xref: /dragonfly/usr.bin/su/su.c (revision 1ab20d67) 
1 /*
2  * Copyright (c) 1988, 1993, 1994
3  *	The Regents of the University of California.  All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  * 3. All advertising materials mentioning features or use of this software
14  *    must display the following acknowledgement:
15  *	This product includes software developed by the University of
16  *	California, Berkeley and its contributors.
17  * 4. Neither the name of the University nor the names of its contributors
18  *    may be used to endorse or promote products derived from this software
19  *    without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31  * SUCH DAMAGE.
32  *
33  * @(#) Copyright (c) 1988, 1993, 1994 The Regents of the University of California.  All rights reserved.
34  * @(#)su.c	8.3 (Berkeley) 4/2/94
35  * $FreeBSD: src/usr.bin/su/su.c,v 1.34.2.4 2002/06/16 21:04:15 nectar Exp $
36  * $DragonFly: src/usr.bin/su/su.c,v 1.4 2003/10/04 20:36:51 hmp Exp $
37  */
38 
39 #include <sys/param.h>
40 #include <sys/time.h>
41 #include <sys/resource.h>
42 
43 #include <err.h>
44 #include <errno.h>
45 #include <grp.h>
46 #include <paths.h>
47 #include <pwd.h>
48 #include <stdio.h>
49 #include <stdlib.h>
50 #include <string.h>
51 #include <syslog.h>
52 #include <unistd.h>
53 #include <libutil.h>
54 
55 #ifdef LOGIN_CAP
56 #include <login_cap.h>
57 #endif
58 
59 #ifdef	SKEY
60 #include <skey.h>
61 #endif
62 
63 #ifdef KERBEROS5
64 #include <krb5.h>
65 
66 static long get_su_principal(krb5_context context, const char *target_user,
67     const char *current_user, char **su_principal_name,
68     krb5_principal *su_principal);
69 static long kerberos5(krb5_context context, const char *current_user,
70     const char *target_user, krb5_principal su_principal,
71     const char *pass);
72 
73 int use_kerberos5 = 1;
74 #endif
75 
76 #ifdef LOGIN_CAP
77 #define LOGIN_CAP_ARG(x) x
78 #else
79 #define LOGIN_CAP_ARG(x)
80 #endif
81 #if defined(KERBEROS5)
82 #define KERBEROS_ARG(x) x
83 #else
84 #define KERBEROS_ARG(x)
85 #endif
86 #define COMMON_ARG(x) x
87 #define ARGSTR	"-" COMMON_ARG("flm") LOGIN_CAP_ARG("c:") KERBEROS_ARG("K")
88 
89 char   *ontty(void);
90 int	chshell(char *);
91 static void usage(void);
92 
93 int
94 main(int argc, char **argv)
95 {
96 	extern char **environ;
97 	struct passwd *pwd;
98 #ifdef WHEELSU
99 	char *targetpass;
100 	int iswheelsu;
101 #endif /* WHEELSU */
102 	char *p, **g, *user, *shell=NULL, *username, **cleanenv, **nargv, **np;
103 	struct group *gr;
104 	uid_t ruid;
105 	gid_t gid;
106 	int asme, ch, asthem, fastlogin, prio, i;
107 	enum { UNSET, YES, NO } iscsh = UNSET;
108 #ifdef LOGIN_CAP
109 	login_cap_t *lc;
110 	char *class=NULL;
111 	int setwhat;
112 #endif
113 #if defined(KERBEROS5)
114 	char *k;
115 #endif
116 #ifdef KERBEROS5
117 	char *su_principal_name, *ccname;
118 	krb5_context context;
119 	krb5_principal su_principal;
120 #endif
121 	char shellbuf[MAXPATHLEN];
122 
123 #ifdef WHEELSU
124 	iswheelsu =
125 #endif /* WHEELSU */
126 	asme = asthem = fastlogin = 0;
127 	user = "root";
128 	while((ch = getopt(argc, argv, ARGSTR)) != -1)
129 		switch((char)ch) {
130 #if defined(KERBEROS5)
131 		case 'K':
132 			use_kerberos5 = 0;
133 			break;
134 #endif
135 		case 'f':
136 			fastlogin = 1;
137 			break;
138 		case '-':
139 		case 'l':
140 			asme = 0;
141 			asthem = 1;
142 			break;
143 		case 'm':
144 			asme = 1;
145 			asthem = 0;
146 			break;
147 #ifdef LOGIN_CAP
148 		case 'c':
149 			class = optarg;
150 			break;
151 #endif
152 		case '?':
153 		default:
154 			usage();
155 		}
156 
157 	if (optind < argc)
158 		user = argv[optind++];
159 
160 	if (strlen(user) > MAXLOGNAME - 1) {
161 		(void)fprintf(stderr, "su: username too long.\n");
162 		exit(1);
163 	}
164 
165 	if (user == NULL)
166 		usage();
167 
168 	if ((nargv = malloc (sizeof (char *) * (argc + 4))) == NULL) {
169 	    errx(1, "malloc failure");
170 	}
171 
172 	nargv[argc + 3] = NULL;
173 	for (i = argc; i >= optind; i--)
174 	    nargv[i + 3] = argv[i];
175 	np = &nargv[i + 3];
176 
177 	argv += optind;
178 
179 #if defined(KERBEROS5)
180 	k = auth_getval("auth_list");
181 	if (k && !strstr(k, "kerberos")) {
182 	    use_kerberos5 = 0;
183 	}
184 	su_principal_name = NULL;
185 	su_principal = NULL;
186 	if (krb5_init_context(&context) != 0)
187 		use_kerberos5 = 0;
188 #endif
189 	errno = 0;
190 	prio = getpriority(PRIO_PROCESS, 0);
191 	if (errno)
192 		prio = 0;
193 	(void)setpriority(PRIO_PROCESS, 0, -2);
194 	openlog("su", LOG_CONS, 0);
195 
196 	/* get current login name and shell */
197 	ruid = getuid();
198 	username = getlogin();
199 	if (username == NULL || (pwd = getpwnam(username)) == NULL ||
200 	    pwd->pw_uid != ruid)
201 		pwd = getpwuid(ruid);
202 	if (pwd == NULL)
203 		errx(1, "who are you?");
204 	username = strdup(pwd->pw_name);
205 	gid = pwd->pw_gid;
206 	if (username == NULL)
207 		err(1, NULL);
208 	if (asme) {
209 		if (pwd->pw_shell != NULL && *pwd->pw_shell != '\0') {
210 			/* copy: pwd memory is recycled */
211 			shell = strncpy(shellbuf,  pwd->pw_shell, sizeof shellbuf);
212 			shellbuf[sizeof shellbuf - 1] = '\0';
213 		} else {
214 			shell = _PATH_BSHELL;
215 			iscsh = NO;
216 		}
217 	}
218 
219 	/* get target login information, default to root */
220 	if ((pwd = getpwnam(user)) == NULL) {
221 		errx(1, "unknown login: %s", user);
222 	}
223 #ifdef LOGIN_CAP
224 	if (class==NULL) {
225 		lc = login_getpwclass(pwd);
226 	} else {
227 		if (ruid)
228 			errx(1, "only root may use -c");
229 		lc = login_getclass(class);
230 		if (lc == NULL)
231 			errx(1, "unknown class: %s", class);
232 	}
233 #endif
234 
235 #ifdef WHEELSU
236 	targetpass = strdup(pwd->pw_passwd);
237 #endif /* WHEELSU */
238 
239 	if (ruid) {
240 #ifdef KERBEROS5
241 		if (use_kerberos5) {
242 			if (get_su_principal(context, user, username,
243 			    &su_principal_name, &su_principal) != 0 ||
244 			    !krb5_kuserok(context, su_principal, user)) {
245 				warnx("kerberos5: not in %s's ACL.", user);
246 				use_kerberos5 = 0;
247 			}
248 		}
249 #endif
250 		{
251 			/*
252 			 * Only allow those with pw_gid==0 or those listed in
253 			 * group zero to su to root.  If group zero entry is
254 			 * missing or empty, then allow anyone to su to root.
255 			 * iswheelsu will only be set if the user is EXPLICITLY
256 			 * listed in group zero.
257 			 */
258 			if (pwd->pw_uid == 0 && (gr = getgrgid((gid_t)0)) &&
259 			    gr->gr_mem && *(gr->gr_mem))
260 				for (g = gr->gr_mem;; ++g) {
261 					if (!*g) {
262 						if (gid == 0)
263 							break;
264 						else
265 							errx(1,
266 			     "you are not in the correct group (%s) to su %s.",
267 							    gr->gr_name,
268 							    user);
269 					}
270 					if (strcmp(username, *g) == 0) {
271 #ifdef WHEELSU
272 						iswheelsu = 1;
273 #endif /* WHEELSU */
274 						break;
275 					}
276 				}
277 		}
278 		/* if target requires a password, verify it */
279 		if (*pwd->pw_passwd) {
280 #ifdef	SKEY
281 #ifdef WHEELSU
282 			if (iswheelsu) {
283 				pwd = getpwnam(username);
284 			}
285 #endif /* WHEELSU */
286 			p = skey_getpass("Password:", pwd, 1);
287 			if (!(!strcmp(pwd->pw_passwd, skey_crypt(p, pwd->pw_passwd, pwd, 1))
288 #ifdef WHEELSU
289 			      || (iswheelsu && !strcmp(targetpass, crypt(p,targetpass)))
290 #endif /* WHEELSU */
291 			      )) {
292 #else
293 			p = getpass("Password:");
294 			if (strcmp(pwd->pw_passwd, crypt(p, pwd->pw_passwd))) {
295 #endif
296 #ifdef KERBEROS5
297 				if (use_kerberos5 && kerberos5(context,
298 				    username, user, su_principal, p) == 0)
299 					goto authok;
300 #endif
301 				fprintf(stderr, "Sorry\n");
302 				syslog(LOG_AUTH|LOG_WARNING,
303 				    "BAD SU %s to %s%s", username, user,
304 				    ontty());
305 				exit(1);
306 			}
307 #if defined(KERBEROS5)
308 		authok:
309 #endif
310 #ifdef WHEELSU
311 			if (iswheelsu) {
312 				pwd = getpwnam(user);
313 			}
314 #endif /* WHEELSU */
315 		}
316 		if (pwd->pw_expire && time(NULL) >= pwd->pw_expire) {
317 			fprintf(stderr, "Sorry - account expired\n");
318 			syslog(LOG_AUTH|LOG_WARNING,
319 				"BAD SU %s to %s%s", username,
320 				user, ontty());
321 			exit(1);
322 		}
323 	}
324 
325 	if (asme) {
326 		/* if asme and non-standard target shell, must be root */
327 		if (!chshell(pwd->pw_shell) && ruid)
328 			errx(1, "permission denied (shell).");
329 	} else if (pwd->pw_shell && *pwd->pw_shell) {
330 		shell = pwd->pw_shell;
331 		iscsh = UNSET;
332 	} else {
333 		shell = _PATH_BSHELL;
334 		iscsh = NO;
335 	}
336 
337 	/* if we're forking a csh, we want to slightly muck the args */
338 	if (iscsh == UNSET) {
339 		p = strrchr(shell, '/');
340 		if (p)
341 			++p;
342 		else
343 			p = shell;
344 		if ((iscsh = strcmp(p, "csh") ? NO : YES) == NO)
345 		    iscsh = strcmp(p, "tcsh") ? NO : YES;
346 	}
347 
348 	(void)setpriority(PRIO_PROCESS, 0, prio);
349 
350 #ifdef LOGIN_CAP
351 	/* Set everything now except the environment & umask */
352 	setwhat = LOGIN_SETUSER|LOGIN_SETGROUP|LOGIN_SETRESOURCES|LOGIN_SETPRIORITY;
353 	/*
354 	 * Don't touch resource/priority settings if -m has been
355 	 * used or -l and -c hasn't, and we're not su'ing to root.
356 	 */
357         if ((asme || (!asthem && class == NULL)) && pwd->pw_uid)
358 		setwhat &= ~(LOGIN_SETPRIORITY|LOGIN_SETRESOURCES);
359 	if (setusercontext(lc, pwd, pwd->pw_uid, setwhat) < 0)
360 		err(1, "setusercontext");
361 #else
362 	/* set permissions */
363 	if (setgid(pwd->pw_gid) < 0)
364 		err(1, "setgid");
365 	if (initgroups(user, pwd->pw_gid))
366 		errx(1, "initgroups failed");
367 	if (setuid(pwd->pw_uid) < 0)
368 		err(1, "setuid");
369 #endif
370 
371 	if (!asme) {
372 		if (asthem) {
373 			p = getenv("TERM");
374 #ifdef KERBEROS5
375 			ccname = getenv("KRB5CCNAME");
376 #endif
377 			if ((cleanenv = calloc(20, sizeof(char*))) == NULL)
378 				errx(1, "calloc");
379 			cleanenv[0] = NULL;
380 			environ = cleanenv;
381 #ifdef LOGIN_CAP
382 			/* set the su'd user's environment & umask */
383 			setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETPATH|LOGIN_SETUMASK|LOGIN_SETENV);
384 #else
385 			(void)setenv("PATH", _PATH_DEFPATH, 1);
386 #endif
387 			if (p)
388 				(void)setenv("TERM", p, 1);
389 #ifdef KERBEROS5
390 			if (ccname)
391 				(void)setenv("KRB5CCNAME", ccname, 1);
392 #endif
393 			if (chdir(pwd->pw_dir) < 0)
394 				errx(1, "no directory");
395 		}
396 		if (asthem || pwd->pw_uid)
397 			(void)setenv("USER", pwd->pw_name, 1);
398 		(void)setenv("HOME", pwd->pw_dir, 1);
399 		(void)setenv("SHELL", shell, 1);
400 	}
401 	if (iscsh == YES) {
402 		if (fastlogin)
403 			*np-- = "-f";
404 		if (asme)
405 			*np-- = "-m";
406 	}
407 
408 	/* csh strips the first character... */
409 	*np = asthem ? "-su" : iscsh == YES ? "_su" : "su";
410 
411 	if (ruid != 0)
412 		syslog(LOG_NOTICE|LOG_AUTH, "%s to %s%s",
413 		    username, user, ontty());
414 
415 #ifdef LOGIN_CAP
416 	login_close(lc);
417 #endif
418 
419 	execv(shell, np);
420 	err(1, "%s", shell);
421 }
422 
423 static void
424 usage(void)
425 {
426 	(void)fprintf(stderr, "usage: su [-] [-%s] %s[login [args]]\n",
427 	    KERBEROS_ARG("K") COMMON_ARG("flm"),
428 #ifdef LOGIN_CAP
429 	    "[-c class] "
430 #else
431 	    ""
432 #endif
433 	    );
434 	exit(1);
435 }
436 
437 int
438 chshell(char *sh)
439 {
440 	int  r = 0;
441 	char *cp;
442 
443 	setusershell();
444 	while (!r && (cp = getusershell()) != NULL)
445 		r = strcmp(cp, sh) == 0;
446 	endusershell();
447 	return r;
448 }
449 
450 char *
451 ontty(void)
452 {
453 	char *p;
454 	static char buf[MAXPATHLEN + 4];
455 
456 	buf[0] = 0;
457 	p = ttyname(STDERR_FILENO);
458 	if (p)
459 		snprintf(buf, sizeof(buf), " on %s", p);
460 	return (buf);
461 }
462 
463 #ifdef KERBEROS5
464 const char superuser[] = "root";
465 
466 /* Authenticate using Kerberos 5.
467  *   context           -- An initialized krb5_context.
468  *   current_user      -- The current username.
469  *   target_user       -- The target account name.
470  *   su_principal      -- The target krb5_principal.
471  *   pass              -- The user's password.
472  * Note that a valid keytab in the default location with a host entry
473  * must be available.
474  * Returns 0 if authentication was successful, or a com_err error code if
475  * it was not.
476  */
477 static long
478 kerberos5(krb5_context context, const char *current_user,
479     const char *target_user, krb5_principal su_principal,
480     const char *pass)
481 {
482 	krb5_creds	 creds;
483 	krb5_get_init_creds_opt gic_opt;
484 	krb5_verify_init_creds_opt vic_opt;
485 	long		 rv;
486 
487 	krb5_get_init_creds_opt_init(&gic_opt);
488 	krb5_verify_init_creds_opt_init(&vic_opt);
489 	rv = krb5_get_init_creds_password(context, &creds, su_principal,
490 	    pass, NULL, NULL, 0, NULL, &gic_opt);
491 	if (rv != 0) {
492 		syslog(LOG_NOTICE|LOG_AUTH, "BAD Kerberos5 SU: %s to %s%s: %s",
493 		    current_user, target_user, ontty(),
494 		    krb5_get_err_text(context, rv));
495 		return (rv);
496 	}
497 	krb5_verify_init_creds_opt_set_ap_req_nofail(&vic_opt, 1);
498 	rv = krb5_verify_init_creds(context, &creds, NULL, NULL, NULL,
499 	    &vic_opt);
500 	krb5_free_cred_contents(context, &creds);
501 	if (rv != 0) {
502 		syslog(LOG_NOTICE|LOG_AUTH, "BAD Kerberos5 SU: %s to %s%s: %s",
503 		    current_user, target_user, ontty(),
504 		    krb5_get_err_text(context, rv));
505 		return (rv);
506 	}
507 	return (0);
508 }
509 
510 /* Determine the target principal given the current user and the target user.
511  *   context           -- An initialized krb5_context.
512  *   target_user       -- The target username.
513  *   current_user      -- The current username.
514  *   su_principal_name -- (out) The target principal name.
515  *   su_principal      -- (out) The target krb5_principal.
516  *
517  * When target_user is `root', the su_principal will be a `root
518  * instance', e.g. `luser/root@REA.LM'.  Otherwise, the su_principal
519  * will simply be the current user's default principal name.  Note that
520  * in any case, if KRB5CCNAME is set and a credentials cache exists, the
521  * principal name found there will be the `starting point', rather than
522  * the current_user parameter.
523  *
524  * Returns 0 for success, or a com_err error code on failure.
525  */
526 static long
527 get_su_principal(krb5_context context, const char *target_user,
528     const char *current_user, char **su_principal_name,
529     krb5_principal *su_principal)
530 {
531 	krb5_principal	 default_principal;
532 	krb5_ccache	 ccache;
533 	char		*principal_name, *ccname, *p;
534 	long		 rv;
535 	uid_t		 euid, ruid;
536 
537 	*su_principal = NULL;
538 	default_principal = NULL;
539 	/* Lower privs while messing about with the credentials
540 	 * cache.
541 	 */
542 	ruid = getuid();
543 	euid = geteuid();
544 	rv = seteuid(getuid());
545 	if (rv != 0)
546 		return (errno);
547 	p = getenv("KRB5CCNAME");
548 	if (p != NULL)
549 		ccname = strdup(p);
550 	else
551 		(void)asprintf(&ccname, "%s%lu", KRB5_DEFAULT_CCROOT,
552 		    (unsigned long)ruid);
553 	if (ccname == NULL)
554 		return (errno);
555 	rv = krb5_cc_resolve(context, ccname, &ccache);
556 	free(ccname);
557 	if (rv == 0) {
558 		rv = krb5_cc_get_principal(context, ccache,
559 		    &default_principal);
560 		krb5_cc_close(context, ccache);
561 		if (rv != 0)
562 			default_principal = NULL; /* just to be safe */
563 	}
564 	rv = seteuid(euid);
565 	if (rv != 0)
566 		return (errno);
567 	if (default_principal == NULL) {
568 		rv = krb5_make_principal(context, &default_principal, NULL,
569 		    current_user, NULL);
570 		if (rv != 0) {
571 			warnx("Could not determine default principal name.");
572 			return (rv);
573 		}
574 	}
575 	/* Now that we have some principal, if the target account is
576 	 * `root', then transform it into a `root' instance, e.g.
577 	 * `user@REA.LM' -> `user/root@REA.LM'.
578 	 */
579 	rv = krb5_unparse_name(context, default_principal, &principal_name);
580 	krb5_free_principal(context, default_principal);
581 	if (rv != 0) {
582 		warnx("krb5_unparse_name: %s", krb5_get_err_text(context, rv));
583 		return (rv);
584 	}
585 	if (strcmp(target_user, superuser) == 0) {
586 		p = strrchr(principal_name, '@');
587 		if (p == NULL) {
588 			warnx("malformed principal name `%s'", principal_name);
589 			free(principal_name);
590 			return (rv);
591 		}
592 		*p++ = '\0';
593 		(void)asprintf(su_principal_name, "%s/%s@%s", principal_name,
594 		    superuser, p);
595 		free(principal_name);
596 	} else
597 		*su_principal_name = principal_name;
598 	if (*su_principal_name == NULL)
599 		return errno;
600 	rv = krb5_parse_name(context, *su_principal_name, &default_principal);
601 	if (rv != 0) {
602 		warnx("krb5_parse_name `%s': %s", *su_principal_name,
603 		    krb5_get_err_text(context, rv));
604 		free(*su_principal_name);
605 		return (rv);
606 	}
607 	*su_principal = default_principal;
608 	return 0;
609 }
610 
611 #endif
612