su.c revision 105080 
1/*
2 * Copyright (c) 1988, 1993, 1994
3 *	The Regents of the University of California.  All rights reserved.
4 * Copyright (c) 2002 Networks Associates Technologies, Inc.
5 * All rights reserved.
6 *
7 * Portions of this software were developed for the FreeBSD Project by
8 * ThinkSec AS and NAI Labs, the Security Research Division of Network
9 * Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
10 * ("CBOSS"), as part of the DARPA CHATS research program.
11 *
12 * Redistribution and use in source and binary forms, with or without
13 * modification, are permitted provided that the following conditions
14 * are met:
15 * 1. Redistributions of source code must retain the above copyright
16 *    notice, this list of conditions and the following disclaimer.
17 * 2. Redistributions in binary form must reproduce the above copyright
18 *    notice, this list of conditions and the following disclaimer in the
19 *    documentation and/or other materials provided with the distribution.
20 * 3. All advertising materials mentioning features or use of this software
21 *    must display the following acknowledgement:
22 *	This product includes software developed by the University of
23 *	California, Berkeley and its contributors.
24 * 4. Neither the name of the University nor the names of its contributors
25 *    may be used to endorse or promote products derived from this software
26 *    without specific prior written permission.
27 *
28 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
29 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
30 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
31 * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
32 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
33 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
34 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
35 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
36 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
37 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
38 * SUCH DAMAGE.
39 */
40
41#ifndef lint
42static const char copyright[] =
43"@(#) Copyright (c) 1988, 1993, 1994\n\
44	The Regents of the University of California.  All rights reserved.\n";
45#endif /* not lint */
46
47#ifndef lint
48#if 0
49static char sccsid[] = "@(#)su.c	8.3 (Berkeley) 4/2/94";
50#endif
51static const char rcsid[] =
52  "$FreeBSD: head/usr.bin/su/su.c 105080 2002-10-14 08:54:08Z phk $";
53#endif /* not lint */
54
55#include <sys/param.h>
56#include <sys/time.h>
57#include <sys/resource.h>
58#include <sys/wait.h>
59
60#include <err.h>
61#include <errno.h>
62#include <grp.h>
63#include <libutil.h>
64#include <login_cap.h>
65#include <paths.h>
66#include <pwd.h>
67#include <signal.h>
68#include <stdio.h>
69#include <stdlib.h>
70#include <string.h>
71#include <syslog.h>
72#include <unistd.h>
73
74#include <security/pam_appl.h>
75#include <security/openpam.h>
76
77#define PAM_END() do {						\
78	int local_ret;						\
79	if (pamh != NULL && creds_set) {			\
80		local_ret = pam_setcred(pamh, PAM_DELETE_CRED);	\
81		if (local_ret != PAM_SUCCESS)			\
82			syslog(LOG_ERR, "pam_setcred: %s",	\
83				pam_strerror(pamh, local_ret));	\
84		local_ret = pam_end(pamh, local_ret);		\
85		if (local_ret != PAM_SUCCESS)			\
86			syslog(LOG_ERR, "pam_end: %s",		\
87				pam_strerror(pamh, local_ret));	\
88	}							\
89} while (0)
90
91
92#define PAM_SET_ITEM(what, item) do {				\
93	int local_ret;						\
94	local_ret = pam_set_item(pamh, what, item);		\
95	if (local_ret != PAM_SUCCESS) {				\
96		syslog(LOG_ERR, "pam_set_item(" #what "): %s",	\
97			pam_strerror(pamh, local_ret));		\
98		errx(1, "pam_set_item(" #what "): %s",		\
99			pam_strerror(pamh, local_ret));		\
100	}							\
101} while (0)
102
103enum tristate { UNSET, YES, NO };
104
105static pam_handle_t *pamh = NULL;
106static int	creds_set = 0;
107static char	**environ_pam;
108
109static char	*ontty(void);
110static int	chshell(char *);
111static void	usage(void);
112static int	export_pam_environment(void);
113static int	ok_to_export(const char *);
114
115extern char	**environ;
116
117int
118main(int argc, char *argv[])
119{
120	struct passwd	*pwd;
121	struct pam_conv	conv = { openpam_ttyconv, NULL };
122	enum tristate	iscsh;
123	login_cap_t	*lc;
124	union {
125		const char	**a;
126		char		* const *b;
127	}		np;
128	uid_t		ruid;
129	int		asme, ch, asthem, fastlogin, prio, i, setwhat, retcode,
130			statusp, child_pid, child_pgrp, ret_pid;
131	char		*username, *cleanenv, *class, shellbuf[MAXPATHLEN];
132	const char	*p, *user, *shell, *mytty, **nargv;
133
134	struct sigaction sa, sa_int, sa_quit, sa_tstp;
135
136	shell = class = cleanenv = NULL;
137	asme = asthem = fastlogin = statusp = 0;
138	user = "root";
139	iscsh = UNSET;
140
141	while ((ch = getopt(argc, argv, "-flmc:")) != -1)
142		switch ((char)ch) {
143		case 'f':
144			fastlogin = 1;
145			break;
146		case '-':
147		case 'l':
148			asme = 0;
149			asthem = 1;
150			break;
151		case 'm':
152			asme = 1;
153			asthem = 0;
154			break;
155		case 'c':
156			class = optarg;
157			break;
158		case '?':
159		default:
160			usage();
161		}
162
163	if (optind < argc)
164		user = argv[optind++];
165
166	if (user == NULL)
167		usage();
168
169	if (strlen(user) > MAXLOGNAME - 1)
170		errx(1, "username too long");
171
172	nargv = malloc(sizeof(char *) * (argc + 4));
173	if (nargv == NULL)
174		errx(1, "malloc failure");
175
176	nargv[argc + 3] = NULL;
177	for (i = argc; i >= optind; i--)
178		nargv[i + 3] = argv[i];
179	np.a = &nargv[i + 3];
180
181	argv += optind;
182
183	errno = 0;
184	prio = getpriority(PRIO_PROCESS, 0);
185	if (errno)
186		prio = 0;
187
188	setpriority(PRIO_PROCESS, 0, -2);
189	openlog("su", LOG_CONS, LOG_AUTH);
190
191	/* get current login name, real uid and shell */
192	ruid = getuid();
193	username = getlogin();
194	pwd = getpwnam(username);
195	if (username == NULL || pwd == NULL || pwd->pw_uid != ruid)
196		pwd = getpwuid(ruid);
197	if (pwd == NULL)
198		errx(1, "who are you?");
199
200	username = strdup(pwd->pw_name);
201	if (username == NULL)
202		err(1, "strdup failure");
203
204	if (asme) {
205		if (pwd->pw_shell != NULL && *pwd->pw_shell != '\0') {
206			/* must copy - pwd memory is recycled */
207			shell = strncpy(shellbuf, pwd->pw_shell,
208			    sizeof(shellbuf));
209			shellbuf[sizeof(shellbuf) - 1] = '\0';
210		}
211		else {
212			shell = _PATH_BSHELL;
213			iscsh = NO;
214		}
215	}
216
217	/* Do the whole PAM startup thing */
218	retcode = pam_start("su", user, &conv, &pamh);
219	if (retcode != PAM_SUCCESS) {
220		syslog(LOG_ERR, "pam_start: %s", pam_strerror(pamh, retcode));
221		errx(1, "pam_start: %s", pam_strerror(pamh, retcode));
222	}
223
224	PAM_SET_ITEM(PAM_RUSER, getlogin());
225
226	mytty = ttyname(STDERR_FILENO);
227	if (!mytty)
228		mytty = "tty";
229	PAM_SET_ITEM(PAM_TTY, mytty);
230
231	retcode = pam_authenticate(pamh, 0);
232	if (retcode != PAM_SUCCESS) {
233		syslog(LOG_ERR, "pam_authenticate: %s",
234		    pam_strerror(pamh, retcode));
235		errx(1, "Sorry");
236	}
237	retcode = pam_get_item(pamh, PAM_USER, (const void **)&p);
238	if (retcode == PAM_SUCCESS)
239		user = p;
240	else
241		syslog(LOG_ERR, "pam_get_item(PAM_USER): %s",
242		    pam_strerror(pamh, retcode));
243
244	retcode = pam_acct_mgmt(pamh, 0);
245	if (retcode == PAM_NEW_AUTHTOK_REQD) {
246		retcode = pam_chauthtok(pamh,
247			PAM_CHANGE_EXPIRED_AUTHTOK);
248		if (retcode != PAM_SUCCESS) {
249			syslog(LOG_ERR, "pam_chauthtok: %s",
250			    pam_strerror(pamh, retcode));
251			errx(1, "Sorry");
252		}
253	}
254	if (retcode != PAM_SUCCESS) {
255		syslog(LOG_ERR, "pam_acct_mgmt: %s",
256			pam_strerror(pamh, retcode));
257		errx(1, "Sorry");
258	}
259
260	/* get target login information, default to root */
261	pwd = getpwnam(user);
262	if (pwd == NULL)
263		errx(1, "unknown login: %s", user);
264	if (class == NULL)
265		lc = login_getpwclass(pwd);
266	else {
267		if (ruid != 0)
268			errx(1, "only root may use -c");
269		lc = login_getclass(class);
270		if (lc == NULL)
271			errx(1, "unknown class: %s", class);
272	}
273
274	/* if asme and non-standard target shell, must be root */
275	if (asme) {
276		if (ruid != 0 && !chshell(pwd->pw_shell))
277			errx(1, "permission denied (shell).");
278	}
279	else if (pwd->pw_shell && *pwd->pw_shell) {
280		shell = pwd->pw_shell;
281		iscsh = UNSET;
282	}
283	else {
284		shell = _PATH_BSHELL;
285		iscsh = NO;
286	}
287
288	/* if we're forking a csh, we want to slightly muck the args */
289	if (iscsh == UNSET) {
290		p = strrchr(shell, '/');
291		if (p)
292			++p;
293		else
294			p = shell;
295		iscsh = strcmp(p, "csh") ? (strcmp(p, "tcsh") ? NO : YES) : YES;
296	}
297	setpriority(PRIO_PROCESS, 0, prio);
298
299	/*
300	 * PAM modules might add supplementary groups in pam_setcred(), so
301	 * initialize them first.
302	 */
303	if (setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETGROUP) < 0)
304		err(1, "setusercontext");
305
306	retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED);
307	if (retcode != PAM_SUCCESS)
308		syslog(LOG_ERR, "pam_setcred(pamh, PAM_ESTABLISH_CRED): %s",
309		    pam_strerror(pamh, retcode));
310	else
311		creds_set = 1;
312
313	/*
314	 * We must fork() before setuid() because we need to call
315	 * pam_setcred(pamh, PAM_DELETE_CRED) as root.
316	 */
317	sa.sa_flags = SA_RESTART;
318	sa.__sigaction_u.__sa_handler = SIG_IGN;
319	sigemptyset(&sa.sa_mask);
320	sigaction(SIGINT, &sa, &sa_int);
321	sigaction(SIGQUIT, &sa, &sa_quit);
322	sigaction(SIGTSTP, &sa, &sa_tstp);
323
324	statusp = 1;
325	child_pid = fork();
326	switch (child_pid) {
327	default:
328		while ((ret_pid = waitpid(child_pid, &statusp, WUNTRACED)) != -1) {
329			if (WIFSTOPPED(statusp)) {
330				kill(getpid(), SIGSTOP);
331				child_pgrp = getpgid(child_pid);
332				if (tcgetpgrp(1) == getpgrp()) {
333					tcsetpgrp(1, child_pgrp);
334					kill(child_pid, SIGCONT);
335				}
336				statusp = 1;
337				continue;
338			}
339			break;
340		}
341		if (ret_pid == -1)
342			err(1, "waitpid");
343		PAM_END();
344		exit(statusp);
345	case -1:
346		err(1, "fork");
347		PAM_END();
348		exit(1);
349	case 0:
350		sigaction(SIGINT, &sa_int, NULL);
351		sigaction(SIGQUIT, &sa_quit, NULL);
352		sigaction(SIGTSTP, &sa_tstp, NULL);
353		/*
354		 * Set all user context except for: Environmental variables
355		 * Umask Login records (wtmp, etc) Path
356		 */
357		setwhat = LOGIN_SETALL & ~(LOGIN_SETENV | LOGIN_SETUMASK |
358			   LOGIN_SETLOGIN | LOGIN_SETPATH | LOGIN_SETGROUP);
359		/*
360		 * Don't touch resource/priority settings if -m has been used
361		 * or -l and -c hasn't, and we're not su'ing to root.
362		 */
363		if ((asme || (!asthem && class == NULL)) && pwd->pw_uid)
364			setwhat &= ~(LOGIN_SETPRIORITY | LOGIN_SETRESOURCES);
365		if (setusercontext(lc, pwd, pwd->pw_uid, setwhat) < 0)
366			err(1, "setusercontext");
367
368		if (!asme) {
369			if (asthem) {
370				p = getenv("TERM");
371				environ = &cleanenv;
372
373				/*
374				 * Add any environmental variables that the
375				 * PAM modules may have set.
376				 */
377				environ_pam = pam_getenvlist(pamh);
378				if (environ_pam)
379					export_pam_environment();
380
381				/* set the su'd user's environment & umask */
382				setusercontext(lc, pwd, pwd->pw_uid,
383					LOGIN_SETPATH | LOGIN_SETUMASK |
384					LOGIN_SETENV);
385				if (p)
386					setenv("TERM", p, 1);
387				if (chdir(pwd->pw_dir) < 0)
388					errx(1, "no directory");
389			}
390			if (asthem || pwd->pw_uid)
391				setenv("USER", pwd->pw_name, 1);
392			setenv("HOME", pwd->pw_dir, 1);
393			setenv("SHELL", shell, 1);
394		}
395		login_close(lc);
396
397		if (iscsh == YES) {
398			if (fastlogin)
399				*np.a-- = "-f";
400			if (asme)
401				*np.a-- = "-m";
402		}
403		/* csh strips the first character... */
404		*np.a = asthem ? "-su" : iscsh == YES ? "_su" : "su";
405
406		if (ruid != 0)
407			syslog(LOG_NOTICE, "%s to %s%s", username, user,
408			    ontty());
409
410		execv(shell, np.b);
411		err(1, "%s", shell);
412	}
413}
414
415static int
416export_pam_environment(void)
417{
418	char	**pp;
419
420	for (pp = environ_pam; *pp != NULL; pp++) {
421		if (ok_to_export(*pp))
422			putenv(*pp);
423		free(*pp);
424	}
425	return PAM_SUCCESS;
426}
427
428/*
429 * Sanity checks on PAM environmental variables:
430 * - Make sure there is an '=' in the string.
431 * - Make sure the string doesn't run on too long.
432 * - Do not export certain variables.  This list was taken from the
433 *   Solaris pam_putenv(3) man page.
434 */
435static int
436ok_to_export(const char *s)
437{
438	static const char *noexport[] = {
439		"SHELL", "HOME", "LOGNAME", "MAIL", "CDPATH",
440		"IFS", "PATH", NULL
441	};
442	const char **pp;
443	size_t n;
444
445	if (strlen(s) > 1024 || strchr(s, '=') == NULL)
446		return 0;
447	if (strncmp(s, "LD_", 3) == 0)
448		return 0;
449	for (pp = noexport; *pp != NULL; pp++) {
450		n = strlen(*pp);
451		if (s[n] == '=' && strncmp(s, *pp, n) == 0)
452			return 0;
453	}
454	return 1;
455}
456
457static void
458usage(void)
459{
460
461	fprintf(stderr, "usage: su [-] [-flm] [-c class] [login [args]]\n");
462	exit(1);
463}
464
465static int
466chshell(char *sh)
467{
468	int r;
469	char *cp;
470
471	r = 0;
472	setusershell();
473	do {
474		cp = getusershell();
475		r = strcmp(cp, sh);
476	} while (!r && cp != NULL);
477	endusershell();
478	return r;
479}
480
481static char *
482ontty(void)
483{
484	char *p;
485	static char buf[MAXPATHLEN + 4];
486
487	buf[0] = 0;
488	p = ttyname(STDERR_FILENO);
489	if (p)
490		snprintf(buf, sizeof(buf), " on %s", p);
491	return buf;
492}
493