/* * Copyright 1989 - 1994, Julianne Frances Haugh * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. Neither the name of Julianne F. Haugh nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY JULIE HAUGH AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL JULIE HAUGH OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #include #include "rcsid.h" RCSID(PKG_VER "$Id: su.c,v 1.18 2001/06/28 20:47:06 kloczek Exp $") #include #include #ifdef USE_PAM #include "pam_defs.h" static const struct pam_conv conv = { misc_conv, NULL }; static pam_handle_t *pamh = NULL; #endif #include "prototypes.h" #include "defines.h" #include #include #include #include "pwauth.h" #include "getdef.h" /* * Assorted #defines to control su's behavior */ /* * Global variables */ /* not needed by sulog.c anymore */ static char name[BUFSIZ]; static char oldname[BUFSIZ]; static char *Prog; struct passwd pwent; /* * External identifiers */ extern char **newenvp; extern size_t newenvc; extern char **environ; /* local function prototypes */ #ifndef USE_PAM static RETSIGTYPE die(int); static int iswheel(const char *); /* * die - set or reset termio modes. * * die() is called before processing begins. signal() is then * called with die() as the signal handler. If signal later * calls die() with a signal number, the terminal modes are * then reset. */ static RETSIGTYPE die(int killed) { static TERMIO sgtty; if (killed) STTY(0, &sgtty); else GTTY(0, &sgtty); if (killed) { closelog(); exit(killed); } } static int iswheel(const char *username) { struct group *grp; grp = getgrgid(0); if (!grp || !grp->gr_mem) return 0; return is_on_list(grp->gr_mem, username); } #endif /* !USE_PAM */ static void su_failure(const char *tty) { sulog(tty, 0, oldname, name); /* log failed attempt */ #ifdef USE_SYSLOG if (getdef_bool("SYSLOG_SU_ENAB")) SYSLOG((pwent.pw_uid ? LOG_INFO:LOG_NOTICE, "- %s %s-%s\n", tty, oldname[0] ? oldname:"???", name[0] ? name:"???")); closelog(); #endif puts(_("Sorry.")); exit(1); } /* * su - switch user id * * su changes the user's ids to the values for the specified user. * if no new user name is specified, "root" is used by default. * * The only valid option is a "-" character, which is interpreted * as requiring a new login session to be simulated. * * Any additional arguments are passed to the user's shell. In * particular, the argument "-c" will cause the next argument to * be interpreted as a command by the common shell programs. */ int main(int argc, char **argv) { char *cp; const char *tty = 0; /* Name of tty SU is run from */ int doshell = 0; int fakelogin = 0; int amroot = 0; uid_t my_uid; struct passwd *pw = 0; char **envp = environ; #ifdef USE_PAM int ret; #else /* !USE_PAM */ RETSIGTYPE (*oldsig)(); int is_console = 0; #ifdef SHADOWPWD struct spwd *spwd = 0; #endif #ifdef SU_ACCESS char *oldpass; #endif #endif /* !USE_PAM */ sanitize_env(); setlocale(LC_ALL, ""); bindtextdomain(PACKAGE, LOCALEDIR); textdomain(PACKAGE); /* * Get the program name. The program name is used as a * prefix to most error messages. */ Prog = Basename(argv[0]); OPENLOG("su"); initenv(); my_uid = getuid(); amroot = (my_uid == 0); /* * Get the tty name. Entries will be logged indicating that * the user tried to change to the named new user from the * current terminal. */ if (isatty(0) && (cp = ttyname(0))) { if (strncmp (cp, "/dev/", 5) == 0) tty = cp + 5; else tty = cp; #ifndef USE_PAM is_console = console(tty); #endif } else { /* * Be more paranoid, like su from SimplePAMApps. --marekm */ if (!amroot) { fprintf(stderr, _("%s: must be run from a terminal\n"), Prog); exit(1); } tty = "???"; } /* * Process the command line arguments. */ argc--; argv++; /* shift out command name */ if (argc > 0 && strcmp(argv[0], "-") == 0) { fakelogin = 1; argc--; argv++; /* shift ... */ } /* * If a new login is being set up, the old environment will * be ignored and a new one created later on. */ if (fakelogin) { if ((cp=getdef_str("ENV_TZ"))) addenv(*cp == '/' ? tz(cp) : cp, NULL); /* * The clock frequency will be reset to the login value if required */ if ((cp=getdef_str("ENV_HZ"))) addenv(cp, NULL); /* set the default $HZ, if one */ /* * The terminal type will be left alone if it is present in the * environment already. */ if ((cp = getenv ("TERM"))) addenv("TERM", cp); } else { while (*envp) addenv(*envp++, NULL); } /* * The next argument must be either a user ID, or some flag to * a subshell. Pretty sticky since you can't have an argument * which doesn't start with a "-" unless you specify the new user * name. Any remaining arguments will be passed to the user's * login shell. */ if (argc > 0 && argv[0][0] != '-') { STRFCPY(name, argv[0]); /* use this login id */ argc--; argv++; /* shift ... */ } if (! name[0]) /* use default user ID */ (void) strcpy (name, "root"); doshell = argc == 0; /* any arguments remaining? */ /* * Get the user's real name. The current UID is used to determine * who has executed su. That user ID must exist. */ pw = get_my_pwent(); if (!pw) { SYSLOG((LOG_CRIT, "Unknown UID: %d\n", (int) my_uid)); su_failure(tty); } STRFCPY(oldname, pw->pw_name); #ifndef USE_PAM #ifdef SU_ACCESS /* * Sort out the password of user calling su, in case needed later * -- chris */ #ifdef SHADOWPWD if ((spwd = getspnam(oldname))) pw->pw_passwd = spwd->sp_pwdp; #endif oldpass = xstrdup(pw->pw_passwd); #endif /* SU_ACCESS */ #else /* USE_PAM */ ret = pam_start("su", name, &conv, &pamh); if (ret != PAM_SUCCESS) { SYSLOG((LOG_ERR, "pam_start: error %d\n", ret); fprintf(stderr, _("%s: pam_start: error %d\n"), Prog, ret)); exit(1); } ret = pam_set_item(pamh, PAM_TTY, (const void *) tty); if (ret == PAM_SUCCESS) ret = pam_set_item(pamh, PAM_RUSER, (const void *) oldname); if (ret != PAM_SUCCESS) { SYSLOG((LOG_ERR, "pam_set_item: %s\n", pam_strerror(pamh, ret))); fprintf(stderr, "%s: %s\n", Prog, pam_strerror(pamh, ret)); pam_end(pamh, ret); exit(1); } #endif /* USE_PAM */ top: /* * This is the common point for validating a user whose name * is known. It will be reached either by normal processing, * or if the user is to be logged into a subsystem root. * * The password file entries for the user is gotten and the * account validated. */ if (!(pw = getpwnam(name))) { (void) fprintf (stderr, _("Unknown id: %s\n"), name); closelog(); exit(1); } #ifndef USE_PAM #ifdef SHADOWPWD spwd = NULL; if (strcmp(pw->pw_passwd, SHADOW_PASSWD_STRING) == 0 && (spwd = getspnam(name))) pw->pw_passwd = spwd->sp_pwdp; #endif #endif /* !USE_PAM */ pwent = *pw; #ifndef USE_PAM /* * BSD systems only allow "wheel" to SU to root. USG systems * don't, so we make this a configurable option. */ /* The original Shadow 3.3.2 did this differently. Do it like BSD: - check for uid 0 instead of name "root" - there are systems with several root accounts under different names, - check the contents of /etc/group instead of the current group set (you must be listed as a member, GID 0 is not sufficient). In addition to this traditional feature, we now have complete su access control (allow, deny, no password, own password). Thanks to Chris Evans . */ if (!amroot) { if (pwent.pw_uid == 0 && getdef_bool("SU_WHEEL_ONLY") && !iswheel(oldname)) { fprintf(stderr, _("You are not authorized to su %s\n"), name); exit(1); } #ifdef SU_ACCESS switch (check_su_auth(oldname, name)) { case 0: /* normal su, require target user's password */ break; case 1: /* require no password */ pwent.pw_passwd = ""; /* XXX warning: const */ break; case 2: /* require own password */ puts(_("(Enter your own password.)")); pwent.pw_passwd = oldpass; break; default: /* access denied (-1) or unexpected value */ fprintf(stderr, _("You are not authorized to su %s\n"), name); exit(1); } #endif /* SU_ACCESS */ } #endif /* !USE_PAM */ /* * Set the default shell. */ if (pwent.pw_shell[0] == '\0') pwent.pw_shell = "/bin/sh"; /* XXX warning: const */ #ifdef USE_PAM ret = pam_authenticate(pamh, 0); if (ret != PAM_SUCCESS) { SYSLOG((LOG_ERR, "pam_authenticate: %s\n", pam_strerror(pamh, ret))); fprintf(stderr, "%s: %s\n", Prog, pam_strerror(pamh, ret)); pam_end(pamh, ret); su_failure(tty); } ret = pam_acct_mgmt(pamh, 0); if (ret != PAM_SUCCESS) { if (amroot) { fprintf(stderr, _("%s: %s\n(Ignored)\n"), Prog, pam_strerror(pamh, ret)); } else { SYSLOG((LOG_ERR, "pam_acct_mgmt: %s\n", pam_strerror(pamh, ret))); fprintf(stderr, "%s: %s\n", Prog, pam_strerror(pamh, ret)); pam_end(pamh, ret); su_failure(tty); } } #else /* !USE_PAM */ /* * Set up a signal handler in case the user types QUIT. */ die (0); oldsig = signal (SIGQUIT, die); /* * See if the system defined authentication method is being used. * The first character of an administrator defined method is an * '@' character. */ if (! amroot && pw_auth (pwent.pw_passwd, name, PW_SU, (char *) 0)) { SYSLOG((pwent.pw_uid ? LOG_NOTICE:LOG_WARN, "Authentication failed for %s\n", name)); su_failure(tty); } signal (SIGQUIT, oldsig); /* * Check to see if the account is expired. root gets to * ignore any expired accounts, but normal users can't become * a user with an expired password. */ if (! amroot) { #ifdef SHADOWPWD if (!spwd) spwd = pwd_to_spwd(&pwent); if (isexpired(&pwent, spwd)) { SYSLOG((pwent.pw_uid ? LOG_WARN : LOG_CRIT, "Expired account %s\n", name)); su_failure(tty); } #else #if defined(ATT_AGE) && defined(AGING) else if (pwent.pw_age[0] && isexpired (&pwent)) { SYSLOG((pwent.pw_uid ? LOG_WARN:LOG_CRIT, "Expired account %s\n", name)); su_failure(tty); } #endif /* ATT_AGE */ #endif } /* * Check to see if the account permits "su". root gets to * ignore any restricted accounts, but normal users can't become * a user if there is a "SU" entry in the /etc/porttime file * denying access to the account. */ if (! amroot) { if (! isttytime (pwent.pw_name, "SU", time ((time_t *) 0))) { SYSLOG((pwent.pw_uid ? LOG_WARN : LOG_CRIT, "SU by %s to restricted account %s\n", oldname, name)); su_failure(tty); } } #endif /* !USE_PAM */ signal(SIGINT, SIG_DFL); cp = getdef_str((pwent.pw_uid == 0) ? "ENV_SUPATH" : "ENV_PATH"); #if 0 addenv(cp ? cp : "PATH=/bin:/usr/bin", NULL); #else /* XXX very similar code duplicated in libmisc/setupenv.c */ if (!cp) { addenv("PATH=/bin:/usr/bin", NULL); } else if (strchr(cp, '=')) { addenv(cp, NULL); } else { addenv("PATH", cp); } #endif environ = newenvp; /* make new environment active */ if (getenv ("IFS")) /* don't export user IFS ... */ addenv("IFS= \t\n", NULL); /* ... instead, set a safe IFS */ if (pwent.pw_shell[0] == '*') { /* subsystem root required */ pwent.pw_shell++; /* skip the '*' */ subsystem (&pwent); /* figure out what to execute */ endpwent (); #ifdef SHADOWPWD endspent (); #endif goto top; } sulog(tty, 1, oldname, name); /* save SU information */ endpwent (); #ifdef SHADOWPWD endspent (); #endif #ifdef USE_SYSLOG if (getdef_bool("SYSLOG_SU_ENAB")) SYSLOG((LOG_INFO, "+ %s %s-%s\n", tty, oldname[0] ? oldname:"???", name[0] ? name:"???")); #endif #ifdef USE_PAM /* set primary group id and supplementary groups */ if (setup_groups(&pwent)) { pam_end(pamh, PAM_ABORT); exit(1); } /* pam_setcred() may do things like resource limits, console groups, and much more, depending on the configured modules */ ret = pam_setcred(pamh, PAM_ESTABLISH_CRED); if (ret != PAM_SUCCESS) { SYSLOG((LOG_ERR, "pam_setcred: %s\n", pam_strerror(pamh, ret))); fprintf(stderr, "%s: %s\n", Prog, pam_strerror(pamh, ret)); pam_end(pamh, ret); exit(1); } /* become the new user */ if (change_uid(&pwent)) { pam_setcred(pamh, PAM_DELETE_CRED); pam_end(pamh, PAM_ABORT); exit(1); } /* now we are done using PAM */ pam_end(pamh, PAM_SUCCESS); #else /* !USE_PAM */ if (!amroot) /* no limits if su from root */ setup_limits(&pwent); if (setup_uid_gid(&pwent, is_console)) exit(1); #endif /* !USE_PAM */ if (fakelogin) setup_env(&pwent); #if 1 /* Suggested by Joey Hess. XXX - is this right? */ else addenv("HOME", pwent.pw_dir); #endif /* * This is a workaround for Linux libc bug/feature (?) - the * /dev/log file descriptor is open without the close-on-exec * flag and used to be passed to the new shell. There is * "fcntl(LogFile, F_SETFD, 1)" in libc/misc/syslog.c, but * it is commented out (at least in 5.4.33). Why? --marekm */ closelog(); /* * See if the user has extra arguments on the command line. In * that case they will be provided to the new user's shell as * arguments. */ if (fakelogin) { char *arg0; #if 0 /* XXX - GNU su doesn't do this. --marekm */ if (! hushed (&pwent)) { motd (); mailcheck (); } #endif cp = getdef_str("SU_NAME"); if (!cp) cp = Basename(pwent.pw_shell); arg0 = xmalloc(strlen(cp) + 2); arg0[0] = '-'; strcpy(arg0 + 1, cp); cp = arg0; } else cp = Basename(pwent.pw_shell); if (! doshell) { /* * Use new user's shell from /etc/passwd and create an * argv with the rest of the command line included. */ argv[-1] = pwent.pw_shell; (void) execv (pwent.pw_shell, &argv[-1]); (void) fprintf (stderr, _("No shell\n")); SYSLOG((LOG_WARN, "Cannot execute %s\n", pwent.pw_shell)); closelog(); exit (1); } shell(pwent.pw_shell, cp); /*NOTREACHED*/ exit(1); }