1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright (c) 1988, 2010, Oracle and/or its affiliates. All rights reserved. 23 * Copyright 2012 Milan Jurik. All rights reserved. 24 * Copyright 2014 Nexenta Systems, Inc. 25 */ 26 /* Copyright (c) 1984, 1986, 1987, 1988, 1989 AT&T */ 27 /* All Rights Reserved */ 28 29 /* Copyright (c) 1987, 1988 Microsoft Corporation */ 30 /* All Rights Reserved */ 31 32 /* 33 * su [-] [name [arg ...]] change userid, `-' changes environment. 34 * If SULOG is defined, all attempts to su to another user are 35 * logged there. 36 * If CONSOLE is defined, all successful attempts to su to uid 0 37 * are also logged there. 38 * 39 * If su cannot create, open, or write entries into SULOG, 40 * (or on the CONSOLE, if defined), the entry will not 41 * be logged -- thus losing a record of the su's attempted 42 * during this period. 43 */ 44 45 #include <stdio.h> 46 #include <sys/types.h> 47 #include <sys/stat.h> 48 #include <sys/param.h> 49 #include <unistd.h> 50 #include <stdlib.h> 51 #include <crypt.h> 52 #include <pwd.h> 53 #include <shadow.h> 54 #include <time.h> 55 #include <signal.h> 56 #include <fcntl.h> 57 #include <string.h> 58 #include <locale.h> 59 #include <syslog.h> 60 #include <sys/utsname.h> 61 #include <sys/wait.h> 62 #include <grp.h> 63 #include <deflt.h> 64 #include <limits.h> 65 #include <errno.h> 66 #include <stdarg.h> 67 #include <user_attr.h> 68 #include <priv.h> 69 70 #include <bsm/adt.h> 71 #include <bsm/adt_event.h> 72 73 #include <security/pam_appl.h> 74 75 #define PATH "/usr/bin:" /* path for users other than root */ 76 #define SUPATH "/usr/sbin:/usr/bin" /* path for root */ 77 #define SUPRMT "PS1=# " /* primary prompt for root */ 78 #define ELIM 128 79 #define ROOT 0 80 #ifdef DYNAMIC_SU 81 #define EMBEDDED_NAME "embedded_su" 82 #define DEF_ATTEMPTS 3 /* attempts to change password */ 83 #endif /* DYNAMIC_SU */ 84 85 #define PW_FALSE 1 /* no password change */ 86 #define PW_TRUE 2 /* successful password change */ 87 #define PW_FAILED 3 /* failed password change */ 88 89 /* 90 * Intervals to sleep after failed su 91 */ 92 #ifndef SLEEPTIME 93 #define SLEEPTIME 4 94 #endif 95 96 #define DEFAULT_LOGIN "/etc/default/login" 97 #define DEFFILE "/etc/default/su" 98 99 100 char *Sulog, *Console; 101 char *Path, *Supath; 102 103 /* 104 * Locale variables to be propagated to "su -" environment 105 */ 106 static char *initvar; 107 static char *initenv[] = { 108 "TZ", "LANG", "LC_CTYPE", 109 "LC_NUMERIC", "LC_TIME", "LC_COLLATE", 110 "LC_MONETARY", "LC_MESSAGES", "LC_ALL", 0}; 111 static char mail[30] = { "MAIL=/var/mail/" }; 112 113 static void envalt(void); 114 static void log(char *, char *, int); 115 static void to(int); 116 117 enum messagemode { USAGE, ERR, WARN }; 118 static void message(enum messagemode, char *, ...); 119 120 static char *alloc_vsprintf(const char *, va_list); 121 static char *tail(char *); 122 123 static void audit_success(int, struct passwd *); 124 static void audit_logout(adt_session_data_t *, au_event_t); 125 static void audit_failure(int, struct passwd *, char *, int); 126 127 #ifdef DYNAMIC_SU 128 static void validate(char *, int *); 129 static int legalenvvar(char *); 130 static int su_conv(int, struct pam_message **, struct pam_response **, void *); 131 static int emb_su_conv(int, struct pam_message **, struct pam_response **, 132 void *); 133 static void freeresponse(int, struct pam_response **response); 134 static struct pam_conv pam_conv = {su_conv, NULL}; 135 static struct pam_conv emb_pam_conv = {emb_su_conv, NULL}; 136 static void quotemsg(char *, ...); 137 static void readinitblock(void); 138 #else /* !DYNAMIC_SU */ 139 static void update_audit(struct passwd *pwd); 140 #endif /* DYNAMIC_SU */ 141 142 static pam_handle_t *pamh = NULL; /* Authentication handle */ 143 struct passwd pwd; 144 char pwdbuf[1024]; /* buffer for getpwnam_r() */ 145 char shell[] = "/usr/bin/sh"; /* default shell */ 146 char safe_shell[] = "/sbin/sh"; /* "fallback" shell */ 147 char su[PATH_MAX] = "su"; /* arg0 for exec of shprog */ 148 char homedir[PATH_MAX] = "HOME="; 149 char logname[20] = "LOGNAME="; 150 char *suprmt = SUPRMT; 151 char termtyp[PATH_MAX] = "TERM="; 152 char *term; 153 char shelltyp[PATH_MAX] = "SHELL="; 154 char *hz; 155 char tznam[PATH_MAX]; 156 char hzname[10] = "HZ="; 157 char path[PATH_MAX] = "PATH="; 158 char supath[PATH_MAX] = "PATH="; 159 char *envinit[ELIM]; 160 extern char **environ; 161 char *ttyn; 162 char *username; /* the invoker */ 163 static int dosyslog = 0; /* use syslog? */ 164 char *myname; 165 #ifdef DYNAMIC_SU 166 int pam_flags = 0; 167 boolean_t embedded = B_FALSE; 168 #endif /* DYNAMIC_SU */ 169 170 int 171 main(int argc, char **argv) 172 { 173 #ifndef DYNAMIC_SU 174 struct spwd sp; 175 char spbuf[1024]; /* buffer for getspnam_r() */ 176 char *password; 177 #endif /* !DYNAMIC_SU */ 178 char *nptr; 179 char *pshell; 180 int eflag = 0; 181 int envidx = 0; 182 uid_t uid; 183 gid_t gid; 184 char *dir, *shprog, *name; 185 char *ptr; 186 char *prog = argv[0]; 187 #ifdef DYNAMIC_SU 188 int sleeptime = SLEEPTIME; 189 char **pam_env = 0; 190 int flags = 0; 191 int retcode; 192 int idx = 0; 193 #endif /* DYNAMIC_SU */ 194 int pw_change = PW_FALSE; 195 196 (void) setlocale(LC_ALL, ""); 197 #if !defined(TEXT_DOMAIN) /* Should be defined by cc -D */ 198 #define TEXT_DOMAIN "SYS_TEST" /* Use this only if it wasn't */ 199 #endif 200 (void) textdomain(TEXT_DOMAIN); 201 202 myname = tail(argv[0]); 203 204 #ifdef DYNAMIC_SU 205 if (strcmp(myname, EMBEDDED_NAME) == 0) { 206 embedded = B_TRUE; 207 setbuf(stdin, NULL); 208 setbuf(stdout, NULL); 209 readinitblock(); 210 } 211 #endif /* DYNAMIC_SU */ 212 213 if (argc > 1 && *argv[1] == '-') { 214 /* Explicitly check for just `-' (no trailing chars) */ 215 if (strlen(argv[1]) == 1) { 216 eflag++; /* set eflag if `-' is specified */ 217 argv++; 218 argc--; 219 } else { 220 message(USAGE, 221 gettext("Usage: %s [-] [ username [ arg ... ] ]"), 222 prog); 223 exit(1); 224 } 225 } 226 227 /* 228 * Determine specified userid, get their password file entry, 229 * and set variables to values in password file entry fields. 230 */ 231 if (argc > 1) { 232 /* 233 * Usernames can't start with a `-', so we check for that to 234 * catch bad usage (like "su - -c ls"). 235 */ 236 if (*argv[1] == '-') { 237 message(USAGE, 238 gettext("Usage: %s [-] [ username [ arg ... ] ]"), 239 prog); 240 exit(1); 241 } else 242 nptr = argv[1]; /* use valid command-line username */ 243 } else 244 nptr = "root"; /* use default "root" username */ 245 246 if (defopen(DEFFILE) == 0) { 247 248 if (Sulog = defread("SULOG=")) 249 Sulog = strdup(Sulog); 250 if (Console = defread("CONSOLE=")) 251 Console = strdup(Console); 252 if (Path = defread("PATH=")) 253 Path = strdup(Path); 254 if (Supath = defread("SUPATH=")) 255 Supath = strdup(Supath); 256 if ((ptr = defread("SYSLOG=")) != NULL) 257 dosyslog = strcmp(ptr, "YES") == 0; 258 259 (void) defopen(NULL); 260 } 261 (void) strlcat(path, (Path) ? Path : PATH, sizeof (path)); 262 (void) strlcat(supath, (Supath) ? Supath : SUPATH, sizeof (supath)); 263 264 if ((ttyn = ttyname(0)) == NULL) 265 if ((ttyn = ttyname(1)) == NULL) 266 if ((ttyn = ttyname(2)) == NULL) 267 ttyn = "/dev/???"; 268 if ((username = cuserid(NULL)) == NULL) 269 username = "(null)"; 270 271 /* 272 * if Sulog defined, create SULOG, if it does not exist, with 273 * mode read/write user. Change owner and group to root 274 */ 275 if (Sulog != NULL) { 276 (void) close(open(Sulog, O_WRONLY | O_APPEND | O_CREAT, 277 (S_IRUSR|S_IWUSR))); 278 (void) chown(Sulog, (uid_t)ROOT, (gid_t)ROOT); 279 } 280 281 #ifdef DYNAMIC_SU 282 if (pam_start(embedded ? EMBEDDED_NAME : "su", nptr, 283 embedded ? &emb_pam_conv : &pam_conv, &pamh) != PAM_SUCCESS) 284 exit(1); 285 if (pam_set_item(pamh, PAM_TTY, ttyn) != PAM_SUCCESS) 286 exit(1); 287 if (getpwuid_r(getuid(), &pwd, pwdbuf, sizeof (pwdbuf)) == NULL || 288 pam_set_item(pamh, PAM_AUSER, pwd.pw_name) != PAM_SUCCESS) 289 exit(1); 290 #endif /* DYNAMIC_SU */ 291 292 openlog("su", LOG_CONS, LOG_AUTH); 293 294 #ifdef DYNAMIC_SU 295 296 /* 297 * Use the same value of sleeptime and password required that 298 * login(1) uses. 299 * This is obtained by reading the file /etc/default/login 300 * using the def*() functions 301 */ 302 if (defopen(DEFAULT_LOGIN) == 0) { 303 if ((ptr = defread("SLEEPTIME=")) != NULL) { 304 sleeptime = atoi(ptr); 305 if (sleeptime < 0 || sleeptime > 5) 306 sleeptime = SLEEPTIME; 307 } 308 309 if ((ptr = defread("PASSREQ=")) != NULL && 310 strcasecmp("YES", ptr) == 0) 311 pam_flags |= PAM_DISALLOW_NULL_AUTHTOK; 312 313 (void) defopen((char *)NULL); 314 } 315 /* 316 * Ignore SIGQUIT and SIGINT 317 */ 318 (void) signal(SIGQUIT, SIG_IGN); 319 (void) signal(SIGINT, SIG_IGN); 320 321 /* call pam_authenticate() to authenticate the user through PAM */ 322 if (getpwnam_r(nptr, &pwd, pwdbuf, sizeof (pwdbuf)) == NULL) 323 retcode = PAM_USER_UNKNOWN; 324 else if ((flags = (getuid() != (uid_t)ROOT)) != 0) { 325 retcode = pam_authenticate(pamh, pam_flags); 326 } else /* root user does not need to authenticate */ 327 retcode = PAM_SUCCESS; 328 329 if (retcode != PAM_SUCCESS) { 330 /* 331 * 1st step: audit and log the error. 332 * 2nd step: sleep. 333 * 3rd step: print out message to user. 334 */ 335 /* don't let audit_failure distinguish a role here */ 336 audit_failure(PW_FALSE, NULL, nptr, retcode); 337 switch (retcode) { 338 case PAM_USER_UNKNOWN: 339 closelog(); 340 (void) sleep(sleeptime); 341 message(ERR, gettext("Unknown id: %s"), nptr); 342 break; 343 344 case PAM_AUTH_ERR: 345 if (Sulog != NULL) 346 log(Sulog, nptr, 0); /* log entry */ 347 if (dosyslog) 348 syslog(LOG_CRIT, "'su %s' failed for %s on %s", 349 pwd.pw_name, username, ttyn); 350 closelog(); 351 (void) sleep(sleeptime); 352 message(ERR, gettext("Sorry")); 353 break; 354 355 case PAM_CONV_ERR: 356 default: 357 if (dosyslog) 358 syslog(LOG_CRIT, "'su %s' failed for %s on %s", 359 pwd.pw_name, username, ttyn); 360 closelog(); 361 (void) sleep(sleeptime); 362 message(ERR, gettext("Sorry")); 363 break; 364 } 365 366 (void) signal(SIGQUIT, SIG_DFL); 367 (void) signal(SIGINT, SIG_DFL); 368 exit(1); 369 } 370 if (flags) 371 validate(username, &pw_change); 372 if (pam_setcred(pamh, PAM_REINITIALIZE_CRED) != PAM_SUCCESS) { 373 message(ERR, gettext("unable to set credentials")); 374 exit(2); 375 } 376 if (dosyslog) 377 syslog(pwd.pw_uid == 0 ? LOG_NOTICE : LOG_INFO, 378 "'su %s' succeeded for %s on %s", 379 pwd.pw_name, username, ttyn); 380 closelog(); 381 (void) signal(SIGQUIT, SIG_DFL); 382 (void) signal(SIGINT, SIG_DFL); 383 #else /* !DYNAMIC_SU */ 384 if ((getpwnam_r(nptr, &pwd, pwdbuf, sizeof (pwdbuf)) == NULL) || 385 (getspnam_r(nptr, &sp, spbuf, sizeof (spbuf)) == NULL)) { 386 message(ERR, gettext("Unknown id: %s"), nptr); 387 audit_failure(PW_FALSE, NULL, nptr, PAM_USER_UNKNOWN); 388 closelog(); 389 exit(1); 390 } 391 392 /* 393 * Prompt for password if invoking user is not root or 394 * if specified(new) user requires a password 395 */ 396 if (sp.sp_pwdp[0] == '\0' || getuid() == (uid_t)ROOT) 397 goto ok; 398 password = getpass(gettext("Password:")); 399 400 if ((strcmp(sp.sp_pwdp, crypt(password, sp.sp_pwdp)) != 0)) { 401 /* clear password file entry */ 402 (void) memset((void *)spbuf, 0, sizeof (spbuf)); 403 if (Sulog != NULL) 404 log(Sulog, nptr, 0); /* log entry */ 405 message(ERR, gettext("Sorry")); 406 audit_failure(PW_FALSE, NULL, nptr, PAM_AUTH_ERR); 407 if (dosyslog) 408 syslog(LOG_CRIT, "'su %s' failed for %s on %s", 409 pwd.pw_name, username, ttyn); 410 closelog(); 411 exit(2); 412 } 413 /* clear password file entry */ 414 (void) memset((void *)spbuf, 0, sizeof (spbuf)); 415 ok: 416 /* update audit session in a non-pam environment */ 417 update_audit(&pwd); 418 if (dosyslog) 419 syslog(pwd.pw_uid == 0 ? LOG_NOTICE : LOG_INFO, 420 "'su %s' succeeded for %s on %s", 421 pwd.pw_name, username, ttyn); 422 #endif /* DYNAMIC_SU */ 423 424 audit_success(pw_change, &pwd); 425 uid = pwd.pw_uid; 426 gid = pwd.pw_gid; 427 dir = strdup(pwd.pw_dir); 428 shprog = strdup(pwd.pw_shell); 429 name = strdup(pwd.pw_name); 430 431 if (Sulog != NULL) 432 log(Sulog, nptr, 1); /* log entry */ 433 434 /* set user and group ids to specified user */ 435 436 /* set the real (and effective) GID */ 437 if (setgid(gid) == -1) { 438 message(ERR, gettext("Invalid GID")); 439 exit(2); 440 } 441 /* Initialize the supplementary group access list. */ 442 if (!nptr) 443 exit(2); 444 if (initgroups(nptr, gid) == -1) { 445 exit(2); 446 } 447 /* set the real (and effective) UID */ 448 if (setuid(uid) == -1) { 449 message(ERR, gettext("Invalid UID")); 450 exit(2); 451 } 452 453 /* 454 * If new user's shell field is neither NULL nor equal to /usr/bin/sh, 455 * set: 456 * 457 * pshell = their shell 458 * su = [-]last component of shell's pathname 459 * 460 * Otherwise, set the shell to /usr/bin/sh and set argv[0] to '[-]su'. 461 */ 462 if (shprog[0] != '\0' && strcmp(shell, shprog) != 0) { 463 char *p; 464 465 pshell = shprog; 466 (void) strcpy(su, eflag ? "-" : ""); 467 468 if ((p = strrchr(pshell, '/')) != NULL) 469 (void) strlcat(su, p + 1, sizeof (su)); 470 else 471 (void) strlcat(su, pshell, sizeof (su)); 472 } else { 473 pshell = shell; 474 (void) strcpy(su, eflag ? "-su" : "su"); 475 } 476 477 /* 478 * set environment variables for new user; 479 * arg0 for exec of shprog must now contain `-' 480 * so that environment of new user is given 481 */ 482 if (eflag) { 483 int j; 484 char *var; 485 486 if (strlen(dir) == 0) { 487 (void) strcpy(dir, "/"); 488 message(WARN, gettext("No directory! Using home=/")); 489 } 490 (void) strlcat(homedir, dir, sizeof (homedir)); 491 (void) strlcat(logname, name, sizeof (logname)); 492 if (hz = getenv("HZ")) 493 (void) strlcat(hzname, hz, sizeof (hzname)); 494 495 (void) strlcat(shelltyp, pshell, sizeof (shelltyp)); 496 497 if (chdir(dir) < 0) { 498 message(ERR, gettext("No directory!")); 499 exit(1); 500 } 501 envinit[envidx = 0] = homedir; 502 envinit[++envidx] = ((uid == (uid_t)ROOT) ? supath : path); 503 envinit[++envidx] = logname; 504 envinit[++envidx] = hzname; 505 if ((term = getenv("TERM")) != NULL) { 506 (void) strlcat(termtyp, term, sizeof (termtyp)); 507 envinit[++envidx] = termtyp; 508 } 509 envinit[++envidx] = shelltyp; 510 511 (void) strlcat(mail, name, sizeof (mail)); 512 envinit[++envidx] = mail; 513 514 /* 515 * Fetch the relevant locale/TZ environment variables from 516 * the inherited environment. 517 * 518 * We have a priority here for setting TZ. If TZ is set in 519 * in the inherited environment, that value remains top 520 * priority. If the file /etc/default/login has TIMEZONE set, 521 * that has second highest priority. 522 */ 523 tznam[0] = '\0'; 524 for (j = 0; initenv[j] != 0; j++) { 525 if (initvar = getenv(initenv[j])) { 526 527 /* 528 * Skip over values beginning with '/' for 529 * security. 530 */ 531 if (initvar[0] == '/') continue; 532 533 if (strcmp(initenv[j], "TZ") == 0) { 534 (void) strcpy(tznam, "TZ="); 535 (void) strlcat(tznam, initvar, 536 sizeof (tznam)); 537 538 } else { 539 var = (char *) 540 malloc(strlen(initenv[j]) 541 + strlen(initvar) 542 + 2); 543 if (var == NULL) { 544 perror("malloc"); 545 exit(4); 546 } 547 (void) strcpy(var, initenv[j]); 548 (void) strcat(var, "="); 549 (void) strcat(var, initvar); 550 envinit[++envidx] = var; 551 } 552 } 553 } 554 555 /* 556 * Check if TZ was found. If not then try to read it from 557 * /etc/default/login. 558 */ 559 if (tznam[0] == '\0') { 560 if (defopen(DEFAULT_LOGIN) == 0) { 561 if (initvar = defread("TIMEZONE=")) { 562 (void) strcpy(tznam, "TZ="); 563 (void) strlcat(tznam, initvar, 564 sizeof (tznam)); 565 } 566 (void) defopen(NULL); 567 } 568 } 569 570 if (tznam[0] != '\0') 571 envinit[++envidx] = tznam; 572 573 #ifdef DYNAMIC_SU 574 /* 575 * set the PAM environment variables - 576 * check for legal environment variables 577 */ 578 if ((pam_env = pam_getenvlist(pamh)) != 0) { 579 while (pam_env[idx] != 0) { 580 if (envidx + 2 < ELIM && 581 legalenvvar(pam_env[idx])) { 582 envinit[++envidx] = pam_env[idx]; 583 } 584 idx++; 585 } 586 } 587 #endif /* DYNAMIC_SU */ 588 envinit[++envidx] = NULL; 589 environ = envinit; 590 } else { 591 char **pp = environ, **qq, *p; 592 593 while ((p = *pp) != NULL) { 594 if (*p == 'L' && p[1] == 'D' && p[2] == '_') { 595 for (qq = pp; (*qq = qq[1]) != NULL; qq++) 596 ; 597 /* pp is not advanced */ 598 } else { 599 pp++; 600 } 601 } 602 } 603 604 #ifdef DYNAMIC_SU 605 if (pamh) 606 (void) pam_end(pamh, PAM_SUCCESS); 607 #endif /* DYNAMIC_SU */ 608 609 /* 610 * if new user is root: 611 * if CONSOLE defined, log entry there; 612 * if eflag not set, change environment to that of root. 613 */ 614 if (uid == (uid_t)ROOT) { 615 if (Console != NULL) 616 if (strcmp(ttyn, Console) != 0) { 617 (void) signal(SIGALRM, to); 618 (void) alarm(30); 619 log(Console, nptr, 1); 620 (void) alarm(0); 621 } 622 if (!eflag) 623 envalt(); 624 } 625 626 /* 627 * Default for SIGCPU and SIGXFSZ. Shells inherit 628 * signal disposition from parent. And the 629 * shells should have default dispositions for these 630 * signals. 631 */ 632 (void) signal(SIGXCPU, SIG_DFL); 633 (void) signal(SIGXFSZ, SIG_DFL); 634 635 #ifdef DYNAMIC_SU 636 if (embedded) { 637 (void) puts("SUCCESS"); 638 /* 639 * After this point, we're no longer talking the 640 * embedded_su protocol, so turn it off. 641 */ 642 embedded = B_FALSE; 643 } 644 #endif /* DYNAMIC_SU */ 645 646 /* 647 * if additional arguments, exec shell program with array 648 * of pointers to arguments: 649 * -> if shell = default, then su = [-]su 650 * -> if shell != default, then su = [-]last component of 651 * shell's pathname 652 * 653 * if no additional arguments, exec shell with arg0 of su 654 * where: 655 * -> if shell = default, then su = [-]su 656 * -> if shell != default, then su = [-]last component of 657 * shell's pathname 658 */ 659 if (argc > 2) { 660 argv[1] = su; 661 (void) execv(pshell, &argv[1]); 662 } else 663 (void) execl(pshell, su, 0); 664 665 666 /* 667 * Try to clean up after an administrator who has made a mistake 668 * configuring root's shell; if root's shell is other than /sbin/sh, 669 * try exec'ing /sbin/sh instead. 670 */ 671 if ((uid == (uid_t)ROOT) && (strcmp(name, "root") == 0) && 672 (strcmp(safe_shell, pshell) != 0)) { 673 message(WARN, 674 gettext("No shell %s. Trying fallback shell %s."), 675 pshell, safe_shell); 676 677 if (eflag) { 678 (void) strcpy(su, "-sh"); 679 (void) strlcpy(shelltyp + strlen("SHELL="), 680 safe_shell, sizeof (shelltyp) - strlen("SHELL=")); 681 } else { 682 (void) strcpy(su, "sh"); 683 } 684 685 if (argc > 2) { 686 argv[1] = su; 687 (void) execv(safe_shell, &argv[1]); 688 } else { 689 (void) execl(safe_shell, su, 0); 690 } 691 message(ERR, gettext("Couldn't exec fallback shell %s: %s"), 692 safe_shell, strerror(errno)); 693 } else { 694 message(ERR, gettext("No shell")); 695 } 696 return (3); 697 } 698 699 /* 700 * Environment altering routine - 701 * This routine is called when a user is su'ing to root 702 * without specifying the - flag. 703 * The user's PATH and PS1 variables are reset 704 * to the correct value for root. 705 * All of the user's other environment variables retain 706 * their current values after the su (if they are exported). 707 */ 708 static void 709 envalt(void) 710 { 711 /* 712 * If user has PATH variable in their environment, change its value 713 * to /bin:/etc:/usr/bin ; 714 * if user does not have PATH variable, add it to the user's 715 * environment; 716 * if either of the above fail, an error message is printed. 717 */ 718 if (putenv(supath) != 0) { 719 message(ERR, 720 gettext("unable to obtain memory to expand environment")); 721 exit(4); 722 } 723 724 /* 725 * If user has PROMPT variable in their environment, change its value 726 * to # ; 727 * if user does not have PROMPT variable, add it to the user's 728 * environment; 729 * if either of the above fail, an error message is printed. 730 */ 731 if (putenv(suprmt) != 0) { 732 message(ERR, 733 gettext("unable to obtain memory to expand environment")); 734 exit(4); 735 } 736 } 737 738 /* 739 * Logging routine - 740 * where = SULOG or CONSOLE 741 * towho = specified user ( user being su'ed to ) 742 * how = 0 if su attempt failed; 1 if su attempt succeeded 743 */ 744 static void 745 log(char *where, char *towho, int how) 746 { 747 FILE *logf; 748 time_t now; 749 struct tm *tmp; 750 751 /* 752 * open SULOG or CONSOLE - if open fails, return 753 */ 754 if ((logf = fopen(where, "a")) == NULL) 755 return; 756 757 now = time(0); 758 tmp = localtime(&now); 759 760 /* 761 * write entry into SULOG or onto CONSOLE - if write fails, return 762 */ 763 (void) fprintf(logf, "SU %.2d/%.2d %.2d:%.2d %c %s %s-%s\n", 764 tmp->tm_mon + 1, tmp->tm_mday, tmp->tm_hour, tmp->tm_min, 765 how ? '+' : '-', ttyn + sizeof ("/dev/") - 1, username, towho); 766 767 (void) fclose(logf); /* close SULOG or CONSOLE */ 768 } 769 770 /*ARGSUSED*/ 771 static void 772 to(int sig) 773 {} 774 775 /* 776 * audit_success - audit successful su 777 * 778 * Entry process audit context established -- i.e., pam_setcred() 779 * or equivalent called. 780 * pw_change = PW_TRUE, if successful password change audit 781 * required. 782 * pwd = passwd entry for new user. 783 */ 784 785 static void 786 audit_success(int pw_change, struct passwd *pwd) 787 { 788 adt_session_data_t *ah = NULL; 789 adt_event_data_t *event; 790 au_event_t event_id = ADT_su; 791 userattr_t *user_entry; 792 char *kva_value; 793 794 if (adt_start_session(&ah, NULL, ADT_USE_PROC_DATA) != 0) { 795 syslog(LOG_AUTH | LOG_ALERT, 796 "adt_start_session(ADT_su): %m"); 797 return; 798 } 799 if (((user_entry = getusernam(pwd->pw_name)) != NULL) && 800 ((kva_value = kva_match((kva_t *)user_entry->attr, 801 USERATTR_TYPE_KW)) != NULL) && 802 ((strcmp(kva_value, USERATTR_TYPE_NONADMIN_KW) == 0) || 803 (strcmp(kva_value, USERATTR_TYPE_ADMIN_KW) == 0))) { 804 event_id = ADT_role_login; 805 } 806 free_userattr(user_entry); /* OK to use, checks for NULL */ 807 808 /* since proc uid/gid not yet updated */ 809 if (adt_set_user(ah, pwd->pw_uid, pwd->pw_gid, pwd->pw_uid, 810 pwd->pw_gid, NULL, ADT_USER) != 0) { 811 syslog(LOG_AUTH | LOG_ERR, 812 "adt_set_user(ADT_su, ADT_FAILURE): %m"); 813 } 814 if ((event = adt_alloc_event(ah, event_id)) == NULL) { 815 syslog(LOG_AUTH | LOG_ALERT, "adt_alloc_event(ADT_su): %m"); 816 } else if (adt_put_event(event, ADT_SUCCESS, ADT_SUCCESS) != 0) { 817 syslog(LOG_AUTH | LOG_ALERT, 818 "adt_put_event(ADT_su, ADT_SUCCESS): %m"); 819 } 820 821 if (pw_change == PW_TRUE) { 822 /* Also audit password change */ 823 adt_free_event(event); 824 if ((event = adt_alloc_event(ah, ADT_passwd)) == NULL) { 825 syslog(LOG_AUTH | LOG_ALERT, 826 "adt_alloc_event(ADT_passwd): %m"); 827 } else if (adt_put_event(event, ADT_SUCCESS, 828 ADT_SUCCESS) != 0) { 829 syslog(LOG_AUTH | LOG_ALERT, 830 "adt_put_event(ADT_passwd, ADT_SUCCESS): %m"); 831 } 832 } 833 adt_free_event(event); 834 /* 835 * The preceeding code is a noop if audit isn't enabled, 836 * but, let's not make a new process when it's not necessary. 837 */ 838 if (adt_audit_state(AUC_AUDITING)) { 839 audit_logout(ah, event_id); /* fork to catch logout */ 840 } 841 (void) adt_end_session(ah); 842 } 843 844 845 /* 846 * audit_logout - audit successful su logout 847 * 848 * Entry ah = Successful su audit handle 849 * event_id = su event ID: ADT_su, ADT_role_login 850 * 851 * Exit Errors are just ignored and we go on. 852 * su logout event written. 853 */ 854 static void 855 audit_logout(adt_session_data_t *ah, au_event_t event_id) 856 { 857 adt_event_data_t *event; 858 int status; /* wait status */ 859 pid_t pid; 860 priv_set_t *priv; /* waiting process privs */ 861 862 if (event_id == ADT_su) { 863 event_id = ADT_su_logout; 864 } else { 865 event_id = ADT_role_logout; 866 } 867 if ((event = adt_alloc_event(ah, event_id)) == NULL) { 868 syslog(LOG_AUTH | LOG_ALERT, 869 "adt_alloc_event(ADT_su_logout): %m"); 870 return; 871 } 872 if ((priv = priv_allocset()) == NULL) { 873 syslog(LOG_AUTH | LOG_ALERT, 874 "su audit_logout: could not alloc basic privs: %m"); 875 adt_free_event(event); 876 return; 877 } 878 879 /* 880 * The child returns and continues su processing. 881 * The parent's sole job is to wait for child exit, write the 882 * logout audit record, and replay the child's exit code. 883 */ 884 if ((pid = fork()) == 0) { 885 /* child */ 886 887 adt_free_event(event); 888 priv_freeset(priv); 889 return; 890 } 891 if (pid == -1) { 892 /* failure */ 893 894 syslog(LOG_AUTH | LOG_ALERT, 895 "su audit_logout: could not fork: %m"); 896 adt_free_event(event); 897 priv_freeset(priv); 898 return; 899 } 900 901 /* parent process */ 902 903 /* 904 * When this routine is called, the current working 905 * directory is the unknown and there are unknown open 906 * files. For the waiting process, change the current 907 * directory to root and close open files so that 908 * directories can be unmounted if necessary. 909 */ 910 if (chdir("/") != 0) { 911 syslog(LOG_AUTH | LOG_ALERT, 912 "su audit_logout: could not chdir /: %m"); 913 } 914 /* 915 * Reduce privileges to just those needed. 916 */ 917 priv_basicset(priv); 918 (void) priv_delset(priv, PRIV_PROC_EXEC); 919 (void) priv_delset(priv, PRIV_PROC_FORK); 920 (void) priv_delset(priv, PRIV_PROC_INFO); 921 (void) priv_delset(priv, PRIV_PROC_SESSION); 922 (void) priv_delset(priv, PRIV_FILE_LINK_ANY); 923 if ((priv_addset(priv, PRIV_PROC_AUDIT) != 0) || 924 (setppriv(PRIV_SET, PRIV_PERMITTED, priv) != 0)) { 925 syslog(LOG_AUTH | LOG_ALERT, 926 "su audit_logout: could not reduce privs: %m"); 927 } 928 closefrom(0); 929 priv_freeset(priv); 930 931 for (;;) { 932 if (pid != waitpid(pid, &status, WUNTRACED)) { 933 if (errno == ECHILD) { 934 /* 935 * No existing child with the given pid. Lets 936 * audit the logout. 937 */ 938 break; 939 } 940 continue; 941 } 942 943 if (WIFEXITED(status) || WIFSIGNALED(status)) { 944 /* 945 * The child shell exited or was terminated by 946 * a signal. Lets audit logout. 947 */ 948 break; 949 } else if (WIFSTOPPED(status)) { 950 pid_t pgid; 951 int fd; 952 void (*sg_handler)(); 953 /* 954 * The child shell has been stopped/suspended. 955 * We need to suspend here as well and pass down 956 * the control to the parent process. 957 */ 958 sg_handler = signal(WSTOPSIG(status), SIG_DFL); 959 (void) sigsend(P_PGID, getpgrp(), WSTOPSIG(status)); 960 /* 961 * We stop here. When resumed, mark the child 962 * shell group as foreground process group 963 * which gives the child shell a control over 964 * the controlling terminal. 965 */ 966 (void) signal(WSTOPSIG(status), sg_handler); 967 968 pgid = getpgid(pid); 969 if ((fd = open("/dev/tty", O_RDWR)) != -1) { 970 /* 971 * Pass down the control over the controlling 972 * terminal iff we are in a foreground process 973 * group. Otherwise, we are in a background 974 * process group and the kernel will send 975 * SIGTTOU signal to stop us (by default). 976 */ 977 if (tcgetpgrp(fd) == getpgrp()) { 978 (void) tcsetpgrp(fd, pgid); 979 } 980 (void) close(fd); 981 } 982 /* Wake up the child shell */ 983 (void) sigsend(P_PGID, pgid, SIGCONT); 984 } 985 } 986 987 (void) adt_put_event(event, ADT_SUCCESS, ADT_SUCCESS); 988 adt_free_event(event); 989 (void) adt_end_session(ah); 990 exit(WEXITSTATUS(status)); 991 } 992 993 994 /* 995 * audit_failure - audit failed su 996 * 997 * Entry New audit context not set. 998 * pw_change == PW_FALSE, if no password change requested. 999 * PW_FAILED, if failed password change audit 1000 * required. 1001 * pwd = NULL, or password entry to use. 1002 * user = username entered. Add to record if pwd == NULL. 1003 * pamerr = PAM error code; reason for failure. 1004 */ 1005 1006 static void 1007 audit_failure(int pw_change, struct passwd *pwd, char *user, int pamerr) 1008 { 1009 adt_session_data_t *ah; /* audit session handle */ 1010 adt_event_data_t *event; /* event to generate */ 1011 au_event_t event_id = ADT_su; 1012 userattr_t *user_entry; 1013 char *kva_value; 1014 1015 if (adt_start_session(&ah, NULL, ADT_USE_PROC_DATA) != 0) { 1016 syslog(LOG_AUTH | LOG_ALERT, 1017 "adt_start_session(ADT_su, ADT_FAILURE): %m"); 1018 return; 1019 } 1020 1021 if (pwd != NULL) { 1022 /* target user authenticated, merge audit state */ 1023 if (adt_set_user(ah, pwd->pw_uid, pwd->pw_gid, pwd->pw_uid, 1024 pwd->pw_gid, NULL, ADT_UPDATE) != 0) { 1025 syslog(LOG_AUTH | LOG_ERR, 1026 "adt_set_user(ADT_su, ADT_FAILURE): %m"); 1027 } 1028 if (((user_entry = getusernam(pwd->pw_name)) != NULL) && 1029 ((kva_value = kva_match((kva_t *)user_entry->attr, 1030 USERATTR_TYPE_KW)) != NULL) && 1031 ((strcmp(kva_value, USERATTR_TYPE_NONADMIN_KW) == 0) || 1032 (strcmp(kva_value, USERATTR_TYPE_ADMIN_KW) == 0))) { 1033 event_id = ADT_role_login; 1034 } 1035 free_userattr(user_entry); /* OK to use, checks for NULL */ 1036 } 1037 if ((event = adt_alloc_event(ah, event_id)) == NULL) { 1038 syslog(LOG_AUTH | LOG_ALERT, 1039 "adt_alloc_event(ADT_su, ADT_FAILURE): %m"); 1040 return; 1041 } 1042 /* 1043 * can't tell if user not found is a role, so always use su 1044 * If we do pass in pwd when the JNI is fixed, then can 1045 * distinguish and set name in both su and role_login 1046 */ 1047 if (pwd == NULL) { 1048 /* 1049 * this should be "fail_user" rather than "message" 1050 * see adt_xml. The JNI breaks, so for now we leave 1051 * this alone. 1052 */ 1053 event->adt_su.message = user; 1054 } 1055 if (adt_put_event(event, ADT_FAILURE, 1056 ADT_FAIL_PAM + pamerr) != 0) { 1057 syslog(LOG_AUTH | LOG_ALERT, 1058 "adt_put_event(ADT_su(ADT_FAIL, %s): %m", 1059 pam_strerror(pamh, pamerr)); 1060 } 1061 if (pw_change != PW_FALSE) { 1062 /* Also audit password change failed */ 1063 adt_free_event(event); 1064 if ((event = adt_alloc_event(ah, ADT_passwd)) == NULL) { 1065 syslog(LOG_AUTH | LOG_ALERT, 1066 "su: adt_alloc_event(ADT_passwd): %m"); 1067 } else if (adt_put_event(event, ADT_FAILURE, 1068 ADT_FAIL_PAM + pamerr) != 0) { 1069 syslog(LOG_AUTH | LOG_ALERT, 1070 "su: adt_put_event(ADT_passwd, ADT_FAILURE): %m"); 1071 } 1072 } 1073 adt_free_event(event); 1074 (void) adt_end_session(ah); 1075 } 1076 1077 #ifdef DYNAMIC_SU 1078 /* 1079 * su_conv(): 1080 * This is the conv (conversation) function called from 1081 * a PAM authentication module to print error messages 1082 * or garner information from the user. 1083 */ 1084 /*ARGSUSED*/ 1085 static int 1086 su_conv(int num_msg, struct pam_message **msg, struct pam_response **response, 1087 void *appdata_ptr) 1088 { 1089 struct pam_message *m; 1090 struct pam_response *r; 1091 char *temp; 1092 int k; 1093 char respbuf[PAM_MAX_RESP_SIZE]; 1094 1095 if (num_msg <= 0) 1096 return (PAM_CONV_ERR); 1097 1098 *response = (struct pam_response *)calloc(num_msg, 1099 sizeof (struct pam_response)); 1100 if (*response == NULL) 1101 return (PAM_BUF_ERR); 1102 1103 k = num_msg; 1104 m = *msg; 1105 r = *response; 1106 while (k--) { 1107 1108 switch (m->msg_style) { 1109 1110 case PAM_PROMPT_ECHO_OFF: 1111 errno = 0; 1112 temp = getpassphrase(m->msg); 1113 if (errno == EINTR) 1114 return (PAM_CONV_ERR); 1115 if (temp != NULL) { 1116 r->resp = strdup(temp); 1117 if (r->resp == NULL) { 1118 freeresponse(num_msg, response); 1119 return (PAM_BUF_ERR); 1120 } 1121 } 1122 break; 1123 1124 case PAM_PROMPT_ECHO_ON: 1125 if (m->msg != NULL) { 1126 (void) fputs(m->msg, stdout); 1127 } 1128 1129 (void) fgets(respbuf, sizeof (respbuf), stdin); 1130 temp = strchr(respbuf, '\n'); 1131 if (temp != NULL) 1132 *temp = '\0'; 1133 1134 r->resp = strdup(respbuf); 1135 if (r->resp == NULL) { 1136 freeresponse(num_msg, response); 1137 return (PAM_BUF_ERR); 1138 } 1139 break; 1140 1141 case PAM_ERROR_MSG: 1142 if (m->msg != NULL) { 1143 (void) fputs(m->msg, stderr); 1144 (void) fputs("\n", stderr); 1145 } 1146 break; 1147 1148 case PAM_TEXT_INFO: 1149 if (m->msg != NULL) { 1150 (void) fputs(m->msg, stdout); 1151 (void) fputs("\n", stdout); 1152 } 1153 break; 1154 1155 default: 1156 break; 1157 } 1158 m++; 1159 r++; 1160 } 1161 return (PAM_SUCCESS); 1162 } 1163 1164 /* 1165 * emb_su_conv(): 1166 * This is the conv (conversation) function called from 1167 * a PAM authentication module to print error messages 1168 * or garner information from the user. 1169 * This version is used for embedded_su. 1170 */ 1171 /*ARGSUSED*/ 1172 static int 1173 emb_su_conv(int num_msg, struct pam_message **msg, 1174 struct pam_response **response, void *appdata_ptr) 1175 { 1176 struct pam_message *m; 1177 struct pam_response *r; 1178 char *temp; 1179 int k; 1180 char respbuf[PAM_MAX_RESP_SIZE]; 1181 1182 if (num_msg <= 0) 1183 return (PAM_CONV_ERR); 1184 1185 *response = (struct pam_response *)calloc(num_msg, 1186 sizeof (struct pam_response)); 1187 if (*response == NULL) 1188 return (PAM_BUF_ERR); 1189 1190 /* First, send the prompts */ 1191 (void) printf("CONV %d\n", num_msg); 1192 k = num_msg; 1193 m = *msg; 1194 while (k--) { 1195 switch (m->msg_style) { 1196 1197 case PAM_PROMPT_ECHO_OFF: 1198 (void) puts("PAM_PROMPT_ECHO_OFF"); 1199 goto msg_common; 1200 1201 case PAM_PROMPT_ECHO_ON: 1202 (void) puts("PAM_PROMPT_ECHO_ON"); 1203 goto msg_common; 1204 1205 case PAM_ERROR_MSG: 1206 (void) puts("PAM_ERROR_MSG"); 1207 goto msg_common; 1208 1209 case PAM_TEXT_INFO: 1210 (void) puts("PAM_TEXT_INFO"); 1211 /* fall through to msg_common */ 1212 msg_common: 1213 if (m->msg == NULL) 1214 quotemsg(NULL); 1215 else 1216 quotemsg("%s", m->msg); 1217 break; 1218 1219 default: 1220 break; 1221 } 1222 m++; 1223 } 1224 1225 /* Next, collect the responses */ 1226 k = num_msg; 1227 m = *msg; 1228 r = *response; 1229 while (k--) { 1230 1231 switch (m->msg_style) { 1232 1233 case PAM_PROMPT_ECHO_OFF: 1234 case PAM_PROMPT_ECHO_ON: 1235 (void) fgets(respbuf, sizeof (respbuf), stdin); 1236 1237 temp = strchr(respbuf, '\n'); 1238 if (temp != NULL) 1239 *temp = '\0'; 1240 1241 r->resp = strdup(respbuf); 1242 if (r->resp == NULL) { 1243 freeresponse(num_msg, response); 1244 return (PAM_BUF_ERR); 1245 } 1246 1247 break; 1248 1249 case PAM_ERROR_MSG: 1250 case PAM_TEXT_INFO: 1251 break; 1252 1253 default: 1254 break; 1255 } 1256 m++; 1257 r++; 1258 } 1259 return (PAM_SUCCESS); 1260 } 1261 1262 static void 1263 freeresponse(int num_msg, struct pam_response **response) 1264 { 1265 struct pam_response *r; 1266 int i; 1267 1268 /* free responses */ 1269 r = *response; 1270 for (i = 0; i < num_msg; i++, r++) { 1271 if (r->resp != NULL) { 1272 /* Zap it in case it's a password */ 1273 (void) memset(r->resp, '\0', strlen(r->resp)); 1274 free(r->resp); 1275 } 1276 } 1277 free(*response); 1278 *response = NULL; 1279 } 1280 1281 /* 1282 * Print a message, applying quoting for lines starting with '.'. 1283 * 1284 * I18n note: \n is "safe" in all locales, and all locales use 1285 * a high-bit-set character to start multibyte sequences, so 1286 * scanning for a \n followed by a '.' is safe. 1287 */ 1288 static void 1289 quotemsg(char *fmt, ...) 1290 { 1291 if (fmt != NULL) { 1292 char *msg; 1293 char *p; 1294 boolean_t bol; 1295 va_list v; 1296 1297 va_start(v, fmt); 1298 msg = alloc_vsprintf(fmt, v); 1299 va_end(v); 1300 1301 bol = B_TRUE; 1302 for (p = msg; *p != '\0'; p++) { 1303 if (bol) { 1304 if (*p == '.') 1305 (void) putchar('.'); 1306 bol = B_FALSE; 1307 } 1308 (void) putchar(*p); 1309 if (*p == '\n') 1310 bol = B_TRUE; 1311 } 1312 (void) putchar('\n'); 1313 free(msg); 1314 } 1315 (void) putchar('.'); 1316 (void) putchar('\n'); 1317 } 1318 1319 /* 1320 * validate - Check that the account is valid for switching to. 1321 */ 1322 static void 1323 validate(char *usernam, int *pw_change) 1324 { 1325 int error; 1326 int tries; 1327 1328 if ((error = pam_acct_mgmt(pamh, pam_flags)) != PAM_SUCCESS) { 1329 if (Sulog != NULL) 1330 log(Sulog, pwd.pw_name, 0); /* log entry */ 1331 if (error == PAM_NEW_AUTHTOK_REQD) { 1332 tries = 0; 1333 message(ERR, gettext("Password for user " 1334 "'%s' has expired"), pwd.pw_name); 1335 while ((error = pam_chauthtok(pamh, 1336 PAM_CHANGE_EXPIRED_AUTHTOK)) != PAM_SUCCESS) { 1337 if ((error == PAM_AUTHTOK_ERR || 1338 error == PAM_TRY_AGAIN) && 1339 (tries++ < DEF_ATTEMPTS)) { 1340 continue; 1341 } 1342 message(ERR, gettext("Sorry")); 1343 audit_failure(PW_FAILED, &pwd, NULL, error); 1344 if (dosyslog) 1345 syslog(LOG_CRIT, 1346 "'su %s' failed for %s on %s", 1347 pwd.pw_name, usernam, ttyn); 1348 closelog(); 1349 exit(1); 1350 } 1351 *pw_change = PW_TRUE; 1352 return; 1353 } else { 1354 message(ERR, gettext("Sorry")); 1355 audit_failure(PW_FALSE, &pwd, NULL, error); 1356 if (dosyslog) 1357 syslog(LOG_CRIT, "'su %s' failed for %s on %s", 1358 pwd.pw_name, usernam, ttyn); 1359 closelog(); 1360 exit(3); 1361 } 1362 } 1363 } 1364 1365 static char *illegal[] = { 1366 "SHELL=", 1367 "HOME=", 1368 "LOGNAME=", 1369 #ifndef NO_MAIL 1370 "MAIL=", 1371 #endif 1372 "CDPATH=", 1373 "IFS=", 1374 "PATH=", 1375 "TZ=", 1376 "HZ=", 1377 "TERM=", 1378 0 1379 }; 1380 1381 /* 1382 * legalenvvar - can PAM modules insert this environmental variable? 1383 */ 1384 1385 static int 1386 legalenvvar(char *s) 1387 { 1388 register char **p; 1389 1390 for (p = illegal; *p; p++) 1391 if (strncmp(s, *p, strlen(*p)) == 0) 1392 return (0); 1393 1394 if (s[0] == 'L' && s[1] == 'D' && s[2] == '_') 1395 return (0); 1396 1397 return (1); 1398 } 1399 1400 /* 1401 * The embedded_su protocol allows the client application to supply 1402 * an initialization block terminated by a line with just a "." on it. 1403 * 1404 * This initialization block is currently unused, reserved for future 1405 * expansion. Ignore it. This is made very slightly more complex by 1406 * the desire to cleanly ignore input lines of any length, while still 1407 * correctly detecting a line with just a "." on it. 1408 * 1409 * I18n note: It appears that none of the Solaris-supported locales 1410 * use 0x0a for any purpose other than newline, so looking for '\n' 1411 * seems safe. 1412 * All locales use high-bit-set leadin characters for their multi-byte 1413 * sequences, so a line consisting solely of ".\n" is what it appears 1414 * to be. 1415 */ 1416 static void 1417 readinitblock(void) 1418 { 1419 char buf[100]; 1420 boolean_t bol; 1421 1422 bol = B_TRUE; 1423 for (;;) { 1424 if (fgets(buf, sizeof (buf), stdin) == NULL) 1425 return; 1426 if (bol && strcmp(buf, ".\n") == 0) 1427 return; 1428 bol = (strchr(buf, '\n') != NULL); 1429 } 1430 } 1431 #else /* !DYNAMIC_SU */ 1432 static void 1433 update_audit(struct passwd *pwd) 1434 { 1435 adt_session_data_t *ah; /* audit session handle */ 1436 1437 if (adt_start_session(&ah, NULL, ADT_USE_PROC_DATA) != 0) { 1438 message(ERR, gettext("Sorry")); 1439 if (dosyslog) 1440 syslog(LOG_CRIT, "'su %s' failed for %s " 1441 "cannot start audit session %m", 1442 pwd->pw_name, username); 1443 closelog(); 1444 exit(2); 1445 } 1446 if (adt_set_user(ah, pwd->pw_uid, pwd->pw_gid, pwd->pw_uid, 1447 pwd->pw_gid, NULL, ADT_UPDATE) != 0) { 1448 if (dosyslog) 1449 syslog(LOG_CRIT, "'su %s' failed for %s " 1450 "cannot update audit session %m", 1451 pwd->pw_name, username); 1452 closelog(); 1453 exit(2); 1454 } 1455 } 1456 #endif /* DYNAMIC_SU */ 1457 1458 /* 1459 * Report an error, either a fatal one, a warning, or a usage message, 1460 * depending on the mode parameter. 1461 */ 1462 /*ARGSUSED*/ 1463 static void 1464 message(enum messagemode mode, char *fmt, ...) 1465 { 1466 char *s; 1467 va_list v; 1468 1469 va_start(v, fmt); 1470 s = alloc_vsprintf(fmt, v); 1471 va_end(v); 1472 1473 #ifdef DYNAMIC_SU 1474 if (embedded) { 1475 if (mode == WARN) { 1476 (void) printf("CONV 1\n"); 1477 (void) printf("PAM_ERROR_MSG\n"); 1478 } else { /* ERR, USAGE */ 1479 (void) printf("ERROR\n"); 1480 } 1481 if (mode == USAGE) { 1482 quotemsg("%s", s); 1483 } else { /* ERR, WARN */ 1484 quotemsg("%s: %s", myname, s); 1485 } 1486 } else { 1487 #endif /* DYNAMIC_SU */ 1488 if (mode == USAGE) { 1489 (void) fprintf(stderr, "%s\n", s); 1490 } else { /* ERR, WARN */ 1491 (void) fprintf(stderr, "%s: %s\n", myname, s); 1492 } 1493 #ifdef DYNAMIC_SU 1494 } 1495 #endif /* DYNAMIC_SU */ 1496 1497 free(s); 1498 } 1499 1500 /* 1501 * Return a pointer to the last path component of a. 1502 */ 1503 static char * 1504 tail(char *a) 1505 { 1506 char *p; 1507 1508 p = strrchr(a, '/'); 1509 if (p == NULL) 1510 p = a; 1511 else 1512 p++; /* step over the '/' */ 1513 1514 return (p); 1515 } 1516 1517 static char * 1518 alloc_vsprintf(const char *fmt, va_list ap1) 1519 { 1520 va_list ap2; 1521 int n; 1522 char buf[1]; 1523 char *s; 1524 1525 /* 1526 * We need to scan the argument list twice. Save off a copy 1527 * of the argument list pointer(s) for the second pass. Note that 1528 * we are responsible for va_end'ing our copy. 1529 */ 1530 va_copy(ap2, ap1); 1531 1532 /* 1533 * vsnprintf into a dummy to get a length. One might 1534 * think that passing 0 as the length to snprintf would 1535 * do what we want, but it's defined not to. 1536 * 1537 * Perhaps we should sprintf into a 100 character buffer 1538 * or something like that, to avoid two calls to snprintf 1539 * in most cases. 1540 */ 1541 n = vsnprintf(buf, sizeof (buf), fmt, ap2); 1542 va_end(ap2); 1543 1544 /* 1545 * Allocate an appropriately-sized buffer. 1546 */ 1547 s = malloc(n + 1); 1548 if (s == NULL) { 1549 perror("malloc"); 1550 exit(4); 1551 } 1552 1553 (void) vsnprintf(s, n+1, fmt, ap1); 1554 1555 return (s); 1556 } 1557