xref: /freebsd/usr.bin/su/su.c (revision 1b6c76a2fe091c74f08427e6c870851025a9cf67) 
1 /*
2  * Copyright (c) 1988, 1993, 1994
3  *	The Regents of the University of California.  All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  * 3. All advertising materials mentioning features or use of this software
14  *    must display the following acknowledgement:
15  *	This product includes software developed by the University of
16  *	California, Berkeley and its contributors.
17  * 4. Neither the name of the University nor the names of its contributors
18  *    may be used to endorse or promote products derived from this software
19  *    without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31  * SUCH DAMAGE.
32  */
33 
34 #ifndef lint
35 static const char copyright[] =
36 "@(#) Copyright (c) 1988, 1993, 1994\n\
37 	The Regents of the University of California.  All rights reserved.\n";
38 #endif /* not lint */
39 
40 #ifndef lint
41 #if 0
42 static char sccsid[] = "@(#)su.c	8.3 (Berkeley) 4/2/94";
43 #endif
44 static const char rcsid[] =
45   "$FreeBSD$";
46 #endif /* not lint */
47 
48 #include <sys/param.h>
49 #include <sys/time.h>
50 #include <sys/resource.h>
51 #include <sys/wait.h>
52 
53 #include <err.h>
54 #include <errno.h>
55 #include <grp.h>
56 #include <libutil.h>
57 #include <login_cap.h>
58 #include <paths.h>
59 #include <pwd.h>
60 #include <signal.h>
61 #include <stdio.h>
62 #include <stdlib.h>
63 #include <string.h>
64 #include <syslog.h>
65 #include <unistd.h>
66 
67 #include <security/pam_appl.h>
68 #include <security/pam_misc.h>
69 
70 #define PAM_END do {						\
71 	int local_ret;						\
72 	if (pamh != NULL && creds_set) {			\
73 		local_ret = pam_setcred(pamh, PAM_DELETE_CRED);	\
74 		if (local_ret != PAM_SUCCESS)			\
75 			syslog(LOG_ERR, "pam_setcred: %s",	\
76 				pam_strerror(pamh, local_ret));	\
77 		local_ret = pam_end(pamh, local_ret);		\
78 		if (local_ret != PAM_SUCCESS)			\
79 			syslog(LOG_ERR, "pam_end: %s",		\
80 				pam_strerror(pamh, local_ret));	\
81 	}							\
82 } while (0)
83 
84 
85 #define PAM_SET_ITEM(what, item) do {				\
86 	int local_ret;						\
87 	local_ret = pam_set_item(pamh, what, item);		\
88 	if (local_ret != PAM_SUCCESS) {				\
89 		syslog(LOG_ERR, "pam_set_item(" #what "): %s",	\
90 			pam_strerror(pamh, local_ret));		\
91 		errx(1, "pam_set_item(" #what "): %s",		\
92 			pam_strerror(pamh, local_ret));		\
93 	}							\
94 } while (0)
95 
96 #define	ARGSTR	"-flmc:"
97 
98 enum tristate { UNSET, YES, NO };
99 
100 static pam_handle_t *pamh = NULL;
101 static int	creds_set = 0;
102 static char	**environ_pam;
103 
104 static char	*ontty(void);
105 static int	chshell(char *);
106 static void	usage(void);
107 static int	export_pam_environment(void);
108 static int	ok_to_export(const char *);
109 
110 extern char	**environ;
111 
112 int
113 main(int argc, char *argv[])
114 {
115 	struct passwd	*pwd;
116 	struct pam_conv	conv = {misc_conv, NULL};
117 	enum tristate	iscsh;
118 	login_cap_t	*lc;
119 	uid_t		ruid;
120 	gid_t		gid;
121 	int		asme, ch, asthem, fastlogin, prio, i, setwhat, retcode,
122 			statusp, child_pid, child_pgrp, ret_pid;
123 	char		*p, *user, *shell, *username, *cleanenv, **nargv, **np,
124 			*class, *mytty, shellbuf[MAXPATHLEN],
125 			myhost[MAXHOSTNAMELEN + 1];
126 
127 	shell = class = cleanenv = NULL;
128 	asme = asthem = fastlogin = statusp = 0;
129 	user = "root";
130 	iscsh = UNSET;
131 
132 	while ((ch = getopt(argc, argv, ARGSTR)) != -1)
133 		switch ((char)ch) {
134 		case 'f':
135 			fastlogin = 1;
136 			break;
137 		case '-':
138 		case 'l':
139 			asme = 0;
140 			asthem = 1;
141 			break;
142 		case 'm':
143 			asme = 1;
144 			asthem = 0;
145 			break;
146 		case 'c':
147 			class = optarg;
148 			break;
149 		case '?':
150 		default:
151 			usage();
152 		}
153 
154 	if (optind < argc)
155 		user = argv[optind++];
156 
157 	if (user == NULL)
158 		usage();
159 
160 	if (strlen(user) > MAXLOGNAME - 1)
161 		errx(1, "username too long");
162 
163 	nargv = malloc(sizeof(char *) * (argc + 4));
164 	if (nargv == NULL)
165 		errx(1, "malloc failure");
166 
167 	nargv[argc + 3] = NULL;
168 	for (i = argc; i >= optind; i--)
169 		nargv[i + 3] = argv[i];
170 	np = &nargv[i + 3];
171 
172 	argv += optind;
173 
174 	errno = 0;
175 	prio = getpriority(PRIO_PROCESS, 0);
176 	if (errno)
177 		prio = 0;
178 
179 	setpriority(PRIO_PROCESS, 0, -2);
180 	openlog("su", LOG_CONS, LOG_AUTH);
181 
182 	/* get current login name, real uid and shell */
183 	ruid = getuid();
184 	username = getlogin();
185 	pwd = getpwnam(username);
186 	if (username == NULL || pwd == NULL || pwd->pw_uid != ruid)
187 		pwd = getpwuid(ruid);
188 	if (pwd == NULL)
189 		errx(1, "who are you?");
190 	gid = pwd->pw_gid;
191 
192 	username = strdup(pwd->pw_name);
193 	if (username == NULL)
194 		err(1, "strdup failure");
195 
196 	if (asme) {
197 		if (pwd->pw_shell != NULL && *pwd->pw_shell != '\0') {
198 			/* must copy - pwd memory is recycled */
199 			shell = strncpy(shellbuf, pwd->pw_shell,
200 			    sizeof(shellbuf));
201 			shellbuf[sizeof(shellbuf) - 1] = '\0';
202 		}
203 		else {
204 			shell = _PATH_BSHELL;
205 			iscsh = NO;
206 		}
207 	}
208 
209 	/* Do the whole PAM startup thing */
210 	retcode = pam_start("su", user, &conv, &pamh);
211 	if (retcode != PAM_SUCCESS) {
212 		syslog(LOG_ERR, "pam_start: %s", pam_strerror(pamh, retcode));
213 		errx(1, "pam_start: %s", pam_strerror(pamh, retcode));
214 	}
215 
216 	gethostname(myhost, sizeof(myhost));
217 	PAM_SET_ITEM(PAM_RHOST, myhost);
218 
219 	mytty = ttyname(STDERR_FILENO);
220 	if (!mytty)
221 		mytty = "tty";
222 	PAM_SET_ITEM(PAM_TTY, mytty);
223 
224 	retcode = pam_authenticate(pamh, 0);
225 	if (retcode != PAM_SUCCESS) {
226 		syslog(LOG_ERR, "pam_authenticate: %s",
227 		    pam_strerror(pamh, retcode));
228 		errx(1, "Sorry");
229 	}
230 	retcode = pam_get_item(pamh, PAM_USER, (const void **)&p);
231 	if (retcode == PAM_SUCCESS)
232 		user = p;
233 	else
234 		syslog(LOG_ERR, "pam_get_item(PAM_USER): %s",
235 		    pam_strerror(pamh, retcode));
236 
237 	retcode = pam_acct_mgmt(pamh, 0);
238 	if (retcode == PAM_NEW_AUTHTOK_REQD) {
239 		retcode = pam_chauthtok(pamh,
240 			PAM_CHANGE_EXPIRED_AUTHTOK);
241 		if (retcode != PAM_SUCCESS) {
242 			syslog(LOG_ERR, "pam_chauthtok: %s",
243 			    pam_strerror(pamh, retcode));
244 			errx(1, "Sorry");
245 		}
246 	}
247 	if (retcode != PAM_SUCCESS) {
248 		syslog(LOG_ERR, "pam_acct_mgmt: %s",
249 			pam_strerror(pamh, retcode));
250 		errx(1, "Sorry");
251 	}
252 
253 	/* get target login information, default to root */
254 	pwd = getpwnam(user);
255 	if (pwd == NULL)
256 		errx(1, "unknown login: %s", user);
257 	if (class == NULL)
258 		lc = login_getpwclass(pwd);
259 	else {
260 		if (ruid != 0)
261 			errx(1, "only root may use -c");
262 		lc = login_getclass(class);
263 		if (lc == NULL)
264 			errx(1, "unknown class: %s", class);
265 	}
266 
267 	/* if asme and non-standard target shell, must be root */
268 	if (asme) {
269 		if (ruid != 0 && !chshell(pwd->pw_shell))
270 			errx(1, "permission denied (shell).");
271 	}
272 	else if (pwd->pw_shell && *pwd->pw_shell) {
273 		shell = pwd->pw_shell;
274 		iscsh = UNSET;
275 	}
276 	else {
277 		shell = _PATH_BSHELL;
278 		iscsh = NO;
279 	}
280 
281 	/* if we're forking a csh, we want to slightly muck the args */
282 	if (iscsh == UNSET) {
283 		p = strrchr(shell, '/');
284 		if (p)
285 			++p;
286 		else
287 			p = shell;
288 		iscsh = strcmp(p, "csh") ? (strcmp(p, "tcsh") ? NO : YES) : YES;
289 	}
290 	setpriority(PRIO_PROCESS, 0, prio);
291 
292 	/*
293 	 * PAM modules might add supplementary groups in pam_setcred(), so
294 	 * initialize them first.
295 	 */
296 	if (setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETGROUP) < 0)
297 		err(1, "setusercontext");
298 
299 	retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED);
300 	if (retcode != PAM_SUCCESS)
301 		syslog(LOG_ERR, "pam_setcred(pamh, PAM_ESTABLISH_CRED): %s",
302 		    pam_strerror(pamh, retcode));
303 	else
304 		creds_set = 1;
305 
306 	/*
307 	 * We must fork() before setuid() because we need to call
308 	 * pam_setcred(pamh, PAM_DELETE_CRED) as root.
309 	 */
310 
311 	statusp = 1;
312 	child_pid = fork();
313 	switch (child_pid) {
314 	default:
315 		while ((ret_pid = waitpid(child_pid, &statusp, WUNTRACED)) != -1) {
316 			if (WIFSTOPPED(statusp)) {
317 				child_pgrp = tcgetpgrp(1);
318 				kill(getpid(), SIGSTOP);
319 				tcsetpgrp(1, child_pgrp);
320 				kill(child_pid, SIGCONT);
321 				statusp = 1;
322 				continue;
323 			}
324 			break;
325 		}
326 		if (ret_pid == -1)
327 			err(1, "waitpid");
328 		PAM_END;
329 		exit(statusp);
330 	case -1:
331 		err(1, "fork");
332 		PAM_END;
333 		exit(1);
334 	case 0:
335 		/*
336 		 * Set all user context except for: Environmental variables
337 		 * Umask Login records (wtmp, etc) Path
338 		 */
339 		setwhat = LOGIN_SETALL & ~(LOGIN_SETENV | LOGIN_SETUMASK |
340 			   LOGIN_SETLOGIN | LOGIN_SETPATH | LOGIN_SETGROUP);
341 		/*
342 		 * Don't touch resource/priority settings if -m has been used
343 		 * or -l and -c hasn't, and we're not su'ing to root.
344 		 */
345 		if ((asme || (!asthem && class == NULL)) && pwd->pw_uid)
346 			setwhat &= ~(LOGIN_SETPRIORITY | LOGIN_SETRESOURCES);
347 		if (setusercontext(lc, pwd, pwd->pw_uid, setwhat) < 0)
348 			err(1, "setusercontext");
349 
350 		if (!asme) {
351 			if (asthem) {
352 				p = getenv("TERM");
353 				environ = &cleanenv;
354 
355 				/*
356 				 * Add any environmental variables that the
357 				 * PAM modules may have set.
358 				 */
359 				environ_pam = pam_getenvlist(pamh);
360 				if (environ_pam)
361 					export_pam_environment();
362 
363 				/* set the su'd user's environment & umask */
364 				setusercontext(lc, pwd, pwd->pw_uid,
365 					LOGIN_SETPATH | LOGIN_SETUMASK |
366 					LOGIN_SETENV);
367 				if (p)
368 					setenv("TERM", p, 1);
369 				if (chdir(pwd->pw_dir) < 0)
370 					errx(1, "no directory");
371 			}
372 			if (asthem || pwd->pw_uid)
373 				setenv("USER", pwd->pw_name, 1);
374 			setenv("HOME", pwd->pw_dir, 1);
375 			setenv("SHELL", shell, 1);
376 		}
377 		login_close(lc);
378 
379 		if (iscsh == YES) {
380 			if (fastlogin)
381 				*np-- = "-f";
382 			if (asme)
383 				*np-- = "-m";
384 		}
385 		/* csh strips the first character... */
386 		*np = asthem ? "-su" : iscsh == YES ? "_su" : "su";
387 
388 		if (ruid != 0)
389 			syslog(LOG_NOTICE, "%s to %s%s", username, user,
390 			    ontty());
391 
392 		execv(shell, np);
393 		err(1, "%s", shell);
394 	}
395 }
396 
397 static int
398 export_pam_environment(void)
399 {
400 	char	**pp;
401 
402 	for (pp = environ_pam; *pp != NULL; pp++) {
403 		if (ok_to_export(*pp))
404 			putenv(*pp);
405 		free(*pp);
406 	}
407 	return PAM_SUCCESS;
408 }
409 
410 /*
411  * Sanity checks on PAM environmental variables:
412  * - Make sure there is an '=' in the string.
413  * - Make sure the string doesn't run on too long.
414  * - Do not export certain variables.  This list was taken from the
415  *   Solaris pam_putenv(3) man page.
416  */
417 static int
418 ok_to_export(const char *s)
419 {
420 	static const char *noexport[] = {
421 		"SHELL", "HOME", "LOGNAME", "MAIL", "CDPATH",
422 		"IFS", "PATH", NULL
423 	};
424 	const char **pp;
425 	size_t n;
426 
427 	if (strlen(s) > 1024 || strchr(s, '=') == NULL)
428 		return 0;
429 	if (strncmp(s, "LD_", 3) == 0)
430 		return 0;
431 	for (pp = noexport; *pp != NULL; pp++) {
432 		n = strlen(*pp);
433 		if (s[n] == '=' && strncmp(s, *pp, n) == 0)
434 			return 0;
435 	}
436 	return 1;
437 }
438 
439 static void
440 usage(void)
441 {
442 	errx(1, "usage: su [%s] [login [args]]", ARGSTR);
443 }
444 
445 static int
446 chshell(char *sh)
447 {
448 	int r;
449 	char *cp;
450 
451 	r = 0;
452 	setusershell();
453 	do {
454 		cp = getusershell();
455 		r = strcmp(cp, sh);
456 	} while (!r && cp != NULL);
457 	endusershell();
458 	return r;
459 }
460 
461 static char *
462 ontty(void)
463 {
464 	char *p;
465 	static char buf[MAXPATHLEN + 4];
466 
467 	buf[0] = 0;
468 	p = ttyname(STDERR_FILENO);
469 	if (p)
470 		snprintf(buf, sizeof(buf), " on %s", p);
471 	return buf;
472 }
473