2 * Copyright (c) 1999 - 2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of KTH nor the names of its contributors may be
18 * used to endorse or promote products derived from this software without
19 * specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
22 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
24 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
25 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
26 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
27 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
28 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
29 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
30 * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
31 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
39 RCSID("$Id: su.c 21988 2007-10-19 05:36:54Z lha $");
60 #include "crypto-headers.h"
74 int kerberos_flag = 1;
78 char *kerberos_instance = "root";
84 struct getargs args[] = {
85 { "kerberos", 'K', arg_negative_flag, &kerberos_flag,
86 "don't use kerberos" },
87 { NULL, 'f', arg_flag, &csh_f_flag,
88 "don't read .cshrc" },
89 { "full", 'l', arg_flag, &full_login,
90 "simulate full login" },
91 { NULL, 'm', arg_flag, &env_flag,
92 "leave environment unmodified" },
93 { "instance", 'i', arg_string, &kerberos_instance,
94 "root instance to use" },
95 { "command", 'c', arg_string, &cmd,
96 "command to execute" },
97 { "help", 'h', arg_flag, &help_flag },
98 { "version", 0, arg_flag, &version_flag },
105 arg_printusage (args,
106 sizeof(args)/sizeof(*args),
108 "[login [shell arguments]]");
113 free_info(struct passwd *p)
122 static struct passwd*
123 dup_info(const struct passwd *pwd)
127 info = malloc(sizeof(*info));
130 info->pw_name = strdup(pwd->pw_name);
131 info->pw_passwd = strdup(pwd->pw_passwd);
132 info->pw_uid = pwd->pw_uid;
133 info->pw_gid = pwd->pw_gid;
134 info->pw_dir = strdup(pwd->pw_dir);
135 info->pw_shell = strdup(pwd->pw_shell);
136 if(info->pw_name == NULL || info->pw_passwd == NULL ||
137 info->pw_dir == NULL || info->pw_shell == NULL) {
144 #if defined(KRB4) || defined(KRB5)
149 #define TKT_ROOT "/tmp/tkt"
154 snprintf(tkfile, sizeof(tkfile), "%s_XXXXXX", TKT_ROOT);
155 fd = mkstemp(tkfile);
159 krb_set_tkt_string(tkfile);
165 static krb5_context context;
166 static krb5_ccache ccache;
169 krb5_verify(const struct passwd *login_info,
170 const struct passwd *su_info,
171 const char *kerberos_instance)
175 krb5_realm *realms, *r;
176 char *login_name = NULL;
179 #if defined(HAVE_GETLOGIN) && !defined(POSIX_GETLOGIN)
180 login_name = getlogin();
182 ret = krb5_init_context (&context);
185 warnx("krb5_init_context failed: %d", ret);
190 ret = krb5_get_default_realms(context, &realms);
194 /* Check all local realms */
195 for (r = realms; *r != NULL && !user_ok; r++) {
197 if (login_name == NULL || strcmp (login_name, "root") == 0)
198 login_name = login_info->pw_name;
199 if (strcmp (su_info->pw_name, "root") == 0)
200 ret = krb5_make_principal(context, &p, *r,
205 ret = krb5_make_principal(context, &p, *r,
209 krb5_free_host_realm(context, realms);
213 /* if we are su-ing too root, check with krb5_kuserok */
214 if (su_info->pw_uid == 0 && !krb5_kuserok(context, p, su_info->pw_name))
217 ret = krb5_cc_gen_new(context, &krb5_mcc_ops, &ccache);
219 krb5_free_host_realm(context, realms);
220 krb5_free_principal (context, p);
223 ret = krb5_verify_user(context, p, ccache, NULL, TRUE, NULL);
224 krb5_free_principal (context, p);
229 case KRB5_LIBOS_PWDINTR :
230 krb5_cc_destroy(context, ccache);
232 case KRB5KRB_AP_ERR_BAD_INTEGRITY:
233 case KRB5KRB_AP_ERR_MODIFIED:
234 krb5_cc_destroy(context, ccache);
235 krb5_warnx(context, "Password incorrect");
238 krb5_cc_destroy(context, ccache);
239 krb5_warn(context, ret, "krb5_verify_user");
243 krb5_free_host_realm(context, realms);
250 krb5_start_session(void)
256 ret = krb5_cc_gen_new(context, &krb5_fcc_ops, &ccache2);
258 krb5_cc_destroy(context, ccache);
262 ret = krb5_cc_copy_cache(context, ccache, ccache2);
264 ret = asprintf(&cc_name, "%s:%s", krb5_cc_get_type(context, ccache2),
265 krb5_cc_get_name(context, ccache2));
267 errx(1, "malloc - out of memory");
268 esetenv("KRB5CCNAME", cc_name, 1);
270 /* we want to export this even if we don't directly support KRB4 */
272 esetenv("KRBTKFILE", tkfile, 1);
277 krb5_afslog(context, ccache2, NULL, NULL);
280 krb5_cc_close(context, ccache2);
281 krb5_cc_destroy(context, ccache);
289 krb_verify(const struct passwd *login_info,
290 const struct passwd *su_info,
291 const char *kerberos_instance)
294 char *login_name = NULL;
295 char *name, *instance, realm[REALM_SZ];
297 #if defined(HAVE_GETLOGIN) && !defined(POSIX_GETLOGIN)
298 login_name = getlogin();
301 ret = krb_get_lrealm(realm, 1);
303 if (login_name == NULL || strcmp (login_name, "root") == 0)
304 login_name = login_info->pw_name;
305 if (strcmp (su_info->pw_name, "root") == 0) {
307 instance = (char*)kerberos_instance;
309 name = su_info->pw_name;
313 if(su_info->pw_uid != 0 ||
314 krb_kuserok(name, instance, realm, su_info->pw_name) == 0) {
317 ret = asprintf (&prompt,
319 krb_unparse_name_long (name, instance, realm));
322 if (UI_UTIL_read_pw_string (password, sizeof (password), prompt, 0)) {
323 memset (password, 0, sizeof (password));
328 if (strlen(password) == 0)
329 return (1); /* Empty passwords are not allowed */
331 setuid(geteuid()); /* need to run as root here */
332 ret = krb_verify_user(name, instance, realm, password,
333 KRB_VERIFY_SECURE, NULL);
334 memset(password, 0, sizeof(password));
337 warnx("%s", krb_get_err_text(ret));
340 chown (tkt_string(), su_info->pw_uid, su_info->pw_gid);
348 krb_start_session(void)
350 esetenv("KRBTKFILE", tkfile, 1);
353 if(k_hasafs() && k_setpag() == 0)
354 krb_afslog(NULL, NULL);
360 #define GROUP_MEMBER 0
361 #define GROUP_MISSING 1
362 #define GROUP_EMPTY 2
363 #define GROUP_NOT_MEMBER 3
366 group_member_p(const char *group, const char *user)
372 return GROUP_MISSING;
373 if(g->gr_mem[0] == NULL)
375 for(i = 0; g->gr_mem[i] != NULL; i++)
376 if(strcmp(user, g->gr_mem[i]) == 0)
378 return GROUP_NOT_MEMBER;
382 verify_unix(struct passwd *login, struct passwd *su)
388 if(su->pw_passwd != NULL && *su->pw_passwd != '\0') {
389 snprintf(prompt, sizeof(prompt), "%s's password: ", su->pw_name);
390 r = UI_UTIL_read_pw_string(pw_buf, sizeof(pw_buf), prompt, 0);
393 pw = crypt(pw_buf, su->pw_passwd);
394 memset(pw_buf, 0, sizeof(pw_buf));
395 if(strcmp(pw, su->pw_passwd) != 0) {
396 syslog (LOG_ERR | LOG_AUTH, "%s to %s: incorrect password",
397 login->pw_name, su->pw_name);
401 /* if su:ing to root, check membership of group wheel or root; if
402 that group doesn't exist, or is empty, allow anyone to su
404 if(su->pw_uid == 0) {
406 #define ROOT_GROUP "wheel"
408 int gs = group_member_p(ROOT_GROUP, login->pw_name);
409 if(gs == GROUP_NOT_MEMBER) {
410 syslog (LOG_ERR | LOG_AUTH, "%s to %s: not in group %s",
411 login->pw_name, su->pw_name, ROOT_GROUP);
420 main(int argc, char **argv)
424 struct passwd *su_info;
425 struct passwd *login_info;
432 int kerberos_error=1;
434 setprogname (argv[0]);
436 if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optind))
439 for (i=0; i < optind; i++)
440 if (strcmp(argv[i], "-") == 0) {
454 su_user = argv[optind++];
456 if (!issuid() && getuid() != 0)
457 warnx("Not setuid and you are root, expect this to fail");
459 pwd = k_getpwnam(su_user);
461 errx (1, "unknown login %s", su_user);
462 if (pwd->pw_uid == 0 && strcmp ("root", su_user) != 0) {
463 syslog (LOG_ALERT, "NIS attack, user %s has uid 0", su_user);
464 errx (1, "unknown login %s", su_user);
466 su_info = dup_info(pwd);
468 errx (1, "malloc: out of memory");
470 pwd = getpwuid(getuid());
472 errx(1, "who are you?");
473 login_info = dup_info(pwd);
474 if (login_info == NULL)
475 errx (1, "malloc: out of memory");
477 shell = login_info->pw_shell;
479 shell = su_info->pw_shell;
480 if(shell == NULL || *shell == '\0')
481 shell = _PATH_BSHELL;
485 if(kerberos_flag && ok == 0 &&
486 (kerberos_error=krb5_verify(login_info, su_info, kerberos_instance)) == 0)
490 if(kerberos_flag && ok == 0 &&
491 (kerberos_error = krb_verify(login_info, su_info, kerberos_instance)) == 0)
495 if(ok == 0 && login_info->pw_uid && verify_unix(login_info, su_info) != 0) {
504 sp = getspnam(su_info->pw_name);
506 today = time(0)/(24L * 60 * 60);
507 if (sp->sp_expire > 0) {
508 if (today >= sp->sp_expire) {
509 if (login_info->pw_uid)
510 errx(1,"Your account has expired.");
512 printf("Your account has expired.");
514 else if (sp->sp_expire - today < 14)
515 printf("Your account will expire in %d days.\n",
516 (int)(sp->sp_expire - today));
518 if (sp->sp_max > 0) {
519 if (today >= sp->sp_lstchg + sp->sp_max) {
520 if (login_info->pw_uid)
521 errx(1,"Your password has expired. Choose a new one.");
523 printf("Your password has expired. Choose a new one.");
525 else if (today >= sp->sp_lstchg + sp->sp_max - sp->sp_warn)
526 printf("Your account will expire in %d days.\n",
527 (int)(sp->sp_lstchg + sp->sp_max -today));
533 char *tty = ttyname (STDERR_FILENO);
534 syslog (LOG_NOTICE | LOG_AUTH, tty ? "%s to %s on %s" : "%s to %s",
535 login_info->pw_name, su_info->pw_name, tty);
541 char *t = getenv ("TERM");
542 char **newenv = NULL;
545 i = read_environment(_PATH_ETC_ENVIRONMENT, &newenv);
547 environ = malloc ((10 + i) * sizeof (char *));
552 for (j = 0; j < i; j++) {
553 char *p = strchr(newenv[j], '=');
555 esetenv (newenv[j], p, 1);
559 esetenv ("PATH", _PATH_DEFPATH, 1);
561 esetenv ("TERM", t, 1);
562 if (chdir (su_info->pw_dir) < 0)
563 errx (1, "no directory");
565 if (full_login || su_info->pw_uid)
566 esetenv ("USER", su_info->pw_name, 1);
567 esetenv("HOME", su_info->pw_dir, 1);
568 esetenv("SHELL", shell, 1);
576 p = strrchr(shell, '/');
582 if (strcmp(p, "csh") != 0)
585 args = malloc(((cmd ? 2 : 0) + 1 + argc - optind + 1 + csh_f_flag) * sizeof(*args));
590 if (asprintf(&args[i++], "-%s", p) == -1)
602 for (argv += optind; *argv; ++argv)
606 if(setgid(su_info->pw_gid) < 0)
608 if (initgroups (su_info->pw_name, su_info->pw_gid) < 0)
609 err (1, "initgroups");
610 if(setuid(su_info->pw_uid) < 0
611 || (su_info->pw_uid != 0 && setuid(0) == 0))
616 krb5_start_session();