su.c revision 1.42
1 /* $NetBSD: su.c,v 1.42 2000/07/13 08:37:10 assar Exp $ */ 2 3 /* 4 * Copyright (c) 1988 The Regents of the University of California. 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. All advertising materials mentioning features or use of this software 16 * must display the following acknowledgement: 17 * This product includes software developed by the University of 18 * California, Berkeley and its contributors. 19 * 4. Neither the name of the University nor the names of its contributors 20 * may be used to endorse or promote products derived from this software 21 * without specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 33 * SUCH DAMAGE. 34 */ 35 36 #include <sys/cdefs.h> 37 #ifndef lint 38 __COPYRIGHT( 39 "@(#) Copyright (c) 1988 The Regents of the University of California.\n\ 40 All rights reserved.\n"); 41 #endif /* not lint */ 42 43 #ifndef lint 44 #if 0 45 static char sccsid[] = "@(#)su.c 8.3 (Berkeley) 4/2/94";*/ 46 #else 47 __RCSID("$NetBSD: su.c,v 1.42 2000/07/13 08:37:10 assar Exp $"); 48 #endif 49 #endif /* not lint */ 50 51 #include <sys/param.h> 52 #include <sys/time.h> 53 #include <sys/resource.h> 54 #include <err.h> 55 #include <errno.h> 56 #include <grp.h> 57 #include <paths.h> 58 #include <pwd.h> 59 #include <stdio.h> 60 #ifdef SKEY 61 #include <skey.h> 62 #endif 63 #include <stdlib.h> 64 #include <string.h> 65 #include <syslog.h> 66 #include <time.h> 67 #include <tzfile.h> 68 #include <unistd.h> 69 70 #ifdef LOGIN_CAP 71 #include <login_cap.h> 72 #endif 73 74 #ifdef KERBEROS 75 #include <des.h> 76 #include <krb.h> 77 #include <netdb.h> 78 79 static int kerberos __P((char *, char *, int)); 80 static int koktologin __P((char *, char *, char *)); 81 82 #endif 83 84 #ifdef KERBEROS5 85 #include <krb5.h> 86 87 static int kerberos5 __P((char *, char *, int)); 88 89 #endif 90 91 #if defined(KERBEROS) || defined(KERBEROS5) 92 93 #define ARGSTRX "-Kflm" 94 95 int use_kerberos = 1; 96 97 #else 98 #define ARGSTRX "-flm" 99 #endif 100 101 #ifndef SUGROUP 102 #define SUGROUP "wheel" 103 #endif 104 105 #ifdef LOGIN_CAP 106 #define ARGSTR ARGSTRX "c:" 107 #else 108 #define ARGSTR ARGSTRX 109 #endif 110 111 int main __P((int, char **)); 112 113 static int chshell __P((const char *)); 114 static char *ontty __P((void)); 115 116 117 int 118 main(argc, argv) 119 int argc; 120 char **argv; 121 { 122 extern char *__progname; 123 extern char **environ; 124 struct passwd *pwd; 125 char *p; 126 struct group *gr; 127 #ifdef BSD4_4 128 struct timeval tp; 129 #endif 130 uid_t ruid; 131 int asme, ch, asthem, fastlogin, prio; 132 enum { UNSET, YES, NO } iscsh = UNSET; 133 char *user, *shell, *avshell, *username, **np; 134 char *userpass, *class; 135 char shellbuf[MAXPATHLEN], avshellbuf[MAXPATHLEN]; 136 time_t pw_warntime = _PASSWORD_WARNDAYS * SECSPERDAY; 137 #ifdef LOGIN_CAP 138 login_cap_t *lc; 139 #endif 140 141 asme = asthem = fastlogin = 0; 142 shell = class = NULL; 143 while ((ch = getopt(argc, argv, ARGSTR)) != -1) 144 switch((char)ch) { 145 #if defined(KERBEROS) || defined(KERBEROS5) 146 case 'K': 147 use_kerberos = 0; 148 break; 149 #endif 150 #ifdef LOGIN_CAP 151 case 'c': 152 class = optarg; 153 break; 154 #endif 155 case 'f': 156 fastlogin = 1; 157 break; 158 case '-': 159 case 'l': 160 asme = 0; 161 asthem = 1; 162 break; 163 case 'm': 164 asme = 1; 165 asthem = 0; 166 break; 167 case '?': 168 default: 169 (void)fprintf(stderr, 170 "Usage: %s [%s] [login [shell arguments]]\n", 171 __progname, ARGSTR); 172 exit(1); 173 } 174 argv += optind; 175 176 errno = 0; 177 prio = getpriority(PRIO_PROCESS, 0); 178 if (errno) 179 prio = 0; 180 (void)setpriority(PRIO_PROCESS, 0, -2); 181 openlog("su", LOG_CONS, 0); 182 183 /* get current login name and shell */ 184 ruid = getuid(); 185 username = getlogin(); 186 if (username == NULL || (pwd = getpwnam(username)) == NULL || 187 pwd->pw_uid != ruid) 188 pwd = getpwuid(ruid); 189 if (pwd == NULL) 190 errx(1, "who are you?"); 191 username = strdup(pwd->pw_name); 192 userpass = strdup(pwd->pw_passwd); 193 if (username == NULL || userpass == NULL) 194 err(1, "strdup"); 195 196 197 if (asme) { 198 if (pwd->pw_shell && *pwd->pw_shell) { 199 shell = strncpy(shellbuf, pwd->pw_shell, 200 sizeof(shellbuf) - 1); 201 shellbuf[sizeof(shellbuf) - 1] = '\0'; 202 } else { 203 shell = _PATH_BSHELL; 204 iscsh = NO; 205 } 206 } 207 /* get target login information, default to root */ 208 user = *argv ? *argv : "root"; 209 np = *argv ? argv : argv-1; 210 211 if ((pwd = getpwnam(user)) == NULL) 212 errx(1, "unknown login %s", user); 213 214 #ifdef LOGIN_CAP 215 /* force the usage of specified class */ 216 if (class) { 217 if (ruid) 218 errx(1, "Only root may use -c"); 219 220 pwd->pw_class = class; 221 } 222 lc = login_getclass(pwd->pw_class); 223 224 pw_warntime = login_getcaptime(lc, "password-warn", 225 _PASSWORD_WARNDAYS * SECSPERDAY, 226 _PASSWORD_WARNDAYS * SECSPERDAY); 227 #endif 228 229 if (ruid 230 #ifdef KERBEROS5 231 && (!use_kerberos || kerberos5(username, user, pwd->pw_uid)) 232 #endif 233 #ifdef KERBEROS 234 && (!use_kerberos || kerberos(username, user, pwd->pw_uid)) 235 #endif 236 ) { 237 char *pass = pwd->pw_passwd; 238 int ok = pwd->pw_uid != 0; 239 char **g; 240 241 #ifdef ROOTAUTH 242 /* 243 * Allow those in group rootauth to su to root, by supplying 244 * their own password. 245 */ 246 if (!ok && (gr = getgrnam(ROOTAUTH))) 247 for (g = gr->gr_mem;; ++g) { 248 if (!*g) { 249 ok = 0; 250 break; 251 } 252 if (!strcmp(username, *g)) { 253 pass = userpass; 254 user = username; 255 ok = 1; 256 break; 257 } 258 } 259 #endif 260 /* 261 * Only allow those in group SUGROUP to su to root, 262 * but only if that group has any members. 263 * If SUGROUP has no members, allow anyone to su root 264 */ 265 if (!ok) { 266 if ( !(gr = getgrnam(SUGROUP)) || !*gr->gr_mem) 267 ok = 1; 268 else 269 for (g = gr->gr_mem; ; g++) { 270 if (*g == NULL) { 271 ok = 0; 272 break; 273 } 274 if (strcmp(username, *g) == 0) { 275 ok = 1; 276 break; 277 } 278 } 279 } 280 if (!ok) 281 errx(1, 282 "you are not listed in the correct secondary group (%s) to su %s.", 283 SUGROUP, user); 284 /* if target requires a password, verify it */ 285 if (*pass) { 286 p = getpass("Password:"); 287 #ifdef SKEY 288 if (strcasecmp(p, "s/key") == 0) { 289 if (skey_haskey(user)) 290 errx(1, "Sorry, you have no s/key."); 291 else { 292 if (skey_authenticate(user)) { 293 goto badlogin; 294 } 295 } 296 297 } else 298 #endif 299 if (strcmp(pass, crypt(p, pass))) { 300 #ifdef SKEY 301 badlogin: 302 #endif 303 fprintf(stderr, "Sorry\n"); 304 syslog(LOG_AUTH|LOG_WARNING, 305 "BAD SU %s to %s%s", username, 306 pwd->pw_name, ontty()); 307 exit(1); 308 } 309 } 310 } 311 312 if (asme) { 313 /* if asme and non-standard target shell, must be root */ 314 if (!chshell(pwd->pw_shell) && ruid) 315 errx(1,"permission denied (shell)."); 316 } else if (pwd->pw_shell && *pwd->pw_shell) { 317 shell = pwd->pw_shell; 318 iscsh = UNSET; 319 } else { 320 shell = _PATH_BSHELL; 321 iscsh = NO; 322 } 323 324 if ((p = strrchr(shell, '/')) != NULL) 325 avshell = p+1; 326 else 327 avshell = shell; 328 329 /* if we're forking a csh, we want to slightly muck the args */ 330 if (iscsh == UNSET) 331 iscsh = strstr(avshell, "csh") ? YES : NO; 332 333 #ifndef LOGIN_CAP /* This is done by setusercontext() */ 334 /* set permissions */ 335 if (setgid(pwd->pw_gid) < 0) 336 err(1, "setgid"); 337 if (initgroups(user, pwd->pw_gid)) 338 errx(1, "initgroups failed"); 339 if (setuid(pwd->pw_uid) < 0) 340 err(1, "setuid"); 341 #endif 342 343 if (!asme) { 344 if (asthem) { 345 p = getenv("TERM"); 346 /* Create an empty environment */ 347 if ((environ = malloc(sizeof(char *))) == NULL) 348 err(1, NULL); 349 environ[0] = NULL; 350 #ifdef LOGIN_CAP 351 if (setusercontext(lc, 352 pwd, pwd->pw_uid, LOGIN_SETPATH)) 353 err(1, "setting user context"); 354 #else 355 (void)setenv("PATH", _PATH_DEFPATH, 1); 356 #endif 357 if (p) 358 (void)setenv("TERM", p, 1); 359 if (chdir(pwd->pw_dir) < 0) 360 errx(1, "no directory"); 361 } 362 363 if (asthem || pwd->pw_uid) 364 (void)setenv("USER", pwd->pw_name, 1); 365 (void)setenv("HOME", pwd->pw_dir, 1); 366 (void)setenv("SHELL", shell, 1); 367 } 368 (void)setenv("SU_FROM", username, 1); 369 370 if (iscsh == YES) { 371 if (fastlogin) 372 *np-- = "-f"; 373 if (asme) 374 *np-- = "-m"; 375 } 376 377 if (asthem) { 378 avshellbuf[0] = '-'; 379 (void)strncpy(avshellbuf+1, avshell, sizeof(avshellbuf) - 2); 380 avshell = avshellbuf; 381 } else if (iscsh == YES) { 382 /* csh strips the first character... */ 383 avshellbuf[0] = '_'; 384 (void)strncpy(avshellbuf+1, avshell, sizeof(avshellbuf) - 2); 385 avshell = avshellbuf; 386 } 387 *np = avshell; 388 389 #ifdef BSD4_4 390 if (pwd->pw_change || pwd->pw_expire) 391 (void)gettimeofday(&tp, (struct timezone *)NULL); 392 if (pwd->pw_change) { 393 if (tp.tv_sec >= pwd->pw_change) { 394 (void)printf("%s -- %s's password has expired.\n", 395 (ruid ? "Sorry" : "Note"), user); 396 if (ruid != 0) 397 exit(1); 398 } else if (pwd->pw_change - tp.tv_sec < pw_warntime) 399 (void)printf("Warning: %s's password expires on %s", 400 user, ctime(&pwd->pw_change)); 401 } 402 if (pwd->pw_expire) { 403 if (tp.tv_sec >= pwd->pw_expire) { 404 (void)printf("%s -- %s's account has expired.\n", 405 (ruid ? "Sorry" : "Note"), user); 406 if (ruid != 0) 407 exit(1); 408 } else if (pwd->pw_expire - tp.tv_sec < 409 _PASSWORD_WARNDAYS * SECSPERDAY) 410 (void)printf("Warning: %s's account expires on %s", 411 user, ctime(&pwd->pw_expire)); 412 } 413 #endif 414 if (ruid != 0) 415 syslog(LOG_NOTICE|LOG_AUTH, "%s to %s%s", 416 username, pwd->pw_name, ontty()); 417 418 (void)setpriority(PRIO_PROCESS, 0, prio); 419 #ifdef LOGIN_CAP 420 if (setusercontext(lc, pwd, pwd->pw_uid, 421 (asthem ? (LOGIN_SETPRIORITY | LOGIN_SETUMASK) : 0) | 422 LOGIN_SETRESOURCES | LOGIN_SETGROUP | LOGIN_SETUSER)) 423 err(1, "setting user context"); 424 #endif 425 426 execv(shell, np); 427 err(1, "%s", shell); 428 /* NOTREACHED */ 429 } 430 431 static int 432 chshell(sh) 433 const char *sh; 434 { 435 const char *cp; 436 437 while ((cp = getusershell()) != NULL) 438 if (!strcmp(cp, sh)) 439 return (1); 440 return (0); 441 } 442 443 static char * 444 ontty() 445 { 446 char *p; 447 static char buf[MAXPATHLEN + 4]; 448 449 buf[0] = 0; 450 if ((p = ttyname(STDERR_FILENO)) != NULL) 451 (void)snprintf(buf, sizeof buf, " on %s", p); 452 return (buf); 453 } 454 455 #ifdef KERBEROS5 456 static int 457 kerberos5(username, user, uid) 458 char *username, *user; 459 int uid; 460 { 461 krb5_error_code ret; 462 krb5_context context; 463 krb5_principal princ = NULL; 464 krb5_ccache ccache, ccache2; 465 char *cc_name; 466 467 ret = krb5_init_context(&context); 468 if (ret) 469 return (1); 470 471 if (strcmp (user, "root") == 0) 472 ret = krb5_make_principal(context, &princ, 473 NULL, username, "root", NULL); 474 else 475 ret = krb5_make_principal(context, &princ, 476 NULL, user, NULL); 477 if (ret) 478 goto fail; 479 if (!krb5_kuserok(context, princ, user) && !uid) { 480 warnx ("kerberos5: not in %s's ACL.", user); 481 goto fail; 482 } 483 ret = krb5_cc_gen_new(context, &krb5_mcc_ops, &ccache); 484 if (ret) 485 goto fail; 486 ret = krb5_verify_user_lrealm(context, princ, ccache, NULL, TRUE, 487 NULL); 488 if (ret) { 489 krb5_cc_destroy(context, ccache); 490 switch (ret) { 491 case KRB5_LIBOS_PWDINTR : 492 break; 493 case KRB5KRB_AP_ERR_BAD_INTEGRITY: 494 case KRB5KRB_AP_ERR_MODIFIED: 495 krb5_warnx(context, "Password incorrect"); 496 break; 497 default : 498 krb5_warn(context, ret, "krb5_verify_user"); 499 break; 500 } 501 goto fail; 502 } 503 ret = krb5_cc_gen_new(context, &krb5_fcc_ops, &ccache2); 504 if (ret) { 505 krb5_cc_destroy(context, ccache); 506 goto fail; 507 } 508 ret = krb5_cc_copy_cache(context, ccache, ccache2); 509 if (ret) { 510 krb5_cc_destroy(context, ccache); 511 krb5_cc_destroy(context, ccache2); 512 goto fail; 513 } 514 515 asprintf(&cc_name, "%s:%s", krb5_cc_get_type(context, ccache2), 516 krb5_cc_get_name(context, ccache2)); 517 setenv("KRB5CCNAME", cc_name, 1); 518 free(cc_name); 519 krb5_cc_close(context, ccache2); 520 krb5_cc_destroy(context, ccache); 521 return 0; 522 523 fail: 524 if (princ != NULL) 525 krb5_free_principal (context, princ); 526 krb5_free_context (context); 527 return (1); 528 } 529 #endif 530 531 #ifdef KERBEROS 532 static int 533 kerberos(username, user, uid) 534 char *username, *user; 535 int uid; 536 { 537 KTEXT_ST ticket; 538 AUTH_DAT authdata; 539 struct hostent *hp; 540 int kerno; 541 u_long faddr; 542 char lrealm[REALM_SZ], krbtkfile[MAXPATHLEN]; 543 char hostname[MAXHOSTNAMELEN + 1], savehost[MAXHOSTNAMELEN + 1]; 544 545 if (krb_get_lrealm(lrealm, 1) != KSUCCESS) 546 return (1); 547 if (koktologin(username, lrealm, user) && !uid) { 548 warnx("kerberos: not in %s's ACL.", user); 549 return (1); 550 } 551 (void)snprintf(krbtkfile, sizeof krbtkfile, "%s_%s_%d", TKT_ROOT, 552 user, getuid()); 553 554 (void)setenv("KRBTKFILE", krbtkfile, 1); 555 (void)krb_set_tkt_string(krbtkfile); 556 /* 557 * Set real as well as effective ID to 0 for the moment, 558 * to make the kerberos library do the right thing. 559 */ 560 if (setuid(0) < 0) { 561 warn("setuid"); 562 return (1); 563 } 564 565 /* 566 * Little trick here -- if we are su'ing to root, 567 * we need to get a ticket for "xxx.root", where xxx represents 568 * the name of the person su'ing. Otherwise (non-root case), 569 * we need to get a ticket for "yyy.", where yyy represents 570 * the name of the person being su'd to, and the instance is null 571 * 572 * We should have a way to set the ticket lifetime, 573 * with a system default for root. 574 */ 575 { 576 char prompt[128]; 577 char passw[256]; 578 579 (void)snprintf (prompt, sizeof(prompt), 580 "%s's Password: ", 581 krb_unparse_name_long ((uid == 0 ? username : user), 582 (uid == 0 ? "root" : ""), 583 lrealm)); 584 if (des_read_pw_string (passw, sizeof (passw), prompt, 0)) { 585 memset (passw, 0, sizeof (passw)); 586 return (1); 587 } 588 if (strlen(passw) == 0) 589 return (1); /* Empty passwords are not allowed */ 590 591 kerno = krb_get_pw_in_tkt((uid == 0 ? username : user), 592 (uid == 0 ? "root" : ""), lrealm, 593 KRB_TICKET_GRANTING_TICKET, 594 lrealm, 595 DEFAULT_TKT_LIFE, 596 passw); 597 memset (passw, 0, strlen (passw)); 598 } 599 600 if (kerno != KSUCCESS) { 601 if (kerno == KDC_PR_UNKNOWN) { 602 warnx("kerberos: principal unknown: %s.%s@%s", 603 (uid == 0 ? username : user), 604 (uid == 0 ? "root" : ""), lrealm); 605 return (1); 606 } 607 warnx("kerberos: unable to su: %s", krb_err_txt[kerno]); 608 syslog(LOG_NOTICE|LOG_AUTH, 609 "BAD Kerberos SU: %s to %s%s: %s", 610 username, user, ontty(), krb_err_txt[kerno]); 611 return (1); 612 } 613 614 if (chown(krbtkfile, uid, -1) < 0) { 615 warn("chown"); 616 (void)unlink(krbtkfile); 617 return (1); 618 } 619 620 (void)setpriority(PRIO_PROCESS, 0, -2); 621 622 if (gethostname(hostname, sizeof(hostname)) == -1) { 623 warn("gethostname"); 624 dest_tkt(); 625 return (1); 626 } 627 hostname[sizeof(hostname) - 1] = '\0'; 628 629 (void)strlcpy(savehost, krb_get_phost(hostname), sizeof(savehost)); 630 savehost[sizeof(savehost) - 1] = '\0'; 631 632 kerno = krb_mk_req(&ticket, "rcmd", savehost, lrealm, 33); 633 634 if (kerno == KDC_PR_UNKNOWN) { 635 warnx("Warning: TGT not verified."); 636 syslog(LOG_NOTICE|LOG_AUTH, 637 "%s to %s%s, TGT not verified (%s); %s.%s not registered?", 638 username, user, ontty(), krb_err_txt[kerno], 639 "rcmd", savehost); 640 } else if (kerno != KSUCCESS) { 641 warnx("Unable to use TGT: %s", krb_err_txt[kerno]); 642 syslog(LOG_NOTICE|LOG_AUTH, "failed su: %s to %s%s: %s", 643 username, user, ontty(), krb_err_txt[kerno]); 644 dest_tkt(); 645 return (1); 646 } else { 647 if (!(hp = gethostbyname(hostname))) { 648 warnx("can't get addr of %s", hostname); 649 dest_tkt(); 650 return (1); 651 } 652 memmove((char *)&faddr, (char *)hp->h_addr, sizeof(faddr)); 653 654 if ((kerno = krb_rd_req(&ticket, "rcmd", savehost, faddr, 655 &authdata, "")) != KSUCCESS) { 656 warnx("kerberos: unable to verify rcmd ticket: %s\n", 657 krb_err_txt[kerno]); 658 syslog(LOG_NOTICE|LOG_AUTH, 659 "failed su: %s to %s%s: %s", username, 660 user, ontty(), krb_err_txt[kerno]); 661 dest_tkt(); 662 return (1); 663 } 664 } 665 return (0); 666 } 667 668 static int 669 koktologin(name, realm, toname) 670 char *name, *realm, *toname; 671 { 672 return krb_kuserok(name, 673 strcmp (toname, "root") == 0 ? "root" : "", 674 realm, 675 toname); 676 } 677 #endif 678
Indexes created Sun Sep 28 16:09:52 GMT 2025