su.c revision 112085 
1/*
2 * Copyright (c) 1988, 1993, 1994
3 *	The Regents of the University of California.  All rights reserved.
4 * Copyright (c) 2002 Networks Associates Technologies, Inc.
5 * All rights reserved.
6 *
7 * Portions of this software were developed for the FreeBSD Project by
8 * ThinkSec AS and NAI Labs, the Security Research Division of Network
9 * Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
10 * ("CBOSS"), as part of the DARPA CHATS research program.
11 *
12 * Redistribution and use in source and binary forms, with or without
13 * modification, are permitted provided that the following conditions
14 * are met:
15 * 1. Redistributions of source code must retain the above copyright
16 *    notice, this list of conditions and the following disclaimer.
17 * 2. Redistributions in binary form must reproduce the above copyright
18 *    notice, this list of conditions and the following disclaimer in the
19 *    documentation and/or other materials provided with the distribution.
20 * 3. All advertising materials mentioning features or use of this software
21 *    must display the following acknowledgement:
22 *	This product includes software developed by the University of
23 *	California, Berkeley and its contributors.
24 * 4. Neither the name of the University nor the names of its contributors
25 *    may be used to endorse or promote products derived from this software
26 *    without specific prior written permission.
27 *
28 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
29 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
30 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
31 * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
32 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
33 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
34 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
35 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
36 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
37 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
38 * SUCH DAMAGE.
39 */
40
41#ifndef lint
42static const char copyright[] =
43"@(#) Copyright (c) 1988, 1993, 1994\n\
44	The Regents of the University of California.  All rights reserved.\n";
45#endif /* not lint */
46
47#ifndef lint
48#if 0
49static char sccsid[] = "@(#)su.c	8.3 (Berkeley) 4/2/94";
50#endif
51static const char rcsid[] =
52  "$FreeBSD: head/usr.bin/su/su.c 112085 2003-03-11 09:16:51Z davidxu $";
53#endif /* not lint */
54
55#include <sys/param.h>
56#include <sys/time.h>
57#include <sys/resource.h>
58#include <sys/wait.h>
59
60#include <err.h>
61#include <errno.h>
62#include <grp.h>
63#include <libutil.h>
64#include <login_cap.h>
65#include <paths.h>
66#include <pwd.h>
67#include <signal.h>
68#include <stdio.h>
69#include <stdlib.h>
70#include <string.h>
71#include <syslog.h>
72#include <unistd.h>
73
74#include <security/pam_appl.h>
75#include <security/openpam.h>
76
77#define PAM_END() do {						\
78	int local_ret;						\
79	if (pamh != NULL && creds_set) {			\
80		local_ret = pam_setcred(pamh, PAM_DELETE_CRED);	\
81		if (local_ret != PAM_SUCCESS)			\
82			syslog(LOG_ERR, "pam_setcred: %s",	\
83				pam_strerror(pamh, local_ret));	\
84		local_ret = pam_end(pamh, local_ret);		\
85		if (local_ret != PAM_SUCCESS)			\
86			syslog(LOG_ERR, "pam_end: %s",		\
87				pam_strerror(pamh, local_ret));	\
88	}							\
89} while (0)
90
91
92#define PAM_SET_ITEM(what, item) do {				\
93	int local_ret;						\
94	local_ret = pam_set_item(pamh, what, item);		\
95	if (local_ret != PAM_SUCCESS) {				\
96		syslog(LOG_ERR, "pam_set_item(" #what "): %s",	\
97			pam_strerror(pamh, local_ret));		\
98		errx(1, "pam_set_item(" #what "): %s",		\
99			pam_strerror(pamh, local_ret));		\
100	}							\
101} while (0)
102
103enum tristate { UNSET, YES, NO };
104
105static pam_handle_t *pamh = NULL;
106static int	creds_set = 0;
107static char	**environ_pam;
108
109static char	*ontty(void);
110static int	chshell(char *);
111static void	usage(void);
112static int	export_pam_environment(void);
113static int	ok_to_export(const char *);
114
115extern char	**environ;
116
117int
118main(int argc, char *argv[])
119{
120	struct passwd	*pwd;
121	struct pam_conv	conv = { openpam_ttyconv, NULL };
122	enum tristate	iscsh;
123	login_cap_t	*lc;
124	union {
125		const char	**a;
126		char		* const *b;
127	}		np;
128	uid_t		ruid;
129	int		asme, ch, asthem, fastlogin, prio, i, setwhat, retcode,
130			statusp, child_pid, child_pgrp, ret_pid, setmaclabel;
131	char		*username, *cleanenv, *class, shellbuf[MAXPATHLEN];
132	const char	*p, *user, *shell, *mytty, **nargv;
133
134	struct sigaction sa, sa_int, sa_quit;
135
136	shell = class = cleanenv = NULL;
137	asme = asthem = fastlogin = statusp = 0;
138	user = "root";
139	iscsh = UNSET;
140	setmaclabel = 0;
141
142	while ((ch = getopt(argc, argv, "-flmsc:")) != -1)
143		switch ((char)ch) {
144		case 'f':
145			fastlogin = 1;
146			break;
147		case '-':
148		case 'l':
149			asme = 0;
150			asthem = 1;
151			break;
152		case 'm':
153			asme = 1;
154			asthem = 0;
155			break;
156		case 's':
157			setmaclabel = 1;
158			break;
159		case 'c':
160			class = optarg;
161			break;
162		case '?':
163		default:
164			usage();
165		}
166
167	if (optind < argc)
168		user = argv[optind++];
169
170	if (user == NULL)
171		usage();
172
173	if (strlen(user) > MAXLOGNAME - 1)
174		errx(1, "username too long");
175
176	nargv = malloc(sizeof(char *) * (argc + 4));
177	if (nargv == NULL)
178		errx(1, "malloc failure");
179
180	nargv[argc + 3] = NULL;
181	for (i = argc; i >= optind; i--)
182		nargv[i + 3] = argv[i];
183	np.a = &nargv[i + 3];
184
185	argv += optind;
186
187	errno = 0;
188	prio = getpriority(PRIO_PROCESS, 0);
189	if (errno)
190		prio = 0;
191
192	setpriority(PRIO_PROCESS, 0, -2);
193	openlog("su", LOG_CONS, LOG_AUTH);
194
195	/* get current login name, real uid and shell */
196	ruid = getuid();
197	username = getlogin();
198	pwd = getpwnam(username);
199	if (username == NULL || pwd == NULL || pwd->pw_uid != ruid)
200		pwd = getpwuid(ruid);
201	if (pwd == NULL)
202		errx(1, "who are you?");
203
204	username = strdup(pwd->pw_name);
205	if (username == NULL)
206		err(1, "strdup failure");
207
208	if (asme) {
209		if (pwd->pw_shell != NULL && *pwd->pw_shell != '\0') {
210			/* must copy - pwd memory is recycled */
211			shell = strncpy(shellbuf, pwd->pw_shell,
212			    sizeof(shellbuf));
213			shellbuf[sizeof(shellbuf) - 1] = '\0';
214		}
215		else {
216			shell = _PATH_BSHELL;
217			iscsh = NO;
218		}
219	}
220
221	/* Do the whole PAM startup thing */
222	retcode = pam_start("su", user, &conv, &pamh);
223	if (retcode != PAM_SUCCESS) {
224		syslog(LOG_ERR, "pam_start: %s", pam_strerror(pamh, retcode));
225		errx(1, "pam_start: %s", pam_strerror(pamh, retcode));
226	}
227
228	PAM_SET_ITEM(PAM_RUSER, username);
229
230	mytty = ttyname(STDERR_FILENO);
231	if (!mytty)
232		mytty = "tty";
233	PAM_SET_ITEM(PAM_TTY, mytty);
234
235	retcode = pam_authenticate(pamh, 0);
236	if (retcode != PAM_SUCCESS) {
237#if 0
238		syslog(LOG_ERR, "pam_authenticate: %s",
239		    pam_strerror(pamh, retcode));
240#endif
241		syslog(LOG_AUTH|LOG_WARNING, "BAD SU %s to %s on %s",
242		    username, user, mytty);
243		errx(1, "Sorry");
244	}
245	retcode = pam_get_item(pamh, PAM_USER, (const void **)&p);
246	if (retcode == PAM_SUCCESS)
247		user = p;
248	else
249		syslog(LOG_ERR, "pam_get_item(PAM_USER): %s",
250		    pam_strerror(pamh, retcode));
251
252	retcode = pam_acct_mgmt(pamh, 0);
253	if (retcode == PAM_NEW_AUTHTOK_REQD) {
254		retcode = pam_chauthtok(pamh,
255			PAM_CHANGE_EXPIRED_AUTHTOK);
256		if (retcode != PAM_SUCCESS) {
257			syslog(LOG_ERR, "pam_chauthtok: %s",
258			    pam_strerror(pamh, retcode));
259			errx(1, "Sorry");
260		}
261	}
262	if (retcode != PAM_SUCCESS) {
263		syslog(LOG_ERR, "pam_acct_mgmt: %s",
264			pam_strerror(pamh, retcode));
265		errx(1, "Sorry");
266	}
267
268	/* get target login information, default to root */
269	pwd = getpwnam(user);
270	if (pwd == NULL)
271		errx(1, "unknown login: %s", user);
272	if (class == NULL)
273		lc = login_getpwclass(pwd);
274	else {
275		if (ruid != 0)
276			errx(1, "only root may use -c");
277		lc = login_getclass(class);
278		if (lc == NULL)
279			errx(1, "unknown class: %s", class);
280	}
281
282	/* if asme and non-standard target shell, must be root */
283	if (asme) {
284		if (ruid != 0 && !chshell(pwd->pw_shell))
285			errx(1, "permission denied (shell).");
286	}
287	else if (pwd->pw_shell && *pwd->pw_shell) {
288		shell = pwd->pw_shell;
289		iscsh = UNSET;
290	}
291	else {
292		shell = _PATH_BSHELL;
293		iscsh = NO;
294	}
295
296	/* if we're forking a csh, we want to slightly muck the args */
297	if (iscsh == UNSET) {
298		p = strrchr(shell, '/');
299		if (p)
300			++p;
301		else
302			p = shell;
303		iscsh = strcmp(p, "csh") ? (strcmp(p, "tcsh") ? NO : YES) : YES;
304	}
305	setpriority(PRIO_PROCESS, 0, prio);
306
307	/*
308	 * PAM modules might add supplementary groups in pam_setcred(), so
309	 * initialize them first.
310	 */
311	if (setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETGROUP) < 0)
312		err(1, "setusercontext");
313
314	retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED);
315	if (retcode != PAM_SUCCESS)
316		syslog(LOG_ERR, "pam_setcred(pamh, PAM_ESTABLISH_CRED): %s",
317		    pam_strerror(pamh, retcode));
318	else
319		creds_set = 1;
320
321	/*
322	 * We must fork() before setuid() because we need to call
323	 * pam_setcred(pamh, PAM_DELETE_CRED) as root.
324	 */
325	sa.sa_flags = SA_RESTART;
326	sa.sa_handler = SIG_IGN;
327	sigemptyset(&sa.sa_mask);
328	sigaction(SIGINT, &sa, &sa_int);
329	sigaction(SIGQUIT, &sa, &sa_quit);
330	sa.sa_handler = SIG_DFL;
331	sigaction(SIGTSTP, &sa, NULL);
332
333	statusp = 1;
334	child_pid = fork();
335	switch (child_pid) {
336	default:
337		while ((ret_pid = waitpid(child_pid, &statusp, WUNTRACED)) != -1) {
338			if (WIFSTOPPED(statusp)) {
339				kill(getpid(), SIGSTOP);
340				child_pgrp = getpgid(child_pid);
341				if (tcgetpgrp(1) == getpgrp()) {
342					tcsetpgrp(1, child_pgrp);
343					kill(child_pid, SIGCONT);
344				}
345				statusp = 1;
346				continue;
347			}
348			break;
349		}
350		if (ret_pid == -1)
351			err(1, "waitpid");
352		PAM_END();
353		exit(statusp);
354	case -1:
355		err(1, "fork");
356		PAM_END();
357		exit(1);
358	case 0:
359		sigaction(SIGINT, &sa_int, NULL);
360		sigaction(SIGQUIT, &sa_quit, NULL);
361		/*
362		 * Set all user context except for: Environmental variables
363		 * Umask Login records (wtmp, etc) Path
364		 */
365		setwhat = LOGIN_SETALL & ~(LOGIN_SETENV | LOGIN_SETUMASK |
366			   LOGIN_SETLOGIN | LOGIN_SETPATH | LOGIN_SETGROUP |
367			   LOGIN_SETMAC);
368		/*
369		 * If -s is present, also set the MAC label.
370		 */
371		if (setmaclabel)
372			setwhat |= LOGIN_SETMAC;
373		/*
374		 * Don't touch resource/priority settings if -m has been used
375		 * or -l and -c hasn't, and we're not su'ing to root.
376		 */
377		if ((asme || (!asthem && class == NULL)) && pwd->pw_uid)
378			setwhat &= ~(LOGIN_SETPRIORITY | LOGIN_SETRESOURCES);
379		if (setusercontext(lc, pwd, pwd->pw_uid, setwhat) < 0)
380			err(1, "setusercontext");
381
382		if (!asme) {
383			if (asthem) {
384				p = getenv("TERM");
385				environ = &cleanenv;
386
387				/*
388				 * Add any environmental variables that the
389				 * PAM modules may have set.
390				 */
391				environ_pam = pam_getenvlist(pamh);
392				if (environ_pam)
393					export_pam_environment();
394
395				/* set the su'd user's environment & umask */
396				setusercontext(lc, pwd, pwd->pw_uid,
397					LOGIN_SETPATH | LOGIN_SETUMASK |
398					LOGIN_SETENV);
399				if (p)
400					setenv("TERM", p, 1);
401				if (chdir(pwd->pw_dir) < 0)
402					errx(1, "no directory");
403			}
404			if (asthem || pwd->pw_uid)
405				setenv("USER", pwd->pw_name, 1);
406			setenv("HOME", pwd->pw_dir, 1);
407			setenv("SHELL", shell, 1);
408		}
409		login_close(lc);
410
411		if (iscsh == YES) {
412			if (fastlogin)
413				*np.a-- = "-f";
414			if (asme)
415				*np.a-- = "-m";
416		}
417		/* csh strips the first character... */
418		*np.a = asthem ? "-su" : iscsh == YES ? "_su" : "su";
419
420		if (ruid != 0)
421			syslog(LOG_NOTICE, "%s to %s%s", username, user,
422			    ontty());
423
424		execv(shell, np.b);
425		err(1, "%s", shell);
426	}
427}
428
429static int
430export_pam_environment(void)
431{
432	char	**pp;
433
434	for (pp = environ_pam; *pp != NULL; pp++) {
435		if (ok_to_export(*pp))
436			putenv(*pp);
437		free(*pp);
438	}
439	return PAM_SUCCESS;
440}
441
442/*
443 * Sanity checks on PAM environmental variables:
444 * - Make sure there is an '=' in the string.
445 * - Make sure the string doesn't run on too long.
446 * - Do not export certain variables.  This list was taken from the
447 *   Solaris pam_putenv(3) man page.
448 */
449static int
450ok_to_export(const char *s)
451{
452	static const char *noexport[] = {
453		"SHELL", "HOME", "LOGNAME", "MAIL", "CDPATH",
454		"IFS", "PATH", NULL
455	};
456	const char **pp;
457	size_t n;
458
459	if (strlen(s) > 1024 || strchr(s, '=') == NULL)
460		return 0;
461	if (strncmp(s, "LD_", 3) == 0)
462		return 0;
463	for (pp = noexport; *pp != NULL; pp++) {
464		n = strlen(*pp);
465		if (s[n] == '=' && strncmp(s, *pp, n) == 0)
466			return 0;
467	}
468	return 1;
469}
470
471static void
472usage(void)
473{
474
475	fprintf(stderr, "usage: su [-] [-flms] [-c class] [login [args]]\n");
476	exit(1);
477}
478
479static int
480chshell(char *sh)
481{
482	int r;
483	char *cp;
484
485	r = 0;
486	setusershell();
487	do {
488		cp = getusershell();
489		r = strcmp(cp, sh);
490	} while (!r && cp != NULL);
491	endusershell();
492	return r;
493}
494
495static char *
496ontty(void)
497{
498	char *p;
499	static char buf[MAXPATHLEN + 4];
500
501	buf[0] = 0;
502	p = ttyname(STDERR_FILENO);
503	if (p)
504		snprintf(buf, sizeof(buf), " on %s", p);
505	return buf;
506}
507