xref: /freebsd/usr.bin/su/su.c (revision ebbd4fa8c8427d3dd847ba33c45c996e0500e6ff) 
1 /*
2  * Copyright (c) 1988, 1993, 1994
3  *	The Regents of the University of California.  All rights reserved.
4  * Copyright (c) 2002 Networks Associates Technologies, Inc.
5  * All rights reserved.
6  *
7  * Portions of this software were developed for the FreeBSD Project by
8  * ThinkSec AS and NAI Labs, the Security Research Division of Network
9  * Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
10  * ("CBOSS"), as part of the DARPA CHATS research program.
11  *
12  * Redistribution and use in source and binary forms, with or without
13  * modification, are permitted provided that the following conditions
14  * are met:
15  * 1. Redistributions of source code must retain the above copyright
16  *    notice, this list of conditions and the following disclaimer.
17  * 2. Redistributions in binary form must reproduce the above copyright
18  *    notice, this list of conditions and the following disclaimer in the
19  *    documentation and/or other materials provided with the distribution.
20  * 3. All advertising materials mentioning features or use of this software
21  *    must display the following acknowledgement:
22  *	This product includes software developed by the University of
23  *	California, Berkeley and its contributors.
24  * 4. Neither the name of the University nor the names of its contributors
25  *    may be used to endorse or promote products derived from this software
26  *    without specific prior written permission.
27  *
28  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
29  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
30  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
31  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
32  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
33  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
34  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
35  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
36  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
37  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
38  * SUCH DAMAGE.
39  */
40 
41 #ifndef lint
42 static const char copyright[] =
43 "@(#) Copyright (c) 1988, 1993, 1994\n\
44 	The Regents of the University of California.  All rights reserved.\n";
45 #endif /* not lint */
46 
47 #ifndef lint
48 #if 0
49 static char sccsid[] = "@(#)su.c	8.3 (Berkeley) 4/2/94";
50 #endif
51 static const char rcsid[] =
52   "$FreeBSD$";
53 #endif /* not lint */
54 
55 #include <sys/param.h>
56 #include <sys/time.h>
57 #include <sys/resource.h>
58 #include <sys/wait.h>
59 
60 #include <err.h>
61 #include <errno.h>
62 #include <grp.h>
63 #include <libutil.h>
64 #include <login_cap.h>
65 #include <paths.h>
66 #include <pwd.h>
67 #include <signal.h>
68 #include <stdio.h>
69 #include <stdlib.h>
70 #include <string.h>
71 #include <syslog.h>
72 #include <unistd.h>
73 
74 #include <security/pam_appl.h>
75 #include <security/openpam.h>
76 
77 #define PAM_END() do {						\
78 	int local_ret;						\
79 	if (pamh != NULL && creds_set) {			\
80 		local_ret = pam_setcred(pamh, PAM_DELETE_CRED);	\
81 		if (local_ret != PAM_SUCCESS)			\
82 			syslog(LOG_ERR, "pam_setcred: %s",	\
83 				pam_strerror(pamh, local_ret));	\
84 		local_ret = pam_end(pamh, local_ret);		\
85 		if (local_ret != PAM_SUCCESS)			\
86 			syslog(LOG_ERR, "pam_end: %s",		\
87 				pam_strerror(pamh, local_ret));	\
88 	}							\
89 } while (0)
90 
91 
92 #define PAM_SET_ITEM(what, item) do {				\
93 	int local_ret;						\
94 	local_ret = pam_set_item(pamh, what, item);		\
95 	if (local_ret != PAM_SUCCESS) {				\
96 		syslog(LOG_ERR, "pam_set_item(" #what "): %s",	\
97 			pam_strerror(pamh, local_ret));		\
98 		errx(1, "pam_set_item(" #what "): %s",		\
99 			pam_strerror(pamh, local_ret));		\
100 	}							\
101 } while (0)
102 
103 enum tristate { UNSET, YES, NO };
104 
105 static pam_handle_t *pamh = NULL;
106 static int	creds_set = 0;
107 static char	**environ_pam;
108 
109 static char	*ontty(void);
110 static int	chshell(char *);
111 static void	usage(void);
112 static int	export_pam_environment(void);
113 static int	ok_to_export(const char *);
114 
115 extern char	**environ;
116 
117 int
118 main(int argc, char *argv[])
119 {
120 	struct passwd	*pwd;
121 	struct pam_conv	conv = { openpam_ttyconv, NULL };
122 	enum tristate	iscsh;
123 	login_cap_t	*lc;
124 	union {
125 		const char	**a;
126 		char		* const *b;
127 	}		np;
128 	uid_t		ruid;
129 	gid_t		gid;
130 	int		asme, ch, asthem, fastlogin, prio, i, setwhat, retcode,
131 			statusp, child_pid, ret_pid;
132 	char		*username, *cleanenv, *class, shellbuf[MAXPATHLEN];
133 	const char	*p, *user, *shell, *mytty, **nargv;
134 
135 	struct sigaction sa, sa_int, sa_quit, sa_tstp;
136 
137 	shell = class = cleanenv = NULL;
138 	asme = asthem = fastlogin = statusp = 0;
139 	user = "root";
140 	iscsh = UNSET;
141 
142 	while ((ch = getopt(argc, argv, "-flmc:")) != -1)
143 		switch ((char)ch) {
144 		case 'f':
145 			fastlogin = 1;
146 			break;
147 		case '-':
148 		case 'l':
149 			asme = 0;
150 			asthem = 1;
151 			break;
152 		case 'm':
153 			asme = 1;
154 			asthem = 0;
155 			break;
156 		case 'c':
157 			class = optarg;
158 			break;
159 		case '?':
160 		default:
161 			usage();
162 		}
163 
164 	if (optind < argc)
165 		user = argv[optind++];
166 
167 	if (user == NULL)
168 		usage();
169 
170 	if (strlen(user) > MAXLOGNAME - 1)
171 		errx(1, "username too long");
172 
173 	nargv = malloc(sizeof(char *) * (argc + 4));
174 	if (nargv == NULL)
175 		errx(1, "malloc failure");
176 
177 	nargv[argc + 3] = NULL;
178 	for (i = argc; i >= optind; i--)
179 		nargv[i + 3] = argv[i];
180 	np.a = &nargv[i + 3];
181 
182 	argv += optind;
183 
184 	errno = 0;
185 	prio = getpriority(PRIO_PROCESS, 0);
186 	if (errno)
187 		prio = 0;
188 
189 	setpriority(PRIO_PROCESS, 0, -2);
190 	openlog("su", LOG_CONS, LOG_AUTH);
191 
192 	/* get current login name, real uid and shell */
193 	ruid = getuid();
194 	username = getlogin();
195 	pwd = getpwnam(username);
196 	if (username == NULL || pwd == NULL || pwd->pw_uid != ruid)
197 		pwd = getpwuid(ruid);
198 	if (pwd == NULL)
199 		errx(1, "who are you?");
200 	gid = pwd->pw_gid;
201 
202 	username = strdup(pwd->pw_name);
203 	if (username == NULL)
204 		err(1, "strdup failure");
205 
206 	if (asme) {
207 		if (pwd->pw_shell != NULL && *pwd->pw_shell != '\0') {
208 			/* must copy - pwd memory is recycled */
209 			shell = strncpy(shellbuf, pwd->pw_shell,
210 			    sizeof(shellbuf));
211 			shellbuf[sizeof(shellbuf) - 1] = '\0';
212 		}
213 		else {
214 			shell = _PATH_BSHELL;
215 			iscsh = NO;
216 		}
217 	}
218 
219 	/* Do the whole PAM startup thing */
220 	retcode = pam_start("su", user, &conv, &pamh);
221 	if (retcode != PAM_SUCCESS) {
222 		syslog(LOG_ERR, "pam_start: %s", pam_strerror(pamh, retcode));
223 		errx(1, "pam_start: %s", pam_strerror(pamh, retcode));
224 	}
225 
226 	PAM_SET_ITEM(PAM_RUSER, getlogin());
227 
228 	mytty = ttyname(STDERR_FILENO);
229 	if (!mytty)
230 		mytty = "tty";
231 	PAM_SET_ITEM(PAM_TTY, mytty);
232 
233 	retcode = pam_authenticate(pamh, 0);
234 	if (retcode != PAM_SUCCESS) {
235 		syslog(LOG_ERR, "pam_authenticate: %s",
236 		    pam_strerror(pamh, retcode));
237 		errx(1, "Sorry");
238 	}
239 	retcode = pam_get_item(pamh, PAM_USER, (const void **)&p);
240 	if (retcode == PAM_SUCCESS)
241 		user = p;
242 	else
243 		syslog(LOG_ERR, "pam_get_item(PAM_USER): %s",
244 		    pam_strerror(pamh, retcode));
245 
246 	retcode = pam_acct_mgmt(pamh, 0);
247 	if (retcode == PAM_NEW_AUTHTOK_REQD) {
248 		retcode = pam_chauthtok(pamh,
249 			PAM_CHANGE_EXPIRED_AUTHTOK);
250 		if (retcode != PAM_SUCCESS) {
251 			syslog(LOG_ERR, "pam_chauthtok: %s",
252 			    pam_strerror(pamh, retcode));
253 			errx(1, "Sorry");
254 		}
255 	}
256 	if (retcode != PAM_SUCCESS) {
257 		syslog(LOG_ERR, "pam_acct_mgmt: %s",
258 			pam_strerror(pamh, retcode));
259 		errx(1, "Sorry");
260 	}
261 
262 	/* get target login information, default to root */
263 	pwd = getpwnam(user);
264 	if (pwd == NULL)
265 		errx(1, "unknown login: %s", user);
266 	if (class == NULL)
267 		lc = login_getpwclass(pwd);
268 	else {
269 		if (ruid != 0)
270 			errx(1, "only root may use -c");
271 		lc = login_getclass(class);
272 		if (lc == NULL)
273 			errx(1, "unknown class: %s", class);
274 	}
275 
276 	/* if asme and non-standard target shell, must be root */
277 	if (asme) {
278 		if (ruid != 0 && !chshell(pwd->pw_shell))
279 			errx(1, "permission denied (shell).");
280 	}
281 	else if (pwd->pw_shell && *pwd->pw_shell) {
282 		shell = pwd->pw_shell;
283 		iscsh = UNSET;
284 	}
285 	else {
286 		shell = _PATH_BSHELL;
287 		iscsh = NO;
288 	}
289 
290 	/* if we're forking a csh, we want to slightly muck the args */
291 	if (iscsh == UNSET) {
292 		p = strrchr(shell, '/');
293 		if (p)
294 			++p;
295 		else
296 			p = shell;
297 		iscsh = strcmp(p, "csh") ? (strcmp(p, "tcsh") ? NO : YES) : YES;
298 	}
299 	setpriority(PRIO_PROCESS, 0, prio);
300 
301 	/*
302 	 * PAM modules might add supplementary groups in pam_setcred(), so
303 	 * initialize them first.
304 	 */
305 	if (setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETGROUP) < 0)
306 		err(1, "setusercontext");
307 
308 	retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED);
309 	if (retcode != PAM_SUCCESS)
310 		syslog(LOG_ERR, "pam_setcred(pamh, PAM_ESTABLISH_CRED): %s",
311 		    pam_strerror(pamh, retcode));
312 	else
313 		creds_set = 1;
314 
315 	/*
316 	 * We must fork() before setuid() because we need to call
317 	 * pam_setcred(pamh, PAM_DELETE_CRED) as root.
318 	 */
319 	sa.sa_flags = SA_RESTART;
320 	sa.__sigaction_u.__sa_handler = SIG_IGN;
321 	sigemptyset(&sa.sa_mask);
322 	sigaction(SIGINT, &sa, &sa_int);
323 	sigaction(SIGQUIT, &sa, &sa_quit);
324 	sigaction(SIGTSTP, &sa, &sa_tstp);
325 
326 	statusp = 1;
327 	child_pid = fork();
328 	switch (child_pid) {
329 	default:
330 		while ((ret_pid = waitpid(child_pid, &statusp, WUNTRACED)) != -1) {
331 			if (WIFSTOPPED(statusp)) {
332 				kill(getpid(), SIGSTOP);
333 				kill(child_pid, SIGCONT);
334 				statusp = 1;
335 				continue;
336 			}
337 			break;
338 		}
339 		if (ret_pid == -1)
340 			err(1, "waitpid");
341 		PAM_END();
342 		exit(statusp);
343 	case -1:
344 		err(1, "fork");
345 		PAM_END();
346 		exit(1);
347 	case 0:
348 		sigaction(SIGINT, &sa_int, NULL);
349 		sigaction(SIGQUIT, &sa_quit, NULL);
350 		sigaction(SIGTSTP, &sa_tstp, NULL);
351 		/*
352 		 * Set all user context except for: Environmental variables
353 		 * Umask Login records (wtmp, etc) Path
354 		 */
355 		setwhat = LOGIN_SETALL & ~(LOGIN_SETENV | LOGIN_SETUMASK |
356 			   LOGIN_SETLOGIN | LOGIN_SETPATH | LOGIN_SETGROUP);
357 		/*
358 		 * Don't touch resource/priority settings if -m has been used
359 		 * or -l and -c hasn't, and we're not su'ing to root.
360 		 */
361 		if ((asme || (!asthem && class == NULL)) && pwd->pw_uid)
362 			setwhat &= ~(LOGIN_SETPRIORITY | LOGIN_SETRESOURCES);
363 		if (setusercontext(lc, pwd, pwd->pw_uid, setwhat) < 0)
364 			err(1, "setusercontext");
365 
366 		if (!asme) {
367 			if (asthem) {
368 				p = getenv("TERM");
369 				environ = &cleanenv;
370 
371 				/*
372 				 * Add any environmental variables that the
373 				 * PAM modules may have set.
374 				 */
375 				environ_pam = pam_getenvlist(pamh);
376 				if (environ_pam)
377 					export_pam_environment();
378 
379 				/* set the su'd user's environment & umask */
380 				setusercontext(lc, pwd, pwd->pw_uid,
381 					LOGIN_SETPATH | LOGIN_SETUMASK |
382 					LOGIN_SETENV);
383 				if (p)
384 					setenv("TERM", p, 1);
385 				if (chdir(pwd->pw_dir) < 0)
386 					errx(1, "no directory");
387 			}
388 			if (asthem || pwd->pw_uid)
389 				setenv("USER", pwd->pw_name, 1);
390 			setenv("HOME", pwd->pw_dir, 1);
391 			setenv("SHELL", shell, 1);
392 		}
393 		login_close(lc);
394 
395 		if (iscsh == YES) {
396 			if (fastlogin)
397 				*np.a-- = "-f";
398 			if (asme)
399 				*np.a-- = "-m";
400 		}
401 		/* csh strips the first character... */
402 		*np.a = asthem ? "-su" : iscsh == YES ? "_su" : "su";
403 
404 		if (ruid != 0)
405 			syslog(LOG_NOTICE, "%s to %s%s", username, user,
406 			    ontty());
407 
408 		execv(shell, np.b);
409 		err(1, "%s", shell);
410 	}
411 }
412 
413 static int
414 export_pam_environment(void)
415 {
416 	char	**pp;
417 
418 	for (pp = environ_pam; *pp != NULL; pp++) {
419 		if (ok_to_export(*pp))
420 			putenv(*pp);
421 		free(*pp);
422 	}
423 	return PAM_SUCCESS;
424 }
425 
426 /*
427  * Sanity checks on PAM environmental variables:
428  * - Make sure there is an '=' in the string.
429  * - Make sure the string doesn't run on too long.
430  * - Do not export certain variables.  This list was taken from the
431  *   Solaris pam_putenv(3) man page.
432  */
433 static int
434 ok_to_export(const char *s)
435 {
436 	static const char *noexport[] = {
437 		"SHELL", "HOME", "LOGNAME", "MAIL", "CDPATH",
438 		"IFS", "PATH", NULL
439 	};
440 	const char **pp;
441 	size_t n;
442 
443 	if (strlen(s) > 1024 || strchr(s, '=') == NULL)
444 		return 0;
445 	if (strncmp(s, "LD_", 3) == 0)
446 		return 0;
447 	for (pp = noexport; *pp != NULL; pp++) {
448 		n = strlen(*pp);
449 		if (s[n] == '=' && strncmp(s, *pp, n) == 0)
450 			return 0;
451 	}
452 	return 1;
453 }
454 
455 static void
456 usage(void)
457 {
458 
459 	fprintf(stderr, "usage: su [-] [-flm] [-c class] [login [args]]\n");
460 	exit(1);
461 }
462 
463 static int
464 chshell(char *sh)
465 {
466 	int r;
467 	char *cp;
468 
469 	r = 0;
470 	setusershell();
471 	do {
472 		cp = getusershell();
473 		r = strcmp(cp, sh);
474 	} while (!r && cp != NULL);
475 	endusershell();
476 	return r;
477 }
478 
479 static char *
480 ontty(void)
481 {
482 	char *p;
483 	static char buf[MAXPATHLEN + 4];
484 
485 	buf[0] = 0;
486 	p = ttyname(STDERR_FILENO);
487 	if (p)
488 		snprintf(buf, sizeof(buf), " on %s", p);
489 	return buf;
490 }
491