xref: /illumos-gate/usr/src/cmd/su/su.c (revision 66582b606a8194f7f3ba5b3a3a6dca5b0d346361)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright (c) 1988, 2010, Oracle and/or its affiliates. All rights reserved.
23  * Copyright 2012 Milan Jurik. All rights reserved.
24  * Copyright 2014 Nexenta Systems, Inc.
25  */
26 /*	Copyright (c) 1984, 1986, 1987, 1988, 1989 AT&T */
27 /*	  All Rights Reserved	*/
28 
29 /*	Copyright (c) 1987, 1988 Microsoft Corporation	*/
30 /*	  All Rights Reserved	*/
31 
32 /*
33  *	su [-] [name [arg ...]] change userid, `-' changes environment.
34  *	If SULOG is defined, all attempts to su to another user are
35  *	logged there.
36  *	If CONSOLE is defined, all successful attempts to su to uid 0
37  *	are also logged there.
38  *
39  *	If su cannot create, open, or write entries into SULOG,
40  *	(or on the CONSOLE, if defined), the entry will not
41  *	be logged -- thus losing a record of the su's attempted
42  *	during this period.
43  */
44 
45 #include <stdio.h>
46 #include <sys/types.h>
47 #include <sys/stat.h>
48 #include <sys/param.h>
49 #include <unistd.h>
50 #include <stdlib.h>
51 #include <crypt.h>
52 #include <pwd.h>
53 #include <shadow.h>
54 #include <time.h>
55 #include <signal.h>
56 #include <fcntl.h>
57 #include <string.h>
58 #include <locale.h>
59 #include <syslog.h>
60 #include <sys/utsname.h>
61 #include <sys/wait.h>
62 #include <grp.h>
63 #include <deflt.h>
64 #include <limits.h>
65 #include <errno.h>
66 #include <stdarg.h>
67 #include <user_attr.h>
68 #include <priv.h>
69 
70 #include <bsm/adt.h>
71 #include <bsm/adt_event.h>
72 
73 #include <security/pam_appl.h>
74 
75 #define	PATH	"/usr/bin:"		/* path for users other than root */
76 #define	SUPATH	"/usr/sbin:/usr/bin"	/* path for root */
77 #define	SUPRMT	"PS1=# "		/* primary prompt for root */
78 #define	ELIM 128
79 #define	ROOT 0
80 #ifdef	DYNAMIC_SU
81 #define	EMBEDDED_NAME	"embedded_su"
82 #define	DEF_ATTEMPTS	3		/* attempts to change password */
83 #endif	/* DYNAMIC_SU */
84 
85 #define	PW_FALSE	1		/* no password change */
86 #define	PW_TRUE		2		/* successful password change */
87 #define	PW_FAILED	3		/* failed password change */
88 
89 /*
90  * Intervals to sleep after failed su
91  */
92 #ifndef SLEEPTIME
93 #define	SLEEPTIME	4
94 #endif
95 
96 #define	DEFAULT_LOGIN "/etc/default/login"
97 #define	DEFFILE "/etc/default/su"
98 
99 
100 char	*Sulog, *Console;
101 char	*Path, *Supath;
102 
103 /*
104  * Locale variables to be propagated to "su -" environment
105  */
106 static char *initvar;
107 static char *initenv[] = {
108 	"TZ", "LANG", "LC_CTYPE",
109 	"LC_NUMERIC", "LC_TIME", "LC_COLLATE",
110 	"LC_MONETARY", "LC_MESSAGES", "LC_ALL", 0};
111 static char mail[30] = { "MAIL=/var/mail/" };
112 
113 static void envalt(void);
114 static void log(char *, char *, int);
115 static void to(int);
116 
117 enum messagemode { USAGE, ERR, WARN };
118 static void message(enum messagemode, char *, ...);
119 
120 static char *alloc_vsprintf(const char *, va_list);
121 static char *tail(char *);
122 
123 static void audit_success(int, struct passwd *);
124 static void audit_logout(adt_session_data_t *, au_event_t);
125 static void audit_failure(int, struct passwd *, char *, int);
126 
127 #ifdef DYNAMIC_SU
128 static void validate(char *, int *);
129 static int legalenvvar(char *);
130 static int su_conv(int, struct pam_message **, struct pam_response **, void *);
131 static int emb_su_conv(int, struct pam_message **, struct pam_response **,
132     void *);
133 static void freeresponse(int, struct pam_response **response);
134 static struct pam_conv pam_conv = {su_conv, NULL};
135 static struct pam_conv emb_pam_conv = {emb_su_conv, NULL};
136 static void quotemsg(char *, ...);
137 static void readinitblock(void);
138 #else	/* !DYNAMIC_SU */
139 static void update_audit(struct passwd *pwd);
140 #endif	/* DYNAMIC_SU */
141 
142 static pam_handle_t	*pamh = NULL;	/* Authentication handle */
143 struct	passwd pwd;
144 char	pwdbuf[1024];			/* buffer for getpwnam_r() */
145 char	shell[] = "/usr/bin/sh";	/* default shell */
146 char	safe_shell[] = "/sbin/sh";	/* "fallback" shell */
147 char	su[PATH_MAX] = "su";		/* arg0 for exec of shprog */
148 char	homedir[PATH_MAX] = "HOME=";
149 char	logname[20] = "LOGNAME=";
150 char	*suprmt = SUPRMT;
151 char	termtyp[PATH_MAX] = "TERM=";
152 char	*term;
153 char	shelltyp[PATH_MAX] = "SHELL=";
154 char	*hz;
155 char	tznam[PATH_MAX];
156 char	hzname[10] = "HZ=";
157 char	path[PATH_MAX] = "PATH=";
158 char	supath[PATH_MAX] = "PATH=";
159 char	*envinit[ELIM];
160 extern	char **environ;
161 char *ttyn;
162 char *username;					/* the invoker */
163 static	int	dosyslog = 0;			/* use syslog? */
164 char	*myname;
165 #ifdef	DYNAMIC_SU
166 int pam_flags = 0;
167 boolean_t embedded = B_FALSE;
168 #endif	/* DYNAMIC_SU */
169 
170 int
171 main(int argc, char **argv)
172 {
173 #ifndef DYNAMIC_SU
174 	struct spwd sp;
175 	char  spbuf[1024];		/* buffer for getspnam_r() */
176 	char *password;
177 #endif	/* !DYNAMIC_SU */
178 	char *nptr;
179 	char *pshell;
180 	int eflag = 0;
181 	int envidx = 0;
182 	uid_t uid;
183 	gid_t gid;
184 	char *dir, *shprog, *name;
185 	char *ptr;
186 	char *prog = argv[0];
187 #ifdef DYNAMIC_SU
188 	int sleeptime = SLEEPTIME;
189 	char **pam_env = 0;
190 	int flags = 0;
191 	int retcode;
192 	int idx = 0;
193 #endif	/* DYNAMIC_SU */
194 	int pw_change = PW_FALSE;
195 
196 	(void) setlocale(LC_ALL, "");
197 #if !defined(TEXT_DOMAIN)	/* Should be defined by cc -D */
198 #define	TEXT_DOMAIN "SYS_TEST"	/* Use this only if it wasn't */
199 #endif
200 	(void) textdomain(TEXT_DOMAIN);
201 
202 	myname = tail(argv[0]);
203 
204 #ifdef	DYNAMIC_SU
205 	if (strcmp(myname, EMBEDDED_NAME) == 0) {
206 		embedded = B_TRUE;
207 		setbuf(stdin, NULL);
208 		setbuf(stdout, NULL);
209 		readinitblock();
210 	}
211 #endif	/* DYNAMIC_SU */
212 
213 	if (argc > 1 && *argv[1] == '-') {
214 		/* Explicitly check for just `-' (no trailing chars) */
215 		if (strlen(argv[1]) == 1) {
216 			eflag++;	/* set eflag if `-' is specified */
217 			argv++;
218 			argc--;
219 		} else {
220 			message(USAGE,
221 			    gettext("Usage: %s [-] [ username [ arg ... ] ]"),
222 			    prog);
223 			exit(1);
224 		}
225 	}
226 
227 	/*
228 	 * Determine specified userid, get their password file entry,
229 	 * and set variables to values in password file entry fields.
230 	 */
231 	if (argc > 1) {
232 		/*
233 		 * Usernames can't start with a `-', so we check for that to
234 		 * catch bad usage (like "su - -c ls").
235 		 */
236 		if (*argv[1] == '-') {
237 			message(USAGE,
238 			    gettext("Usage: %s [-] [ username [ arg ... ] ]"),
239 			    prog);
240 			exit(1);
241 		} else
242 			nptr = argv[1];	/* use valid command-line username */
243 	} else
244 		nptr = "root";		/* use default "root" username */
245 
246 	if (defopen(DEFFILE) == 0) {
247 
248 		if (Sulog = defread("SULOG="))
249 			Sulog = strdup(Sulog);
250 		if (Console = defread("CONSOLE="))
251 			Console = strdup(Console);
252 		if (Path = defread("PATH="))
253 			Path = strdup(Path);
254 		if (Supath = defread("SUPATH="))
255 			Supath = strdup(Supath);
256 		if ((ptr = defread("SYSLOG=")) != NULL)
257 			dosyslog = strcmp(ptr, "YES") == 0;
258 
259 		(void) defopen(NULL);
260 	}
261 	(void) strlcat(path, (Path) ? Path : PATH, sizeof (path));
262 	(void) strlcat(supath, (Supath) ? Supath : SUPATH, sizeof (supath));
263 
264 	if ((ttyn = ttyname(0)) == NULL)
265 		if ((ttyn = ttyname(1)) == NULL)
266 			if ((ttyn = ttyname(2)) == NULL)
267 				ttyn = "/dev/???";
268 	if ((username = cuserid(NULL)) == NULL)
269 		username = "(null)";
270 
271 	/*
272 	 * if Sulog defined, create SULOG, if it does not exist, with
273 	 * mode read/write user. Change owner and group to root
274 	 */
275 	if (Sulog != NULL) {
276 		(void) close(open(Sulog, O_WRONLY | O_APPEND | O_CREAT,
277 		    (S_IRUSR|S_IWUSR)));
278 		(void) chown(Sulog, (uid_t)ROOT, (gid_t)ROOT);
279 	}
280 
281 #ifdef DYNAMIC_SU
282 	if (pam_start(embedded ? EMBEDDED_NAME : "su", nptr,
283 	    embedded ? &emb_pam_conv : &pam_conv, &pamh) != PAM_SUCCESS)
284 		exit(1);
285 	if (pam_set_item(pamh, PAM_TTY, ttyn) != PAM_SUCCESS)
286 		exit(1);
287 	if (getpwuid_r(getuid(), &pwd, pwdbuf, sizeof (pwdbuf)) == NULL ||
288 	    pam_set_item(pamh, PAM_AUSER, pwd.pw_name) != PAM_SUCCESS)
289 		exit(1);
290 #endif	/* DYNAMIC_SU */
291 
292 	openlog("su", LOG_CONS, LOG_AUTH);
293 
294 #ifdef DYNAMIC_SU
295 
296 	/*
297 	 * Use the same value of sleeptime and password required that
298 	 * login(1) uses.
299 	 * This is obtained by reading the file /etc/default/login
300 	 * using the def*() functions
301 	 */
302 	if (defopen(DEFAULT_LOGIN) == 0) {
303 		if ((ptr = defread("SLEEPTIME=")) != NULL) {
304 			sleeptime = atoi(ptr);
305 			if (sleeptime < 0 || sleeptime > 5)
306 				sleeptime = SLEEPTIME;
307 		}
308 
309 		if ((ptr = defread("PASSREQ=")) != NULL &&
310 		    strcasecmp("YES", ptr) == 0)
311 			pam_flags |= PAM_DISALLOW_NULL_AUTHTOK;
312 
313 		(void) defopen((char *)NULL);
314 	}
315 	/*
316 	 * Ignore SIGQUIT and SIGINT
317 	 */
318 	(void) signal(SIGQUIT, SIG_IGN);
319 	(void) signal(SIGINT, SIG_IGN);
320 
321 	/* call pam_authenticate() to authenticate the user through PAM */
322 	if (getpwnam_r(nptr, &pwd, pwdbuf, sizeof (pwdbuf)) == NULL)
323 		retcode = PAM_USER_UNKNOWN;
324 	else if ((flags = (getuid() != (uid_t)ROOT)) != 0) {
325 		retcode = pam_authenticate(pamh, pam_flags);
326 	} else /* root user does not need to authenticate */
327 		retcode = PAM_SUCCESS;
328 
329 	if (retcode != PAM_SUCCESS) {
330 		/*
331 		 * 1st step: audit and log the error.
332 		 * 2nd step: sleep.
333 		 * 3rd step: print out message to user.
334 		 */
335 		/* don't let audit_failure distinguish a role here */
336 		audit_failure(PW_FALSE, NULL, nptr, retcode);
337 		switch (retcode) {
338 		case PAM_USER_UNKNOWN:
339 			closelog();
340 			(void) sleep(sleeptime);
341 			message(ERR, gettext("Unknown id: %s"), nptr);
342 			break;
343 
344 		case PAM_AUTH_ERR:
345 			if (Sulog != NULL)
346 				log(Sulog, nptr, 0);	/* log entry */
347 			if (dosyslog)
348 				syslog(LOG_CRIT, "'su %s' failed for %s on %s",
349 				    pwd.pw_name, username, ttyn);
350 			closelog();
351 			(void) sleep(sleeptime);
352 			message(ERR, gettext("Sorry"));
353 			break;
354 
355 		case PAM_CONV_ERR:
356 		default:
357 			if (dosyslog)
358 				syslog(LOG_CRIT, "'su %s' failed for %s on %s",
359 				    pwd.pw_name, username, ttyn);
360 			closelog();
361 			(void) sleep(sleeptime);
362 			message(ERR, gettext("Sorry"));
363 			break;
364 		}
365 
366 		(void) signal(SIGQUIT, SIG_DFL);
367 		(void) signal(SIGINT, SIG_DFL);
368 		exit(1);
369 	}
370 	if (flags)
371 		validate(username, &pw_change);
372 	if (pam_setcred(pamh, PAM_REINITIALIZE_CRED) != PAM_SUCCESS) {
373 		message(ERR, gettext("unable to set credentials"));
374 		exit(2);
375 	}
376 	if (dosyslog)
377 		syslog(pwd.pw_uid == 0 ? LOG_NOTICE : LOG_INFO,
378 		    "'su %s' succeeded for %s on %s",
379 		    pwd.pw_name, username, ttyn);
380 	closelog();
381 	(void) signal(SIGQUIT, SIG_DFL);
382 	(void) signal(SIGINT, SIG_DFL);
383 #else	/* !DYNAMIC_SU */
384 	if ((getpwnam_r(nptr, &pwd, pwdbuf, sizeof (pwdbuf)) == NULL) ||
385 	    (getspnam_r(nptr, &sp, spbuf, sizeof (spbuf)) == NULL)) {
386 		message(ERR, gettext("Unknown id: %s"), nptr);
387 		audit_failure(PW_FALSE, NULL, nptr, PAM_USER_UNKNOWN);
388 		closelog();
389 		exit(1);
390 	}
391 
392 	/*
393 	 * Prompt for password if invoking user is not root or
394 	 * if specified(new) user requires a password
395 	 */
396 	if (sp.sp_pwdp[0] == '\0' || getuid() == (uid_t)ROOT)
397 		goto ok;
398 	password = getpass(gettext("Password:"));
399 
400 	if ((strcmp(sp.sp_pwdp, crypt(password, sp.sp_pwdp)) != 0)) {
401 		/* clear password file entry */
402 		(void) memset((void *)spbuf, 0, sizeof (spbuf));
403 		if (Sulog != NULL)
404 			log(Sulog, nptr, 0);    /* log entry */
405 		message(ERR, gettext("Sorry"));
406 		audit_failure(PW_FALSE, NULL, nptr, PAM_AUTH_ERR);
407 		if (dosyslog)
408 			syslog(LOG_CRIT, "'su %s' failed for %s on %s",
409 			    pwd.pw_name, username, ttyn);
410 		closelog();
411 		exit(2);
412 	}
413 	/* clear password file entry */
414 	(void) memset((void *)spbuf, 0, sizeof (spbuf));
415 ok:
416 	/* update audit session in a non-pam environment */
417 	update_audit(&pwd);
418 	if (dosyslog)
419 		syslog(pwd.pw_uid == 0 ? LOG_NOTICE : LOG_INFO,
420 		    "'su %s' succeeded for %s on %s",
421 		    pwd.pw_name, username, ttyn);
422 #endif	/* DYNAMIC_SU */
423 
424 	audit_success(pw_change, &pwd);
425 	uid = pwd.pw_uid;
426 	gid = pwd.pw_gid;
427 	dir = strdup(pwd.pw_dir);
428 	shprog = strdup(pwd.pw_shell);
429 	name = strdup(pwd.pw_name);
430 
431 	if (Sulog != NULL)
432 		log(Sulog, nptr, 1);	/* log entry */
433 
434 	/* set user and group ids to specified user */
435 
436 	/* set the real (and effective) GID */
437 	if (setgid(gid) == -1) {
438 		message(ERR, gettext("Invalid GID"));
439 		exit(2);
440 	}
441 	/* Initialize the supplementary group access list. */
442 	if (!nptr)
443 		exit(2);
444 	if (initgroups(nptr, gid) == -1) {
445 		exit(2);
446 	}
447 	/* set the real (and effective) UID */
448 	if (setuid(uid) == -1) {
449 		message(ERR, gettext("Invalid UID"));
450 		exit(2);
451 	}
452 
453 	/*
454 	 * If new user's shell field is neither NULL nor equal to /usr/bin/sh,
455 	 * set:
456 	 *
457 	 *	pshell = their shell
458 	 *	su = [-]last component of shell's pathname
459 	 *
460 	 * Otherwise, set the shell to /usr/bin/sh and set argv[0] to '[-]su'.
461 	 */
462 	if (shprog[0] != '\0' && strcmp(shell, shprog) != 0) {
463 		char *p;
464 
465 		pshell = shprog;
466 		(void) strcpy(su, eflag ? "-" : "");
467 
468 		if ((p = strrchr(pshell, '/')) != NULL)
469 			(void) strlcat(su, p + 1, sizeof (su));
470 		else
471 			(void) strlcat(su, pshell, sizeof (su));
472 	} else {
473 		pshell = shell;
474 		(void) strcpy(su, eflag ? "-su" : "su");
475 	}
476 
477 	/*
478 	 * set environment variables for new user;
479 	 * arg0 for exec of shprog must now contain `-'
480 	 * so that environment of new user is given
481 	 */
482 	if (eflag) {
483 		int j;
484 		char *var;
485 
486 		if (strlen(dir) == 0) {
487 			(void) strcpy(dir, "/");
488 			message(WARN, gettext("No directory! Using home=/"));
489 		}
490 		(void) strlcat(homedir, dir, sizeof (homedir));
491 		(void) strlcat(logname, name, sizeof (logname));
492 		if (hz = getenv("HZ"))
493 			(void) strlcat(hzname, hz, sizeof (hzname));
494 
495 		(void) strlcat(shelltyp, pshell, sizeof (shelltyp));
496 
497 		if (chdir(dir) < 0) {
498 			message(ERR, gettext("No directory!"));
499 			exit(1);
500 		}
501 		envinit[envidx = 0] = homedir;
502 		envinit[++envidx] = ((uid == (uid_t)ROOT) ? supath : path);
503 		envinit[++envidx] = logname;
504 		envinit[++envidx] = hzname;
505 		if ((term = getenv("TERM")) != NULL) {
506 			(void) strlcat(termtyp, term, sizeof (termtyp));
507 			envinit[++envidx] = termtyp;
508 		}
509 		envinit[++envidx] = shelltyp;
510 
511 		(void) strlcat(mail, name, sizeof (mail));
512 		envinit[++envidx] = mail;
513 
514 		/*
515 		 * Fetch the relevant locale/TZ environment variables from
516 		 * the inherited environment.
517 		 *
518 		 * We have a priority here for setting TZ. If TZ is set in
519 		 * in the inherited environment, that value remains top
520 		 * priority. If the file /etc/default/login has TIMEZONE set,
521 		 * that has second highest priority.
522 		 */
523 		tznam[0] = '\0';
524 		for (j = 0; initenv[j] != 0; j++) {
525 			if (initvar = getenv(initenv[j])) {
526 
527 				/*
528 				 * Skip over values beginning with '/' for
529 				 * security.
530 				 */
531 				if (initvar[0] == '/')  continue;
532 
533 				if (strcmp(initenv[j], "TZ") == 0) {
534 					(void) strcpy(tznam, "TZ=");
535 					(void) strlcat(tznam, initvar,
536 					    sizeof (tznam));
537 
538 				} else {
539 					var = (char *)
540 					    malloc(strlen(initenv[j])
541 					    + strlen(initvar)
542 					    + 2);
543 					if (var == NULL) {
544 						perror("malloc");
545 						exit(4);
546 					}
547 					(void) strcpy(var, initenv[j]);
548 					(void) strcat(var, "=");
549 					(void) strcat(var, initvar);
550 					envinit[++envidx] = var;
551 				}
552 			}
553 		}
554 
555 		/*
556 		 * Check if TZ was found. If not then try to read it from
557 		 * /etc/default/login.
558 		 */
559 		if (tznam[0] == '\0') {
560 			if (defopen(DEFAULT_LOGIN) == 0) {
561 				if (initvar = defread("TIMEZONE=")) {
562 					(void) strcpy(tznam, "TZ=");
563 					(void) strlcat(tznam, initvar,
564 					    sizeof (tznam));
565 				}
566 				(void) defopen(NULL);
567 			}
568 		}
569 
570 		if (tznam[0] != '\0')
571 			envinit[++envidx] = tznam;
572 
573 #ifdef DYNAMIC_SU
574 		/*
575 		 * set the PAM environment variables -
576 		 * check for legal environment variables
577 		 */
578 		if ((pam_env = pam_getenvlist(pamh)) != 0) {
579 			while (pam_env[idx] != 0) {
580 				if (envidx + 2 < ELIM &&
581 				    legalenvvar(pam_env[idx])) {
582 					envinit[++envidx] = pam_env[idx];
583 				}
584 				idx++;
585 			}
586 		}
587 #endif	/* DYNAMIC_SU */
588 		envinit[++envidx] = NULL;
589 		environ = envinit;
590 	} else {
591 		char **pp = environ, **qq, *p;
592 
593 		while ((p = *pp) != NULL) {
594 			if (*p == 'L' && p[1] == 'D' && p[2] == '_') {
595 				for (qq = pp; (*qq = qq[1]) != NULL; qq++)
596 					;
597 				/* pp is not advanced */
598 			} else {
599 				pp++;
600 			}
601 		}
602 	}
603 
604 #ifdef DYNAMIC_SU
605 	if (pamh)
606 		(void) pam_end(pamh, PAM_SUCCESS);
607 #endif	/* DYNAMIC_SU */
608 
609 	/*
610 	 * if new user is root:
611 	 *	if CONSOLE defined, log entry there;
612 	 *	if eflag not set, change environment to that of root.
613 	 */
614 	if (uid == (uid_t)ROOT) {
615 		if (Console != NULL)
616 			if (strcmp(ttyn, Console) != 0) {
617 				(void) signal(SIGALRM, to);
618 				(void) alarm(30);
619 				log(Console, nptr, 1);
620 				(void) alarm(0);
621 			}
622 		if (!eflag)
623 			envalt();
624 	}
625 
626 	/*
627 	 * Default for SIGCPU and SIGXFSZ.  Shells inherit
628 	 * signal disposition from parent.  And the
629 	 * shells should have default dispositions for these
630 	 * signals.
631 	 */
632 	(void) signal(SIGXCPU, SIG_DFL);
633 	(void) signal(SIGXFSZ, SIG_DFL);
634 
635 #ifdef	DYNAMIC_SU
636 	if (embedded) {
637 		(void) puts("SUCCESS");
638 		/*
639 		 * After this point, we're no longer talking the
640 		 * embedded_su protocol, so turn it off.
641 		 */
642 		embedded = B_FALSE;
643 	}
644 #endif	/* DYNAMIC_SU */
645 
646 	/*
647 	 * if additional arguments, exec shell program with array
648 	 * of pointers to arguments:
649 	 *	-> if shell = default, then su = [-]su
650 	 *	-> if shell != default, then su = [-]last component of
651 	 *						shell's pathname
652 	 *
653 	 * if no additional arguments, exec shell with arg0 of su
654 	 * where:
655 	 *	-> if shell = default, then su = [-]su
656 	 *	-> if shell != default, then su = [-]last component of
657 	 *						shell's pathname
658 	 */
659 	if (argc > 2) {
660 		argv[1] = su;
661 		(void) execv(pshell, &argv[1]);
662 	} else
663 		(void) execl(pshell, su, 0);
664 
665 
666 	/*
667 	 * Try to clean up after an administrator who has made a mistake
668 	 * configuring root's shell; if root's shell is other than /sbin/sh,
669 	 * try exec'ing /sbin/sh instead.
670 	 */
671 	if ((uid == (uid_t)ROOT) && (strcmp(name, "root") == 0) &&
672 	    (strcmp(safe_shell, pshell) != 0)) {
673 		message(WARN,
674 		    gettext("No shell %s.  Trying fallback shell %s."),
675 		    pshell, safe_shell);
676 
677 		if (eflag) {
678 			(void) strcpy(su, "-sh");
679 			(void) strlcpy(shelltyp + strlen("SHELL="),
680 			    safe_shell, sizeof (shelltyp) - strlen("SHELL="));
681 		} else {
682 			(void) strcpy(su, "sh");
683 		}
684 
685 		if (argc > 2) {
686 			argv[1] = su;
687 			(void) execv(safe_shell, &argv[1]);
688 		} else {
689 			(void) execl(safe_shell, su, 0);
690 		}
691 		message(ERR, gettext("Couldn't exec fallback shell %s: %s"),
692 		    safe_shell, strerror(errno));
693 	} else {
694 		message(ERR, gettext("No shell"));
695 	}
696 	return (3);
697 }
698 
699 /*
700  * Environment altering routine -
701  *	This routine is called when a user is su'ing to root
702  *	without specifying the - flag.
703  *	The user's PATH and PS1 variables are reset
704  *	to the correct value for root.
705  *	All of the user's other environment variables retain
706  *	their current values after the su (if they are exported).
707  */
708 static void
709 envalt(void)
710 {
711 	/*
712 	 * If user has PATH variable in their environment, change its value
713 	 *		to /bin:/etc:/usr/bin ;
714 	 * if user does not have PATH variable, add it to the user's
715 	 *		environment;
716 	 * if either of the above fail, an error message is printed.
717 	 */
718 	if (putenv(supath) != 0) {
719 		message(ERR,
720 		    gettext("unable to obtain memory to expand environment"));
721 		exit(4);
722 	}
723 
724 	/*
725 	 * If user has PROMPT variable in their environment, change its value
726 	 *		to # ;
727 	 * if user does not have PROMPT variable, add it to the user's
728 	 *		environment;
729 	 * if either of the above fail, an error message is printed.
730 	 */
731 	if (putenv(suprmt) != 0) {
732 		message(ERR,
733 		    gettext("unable to obtain memory to expand environment"));
734 		exit(4);
735 	}
736 }
737 
738 /*
739  * Logging routine -
740  *	where = SULOG or CONSOLE
741  *	towho = specified user ( user being su'ed to )
742  *	how = 0 if su attempt failed; 1 if su attempt succeeded
743  */
744 static void
745 log(char *where, char *towho, int how)
746 {
747 	FILE *logf;
748 	time_t now;
749 	struct tm *tmp;
750 
751 	/*
752 	 * open SULOG or CONSOLE - if open fails, return
753 	 */
754 	if ((logf = fopen(where, "a")) == NULL)
755 		return;
756 
757 	now = time(0);
758 	tmp = localtime(&now);
759 
760 	/*
761 	 * write entry into SULOG or onto CONSOLE - if write fails, return
762 	 */
763 	(void) fprintf(logf, "SU %.2d/%.2d %.2d:%.2d %c %s %s-%s\n",
764 	    tmp->tm_mon + 1, tmp->tm_mday, tmp->tm_hour, tmp->tm_min,
765 	    how ? '+' : '-', ttyn + sizeof ("/dev/") - 1, username, towho);
766 
767 	(void) fclose(logf);	/* close SULOG or CONSOLE */
768 }
769 
770 /*ARGSUSED*/
771 static void
772 to(int sig)
773 {}
774 
775 /*
776  * audit_success - audit successful su
777  *
778  *	Entry	process audit context established -- i.e., pam_setcred()
779  *			or equivalent called.
780  *		pw_change = PW_TRUE, if successful password change audit
781  *				required.
782  *		pwd = passwd entry for new user.
783  */
784 
785 static void
786 audit_success(int pw_change, struct passwd *pwd)
787 {
788 	adt_session_data_t	*ah = NULL;
789 	adt_event_data_t	*event;
790 	au_event_t		event_id = ADT_su;
791 	userattr_t		*user_entry;
792 	char			*kva_value;
793 
794 	if (adt_start_session(&ah, NULL, ADT_USE_PROC_DATA) != 0) {
795 		syslog(LOG_AUTH | LOG_ALERT,
796 		    "adt_start_session(ADT_su): %m");
797 		return;
798 	}
799 	if (((user_entry = getusernam(pwd->pw_name)) != NULL) &&
800 	    ((kva_value = kva_match((kva_t *)user_entry->attr,
801 	    USERATTR_TYPE_KW)) != NULL) &&
802 	    ((strcmp(kva_value, USERATTR_TYPE_NONADMIN_KW) == 0) ||
803 	    (strcmp(kva_value, USERATTR_TYPE_ADMIN_KW) == 0))) {
804 		event_id = ADT_role_login;
805 	}
806 	free_userattr(user_entry);	/* OK to use, checks for NULL */
807 
808 	/* since proc uid/gid not yet updated */
809 	if (adt_set_user(ah, pwd->pw_uid, pwd->pw_gid, pwd->pw_uid,
810 	    pwd->pw_gid, NULL, ADT_USER) != 0) {
811 		syslog(LOG_AUTH | LOG_ERR,
812 		    "adt_set_user(ADT_su, ADT_FAILURE): %m");
813 	}
814 	if ((event = adt_alloc_event(ah, event_id)) == NULL) {
815 		syslog(LOG_AUTH | LOG_ALERT, "adt_alloc_event(ADT_su): %m");
816 	} else if (adt_put_event(event, ADT_SUCCESS, ADT_SUCCESS) != 0) {
817 		syslog(LOG_AUTH | LOG_ALERT,
818 		    "adt_put_event(ADT_su, ADT_SUCCESS): %m");
819 	}
820 
821 	if (pw_change == PW_TRUE) {
822 		/* Also audit password change */
823 		adt_free_event(event);
824 		if ((event = adt_alloc_event(ah, ADT_passwd)) == NULL) {
825 			syslog(LOG_AUTH | LOG_ALERT,
826 			    "adt_alloc_event(ADT_passwd): %m");
827 		} else if (adt_put_event(event, ADT_SUCCESS,
828 		    ADT_SUCCESS) != 0) {
829 			syslog(LOG_AUTH | LOG_ALERT,
830 			    "adt_put_event(ADT_passwd, ADT_SUCCESS): %m");
831 		}
832 	}
833 	adt_free_event(event);
834 	/*
835 	 * The preceeding code is a noop if audit isn't enabled,
836 	 * but, let's not make a new process when it's not necessary.
837 	 */
838 	if (adt_audit_state(AUC_AUDITING)) {
839 		audit_logout(ah, event_id);	/* fork to catch logout */
840 	}
841 	(void) adt_end_session(ah);
842 }
843 
844 
845 /*
846  * audit_logout - audit successful su logout
847  *
848  *	Entry	ah = Successful su audit handle
849  *		event_id = su event ID: ADT_su, ADT_role_login
850  *
851  *	Exit	Errors are just ignored and we go on.
852  *		su logout event written.
853  */
854 static void
855 audit_logout(adt_session_data_t *ah, au_event_t event_id)
856 {
857 	adt_event_data_t	*event;
858 	int			status;		/* wait status */
859 	pid_t			pid;
860 	priv_set_t		*priv;		/* waiting process privs */
861 
862 	if (event_id == ADT_su) {
863 		event_id = ADT_su_logout;
864 	} else {
865 		event_id = ADT_role_logout;
866 	}
867 	if ((event = adt_alloc_event(ah, event_id)) == NULL) {
868 		syslog(LOG_AUTH | LOG_ALERT,
869 		    "adt_alloc_event(ADT_su_logout): %m");
870 		return;
871 	}
872 	if ((priv = priv_allocset())  == NULL) {
873 		syslog(LOG_AUTH | LOG_ALERT,
874 		    "su audit_logout: could not alloc basic privs: %m");
875 		adt_free_event(event);
876 		return;
877 	}
878 
879 	/*
880 	 * The child returns and continues su processing.
881 	 * The parent's sole job is to wait for child exit, write the
882 	 * logout audit record, and replay the child's exit code.
883 	 */
884 	if ((pid = fork()) == 0) {
885 		/* child */
886 
887 		adt_free_event(event);
888 		priv_freeset(priv);
889 		return;
890 	}
891 	if (pid == -1) {
892 		/* failure */
893 
894 		syslog(LOG_AUTH | LOG_ALERT,
895 		    "su audit_logout: could not fork: %m");
896 		adt_free_event(event);
897 		priv_freeset(priv);
898 		return;
899 	}
900 
901 	/* parent process */
902 
903 	/*
904 	 * When this routine is called, the current working
905 	 * directory is the unknown and there are unknown open
906 	 * files. For the waiting process, change the current
907 	 * directory to root and close open files so that
908 	 * directories can be unmounted if necessary.
909 	 */
910 	if (chdir("/") != 0) {
911 		syslog(LOG_AUTH | LOG_ALERT,
912 		    "su audit_logout: could not chdir /: %m");
913 	}
914 	/*
915 	 * Reduce privileges to just those needed.
916 	 */
917 	priv_basicset(priv);
918 	(void) priv_delset(priv, PRIV_PROC_EXEC);
919 	(void) priv_delset(priv, PRIV_PROC_FORK);
920 	(void) priv_delset(priv, PRIV_PROC_INFO);
921 	(void) priv_delset(priv, PRIV_PROC_SESSION);
922 	(void) priv_delset(priv, PRIV_FILE_LINK_ANY);
923 	if ((priv_addset(priv, PRIV_PROC_AUDIT) != 0) ||
924 	    (setppriv(PRIV_SET, PRIV_PERMITTED, priv) != 0)) {
925 		syslog(LOG_AUTH | LOG_ALERT,
926 		    "su audit_logout: could not reduce privs: %m");
927 	}
928 	closefrom(0);
929 	priv_freeset(priv);
930 
931 	for (;;) {
932 		if (pid != waitpid(pid, &status, WUNTRACED)) {
933 			if (errno == ECHILD) {
934 				/*
935 				 * No existing child with the given pid. Lets
936 				 * audit the logout.
937 				 */
938 				break;
939 			}
940 			continue;
941 		}
942 
943 		if (WIFEXITED(status) || WIFSIGNALED(status)) {
944 			/*
945 			 * The child shell exited or was terminated by
946 			 * a signal. Lets audit logout.
947 			 */
948 			break;
949 		} else if (WIFSTOPPED(status)) {
950 			pid_t pgid;
951 			int fd;
952 			void (*sg_handler)();
953 			/*
954 			 * The child shell has been stopped/suspended.
955 			 * We need to suspend here as well and pass down
956 			 * the control to the parent process.
957 			 */
958 			sg_handler = signal(WSTOPSIG(status), SIG_DFL);
959 			(void) sigsend(P_PGID, getpgrp(), WSTOPSIG(status));
960 			/*
961 			 * We stop here. When resumed, mark the child
962 			 * shell group as foreground process group
963 			 * which gives the child shell a control over
964 			 * the controlling terminal.
965 			 */
966 			(void) signal(WSTOPSIG(status), sg_handler);
967 
968 			pgid = getpgid(pid);
969 			if ((fd = open("/dev/tty", O_RDWR)) != -1) {
970 				/*
971 				 * Pass down the control over the controlling
972 				 * terminal iff we are in a foreground process
973 				 * group. Otherwise, we are in a background
974 				 * process group and the kernel will send
975 				 * SIGTTOU signal to stop us (by default).
976 				 */
977 				if (tcgetpgrp(fd) == getpgrp()) {
978 					(void) tcsetpgrp(fd, pgid);
979 				}
980 				(void) close(fd);
981 			}
982 			/* Wake up the child shell */
983 			(void) sigsend(P_PGID, pgid, SIGCONT);
984 		}
985 	}
986 
987 	(void) adt_put_event(event, ADT_SUCCESS, ADT_SUCCESS);
988 	adt_free_event(event);
989 	(void) adt_end_session(ah);
990 	exit(WEXITSTATUS(status));
991 }
992 
993 
994 /*
995  * audit_failure - audit failed su
996  *
997  *	Entry	New audit context not set.
998  *		pw_change == PW_FALSE, if no password change requested.
999  *			     PW_FAILED, if failed password change audit
1000  *				      required.
1001  *		pwd = NULL, or password entry to use.
1002  *		user = username entered.  Add to record if pwd == NULL.
1003  *		pamerr = PAM error code; reason for failure.
1004  */
1005 
1006 static void
1007 audit_failure(int pw_change, struct passwd *pwd, char *user, int pamerr)
1008 {
1009 	adt_session_data_t	*ah;	/* audit session handle */
1010 	adt_event_data_t	*event;	/* event to generate */
1011 	au_event_t		event_id = ADT_su;
1012 	userattr_t		*user_entry;
1013 	char			*kva_value;
1014 
1015 	if (adt_start_session(&ah, NULL, ADT_USE_PROC_DATA) != 0) {
1016 		syslog(LOG_AUTH | LOG_ALERT,
1017 		    "adt_start_session(ADT_su, ADT_FAILURE): %m");
1018 		return;
1019 	}
1020 
1021 	if (pwd != NULL) {
1022 		/* target user authenticated, merge audit state */
1023 		if (adt_set_user(ah, pwd->pw_uid, pwd->pw_gid, pwd->pw_uid,
1024 		    pwd->pw_gid, NULL, ADT_UPDATE) != 0) {
1025 			syslog(LOG_AUTH | LOG_ERR,
1026 			    "adt_set_user(ADT_su, ADT_FAILURE): %m");
1027 		}
1028 		if (((user_entry = getusernam(pwd->pw_name)) != NULL) &&
1029 		    ((kva_value = kva_match((kva_t *)user_entry->attr,
1030 		    USERATTR_TYPE_KW)) != NULL) &&
1031 		    ((strcmp(kva_value, USERATTR_TYPE_NONADMIN_KW) == 0) ||
1032 		    (strcmp(kva_value, USERATTR_TYPE_ADMIN_KW) == 0))) {
1033 			event_id = ADT_role_login;
1034 		}
1035 		free_userattr(user_entry);	/* OK to use, checks for NULL */
1036 	}
1037 	if ((event = adt_alloc_event(ah, event_id)) == NULL) {
1038 		syslog(LOG_AUTH | LOG_ALERT,
1039 		    "adt_alloc_event(ADT_su, ADT_FAILURE): %m");
1040 		return;
1041 	}
1042 	/*
1043 	 * can't tell if user not found is a role, so always use su
1044 	 * If we do pass in pwd when the JNI is fixed, then can
1045 	 * distinguish and set name in both su and role_login
1046 	 */
1047 	if (pwd == NULL) {
1048 		/*
1049 		 * this should be "fail_user" rather than "message"
1050 		 * see adt_xml.  The JNI breaks, so for now we leave
1051 		 * this alone.
1052 		 */
1053 		event->adt_su.message = user;
1054 	}
1055 	if (adt_put_event(event, ADT_FAILURE,
1056 	    ADT_FAIL_PAM + pamerr) != 0) {
1057 		syslog(LOG_AUTH | LOG_ALERT,
1058 		    "adt_put_event(ADT_su(ADT_FAIL, %s): %m",
1059 		    pam_strerror(pamh, pamerr));
1060 	}
1061 	if (pw_change != PW_FALSE) {
1062 		/* Also audit password change failed */
1063 		adt_free_event(event);
1064 		if ((event = adt_alloc_event(ah, ADT_passwd)) == NULL) {
1065 			syslog(LOG_AUTH | LOG_ALERT,
1066 			    "su: adt_alloc_event(ADT_passwd): %m");
1067 		} else if (adt_put_event(event, ADT_FAILURE,
1068 		    ADT_FAIL_PAM + pamerr) != 0) {
1069 			syslog(LOG_AUTH | LOG_ALERT,
1070 			    "su: adt_put_event(ADT_passwd, ADT_FAILURE): %m");
1071 		}
1072 	}
1073 	adt_free_event(event);
1074 	(void) adt_end_session(ah);
1075 }
1076 
1077 #ifdef DYNAMIC_SU
1078 /*
1079  * su_conv():
1080  *	This is the conv (conversation) function called from
1081  *	a PAM authentication module to print error messages
1082  *	or garner information from the user.
1083  */
1084 /*ARGSUSED*/
1085 static int
1086 su_conv(int num_msg, struct pam_message **msg, struct pam_response **response,
1087     void *appdata_ptr)
1088 {
1089 	struct pam_message	*m;
1090 	struct pam_response	*r;
1091 	char			*temp;
1092 	int			k;
1093 	char			respbuf[PAM_MAX_RESP_SIZE];
1094 
1095 	if (num_msg <= 0)
1096 		return (PAM_CONV_ERR);
1097 
1098 	*response = (struct pam_response *)calloc(num_msg,
1099 	    sizeof (struct pam_response));
1100 	if (*response == NULL)
1101 		return (PAM_BUF_ERR);
1102 
1103 	k = num_msg;
1104 	m = *msg;
1105 	r = *response;
1106 	while (k--) {
1107 
1108 		switch (m->msg_style) {
1109 
1110 		case PAM_PROMPT_ECHO_OFF:
1111 			errno = 0;
1112 			temp = getpassphrase(m->msg);
1113 			if (errno == EINTR)
1114 				return (PAM_CONV_ERR);
1115 			if (temp != NULL) {
1116 				r->resp = strdup(temp);
1117 				if (r->resp == NULL) {
1118 					freeresponse(num_msg, response);
1119 					return (PAM_BUF_ERR);
1120 				}
1121 			}
1122 			break;
1123 
1124 		case PAM_PROMPT_ECHO_ON:
1125 			if (m->msg != NULL) {
1126 				(void) fputs(m->msg, stdout);
1127 			}
1128 
1129 			(void) fgets(respbuf, sizeof (respbuf), stdin);
1130 			temp = strchr(respbuf, '\n');
1131 			if (temp != NULL)
1132 				*temp = '\0';
1133 
1134 			r->resp = strdup(respbuf);
1135 			if (r->resp == NULL) {
1136 				freeresponse(num_msg, response);
1137 				return (PAM_BUF_ERR);
1138 			}
1139 			break;
1140 
1141 		case PAM_ERROR_MSG:
1142 			if (m->msg != NULL) {
1143 				(void) fputs(m->msg, stderr);
1144 				(void) fputs("\n", stderr);
1145 			}
1146 			break;
1147 
1148 		case PAM_TEXT_INFO:
1149 			if (m->msg != NULL) {
1150 				(void) fputs(m->msg, stdout);
1151 				(void) fputs("\n", stdout);
1152 			}
1153 			break;
1154 
1155 		default:
1156 			break;
1157 		}
1158 		m++;
1159 		r++;
1160 	}
1161 	return (PAM_SUCCESS);
1162 }
1163 
1164 /*
1165  * emb_su_conv():
1166  *	This is the conv (conversation) function called from
1167  *	a PAM authentication module to print error messages
1168  *	or garner information from the user.
1169  *	This version is used for embedded_su.
1170  */
1171 /*ARGSUSED*/
1172 static int
1173 emb_su_conv(int num_msg, struct pam_message **msg,
1174     struct pam_response **response, void *appdata_ptr)
1175 {
1176 	struct pam_message	*m;
1177 	struct pam_response	*r;
1178 	char			*temp;
1179 	int			k;
1180 	char			respbuf[PAM_MAX_RESP_SIZE];
1181 
1182 	if (num_msg <= 0)
1183 		return (PAM_CONV_ERR);
1184 
1185 	*response = (struct pam_response *)calloc(num_msg,
1186 	    sizeof (struct pam_response));
1187 	if (*response == NULL)
1188 		return (PAM_BUF_ERR);
1189 
1190 	/* First, send the prompts */
1191 	(void) printf("CONV %d\n", num_msg);
1192 	k = num_msg;
1193 	m = *msg;
1194 	while (k--) {
1195 		switch (m->msg_style) {
1196 
1197 		case PAM_PROMPT_ECHO_OFF:
1198 			(void) puts("PAM_PROMPT_ECHO_OFF");
1199 			goto msg_common;
1200 
1201 		case PAM_PROMPT_ECHO_ON:
1202 			(void) puts("PAM_PROMPT_ECHO_ON");
1203 			goto msg_common;
1204 
1205 		case PAM_ERROR_MSG:
1206 			(void) puts("PAM_ERROR_MSG");
1207 			goto msg_common;
1208 
1209 		case PAM_TEXT_INFO:
1210 			(void) puts("PAM_TEXT_INFO");
1211 			/* fall through to msg_common */
1212 msg_common:
1213 			if (m->msg == NULL)
1214 				quotemsg(NULL);
1215 			else
1216 				quotemsg("%s", m->msg);
1217 			break;
1218 
1219 		default:
1220 			break;
1221 		}
1222 		m++;
1223 	}
1224 
1225 	/* Next, collect the responses */
1226 	k = num_msg;
1227 	m = *msg;
1228 	r = *response;
1229 	while (k--) {
1230 
1231 		switch (m->msg_style) {
1232 
1233 		case PAM_PROMPT_ECHO_OFF:
1234 		case PAM_PROMPT_ECHO_ON:
1235 			(void) fgets(respbuf, sizeof (respbuf), stdin);
1236 
1237 			temp = strchr(respbuf, '\n');
1238 			if (temp != NULL)
1239 				*temp = '\0';
1240 
1241 			r->resp = strdup(respbuf);
1242 			if (r->resp == NULL) {
1243 				freeresponse(num_msg, response);
1244 				return (PAM_BUF_ERR);
1245 			}
1246 
1247 			break;
1248 
1249 		case PAM_ERROR_MSG:
1250 		case PAM_TEXT_INFO:
1251 			break;
1252 
1253 		default:
1254 			break;
1255 		}
1256 		m++;
1257 		r++;
1258 	}
1259 	return (PAM_SUCCESS);
1260 }
1261 
1262 static void
1263 freeresponse(int num_msg, struct pam_response **response)
1264 {
1265 	struct pam_response *r;
1266 	int i;
1267 
1268 	/* free responses */
1269 	r = *response;
1270 	for (i = 0; i < num_msg; i++, r++) {
1271 		if (r->resp != NULL) {
1272 			/* Zap it in case it's a password */
1273 			(void) memset(r->resp, '\0', strlen(r->resp));
1274 			free(r->resp);
1275 		}
1276 	}
1277 	free(*response);
1278 	*response = NULL;
1279 }
1280 
1281 /*
1282  * Print a message, applying quoting for lines starting with '.'.
1283  *
1284  * I18n note:  \n is "safe" in all locales, and all locales use
1285  * a high-bit-set character to start multibyte sequences, so
1286  * scanning for a \n followed by a '.' is safe.
1287  */
1288 static void
1289 quotemsg(char *fmt, ...)
1290 {
1291 	if (fmt != NULL) {
1292 		char *msg;
1293 		char *p;
1294 		boolean_t bol;
1295 		va_list v;
1296 
1297 		va_start(v, fmt);
1298 		msg = alloc_vsprintf(fmt, v);
1299 		va_end(v);
1300 
1301 		bol = B_TRUE;
1302 		for (p = msg; *p != '\0'; p++) {
1303 			if (bol) {
1304 				if (*p == '.')
1305 					(void) putchar('.');
1306 				bol = B_FALSE;
1307 			}
1308 			(void) putchar(*p);
1309 			if (*p == '\n')
1310 				bol = B_TRUE;
1311 		}
1312 		(void) putchar('\n');
1313 		free(msg);
1314 	}
1315 	(void) putchar('.');
1316 	(void) putchar('\n');
1317 }
1318 
1319 /*
1320  * validate - Check that the account is valid for switching to.
1321  */
1322 static void
1323 validate(char *usernam, int *pw_change)
1324 {
1325 	int error;
1326 	int tries;
1327 
1328 	if ((error = pam_acct_mgmt(pamh, pam_flags)) != PAM_SUCCESS) {
1329 		if (Sulog != NULL)
1330 			log(Sulog, pwd.pw_name, 0);    /* log entry */
1331 		if (error == PAM_NEW_AUTHTOK_REQD) {
1332 			tries = 0;
1333 			message(ERR, gettext("Password for user "
1334 			    "'%s' has expired"), pwd.pw_name);
1335 			while ((error = pam_chauthtok(pamh,
1336 			    PAM_CHANGE_EXPIRED_AUTHTOK)) != PAM_SUCCESS) {
1337 				if ((error == PAM_AUTHTOK_ERR ||
1338 				    error == PAM_TRY_AGAIN) &&
1339 				    (tries++ < DEF_ATTEMPTS)) {
1340 					continue;
1341 				}
1342 				message(ERR, gettext("Sorry"));
1343 				audit_failure(PW_FAILED, &pwd, NULL, error);
1344 				if (dosyslog)
1345 					syslog(LOG_CRIT,
1346 					    "'su %s' failed for %s on %s",
1347 					    pwd.pw_name, usernam, ttyn);
1348 				closelog();
1349 				exit(1);
1350 			}
1351 			*pw_change = PW_TRUE;
1352 			return;
1353 		} else {
1354 			message(ERR, gettext("Sorry"));
1355 			audit_failure(PW_FALSE, &pwd, NULL, error);
1356 			if (dosyslog)
1357 				syslog(LOG_CRIT, "'su %s' failed for %s on %s",
1358 				    pwd.pw_name, usernam, ttyn);
1359 			closelog();
1360 			exit(3);
1361 		}
1362 	}
1363 }
1364 
1365 static char *illegal[] = {
1366 	"SHELL=",
1367 	"HOME=",
1368 	"LOGNAME=",
1369 #ifndef NO_MAIL
1370 	"MAIL=",
1371 #endif
1372 	"CDPATH=",
1373 	"IFS=",
1374 	"PATH=",
1375 	"TZ=",
1376 	"HZ=",
1377 	"TERM=",
1378 	0
1379 };
1380 
1381 /*
1382  * legalenvvar - can PAM modules insert this environmental variable?
1383  */
1384 
1385 static int
1386 legalenvvar(char *s)
1387 {
1388 	register char **p;
1389 
1390 	for (p = illegal; *p; p++)
1391 		if (strncmp(s, *p, strlen(*p)) == 0)
1392 			return (0);
1393 
1394 	if (s[0] == 'L' && s[1] == 'D' && s[2] == '_')
1395 		return (0);
1396 
1397 	return (1);
1398 }
1399 
1400 /*
1401  * The embedded_su protocol allows the client application to supply
1402  * an initialization block terminated by a line with just a "." on it.
1403  *
1404  * This initialization block is currently unused, reserved for future
1405  * expansion.  Ignore it.  This is made very slightly more complex by
1406  * the desire to cleanly ignore input lines of any length, while still
1407  * correctly detecting a line with just a "." on it.
1408  *
1409  * I18n note:  It appears that none of the Solaris-supported locales
1410  * use 0x0a for any purpose other than newline, so looking for '\n'
1411  * seems safe.
1412  * All locales use high-bit-set leadin characters for their multi-byte
1413  * sequences, so a line consisting solely of ".\n" is what it appears
1414  * to be.
1415  */
1416 static void
1417 readinitblock(void)
1418 {
1419 	char buf[100];
1420 	boolean_t bol;
1421 
1422 	bol = B_TRUE;
1423 	for (;;) {
1424 		if (fgets(buf, sizeof (buf), stdin) == NULL)
1425 			return;
1426 		if (bol && strcmp(buf, ".\n") == 0)
1427 			return;
1428 		bol = (strchr(buf, '\n') != NULL);
1429 	}
1430 }
1431 #else	/* !DYNAMIC_SU */
1432 static void
1433 update_audit(struct passwd *pwd)
1434 {
1435 	adt_session_data_t	*ah;	/* audit session handle */
1436 
1437 	if (adt_start_session(&ah, NULL, ADT_USE_PROC_DATA) != 0) {
1438 		message(ERR, gettext("Sorry"));
1439 		if (dosyslog)
1440 			syslog(LOG_CRIT, "'su %s' failed for %s "
1441 			    "cannot start audit session %m",
1442 			    pwd->pw_name, username);
1443 		closelog();
1444 		exit(2);
1445 	}
1446 	if (adt_set_user(ah, pwd->pw_uid, pwd->pw_gid, pwd->pw_uid,
1447 	    pwd->pw_gid, NULL, ADT_UPDATE) != 0) {
1448 		if (dosyslog)
1449 			syslog(LOG_CRIT, "'su %s' failed for %s "
1450 			    "cannot update audit session %m",
1451 			    pwd->pw_name, username);
1452 		closelog();
1453 		exit(2);
1454 	}
1455 }
1456 #endif	/* DYNAMIC_SU */
1457 
1458 /*
1459  * Report an error, either a fatal one, a warning, or a usage message,
1460  * depending on the mode parameter.
1461  */
1462 /*ARGSUSED*/
1463 static void
1464 message(enum messagemode mode, char *fmt, ...)
1465 {
1466 	char *s;
1467 	va_list v;
1468 
1469 	va_start(v, fmt);
1470 	s = alloc_vsprintf(fmt, v);
1471 	va_end(v);
1472 
1473 #ifdef	DYNAMIC_SU
1474 	if (embedded) {
1475 		if (mode == WARN) {
1476 			(void) printf("CONV 1\n");
1477 			(void) printf("PAM_ERROR_MSG\n");
1478 		} else { /* ERR, USAGE */
1479 			(void) printf("ERROR\n");
1480 		}
1481 		if (mode == USAGE) {
1482 			quotemsg("%s", s);
1483 		} else { /* ERR, WARN */
1484 			quotemsg("%s: %s", myname, s);
1485 		}
1486 	} else {
1487 #endif	/* DYNAMIC_SU */
1488 		if (mode == USAGE) {
1489 			(void) fprintf(stderr, "%s\n", s);
1490 		} else { /* ERR, WARN */
1491 			(void) fprintf(stderr, "%s: %s\n", myname, s);
1492 		}
1493 #ifdef	DYNAMIC_SU
1494 	}
1495 #endif	/* DYNAMIC_SU */
1496 
1497 	free(s);
1498 }
1499 
1500 /*
1501  * Return a pointer to the last path component of a.
1502  */
1503 static char *
1504 tail(char *a)
1505 {
1506 	char *p;
1507 
1508 	p = strrchr(a, '/');
1509 	if (p == NULL)
1510 		p = a;
1511 	else
1512 		p++;	/* step over the '/' */
1513 
1514 	return (p);
1515 }
1516 
1517 static char *
1518 alloc_vsprintf(const char *fmt, va_list ap1)
1519 {
1520 	va_list ap2;
1521 	int n;
1522 	char buf[1];
1523 	char *s;
1524 
1525 	/*
1526 	 * We need to scan the argument list twice.  Save off a copy
1527 	 * of the argument list pointer(s) for the second pass.  Note that
1528 	 * we are responsible for va_end'ing our copy.
1529 	 */
1530 	va_copy(ap2, ap1);
1531 
1532 	/*
1533 	 * vsnprintf into a dummy to get a length.  One might
1534 	 * think that passing 0 as the length to snprintf would
1535 	 * do what we want, but it's defined not to.
1536 	 *
1537 	 * Perhaps we should sprintf into a 100 character buffer
1538 	 * or something like that, to avoid two calls to snprintf
1539 	 * in most cases.
1540 	 */
1541 	n = vsnprintf(buf, sizeof (buf), fmt, ap2);
1542 	va_end(ap2);
1543 
1544 	/*
1545 	 * Allocate an appropriately-sized buffer.
1546 	 */
1547 	s = malloc(n + 1);
1548 	if (s == NULL) {
1549 		perror("malloc");
1550 		exit(4);
1551 	}
1552 
1553 	(void) vsnprintf(s, n+1, fmt, ap1);
1554 
1555 	return (s);
1556 }
1557