login.c revision 1.6
1 /*- 2 * Copyright (c) 1980, 1987, 1988, 1991 The Regents of the University 3 * of California. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. All advertising materials mentioning features or use of this software 14 * must display the following acknowledgement: 15 * This product includes software developed by the University of 16 * California, Berkeley and its contributors. 17 * 4. Neither the name of the University nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #ifndef lint 35 char copyright[] = 36 "@(#) Copyright (c) 1980, 1987, 1988, 1991 The Regents of the University of California.\n\ 37 All rights reserved.\n"; 38 #endif /* not lint */ 39 40 #ifndef lint 41 /*static char sccsid[] = "from: @(#)login.c 5.78 (Berkeley) 6/29/92";*/ 42 static char rcsid[] = "$Id: login.c,v 1.6 1993/08/01 18:13:31 mycroft Exp $"; 43 #endif /* not lint */ 44 45 /* 46 * login [ name ] 47 * login -h hostname (for telnetd, etc.) 48 * login -f name (for pre-authenticated login: datakit, xterm, etc.) 49 */ 50 51 #include <sys/param.h> 52 #include <sys/stat.h> 53 #include <sys/time.h> 54 #include <sys/resource.h> 55 #include <sys/file.h> 56 57 #include <signal.h> 58 #include <ttyent.h> 59 #include <syslog.h> 60 #include <setjmp.h> 61 #include <tzfile.h> 62 #include <utmp.h> 63 #include <errno.h> 64 #include <grp.h> 65 #include <pwd.h> 66 #include <unistd.h> 67 #include <stdio.h> 68 #include <stdlib.h> 69 #include <string.h> 70 #include "pathnames.h" 71 72 void badlogin __P((char *)); 73 void checknologin __P((void)); 74 void dolastlog __P((int)); 75 void getloginname __P((void)); 76 void motd __P((void)); 77 int rootterm __P((char *)); 78 void sigint __P((int)); 79 void sleepexit __P((int)); 80 char *stypeof __P((char *)); 81 void timedout __P((int)); 82 #ifdef KERBEROS 83 int klogin __P((struct passwd *, char *, char *, char *)); 84 #endif 85 86 #define TTYGRPNAME "tty" /* name of group to own ttys */ 87 88 /* 89 * This bounds the time given to login. Not a define so it can 90 * be patched on machines where it's too small. 91 */ 92 int timeout = 300; 93 94 #ifdef KERBEROS 95 int notickets = 1; 96 char *instance; 97 char *krbtkfile_env; 98 int authok; 99 #endif 100 101 struct passwd *pwd; 102 int failures; 103 char term[64], *envinit[1], *hostname, *username, *tty; 104 105 int 106 main(argc, argv) 107 int argc; 108 char *argv[]; 109 { 110 extern char **environ; 111 register int ch; 112 register char *p; 113 struct group *gr; 114 struct stat st; 115 struct timeval tp; 116 struct utmp utmp; 117 int ask, cnt, fflag, hflag, pflag, quietlog, rootlogin, rval, uid; 118 char *domain, *salt, *ttyn; 119 char tbuf[MAXPATHLEN + 2], tname[sizeof(_PATH_TTY) + 10]; 120 char localhost[MAXHOSTNAMELEN]; 121 122 (void)signal(SIGALRM, timedout); 123 (void)alarm((u_int)timeout); 124 (void)signal(SIGQUIT, SIG_IGN); 125 (void)signal(SIGINT, SIG_IGN); 126 (void)setpriority(PRIO_PROCESS, 0, 0); 127 128 openlog("login", LOG_ODELAY, LOG_AUTH); 129 130 /* 131 * -p is used by getty to tell login not to destroy the environment 132 * -f is used to skip a second login authentication 133 * -h is used by other servers to pass the name of the remote 134 * host to login so that it may be placed in utmp and wtmp 135 */ 136 domain = NULL; 137 if (gethostname(localhost, sizeof(localhost)) < 0) 138 syslog(LOG_ERR, "couldn't get local hostname: %m"); 139 else 140 domain = index(localhost, '.'); 141 142 fflag = hflag = pflag = 0; 143 uid = getuid(); 144 while ((ch = getopt(argc, argv, "fh:p")) != EOF) 145 switch (ch) { 146 case 'f': 147 fflag = 1; 148 break; 149 case 'h': 150 if (uid) { 151 (void)fprintf(stderr, 152 "login: -h option: %s\n", strerror(EPERM)); 153 exit(1); 154 } 155 hflag = 1; 156 if (domain && (p = index(optarg, '.')) && 157 strcasecmp(p, domain) == 0) 158 *p = 0; 159 hostname = optarg; 160 break; 161 case 'p': 162 pflag = 1; 163 break; 164 case '?': 165 default: 166 if (!uid) 167 syslog(LOG_ERR, "invalid flag %c", ch); 168 (void)fprintf(stderr, 169 "usage: login [-fp] [-h hostname] [username]\n"); 170 exit(1); 171 } 172 argc -= optind; 173 argv += optind; 174 175 if (*argv) { 176 username = *argv; 177 ask = 0; 178 } else 179 ask = 1; 180 181 for (cnt = getdtablesize(); cnt > 2; cnt--) 182 (void)close(cnt); 183 184 ttyn = ttyname(STDIN_FILENO); 185 if (ttyn == NULL || *ttyn == '\0') { 186 (void)snprintf(tname, sizeof(tname), "%s??", _PATH_TTY); 187 ttyn = tname; 188 } 189 if (tty = rindex(ttyn, '/')) 190 ++tty; 191 else 192 tty = ttyn; 193 194 for (cnt = 0;; ask = 1) { 195 if (ask) { 196 fflag = 0; 197 getloginname(); 198 } 199 rootlogin = 0; 200 #ifdef KERBEROS 201 if ((instance = index(username, '.')) != NULL) { 202 if (strncmp(instance, ".root", 5) == 0) 203 rootlogin = 1; 204 *instance++ = '\0'; 205 } else 206 instance = ""; 207 #endif 208 if (strlen(username) > UT_NAMESIZE) 209 username[UT_NAMESIZE] = '\0'; 210 211 /* 212 * Note if trying multiple user names; log failures for 213 * previous user name, but don't bother logging one failure 214 * for nonexistent name (mistyped username). 215 */ 216 if (failures && strcmp(tbuf, username)) { 217 if (failures > (pwd ? 0 : 1)) 218 badlogin(tbuf); 219 failures = 0; 220 } 221 (void)strcpy(tbuf, username); 222 223 if (pwd = getpwnam(username)) 224 salt = pwd->pw_passwd; 225 else 226 salt = "xx"; 227 228 /* 229 * if we have a valid account name, and it doesn't have a 230 * password, or the -f option was specified and the caller 231 * is root or the caller isn't changing their uid, don't 232 * authenticate. 233 */ 234 if (pwd && (*pwd->pw_passwd == '\0' || 235 fflag && (uid == 0 || uid == pwd->pw_uid))) 236 break; 237 fflag = 0; 238 if (pwd && pwd->pw_uid == 0) 239 rootlogin = 1; 240 241 (void)setpriority(PRIO_PROCESS, 0, -4); 242 243 p = getpass("Password:"); 244 245 if (pwd) { 246 #ifdef KERBEROS 247 rval = klogin(pwd, instance, localhost, p); 248 if (rval == 0) 249 authok = 1; 250 else if (rval == 1) 251 rval = strcmp(crypt(p, salt), pwd->pw_passwd); 252 #else 253 rval = strcmp(crypt(p, salt), pwd->pw_passwd); 254 #endif 255 } 256 bzero(p, strlen(p)); 257 258 (void)setpriority(PRIO_PROCESS, 0, 0); 259 260 /* 261 * If trying to log in as root without Kerberos, 262 * but with insecure terminal, refuse the login attempt. 263 */ 264 #ifdef KERBEROS 265 if (authok == 0) 266 #endif 267 if (pwd && rootlogin && !rootterm(tty)) { 268 (void)fprintf(stderr, 269 "%s login refused on this terminal.\n", 270 pwd->pw_name); 271 if (hostname) 272 syslog(LOG_NOTICE, 273 "LOGIN %s REFUSED FROM %s ON TTY %s", 274 pwd->pw_name, hostname, tty); 275 else 276 syslog(LOG_NOTICE, 277 "LOGIN %s REFUSED ON TTY %s", 278 pwd->pw_name, tty); 279 continue; 280 } 281 282 if (pwd && !rval) 283 break; 284 285 (void)printf("Login incorrect\n"); 286 failures++; 287 /* we allow 10 tries, but after 3 we start backing off */ 288 if (++cnt > 3) { 289 if (cnt >= 10) { 290 badlogin(username); 291 sleepexit(1); 292 } 293 sleep((u_int)((cnt - 3) * 5)); 294 } 295 } 296 297 /* committed to login -- turn off timeout */ 298 (void)alarm((u_int)0); 299 300 endpwent(); 301 302 /* if user not super-user, check for disabled logins */ 303 if (!rootlogin) 304 checknologin(); 305 306 if (chdir(pwd->pw_dir) < 0) { 307 (void)printf("No home directory %s!\n", pwd->pw_dir); 308 if (chdir("/")) 309 exit(0); 310 pwd->pw_dir = "/"; 311 (void)printf("Logging in with home = \"/\".\n"); 312 } 313 314 quietlog = access(_PATH_HUSHLOGIN, F_OK) == 0; 315 316 if (pwd->pw_change || pwd->pw_expire) 317 (void)gettimeofday(&tp, (struct timezone *)NULL); 318 if (pwd->pw_change) 319 if (tp.tv_sec >= pwd->pw_change) { 320 (void)printf("Sorry -- your password has expired.\n"); 321 sleepexit(1); 322 } else if (pwd->pw_change - tp.tv_sec < 323 2 * DAYSPERWEEK * SECSPERDAY && !quietlog) 324 (void)printf("Warning: your password expires on %s", 325 ctime(&pwd->pw_change)); 326 if (pwd->pw_expire) 327 if (tp.tv_sec >= pwd->pw_expire) { 328 (void)printf("Sorry -- your account has expired.\n"); 329 sleepexit(1); 330 } else if (pwd->pw_expire - tp.tv_sec < 331 2 * DAYSPERWEEK * SECSPERDAY && !quietlog) 332 (void)printf("Warning: your account expires on %s", 333 ctime(&pwd->pw_expire)); 334 335 /* Nothing else left to fail -- really log in. */ 336 bzero((void *)&utmp, sizeof(utmp)); 337 (void)time(&utmp.ut_time); 338 (void)strncpy(utmp.ut_name, username, sizeof(utmp.ut_name)); 339 if (hostname) 340 (void)strncpy(utmp.ut_host, hostname, sizeof(utmp.ut_host)); 341 (void)strncpy(utmp.ut_line, tty, sizeof(utmp.ut_line)); 342 login(&utmp); 343 344 dolastlog(quietlog); 345 346 (void)chown(ttyn, pwd->pw_uid, 347 (gr = getgrnam(TTYGRPNAME)) ? gr->gr_gid : pwd->pw_gid); 348 (void)setgid(pwd->pw_gid); 349 350 initgroups(username, pwd->pw_gid); 351 352 if (*pwd->pw_shell == '\0') 353 pwd->pw_shell = _PATH_BSHELL; 354 355 /* Destroy environment unless user has requested its preservation. */ 356 if (!pflag) 357 environ = envinit; 358 (void)setenv("HOME", pwd->pw_dir, 1); 359 (void)setenv("SHELL", pwd->pw_shell, 1); 360 if (term[0] == '\0') 361 (void)strncpy(term, stypeof(tty), sizeof(term)); 362 (void)setenv("TERM", term, 0); 363 (void)setenv("LOGNAME", pwd->pw_name, 1); 364 (void)setenv("USER", pwd->pw_name, 1); 365 (void)setenv("PATH", _PATH_DEFPATH, 0); 366 #ifdef KERBEROS 367 if (krbtkfile_env) 368 (void)setenv("KRBTKFILE", krbtkfile_env, 1); 369 #endif 370 371 if (tty[sizeof("tty")-1] == 'd') 372 syslog(LOG_INFO, "DIALUP %s, %s", tty, pwd->pw_name); 373 374 /* If fflag is on, assume caller/authenticator has logged root login. */ 375 if (rootlogin && fflag == 0) 376 if (hostname) 377 syslog(LOG_NOTICE, "ROOT LOGIN (%s) ON %s FROM %s", 378 username, tty, hostname); 379 else 380 syslog(LOG_NOTICE, "ROOT LOGIN (%s) ON %s", username, tty); 381 382 #ifdef KERBEROS 383 if (!quietlog && notickets == 1) 384 (void)printf("Warning: no Kerberos tickets issued.\n"); 385 #endif 386 387 if (!quietlog) { 388 (void)printf( 389 "Copyright (c) 1980,1983,1986,1988,1990,1991 The Regents of the University\n%s", 390 "of California. All rights reserved.\n\n"); 391 motd(); 392 (void)snprintf(tbuf, 393 sizeof(tbuf), "%s/%s", _PATH_MAILDIR, pwd->pw_name); 394 if (stat(tbuf, &st) == 0 && st.st_size != 0) 395 (void)printf("You have %smail.\n", 396 (st.st_mtime > st.st_atime) ? "new " : ""); 397 } 398 399 (void)signal(SIGALRM, SIG_DFL); 400 (void)signal(SIGQUIT, SIG_DFL); 401 (void)signal(SIGINT, SIG_DFL); 402 (void)signal(SIGTSTP, SIG_IGN); 403 404 tbuf[0] = '-'; 405 (void)strcpy(tbuf + 1, (p = rindex(pwd->pw_shell, '/')) ? 406 p + 1 : pwd->pw_shell); 407 408 if (setlogin(pwd->pw_name) < 0) 409 syslog(LOG_ERR, "setlogin() failure: %m"); 410 411 /* Discard permissions last so can't get killed and drop core. */ 412 if (rootlogin) 413 (void) setuid(0); 414 else 415 (void) setuid(pwd->pw_uid); 416 417 execlp(pwd->pw_shell, tbuf, 0); 418 (void)fprintf(stderr, "%s: %s\n", pwd->pw_shell, strerror(errno)); 419 exit(1); 420 } 421 422 #ifdef KERBEROS 423 #define NBUFSIZ (UT_NAMESIZE + 1 + 5) /* .root suffix */ 424 #else 425 #define NBUFSIZ (UT_NAMESIZE + 1) 426 #endif 427 428 void 429 getloginname() 430 { 431 register int ch; 432 register char *p; 433 static char nbuf[NBUFSIZ]; 434 435 for (;;) { 436 (void)printf("login: "); 437 for (p = nbuf; (ch = getchar()) != '\n'; ) { 438 if (ch == EOF) { 439 badlogin(username); 440 exit(0); 441 } 442 if (p < nbuf + (NBUFSIZ - 1)) 443 *p++ = ch; 444 } 445 if (p > nbuf) 446 if (nbuf[0] == '-') 447 (void)fprintf(stderr, 448 "login names may not start with '-'.\n"); 449 else { 450 *p = '\0'; 451 username = nbuf; 452 break; 453 } 454 } 455 } 456 457 int 458 rootterm(ttyn) 459 char *ttyn; 460 { 461 struct ttyent *t; 462 463 return((t = getttynam(ttyn)) && t->ty_status & TTY_SECURE); 464 } 465 466 jmp_buf motdinterrupt; 467 468 void 469 motd() 470 { 471 register int fd, nchars; 472 sig_t oldint; 473 char tbuf[8192]; 474 475 if ((fd = open(_PATH_MOTDFILE, O_RDONLY, 0)) < 0) 476 return; 477 oldint = signal(SIGINT, sigint); 478 if (setjmp(motdinterrupt) == 0) 479 while ((nchars = read(fd, tbuf, sizeof(tbuf))) > 0) 480 (void)write(fileno(stdout), tbuf, nchars); 481 (void)signal(SIGINT, oldint); 482 (void)close(fd); 483 } 484 485 /* ARGSUSED */ 486 void 487 sigint(signo) 488 int signo; 489 { 490 longjmp(motdinterrupt, 1); 491 } 492 493 /* ARGSUSED */ 494 void 495 timedout(signo) 496 int signo; 497 { 498 (void)fprintf(stderr, "Login timed out after %d seconds\n", timeout); 499 exit(0); 500 } 501 502 void 503 checknologin() 504 { 505 register int fd, nchars; 506 char tbuf[8192]; 507 508 if ((fd = open(_PATH_NOLOGIN, O_RDONLY, 0)) >= 0) { 509 while ((nchars = read(fd, tbuf, sizeof(tbuf))) > 0) 510 (void)write(fileno(stdout), tbuf, nchars); 511 sleepexit(0); 512 } 513 } 514 515 void 516 dolastlog(quiet) 517 int quiet; 518 { 519 struct lastlog ll; 520 int fd; 521 522 if ((fd = open(_PATH_LASTLOG, O_RDWR, 0)) >= 0) { 523 (void)lseek(fd, (off_t)pwd->pw_uid * sizeof(ll), L_SET); 524 if (!quiet) { 525 if (read(fd, (char *)&ll, sizeof(ll)) == sizeof(ll) && 526 ll.ll_time != 0) { 527 (void)printf("Last login: %.*s ", 528 24-5, (char *)ctime(&ll.ll_time)); 529 if (*ll.ll_host != '\0') 530 (void)printf("from %.*s\n", 531 (int)sizeof(ll.ll_host), 532 ll.ll_host); 533 else 534 (void)printf("on %.*s\n", 535 (int)sizeof(ll.ll_line), 536 ll.ll_line); 537 } 538 (void)lseek(fd, (off_t)pwd->pw_uid * sizeof(ll), L_SET); 539 } 540 bzero((void *)&ll, sizeof(ll)); 541 (void)time(&ll.ll_time); 542 (void)strncpy(ll.ll_line, tty, sizeof(ll.ll_line)); 543 if (hostname) 544 (void)strncpy(ll.ll_host, hostname, sizeof(ll.ll_host)); 545 (void)write(fd, (char *)&ll, sizeof(ll)); 546 (void)close(fd); 547 } 548 } 549 550 void 551 badlogin(name) 552 char *name; 553 { 554 if (failures == 0) 555 return; 556 if (hostname) { 557 syslog(LOG_NOTICE, "%d LOGIN FAILURE%s FROM %s", 558 failures, failures > 1 ? "S" : "", hostname); 559 syslog(LOG_AUTHPRIV|LOG_NOTICE, 560 "%d LOGIN FAILURE%s FROM %s, %s", 561 failures, failures > 1 ? "S" : "", hostname, name); 562 } else { 563 syslog(LOG_NOTICE, "%d LOGIN FAILURE%s ON %s", 564 failures, failures > 1 ? "S" : "", tty); 565 syslog(LOG_AUTHPRIV|LOG_NOTICE, 566 "%d LOGIN FAILURE%s ON %s, %s", 567 failures, failures > 1 ? "S" : "", tty, name); 568 } 569 } 570 571 #undef UNKNOWN 572 #define UNKNOWN "su" 573 574 char * 575 stypeof(ttyid) 576 char *ttyid; 577 { 578 struct ttyent *t; 579 580 return(ttyid && (t = getttynam(ttyid)) ? t->ty_type : UNKNOWN); 581 } 582 583 void 584 sleepexit(eval) 585 int eval; 586 { 587 (void)sleep((u_int)5); 588 exit(eval); 589 } 590
Indexes created Wed Oct 01 13:09:50 GMT 2025