2007-10-07 17:14:02 +05:30
|
|
|
#include <config.h>
|
2007-10-07 17:17:01 +05:30
|
|
|
#include <errno.h>
|
2007-10-07 17:14:02 +05:30
|
|
|
#include <grp.h>
|
2007-10-07 17:17:01 +05:30
|
|
|
#include <pwd.h>
|
|
|
|
#include <stdio.h>
|
2007-10-07 17:14:02 +05:30
|
|
|
#include <sys/types.h>
|
|
|
|
#include "defines.h"
|
2007-10-07 17:17:01 +05:30
|
|
|
#include "prototypes.h"
|
2007-10-07 17:14:02 +05:30
|
|
|
|
|
|
|
#ifndef SUAUTHFILE
|
|
|
|
#define SUAUTHFILE "/etc/suauth"
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#define NOACTION 0
|
|
|
|
#define NOPWORD 1
|
|
|
|
#define DENY -1
|
|
|
|
#define OWNPWORD 2
|
|
|
|
|
2007-10-07 17:17:01 +05:30
|
|
|
/*
|
|
|
|
* Global variables
|
|
|
|
*/
|
2007-10-07 17:15:14 +05:30
|
|
|
struct passwd pwent;
|
|
|
|
|
|
|
|
#ifdef SU_ACCESS
|
|
|
|
|
2007-10-07 17:14:02 +05:30
|
|
|
/* Really, I could do with a few const char's here defining all the
|
|
|
|
* strings output to the user or the syslog. -- chris
|
|
|
|
*/
|
2007-10-07 17:15:23 +05:30
|
|
|
static int applies (const char *, char *);
|
2007-10-07 17:14:02 +05:30
|
|
|
|
2007-10-07 17:15:23 +05:30
|
|
|
int check_su_auth (const char *, const char *);
|
|
|
|
int isgrp (const char *, const char *);
|
2007-10-07 17:14:02 +05:30
|
|
|
|
|
|
|
static int lines = 0;
|
|
|
|
|
|
|
|
|
2007-10-07 17:15:23 +05:30
|
|
|
int check_su_auth (const char *actual_id, const char *wanted_id)
|
2007-10-07 17:14:02 +05:30
|
|
|
{
|
2007-10-07 17:15:23 +05:30
|
|
|
int posn, endline;
|
|
|
|
const char field[] = ":";
|
|
|
|
FILE *authfile_fd;
|
|
|
|
char temp[1024];
|
|
|
|
char *to_users;
|
|
|
|
char *from_users;
|
|
|
|
char *action;
|
|
|
|
|
|
|
|
if (!(authfile_fd = fopen (SUAUTHFILE, "r"))) {
|
2007-10-07 17:14:02 +05:30
|
|
|
/*
|
|
|
|
* If the file doesn't exist - default to the standard su
|
|
|
|
* behaviour (no access control). If open fails for some
|
|
|
|
* other reason - maybe someone is trying to fool us with
|
|
|
|
* file descriptors limit etc., so deny access. --marekm
|
|
|
|
*/
|
|
|
|
if (errno == ENOENT)
|
|
|
|
return NOACTION;
|
2007-10-07 17:15:23 +05:30
|
|
|
SYSLOG ((LOG_ERR,
|
|
|
|
"could not open/read config file '%s': %m\n",
|
|
|
|
SUAUTHFILE));
|
2007-10-07 17:14:02 +05:30
|
|
|
return DENY;
|
|
|
|
}
|
|
|
|
|
2007-10-07 17:15:23 +05:30
|
|
|
while (fgets (temp, sizeof (temp), authfile_fd) != NULL) {
|
2007-10-07 17:14:02 +05:30
|
|
|
lines++;
|
|
|
|
|
2007-10-07 17:15:23 +05:30
|
|
|
if (temp[endline = strlen (temp) - 1] != '\n') {
|
|
|
|
SYSLOG ((LOG_ERR,
|
|
|
|
"%s, line %d: line too long or missing newline",
|
|
|
|
SUAUTHFILE, lines));
|
2007-10-07 17:14:02 +05:30
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
2007-10-07 17:15:23 +05:30
|
|
|
while (endline > 0 && (temp[endline - 1] == ' '
|
|
|
|
|| temp[endline - 1] == '\t'
|
|
|
|
|| temp[endline - 1] == '\n'))
|
2007-10-07 17:14:02 +05:30
|
|
|
endline--;
|
|
|
|
temp[endline] = '\0';
|
|
|
|
|
|
|
|
posn = 0;
|
|
|
|
while (temp[posn] == ' ' || temp[posn] == '\t')
|
|
|
|
posn++;
|
|
|
|
|
2007-10-07 17:15:23 +05:30
|
|
|
if (temp[posn] == '\n' || temp[posn] == '#'
|
|
|
|
|| temp[posn] == '\0') {
|
2007-10-07 17:14:02 +05:30
|
|
|
continue;
|
|
|
|
}
|
2007-10-07 17:15:23 +05:30
|
|
|
if (!(to_users = strtok (temp + posn, field))
|
|
|
|
|| !(from_users = strtok ((char *) NULL, field))
|
|
|
|
|| !(action = strtok ((char *) NULL, field))
|
|
|
|
|| strtok ((char *) NULL, field)) {
|
|
|
|
SYSLOG ((LOG_ERR,
|
|
|
|
"%s, line %d. Bad number of fields.\n",
|
|
|
|
SUAUTHFILE, lines));
|
2007-10-07 17:14:02 +05:30
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
2007-10-07 17:15:23 +05:30
|
|
|
if (!applies (wanted_id, to_users))
|
2007-10-07 17:14:02 +05:30
|
|
|
continue;
|
2007-10-07 17:15:23 +05:30
|
|
|
if (!applies (actual_id, from_users))
|
2007-10-07 17:14:02 +05:30
|
|
|
continue;
|
2007-10-07 17:15:23 +05:30
|
|
|
if (!strcmp (action, "DENY")) {
|
|
|
|
SYSLOG ((pwent.pw_uid ? LOG_NOTICE : LOG_WARN,
|
|
|
|
"DENIED su from `%s' to `%s' (%s)\n",
|
|
|
|
actual_id, wanted_id, SUAUTHFILE));
|
|
|
|
fprintf (stderr,
|
2007-10-07 17:16:07 +05:30
|
|
|
_("Access to su to that account DENIED.\n"));
|
2007-10-07 17:15:23 +05:30
|
|
|
fclose (authfile_fd);
|
2007-10-07 17:14:02 +05:30
|
|
|
return DENY;
|
2007-10-07 17:15:23 +05:30
|
|
|
} else if (!strcmp (action, "NOPASS")) {
|
|
|
|
SYSLOG ((pwent.pw_uid ? LOG_INFO : LOG_NOTICE,
|
|
|
|
"NO password asked for su from `%s' to `%s' (%s)\n",
|
|
|
|
actual_id, wanted_id, SUAUTHFILE));
|
|
|
|
fprintf (stderr,
|
|
|
|
_("Password authentication bypassed.\n"));
|
|
|
|
fclose (authfile_fd);
|
2007-10-07 17:14:02 +05:30
|
|
|
return NOPWORD;
|
2007-10-07 17:15:23 +05:30
|
|
|
} else if (!strcmp (action, "OWNPASS")) {
|
|
|
|
SYSLOG ((pwent.pw_uid ? LOG_INFO : LOG_NOTICE,
|
|
|
|
"su from `%s' to `%s': asking for user's own password (%s)\n",
|
|
|
|
actual_id, wanted_id, SUAUTHFILE));
|
|
|
|
fprintf (stderr,
|
|
|
|
_
|
|
|
|
("Please enter your OWN password as authentication.\n"));
|
|
|
|
fclose (authfile_fd);
|
2007-10-07 17:14:02 +05:30
|
|
|
return OWNPWORD;
|
|
|
|
} else {
|
2007-10-07 17:15:23 +05:30
|
|
|
SYSLOG ((LOG_ERR,
|
|
|
|
"%s, line %d: unrecognised action!\n",
|
|
|
|
SUAUTHFILE, lines));
|
2007-10-07 17:14:02 +05:30
|
|
|
}
|
|
|
|
}
|
2007-10-07 17:15:23 +05:30
|
|
|
fclose (authfile_fd);
|
2007-10-07 17:14:02 +05:30
|
|
|
return NOACTION;
|
|
|
|
}
|
|
|
|
|
2007-10-07 17:15:23 +05:30
|
|
|
static int applies (const char *single, char *list)
|
2007-10-07 17:14:02 +05:30
|
|
|
{
|
2007-10-07 17:15:23 +05:30
|
|
|
const char split[] = ", ";
|
|
|
|
char *tok;
|
2007-10-07 17:14:02 +05:30
|
|
|
|
|
|
|
int state = 0;
|
|
|
|
|
2007-10-07 17:15:23 +05:30
|
|
|
for (tok = strtok (list, split); tok != NULL;
|
|
|
|
tok = strtok (NULL, split)) {
|
2007-10-07 17:14:02 +05:30
|
|
|
|
2007-10-07 17:15:23 +05:30
|
|
|
if (!strcmp (tok, "ALL")) {
|
2007-10-07 17:14:02 +05:30
|
|
|
if (state != 0) {
|
2007-10-07 17:15:23 +05:30
|
|
|
SYSLOG ((LOG_ERR,
|
|
|
|
"%s, line %d: ALL in bad place\n",
|
|
|
|
SUAUTHFILE, lines));
|
2007-10-07 17:14:02 +05:30
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
state = 1;
|
2007-10-07 17:15:23 +05:30
|
|
|
} else if (!strcmp (tok, "EXCEPT")) {
|
2007-10-07 17:14:02 +05:30
|
|
|
if (state != 1) {
|
2007-10-07 17:15:23 +05:30
|
|
|
SYSLOG ((LOG_ERR,
|
|
|
|
"%s, line %d: EXCEPT in bas place\n",
|
|
|
|
SUAUTHFILE, lines));
|
2007-10-07 17:14:02 +05:30
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
state = 2;
|
2007-10-07 17:15:23 +05:30
|
|
|
} else if (!strcmp (tok, "GROUP")) {
|
2007-10-07 17:14:02 +05:30
|
|
|
if ((state != 0) && (state != 2)) {
|
2007-10-07 17:15:23 +05:30
|
|
|
SYSLOG ((LOG_ERR,
|
|
|
|
"%s, line %d: GROUP in bad place\n",
|
|
|
|
SUAUTHFILE, lines));
|
2007-10-07 17:14:02 +05:30
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
state = (state == 0) ? 3 : 4;
|
|
|
|
} else {
|
|
|
|
switch (state) {
|
2007-10-07 17:15:23 +05:30
|
|
|
case 0: /* No control words yet */
|
|
|
|
if (!strcmp (tok, single))
|
|
|
|
return 1;
|
|
|
|
break;
|
|
|
|
case 1: /* An all */
|
|
|
|
SYSLOG ((LOG_ERR,
|
|
|
|
"%s, line %d: expect another token after ALL\n",
|
|
|
|
SUAUTHFILE, lines));
|
|
|
|
return 0;
|
|
|
|
case 2: /* All except */
|
|
|
|
if (!strcmp (tok, single))
|
|
|
|
return 0;
|
|
|
|
break;
|
|
|
|
case 3: /* Group */
|
|
|
|
if (isgrp (single, tok))
|
|
|
|
return 1;
|
|
|
|
break;
|
|
|
|
case 4: /* All except group */
|
|
|
|
if (isgrp (single, tok))
|
2007-10-07 17:14:02 +05:30
|
|
|
return 0;
|
2007-10-07 17:15:23 +05:30
|
|
|
/* FALL THRU */
|
2007-10-07 17:14:02 +05:30
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if ((state != 0) && (state != 3))
|
|
|
|
return 1;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2007-10-07 17:15:23 +05:30
|
|
|
int isgrp (const char *name, const char *group)
|
2007-10-07 17:14:02 +05:30
|
|
|
{
|
2007-10-07 17:15:23 +05:30
|
|
|
struct group *grp;
|
2007-10-07 17:14:02 +05:30
|
|
|
|
2007-10-07 17:15:23 +05:30
|
|
|
grp = getgrnam (group);
|
2007-10-07 17:14:02 +05:30
|
|
|
|
|
|
|
if (!grp || !grp->gr_mem)
|
|
|
|
return 0;
|
|
|
|
|
2007-10-07 17:15:23 +05:30
|
|
|
return is_on_list (grp->gr_mem, name);
|
2007-10-07 17:14:02 +05:30
|
|
|
}
|
2007-10-07 17:15:23 +05:30
|
|
|
#endif /* SU_ACCESS */
|