xref: /freebsd/usr.bin/su/su.c (revision 3ff369fed2a08f32dda232c10470b949bef9489f) 
1 /*
2  * Copyright (c) 1988, 1993, 1994
3  *	The Regents of the University of California.  All rights reserved.
4  * Copyright (c) 2002 Networks Associates Technologies, Inc.
5  * All rights reserved.
6  *
7  * Portions of this software were developed for the FreeBSD Project by
8  * ThinkSec AS and NAI Labs, the Security Research Division of Network
9  * Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
10  * ("CBOSS"), as part of the DARPA CHATS research program.
11  *
12  * Redistribution and use in source and binary forms, with or without
13  * modification, are permitted provided that the following conditions
14  * are met:
15  * 1. Redistributions of source code must retain the above copyright
16  *    notice, this list of conditions and the following disclaimer.
17  * 2. Redistributions in binary form must reproduce the above copyright
18  *    notice, this list of conditions and the following disclaimer in the
19  *    documentation and/or other materials provided with the distribution.
20  * 3. All advertising materials mentioning features or use of this software
21  *    must display the following acknowledgement:
22  *	This product includes software developed by the University of
23  *	California, Berkeley and its contributors.
24  * 4. Neither the name of the University nor the names of its contributors
25  *    may be used to endorse or promote products derived from this software
26  *    without specific prior written permission.
27  *
28  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
29  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
30  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
31  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
32  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
33  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
34  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
35  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
36  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
37  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
38  * SUCH DAMAGE.
39  */
40 
41 #ifndef lint
42 static const char copyright[] =
43 "@(#) Copyright (c) 1988, 1993, 1994\n\
44 	The Regents of the University of California.  All rights reserved.\n";
45 #endif /* not lint */
46 
47 #ifndef lint
48 #if 0
49 static char sccsid[] = "@(#)su.c	8.3 (Berkeley) 4/2/94";
50 #endif
51 static const char rcsid[] =
52   "$FreeBSD$";
53 #endif /* not lint */
54 
55 #include <sys/param.h>
56 #include <sys/time.h>
57 #include <sys/resource.h>
58 #include <sys/wait.h>
59 
60 #include <err.h>
61 #include <errno.h>
62 #include <grp.h>
63 #include <libutil.h>
64 #include <login_cap.h>
65 #include <paths.h>
66 #include <pwd.h>
67 #include <signal.h>
68 #include <stdio.h>
69 #include <stdlib.h>
70 #include <string.h>
71 #include <syslog.h>
72 #include <unistd.h>
73 
74 #include <security/pam_appl.h>
75 #include <security/openpam.h>
76 
77 #define PAM_END() do {						\
78 	int local_ret;						\
79 	if (pamh != NULL && creds_set) {			\
80 		local_ret = pam_setcred(pamh, PAM_DELETE_CRED);	\
81 		if (local_ret != PAM_SUCCESS)			\
82 			syslog(LOG_ERR, "pam_setcred: %s",	\
83 				pam_strerror(pamh, local_ret));	\
84 		local_ret = pam_end(pamh, local_ret);		\
85 		if (local_ret != PAM_SUCCESS)			\
86 			syslog(LOG_ERR, "pam_end: %s",		\
87 				pam_strerror(pamh, local_ret));	\
88 	}							\
89 } while (0)
90 
91 
92 #define PAM_SET_ITEM(what, item) do {				\
93 	int local_ret;						\
94 	local_ret = pam_set_item(pamh, what, item);		\
95 	if (local_ret != PAM_SUCCESS) {				\
96 		syslog(LOG_ERR, "pam_set_item(" #what "): %s",	\
97 			pam_strerror(pamh, local_ret));		\
98 		errx(1, "pam_set_item(" #what "): %s",		\
99 			pam_strerror(pamh, local_ret));		\
100 	}							\
101 } while (0)
102 
103 enum tristate { UNSET, YES, NO };
104 
105 static pam_handle_t *pamh = NULL;
106 static int	creds_set = 0;
107 static char	**environ_pam;
108 
109 static char	*ontty(void);
110 static int	chshell(char *);
111 static void	usage(void);
112 static int	export_pam_environment(void);
113 static int	ok_to_export(const char *);
114 
115 extern char	**environ;
116 
117 int
118 main(int argc, char *argv[])
119 {
120 	struct passwd	*pwd;
121 	struct pam_conv	conv = { openpam_ttyconv, NULL };
122 	enum tristate	iscsh;
123 	login_cap_t	*lc;
124 	union {
125 		const char	**a;
126 		char		* const *b;
127 	}		np;
128 	uid_t		ruid;
129 	gid_t		gid;
130 	int		asme, ch, asthem, fastlogin, prio, i, setwhat, retcode,
131 			statusp, child_pid, child_pgrp, ret_pid;
132 	char		*username, *cleanenv, *class, shellbuf[MAXPATHLEN];
133 	const char	*p, *user, *shell, *mytty, **nargv;
134 
135 	shell = class = cleanenv = NULL;
136 	asme = asthem = fastlogin = statusp = 0;
137 	user = "root";
138 	iscsh = UNSET;
139 
140 	while ((ch = getopt(argc, argv, "-flmc:")) != -1)
141 		switch ((char)ch) {
142 		case 'f':
143 			fastlogin = 1;
144 			break;
145 		case '-':
146 		case 'l':
147 			asme = 0;
148 			asthem = 1;
149 			break;
150 		case 'm':
151 			asme = 1;
152 			asthem = 0;
153 			break;
154 		case 'c':
155 			class = optarg;
156 			break;
157 		case '?':
158 		default:
159 			usage();
160 		}
161 
162 	if (optind < argc)
163 		user = argv[optind++];
164 
165 	if (user == NULL)
166 		usage();
167 
168 	if (strlen(user) > MAXLOGNAME - 1)
169 		errx(1, "username too long");
170 
171 	nargv = malloc(sizeof(char *) * (argc + 4));
172 	if (nargv == NULL)
173 		errx(1, "malloc failure");
174 
175 	nargv[argc + 3] = NULL;
176 	for (i = argc; i >= optind; i--)
177 		nargv[i + 3] = argv[i];
178 	np.a = &nargv[i + 3];
179 
180 	argv += optind;
181 
182 	errno = 0;
183 	prio = getpriority(PRIO_PROCESS, 0);
184 	if (errno)
185 		prio = 0;
186 
187 	setpriority(PRIO_PROCESS, 0, -2);
188 	openlog("su", LOG_CONS, LOG_AUTH);
189 
190 	/* get current login name, real uid and shell */
191 	ruid = getuid();
192 	username = getlogin();
193 	pwd = getpwnam(username);
194 	if (username == NULL || pwd == NULL || pwd->pw_uid != ruid)
195 		pwd = getpwuid(ruid);
196 	if (pwd == NULL)
197 		errx(1, "who are you?");
198 	gid = pwd->pw_gid;
199 
200 	username = strdup(pwd->pw_name);
201 	if (username == NULL)
202 		err(1, "strdup failure");
203 
204 	if (asme) {
205 		if (pwd->pw_shell != NULL && *pwd->pw_shell != '\0') {
206 			/* must copy - pwd memory is recycled */
207 			shell = strncpy(shellbuf, pwd->pw_shell,
208 			    sizeof(shellbuf));
209 			shellbuf[sizeof(shellbuf) - 1] = '\0';
210 		}
211 		else {
212 			shell = _PATH_BSHELL;
213 			iscsh = NO;
214 		}
215 	}
216 
217 	/* Do the whole PAM startup thing */
218 	retcode = pam_start("su", user, &conv, &pamh);
219 	if (retcode != PAM_SUCCESS) {
220 		syslog(LOG_ERR, "pam_start: %s", pam_strerror(pamh, retcode));
221 		errx(1, "pam_start: %s", pam_strerror(pamh, retcode));
222 	}
223 
224 	PAM_SET_ITEM(PAM_RUSER, getlogin());
225 
226 	mytty = ttyname(STDERR_FILENO);
227 	if (!mytty)
228 		mytty = "tty";
229 	PAM_SET_ITEM(PAM_TTY, mytty);
230 
231 	retcode = pam_authenticate(pamh, 0);
232 	if (retcode != PAM_SUCCESS) {
233 		syslog(LOG_ERR, "pam_authenticate: %s",
234 		    pam_strerror(pamh, retcode));
235 		errx(1, "Sorry");
236 	}
237 	retcode = pam_get_item(pamh, PAM_USER, (const void **)&p);
238 	if (retcode == PAM_SUCCESS)
239 		user = p;
240 	else
241 		syslog(LOG_ERR, "pam_get_item(PAM_USER): %s",
242 		    pam_strerror(pamh, retcode));
243 
244 	retcode = pam_acct_mgmt(pamh, 0);
245 	if (retcode == PAM_NEW_AUTHTOK_REQD) {
246 		retcode = pam_chauthtok(pamh,
247 			PAM_CHANGE_EXPIRED_AUTHTOK);
248 		if (retcode != PAM_SUCCESS) {
249 			syslog(LOG_ERR, "pam_chauthtok: %s",
250 			    pam_strerror(pamh, retcode));
251 			errx(1, "Sorry");
252 		}
253 	}
254 	if (retcode != PAM_SUCCESS) {
255 		syslog(LOG_ERR, "pam_acct_mgmt: %s",
256 			pam_strerror(pamh, retcode));
257 		errx(1, "Sorry");
258 	}
259 
260 	/* get target login information, default to root */
261 	pwd = getpwnam(user);
262 	if (pwd == NULL)
263 		errx(1, "unknown login: %s", user);
264 	if (class == NULL)
265 		lc = login_getpwclass(pwd);
266 	else {
267 		if (ruid != 0)
268 			errx(1, "only root may use -c");
269 		lc = login_getclass(class);
270 		if (lc == NULL)
271 			errx(1, "unknown class: %s", class);
272 	}
273 
274 	/* if asme and non-standard target shell, must be root */
275 	if (asme) {
276 		if (ruid != 0 && !chshell(pwd->pw_shell))
277 			errx(1, "permission denied (shell).");
278 	}
279 	else if (pwd->pw_shell && *pwd->pw_shell) {
280 		shell = pwd->pw_shell;
281 		iscsh = UNSET;
282 	}
283 	else {
284 		shell = _PATH_BSHELL;
285 		iscsh = NO;
286 	}
287 
288 	/* if we're forking a csh, we want to slightly muck the args */
289 	if (iscsh == UNSET) {
290 		p = strrchr(shell, '/');
291 		if (p)
292 			++p;
293 		else
294 			p = shell;
295 		iscsh = strcmp(p, "csh") ? (strcmp(p, "tcsh") ? NO : YES) : YES;
296 	}
297 	setpriority(PRIO_PROCESS, 0, prio);
298 
299 	/*
300 	 * PAM modules might add supplementary groups in pam_setcred(), so
301 	 * initialize them first.
302 	 */
303 	if (setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETGROUP) < 0)
304 		err(1, "setusercontext");
305 
306 	retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED);
307 	if (retcode != PAM_SUCCESS)
308 		syslog(LOG_ERR, "pam_setcred(pamh, PAM_ESTABLISH_CRED): %s",
309 		    pam_strerror(pamh, retcode));
310 	else
311 		creds_set = 1;
312 
313 	/*
314 	 * We must fork() before setuid() because we need to call
315 	 * pam_setcred(pamh, PAM_DELETE_CRED) as root.
316 	 */
317 
318 	statusp = 1;
319 	child_pid = fork();
320 	switch (child_pid) {
321 	default:
322 		setpgid(child_pid, child_pid);
323 		tcsetpgrp(1, child_pid);
324 		while ((ret_pid = waitpid(child_pid, &statusp, WUNTRACED)) != -1) {
325 			if (WIFSTOPPED(statusp)) {
326 				child_pgrp = tcgetpgrp(1);
327 				kill(getpid(), SIGSTOP);
328 				tcsetpgrp(1, child_pgrp);
329 				kill(child_pid, SIGCONT);
330 				statusp = 1;
331 				continue;
332 			}
333 			break;
334 		}
335 		if (ret_pid == -1)
336 			err(1, "waitpid");
337 		PAM_END();
338 		exit(statusp);
339 	case -1:
340 		err(1, "fork");
341 		PAM_END();
342 		exit(1);
343 	case 0:
344 		/*
345 		 * Set all user context except for: Environmental variables
346 		 * Umask Login records (wtmp, etc) Path
347 		 */
348 		setwhat = LOGIN_SETALL & ~(LOGIN_SETENV | LOGIN_SETUMASK |
349 			   LOGIN_SETLOGIN | LOGIN_SETPATH | LOGIN_SETGROUP);
350 		/*
351 		 * Don't touch resource/priority settings if -m has been used
352 		 * or -l and -c hasn't, and we're not su'ing to root.
353 		 */
354 		if ((asme || (!asthem && class == NULL)) && pwd->pw_uid)
355 			setwhat &= ~(LOGIN_SETPRIORITY | LOGIN_SETRESOURCES);
356 		if (setusercontext(lc, pwd, pwd->pw_uid, setwhat) < 0)
357 			err(1, "setusercontext");
358 
359 		if (!asme) {
360 			if (asthem) {
361 				p = getenv("TERM");
362 				environ = &cleanenv;
363 
364 				/*
365 				 * Add any environmental variables that the
366 				 * PAM modules may have set.
367 				 */
368 				environ_pam = pam_getenvlist(pamh);
369 				if (environ_pam)
370 					export_pam_environment();
371 
372 				/* set the su'd user's environment & umask */
373 				setusercontext(lc, pwd, pwd->pw_uid,
374 					LOGIN_SETPATH | LOGIN_SETUMASK |
375 					LOGIN_SETENV);
376 				if (p)
377 					setenv("TERM", p, 1);
378 				if (chdir(pwd->pw_dir) < 0)
379 					errx(1, "no directory");
380 			}
381 			if (asthem || pwd->pw_uid)
382 				setenv("USER", pwd->pw_name, 1);
383 			setenv("HOME", pwd->pw_dir, 1);
384 			setenv("SHELL", shell, 1);
385 		}
386 		login_close(lc);
387 
388 		if (iscsh == YES) {
389 			if (fastlogin)
390 				*np.a-- = "-f";
391 			if (asme)
392 				*np.a-- = "-m";
393 		}
394 		/* csh strips the first character... */
395 		*np.a = asthem ? "-su" : iscsh == YES ? "_su" : "su";
396 
397 		if (ruid != 0)
398 			syslog(LOG_NOTICE, "%s to %s%s", username, user,
399 			    ontty());
400 
401 		execv(shell, np.b);
402 		err(1, "%s", shell);
403 	}
404 }
405 
406 static int
407 export_pam_environment(void)
408 {
409 	char	**pp;
410 
411 	for (pp = environ_pam; *pp != NULL; pp++) {
412 		if (ok_to_export(*pp))
413 			putenv(*pp);
414 		free(*pp);
415 	}
416 	return PAM_SUCCESS;
417 }
418 
419 /*
420  * Sanity checks on PAM environmental variables:
421  * - Make sure there is an '=' in the string.
422  * - Make sure the string doesn't run on too long.
423  * - Do not export certain variables.  This list was taken from the
424  *   Solaris pam_putenv(3) man page.
425  */
426 static int
427 ok_to_export(const char *s)
428 {
429 	static const char *noexport[] = {
430 		"SHELL", "HOME", "LOGNAME", "MAIL", "CDPATH",
431 		"IFS", "PATH", NULL
432 	};
433 	const char **pp;
434 	size_t n;
435 
436 	if (strlen(s) > 1024 || strchr(s, '=') == NULL)
437 		return 0;
438 	if (strncmp(s, "LD_", 3) == 0)
439 		return 0;
440 	for (pp = noexport; *pp != NULL; pp++) {
441 		n = strlen(*pp);
442 		if (s[n] == '=' && strncmp(s, *pp, n) == 0)
443 			return 0;
444 	}
445 	return 1;
446 }
447 
448 static void
449 usage(void)
450 {
451 
452 	fprintf(stderr, "usage: su [-] [-flm] [-c class] [login [args]]\n");
453 	exit(1);
454 }
455 
456 static int
457 chshell(char *sh)
458 {
459 	int r;
460 	char *cp;
461 
462 	r = 0;
463 	setusershell();
464 	do {
465 		cp = getusershell();
466 		r = strcmp(cp, sh);
467 	} while (!r && cp != NULL);
468 	endusershell();
469 	return r;
470 }
471 
472 static char *
473 ontty(void)
474 {
475 	char *p;
476 	static char buf[MAXPATHLEN + 4];
477 
478 	buf[0] = 0;
479 	p = ttyname(STDERR_FILENO);
480 	if (p)
481 		snprintf(buf, sizeof(buf), " on %s", p);
482 	return buf;
483 }
484