2 * Copyright (c) 1989 - 1994, Julianne Frances Haugh
3 * Copyright (c) 1996 - 2000, Marek Michałkiewicz
4 * Copyright (c) 2000 - 2006, Tomasz Kłoczko
5 * Copyright (c) 2007 - 2011, Nicolas François
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 * 3. The name of the copyright holders or contributors may not be used to
17 * endorse or promote products derived from this software without
18 * specific prior written permission.
20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
21 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
22 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
23 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
24 * HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
25 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
26 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
27 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
28 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
30 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
33 /* Some parts substantially derived from an ancestor of:
34 su for GNU. Run a shell with substitute user and group IDs.
36 Copyright (C) 1992-2003 Free Software Foundation, Inc.
38 This program is free software; you can redistribute it and/or modify
39 it under the terms of the GNU General Public License as published by
40 the Free Software Foundation; either version 2, or (at your option)
43 This program is distributed in the hope that it will be useful,
44 but WITHOUT ANY WARRANTY; without even the implied warranty of
45 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
46 GNU General Public License for more details.
48 You should have received a copy of the GNU General Public License
49 along with this program; if not, write to the Free Software
50 Foundation, Inc., 51 Franklin Street, Fifth Floor,
51 Boston, MA 02110-1301, USA. */
63 #include <sys/types.h>
66 #include <sys/ioctl.h>
67 #include <sys/types.h>
71 #include "prototypes.h"
79 #include "exitcodes.h"
85 static /*@observer@*/const char *caller_tty = NULL; /* Name of tty SU is run from */
86 static bool caller_is_root = false;
87 static uid_t caller_uid;
89 static bool caller_on_console = false;
91 static /*@only@*/char *caller_pass;
94 static bool doshell = false;
95 static bool fakelogin = false;
96 static /*@observer@*/const char *shellstr;
97 static /*@null@*/char *command = NULL;
100 /* not needed by sulog.c anymore */
101 static char name[BUFSIZ];
102 static char caller_name[BUFSIZ];
104 /* If nonzero, change some environment vars to indicate the user su'd to. */
105 static bool change_environment = true;
108 static pam_handle_t *pamh = NULL;
109 static int caught = 0;
110 /* PID of the child, in case it needs to be killed */
111 static pid_t pid_child = 0;
115 * External identifiers
118 extern char **newenvp; /* libmisc/env.c */
119 extern size_t newenvc; /* libmisc/env.c */
121 /* local function prototypes */
123 static void execve_shell (const char *shellname,
127 static RETSIGTYPE kill_child (int unused(s));
128 static void prepare_pam_close_session (void);
130 static RETSIGTYPE die (int);
131 static bool iswheel (const char *);
132 #endif /* !USE_PAM */
133 static bool restricted_shell (const char *shellname);
134 static /*@noreturn@*/void su_failure (const char *tty, bool su_to_root);
135 static /*@only@*/struct passwd * check_perms (void);
137 static void check_perms_pam (const struct passwd *pw);
139 static void check_perms_nopam (const struct passwd *pw);
140 #endif /* !USE_PAM */
141 static void save_caller_context (char **argv);
142 static void process_flags (int argc, char **argv);
143 static void set_environment (struct passwd *pw);
147 * die - set or reset termio modes.
149 * die() is called before processing begins. signal() is then called
150 * with die() as the signal handler. If signal later calls die() with a
151 * signal number, the terminal modes are then reset.
153 static RETSIGTYPE die (int killed)
169 static bool iswheel (const char *username)
173 grp = getgrnam ("wheel"); /* !USE_PAM, no need for xgetgrnam */
175 || (NULL == grp->gr_mem)) {
178 return is_on_list (grp->gr_mem, username);
181 static RETSIGTYPE kill_child (int unused(s))
183 if (0 != pid_child) {
184 (void) kill (pid_child, SIGKILL);
185 (void) fputs (_(" ...killed.\n"), stderr);
187 (void) fputs (_(" ...waiting for child to terminate.\n"),
194 /* borrowed from GNU sh-utils' "su.c" */
195 static bool restricted_shell (const char *shellname)
197 /*@observer@*/const char *line;
200 while ((line = getusershell ()) != NULL) {
201 if (('#' != *line) && (strcmp (line, shellname) == 0)) {
210 static /*@noreturn@*/void su_failure (const char *tty, bool su_to_root)
212 sulog (tty, false, caller_name, name); /* log failed attempt */
214 if (getdef_bool ("SYSLOG_SU_ENAB")) {
215 SYSLOG ((su_to_root ? LOG_NOTICE : LOG_INFO,
217 ('\0' != caller_name[0]) ? caller_name : "???",
218 ('\0' != name[0]) ? name : "???"));
226 * execve_shell - Execute a shell with execve, or interpret it with
229 static void execve_shell (const char *shellname,
234 (void) execve (shellname, (char **) args, envp);
237 if (access (shellname, R_OK|X_OK) == 0) {
239 * Assume this is a shell script (with no shebang).
240 * Interpret it with /bin/sh
244 while (NULL != args[n_args]) {
247 targs = (char **) xmalloc ((n_args + 3) * sizeof (args[0]));
250 targs[2] = xstrdup (shellname);
251 targs[n_args+2] = NULL;
252 while (1 != n_args) {
253 targs[n_args+1] = args[n_args - 1];
257 (void) execve (SHELL, targs, envp);
264 /* Signal handler for parent process later */
265 static void catch_signals (int sig)
271 * prepare_pam_close_session - Fork and wait for the child to close the session
273 * Only the child returns. The parent will wait for the child to
274 * terminate and exit.
276 static void prepare_pam_close_session (void)
283 if (pid_child == 0) { /* child shell */
284 return; /* Only the child will return from pam_create_session */
285 } else if ((pid_t)-1 == pid_child) {
286 (void) fprintf (stderr,
287 _("%s: Cannot fork user shell\n"),
289 SYSLOG ((LOG_WARN, "Cannot execute %s", shellstr));
292 /* Only the child returns. See above. */
296 sigfillset (&ourset);
297 if (sigprocmask (SIG_BLOCK, &ourset, NULL) != 0) {
298 (void) fprintf (stderr,
299 _("%s: signal malfunction\n"),
304 struct sigaction action;
306 action.sa_handler = catch_signals;
307 sigemptyset (&action.sa_mask);
309 sigemptyset (&ourset);
311 if ( (sigaddset (&ourset, SIGTERM) != 0)
312 || (sigaddset (&ourset, SIGALRM) != 0)
313 || (sigaction (SIGTERM, &action, NULL) != 0)
314 || ( !doshell /* handle SIGINT (Ctrl-C), SIGQUIT
315 * (Ctrl-\), and SIGTSTP (Ctrl-Z)
316 * since the child will not control
319 && ( (sigaddset (&ourset, SIGINT) != 0)
320 || (sigaddset (&ourset, SIGQUIT) != 0)
321 || (sigaddset (&ourset, SIGTSTP) != 0)
322 || (sigaction (SIGINT, &action, NULL) != 0)
323 || (sigaction (SIGQUIT, &action, NULL) != 0)
324 || (sigaction (SIGTSTP, &action, NULL) != 0)))
325 || (sigprocmask (SIG_UNBLOCK, &ourset, NULL) != 0)
328 _("%s: signal masking malfunction\n"),
341 pid = waitpid (-1, &status, WUNTRACED);
343 /* When interrupted by signal, the signal will be
344 * forwarded to the child, and termination will be
347 if ( ((pid_t)-1 == pid)
349 && (SIGTSTP == caught)) {
350 /* Except for SIGTSTP, which request to
352 * We will SIGSTOP ourself on the next
355 kill (pid_child, SIGSTOP);
357 } else if ( ((pid_t)-1 != pid)
358 && (0 != WIFSTOPPED (status))) {
359 /* The child (shell) was suspended.
361 kill (getpid (), SIGSTOP);
362 /* wake child when resumed */
370 (void) fputs ("\n", stderr);
371 (void) fputs (_("Session terminated, terminating shell..."),
373 (void) kill (pid_child, caught);
376 ret = pam_close_session (pamh, 0);
377 if (PAM_SUCCESS != ret) {
378 SYSLOG ((LOG_ERR, "pam_close_session: %s",
379 pam_strerror (pamh, ret)));
380 fprintf (stderr, _("%s: %s\n"), Prog, pam_strerror (pamh, ret));
383 (void) pam_setcred (pamh, PAM_DELETE_CRED);
384 (void) pam_end (pamh, PAM_SUCCESS);
387 (void) signal (SIGALRM, kill_child);
390 (void) wait (&status);
391 (void) fputs (_(" ...terminated.\n"), stderr);
394 exit ((0 != WIFEXITED (status)) ? WEXITSTATUS (status)
395 : WTERMSIG (status) + 128);
396 /* Only the child returns. See above. */
401 * usage - print command line syntax and exit
403 static void usage (int status)
406 fputs (_("Usage: su [options] [LOGIN]\n"
409 " -c, --command COMMAND pass COMMAND to the invoked shell\n"
410 " -h, --help display this help message and exit\n"
411 " -, -l, --login make the shell a login shell\n"
413 " --preserve-environment do not reset environment variables, and\n"
414 " keep the same shell\n"
415 " -s, --shell SHELL use SHELL instead of the default in passwd\n"
416 "\n"), (E_SUCCESS != status) ? stderr : stdout);
421 static void check_perms_pam (const struct passwd *pw)
424 ret = pam_authenticate (pamh, 0);
425 if (PAM_SUCCESS != ret) {
426 SYSLOG ((LOG_ERR, "pam_authenticate: %s",
427 pam_strerror (pamh, ret)));
428 fprintf (stderr, _("%s: %s\n"), Prog, pam_strerror (pamh, ret));
429 (void) pam_end (pamh, ret);
430 su_failure (caller_tty, 0 == pw->pw_uid);
433 ret = pam_acct_mgmt (pamh, 0);
434 if (PAM_SUCCESS != ret) {
435 if (caller_is_root) {
437 _("%s: %s\n(Ignored)\n"),
438 Prog, pam_strerror (pamh, ret));
439 } else if (PAM_NEW_AUTHTOK_REQD == ret) {
440 ret = pam_chauthtok (pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
441 if (PAM_SUCCESS != ret) {
442 SYSLOG ((LOG_ERR, "pam_chauthtok: %s",
443 pam_strerror (pamh, ret)));
446 Prog, pam_strerror (pamh, ret));
447 (void) pam_end (pamh, ret);
448 su_failure (caller_tty, 0 == pw->pw_uid);
451 SYSLOG ((LOG_ERR, "pam_acct_mgmt: %s",
452 pam_strerror (pamh, ret)));
455 Prog, pam_strerror (pamh, ret));
456 (void) pam_end (pamh, ret);
457 su_failure (caller_tty, 0 == pw->pw_uid);
462 static void check_perms_nopam (const struct passwd *pw)
464 /*@observer@*/const struct spwd *spwd = NULL;
465 /*@observer@*/const char *password = pw->pw_passwd;
466 RETSIGTYPE (*oldsig) (int);
468 if (caller_is_root) {
473 * BSD systems only allow "wheel" to SU to root. USG systems don't,
474 * so we make this a configurable option.
477 /* The original Shadow 3.3.2 did this differently. Do it like BSD:
479 * - check for UID 0 instead of name "root" - there are systems with
480 * several root accounts under different names,
482 * - check the contents of /etc/group instead of the current group
483 * set (you must be listed as a member, GID 0 is not sufficient).
485 * In addition to this traditional feature, we now have complete su
486 * access control (allow, deny, no password, own password). Thanks
487 * to Chris Evans <lady0110@sable.ox.ac.uk>.
490 if ( (0 == pw->pw_uid)
491 && getdef_bool ("SU_WHEEL_ONLY")
492 && !iswheel (caller_name)) {
494 _("You are not authorized to su %s\n"),
498 spwd = getspnam (name); /* !USE_PAM, no need for xgetspnam */
500 if (strcmp (pw->pw_passwd, SHADOW_PASSWD_STRING) == 0) {
502 password = spwd->sp_pwdp;
506 switch (check_su_auth (caller_name, name, 0 == pw->pw_uid)) {
507 case 0: /* normal su, require target user's password */
509 case 1: /* require no password */
510 password = ""; /* XXX warning: const */
512 case 2: /* require own password */
513 (void) puts (_("(Enter your own password)"));
514 password = caller_pass;
516 default: /* access denied (-1) or unexpected value */
518 _("You are not authorized to su %s\n"),
522 #endif /* SU_ACCESS */
524 * Set up a signal handler in case the user types QUIT.
527 oldsig = signal (SIGQUIT, die);
530 * See if the system defined authentication method is being used.
531 * The first character of an administrator defined method is an '@'
534 if (pw_auth (password, name, PW_SU, (char *) 0) != 0) {
535 SYSLOG (((pw->pw_uid != 0)? LOG_NOTICE : LOG_WARN,
536 "Authentication failed for %s", name));
537 fprintf(stderr, _("%s: Authentication failure\n"), Prog);
538 su_failure (caller_tty, 0 == pw->pw_uid);
540 (void) signal (SIGQUIT, oldsig);
543 * Check to see if the account is expired. root gets to ignore any
544 * expired accounts, but normal users can't become a user with an
548 (void) expire (pw, spwd);
552 * Check to see if the account permits "su". root gets to ignore any
553 * restricted accounts, but normal users can't become a user if
554 * there is a "SU" entry in the /etc/porttime file denying access to
557 if (!isttytime (name, "SU", time ((time_t *) 0))) {
558 SYSLOG (((0 != pw->pw_uid) ? LOG_WARN : LOG_CRIT,
559 "SU by %s to restricted account %s",
562 _("%s: You are not authorized to su at that time\n"),
564 su_failure (caller_tty, 0 == pw->pw_uid);
567 #endif /* !USE_PAM */
570 * check_perms - check permissions to switch to the user 'name'
572 * In case of subsystem login, the user is first authenticated in the
573 * caller's root subsystem, and then in the user's target subsystem.
575 static /*@only@*/struct passwd * check_perms (void)
578 const char *tmp_name;
580 #endif /* !USE_PAM */
582 * The password file entries for the user is gotten and the account
585 struct passwd *pw = xgetpwnam (name);
587 (void) fprintf (stderr,
588 _("No passwd entry for user '%s'\n"), name);
589 SYSLOG ((LOG_ERR, "No passwd entry for user '%s'", name));
590 su_failure (caller_tty, true);
593 (void) signal (SIGINT, SIG_IGN);
594 (void) signal (SIGQUIT, SIG_IGN);
597 check_perms_pam (pw);
598 /* PAM authentication can request a change of account */
599 ret = pam_get_item(pamh, PAM_USER, (const void **) &tmp_name);
600 if (ret != PAM_SUCCESS) {
601 SYSLOG((LOG_ERR, "pam_get_item: internal PAM error\n"));
602 (void) fprintf (stderr,
603 "%s: Internal PAM error retrieving username\n",
605 (void) pam_end (pamh, ret);
606 su_failure (caller_tty, 0 == pw->pw_uid);
608 if (strcmp (name, tmp_name) != 0) {
610 "Change user from '%s' to '%s' as requested by PAM",
612 strncpy (name, tmp_name, sizeof(name) - 1);
613 name[sizeof(name) - 1] = '\0';
614 pw = xgetpwnam (name);
616 (void) fprintf (stderr,
617 _("No passwd entry for user '%s'\n"),
620 "No passwd entry for user '%s'", name));
621 su_failure (caller_tty, true);
625 check_perms_nopam (pw);
626 #endif /* !USE_PAM */
628 (void) signal (SIGINT, SIG_DFL);
629 (void) signal (SIGQUIT, SIG_DFL);
632 * Even if --shell is specified, the subsystem login test is based on
633 * the shell specified in /etc/passwd (not the one specified with
634 * --shell, which will be the one executed in the chroot later).
636 if ('*' == pw->pw_shell[0]) { /* subsystem root required */
637 subsystem (pw); /* change to the subsystem root */
638 endpwent (); /* close the old password databases */
641 return check_perms (); /* authenticate in the subsystem */
648 * save_caller_context - save information from the call context
650 * Save the program's name (Prog), caller's UID (caller_uid /
651 * caller_is_root), name (caller_name), and password (caller_pass),
652 * the TTY (ttyp), and whether su was called from a console
653 * (is_console) for further processing and before they might change.
655 static void save_caller_context (char **argv)
657 struct passwd *pw = NULL;
660 const char *password = NULL;
661 #endif /* SU_ACCESS */
662 #endif /* !USE_PAM */
664 * Get the program name. The program name is used as a prefix to
665 * most error messages.
667 Prog = Basename (argv[0]);
669 caller_uid = getuid ();
670 caller_is_root = (caller_uid == 0);
673 * Get the tty name. Entries will be logged indicating that the user
674 * tried to change to the named new user from the current terminal.
676 caller_tty = ttyname (0);
677 if ((isatty (0) != 0) && (NULL != caller_tty)) {
679 caller_on_console = console (caller_tty);
680 #endif /* !USE_PAM */
683 * Be more paranoid, like su from SimplePAMApps. --marekm
685 if (!caller_is_root) {
687 _("%s: must be run from a terminal\n"),
695 * Get the user's real name. The current UID is used to determine
696 * who has executed su. That user ID must exist.
698 pw = get_my_pwent ();
701 _("%s: Cannot determine your user name.\n"),
703 SYSLOG ((LOG_WARN, "Cannot determine the user name of the caller (UID %lu)",
704 (unsigned long) caller_uid));
705 su_failure (caller_tty, true); /* unknown target UID*/
707 STRFCPY (caller_name, pw->pw_name);
712 * Sort out the password of user calling su, in case needed later
715 password = pw->pw_passwd;
716 if (strcmp (pw->pw_passwd, SHADOW_PASSWD_STRING) == 0) {
717 const struct spwd *spwd = getspnam (caller_name);
719 password = spwd->sp_pwdp;
723 caller_pass = xstrdup (password);
724 #endif /* SU_ACCESS */
725 #endif /* !USE_PAM */
730 * process_flags - Process the command line arguments
732 * process_flags() interprets the command line arguments and sets
733 * the values that the user will be created with accordingly. The
734 * values are checked for sanity.
736 static void process_flags (int argc, char **argv)
739 static struct option long_options[] = {
740 {"command", required_argument, NULL, 'c'},
741 {"help", no_argument, NULL, 'h'},
742 {"login", no_argument, NULL, 'l'},
743 {"preserve-environment", no_argument, NULL, 'p'},
744 {"shell", required_argument, NULL, 's'},
745 {NULL, 0, NULL, '\0'}
748 while ((c = getopt_long (argc, argv, "c:hlmps:",
749 long_options, NULL)) != -1) {
762 /* This will only have an effect if the target
763 * user do not have a restricted shell, or if
764 * su is called by root.
766 change_environment = false;
772 usage (E_USAGE); /* NOT REACHED */
776 if ((optind < argc) && (strcmp (argv[optind], "-") == 0)) {
780 && (strcmp (argv[optind], "--") == 0)) {
786 * The next argument must be either a user ID, or some flag to a
787 * subshell. Pretty sticky since you can't have an argument which
788 * doesn't start with a "-" unless you specify the new user name.
789 * Any remaining arguments will be passed to the user's login shell.
791 if ((optind < argc) && ('-' != argv[optind][0])) {
792 STRFCPY (name, argv[optind++]); /* use this login id */
793 if ((optind < argc) && (strcmp (argv[optind], "--") == 0)) {
797 if ('\0' == name[0]) { /* use default user */
798 struct passwd *root_pw = getpwnam ("root");
799 if ((NULL != root_pw) && (0 == root_pw->pw_uid)) {
800 (void) strcpy (name, "root");
802 root_pw = getpwuid (0);
803 if (NULL == root_pw) {
804 SYSLOG ((LOG_CRIT, "There is no UID 0 user."));
805 su_failure (caller_tty, true);
807 (void) strcpy (name, root_pw->pw_name);
811 doshell = (argc == optind); /* any arguments remaining? */
812 if (NULL != command) {
817 static void set_environment (struct passwd *pw)
821 * If a new login is being set up, the old environment will be
822 * ignored and a new one created later on.
824 if (change_environment && fakelogin) {
826 * The terminal type will be left alone if it is present in
827 * the environment already.
829 cp = getenv ("TERM");
835 * For some terminals COLORTERM seems to be the only way
836 * for checking for that specific terminal. For instance,
837 * gnome-terminal sets its TERM as "xterm" but its
838 * COLORTERM as "gnome-terminal". The COLORTERM variable
839 * is also of use when running GNU screen since it sets
840 * TERM to "screen" but doesn't touch COLORTERM.
842 cp = getenv ("COLORTERM");
844 addenv ("COLORTERM", cp);
848 cp = getdef_str ("ENV_TZ");
850 addenv (('/' == *cp) ? tz (cp) : cp, NULL);
854 * The clock frequency will be reset to the login value if required
856 cp = getdef_str ("ENV_HZ");
858 addenv (cp, NULL); /* set the default $HZ, if one */
860 #endif /* !USE_PAM */
863 * Also leave DISPLAY and XAUTHORITY if present, else
864 * pam_xauth will not work.
866 cp = getenv ("DISPLAY");
868 addenv ("DISPLAY", cp);
870 cp = getenv ("XAUTHORITY");
872 addenv ("XAUTHORITY", cp);
875 char **envp = environ;
876 while (NULL != *envp) {
877 addenv (*envp, NULL);
882 cp = getdef_str ((pw->pw_uid == 0) ? "ENV_SUPATH" : "ENV_PATH");
884 addenv ((pw->pw_uid == 0) ? "PATH=/sbin:/bin:/usr/sbin:/usr/bin" : "PATH=/bin:/usr/bin", NULL);
885 } else if (strchr (cp, '=') != NULL) {
891 if (getenv ("IFS") != NULL) { /* don't export user IFS ... */
892 addenv ("IFS= \t\n", NULL); /* ... instead, set a safe IFS */
896 /* we need to setup the environment *after* pam_open_session(),
897 * else the UID is changed before stuff like pam_xauth could
898 * run, and we cannot access /etc/shadow and co
900 environ = newenvp; /* make new environment active */
902 if (change_environment) {
903 /* update environment with all pam set variables */
904 char **envcp = pam_getenvlist (pamh);
906 while (NULL != *envcp) {
907 addenv (*envcp, NULL);
914 environ = newenvp; /* make new environment active */
915 #endif /* !USE_PAM */
917 if (change_environment) {
919 if (shellstr != pw->pw_shell) {
921 pw->pw_shell = xstrdup (shellstr);
925 addenv ("HOME", pw->pw_dir);
926 addenv ("USER", pw->pw_name);
927 addenv ("LOGNAME", pw->pw_name);
928 addenv ("SHELL", shellstr);
935 * su - switch user id
937 * su changes the user's ids to the values for the specified user. if
938 * no new user name is specified, "root" or UID 0 is used by default.
940 * Any additional arguments are passed to the user's shell. In
941 * particular, the argument "-c" will cause the next argument to be
942 * interpreted as a command by the common shell programs.
944 int main (int argc, char **argv)
947 struct passwd *pw = NULL;
953 (void) setlocale (LC_ALL, "");
954 (void) bindtextdomain (PACKAGE, LOCALEDIR);
955 (void) textdomain (PACKAGE);
957 save_caller_context (argv);
961 process_flags (argc, argv);
966 ret = pam_start ("su", name, &conv, &pamh);
967 if (PAM_SUCCESS != ret) {
968 SYSLOG ((LOG_ERR, "pam_start: error %d", ret);
970 _("%s: pam_start: error %d\n"),
975 ret = pam_set_item (pamh, PAM_TTY, (const void *) caller_tty);
976 if (PAM_SUCCESS == ret) {
977 ret = pam_set_item (pamh, PAM_RUSER, (const void *) caller_name);
979 if (PAM_SUCCESS != ret) {
980 SYSLOG ((LOG_ERR, "pam_set_item: %s",
981 pam_strerror (pamh, ret)));
982 fprintf (stderr, _("%s: %s\n"), Prog, pam_strerror (pamh, ret));
990 /* If the user do not want to change the environment,
991 * use the current SHELL.
992 * (unless another shell is required by the command line)
994 if ((NULL == shellstr) && !change_environment) {
995 shellstr = getenv ("SHELL");
998 /* If su is not called by root, and the target user has a
999 * restricted shell, the environment must be changed and the shell
1000 * must be the one specified in /etc/passwd.
1002 if ( !caller_is_root
1003 && restricted_shell (pw->pw_shell)) {
1005 change_environment = true;
1008 /* If the shell is not set at this time, use the shell specified
1011 if (NULL == shellstr) {
1012 shellstr = pw->pw_shell;
1016 * Set the default shell.
1018 if ((NULL == shellstr) || ('\0' == shellstr[0])) {
1022 sulog (caller_tty, true, caller_name, name); /* save SU information */
1024 if (getdef_bool ("SYSLOG_SU_ENAB")) {
1025 SYSLOG ((LOG_INFO, "+ %s %s:%s", caller_tty,
1026 ('\0' != caller_name[0]) ? caller_name : "???",
1027 ('\0' != name[0]) ? name : "???"));
1032 /* set primary group id and supplementary groups */
1033 if (setup_groups (pw) != 0) {
1034 pam_end (pamh, PAM_ABORT);
1039 * pam_setcred() may do things like resource limits, console groups,
1040 * and much more, depending on the configured modules
1042 ret = pam_setcred (pamh, PAM_ESTABLISH_CRED);
1043 if (PAM_SUCCESS != ret) {
1044 SYSLOG ((LOG_ERR, "pam_setcred: %s", pam_strerror (pamh, ret)));
1045 fprintf (stderr, _("%s: %s\n"), Prog, pam_strerror (pamh, ret));
1046 (void) pam_end (pamh, ret);
1050 ret = pam_open_session (pamh, 0);
1051 if (PAM_SUCCESS != ret) {
1052 SYSLOG ((LOG_ERR, "pam_open_session: %s",
1053 pam_strerror (pamh, ret)));
1054 fprintf (stderr, _("%s: %s\n"), Prog, pam_strerror (pamh, ret));
1055 pam_setcred (pamh, PAM_DELETE_CRED);
1056 (void) pam_end (pamh, ret);
1060 prepare_pam_close_session ();
1062 /* become the new user */
1063 if (change_uid (pw) != 0) {
1066 #else /* !USE_PAM */
1067 /* no limits if su from root (unless su must fake login's behavior) */
1068 if (!caller_is_root || fakelogin) {
1072 if (setup_uid_gid (pw, caller_on_console) != 0) {
1075 #endif /* !USE_PAM */
1077 set_environment (pw);
1080 /* There is no need for a controlling terminal.
1081 * This avoids the callee to inject commands on
1082 * the caller's tty. */
1086 /* When PAM is used, we are on the child */
1089 /* Otherwise, we cannot use setsid */
1090 int fd = open ("/dev/tty", O_RDWR);
1093 err = ioctl (fd, TIOCNOTTY, (char *) 0);
1096 #endif /* USE_PAM */
1099 (void) fprintf (stderr,
1100 _("%s: Cannot drop the controlling terminal\n"),
1107 * PAM_DATA_SILENT is not supported by some modules, and
1108 * there is no strong need to clean up the process space's
1109 * memory since we will either call exec or exit.
1110 pam_end (pamh, PAM_SUCCESS | PAM_DATA_SILENT);
1116 * This is a workaround for Linux libc bug/feature (?) - the
1117 * /dev/log file descriptor is open without the close-on-exec flag
1118 * and used to be passed to the new shell. There is "fcntl(LogFile,
1119 * F_SETFD, 1)" in libc/misc/syslog.c, but it is commented out (at
1120 * least in 5.4.33). Why? --marekm
1125 * See if the user has extra arguments on the command line. In that
1126 * case they will be provided to the new user's shell as arguments.
1131 cp = getdef_str ("SU_NAME");
1133 cp = Basename (shellstr);
1136 arg0 = xmalloc (strlen (cp) + 2);
1138 strcpy (arg0 + 1, cp);
1141 cp = Basename (shellstr);
1146 /* Position argv to the remaining arguments */
1148 if (NULL != command) {
1154 * Use the shell and create an argv
1155 * with the rest of the command line included.
1158 execve_shell (shellstr, &argv[-1], environ);
1160 (void) fprintf (stderr,
1161 _("Cannot execute %s\n"), shellstr);
1164 (void) shell (shellstr, cp, environ);
1169 return (errno == ENOENT ? E_CMD_NOTFOUND : E_CMD_NOEXEC);