2 * Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of KTH nor the names of its contributors may be
18 * used to endorse or promote products derived from this software without
19 * specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
22 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
24 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
25 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
26 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
27 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
28 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
29 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
30 * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
31 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
35 RCSID("$Id: su.c,v 1.20 2001/02/20 01:44:48 assar Exp $");
53 #ifdef HAVE_OPENSSL_DES_H
54 #include <openssl/des.h>
66 #define _PATH_DEFPATH "/usr/bin:/bin"
70 #define _PATH_BSHELL "/bin/sh"
73 int kerberos_flag = 1;
77 char *kerberos_instance = "root";
82 struct getargs args[] = {
83 { "kerberos", 'K', arg_negative_flag, &kerberos_flag,
84 "don't use kerberos" },
85 { NULL, 'f', arg_flag, &csh_f_flag,
86 "don't read .cshrc" },
87 { "full", 'l', arg_flag, &full_login,
88 "simulate full login" },
89 { NULL, 'm', arg_flag, &env_flag,
90 "leave environment unmodified" },
91 { "instance", 'i', arg_string, &kerberos_instance,
92 "root instance to use" },
93 { "command", 'c', arg_string, &cmd,
94 "command to execute" },
95 { "help", 'h', arg_flag, &help_flag },
96 { "version", 0, arg_flag, &version_flag },
103 arg_printusage (args,
104 sizeof(args)/sizeof(*args),
106 "[login [shell arguments]]");
110 static struct passwd*
111 make_info(struct passwd *pwd)
114 info = malloc(sizeof(*info));
117 info->pw_name = strdup(pwd->pw_name);
118 info->pw_passwd = strdup(pwd->pw_passwd);
119 info->pw_uid = pwd->pw_uid;
120 info->pw_gid = pwd->pw_gid;
121 info->pw_dir = strdup(pwd->pw_dir);
122 info->pw_shell = strdup(pwd->pw_shell);
123 if(info->pw_name == NULL || info->pw_passwd == NULL ||
124 info->pw_dir == NULL || info->pw_shell == NULL)
130 static krb5_context context;
131 static krb5_ccache ccache;
135 krb5_verify(struct passwd *login_info, struct passwd *su_info,
136 const char *kerberos_instance)
142 ret = krb5_init_context (&context);
145 warnx("krb5_init_context failed: %d", ret);
150 if (strcmp (su_info->pw_name, "root") == 0)
151 ret = krb5_make_principal(context, &p, NULL,
156 ret = krb5_make_principal(context, &p, NULL,
162 if(su_info->pw_uid != 0 || krb5_kuserok(context, p, su_info->pw_name)) {
163 ret = krb5_cc_gen_new(context, &krb5_mcc_ops, &ccache);
166 krb5_warn(context, ret, "krb5_cc_gen_new");
168 krb5_free_principal (context, p);
171 ret = krb5_verify_user_lrealm(context, p, ccache, NULL, TRUE, NULL);
172 krb5_free_principal (context, p);
174 krb5_cc_destroy(context, ccache);
176 case KRB5_LIBOS_PWDINTR :
178 case KRB5KRB_AP_ERR_BAD_INTEGRITY:
179 case KRB5KRB_AP_ERR_MODIFIED:
180 krb5_warnx(context, "Password incorrect");
183 krb5_warn(context, ret, "krb5_verify_user");
190 krb5_free_principal (context, p);
197 krb5_start_session(void)
203 ret = krb5_cc_gen_new(context, &krb5_fcc_ops, &ccache2);
205 krb5_cc_destroy(context, ccache);
209 ret = krb5_cc_copy_cache(context, ccache, ccache2);
211 asprintf(&cc_name, "%s:%s", krb5_cc_get_type(context, ccache2),
212 krb5_cc_get_name(context, ccache2));
213 esetenv("KRB5CCNAME", cc_name, 1);
215 /* we want to export this even if we don't directly support KRB4 */
218 #define TKT_ROOT "/tmp/tkt"
222 strlcpy(tkfile, TKT_ROOT, sizeof(tkfile));
223 strlcat(tkfile, "_XXXXXX", sizeof(tkfile));
224 fd = mkstemp(tkfile);
227 esetenv("KRBTKFILE", tkfile, 1);
235 krb5_afslog(context, ccache2, NULL, NULL);
239 krb5_cc_close(context, ccache2);
240 krb5_cc_destroy(context, ccache);
246 verify_unix(struct passwd *su)
252 if(su->pw_passwd != NULL && *su->pw_passwd != '\0') {
253 snprintf(prompt, sizeof(prompt), "%s's password: ", su->pw_name);
254 r = des_read_pw_string(pw_buf, sizeof(pw_buf), prompt, 0);
257 pw = crypt(pw_buf, su->pw_passwd);
258 memset(pw_buf, 0, sizeof(pw_buf));
259 if(strcmp(pw, su->pw_passwd) != 0)
266 main(int argc, char **argv)
270 struct passwd *su_info;
271 char *login_user = NULL;
272 struct passwd *login_info;
279 int kerberos_error=1;
281 setprogname (argv[0]);
283 if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind))
286 for (i=0; i < optind; i++)
287 if (strcmp(argv[i], "-") == 0) {
301 su_user = argv[optind++];
303 pwd = k_getpwnam(su_user);
305 errx (1, "unknown login %s", su_user);
306 if (pwd->pw_uid == 0 && strcmp ("root", su_user) != 0) {
307 syslog (LOG_ALERT, "NIS attack, user %s has uid 0", su_user);
308 errx (1, "unknown login %s", su_user);
310 su_info = make_info(pwd);
312 #if defined(HAVE_GETLOGIN) && !defined(POSIX_GETLOGIN)
313 login_user = getlogin();
315 if(login_user == NULL || (pwd = getpwnam(login_user)) == NULL)
316 pwd = getpwuid(getuid());
318 errx(1, "who are you?");
319 login_info = make_info(pwd);
321 shell = login_info->pw_shell;
323 shell = su_info->pw_shell;
324 if(shell == NULL || *shell == '\0')
325 shell = _PATH_BSHELL;
327 if(kerberos_flag && ok == 0 &&
328 (kerberos_error=krb5_verify(login_info, su_info, kerberos_instance)) == 0)
331 if(ok == 0 && login_info->pw_uid && verify_unix(su_info) != 0) {
340 sp = getspnam(su_info->pw_name);
342 today = time(0)/(24L * 60 * 60);
343 if (sp->sp_expire > 0) {
344 if (today >= sp->sp_expire) {
345 if (login_info->pw_uid)
346 errx(1,"Your account has expired.");
348 printf("Your account has expired.");
350 else if (sp->sp_expire - today < 14)
351 printf("Your account will expire in %d days.\n",
352 (int)(sp->sp_expire - today));
354 if (sp->sp_max > 0) {
355 if (today >= sp->sp_lstchg + sp->sp_max) {
356 if (login_info->pw_uid)
357 errx(1,"Your password has expired. Choose a new one.");
359 printf("Your password has expired. Choose a new one.");
361 else if (today >= sp->sp_lstchg + sp->sp_max - sp->sp_warn)
362 printf("Your account will expire in %d days.\n",
363 (int)(sp->sp_lstchg + sp->sp_max -today));
369 char *tty = ttyname (STDERR_FILENO);
370 syslog (LOG_NOTICE | LOG_AUTH, tty ? "%s to %s" : "%s to %s on %s",
371 login_info->pw_name, su_info->pw_name, tty);
377 char *t = getenv ("TERM");
379 environ = malloc (10 * sizeof (char *));
383 esetenv ("PATH", _PATH_DEFPATH, 1);
385 esetenv ("TERM", t, 1);
386 if (chdir (su_info->pw_dir) < 0)
387 errx (1, "no directory");
389 if (full_login || su_info->pw_uid)
390 esetenv ("USER", su_info->pw_name, 1);
391 esetenv("HOME", su_info->pw_dir, 1);
392 esetenv("SHELL", shell, 1);
400 p = strrchr(shell, '/');
406 if (strcmp(p, "csh") != 0)
409 args = malloc(((cmd ? 2 : 0) + 1 + argc - optind + 1 + csh_f_flag) * sizeof(*args));
414 asprintf(&args[i++], "-%s", p);
425 for (argv += optind; *argv; ++argv)
429 if(setgid(su_info->pw_gid) < 0)
431 if (initgroups (su_info->pw_name, su_info->pw_gid) < 0)
432 err (1, "initgroups");
433 if(setuid(su_info->pw_uid) < 0
434 || (su_info->pw_uid != 0 && setuid(0) == 0))
439 krb5_start_session();