usr.bin/su/su.c

1590Srgrimes/*
140392Srwatson * Copyright (c) 2002, 2005 Networks Associates Technologies, Inc.
97377Sdes * All rights reserved.
1590Srgrimes *
97377Sdes * Portions of this software were developed for the FreeBSD Project by
97377Sdes * ThinkSec AS and NAI Labs, the Security Research Division of Network
97377Sdes * Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
97377Sdes * ("CBOSS"), as part of the DARPA CHATS research program.
97377Sdes *
1590Srgrimes * Redistribution and use in source and binary forms, with or without
1590Srgrimes * modification, are permitted provided that the following conditions
1590Srgrimes * are met:
1590Srgrimes * 1. Redistributions of source code must retain the above copyright
1590Srgrimes *    notice, this list of conditions and the following disclaimer.
1590Srgrimes * 2. Redistributions in binary form must reproduce the above copyright
1590Srgrimes *    notice, this list of conditions and the following disclaimer in the
1590Srgrimes *    documentation and/or other materials provided with the distribution.
140392Srwatson *
140392Srwatson * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
140392Srwatson * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
140392Srwatson * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
140392Srwatson * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
140392Srwatson * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
140392Srwatson * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
140392Srwatson * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
140392Srwatson * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
140392Srwatson * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
140392Srwatson * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
140392Srwatson * SUCH DAMAGE.
140392Srwatson */
140392Srwatson/*-
140392Srwatson * Copyright (c) 1988, 1993, 1994
140392Srwatson *	The Regents of the University of California.  All rights reserved.
140392Srwatson *
140392Srwatson * Redistribution and use in source and binary forms, with or without
140392Srwatson * modification, are permitted provided that the following conditions
140392Srwatson * are met:
140392Srwatson * 1. Redistributions of source code must retain the above copyright
140392Srwatson *    notice, this list of conditions and the following disclaimer.
140392Srwatson * 2. Redistributions in binary form must reproduce the above copyright
140392Srwatson *    notice, this list of conditions and the following disclaimer in the
140392Srwatson *    documentation and/or other materials provided with the distribution.
1590Srgrimes * 3. All advertising materials mentioning features or use of this software
1590Srgrimes *    must display the following acknowledgement:
1590Srgrimes *	This product includes software developed by the University of
1590Srgrimes *	California, Berkeley and its contributors.
1590Srgrimes * 4. Neither the name of the University nor the names of its contributors
1590Srgrimes *    may be used to endorse or promote products derived from this software
1590Srgrimes *    without specific prior written permission.
1590Srgrimes *
1590Srgrimes * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
1590Srgrimes * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
1590Srgrimes * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
1590Srgrimes * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
1590Srgrimes * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
1590Srgrimes * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
1590Srgrimes * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
1590Srgrimes * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
1590Srgrimes * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
1590Srgrimes * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
1590Srgrimes * SUCH DAMAGE.
1590Srgrimes */
1590Srgrimes
1590Srgrimes#ifndef lint
14440Smarkmstatic const char copyright[] =
1590Srgrimes"@(#) Copyright (c) 1988, 1993, 1994\n\
1590Srgrimes	The Regents of the University of California.  All rights reserved.\n";
1590Srgrimes#endif /* not lint */
1590Srgrimes
127848Scharnier#if 0
1590Srgrimes#ifndef lint
1590Srgrimesstatic char sccsid[] = "@(#)su.c	8.3 (Berkeley) 4/2/94";
127848Scharnier#endif /* not lint */
28099Scharnier#endif
1590Srgrimes
127848Scharnier#include <sys/cdefs.h>
127848Scharnier__FBSDID("$FreeBSD: head/usr.bin/su/su.c 169177 2007-05-01 16:02:44Z ache $");
127848Scharnier
1590Srgrimes#include <sys/param.h>
1590Srgrimes#include <sys/time.h>
1590Srgrimes#include <sys/resource.h>
77220Smarkm#include <sys/wait.h>
1590Srgrimes
161815Scsjp#ifdef USE_BSM_AUDIT
161815Scsjp#include <bsm/libbsm.h>
161815Scsjp#include <bsm/audit_uevents.h>
161815Scsjp#endif
161815Scsjp
1590Srgrimes#include <err.h>
1590Srgrimes#include <errno.h>
1590Srgrimes#include <grp.h>
77220Smarkm#include <login_cap.h>
1590Srgrimes#include <paths.h>
1590Srgrimes#include <pwd.h>
77220Smarkm#include <signal.h>
1590Srgrimes#include <stdio.h>
1590Srgrimes#include <stdlib.h>
1590Srgrimes#include <string.h>
1590Srgrimes#include <syslog.h>
1590Srgrimes#include <unistd.h>
161815Scsjp#include <stdarg.h>
21646Sdavidn
74874Smarkm#include <security/pam_appl.h>
91745Sdes#include <security/openpam.h>
74874Smarkm
113262Sdes#define PAM_END() do {							\
113262Sdes	int local_ret;							\
113262Sdes	if (pamh != NULL) {						\
113262Sdes		local_ret = pam_setcred(pamh, PAM_DELETE_CRED);		\
113262Sdes		if (local_ret != PAM_SUCCESS)				\
113262Sdes			syslog(LOG_ERR, "pam_setcred: %s",		\
113262Sdes				pam_strerror(pamh, local_ret));		\
113262Sdes		if (asthem) {						\
113262Sdes			local_ret = pam_close_session(pamh, 0);		\
113262Sdes			if (local_ret != PAM_SUCCESS)			\
113262Sdes				syslog(LOG_ERR, "pam_close_session: %s",\
113262Sdes					pam_strerror(pamh, local_ret));	\
113262Sdes		}							\
113262Sdes		local_ret = pam_end(pamh, local_ret);			\
113262Sdes		if (local_ret != PAM_SUCCESS)				\
113262Sdes			syslog(LOG_ERR, "pam_end: %s",			\
113262Sdes				pam_strerror(pamh, local_ret));		\
113262Sdes	}								\
77220Smarkm} while (0)
74874Smarkm
74874Smarkm
113262Sdes#define PAM_SET_ITEM(what, item) do {					\
113262Sdes	int local_ret;							\
113262Sdes	local_ret = pam_set_item(pamh, what, item);			\
113262Sdes	if (local_ret != PAM_SUCCESS) {					\
113262Sdes		syslog(LOG_ERR, "pam_set_item(" #what "): %s",		\
113262Sdes			pam_strerror(pamh, local_ret));			\
113262Sdes		errx(1, "pam_set_item(" #what "): %s",			\
113262Sdes			pam_strerror(pamh, local_ret));			\
130409Smarkm		/* NOTREACHED */					\
113262Sdes	}								\
77220Smarkm} while (0)
3702Spst
77220Smarkmenum tristate { UNSET, YES, NO };
1590Srgrimes
77220Smarkmstatic pam_handle_t *pamh = NULL;
77220Smarkmstatic char	**environ_pam;
77220Smarkm
77220Smarkmstatic char	*ontty(void);
130409Smarkmstatic int	chshell(const char *);
130409Smarkmstatic void	usage(void) __dead2;
130409Smarkmstatic void	export_pam_environment(void);
77220Smarkmstatic int	ok_to_export(const char *);
77220Smarkm
77220Smarkmextern char	**environ;
77220Smarkm
1590Srgrimesint
77220Smarkmmain(int argc, char *argv[])
1590Srgrimes{
130409Smarkm	static char	*cleanenv;
77220Smarkm	struct passwd	*pwd;
91745Sdes	struct pam_conv	conv = { openpam_ttyconv, NULL };
77220Smarkm	enum tristate	iscsh;
77220Smarkm	login_cap_t	*lc;
83373Smarkm	union {
83373Smarkm		const char	**a;
83373Smarkm		char		* const *b;
97377Sdes	}		np;
77220Smarkm	uid_t		ruid;
153985Sbrian	pid_t		child_pid, child_pgrp, pid;
130409Smarkm	int		asme, ch, asthem, fastlogin, prio, i, retcode,
113262Sdes			statusp, setmaclabel;
130409Smarkm	u_int		setwhat;
130409Smarkm	char		*username, *class, shellbuf[MAXPATHLEN];
83373Smarkm	const char	*p, *user, *shell, *mytty, **nargv;
112695Sdavidxu	struct sigaction sa, sa_int, sa_quit, sa_pipe;
112695Sdavidxu	int temp, fds[2];
161815Scsjp#ifdef USE_BSM_AUDIT
161815Scsjp	const char	*aerr;
161815Scsjp	au_id_t		 auid;
161815Scsjp#endif
98837Sdillon
77220Smarkm	shell = class = cleanenv = NULL;
77220Smarkm	asme = asthem = fastlogin = statusp = 0;
10586Sjoerg	user = "root";
77220Smarkm	iscsh = UNSET;
105758Srwatson	setmaclabel = 0;
77220Smarkm
105758Srwatson	while ((ch = getopt(argc, argv, "-flmsc:")) != -1)
77220Smarkm		switch ((char)ch) {
1590Srgrimes		case 'f':
1590Srgrimes			fastlogin = 1;
1590Srgrimes			break;
1590Srgrimes		case '-':
1590Srgrimes		case 'l':
1590Srgrimes			asme = 0;
1590Srgrimes			asthem = 1;
1590Srgrimes			break;
1590Srgrimes		case 'm':
1590Srgrimes			asme = 1;
1590Srgrimes			asthem = 0;
1590Srgrimes			break;
105758Srwatson		case 's':
105758Srwatson			setmaclabel = 1;
105758Srwatson			break;
30793Sguido		case 'c':
30793Sguido			class = optarg;
30793Sguido			break;
1590Srgrimes		case '?':
1590Srgrimes		default:
28099Scharnier			usage();
130409Smarkm		/* NOTREACHED */
28099Scharnier		}
39538Sroberto
39538Sroberto	if (optind < argc)
10586Sjoerg		user = argv[optind++];
10586Sjoerg
28612Sjoerg	if (user == NULL)
28612Sjoerg		usage();
130409Smarkm	/* NOTREACHED */
28612Sjoerg
140392Srwatson	/*
140392Srwatson	 * Try to provide more helpful debugging output if su(1) is running
140392Srwatson	 * non-setuid, or was run from a file system not mounted setuid.
140392Srwatson	 */
140392Srwatson	if (geteuid() != 0)
140392Srwatson		errx(1, "not running setuid");
140392Srwatson
161815Scsjp#ifdef USE_BSM_AUDIT
161815Scsjp	if (getauid(&auid) < 0 && errno != ENOSYS) {
161815Scsjp		syslog(LOG_AUTH | LOG_ERR, "getauid: %s", strerror(errno));
161815Scsjp		errx(1, "Permission denied");
161815Scsjp	}
161815Scsjp#endif
161815Scsjp	if (strlen(user) > MAXLOGNAME - 1) {
161815Scsjp#ifdef USE_BSM_AUDIT
161815Scsjp		if (audit_submit(AUE_su, auid,
161815Scsjp		    1, EPERM, "username too long: '%s'", user))
161815Scsjp			errx(1, "Permission denied");
161815Scsjp#endif
161815Scsjp		errx(1, "username too long");
161815Scsjp	}
161815Scsjp
130409Smarkm	nargv = malloc(sizeof(char *) * (size_t)(argc + 4));
77220Smarkm	if (nargv == NULL)
77220Smarkm		errx(1, "malloc failure");
77220Smarkm
10586Sjoerg	nargv[argc + 3] = NULL;
10586Sjoerg	for (i = argc; i >= optind; i--)
77220Smarkm		nargv[i + 3] = argv[i];
83373Smarkm	np.a = &nargv[i + 3];
10586Sjoerg
1590Srgrimes	argv += optind;
1590Srgrimes
1590Srgrimes	errno = 0;
1590Srgrimes	prio = getpriority(PRIO_PROCESS, 0);
1590Srgrimes	if (errno)
1590Srgrimes		prio = 0;
77220Smarkm
77220Smarkm	setpriority(PRIO_PROCESS, 0, -2);
74874Smarkm	openlog("su", LOG_CONS, LOG_AUTH);
1590Srgrimes
77220Smarkm	/* get current login name, real uid and shell */
1590Srgrimes	ruid = getuid();
1590Srgrimes	username = getlogin();
77220Smarkm	pwd = getpwnam(username);
77220Smarkm	if (username == NULL || pwd == NULL || pwd->pw_uid != ruid)
1590Srgrimes		pwd = getpwuid(ruid);
161815Scsjp	if (pwd == NULL) {
161815Scsjp#ifdef USE_BSM_AUDIT
161815Scsjp		if (audit_submit(AUE_su, auid, 1, EPERM,
161815Scsjp		    "unable to determine invoking subject: '%s'", username))
161815Scsjp			errx(1, "Permission denied");
161815Scsjp#endif
1590Srgrimes		errx(1, "who are you?");
161815Scsjp	}
77220Smarkm
1590Srgrimes	username = strdup(pwd->pw_name);
1590Srgrimes	if (username == NULL)
77220Smarkm		err(1, "strdup failure");
77220Smarkm
21646Sdavidn	if (asme) {
21646Sdavidn		if (pwd->pw_shell != NULL && *pwd->pw_shell != '\0') {
77220Smarkm			/* must copy - pwd memory is recycled */
77220Smarkm			shell = strncpy(shellbuf, pwd->pw_shell,
77220Smarkm			    sizeof(shellbuf));
77220Smarkm			shellbuf[sizeof(shellbuf) - 1] = '\0';
77220Smarkm		}
77220Smarkm		else {
1590Srgrimes			shell = _PATH_BSHELL;
1590Srgrimes			iscsh = NO;
1590Srgrimes		}
21646Sdavidn	}
1590Srgrimes
77220Smarkm	/* Do the whole PAM startup thing */
74874Smarkm	retcode = pam_start("su", user, &conv, &pamh);
74874Smarkm	if (retcode != PAM_SUCCESS) {
74874Smarkm		syslog(LOG_ERR, "pam_start: %s", pam_strerror(pamh, retcode));
74874Smarkm		errx(1, "pam_start: %s", pam_strerror(pamh, retcode));
74874Smarkm	}
74874Smarkm
110456Sdes	PAM_SET_ITEM(PAM_RUSER, username);
81529Smarkm
74874Smarkm	mytty = ttyname(STDERR_FILENO);
74874Smarkm	if (!mytty)
74874Smarkm		mytty = "tty";
77220Smarkm	PAM_SET_ITEM(PAM_TTY, mytty);
77220Smarkm
77220Smarkm	retcode = pam_authenticate(pamh, 0);
74874Smarkm	if (retcode != PAM_SUCCESS) {
161815Scsjp#ifdef USE_BSM_AUDIT
161815Scsjp		if (audit_submit(AUE_su, auid, 1, EPERM, "bad su %s to %s on %s",
161815Scsjp		    username, user, mytty))
161815Scsjp			errx(1, "Permission denied");
161815Scsjp#endif
105386Smarkm		syslog(LOG_AUTH|LOG_WARNING, "BAD SU %s to %s on %s",
105386Smarkm		    username, user, mytty);
77220Smarkm		errx(1, "Sorry");
74874Smarkm	}
161815Scsjp#ifdef USE_BSM_AUDIT
161815Scsjp	if (audit_submit(AUE_su, auid, 0, 0, "successful authentication"))
161815Scsjp		errx(1, "Permission denied");
161815Scsjp#endif
77220Smarkm	retcode = pam_get_item(pamh, PAM_USER, (const void **)&p);
77220Smarkm	if (retcode == PAM_SUCCESS)
77220Smarkm		user = p;
77220Smarkm	else
77220Smarkm		syslog(LOG_ERR, "pam_get_item(PAM_USER): %s",
77220Smarkm		    pam_strerror(pamh, retcode));
124166Sdes	pwd = getpwnam(user);
161815Scsjp	if (pwd == NULL) {
161815Scsjp#ifdef USE_BSM_AUDIT
161815Scsjp		if (audit_submit(AUE_su, auid, 1, EPERM,
161815Scsjp		    "unknown subject: %s", user))
161815Scsjp			errx(1, "Permission denied");
161815Scsjp#endif
124166Sdes		errx(1, "unknown login: %s", user);
161815Scsjp	}
74874Smarkm
77220Smarkm	retcode = pam_acct_mgmt(pamh, 0);
77220Smarkm	if (retcode == PAM_NEW_AUTHTOK_REQD) {
77220Smarkm		retcode = pam_chauthtok(pamh,
77220Smarkm			PAM_CHANGE_EXPIRED_AUTHTOK);
74874Smarkm		if (retcode != PAM_SUCCESS) {
161815Scsjp#ifdef USE_BSM_AUDIT
161815Scsjp			aerr = pam_strerror(pamh, retcode);
161815Scsjp			if (aerr == NULL)
161815Scsjp				aerr = "Unknown PAM error";
161815Scsjp			if (audit_submit(AUE_su, auid, 1, EPERM,
161815Scsjp			    "pam_chauthtok: %s", aerr))
161815Scsjp				errx(1, "Permission denied");
161815Scsjp#endif
77220Smarkm			syslog(LOG_ERR, "pam_chauthtok: %s",
77220Smarkm			    pam_strerror(pamh, retcode));
74874Smarkm			errx(1, "Sorry");
74874Smarkm		}
74874Smarkm	}
77220Smarkm	if (retcode != PAM_SUCCESS) {
161815Scsjp#ifdef USE_BSM_AUDIT
161815Scsjp		if (audit_submit(AUE_su, auid, 1, EPERM, "pam_acct_mgmt: %s",
161815Scsjp		    pam_strerror(pamh, retcode)))
161815Scsjp			errx(1, "Permission denied");
161815Scsjp#endif
77220Smarkm		syslog(LOG_ERR, "pam_acct_mgmt: %s",
77220Smarkm			pam_strerror(pamh, retcode));
77220Smarkm		errx(1, "Sorry");
77220Smarkm	}
74874Smarkm
124166Sdes	/* get target login information */
77220Smarkm	if (class == NULL)
30793Sguido		lc = login_getpwclass(pwd);
77220Smarkm	else {
161815Scsjp		if (ruid != 0) {
161815Scsjp#ifdef USE_BSM_AUDIT
161815Scsjp			if (audit_submit(AUE_su, auid, 1, EPERM,
161815Scsjp			    "only root may use -c"))
161815Scsjp				errx(1, "Permission denied");
161815Scsjp#endif
30793Sguido			errx(1, "only root may use -c");
161815Scsjp		}
30793Sguido		lc = login_getclass(class);
30793Sguido		if (lc == NULL)
30793Sguido			errx(1, "unknown class: %s", class);
30793Sguido	}
1590Srgrimes
77220Smarkm	/* if asme and non-standard target shell, must be root */
1590Srgrimes	if (asme) {
77220Smarkm		if (ruid != 0 && !chshell(pwd->pw_shell))
127848Scharnier			errx(1, "permission denied (shell)");
77220Smarkm	}
77220Smarkm	else if (pwd->pw_shell && *pwd->pw_shell) {
1590Srgrimes		shell = pwd->pw_shell;
1590Srgrimes		iscsh = UNSET;
77220Smarkm	}
77220Smarkm	else {
1590Srgrimes		shell = _PATH_BSHELL;
1590Srgrimes		iscsh = NO;
1590Srgrimes	}
1590Srgrimes
1590Srgrimes	/* if we're forking a csh, we want to slightly muck the args */
1590Srgrimes	if (iscsh == UNSET) {
14440Smarkm		p = strrchr(shell, '/');
14440Smarkm		if (p)
1590Srgrimes			++p;
1590Srgrimes		else
1590Srgrimes			p = shell;
77220Smarkm		iscsh = strcmp(p, "csh") ? (strcmp(p, "tcsh") ? NO : YES) : YES;
1590Srgrimes	}
77220Smarkm	setpriority(PRIO_PROCESS, 0, prio);
1590Srgrimes
21646Sdavidn	/*
77220Smarkm	 * PAM modules might add supplementary groups in pam_setcred(), so
77220Smarkm	 * initialize them first.
74874Smarkm	 */
74874Smarkm	if (setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETGROUP) < 0)
74874Smarkm		err(1, "setusercontext");
74874Smarkm
74874Smarkm	retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED);
113262Sdes	if (retcode != PAM_SUCCESS) {
113262Sdes		syslog(LOG_ERR, "pam_setcred: %s",
77220Smarkm		    pam_strerror(pamh, retcode));
113262Sdes		errx(1, "failed to establish credentials.");
113262Sdes	}
113262Sdes	if (asthem) {
113262Sdes		retcode = pam_open_session(pamh, 0);
113262Sdes		if (retcode != PAM_SUCCESS) {
113262Sdes			syslog(LOG_ERR, "pam_open_session: %s",
113262Sdes			    pam_strerror(pamh, retcode));
113262Sdes			errx(1, "failed to open session.");
113262Sdes		}
113262Sdes	}
74874Smarkm
74874Smarkm	/*
74874Smarkm	 * We must fork() before setuid() because we need to call
74874Smarkm	 * pam_setcred(pamh, PAM_DELETE_CRED) as root.
74874Smarkm	 */
98837Sdillon	sa.sa_flags = SA_RESTART;
105362Stjr	sa.sa_handler = SIG_IGN;
98837Sdillon	sigemptyset(&sa.sa_mask);
98837Sdillon	sigaction(SIGINT, &sa, &sa_int);
98837Sdillon	sigaction(SIGQUIT, &sa, &sa_quit);
112695Sdavidxu	sigaction(SIGPIPE, &sa, &sa_pipe);
112085Sdavidxu	sa.sa_handler = SIG_DFL;
112085Sdavidxu	sigaction(SIGTSTP, &sa, NULL);
74874Smarkm	statusp = 1;
112695Sdavidxu	if (pipe(fds) == -1) {
130409Smarkm		PAM_END();
112695Sdavidxu		err(1, "pipe");
112695Sdavidxu	}
77220Smarkm	child_pid = fork();
77220Smarkm	switch (child_pid) {
74874Smarkm	default:
122013Sdavidxu		sa.sa_handler = SIG_IGN;
122013Sdavidxu		sigaction(SIGTTOU, &sa, NULL);
112695Sdavidxu		close(fds[0]);
153985Sbrian		setpgid(child_pid, child_pid);
153985Sbrian		if (tcgetpgrp(STDERR_FILENO) == getpgrp())
153985Sbrian			tcsetpgrp(STDERR_FILENO, child_pid);
112695Sdavidxu		close(fds[1]);
112695Sdavidxu		sigaction(SIGPIPE, &sa_pipe, NULL);
113262Sdes		while ((pid = waitpid(child_pid, &statusp, WUNTRACED)) != -1) {
77220Smarkm			if (WIFSTOPPED(statusp)) {
153985Sbrian				child_pgrp = getpgid(child_pid);
153985Sbrian				if (tcgetpgrp(STDERR_FILENO) == child_pgrp)
153985Sbrian					tcsetpgrp(STDERR_FILENO, getpgrp());
153966Sbrian				kill(getpid(), SIGSTOP);
153985Sbrian				if (tcgetpgrp(STDERR_FILENO) == getpgrp()) {
153985Sbrian					child_pgrp = getpgid(child_pid);
153985Sbrian					tcsetpgrp(STDERR_FILENO, child_pgrp);
153985Sbrian				}
153966Sbrian				kill(child_pid, SIGCONT);
77220Smarkm				statusp = 1;
77220Smarkm				continue;
77220Smarkm			}
77220Smarkm			break;
74874Smarkm		}
153985Sbrian		child_pgrp = getpgid(child_pid);
153985Sbrian		if (tcgetpgrp(STDERR_FILENO) == child_pgrp)
153985Sbrian			tcsetpgrp(STDERR_FILENO, getpgrp());
113262Sdes		if (pid == -1)
77220Smarkm			err(1, "waitpid");
81528Smarkm		PAM_END();
130409Smarkm		exit(WEXITSTATUS(statusp));
74874Smarkm	case -1:
130409Smarkm		PAM_END();
77220Smarkm		err(1, "fork");
74874Smarkm	case 0:
112695Sdavidxu		close(fds[1]);
112695Sdavidxu		read(fds[0], &temp, 1);
112695Sdavidxu		close(fds[0]);
112695Sdavidxu		sigaction(SIGPIPE, &sa_pipe, NULL);
98837Sdillon		sigaction(SIGINT, &sa_int, NULL);
98837Sdillon		sigaction(SIGQUIT, &sa_quit, NULL);
112695Sdavidxu
77220Smarkm		/*
77220Smarkm		 * Set all user context except for: Environmental variables
77220Smarkm		 * Umask Login records (wtmp, etc) Path
77220Smarkm		 */
77220Smarkm		setwhat = LOGIN_SETALL & ~(LOGIN_SETENV | LOGIN_SETUMASK |
105758Srwatson			   LOGIN_SETLOGIN | LOGIN_SETPATH | LOGIN_SETGROUP |
105758Srwatson			   LOGIN_SETMAC);
77220Smarkm		/*
105758Srwatson		 * If -s is present, also set the MAC label.
105758Srwatson		 */
105758Srwatson		if (setmaclabel)
105758Srwatson			setwhat |= LOGIN_SETMAC;
105758Srwatson		/*
77220Smarkm		 * Don't touch resource/priority settings if -m has been used
77220Smarkm		 * or -l and -c hasn't, and we're not su'ing to root.
77220Smarkm		 */
77220Smarkm		if ((asme || (!asthem && class == NULL)) && pwd->pw_uid)
77220Smarkm			setwhat &= ~(LOGIN_SETPRIORITY | LOGIN_SETRESOURCES);
77220Smarkm		if (setusercontext(lc, pwd, pwd->pw_uid, setwhat) < 0)
77220Smarkm			err(1, "setusercontext");
74874Smarkm
77220Smarkm		if (!asme) {
77220Smarkm			if (asthem) {
77220Smarkm				p = getenv("TERM");
77220Smarkm				environ = &cleanenv;
113262Sdes			}
69427Srwatson
113262Sdes			if (asthem || pwd->pw_uid)
113262Sdes				setenv("USER", pwd->pw_name, 1);
113262Sdes			setenv("HOME", pwd->pw_dir, 1);
113262Sdes			setenv("SHELL", shell, 1);
113262Sdes
113262Sdes			if (asthem) {
77220Smarkm				/*
77220Smarkm				 * Add any environmental variables that the
77220Smarkm				 * PAM modules may have set.
77220Smarkm				 */
77220Smarkm				environ_pam = pam_getenvlist(pamh);
77220Smarkm				if (environ_pam)
77220Smarkm					export_pam_environment();
1590Srgrimes
77220Smarkm				/* set the su'd user's environment & umask */
77220Smarkm				setusercontext(lc, pwd, pwd->pw_uid,
77220Smarkm					LOGIN_SETPATH | LOGIN_SETUMASK |
77220Smarkm					LOGIN_SETENV);
77220Smarkm				if (p)
77220Smarkm					setenv("TERM", p, 1);
162761Sluoqi
162761Sluoqi				p = pam_getenv(pamh, "HOME");
162761Sluoqi				if (chdir(p ? p : pwd->pw_dir) < 0)
162761Sluoqi					errx(1, "no directory");
77220Smarkm			}
77220Smarkm		}
77220Smarkm		login_close(lc);
74874Smarkm
77220Smarkm		if (iscsh == YES) {
77220Smarkm			if (fastlogin)
83373Smarkm				*np.a-- = "-f";
77220Smarkm			if (asme)
83373Smarkm				*np.a-- = "-m";
1590Srgrimes		}
77220Smarkm		/* csh strips the first character... */
83373Smarkm		*np.a = asthem ? "-su" : iscsh == YES ? "_su" : "su";
74874Smarkm
77220Smarkm		if (ruid != 0)
77220Smarkm			syslog(LOG_NOTICE, "%s to %s%s", username, user,
77220Smarkm			    ontty());
74874Smarkm
83373Smarkm		execv(shell, np.b);
77220Smarkm		err(1, "%s", shell);
1590Srgrimes	}
1590Srgrimes}
1590Srgrimes
130409Smarkmstatic void
77220Smarkmexport_pam_environment(void)
74874Smarkm{
74874Smarkm	char	**pp;
74874Smarkm
74874Smarkm	for (pp = environ_pam; *pp != NULL; pp++) {
74874Smarkm		if (ok_to_export(*pp))
169177Sache			putenv(*pp);
169177Sache		free(*pp);
74874Smarkm	}
74874Smarkm}
74874Smarkm
74874Smarkm/*
74874Smarkm * Sanity checks on PAM environmental variables:
74874Smarkm * - Make sure there is an '=' in the string.
74874Smarkm * - Make sure the string doesn't run on too long.
74874Smarkm * - Do not export certain variables.  This list was taken from the
74874Smarkm *   Solaris pam_putenv(3) man page.
113262Sdes * Note that if the user is chrooted, PAM may have a better idea than we
113262Sdes * do of where her home directory is.
74874Smarkm */
74874Smarkmstatic int
77220Smarkmok_to_export(const char *s)
74874Smarkm{
74874Smarkm	static const char *noexport[] = {
113262Sdes		"SHELL", /* "HOME", */ "LOGNAME", "MAIL", "CDPATH",
74874Smarkm		"IFS", "PATH", NULL
74874Smarkm	};
74874Smarkm	const char **pp;
74874Smarkm	size_t n;
74874Smarkm
74874Smarkm	if (strlen(s) > 1024 || strchr(s, '=') == NULL)
74874Smarkm		return 0;
74874Smarkm	if (strncmp(s, "LD_", 3) == 0)
74874Smarkm		return 0;
74874Smarkm	for (pp = noexport; *pp != NULL; pp++) {
74874Smarkm		n = strlen(*pp);
74874Smarkm		if (s[n] == '=' && strncmp(s, *pp, n) == 0)
74874Smarkm			return 0;
74874Smarkm	}
74874Smarkm	return 1;
74874Smarkm}
74874Smarkm
28099Scharnierstatic void
77220Smarkmusage(void)
28099Scharnier{
81702Sru
105758Srwatson	fprintf(stderr, "usage: su [-] [-flms] [-c class] [login [args]]\n");
81702Sru	exit(1);
130409Smarkm	/* NOTREACHED */
28099Scharnier}
28099Scharnier
77220Smarkmstatic int
130409Smarkmchshell(const char *sh)
1590Srgrimes{
77220Smarkm	int r;
1590Srgrimes	char *cp;
1590Srgrimes
77220Smarkm	r = 0;
21646Sdavidn	setusershell();
121236Scognet	while ((cp = getusershell()) != NULL && !r)
121236Scognet	    r = (strcmp(cp, sh) == 0);
21646Sdavidn	endusershell();
21646Sdavidn	return r;
1590Srgrimes}
1590Srgrimes
77220Smarkmstatic char *
77220Smarkmontty(void)
1590Srgrimes{
1590Srgrimes	char *p;
1590Srgrimes	static char buf[MAXPATHLEN + 4];
1590Srgrimes
1590Srgrimes	buf[0] = 0;
14440Smarkm	p = ttyname(STDERR_FILENO);
14440Smarkm	if (p)
1590Srgrimes		snprintf(buf, sizeof(buf), " on %s", p);
77220Smarkm	return buf;
1590Srgrimes}