/* * Copyright 1989 - 1994, Julianne Frances Haugh * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. Neither the name of Julianne F. Haugh nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY JULIE HAUGH AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL JULIE HAUGH OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. 
*/
#include <config.h>

#include "rcsid.h"
RCSID (PKG_VER "$Id: su.c,v 1.22 2002/03/08 04:30:28 kloczek Exp $")

/*
 * NOTE(review): the angle-bracket header names were lost when this file
 * was extracted; the ones below are reconstructed from the symbols the
 * file actually uses (uid_t, stdio, struct passwd, struct group,
 * signal()).  Confirm against the repository copy.
 */
#include <sys/types.h>
#include <stdio.h>

#ifdef USE_PAM
#include "pam_defs.h"

/* PAM conversation: misc_conv with no application data. */
static const struct pam_conv conv = {
	misc_conv,
	NULL
};

/* PAM transaction handle, live between pam_start() and pam_end() in main(). */
static pam_handle_t *pamh = NULL;
#endif

#include "prototypes.h"
#include "defines.h"
#include <pwd.h>
#include <grp.h>
#include <signal.h>
#include "pwauth.h"
#include "getdef.h"

/*
 * Assorted #defines to control su's behavior
 */

/*
 * Global variables
 */

/* not needed by sulog.c anymore */
static char name[BUFSIZ];	/* login name of the target user ("root" if none given) */
static char oldname[BUFSIZ];	/* login name of the invoking user */
static char *Prog;		/* basename of argv[0], prefix for error messages */
extern struct passwd pwent;	/* defined elsewhere; main() copies the target user's entry here */

/*
 * External identifiers
 */
extern char **newenvp;
extern size_t newenvc;
extern char **environ;

/* local function prototypes */
#ifndef USE_PAM
static RETSIGTYPE die (int);
static int iswheel (const char *);

/*
 * die - set or reset termio modes.
 *
 * Called once with 0 before the password prompt to snapshot the terminal
 * modes of fd 0; it is then installed as the SIGQUIT handler.  When it
 * arrives with a signal number the saved modes are restored, the syslog
 * connection is closed and the process exits with that number as status.
 *
 * NOTE(review): closelog() and exit() are not async-signal-safe; as a
 * signal handler this relies on the authentication window being short.
 */
static RETSIGTYPE die (int killed)
{
	static TERMIO sgtty;

	if (killed) {
		/* signal delivery: restore the terminal, then leave */
		STTY (0, &sgtty);
		closelog ();
		exit (killed);
	} else {
		/* setup call: remember the terminal modes for later restore */
		GTTY (0, &sgtty);
	}
}

/*
 * iswheel - is username a listed member of the GID 0 group?
 *
 * Membership is taken from the group database (gr_mem), not from the
 * caller's current group set.  Returns 0 when no GID 0 group exists or it
 * carries no member list.
 */
static int iswheel (const char *username)
{
	struct group *wheel = getgrgid (0);

	if (wheel == NULL || wheel->gr_mem == NULL)
		return 0;

	return is_on_list (wheel->gr_mem, username);
}
#endif				/* !USE_PAM */

/*
 * su_failure - record a refused su attempt and terminate.
 *
 * Writes the failed attempt to the su log, optionally to syslog (gated by
 * the SYSLOG_SU_ENAB option), prints "Sorry." and exits with status 1.
 * tty is the terminal name (or "???") used in the log record.  Does not
 * return.
 */
static void su_failure (const char *tty)
{
	sulog (tty, 0, oldname, name);	/* log failed attempt */
#ifdef USE_SYSLOG
	if (getdef_bool ("SYSLOG_SU_ENAB")) {
		/* a refused attempt to become uid 0 is logged at NOTICE, others at INFO */
		int prio = pwent.pw_uid ? LOG_INFO : LOG_NOTICE;
		const char *from = oldname[0] ? oldname : "???";
		const char *to = name[0] ? name : "???";

		SYSLOG ((prio, "- %s %s-%s", tty, from, to));
	}
	closelog ();
#endif
	puts (_("Sorry."));
	exit (1);
}

/*
 * su - switch user id
 *
 * su changes the user's ids to the values for the specified user. if
 * no new user name is specified, "root" is used by default.
 *
 * The only valid option is a "-" character, which is interpreted as
 * requiring a new login session to be simulated.
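*
 * Any additional arguments are passed to the user's shell. In
 * particular, the argument "-c" will cause the next argument to be
 * interpreted as a command by the common shell programs.
 *
 * Order of operations matters for security: the caller is identified
 * and authenticated against the target account before any of the target
 * user's environment (PATH, HOME, IFS) is installed, and before ids are
 * changed.  Every failure path ends in exit(1) or su_failure(); on
 * success the process image is replaced by the target user's shell.
 */
int main (int argc, char **argv)
{
	char *cp;
	const char *tty = 0;	/* Name of tty SU is run from */
	int doshell = 0;	/* set when no arguments remain for the shell */
	int fakelogin = 0;	/* "-" given: simulate a fresh login */
	int amroot = 0;		/* real uid of the caller is 0 */
	uid_t my_uid;
	struct passwd *pw = 0;
	char **envp = environ;
#ifdef USE_PAM
	int ret;
#else				/* !USE_PAM */
	RETSIGTYPE (*oldsig) ();
	int is_console = 0;
#ifdef SHADOWPWD
	struct spwd *spwd = 0;
#endif
#ifdef SU_ACCESS
	char *oldpass;
#endif
#endif				/* !USE_PAM */

	/* drop dangerous inherited variables before anything reads the environment */
	sanitize_env ();

	setlocale (LC_ALL, "");
	bindtextdomain (PACKAGE, LOCALEDIR);
	textdomain (PACKAGE);

	/*
	 * Get the program name. The program name is used as a prefix to
	 * most error messages.
	 */
	Prog = Basename (argv[0]);

	OPENLOG ("su");

	initenv ();

	my_uid = getuid ();
	amroot = (my_uid == 0);

	/*
	 * Get the tty name. Entries will be logged indicating that the user
	 * tried to change to the named new user from the current terminal.
	 */
	if (isatty (0) && (cp = ttyname (0))) {
		if (strncmp (cp, "/dev/", 5) == 0)
			tty = cp + 5;
		else
			tty = cp;
#ifndef USE_PAM
		is_console = console (tty);
#endif
	} else {
		/*
		 * Be more paranoid, like su from SimplePAMApps. --marekm
		 */
		if (!amroot) {
			fprintf (stderr, _("%s: must be run from a terminal\n"), Prog);
			exit (1);
		}
		tty = "???";
	}

	/*
	 * Process the command line arguments.
	 */
	argc--;
	argv++;			/* shift out command name */

	if (argc > 0 && strcmp (argv[0], "-") == 0) {
		fakelogin = 1;
		argc--;
		argv++;		/* shift ... */
	}

	/*
	 * If a new login is being set up, the old environment will be
	 * ignored and a new one created later on.
	 */
	if (fakelogin) {
		if ((cp = getdef_str ("ENV_TZ")))
			addenv (*cp == '/' ? tz (cp) : cp, NULL);

		/*
		 * The clock frequency will be reset to the login value if required
		 */
		if ((cp = getdef_str ("ENV_HZ")))
			addenv (cp, NULL);	/* set the default $HZ, if one */

		/*
		 * The terminal type will be left alone if it is present in
		 * the environment already.
		 */
		if ((cp = getenv ("TERM")))
			addenv ("TERM", cp);
	} else {
		/* not a login shell: carry the caller's (sanitized) environment over */
		while (*envp)
			addenv (*envp++, NULL);
	}

	/*
	 * The next argument must be either a user ID, or some flag to a
	 * subshell. Pretty sticky since you can't have an argument which
	 * doesn't start with a "-" unless you specify the new user name.
	 * Any remaining arguments will be passed to the user's login shell.
	 */
	if (argc > 0 && argv[0][0] != '-') {
		STRFCPY (name, argv[0]);	/* use this login id; assumed bounded by sizeof name */
		argc--;
		argv++;		/* shift ... */
	}
	if (!name[0])		/* use default user ID */
		(void) strcpy (name, "root");

	doshell = argc == 0;	/* any arguments remaining? */

	/*
	 * Get the user's real name. The current UID is used to determine
	 * who has executed su. That user ID must exist.
	 */
	pw = get_my_pwent ();
	if (!pw) {
		SYSLOG ((LOG_CRIT, "Unknown UID: %u", my_uid));
		su_failure (tty);
	}
	STRFCPY (oldname, pw->pw_name);

#ifndef USE_PAM
#ifdef SU_ACCESS
	/*
	 * Sort out the password of user calling su, in case needed later
	 * -- chris
	 */
#ifdef SHADOWPWD
	if ((spwd = getspnam (oldname)))
		pw->pw_passwd = spwd->sp_pwdp;
#endif
	oldpass = xstrdup (pw->pw_passwd);
#endif				/* SU_ACCESS */
#else				/* USE_PAM */
	ret = pam_start ("su", name, &conv, &pamh);
	if (ret != PAM_SUCCESS) {
		/*
		 * The SYSLOG() argument used to be closed only after the
		 * fprintf() call, so the user-visible message was part of the
		 * macro argument and vanished whenever SYSLOG() expands to
		 * nothing.  Log and report as two separate statements.
		 */
		SYSLOG ((LOG_ERR, "pam_start: error %d", ret));
		fprintf (stderr, _("%s: pam_start: error %d\n"), Prog, ret);
		exit (1);
	}

	/* tell PAM which terminal and which real user are asking */
	ret = pam_set_item (pamh, PAM_TTY, (const void *) tty);
	if (ret == PAM_SUCCESS)
		ret = pam_set_item (pamh, PAM_RUSER, (const void *) oldname);
	if (ret != PAM_SUCCESS) {
		SYSLOG ((LOG_ERR, "pam_set_item: %s", pam_strerror (pamh, ret)));
		fprintf (stderr, "%s: %s\n", Prog, pam_strerror (pamh, ret));
		pam_end (pamh, ret);
		exit (1);
	}
#endif				/* USE_PAM */

      top:
	/*
	 * This is the common point for validating a user whose name is
	 * known. It will be reached either by normal processing, or if the
	 * user is to be logged into a subsystem root.
	 *
	 * The password file entries for the user is gotten and the account
	 * validated.
	 */
	if (!(pw = getpwnam (name))) {
		(void) fprintf (stderr, _("Unknown id: %s\n"), name);
		closelog ();
		exit (1);
	}
#ifndef USE_PAM
#ifdef SHADOWPWD
	spwd = NULL;
	if (strcmp (pw->pw_passwd, SHADOW_PASSWD_STRING) == 0
	    && (spwd = getspnam (name)))
		pw->pw_passwd = spwd->sp_pwdp;
#endif
#endif				/* !USE_PAM */
	pwent = *pw;

#ifndef USE_PAM
	/*
	 * BSD systems only allow "wheel" to SU to root. USG systems don't,
	 * so we make this a configurable option.
	 */

	/* The original Shadow 3.3.2 did this differently. Do it like BSD:
	 *
	 * - check for uid 0 instead of name "root" - there are systems with
	 *   several root accounts under different names,
	 *
	 * - check the contents of /etc/group instead of the current group
	 *   set (you must be listed as a member, GID 0 is not sufficient).
	 *
	 * In addition to this traditional feature, we now have complete su
	 * access control (allow, deny, no password, own password). Thanks
	 * to Chris Evans .
	 */
	if (!amroot) {
		if (pwent.pw_uid == 0 && getdef_bool ("SU_WHEEL_ONLY")
		    && !iswheel (oldname)) {
			fprintf (stderr, _("You are not authorized to su %s\n"), name);
			exit (1);
		}
#ifdef SU_ACCESS
		switch (check_su_auth (oldname, name)) {
		case 0:	/* normal su, require target user's password */
			break;
		case 1:	/* require no password */
			pwent.pw_passwd = "";	/* XXX warning: const */
			break;
		case 2:	/* require own password */
			puts (_("(Enter your own password.)"));
			pwent.pw_passwd = oldpass;
			break;
		default:	/* access denied (-1) or unexpected value */
			fprintf (stderr, _("You are not authorized to su %s\n"), name);
			exit (1);
		}
#endif				/* SU_ACCESS */
	}
#endif				/* !USE_PAM */

	/*
	 * Set the default shell.
	 */
	if (pwent.pw_shell[0] == '\0')
		pwent.pw_shell = "/bin/sh";	/* XXX warning: const */

#ifdef USE_PAM
	ret = pam_authenticate (pamh, 0);
	if (ret != PAM_SUCCESS) {
		SYSLOG ((LOG_ERR, "pam_authenticate: %s", pam_strerror (pamh, ret)));
		fprintf (stderr, "%s: %s\n", Prog, pam_strerror (pamh, ret));
		pam_end (pamh, ret);
		su_failure (tty);
	}

	ret = pam_acct_mgmt (pamh, 0);
	if (ret != PAM_SUCCESS) {
		/* root may override account restrictions; anyone else is refused */
		if (amroot) {
			fprintf (stderr, _("%s: %s\n(Ignored)\n"), Prog, pam_strerror (pamh, ret));
		} else {
			SYSLOG ((LOG_ERR, "pam_acct_mgmt: %s", pam_strerror (pamh, ret)));
			fprintf (stderr, "%s: %s\n", Prog, pam_strerror (pamh, ret));
			pam_end (pamh, ret);
			su_failure (tty);
		}
	}
#else				/* !USE_PAM */
	/*
	 * Set up a signal handler in case the user types QUIT.
	 */
	die (0);
	oldsig = signal (SIGQUIT, die);

	/*
	 * See if the system defined authentication method is being used.
	 * The first character of an administrator defined method is an '@'
	 * character.
	 */
	if (!amroot && pw_auth (pwent.pw_passwd, name, PW_SU, (char *) 0)) {
		SYSLOG ((pwent.pw_uid ? LOG_NOTICE : LOG_WARN, "Authentication failed for %s", name));
		su_failure (tty);
	}
	signal (SIGQUIT, oldsig);

	/*
	 * Check to see if the account is expired. root gets to ignore any
	 * expired accounts, but normal users can't become a user with an
	 * expired password.
	 */
	if (!amroot) {
#ifdef SHADOWPWD
		if (!spwd)
			spwd = pwd_to_spwd (&pwent);

		if (isexpired (&pwent, spwd)) {
			SYSLOG ((pwent.pw_uid ? LOG_WARN : LOG_CRIT, "Expired account %s", name));
			su_failure (tty);
		}
#else
#if defined(ATT_AGE)
		if (pwent.pw_age[0] && isexpired (&pwent)) {
			SYSLOG ((pwent.pw_uid ? LOG_WARN : LOG_CRIT, "Expired account %s", name));
			su_failure (tty);
		}
#endif				/* ATT_AGE */
#endif
	}

	/*
	 * Check to see if the account permits "su". root gets to ignore any
	 * restricted accounts, but normal users can't become a user if
	 * there is a "SU" entry in the /etc/porttime file denying access to
	 * the account.
	 */
	if (!amroot) {
		if (!isttytime (pwent.pw_name, "SU", time ((time_t *) 0))) {
			SYSLOG ((pwent.pw_uid ? LOG_WARN : LOG_CRIT,
				 "SU by %s to restricted account %s", oldname, name));
			su_failure (tty);
		}
	}
#endif				/* !USE_PAM */

	signal (SIGINT, SIG_DFL);

	/* PATH comes from login.defs, with a separate value for uid 0 targets */
	cp = getdef_str ((pwent.pw_uid == 0) ? "ENV_SUPATH" : "ENV_PATH");
#if 0
	addenv (cp ? cp : "PATH=/bin:/usr/bin", NULL);
#else
	/* XXX very similar code duplicated in libmisc/setupenv.c */
	if (!cp) {
		addenv ("PATH=/bin:/usr/bin", NULL);
	} else if (strchr (cp, '=')) {
		addenv (cp, NULL);
	} else {
		addenv ("PATH", cp);
	}
#endif
	environ = newenvp;	/* make new environment active */

	if (getenv ("IFS"))	/* don't export user IFS ... */
		addenv ("IFS= \t\n", NULL);	/* ... instead, set a safe IFS */

	if (pwent.pw_shell[0] == '*') {	/* subsystem root required */
		pwent.pw_shell++;	/* skip the '*' */
		subsystem (&pwent);	/* figure out what to execute */
		endpwent ();
#ifdef SHADOWPWD
		endspent ();
#endif
		/* re-validate and re-authenticate against the subsystem's own database */
		goto top;
	}

	sulog (tty, 1, oldname, name);	/* save SU information */
	endpwent ();
#ifdef SHADOWPWD
	endspent ();
#endif
#ifdef USE_SYSLOG
	if (getdef_bool ("SYSLOG_SU_ENAB"))
		SYSLOG ((LOG_INFO, "+ %s %s-%s", tty,
			 oldname[0] ? oldname : "???", name[0] ? name : "???"));
#endif

#ifdef USE_PAM
	/* set primary group id and supplementary groups */
	if (setup_groups (&pwent)) {
		pam_end (pamh, PAM_ABORT);
		exit (1);
	}

	/*
	 * pam_setcred() may do things like resource limits, console groups,
	 * and much more, depending on the configured modules
	 */
	ret = pam_setcred (pamh, PAM_ESTABLISH_CRED);
	if (ret != PAM_SUCCESS) {
		SYSLOG ((LOG_ERR, "pam_setcred: %s", pam_strerror (pamh, ret)));
		fprintf (stderr, "%s: %s\n", Prog, pam_strerror (pamh, ret));
		pam_end (pamh, ret);
		exit (1);
	}

	/* become the new user */
	if (change_uid (&pwent)) {
		pam_setcred (pamh, PAM_DELETE_CRED);
		pam_end (pamh, PAM_ABORT);
		exit (1);
	}

	/* now we are done using PAM */
	pam_end (pamh, PAM_SUCCESS);
#else				/* !USE_PAM */
	if (!amroot)		/* no limits if su from root */
		setup_limits (&pwent);

	if (setup_uid_gid (&pwent, is_console))
		exit (1);
#endif				/* !USE_PAM */

	if (fakelogin)
		setup_env (&pwent);
#if 1				/* Suggested by Joey Hess. XXX - is this right? */
	else
		addenv ("HOME", pwent.pw_dir);
#endif

	/*
	 * This is a workaround for Linux libc bug/feature (?) - the
	 * /dev/log file descriptor is open without the close-on-exec flag
	 * and used to be passed to the new shell. There is "fcntl(LogFile,
	 * F_SETFD, 1)" in libc/misc/syslog.c, but it is commented out (at
	 * least in 5.4.33). Why? --marekm
	 */
	closelog ();

	/*
	 * See if the user has extra arguments on the command line. In that
	 * case they will be provided to the new user's shell as arguments.
	 */
	if (fakelogin) {
		char *arg0;
#if 0				/* XXX - GNU su doesn't do this. --marekm */
		if (!hushed (&pwent)) {
			motd ();
			mailcheck ();
		}
#endif
		/* login shells are spawned as "-<name>": SU_NAME or the shell's basename */
		cp = getdef_str ("SU_NAME");
		if (!cp)
			cp = Basename (pwent.pw_shell);
		arg0 = xmalloc (strlen (cp) + 2);	/* '-' + name + NUL */
		arg0[0] = '-';
		strcpy (arg0 + 1, cp);
		cp = arg0;
	} else
		cp = Basename (pwent.pw_shell);

	if (!doshell) {
		/*
		 * Use new user's shell from /etc/passwd and create an argv
		 * with the rest of the command line included.
		 *
		 * argv was shifted at least once above, so argv[-1] is the
		 * original argv[0] slot and is safe to overwrite.
		 */
		argv[-1] = pwent.pw_shell;
		(void) execv (pwent.pw_shell, &argv[-1]);
		(void) fprintf (stderr, _("No shell\n"));
		SYSLOG ((LOG_WARN, "Cannot execute %s", pwent.pw_shell));
		closelog ();
		exit (1);
	}

	shell (pwent.pw_shell, cp);
	/*NOTREACHED*/
	exit (1);
}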