History log of /src/usr.bin/su/su.c
Revision  Date  Author  Comments
 1.75  24-Mar-2023  kre After a ':' (as in login:group or just :group) insist that there
actually be a group name (of some form, don't care what) present.
 1.74  30-Oct-2021  nia su(1): use reallocarr instead of malloc(x * y)
 1.73  17-Oct-2021  nia su: Use consttime_memequal instead of strcmp.

This only affects the non-PAM case.
 1.72  16-Jun-2015  christos fix some error handling.
 1.71  16-Mar-2014  dholland Fix gcc48 build. No obvious reason why nobody else has hit this...
 1.70  12-Apr-2012  christos branches: 1.70.2;
make this compile again.
 1.69  31-Aug-2011  plunky branches: 1.69.2; 1.69.4;
NULL does not need a cast
 1.68  21-Jul-2008  lukem Remove the \n and tabs from the __COPYRIGHT() strings.
Tweak to use a consistent format.
 1.67  05-Apr-2008  christos branches: 1.67.4;
call setprogname(), from Anon Ymous
 1.66  17-Oct-2007  christos From Anon Ymous:
- general cleanup [e-funcs, lint fixes, exit values, more error checking]
- add the ability to change the primary group as login:group, or :group
*disabled*, until it is discussed.
- remove krb4 code since there is no more krb4 code in the tree.
- also make the old su behave like the pam su: su to the same user, does
not ask for a password.
- split out shared code into a separate file.
 1.65  05-Jul-2005  kleink branches: 1.65.12;
Set LOGNAME in the new environment (in addition to USER);
fixes PR bin/30670 from Pavel Cahyna.
 1.64  10-Jan-2005  christos branches: 1.64.2;
Restore su.c to version 1.58, plus minor prototyping. Split pam
into su_pam.c, and turn it off by default in the Makefile until it
is tested and actually works. The current pam version does not set ruid
properly anymore.
 1.63  09-Jan-2005  manu Rewrite PAMification of su.
- don't try to fallback to plain old authentication. It could lead to unix
authentication to be used while the administrator wanted to forbid it.
Moreover, a broken PAM setup can be fixed by just rebooting in single user.
- In order to make the code more readable, make two main(), with and without
PAM.
- Outstanding issues that seem impossible to fix:
The -K flag dies with PAM.
-c causes PAM credentials to be ignored.
 1.62  08-Jan-2005  manu Don't fallback to plain old authentication on "normal" errors such as
authentication failure.
 1.61  08-Jan-2005  christos if we are using pam and it succeeded, don't re-initialize kerberos needlessly.
 1.60  08-Jan-2005  christos - avoid calling pam_end twice if pam failed in fatal
- make fatal proper macros
- fix typos in comments
- fix logical error initializing pam
XXX: Seems to work now, but the whole process is awkward.
Asking for an ssh passphrase and using this to do unix authentication is wrong.
Falling back to the old style auth is awkward. We should really provide a
pam_rootauth module if we want to support that.
 1.59  07-Jan-2005  manu Add PAM support to su
 1.58  05-Jan-2004  jmmv branches: 1.58.2; 1.58.4;
Homogenize usage messages: make the 'usage' word all lowercase, as this seems
to be the most common practice in our tree.
 1.57  20-Aug-2003  christos Normalize the program's compilation options so they are all of the form SU_
and document them.
 1.56  07-Aug-2003  agc Move UCB-licensed code from 4-clause to 3-clause licence.

Patches provided by Joel Baker in PR 22365, verified by myself.
 1.55  18-Jun-2003  jrf This addresses PR21693. Under certain conditions, su -m will fail because
the pointer to /etc/shells is pointing to the second entry. This change
resets the pointer before looping through the file again. FreeBSD does
this as well. Commit approved by christos and thanks to Geoff Adams for
catching and reporting it.
 1.54  27-Apr-2003  jmmv Implement the `-d' option, which behaves as `-l' but does not change the
current directory. Idea suggested by dsl@ in source-changes.
 1.53  25-Apr-2003  mycroft Only unset ENV if -f was used, AS THE CHANGE WAS DOCUMENTED.
I'm not convinced this is a good idea at all, but at least this fixed my usage.
 1.52  20-Apr-2003  christos PR/5803: Gregg A. Woods: su doesn't support its "-f" option for sh and/or ksh
fixed by unsetenv("ENV") when -f is set and the shell is not csh.
 1.51  16-Nov-2002  itojun error handling on strdup failure
 1.50  16-Nov-2002  itojun use strlcpy
 1.49  11-Jun-2002  itojun err/errx/warn/warnx do not need \n at the end
 1.48  23-Apr-2001  simonb Revert to previous, less offensive, error message when a malloc fails.
 1.47  19-Feb-2001  cgd convert to use getprogname()
 1.46  10-Jan-2001  sjg If SU_INDIRECT_GROUP is defined (it is by default), then su will
consider that SUGROUP and ROOTAUTH group contain the names of
users and groups. If user is not found in the list check_ingroup()
recurses on each member until either user is found or end of chain
is reached.

The above allows su's use of the wheel group to be extended to a large
number of users without necessarily putting them in group wheel, and
in a way that will work over NIS that simply extending the line length
limit in getgrent.c cannot.
 1.45  10-Jan-2001  lukem - don't use LOG_CONS
- by default log to LOG_AUTH (so no need to specify LOG_AUTH at each syslog())
- log all unsuccessful attempts (for whatever reason) to LOG_WARNING
- log all successful attempts to LOG_NOTICE
 1.44  09-Sep-2000  erh Switch to the user we're su-ing to sooner. This allows su to actually access the user's home directory in cases where root can't. (i.e. root=nobody NFS mounts). Also, avoid inadvertently raising the priority.
 1.43  09-Aug-2000  assar set the correct owner on the krb5 ccache
 1.42  13-Jul-2000  assar fix the krb5 su to ordinary user case, from Mark Davies
<mark@MCS.VUW.AC.NZ>
 1.41  10-Jul-2000  assar add Kerberos5 support
 1.40  10-Jul-2000  assar repair, simplify, and improve the Kerberos part
 1.39  11-Feb-2000  abs branches: 1.39.4;
Set SU_FROM environment variable. This can be used to determine a 'su -'
shell from a real login shell (but only if you care).
 1.38  25-Jan-2000  mjl Removed code that would squash root's path when suing to root,
restores old behaviour of su.
 1.37  14-Jan-2000  mjl Implement login_cap capability lookup.
 1.36  09-Nov-1999  drochner Since our gcc doesn't warn about NULL format strings anymore, we can
fix the incorrect err(1, "%s", "") et al.
Closes PR bin/7592 by cgd.
 1.35  29-Aug-1999  christos branches: 1.35.4;
Amazing how this worked for so long. setenv(3) expects environ(7) to be
a malloc'ed pointer and it tries to realloc(3) it if it had to grow it
before. su(1) gave it a pointer from the stack which caused realloc to
core dump.
 1.34  11-Jul-1999  kim Allow people in group wheel to use the ROOTAUTH group.
Pick up SUROOTAUTH (presumably from /etc/mk.conf).
 1.33  22-Mar-1999  abs branches: 1.33.2;
Looks like some recent changes broke the 'anyone can su if wheel is not present
or empty' rule. Fix.
 1.32  15-Mar-1999  christos Revert - handling; it is done as part of getopt.
 1.31  15-Mar-1999  christos Remove Solaris shadow password support... Better to do this in the
compatibility library. Suggested by Matt.
 1.30  15-Mar-1999  christos - Add support for Solaris style shadow password files
- Enable su - option if BSD4_4 is not defined
- Add compile time option ROOTAUTH (not enabled), where people belonging
to the ROOTAUTH group can su to root by supplying their own password.
 1.29  20-Feb-1999  scottr Don't warn about being in a user's ACL if Kerberos appears to be
unconfigured. We determine this the same way that passwd(1) does.
 1.28  19-Dec-1998  christos ifdef the pw_change and pw_expire stuff with BSD4_4
 1.27  14-Oct-1998  wsanchez Add #ifdef SKEY around SKEY-specific code.
 1.26  25-Aug-1998  ross Add { and } to shut up egcs. Reformat the more questionable code.
 1.25  26-Jul-1998  mycroft const poisoning.
 1.24  06-Jul-1998  mrg fix error in previous.
 1.23  06-Jul-1998  mrg remove some (almost) duplicated (and thankfully harmless) code left from lite2 merge. KNFnits.
 1.22  06-Jul-1998  mrg - use an array MAXHOSTNAMELEN+1 size to hold hostnames
- ensure hostname from gethostname() is nul-terminated in all cases
- minor KNF
- use MAXHOSTNAMELEN over various other values/defines
- be safe with buffers that hold hostnames
 1.21  02-Apr-1998  kleink Need <time.h> for ctime() prototype.
 1.20  24-Oct-1997  christos Cleanup warnings when -DKERBEROS
 1.19  19-Oct-1997  lukem branches: 1.19.2;
WARNSify, fix .Nm usage, deprecate register, getopt returns -1 not EOF
 1.18  02-Jul-1997  lukem As per discussion with mrg, back out parts of previous change.

The appropriate entry in /etc/group as returned by getgrnam() is
used to determine if 'su root' may be permitted, rather than
checking if membership exists in the result of getgroups().

The following changes were made regarding the behaviour of the special
group for 'su root'
* allow for definition of SUGROUP (defaults to "wheel") to override group name.
* use getgrnam(SUGROUP) instead of getgrgid(0).
* only scan getgrnam(SUGROUP)->gr_mem when checking for group membership.
* be more specific as to why 'su root' failed

NOTE: If a user's primary group is SUGROUP, and they're not a member
of SUGROUP in /etc/group, they will not be able to su.
 1.17  27-Jun-1997  lukem * Notify of impending password or account expiry (check against
_PASSWORD_WARNDAYS from <pwd.h>). For non-root users, enforce expiry when
it happens. From Simon Gerraty <sjg@zen.void.oz.au> in [bin/935].
* Check for group 0 in process's current group membership (as returned by
getgroups(2)), instead of just looking at the entry for wheel in /etc/group.
Based on code by Dan Caresone <dan@oink.geek.com.au> in [bin/792], and
also solves [bin/2466].
* Clean up to pass -Wall
 1.16  04-Mar-1997  explorer s/strcnpy/strncpy/ typo
 1.15  11-Feb-1997  mrg remove possibly dangerous sprintf and strcpy calls.
 1.14  31-Jan-1997  ghudson As discussed on tech-userlevel, allow anyone to su if group wheel has
no members (if you have just "root" as a member, which is the shipped
default, then no one can su, as before).
 1.13  09-Jan-1997  tls Sync to 4.4BSD-Lite2
 1.12  15-Oct-1996  christos - Fix previous commit; shells require -c "command"
- RCSid police.
 1.11  12-Oct-1996  christos Fix PR/2837: su [login [args]] had the wrong usage and did not work properly. Build the correct argument list and add -c for the shells.
Fix PR/2839: su will not build with Kerberos.

- Also:
-Don't coredump when $TERM is not set.
-Add prototypes, remove local old style declarations of system
functions.
-Recognize shells that contain "csh" as being csh alike.
-Don't build with SKEY unconditionally. Obey bsd.own.mk.
 1.10  24-May-1994  deraadt add skey support
 1.9  12-Feb-1994  cgd fix bin/120: "su -" buglet when empty "shell" field in passwd
 1.8  07-Jan-1994  mycroft Fix bizarre handling of cleanenv, and set the subshells argv[0] according
to standard practice. Changes from Alan Batie, David Greenman, and myself.
 1.7  27-Aug-1993  jtc Minor tweaks: including header files to bring prototypes into scope,
explicitly declaring function return values, etc. to make gcc -Wall
shut up.
 1.6  01-Aug-1993  mycroft Add RCS identifiers.
 1.5  28-Jul-1993  jtc Back out last change until I can get an official interpretation.
 1.4  28-Jul-1993  jtc Update LOGNAME as well as USER environment variables to keep POSIX utilities
that only understand LOGNAME happy.
 1.3  26-Apr-1993  cgd changed to use new libcrypt scheme.
 1.2  17-Apr-1993  sef Allow 'su foo -c command'. MAY BE BUGGY! (So sayeth Keith Bostic.)
I have noticed no problems yet, however. Since Keith never did it
"properly" ...
 1.1  21-Mar-1993  cgd branches: 1.1.1;
Initial revision
 1.1.1.2  10-Dec-1994  jtc imported from 4.4lite
 1.1.1.1  21-Mar-1993  cgd initial import of 386bsd-0.1 sources
 1.19.2.1  24-Oct-1997  mellon Pull rev 1.20 up from trunk
 1.33.2.3  18-Feb-2000  he Pull up revision 1.39 (requested by abs):
Have su set SU_FROM environment variable, and use to avoid
incorrect 'use su' warning in root's .login.
 1.33.2.2  08-Jan-2000  he Pull up revision 1.34 (requested by kim):
Allow the make variable SUROOTAUTH to be set to a group where the
members can use their own password to authenticate to su to root.
By default this is not set, retaining the traditional behaviour.
 1.33.2.1  29-Aug-1999  he Pull up revision 1.35:
Fix memory corruption problem. (christos)
 1.35.4.1  27-Dec-1999  wrstuden Pull up to last week's -current.
 1.39.4.2  10-Sep-2000  erh Pull up revision 1.44:
Switch to user earlier so home directories on root=nobody NFS mount work.
Avoid inadvertently raising the priority when we want to lower it.
 1.39.4.1  09-Aug-2000  assar merge 1.39->1.43

approved by thorpej
 1.58.4.1  18-Jul-2005  riz Pull up revision 1.65 (requested by kleink in ticket #2070):
Set LOGNAME in the new environment (in addition to USER);
fixes PR bin/30670 from Pavel Cahyna.
 1.58.2.1  18-Jul-2005  riz Pull up revision 1.65 (requested by kleink in ticket #2070):
Set LOGNAME in the new environment (in addition to USER);
fixes PR bin/30670 from Pavel Cahyna.
 1.64.2.1  09-Jul-2005  tron Pull up revision 1.65 (requested by kleink in ticket #551):
Set LOGNAME in the new environment (in addition to USER);
fixes PR bin/30670 from Pavel Cahyna.
 1.65.12.1  06-Nov-2007  matt sync with HEAD
 1.67.4.1  18-Sep-2008  wrstuden Sync with wrstuden-revivesa-base-2.
 1.69.4.1  07-May-2012  riz Pull up following revision(s) (requested by christos in ticket #213):
usr.bin/su/su.c: revision 1.70
make this compile again.
 1.69.2.2  22-May-2014  yamt sync with head.

for a reference, the tree before this commit was tagged
as yamt-pagecache-tag8.

this commit was split into small chunks to avoid
a limitation of cvs. ("Protocol error: too many arguments")
 1.69.2.1  17-Apr-2012  yamt sync with head
 1.70.2.1  20-Aug-2014  tls Rebase to HEAD as of a few days ago.
