su.c revision 101446
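/*
 * Copyright (c) 1988, 1993, 1994
 *	The Regents of the University of California.  All rights reserved.
 * Copyright (c) 2002 Networks Associates Technologies, Inc.
 * All rights reserved.
 *
 * Portions of this software were developed for the FreeBSD Project by
 * ThinkSec AS and NAI Labs, the Security Research Division of Network
 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
 * ("CBOSS"), as part of the DARPA CHATS research program.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *	This product includes software developed by the University of
 *	California, Berkeley and its contributors.
 * 4. Neither the name of the University nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#ifndef lint
static const char copyright[] =
"@(#) Copyright (c) 1988, 1993, 1994\n\
	The Regents of the University of California.  All rights reserved.\n";
#endif /* not lint */

#ifndef lint
#if 0
static char sccsid[] = "@(#)su.c	8.3 (Berkeley) 4/2/94";
#endif
static const char rcsid[] =
  "$FreeBSD: head/usr.bin/su/su.c 101446 2002-08-07 05:44:50Z ache $";
#endif /* not lint */

#include <sys/param.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <sys/wait.h>

#include <err.h>
#include <errno.h>
#include <grp.h>
#include <libutil.h>
#include <login_cap.h>
#include <paths.h>
#include <pwd.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

#include <security/pam_appl.h>
#include <security/openpam.h>

/*
 * Tear down the PAM session: drop the credentials established with
 * PAM_ESTABLISH_CRED (only if that step actually succeeded, see
 * creds_set) and end the transaction.  Failures are logged but not
 * fatal, since we are on the way out anyway.  Must run as root, which
 * is why the parent keeps its privileges across the fork below.
 */
#define PAM_END() do {							\
	int local_ret;							\
	if (pamh != NULL && creds_set) {				\
		local_ret = pam_setcred(pamh, PAM_DELETE_CRED);		\
		if (local_ret != PAM_SUCCESS)				\
			syslog(LOG_ERR, "pam_setcred: %s",		\
			    pam_strerror(pamh, local_ret));		\
		local_ret = pam_end(pamh, local_ret);			\
		if (local_ret != PAM_SUCCESS)				\
			syslog(LOG_ERR, "pam_end: %s",			\
			    pam_strerror(pamh, local_ret));		\
	}								\
} while (0)


/*
 * Set a PAM item; a failure here is fatal because the item (RUSER, TTY)
 * feeds the authentication decision and the audit trail.
 */
#define PAM_SET_ITEM(what, item) do {					\
	int local_ret;							\
	local_ret = pam_set_item(pamh, what, item);			\
	if (local_ret != PAM_SUCCESS) {					\
		syslog(LOG_ERR, "pam_set_item(" #what "): %s",		\
		    pam_strerror(pamh, local_ret));			\
		errx(1, "pam_set_item(" #what "): %s",			\
		    pam_strerror(pamh, local_ret));			\
	}								\
} while (0)

/* Three-valued flag: "not decided yet" / yes / no. */
enum tristate { UNSET, YES, NO };

static pam_handle_t *pamh = NULL;	/* PAM transaction handle */
static int creds_set = 0;		/* PAM_ESTABLISH_CRED succeeded */
static char **environ_pam;		/* environment from pam_getenvlist() */

static char *ontty(void);
static int chshell(const char *);
static void usage(void);
static int export_pam_environment(void);
static int ok_to_export(const char *);

extern char **environ;

/*
 * su: authenticate via PAM as the target user (default root), then run
 * that user's shell (or the invoker's with -m) with the appropriate
 * login context.  The parent stays privileged so it can delete the PAM
 * credentials once the child shell exits; the child drops to the target
 * user and execs the shell.
 */
int
main(int argc, char *argv[])
{
	struct passwd *pwd;
	struct pam_conv conv = { openpam_ttyconv, NULL };
	enum tristate iscsh;
	login_cap_t *lc;
	union {
		const char **a;
		char * const *b;
	} np;
	uid_t ruid;
	pid_t child_pid, child_pgrp, ret_pid;
	int asme, ch, asthem, fastlogin, prio, i, setwhat, retcode,
	    statusp;
	char *username, *cleanenv, *class, shellbuf[MAXPATHLEN];
	const char *p, *user, *shell, *mytty, **nargv;

	struct sigaction sa, sa_int, sa_quit, sa_tstp;

	shell = class = cleanenv = NULL;
	asme = asthem = fastlogin = statusp = 0;
	user = "root";
	iscsh = UNSET;

	while ((ch = getopt(argc, argv, "-flmc:")) != -1)
		switch ((char)ch) {
		case 'f':
			fastlogin = 1;
			break;
		case '-':
		case 'l':
			/* full login: clean environment, target's context */
			asme = 0;
			asthem = 1;
			break;
		case 'm':
			/* keep the invoker's environment and shell */
			asme = 1;
			asthem = 0;
			break;
		case 'c':
			class = optarg;
			break;
		case '?':
		default:
			usage();
		}

	if (optind < argc)
		user = argv[optind++];

	if (user == NULL)
		usage();

	if (strlen(user) > MAXLOGNAME - 1)
		errx(1, "username too long");

	/*
	 * Build the shell's argv: up to three leading slots for "su"/"-su",
	 * "-m" and "-f", then the remaining user-supplied arguments, then
	 * the terminating NULL (argv[argc]).  np.a walks backwards from
	 * the first copied argument as the leading slots are filled.
	 */
	nargv = malloc(sizeof(char *) * (argc + 4));
	if (nargv == NULL)
		errx(1, "malloc failure");

	nargv[argc + 3] = NULL;
	for (i = argc; i >= optind; i--)
		nargv[i + 3] = argv[i];
	np.a = &nargv[i + 3];

	argv += optind;

	/* remember our priority so it can be restored after authentication */
	errno = 0;
	prio = getpriority(PRIO_PROCESS, 0);
	if (errno)
		prio = 0;

	/* run the password prompt at a slightly raised priority */
	setpriority(PRIO_PROCESS, 0, -2);
	openlog("su", LOG_CONS, LOG_AUTH);

	/*
	 * Get the current login name and real uid.  getlogin() may return
	 * NULL or a name that does not match the real uid (shared ttys,
	 * renamed accounts); in that case the uid is authoritative.
	 */
	ruid = getuid();
	username = getlogin();
	pwd = username != NULL ? getpwnam(username) : NULL;
	if (pwd == NULL || pwd->pw_uid != ruid)
		pwd = getpwuid(ruid);
	if (pwd == NULL)
		errx(1, "who are you?");

	username = strdup(pwd->pw_name);
	if (username == NULL)
		err(1, "strdup failure");

	if (asme) {
		if (pwd->pw_shell != NULL && *pwd->pw_shell != '\0') {
			/* must copy - pwd memory is recycled by later getpw*() */
			shell = strncpy(shellbuf, pwd->pw_shell,
			    sizeof(shellbuf));
			shellbuf[sizeof(shellbuf) - 1] = '\0';
		}
		else {
			shell = _PATH_BSHELL;
			iscsh = NO;
		}
	}

	/* Do the whole PAM startup thing */
	retcode = pam_start("su", user, &conv, &pamh);
	if (retcode != PAM_SUCCESS) {
		syslog(LOG_ERR, "pam_start: %s", pam_strerror(pamh, retcode));
		errx(1, "pam_start: %s", pam_strerror(pamh, retcode));
	}

	/*
	 * The requesting user is the name resolved from the real uid above,
	 * never a possibly-NULL getlogin() result.
	 */
	PAM_SET_ITEM(PAM_RUSER, username);

	mytty = ttyname(STDERR_FILENO);
	if (!mytty)
		mytty = "tty";
	PAM_SET_ITEM(PAM_TTY, mytty);

	retcode = pam_authenticate(pamh, 0);
	if (retcode != PAM_SUCCESS) {
		syslog(LOG_ERR, "pam_authenticate: %s",
		    pam_strerror(pamh, retcode));
		errx(1, "Sorry");
	}
	/* a module may have mapped the requested user to another account */
	retcode = pam_get_item(pamh, PAM_USER, (const void **)&p);
	if (retcode == PAM_SUCCESS)
		user = p;
	else
		syslog(LOG_ERR, "pam_get_item(PAM_USER): %s",
		    pam_strerror(pamh, retcode));

	retcode = pam_acct_mgmt(pamh, 0);
	if (retcode == PAM_NEW_AUTHTOK_REQD) {
		retcode = pam_chauthtok(pamh,
			PAM_CHANGE_EXPIRED_AUTHTOK);
		if (retcode != PAM_SUCCESS) {
			syslog(LOG_ERR, "pam_chauthtok: %s",
			    pam_strerror(pamh, retcode));
			errx(1, "Sorry");
		}
	}
	if (retcode != PAM_SUCCESS) {
		syslog(LOG_ERR, "pam_acct_mgmt: %s",
		    pam_strerror(pamh, retcode));
		errx(1, "Sorry");
	}

	/* get target login information, default to root */
	pwd = getpwnam(user);
	if (pwd == NULL)
		errx(1, "unknown login: %s", user);
	if (class == NULL)
		lc = login_getpwclass(pwd);
	else {
		if (ruid != 0)
			errx(1, "only root may use -c");
		lc = login_getclass(class);
		if (lc == NULL)
			errx(1, "unknown class: %s", class);
	}

	/*
	 * With -m the invoker keeps their own shell.  If the target account
	 * has a non-standard (e.g. restricted) shell, only root may bypass
	 * it this way; everyone else is refused.
	 */
	if (asme) {
		if (ruid != 0 && !chshell(pwd->pw_shell))
			errx(1, "permission denied (shell).");
	}
	else if (pwd->pw_shell && *pwd->pw_shell) {
		shell = pwd->pw_shell;
		iscsh = UNSET;
	}
	else {
		shell = _PATH_BSHELL;
		iscsh = NO;
	}

	/* if we're forking a csh, we want to slightly muck the args */
	if (iscsh == UNSET) {
		p = strrchr(shell, '/');
		if (p)
			++p;
		else
			p = shell;
		iscsh = strcmp(p, "csh") ? (strcmp(p, "tcsh") ? NO : YES) : YES;
	}
	setpriority(PRIO_PROCESS, 0, prio);

	/*
	 * PAM modules might add supplementary groups in pam_setcred(), so
	 * initialize them first.
	 */
	if (setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETGROUP) < 0)
		err(1, "setusercontext");

	retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED);
	if (retcode != PAM_SUCCESS)
		syslog(LOG_ERR, "pam_setcred(pamh, PAM_ESTABLISH_CRED): %s",
		    pam_strerror(pamh, retcode));
	else
		creds_set = 1;

	/*
	 * We must fork() before setuid() because we need to call
	 * pam_setcred(pamh, PAM_DELETE_CRED) as root.
	 * The parent ignores the job-control signals while it waits so
	 * that they reach the shell, not su.
	 */
	sa.sa_flags = SA_RESTART;
	sa.sa_handler = SIG_IGN;
	sigemptyset(&sa.sa_mask);
	sigaction(SIGINT, &sa, &sa_int);
	sigaction(SIGQUIT, &sa, &sa_quit);
	sigaction(SIGTSTP, &sa, &sa_tstp);

	statusp = 1;
	child_pid = fork();
	switch (child_pid) {
	default:
		while ((ret_pid = waitpid(child_pid, &statusp, WUNTRACED)) != -1) {
			if (WIFSTOPPED(statusp)) {
				/*
				 * The shell stopped: stop ourselves too so
				 * the job as a whole suspends, then hand the
				 * terminal back and resume the shell.
				 */
				child_pgrp = tcgetpgrp(1);
				kill(getpid(), SIGSTOP);
				tcsetpgrp(1, child_pgrp);
				kill(child_pid, SIGCONT);
				statusp = 1;
				continue;
			}
			break;
		}
		if (ret_pid == -1)
			err(1, "waitpid");
		PAM_END();
		/*
		 * statusp is a raw wait(2) status, not an exit code; passing
		 * it straight to exit() would turn a shell that exited 1
		 * into exit(256), which the kernel truncates to 0.  Report
		 * the shell's real exit code, or 128+signal if it was killed.
		 */
		if (WIFEXITED(statusp))
			exit(WEXITSTATUS(statusp));
		exit(WIFSIGNALED(statusp) ? 128 + WTERMSIG(statusp) : 1);
	case -1:
		PAM_END();
		err(1, "fork");
	case 0:
		sigaction(SIGINT, &sa_int, NULL);
		sigaction(SIGQUIT, &sa_quit, NULL);
		sigaction(SIGTSTP, &sa_tstp, NULL);
		/*
		 * Set all user context except for: Environmental variables
		 * Umask Login records (wtmp, etc) Path
		 */
		setwhat = LOGIN_SETALL & ~(LOGIN_SETENV | LOGIN_SETUMASK |
		    LOGIN_SETLOGIN | LOGIN_SETPATH | LOGIN_SETGROUP);
		/*
		 * Don't touch resource/priority settings if -m has been used
		 * or -l and -c hasn't, and we're not su'ing to root.
		 */
		if ((asme || (!asthem && class == NULL)) && pwd->pw_uid)
			setwhat &= ~(LOGIN_SETPRIORITY | LOGIN_SETRESOURCES);
		if (setusercontext(lc, pwd, pwd->pw_uid, setwhat) < 0)
			err(1, "setusercontext");

		if (!asme) {
			if (asthem) {
				/*
				 * Start from an empty environment (cleanenv is
				 * a NULL pointer, i.e. a zero-length list),
				 * keeping only TERM from the caller.
				 */
				p = getenv("TERM");
				environ = &cleanenv;

				/*
				 * Add any environmental variables that the
				 * PAM modules may have set.
				 */
				environ_pam = pam_getenvlist(pamh);
				if (environ_pam)
					export_pam_environment();

				/* set the su'd user's environment & umask */
				setusercontext(lc, pwd, pwd->pw_uid,
				    LOGIN_SETPATH | LOGIN_SETUMASK |
				    LOGIN_SETENV);
				if (p)
					setenv("TERM", p, 1);
				if (chdir(pwd->pw_dir) < 0)
					errx(1, "no directory");
			}
			if (asthem || pwd->pw_uid)
				setenv("USER", pwd->pw_name, 1);
			setenv("HOME", pwd->pw_dir, 1);
			setenv("SHELL", shell, 1);
		}
		login_close(lc);

		if (iscsh == YES) {
			if (fastlogin)
				*np.a-- = "-f";
			if (asme)
				*np.a-- = "-m";
		}
		/* csh strips the first character... */
		*np.a = asthem ? "-su" : iscsh == YES ? "_su" : "su";

		if (ruid != 0)
			syslog(LOG_NOTICE, "%s to %s%s", username, user,
			    ontty());

		execv(shell, np.b);
		err(1, "%s", shell);
		/* NOTREACHED */
	}
}

/*
 * Copy the PAM-supplied environment (environ_pam) into the process
 * environment, skipping anything ok_to_export() rejects.
 *
 * Each string is split at its '=' and handed to setenv(), which copies
 * it, so the pam_getenvlist() strings can be freed here.  (POSIX
 * putenv() stores the caller's pointer rather than copying; freeing a
 * string after putenv() would leave environ pointing at freed memory
 * that the exec'd shell then inherits.)
 */
static int
export_pam_environment(void)
{
	char **pp, *eq;

	for (pp = environ_pam; *pp != NULL; pp++) {
		if (ok_to_export(*pp)) {
			/* ok_to_export() guarantees the '=' is present */
			eq = strchr(*pp, '=');
			*eq = '\0';
			if (setenv(*pp, eq + 1, 1) != 0)
				syslog(LOG_ERR, "setenv(%s): %m", *pp);
		}
		free(*pp);
	}
	free(environ_pam);
	environ_pam = NULL;
	return PAM_SUCCESS;
}

/*
 * Sanity checks on PAM environmental variables:
 * - Make sure there is an '=' in the string.
 * - Make sure the string doesn't run on too long.
 * - Do not export certain variables.  This list was taken from the
 *   Solaris pam_putenv(3) man page.
 *
 * Returns non-zero if the "NAME=value" string s may be exported.
 * This is a deny-list: anything not named here (and not LD_*) passes,
 * so a PAM module is trusted not to set other interpreter-controlling
 * variables.
 */
static int
ok_to_export(const char *s)
{
	static const char *noexport[] = {
	    "SHELL", "HOME", "LOGNAME", "MAIL", "CDPATH",
	    "IFS", "PATH", NULL
	};
	const char **pp;
	size_t n;

	if (strlen(s) > 1024 || strchr(s, '=') == NULL)
		return 0;
	/* dynamic-linker controls must never come from a module */
	if (strncmp(s, "LD_", 3) == 0)
		return 0;
	for (pp = noexport; *pp != NULL; pp++) {
		n = strlen(*pp);
		/* exact name match only: "PATHX=" is not "PATH=" */
		if (s[n] == '=' && strncmp(s, *pp, n) == 0)
			return 0;
	}
	return 1;
}

static void
usage(void)
{

	fprintf(stderr, "usage: su [-] [-flm] [-c class] [login [args]]\n");
	exit(1);
}

/*
 * Return non-zero if sh is listed in /etc/shells (via getusershell(3)),
 * zero otherwise.  Used to decide whether a non-root invoker may use -m
 * against an account whose login shell is non-standard.
 *
 * The loop stops at the first match or at end of list; getusershell()
 * returns NULL at the end, which must be checked before strcmp().
 */
static int
chshell(const char *sh)
{
	const char *cp;
	int found;

	found = 0;
	setusershell();
	while (!found && (cp = getusershell()) != NULL)
		found = (strcmp(cp, sh) == 0);
	endusershell();
	return found;
}

/*
 * Return " on <tty>" for the syslog audit line, or "" when stderr is
 * not a terminal.  The result lives in a static buffer.
 */
static char *
ontty(void)
{
	char *p;
	static char buf[MAXPATHLEN + 4];

	buf[0] = 0;
	p = ttyname(STDERR_FILENO);
	if (p)
		snprintf(buf, sizeof(buf), " on %s", p);
	return buf;
}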