCCESS) {
|
|
|
|
SYSLOG ((LOG_ERR, "pam_chauthtok: %s",
|
|
|
|
pam_strerror (pamh, ret)));
|
|
|
|
fprintf (stderr, _("%s: %s\n"), Prog,
|
|
|
|
pam_strerror (pamh, ret));
|
|
|
|
pam_end (pamh, ret);
|
|
|
|
su_failure (tty);
|
|
|
|
}
|
2007-10-07 17:14:02 +05:30
|
|
|
} else {
|
2007-10-07 17:14:59 +05:30
|
|
|
SYSLOG ((LOG_ERR, "pam_acct_mgmt: %s",
|
|
|
|
pam_strerror (pamh, ret)));
|
2007-10-07 17:17:01 +05:30
|
|
|
fprintf (stderr, _("%s: %s\n"), Prog,
|
2007-10-07 17:14:59 +05:30
|
|
|
pam_strerror (pamh, ret));
|
|
|
|
pam_end (pamh, ret);
|
|
|
|
su_failure (tty);
|
2007-10-07 17:14:02 +05:30
|
|
|
}
|
|
|
|
}
|
2007-10-07 17:14:59 +05:30
|
|
|
#else /* !USE_PAM */
|
2007-10-07 17:14:02 +05:30
|
|
|
/*
|
|
|
|
* Set up a signal handler in case the user types QUIT.
|
|
|
|
*/
|
|
|
|
die (0);
|
|
|
|
oldsig = signal (SIGQUIT, die);
|
|
|
|
|
|
|
|
/*
|
2007-10-07 17:14:59 +05:30
|
|
|
* See if the system defined authentication method is being used.
|
|
|
|
* The first character of an administrator defined method is an '@'
|
|
|
|
* character.
|
2007-10-07 17:14:02 +05:30
|
|
|
*/
|
2007-10-07 17:14:59 +05:30
|
|
|
if (!amroot && pw_auth (pwent.pw_passwd, name, PW_SU, (char *) 0)) {
|
|
|
|
SYSLOG ((pwent.pw_uid ? LOG_NOTICE : LOG_WARN,
|
|
|
|
"Authentication failed for %s", name));
|
|
|
|
su_failure (tty);
|
2007-10-07 17:14:02 +05:30
|
|
|
}
|
|
|
|
signal (SIGQUIT, oldsig);
|
|
|
|
|
|
|
|
/*
|
2007-10-07 17:14:59 +05:30
|
|
|
* Check to see if the account is expired. root gets to ignore any
|
|
|
|
* expired accounts, but normal users can't become a user with an
|
|
|
|
* expired password.
|
2007-10-07 17:14:02 +05:30
|
|
|
*/
|
2007-10-07 17:14:59 +05:30
|
|
|
if (!amroot) {
|
2007-10-07 17:14:02 +05:30
|
|
|
if (!spwd)
|
2007-10-07 17:14:59 +05:30
|
|
|
spwd = pwd_to_spwd (&pwent);
|
2007-10-07 17:14:02 +05:30
|
|
|
|
2007-10-07 17:17:11 +05:30
|
|
|
if (expire (&pwent, spwd)) {
|
* lib/prototypes.h, configure.in, libmisc/Makefile.am,
libmisc/xgetXXbyYY.c, libmisc/xgetpwnam.c, libmisc/xgetpwuid.c,
libmisc/xgetgrnam.c, libmisc/xgetgrgid.c, libmisc/xgetspnam.c:
Added functions xgetpwnam(), xgetpwuid(), xgetgrnam(),
xgetgrgid(), and xgetspnam(). They allocate memory for the
returned structure and are more robust to successive calls. They
are implemented with the libc's getxxyyy_r() functions if
available.
* libmisc/limits.c, libmisc/entry.c, libmisc/chowntty.c,
libmisc/addgrps.c, libmisc/myname.c, libmisc/rlogin.c,
libmisc/pwdcheck.c, src/newgrp.c, src/login_nopam.c,
src/userdel.c, src/lastlog.c, src/grpck.c, src/gpasswd.c,
src/newusers.c, src/chpasswd.c, src/chfn.c, src/groupmems.c,
src/usermod.c, src/expiry.c, src/groupdel.c, src/chgpasswd.c,
src/su.c, src/useradd.c, src/groupmod.c, src/passwd.c, src/pwck.c,
src/groupadd.c, src/chage.c, src/login.c, src/suauth.c,
src/faillog.c, src/groups.c, src/chsh.c, src/id.c: Review all the
usage of one of the getpwnam(), getpwuid(), getgrnam(),
getgrgid(), and getspnam() functions. It was noticed on
http://bugs.debian.org/341230 that chfn and chsh use a passwd
structure after calling a pam function, which result in using
information from the passwd structure requested by pam, not the
original one. It is much easier to use the new xget... functions
to avoid these issues. I've checked which call to the original
get... functions could be left (reducing the scope of the
structure if possible), and I've left comments to ease future
reviews (e.g. /* local, no need for xgetpwnam */).
Note: the getpwent/getgrent calls should probably be checked also.
* src/groupdel.c, src/expiry.c: Fix typos in comments.
* src/groupmod.c: Re-indent.
* libmisc/Makefile.am, lib/groupmem.c, lib/groupio.c, lib/pwmem.c,
lib/pwio.c, lib/shadowmem.c, lib/shadowio.c: Move the __<xx>_dup
functions (used by the xget... functions) from the <xx>io.c files
to the new <xx>mem.c files. This avoid linking some utils against
the SELinux library.
2007-11-19 04:45:26 +05:30
|
|
|
/* !USE_PAM, no need for xgetpwnam */
|
2007-10-07 17:17:11 +05:30
|
|
|
struct passwd *pwd = getpwnam (name);
|
|
|
|
|
* lib/prototypes.h, configure.in, libmisc/Makefile.am,
libmisc/xgetXXbyYY.c, libmisc/xgetpwnam.c, libmisc/xgetpwuid.c,
libmisc/xgetgrnam.c, libmisc/xgetgrgid.c, libmisc/xgetspnam.c:
Added functions xgetpwnam(), xgetpwuid(), xgetgrnam(),
xgetgrgid(), and xgetspnam(). They allocate memory for the
returned structure and are more robust to successive calls. They
are implemented with the libc's getxxyyy_r() functions if
available.
* libmisc/limits.c, libmisc/entry.c, libmisc/chowntty.c,
libmisc/addgrps.c, libmisc/myname.c, libmisc/rlogin.c,
libmisc/pwdcheck.c, src/newgrp.c, src/login_nopam.c,
src/userdel.c, src/lastlog.c, src/grpck.c, src/gpasswd.c,
src/newusers.c, src/chpasswd.c, src/chfn.c, src/groupmems.c,
src/usermod.c, src/expiry.c, src/groupdel.c, src/chgpasswd.c,
src/su.c, src/useradd.c, src/groupmod.c, src/passwd.c, src/pwck.c,
src/groupadd.c, src/chage.c, src/login.c, src/suauth.c,
src/faillog.c, src/groups.c, src/chsh.c, src/id.c: Review all the
usage of one of the getpwnam(), getpwuid(), getgrnam(),
getgrgid(), and getspnam() functions. It was noticed on
http://bugs.debian.org/341230 that chfn and chsh use a passwd
structure after calling a pam function, which result in using
information from the passwd structure requested by pam, not the
original one. It is much easier to use the new xget... functions
to avoid these issues. I've checked which call to the original
get... functions could be left (reducing the scope of the
structure if possible), and I've left comments to ease future
reviews (e.g. /* local, no need for xgetpwnam */).
Note: the getpwent/getgrent calls should probably be checked also.
* src/groupdel.c, src/expiry.c: Fix typos in comments.
* src/groupmod.c: Re-indent.
* libmisc/Makefile.am, lib/groupmem.c, lib/groupio.c, lib/pwmem.c,
lib/pwio.c, lib/shadowmem.c, lib/shadowio.c: Move the __<xx>_dup
functions (used by the xget... functions) from the <xx>io.c files
to the new <xx>mem.c files. This avoid linking some utils against
the SELinux library.
2007-11-19 04:45:26 +05:30
|
|
|
/* !USE_PAM, no need for xgetspnam */
|
2007-10-07 17:17:11 +05:30
|
|
|
spwd = getspnam (name);
|
|
|
|
if (pwd)
|
|
|
|
pwent = *pwd;
|
2007-10-07 17:14:02 +05:30
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
2007-10-07 17:14:59 +05:30
|
|
|
* Check to see if the account permits "su". root gets to ignore any
|
|
|
|
* restricted accounts, but normal users can't become a user if
|
|
|
|
* there is a "SU" entry in the /etc/porttime file denying access to
|
|
|
|
* the account.
|
2007-10-07 17:14:02 +05:30
|
|
|
*/
|
2007-10-07 17:14:59 +05:30
|
|
|
if (!amroot) {
|
|
|
|
if (!isttytime (pwent.pw_name, "SU", time ((time_t *) 0))) {
|
|
|
|
SYSLOG ((pwent.pw_uid ? LOG_WARN : LOG_CRIT,
|
|
|
|
"SU by %s to restricted account %s",
|
|
|
|
oldname, name));
|
|
|
|
su_failure (tty);
|
2007-10-07 17:14:02 +05:30
|
|
|
}
|
|
|
|
}
|
2007-10-07 17:14:59 +05:30
|
|
|
#endif /* !USE_PAM */
|
2007-10-07 17:14:02 +05:30
|
|
|
|
2007-10-07 17:14:59 +05:30
|
|
|
signal (SIGINT, SIG_DFL);
|
2007-10-07 17:16:52 +05:30
|
|
|
signal (SIGQUIT, SIG_DFL);
|
2007-10-07 17:15:23 +05:30
|
|
|
|
2007-10-07 17:16:52 +05:30
|
|
|
cp = getdef_str ((pwent.pw_uid == 0) ? "ENV_SUPATH" : "ENV_PATH");
|
2007-10-07 17:14:14 +05:30
|
|
|
if (!cp) {
|
2007-10-07 17:14:59 +05:30
|
|
|
addenv ("PATH=/bin:/usr/bin", NULL);
|
|
|
|
} else if (strchr (cp, '=')) {
|
|
|
|
addenv (cp, NULL);
|
2007-10-07 17:14:14 +05:30
|
|
|
} else {
|
2007-10-07 17:14:59 +05:30
|
|
|
addenv ("PATH", cp);
|
2007-10-07 17:14:14 +05:30
|
|
|
}
|
2007-10-07 17:14:02 +05:30
|
|
|
|
2007-10-07 17:14:59 +05:30
|
|
|
if (getenv ("IFS")) /* don't export user IFS ... */
|
|
|
|
addenv ("IFS= \t\n", NULL); /* ... instead, set a safe IFS */
|
2007-10-07 17:14:02 +05:30
|
|
|
|
2007-10-07 17:17:11 +05:30
|
|
|
/*
|
|
|
|
* Even if --shell is specified, the subsystem login test is based on
|
|
|
|
* the shell specified in /etc/passwd (not the one specified with
|
|
|
|
* --shell, which will be the one executed in the chroot later).
|
|
|
|
*/
|
2007-10-07 17:14:59 +05:30
|
|
|
if (pwent.pw_shell[0] == '*') { /* subsystem root required */
|
2007-10-07 17:14:51 +05:30
|
|
|
pwent.pw_shell++; /* skip the '*' */
|
2007-10-07 17:14:02 +05:30
|
|
|
subsystem (&pwent); /* figure out what to execute */
|
|
|
|
endpwent ();
|
|
|
|
endspent ();
|
|
|
|
goto top;
|
|
|
|
}
|
|
|
|
|
2007-10-07 17:14:59 +05:30
|
|
|
sulog (tty, 1, oldname, name); /* save SU information */
|
2007-10-07 17:14:02 +05:30
|
|
|
endpwent ();
|
|
|
|
endspent ();
|
|
|
|
#ifdef USE_SYSLOG
|
2007-10-07 17:14:59 +05:30
|
|
|
if (getdef_bool ("SYSLOG_SU_ENAB"))
|
2007-10-07 17:16:25 +05:30
|
|
|
SYSLOG ((LOG_INFO, "+ %s %s:%s", tty,
|
2007-10-07 17:16:07 +05:30
|
|
|
oldname[0] ? oldname : "???", name[0] ? name : "???"));
|
2007-10-07 17:14:02 +05:30
|
|
|
#endif
|
|
|
|
|
|
|
|
#ifdef USE_PAM
|
|
|
|
/* set primary group id and supplementary groups */
|
2007-10-07 17:14:59 +05:30
|
|
|
if (setup_groups (&pwent)) {
|
|
|
|
pam_end (pamh, PAM_ABORT);
|
|
|
|
exit (1);
|
2007-10-07 17:14:02 +05:30
|
|
|
}
|
|
|
|
|
2007-10-07 17:14:59 +05:30
|
|
|
/*
|
|
|
|
* pam_setcred() may do things like resource limits, console groups,
|
|
|
|
* and much more, depending on the configured modules
|
|
|
|
*/
|
|
|
|
ret = pam_setcred (pamh, PAM_ESTABLISH_CRED);
|
2007-10-07 17:14:02 +05:30
|
|
|
if (ret != PAM_SUCCESS) {
|
2007-10-07 17:16:07 +05:30
|
|
|
SYSLOG ((LOG_ERR, "pam_setcred: %s", pam_strerror (pamh, ret)));
|
2007-10-07 17:17:01 +05:30
|
|
|
fprintf (stderr, _("%s: %s\n"), Prog, pam_strerror (pamh, ret));
|
2007-10-07 17:14:59 +05:30
|
|
|
pam_end (pamh, ret);
|
|
|
|
exit (1);
|
2007-10-07 17:14:02 +05:30
|
|
|
}
|
|
|
|
|
2007-10-07 17:15:40 +05:30
|
|
|
ret = pam_open_session (pamh, 0);
|
|
|
|
if (ret != PAM_SUCCESS) {
|
|
|
|
SYSLOG ((LOG_ERR, "pam_open_session: %s",
|
|
|
|
pam_strerror (pamh, ret)));
|
2007-10-07 17:17:01 +05:30
|
|
|
fprintf (stderr, _("%s: %s\n"), Prog, pam_strerror (pamh, ret));
|
2007-10-07 17:17:33 +05:30
|
|
|
pam_setcred (pamh, PAM_DELETE_CRED);
|
2007-10-07 17:15:40 +05:30
|
|
|
pam_end (pamh, ret);
|
|
|
|
exit (1);
|
|
|
|
}
|
|
|
|
|
2007-10-07 17:17:11 +05:30
|
|
|
if (change_environment) {
|
|
|
|
/* we need to setup the environment *after* pam_open_session(),
|
|
|
|
* else the UID is changed before stuff like pam_xauth could
|
|
|
|
* run, and we cannot access /etc/shadow and co
|
|
|
|
*/
|
|
|
|
environ = newenvp; /* make new environment active */
|
|
|
|
|
|
|
|
/* update environment with all pam set variables */
|
|
|
|
envcp = pam_getenvlist (pamh);
|
|
|
|
if (envcp) {
|
|
|
|
while (*envcp) {
|
|
|
|
addenv (*envcp, NULL);
|
|
|
|
envcp++;
|
|
|
|
}
|
2007-10-07 17:15:40 +05:30
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2007-10-07 17:14:02 +05:30
|
|
|
/* become the new user */
|
2007-10-07 17:14:59 +05:30
|
|
|
if (change_uid (&pwent)) {
|
2007-10-07 17:17:33 +05:30
|
|
|
pam_close_session (pamh, 0);
|
2007-10-07 17:14:59 +05:30
|
|
|
pam_setcred (pamh, PAM_DELETE_CRED);
|
|
|
|
pam_end (pamh, PAM_ABORT);
|
|
|
|
exit (1);
|
2007-10-07 17:14:02 +05:30
|
|
|
}
|
2007-10-07 17:14:59 +05:30
|
|
|
#else /* !USE_PAM */
|
2007-10-07 17:17:57 +05:30
|
|
|
environ = newenvp; /* make new environment active */
|
2007-10-13 04:06:26 +05:30
|
|
|
|
|
|
|
/* no limits if su from root (unless su must fake login's behavior) */
|
|
|
|
if (!amroot || fakelogin)
|
2007-10-07 17:14:59 +05:30
|
|
|
setup_limits (&pwent);
|
2007-10-07 17:14:02 +05:30
|
|
|
|
2007-10-07 17:14:59 +05:30
|
|
|
if (setup_uid_gid (&pwent, is_console))
|
|
|
|
exit (1);
|
|
|
|
#endif /* !USE_PAM */
|
2007-10-07 17:14:02 +05:30
|
|
|
|
2007-10-07 17:17:11 +05:30
|
|
|
if (change_environment) {
|
|
|
|
if (fakelogin) {
|
|
|
|
pwent.pw_shell = shellstr;
|
|
|
|
setup_env (&pwent);
|
|
|
|
} else {
|
|
|
|
addenv ("HOME", pwent.pw_dir);
|
|
|
|
addenv ("USER", pwent.pw_name);
|
|
|
|
addenv ("LOGNAME", pwent.pw_name);
|
|
|
|
addenv ("SHELL", shellstr);
|
|
|
|
}
|
|
|
|
}
|
2007-10-07 17:14:02 +05:30
|
|
|
|
|
|
|
/*
|
|
|
|
* This is a workaround for Linux libc bug/feature (?) - the
|
2007-10-07 17:14:59 +05:30
|
|
|
* /dev/log file descriptor is open without the close-on-exec flag
|
|
|
|
* and used to be passed to the new shell. There is "fcntl(LogFile,
|
|
|
|
* F_SETFD, 1)" in libc/misc/syslog.c, but it is commented out (at
|
|
|
|
* least in 5.4.33). Why? --marekm
|
2007-10-07 17:14:02 +05:30
|
|
|
*/
|
2007-10-07 17:14:59 +05:30
|
|
|
closelog ();
|
2007-10-07 17:14:02 +05:30
|
|
|
|
|
|
|
/*
|
2007-10-07 17:14:59 +05:30
|
|
|
* See if the user has extra arguments on the command line. In that
|
|
|
|
* case they will be provided to the new user's shell as arguments.
|
2007-10-07 17:14:02 +05:30
|
|
|
*/
|
|
|
|
if (fakelogin) {
|
|
|
|
char *arg0;
|
|
|
|
|
2007-10-07 17:14:59 +05:30
|
|
|
cp = getdef_str ("SU_NAME");
|
2007-10-07 17:14:02 +05:30
|
|
|
if (!cp)
|
2007-10-07 17:17:11 +05:30
|
|
|
cp = Basename (shellstr);
|
2007-10-07 17:14:02 +05:30
|
|
|
|
2007-10-07 17:14:59 +05:30
|
|
|
arg0 = xmalloc (strlen (cp) + 2);
|
2007-10-07 17:14:02 +05:30
|
|
|
arg0[0] = '-';
|
2007-10-07 17:14:59 +05:30
|
|
|
strcpy (arg0 + 1, cp);
|
2007-10-07 17:14:02 +05:30
|
|
|
cp = arg0;
|
|
|
|
} else
|
2007-10-07 17:17:11 +05:30
|
|
|
cp = Basename (shellstr);
|
2007-10-07 17:14:02 +05:30
|
|
|
|
2007-10-07 17:14:59 +05:30
|
|
|
if (!doshell) {
|
2007-10-07 17:17:11 +05:30
|
|
|
/* Position argv to the remaining arguments */
|
|
|
|
argv += optind;
|
2007-10-07 17:17:22 +05:30
|
|
|
if (command) {
|
|
|
|
argv -= 2;
|
|
|
|
argv[0] = "-c";
|
|
|
|
argv[1] = command;
|
|
|
|
}
|
2007-10-07 17:14:14 +05:30
|
|
|
/*
|
2007-10-07 17:17:11 +05:30
|
|
|
* Use the shell and create an argv
|
2007-10-07 17:14:59 +05:30
|
|
|
* with the rest of the command line included.
|
2007-10-07 17:14:14 +05:30
|
|
|
*/
|
2007-10-07 17:17:11 +05:30
|
|
|
argv[-1] = shellstr;
|
2007-10-07 17:15:40 +05:30
|
|
|
#ifndef USE_PAM
|
2007-10-07 17:17:22 +05:30
|
|
|
(void) execve (shellstr, &argv[-1], environ);
|
|
|
|
err = errno;
|
2007-10-07 17:14:14 +05:30
|
|
|
(void) fprintf (stderr, _("No shell\n"));
|
2007-10-07 17:17:11 +05:30
|
|
|
SYSLOG ((LOG_WARN, "Cannot execute %s", shellstr));
|
2007-10-07 17:14:59 +05:30
|
|
|
closelog ();
|
2007-10-07 17:17:22 +05:30
|
|
|
exit (err == ENOENT ? E_CMD_NOTFOUND : E_CMD_NOEXEC);
|
|
|
|
#else
|
|
|
|
run_shell (shellstr, &argv[-1], 0, environ); /* no return */
|
|
|
|
#endif
|
2007-10-07 17:14:14 +05:30
|
|
|
}
|
2007-10-07 17:15:40 +05:30
|
|
|
#ifndef USE_PAM
|
2007-10-07 17:17:22 +05:30
|
|
|
err = shell (shellstr, cp, environ);
|
|
|
|
exit (err == ENOENT ? E_CMD_NOTFOUND : E_CMD_NOEXEC);
|
2007-10-07 17:15:40 +05:30
|
|
|
#else
|
2007-10-07 17:17:22 +05:30
|
|
|
run_shell (shellstr, &cp, 1, environ);
|
2007-10-07 17:15:40 +05:30
|
|
|
#endif
|
2007-10-07 17:15:23 +05:30
|
|
|
/* NOT REACHED */
|
|
|
|
exit (1);
|
2007-10-07 17:14:02 +05:30
|
|
|
}
|