usr.bin/su/su.c

1590Srgrimes/*
1590Srgrimes * Copyright (c) 1988, 1993, 1994
1590Srgrimes *	The Regents of the University of California.  All rights reserved.
97377Sdes * Copyright (c) 2002 Networks Associates Technologies, Inc.
97377Sdes * All rights reserved.
1590Srgrimes *
97377Sdes * Portions of this software were developed for the FreeBSD Project by
97377Sdes * ThinkSec AS and NAI Labs, the Security Research Division of Network
97377Sdes * Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
97377Sdes * ("CBOSS"), as part of the DARPA CHATS research program.
97377Sdes *
1590Srgrimes * Redistribution and use in source and binary forms, with or without
1590Srgrimes * modification, are permitted provided that the following conditions
1590Srgrimes * are met:
1590Srgrimes * 1. Redistributions of source code must retain the above copyright
1590Srgrimes *    notice, this list of conditions and the following disclaimer.
1590Srgrimes * 2. Redistributions in binary form must reproduce the above copyright
1590Srgrimes *    notice, this list of conditions and the following disclaimer in the
1590Srgrimes *    documentation and/or other materials provided with the distribution.
1590Srgrimes * 3. All advertising materials mentioning features or use of this software
1590Srgrimes *    must display the following acknowledgement:
1590Srgrimes *	This product includes software developed by the University of
1590Srgrimes *	California, Berkeley and its contributors.
1590Srgrimes * 4. Neither the name of the University nor the names of its contributors
1590Srgrimes *    may be used to endorse or promote products derived from this software
1590Srgrimes *    without specific prior written permission.
1590Srgrimes *
1590Srgrimes * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
1590Srgrimes * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
1590Srgrimes * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
1590Srgrimes * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
1590Srgrimes * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
1590Srgrimes * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
1590Srgrimes * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
1590Srgrimes * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
1590Srgrimes * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
1590Srgrimes * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
1590Srgrimes * SUCH DAMAGE.
1590Srgrimes */
1590Srgrimes
1590Srgrimes#ifndef lint
14440Smarkmstatic const char copyright[] =
1590Srgrimes"@(#) Copyright (c) 1988, 1993, 1994\n\
1590Srgrimes	The Regents of the University of California.  All rights reserved.\n";
1590Srgrimes#endif /* not lint */
1590Srgrimes
1590Srgrimes#ifndef lint
28099Scharnier#if 0
1590Srgrimesstatic char sccsid[] = "@(#)su.c	8.3 (Berkeley) 4/2/94";
28099Scharnier#endif
14440Smarkmstatic const char rcsid[] =
50477Speter  "$FreeBSD: head/usr.bin/su/su.c 105362 2002-10-17 23:32:44Z tjr $";
1590Srgrimes#endif /* not lint */
1590Srgrimes
1590Srgrimes#include <sys/param.h>
1590Srgrimes#include <sys/time.h>
1590Srgrimes#include <sys/resource.h>
77220Smarkm#include <sys/wait.h>
1590Srgrimes
1590Srgrimes#include <err.h>
1590Srgrimes#include <errno.h>
1590Srgrimes#include <grp.h>
77220Smarkm#include <libutil.h>
77220Smarkm#include <login_cap.h>
1590Srgrimes#include <paths.h>
1590Srgrimes#include <pwd.h>
77220Smarkm#include <signal.h>
1590Srgrimes#include <stdio.h>
1590Srgrimes#include <stdlib.h>
1590Srgrimes#include <string.h>
1590Srgrimes#include <syslog.h>
1590Srgrimes#include <unistd.h>
21646Sdavidn
74874Smarkm#include <security/pam_appl.h>
91745Sdes#include <security/openpam.h>
74874Smarkm
81528Smarkm#define PAM_END() do {						\
77220Smarkm	int local_ret;						\
77220Smarkm	if (pamh != NULL && creds_set) {			\
77220Smarkm		local_ret = pam_setcred(pamh, PAM_DELETE_CRED);	\
77220Smarkm		if (local_ret != PAM_SUCCESS)			\
77220Smarkm			syslog(LOG_ERR, "pam_setcred: %s",	\
77220Smarkm				pam_strerror(pamh, local_ret));	\
77220Smarkm		local_ret = pam_end(pamh, local_ret);		\
77220Smarkm		if (local_ret != PAM_SUCCESS)			\
77220Smarkm			syslog(LOG_ERR, "pam_end: %s",		\
77220Smarkm				pam_strerror(pamh, local_ret));	\
77220Smarkm	}							\
77220Smarkm} while (0)
74874Smarkm
74874Smarkm
77220Smarkm#define PAM_SET_ITEM(what, item) do {				\
77220Smarkm	int local_ret;						\
77220Smarkm	local_ret = pam_set_item(pamh, what, item);		\
77220Smarkm	if (local_ret != PAM_SUCCESS) {				\
77220Smarkm		syslog(LOG_ERR, "pam_set_item(" #what "): %s",	\
77220Smarkm			pam_strerror(pamh, local_ret));		\
77220Smarkm		errx(1, "pam_set_item(" #what "): %s",		\
77220Smarkm			pam_strerror(pamh, local_ret));		\
77220Smarkm	}							\
77220Smarkm} while (0)
3702Spst
77220Smarkmenum tristate { UNSET, YES, NO };
1590Srgrimes
77220Smarkmstatic pam_handle_t *pamh = NULL;
77220Smarkmstatic int	creds_set = 0;
77220Smarkmstatic char	**environ_pam;
77220Smarkm
77220Smarkmstatic char	*ontty(void);
77220Smarkmstatic int	chshell(char *);
77220Smarkmstatic void	usage(void);
77220Smarkmstatic int	export_pam_environment(void);
77220Smarkmstatic int	ok_to_export(const char *);
77220Smarkm
77220Smarkmextern char	**environ;
77220Smarkm
1590Srgrimesint
77220Smarkmmain(int argc, char *argv[])
1590Srgrimes{
77220Smarkm	struct passwd	*pwd;
91745Sdes	struct pam_conv	conv = { openpam_ttyconv, NULL };
77220Smarkm	enum tristate	iscsh;
77220Smarkm	login_cap_t	*lc;
83373Smarkm	union {
83373Smarkm		const char	**a;
83373Smarkm		char		* const *b;
97377Sdes	}		np;
77220Smarkm	uid_t		ruid;
77220Smarkm	int		asme, ch, asthem, fastlogin, prio, i, setwhat, retcode,
101446Sache			statusp, child_pid, child_pgrp, ret_pid;
89746Sdes	char		*username, *cleanenv, *class, shellbuf[MAXPATHLEN];
83373Smarkm	const char	*p, *user, *shell, *mytty, **nargv;
1590Srgrimes
98837Sdillon	struct sigaction sa, sa_int, sa_quit, sa_tstp;
98837Sdillon
77220Smarkm	shell = class = cleanenv = NULL;
77220Smarkm	asme = asthem = fastlogin = statusp = 0;
10586Sjoerg	user = "root";
77220Smarkm	iscsh = UNSET;
77220Smarkm
81703Sru	while ((ch = getopt(argc, argv, "-flmc:")) != -1)
77220Smarkm		switch ((char)ch) {
1590Srgrimes		case 'f':
1590Srgrimes			fastlogin = 1;
1590Srgrimes			break;
1590Srgrimes		case '-':
1590Srgrimes		case 'l':
1590Srgrimes			asme = 0;
1590Srgrimes			asthem = 1;
1590Srgrimes			break;
1590Srgrimes		case 'm':
1590Srgrimes			asme = 1;
1590Srgrimes			asthem = 0;
1590Srgrimes			break;
30793Sguido		case 'c':
30793Sguido			class = optarg;
30793Sguido			break;
1590Srgrimes		case '?':
1590Srgrimes		default:
28099Scharnier			usage();
28099Scharnier		}
39538Sroberto
39538Sroberto	if (optind < argc)
10586Sjoerg		user = argv[optind++];
10586Sjoerg
28612Sjoerg	if (user == NULL)
28612Sjoerg		usage();
28612Sjoerg
77220Smarkm	if (strlen(user) > MAXLOGNAME - 1)
77220Smarkm		errx(1, "username too long");
10586Sjoerg
77220Smarkm	nargv = malloc(sizeof(char *) * (argc + 4));
77220Smarkm	if (nargv == NULL)
77220Smarkm		errx(1, "malloc failure");
77220Smarkm
10586Sjoerg	nargv[argc + 3] = NULL;
10586Sjoerg	for (i = argc; i >= optind; i--)
77220Smarkm		nargv[i + 3] = argv[i];
83373Smarkm	np.a = &nargv[i + 3];
10586Sjoerg
1590Srgrimes	argv += optind;
1590Srgrimes
1590Srgrimes	errno = 0;
1590Srgrimes	prio = getpriority(PRIO_PROCESS, 0);
1590Srgrimes	if (errno)
1590Srgrimes		prio = 0;
77220Smarkm
77220Smarkm	setpriority(PRIO_PROCESS, 0, -2);
74874Smarkm	openlog("su", LOG_CONS, LOG_AUTH);
1590Srgrimes
77220Smarkm	/* get current login name, real uid and shell */
1590Srgrimes	ruid = getuid();
1590Srgrimes	username = getlogin();
77220Smarkm	pwd = getpwnam(username);
77220Smarkm	if (username == NULL || pwd == NULL || pwd->pw_uid != ruid)
1590Srgrimes		pwd = getpwuid(ruid);
1590Srgrimes	if (pwd == NULL)
1590Srgrimes		errx(1, "who are you?");
77220Smarkm
1590Srgrimes	username = strdup(pwd->pw_name);
1590Srgrimes	if (username == NULL)
77220Smarkm		err(1, "strdup failure");
77220Smarkm
21646Sdavidn	if (asme) {
21646Sdavidn		if (pwd->pw_shell != NULL && *pwd->pw_shell != '\0') {
77220Smarkm			/* must copy - pwd memory is recycled */
77220Smarkm			shell = strncpy(shellbuf, pwd->pw_shell,
77220Smarkm			    sizeof(shellbuf));
77220Smarkm			shellbuf[sizeof(shellbuf) - 1] = '\0';
77220Smarkm		}
77220Smarkm		else {
1590Srgrimes			shell = _PATH_BSHELL;
1590Srgrimes			iscsh = NO;
1590Srgrimes		}
21646Sdavidn	}
1590Srgrimes
77220Smarkm	/* Do the whole PAM startup thing */
74874Smarkm	retcode = pam_start("su", user, &conv, &pamh);
74874Smarkm	if (retcode != PAM_SUCCESS) {
74874Smarkm		syslog(LOG_ERR, "pam_start: %s", pam_strerror(pamh, retcode));
74874Smarkm		errx(1, "pam_start: %s", pam_strerror(pamh, retcode));
74874Smarkm	}
74874Smarkm
81529Smarkm	PAM_SET_ITEM(PAM_RUSER, getlogin());
81529Smarkm
74874Smarkm	mytty = ttyname(STDERR_FILENO);
74874Smarkm	if (!mytty)
74874Smarkm		mytty = "tty";
77220Smarkm	PAM_SET_ITEM(PAM_TTY, mytty);
77220Smarkm
77220Smarkm	retcode = pam_authenticate(pamh, 0);
74874Smarkm	if (retcode != PAM_SUCCESS) {
77220Smarkm		syslog(LOG_ERR, "pam_authenticate: %s",
77220Smarkm		    pam_strerror(pamh, retcode));
77220Smarkm		errx(1, "Sorry");
74874Smarkm	}
77220Smarkm	retcode = pam_get_item(pamh, PAM_USER, (const void **)&p);
77220Smarkm	if (retcode == PAM_SUCCESS)
77220Smarkm		user = p;
77220Smarkm	else
77220Smarkm		syslog(LOG_ERR, "pam_get_item(PAM_USER): %s",
77220Smarkm		    pam_strerror(pamh, retcode));
74874Smarkm
77220Smarkm	retcode = pam_acct_mgmt(pamh, 0);
77220Smarkm	if (retcode == PAM_NEW_AUTHTOK_REQD) {
77220Smarkm		retcode = pam_chauthtok(pamh,
77220Smarkm			PAM_CHANGE_EXPIRED_AUTHTOK);
74874Smarkm		if (retcode != PAM_SUCCESS) {
77220Smarkm			syslog(LOG_ERR, "pam_chauthtok: %s",
77220Smarkm			    pam_strerror(pamh, retcode));
74874Smarkm			errx(1, "Sorry");
74874Smarkm		}
74874Smarkm	}
77220Smarkm	if (retcode != PAM_SUCCESS) {
77220Smarkm		syslog(LOG_ERR, "pam_acct_mgmt: %s",
77220Smarkm			pam_strerror(pamh, retcode));
77220Smarkm		errx(1, "Sorry");
77220Smarkm	}
74874Smarkm
1590Srgrimes	/* get target login information, default to root */
77220Smarkm	pwd = getpwnam(user);
77220Smarkm	if (pwd == NULL)
9502Swollman		errx(1, "unknown login: %s", user);
77220Smarkm	if (class == NULL)
30793Sguido		lc = login_getpwclass(pwd);
77220Smarkm	else {
77220Smarkm		if (ruid != 0)
30793Sguido			errx(1, "only root may use -c");
30793Sguido		lc = login_getclass(class);
30793Sguido		if (lc == NULL)
30793Sguido			errx(1, "unknown class: %s", class);
30793Sguido	}
1590Srgrimes
77220Smarkm	/* if asme and non-standard target shell, must be root */
1590Srgrimes	if (asme) {
77220Smarkm		if (ruid != 0 && !chshell(pwd->pw_shell))
1590Srgrimes			errx(1, "permission denied (shell).");
77220Smarkm	}
77220Smarkm	else if (pwd->pw_shell && *pwd->pw_shell) {
1590Srgrimes		shell = pwd->pw_shell;
1590Srgrimes		iscsh = UNSET;
77220Smarkm	}
77220Smarkm	else {
1590Srgrimes		shell = _PATH_BSHELL;
1590Srgrimes		iscsh = NO;
1590Srgrimes	}
1590Srgrimes
1590Srgrimes	/* if we're forking a csh, we want to slightly muck the args */
1590Srgrimes	if (iscsh == UNSET) {
14440Smarkm		p = strrchr(shell, '/');
14440Smarkm		if (p)
1590Srgrimes			++p;
1590Srgrimes		else
1590Srgrimes			p = shell;
77220Smarkm		iscsh = strcmp(p, "csh") ? (strcmp(p, "tcsh") ? NO : YES) : YES;
1590Srgrimes	}
77220Smarkm	setpriority(PRIO_PROCESS, 0, prio);
1590Srgrimes
21646Sdavidn	/*
77220Smarkm	 * PAM modules might add supplementary groups in pam_setcred(), so
77220Smarkm	 * initialize them first.
74874Smarkm	 */
74874Smarkm	if (setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETGROUP) < 0)
74874Smarkm		err(1, "setusercontext");
74874Smarkm
74874Smarkm	retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED);
77220Smarkm	if (retcode != PAM_SUCCESS)
77220Smarkm		syslog(LOG_ERR, "pam_setcred(pamh, PAM_ESTABLISH_CRED): %s",
77220Smarkm		    pam_strerror(pamh, retcode));
77220Smarkm	else
77220Smarkm		creds_set = 1;
74874Smarkm
74874Smarkm	/*
74874Smarkm	 * We must fork() before setuid() because we need to call
74874Smarkm	 * pam_setcred(pamh, PAM_DELETE_CRED) as root.
74874Smarkm	 */
98837Sdillon	sa.sa_flags = SA_RESTART;
105362Stjr	sa.sa_handler = SIG_IGN;
98837Sdillon	sigemptyset(&sa.sa_mask);
98837Sdillon	sigaction(SIGINT, &sa, &sa_int);
98837Sdillon	sigaction(SIGQUIT, &sa, &sa_quit);
98837Sdillon	sigaction(SIGTSTP, &sa, &sa_tstp);
74874Smarkm
74874Smarkm	statusp = 1;
77220Smarkm	child_pid = fork();
77220Smarkm	switch (child_pid) {
74874Smarkm	default:
77220Smarkm		while ((ret_pid = waitpid(child_pid, &statusp, WUNTRACED)) != -1) {
77220Smarkm			if (WIFSTOPPED(statusp)) {
77220Smarkm				kill(getpid(), SIGSTOP);
101722Sache				child_pgrp = getpgid(child_pid);
101749Sache				if (tcgetpgrp(1) == getpgrp()) {
101722Sache					tcsetpgrp(1, child_pgrp);
101722Sache					kill(child_pid, SIGCONT);
101722Sache				}
77220Smarkm				statusp = 1;
77220Smarkm				continue;
77220Smarkm			}
77220Smarkm			break;
74874Smarkm		}
77220Smarkm		if (ret_pid == -1)
77220Smarkm			err(1, "waitpid");
81528Smarkm		PAM_END();
77220Smarkm		exit(statusp);
74874Smarkm	case -1:
77220Smarkm		err(1, "fork");
81528Smarkm		PAM_END();
77220Smarkm		exit(1);
74874Smarkm	case 0:
98837Sdillon		sigaction(SIGINT, &sa_int, NULL);
98837Sdillon		sigaction(SIGQUIT, &sa_quit, NULL);
98837Sdillon		sigaction(SIGTSTP, &sa_tstp, NULL);
77220Smarkm		/*
77220Smarkm		 * Set all user context except for: Environmental variables
77220Smarkm		 * Umask Login records (wtmp, etc) Path
77220Smarkm		 */
77220Smarkm		setwhat = LOGIN_SETALL & ~(LOGIN_SETENV | LOGIN_SETUMASK |
77220Smarkm			   LOGIN_SETLOGIN | LOGIN_SETPATH | LOGIN_SETGROUP);
77220Smarkm		/*
77220Smarkm		 * Don't touch resource/priority settings if -m has been used
77220Smarkm		 * or -l and -c hasn't, and we're not su'ing to root.
77220Smarkm		 */
77220Smarkm		if ((asme || (!asthem && class == NULL)) && pwd->pw_uid)
77220Smarkm			setwhat &= ~(LOGIN_SETPRIORITY | LOGIN_SETRESOURCES);
77220Smarkm		if (setusercontext(lc, pwd, pwd->pw_uid, setwhat) < 0)
77220Smarkm			err(1, "setusercontext");
74874Smarkm
77220Smarkm		if (!asme) {
77220Smarkm			if (asthem) {
77220Smarkm				p = getenv("TERM");
77220Smarkm				environ = &cleanenv;
69427Srwatson
77220Smarkm				/*
77220Smarkm				 * Add any environmental variables that the
77220Smarkm				 * PAM modules may have set.
77220Smarkm				 */
77220Smarkm				environ_pam = pam_getenvlist(pamh);
77220Smarkm				if (environ_pam)
77220Smarkm					export_pam_environment();
1590Srgrimes
77220Smarkm				/* set the su'd user's environment & umask */
77220Smarkm				setusercontext(lc, pwd, pwd->pw_uid,
77220Smarkm					LOGIN_SETPATH | LOGIN_SETUMASK |
77220Smarkm					LOGIN_SETENV);
77220Smarkm				if (p)
77220Smarkm					setenv("TERM", p, 1);
77220Smarkm				if (chdir(pwd->pw_dir) < 0)
77220Smarkm					errx(1, "no directory");
77220Smarkm			}
77220Smarkm			if (asthem || pwd->pw_uid)
77220Smarkm				setenv("USER", pwd->pw_name, 1);
77220Smarkm			setenv("HOME", pwd->pw_dir, 1);
77220Smarkm			setenv("SHELL", shell, 1);
77220Smarkm		}
77220Smarkm		login_close(lc);
74874Smarkm
77220Smarkm		if (iscsh == YES) {
77220Smarkm			if (fastlogin)
83373Smarkm				*np.a-- = "-f";
77220Smarkm			if (asme)
83373Smarkm				*np.a-- = "-m";
1590Srgrimes		}
77220Smarkm		/* csh strips the first character... */
83373Smarkm		*np.a = asthem ? "-su" : iscsh == YES ? "_su" : "su";
74874Smarkm
77220Smarkm		if (ruid != 0)
77220Smarkm			syslog(LOG_NOTICE, "%s to %s%s", username, user,
77220Smarkm			    ontty());
74874Smarkm
83373Smarkm		execv(shell, np.b);
77220Smarkm		err(1, "%s", shell);
1590Srgrimes	}
1590Srgrimes}
1590Srgrimes
74874Smarkmstatic int
77220Smarkmexport_pam_environment(void)
74874Smarkm{
74874Smarkm	char	**pp;
74874Smarkm
74874Smarkm	for (pp = environ_pam; *pp != NULL; pp++) {
74874Smarkm		if (ok_to_export(*pp))
77220Smarkm			putenv(*pp);
74874Smarkm		free(*pp);
74874Smarkm	}
74874Smarkm	return PAM_SUCCESS;
74874Smarkm}
74874Smarkm
74874Smarkm/*
74874Smarkm * Sanity checks on PAM environmental variables:
74874Smarkm * - Make sure there is an '=' in the string.
74874Smarkm * - Make sure the string doesn't run on too long.
74874Smarkm * - Do not export certain variables.  This list was taken from the
74874Smarkm *   Solaris pam_putenv(3) man page.
74874Smarkm */
74874Smarkmstatic int
77220Smarkmok_to_export(const char *s)
74874Smarkm{
74874Smarkm	static const char *noexport[] = {
74874Smarkm		"SHELL", "HOME", "LOGNAME", "MAIL", "CDPATH",
74874Smarkm		"IFS", "PATH", NULL
74874Smarkm	};
74874Smarkm	const char **pp;
74874Smarkm	size_t n;
74874Smarkm
74874Smarkm	if (strlen(s) > 1024 || strchr(s, '=') == NULL)
74874Smarkm		return 0;
74874Smarkm	if (strncmp(s, "LD_", 3) == 0)
74874Smarkm		return 0;
74874Smarkm	for (pp = noexport; *pp != NULL; pp++) {
74874Smarkm		n = strlen(*pp);
74874Smarkm		if (s[n] == '=' && strncmp(s, *pp, n) == 0)
74874Smarkm			return 0;
74874Smarkm	}
74874Smarkm	return 1;
74874Smarkm}
74874Smarkm
28099Scharnierstatic void
77220Smarkmusage(void)
28099Scharnier{
81702Sru
81971Smarkm	fprintf(stderr, "usage: su [-] [-flm] [-c class] [login [args]]\n");
81702Sru	exit(1);
28099Scharnier}
28099Scharnier
77220Smarkmstatic int
77220Smarkmchshell(char *sh)
1590Srgrimes{
77220Smarkm	int r;
1590Srgrimes	char *cp;
1590Srgrimes
77220Smarkm	r = 0;
21646Sdavidn	setusershell();
77220Smarkm	do {
77220Smarkm		cp = getusershell();
77220Smarkm		r = strcmp(cp, sh);
77220Smarkm	} while (!r && cp != NULL);
21646Sdavidn	endusershell();
21646Sdavidn	return r;
1590Srgrimes}
1590Srgrimes
77220Smarkmstatic char *
77220Smarkmontty(void)
1590Srgrimes{
1590Srgrimes	char *p;
1590Srgrimes	static char buf[MAXPATHLEN + 4];
1590Srgrimes
1590Srgrimes	buf[0] = 0;
14440Smarkm	p = ttyname(STDERR_FILENO);
14440Smarkm	if (p)
1590Srgrimes		snprintf(buf, sizeof(buf), " on %s", p);
77220Smarkm	return buf;
1590Srgrimes}