![[BACK]](/cvsweb/icons/back.gif){kind=icon}
Return to su.c CVS log ![[TXT]](/cvsweb/icons/text.gif){kind=icon}
![[DIR]](/cvsweb/icons/dir.gif){kind=icon}
Up to [CSRG BSD Unix] / 43BSDReno / usr.bin / su|
Return to su.c CVS log | Up to [CSRG BSD Unix] / 43BSDReno / usr.bin / su |
1.1 ! root 1: /* ! 2: * Copyright (c) 1988 The Regents of the University of California. ! 3: * All rights reserved. ! 4: * ! 5: * Redistribution and use in source and binary forms are permitted provided ! 6: * that: (1) source distributions retain this entire copyright notice and ! 7: * comment, and (2) distributions including binaries display the following ! 8: * acknowledgement: ``This product includes software developed by the ! 9: * University of California, Berkeley and its contributors'' in the ! 10: * documentation or other materials provided with the distribution and in ! 11: * all advertising materials mentioning features or use of this software. ! 12: * Neither the name of the University nor the names of its contributors may ! 13: * be used to endorse or promote products derived from this software without ! 14: * specific prior written permission. ! 15: * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED ! 16: * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF ! 17: * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. ! 18: */ ! 19: ! 20: #ifndef lint ! 21: char copyright[] = ! 22: "@(#) Copyright (c) 1988 The Regents of the University of California.\n\ ! 23: All rights reserved.\n"; ! 24: #endif /* not lint */ ! 25: ! 26: #ifndef lint ! 27: static char sccsid[] = "@(#)su.c 5.21 (Berkeley) 6/20/90"; ! 28: #endif /* not lint */ ! 29: ! 30: #include <sys/param.h> ! 31: #include <sys/time.h> ! 32: #include <sys/resource.h> ! 33: #include <syslog.h> ! 34: #include <stdio.h> ! 35: #include <pwd.h> ! 36: #include <grp.h> ! 37: #include <string.h> ! 38: #include <unistd.h> ! 39: #include "pathnames.h" ! 40: ! 41: #ifdef KERBEROS ! 42: #include <kerberosIV/des.h> ! 43: #include <kerberosIV/krb.h> ! 44: #include <netdb.h> ! 45: ! 46: #define ARGSTR "-Kflm" ! 47: ! 48: int use_kerberos = 1; ! 49: #else ! 50: #define ARGSTR "-flm" ! 51: #endif ! 52: ! 53: main(argc, argv) ! 54: int argc; ! 55: char **argv; ! 56: { ! 57: extern char **environ; ! 58: extern int errno, optind; ! 59: register struct passwd *pwd; ! 60: register char *p, **g; ! 61: struct group *gr; ! 62: uid_t ruid, getuid(); ! 63: int asme, ch, asthem, fastlogin, prio; ! 64: enum { UNSET, YES, NO } iscsh = UNSET; ! 65: char *user, *shell, *username, *cleanenv[2], *nargv[4], **np; ! 66: char shellbuf[MAXPATHLEN]; ! 67: char *crypt(), *getpass(), *getenv(), *getlogin(), *mytty(); ! 68: ! 69: np = &nargv[3]; ! 70: *np-- = NULL; ! 71: asme = asthem = fastlogin = 0; ! 72: while ((ch = getopt(argc, argv, ARGSTR)) != EOF) ! 73: switch((char)ch) { ! 74: #ifdef KERBEROS ! 75: case 'K': ! 76: use_kerberos = 0; ! 77: break; ! 78: #endif ! 79: case 'f': ! 80: fastlogin = 1; ! 81: break; ! 82: case '-': ! 83: case 'l': ! 84: asme = 0; ! 85: asthem = 1; ! 86: break; ! 87: case 'm': ! 88: asme = 1; ! 89: asthem = 0; ! 90: break; ! 91: case '?': ! 92: default: ! 93: (void)fprintf(stderr, "usage: su [%s] [login]\n", ! 94: ARGSTR); ! 95: exit(1); ! 96: } ! 97: argv += optind; ! 98: ! 99: errno = 0; ! 100: prio = getpriority(PRIO_PROCESS, 0); ! 101: if (errno) ! 102: prio = 0; ! 103: (void)setpriority(PRIO_PROCESS, 0, -2); ! 104: ! 105: /* get current login name and shell */ ! 106: if ((pwd = getpwuid(ruid = getuid())) == NULL) { ! 107: fprintf(stderr, "su: who are you?\n"); ! 108: exit(1); ! 109: } ! 110: username = strdup(pwd->pw_name); ! 111: if (asme) ! 112: if (pwd->pw_shell && *pwd->pw_shell) ! 113: shell = strcpy(shellbuf, pwd->pw_shell); ! 114: else { ! 115: shell = _PATH_BSHELL; ! 116: iscsh = NO; ! 117: } ! 118: ! 119: /* get target login information, default to root */ ! 120: user = *argv ? *argv : "root"; ! 121: if ((pwd = getpwnam(user)) == NULL) { ! 122: fprintf(stderr, "su: unknown login %s\n", user); ! 123: exit(1); ! 124: } ! 125: ! 126: /* only allow those in group zero to su to root. */ ! 127: if (pwd->pw_uid == 0 && (gr = getgrgid((gid_t)0))) ! 128: for (g = gr->gr_mem;; ++g) { ! 129: if (!*g) { ! 130: (void)fprintf(stderr, ! 131: "su: you are not in the correct group to su %s.\n", user); ! 132: exit(1); ! 133: } ! 134: if (!strcmp(username, *g)) ! 135: break; ! 136: } ! 137: openlog("su", LOG_CONS, 0); ! 138: ! 139: if (ruid) { ! 140: #ifdef KERBEROS ! 141: if (!use_kerberos || kerberos(username, user, pwd->pw_uid)) ! 142: #endif ! 143: /* if target requires a password, verify it */ ! 144: if (*pwd->pw_passwd) { ! 145: p = getpass("Password:"); ! 146: if (strcmp(pwd->pw_passwd, crypt(p, pwd->pw_passwd))) { ! 147: fprintf(stderr, "Sorry\n"); ! 148: syslog(LOG_AUTH|LOG_CRIT, ! 149: "BAD SU %s on %s to %s", username, ! 150: mytty(), user); ! 151: exit(1); ! 152: } ! 153: } ! 154: } ! 155: ! 156: if (asme) { ! 157: /* if asme and non-standard target shell, must be root */ ! 158: if (!chshell(pwd->pw_shell) && ruid) { ! 159: (void)fprintf(stderr, ! 160: "su: permission denied (shell).\n"); ! 161: exit(1); ! 162: } ! 163: } else if (pwd->pw_shell && *pwd->pw_shell) { ! 164: shell = pwd->pw_shell; ! 165: iscsh = UNSET; ! 166: } else { ! 167: shell = _PATH_BSHELL; ! 168: iscsh = NO; ! 169: } ! 170: ! 171: /* if we're forking a csh, we want to slightly muck the args */ ! 172: if (iscsh == UNSET) { ! 173: if (p = rindex(shell, '/')) ! 174: ++p; ! 175: else ! 176: p = shell; ! 177: iscsh = strcmp(p, "csh") ? NO : YES; ! 178: } ! 179: ! 180: /* set permissions */ ! 181: if (setgid(pwd->pw_gid) < 0) { ! 182: perror("su: setgid"); ! 183: exit(1); ! 184: } ! 185: if (initgroups(user, pwd->pw_gid)) { ! 186: (void)fprintf(stderr, "su: initgroups failed.\n"); ! 187: exit(1); ! 188: } ! 189: if (setuid(pwd->pw_uid) < 0) { ! 190: perror("su: setuid"); ! 191: exit(1); ! 192: } ! 193: ! 194: if (!asme) { ! 195: if (asthem) { ! 196: p = getenv("TERM"); ! 197: cleanenv[0] = _PATH_SEARCHPATH; ! 198: cleanenv[1] = NULL; ! 199: environ = cleanenv; ! 200: (void)setenv("TERM", p, 1); ! 201: if (chdir(pwd->pw_dir) < 0) { ! 202: fprintf(stderr, "su: no directory\n"); ! 203: exit(1); ! 204: } ! 205: } ! 206: if (asthem || pwd->pw_uid) ! 207: (void)setenv("USER", pwd->pw_name, 1); ! 208: (void)setenv("HOME", pwd->pw_dir, 1); ! 209: (void)setenv("SHELL", shell, 1); ! 210: } ! 211: ! 212: if (iscsh == YES) { ! 213: if (fastlogin) ! 214: *np-- = "-f"; ! 215: if (asme) ! 216: *np-- = "-m"; ! 217: } ! 218: ! 219: /* csh strips the first character... */ ! 220: *np = asthem ? "-su" : iscsh == YES ? "_su" : "su"; ! 221: ! 222: syslog(LOG_NOTICE|LOG_AUTH, "%s on %s to %s", username, mytty(), user); ! 223: ! 224: (void)setpriority(PRIO_PROCESS, 0, prio); ! 225: ! 226: execv(shell, np); ! 227: (void)fprintf(stderr, "su: %s not found.\n", shell); ! 228: exit(1); ! 229: } ! 230: ! 231: chshell(sh) ! 232: char *sh; ! 233: { ! 234: register char *cp; ! 235: char *getusershell(); ! 236: ! 237: while ((cp = getusershell()) != NULL) ! 238: if (!strcmp(cp, sh)) ! 239: return(1); ! 240: return(0); ! 241: } ! 242: ! 243: char * ! 244: mytty() ! 245: { ! 246: char *p, *ttyname(); ! 247: ! 248: return((p = ttyname(STDERR_FILENO)) ? p : "UNKNOWN TTY"); ! 249: } ! 250: ! 251: #ifdef KERBEROS ! 252: kerberos(username, user, uid) ! 253: char *username, *user; ! 254: int uid; ! 255: { ! 256: extern char *krb_err_txt[]; ! 257: KTEXT_ST ticket; ! 258: AUTH_DAT authdata; ! 259: struct hostent *hp; ! 260: register char *p; ! 261: int kerno; ! 262: u_long faddr; ! 263: char lrealm[REALM_SZ], krbtkfile[MAXPATHLEN]; ! 264: char hostname[MAXHOSTNAMELEN], savehost[MAXHOSTNAMELEN]; ! 265: char *mytty(); ! 266: ! 267: if (krb_get_lrealm(lrealm, 1) != KSUCCESS) { ! 268: (void)fprintf(stderr, "su: couldn't get local realm.\n"); ! 269: return(1); ! 270: } ! 271: if (koktologin(username, lrealm, user) && !uid) { ! 272: (void)fprintf(stderr, "kerberos su: not in %s's ACL.\n", user); ! 273: return(1); ! 274: } ! 275: (void)sprintf(krbtkfile, "%s_%s_%d", TKT_ROOT, user, getuid()); ! 276: ! 277: (void)setenv("KRBTKFILE", krbtkfile, 1); ! 278: if (setuid(0) < 0) { ! 279: perror("su: setuid"); ! 280: return(1); ! 281: } ! 282: (void)unlink(krbtkfile); ! 283: ! 284: /* ! 285: * Little trick here -- if we are su'ing to root, ! 286: * we need to get a ticket for "xxx.root", where xxx represents ! 287: * the name of the person su'ing. Otherwise (non-root case), ! 288: * we need to get a ticket for "yyy.", where yyy represents ! 289: * the name of the person being su'd to, and the instance is null ! 290: * ! 291: * Also: POLICY: short ticket lifetime for root ! 292: */ ! 293: kerno = krb_get_pw_in_tkt((uid == 0 ? username : user), ! 294: (uid == 0 ? "root" : ""), lrealm, ! 295: "krbtgt", lrealm, (uid == 0 ? 2 : DEFAULT_TKT_LIFE), 0); ! 296: ! 297: if (kerno != KSUCCESS) { ! 298: if (kerno == KDC_PR_UNKNOWN) { ! 299: fprintf(stderr, "principal unknown: %s.%s@%s\n", ! 300: (uid == 0 ? username : user), ! 301: (uid == 0 ? "root" : ""), lrealm); ! 302: return(1); ! 303: } ! 304: (void)printf("su: unable to su: %s\n", krb_err_txt[kerno]); ! 305: syslog(LOG_NOTICE|LOG_AUTH, ! 306: "su: BAD Kerberos SU: %s on %s to %s: %s", ! 307: username, mytty(), user, krb_err_txt[kerno]); ! 308: return(1); ! 309: } ! 310: ! 311: if (chown(krbtkfile, uid, -1) < 0) { ! 312: perror("su: chown:"); ! 313: (void)unlink(krbtkfile); ! 314: return(1); ! 315: } ! 316: ! 317: (void)setpriority(PRIO_PROCESS, 0, -2); ! 318: ! 319: if (gethostname(hostname, sizeof(hostname)) == -1) { ! 320: perror("su: hostname"); ! 321: dest_tkt(); ! 322: return(1); ! 323: } ! 324: ! 325: (void)strncpy(savehost, krb_get_phost(hostname), sizeof(savehost)); ! 326: savehost[sizeof(savehost) - 1] = '\0'; ! 327: ! 328: kerno = krb_mk_req(&ticket, "rcmd", savehost, lrealm, 33); ! 329: ! 330: if (kerno == KDC_PR_UNKNOWN) { ! 331: (void)printf("Warning: tgt not verified.\n"); ! 332: syslog(LOG_NOTICE|LOG_AUTH, ! 333: "su: %s on %s to %s, TGT not verified", ! 334: username, mytty(), user); ! 335: } else if (kerno != KSUCCESS) { ! 336: (void)printf("Unable to use TGT: %s\n", krb_err_txt[kerno]); ! 337: syslog(LOG_NOTICE|LOG_AUTH, "su: failed su: %s on %s to %s: %s", ! 338: username, mytty(), user, krb_err_txt[kerno]); ! 339: dest_tkt(); ! 340: return(1); ! 341: } else { ! 342: if (!(hp = gethostbyname(hostname))) { ! 343: (void)printf("su: can't get addr of %s\n", hostname); ! 344: dest_tkt(); ! 345: return(1); ! 346: } ! 347: (void)bcopy((char *)hp->h_addr, (char *)&faddr, sizeof(faddr)); ! 348: ! 349: if ((kerno = krb_rd_req(&ticket, "rcmd", savehost, faddr, ! 350: &authdata, "")) != KSUCCESS) { ! 351: (void)printf("su: unable to verify rcmd ticket: %s\n", ! 352: krb_err_txt[kerno]); ! 353: syslog(LOG_NOTICE|LOG_AUTH, ! 354: "su: failed su: %s on %s to %s: %s", username, ! 355: mytty(), user, krb_err_txt[kerno]); ! 356: dest_tkt(); ! 357: return(1); ! 358: } ! 359: } ! 360: return(0); ! 361: } ! 362: ! 363: koktologin(name, realm, toname) ! 364: char *name, *realm, *toname; ! 365: { ! 366: register AUTH_DAT *kdata; ! 367: AUTH_DAT kdata_st; ! 368: ! 369: kdata = &kdata_st; ! 370: bzero((caddr_t) kdata, sizeof(*kdata)); ! 371: (void)strcpy(kdata->pname, name); ! 372: (void)strcpy(kdata->pinst, ! 373: ((strcmp(toname, "root") == 0) ? "root" : "")); ! 374: (void)strcpy(kdata->prealm, realm); ! 375: return(kuserok(kdata, toname)); ! 376: } ! 377: #endif
This archive runs on limited infrastructure. Preserving old code on modern bandwidth. Automated agents are requested to crawl responsibly.