2 * Copyright 1989 - 1994, Julianne Frances Haugh
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of Julianne F. Haugh nor the names of its contributors
14 * may be used to endorse or promote products derived from this software
15 * without specific prior written permission.
17 * THIS SOFTWARE IS PROVIDED BY JULIE HAUGH AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL JULIE HAUGH OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 /* Some parts substantially derived from an ancestor of: */
30 /* su for GNU. Run a shell with substitute user and group IDs.
31 Copyright (C) 1992-2003 Free Software Foundation, Inc.
33 This program is free software; you can redistribute it and/or modify
34 it under the terms of the GNU General Public License as published by
35 the Free Software Foundation; either version 2, or (at your option)
38 This program is distributed in the hope that it will be useful,
39 but WITHOUT ANY WARRANTY; without even the implied warranty of
40 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
41 GNU General Public License for more details.
43 You should have received a copy of the GNU General Public License
44 along with this program; if not, write to the Free Software Foundation,
45 Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */
57 #include <sys/types.h>
58 #include "prototypes.h"
60 #include "exitcodes.h"
67 * Assorted #defines to control su's behavior
72 /* not needed by sulog.c anymore */
73 static char name[BUFSIZ];
74 static char oldname[BUFSIZ];
76 /* If nonzero, change some environment vars to indicate the user su'd to. */
77 static int change_environment;
80 static pam_handle_t *pamh = NULL;
81 static int caught = 0;
85 extern struct passwd pwent;
88 * External identifiers
91 extern char **newenvp;
92 extern char **environ;
93 extern size_t newenvc;
95 /* local function prototypes */
99 static RETSIGTYPE die (int);
100 static int iswheel (const char *);
103 * die - set or reset termio modes.
105 * die() is called before processing begins. signal() is then called
106 * with die() as the signal handler. If signal later calls die() with a
107 * signal number, the terminal modes are then reset.
109 static RETSIGTYPE die (int killed)
124 static int iswheel (const char *username)
128 grp = getgrnam ("wheel");;
129 if (!grp || !grp->gr_mem)
131 return is_on_list (grp->gr_mem, username);
133 #endif /* !USE_PAM */
135 /* borrowed from GNU sh-utils' "su.c" */
136 static int restricted_shell (const char *shellstr)
141 while ((line = getusershell ()) != NULL) {
142 if (*line != '#' && strcmp (line, shellstr) == 0) {
151 static void su_failure (const char *tty)
153 sulog (tty, 0, oldname, name); /* log failed attempt */
155 if (getdef_bool ("SYSLOG_SU_ENAB"))
156 SYSLOG ((pwent.pw_uid ? LOG_INFO : LOG_NOTICE,
158 oldname[0] ? oldname : "???", name[0] ? name : "???"));
166 /* Signal handler for parent process later */
167 static void catch_signals (int sig)
172 /* This I ripped out of su.c from sh-utils after the Mandrake pam patch
173 * have been applied. Some work was needed to get it integrated into
176 static void run_shell (const char *shellstr, char *args[], int doshell,
185 if (child == 0) { /* child shell */
187 * PAM_DATA_SILENT is not supported by some modules, and
188 * there is no strong need to clean up the process space's
189 * memory since we will either call exec or exit.
190 pam_end (pamh, PAM_SUCCESS | PAM_DATA_SILENT);
194 (void) shell (shellstr, (char *) args[0], envp);
196 (void) execve (shellstr, (char **) args, envp);
197 exit (errno == ENOENT ? E_CMD_NOTFOUND : E_CMD_NOEXEC);
198 } else if (child == -1) {
199 (void) fprintf (stderr, "%s: Cannot fork user shell\n", Prog);
200 SYSLOG ((LOG_WARN, "Cannot execute %s", shellstr));
205 sigfillset (&ourset);
206 if (sigprocmask (SIG_BLOCK, &ourset, NULL)) {
207 (void) fprintf (stderr, "%s: signal malfunction\n", Prog);
211 struct sigaction action;
213 action.sa_handler = catch_signals;
214 sigemptyset (&action.sa_mask);
216 sigemptyset (&ourset);
218 if (sigaddset (&ourset, SIGTERM)
219 || sigaddset (&ourset, SIGALRM)
220 || sigaction (SIGTERM, &action, NULL)
221 || sigprocmask (SIG_UNBLOCK, &ourset, NULL)
224 "%s: signal masking malfunction\n", Prog);
233 pid = waitpid (-1, &status, WUNTRACED);
235 if (WIFSTOPPED (status)) {
236 kill (getpid (), SIGSTOP);
237 /* once we get here, we must have resumed */
240 } while (WIFSTOPPED (status));
244 fprintf (stderr, "\nSession terminated, killing shell...");
245 kill (child, SIGTERM);
248 ret = pam_close_session (pamh, 0);
249 if (ret != PAM_SUCCESS) {
250 SYSLOG ((LOG_ERR, "pam_close_session: %s",
251 pam_strerror (pamh, ret)));
252 fprintf (stderr, _("%s: %s\n"), Prog, pam_strerror (pamh, ret));
257 ret = pam_end (pamh, PAM_SUCCESS);
261 kill (child, SIGKILL);
262 fprintf (stderr, " ...killed.\n");
266 exit (WIFEXITED (status)
267 ? WEXITSTATUS (status)
268 : WTERMSIG (status) + 128);
273 * usage - print command line syntax and exit
275 static void usage (void)
277 fprintf (stderr, _("Usage: su [options] [LOGIN]\n"
280 " -c, --command COMMAND pass COMMAND to the invoked shell\n"
281 " -h, --help display this help message and exit\n"
282 " -, -l, --login make the shell a login shell\n"
284 " --preserve-environment do not reset environment variables, and keep\n"
286 " -s, --shell SHELL use SHELL instead of the default in passwd\n"
292 * su - switch user id
294 * su changes the user's ids to the values for the specified user. if
295 * no new user name is specified, "root" is used by default.
297 * Any additional arguments are passed to the user's shell. In
298 * particular, the argument "-c" will cause the next argument to be
299 * interpreted as a command by the common shell programs.
301 int main (int argc, char **argv)
304 const char *tty = 0; /* Name of tty SU is run from */
309 struct passwd *pw = 0;
310 char **envp = environ;
311 char *shellstr = 0, *command = 0;
319 RETSIGTYPE (*oldsig) ();
322 struct spwd *spwd = 0;
327 #endif /* !USE_PAM */
331 setlocale (LC_ALL, "");
332 bindtextdomain (PACKAGE, LOCALEDIR);
333 textdomain (PACKAGE);
335 change_environment = 1;
338 * Get the program name. The program name is used as a prefix to
339 * most error messages.
341 Prog = Basename (argv[0]);
346 * Process the command line arguments.
351 * Parse the command line options.
353 int option_index = 0;
355 static struct option long_options[] = {
356 {"command", required_argument, NULL, 'c'},
357 {"help", no_argument, NULL, 'h'},
358 {"login", no_argument, NULL, 'l'},
359 {"preserve-environment", no_argument, NULL, 'p'},
360 {"shell", required_argument, NULL, 's'},
361 {NULL, 0, NULL, '\0'}
365 getopt_long (argc, argv, "-c:hlmps:", long_options,
366 &option_index)) != -1) {
369 /* this is not an su option */
370 /* The next arguments are either '-', the
371 * target name, or arguments to be passed
374 /* rewind the (not yet handled) option */
377 break; /* NOT REACHED */
389 /* This will only have an effect if the target
390 * user do not have a restricted shell, or if
391 * su is called by root.
393 change_environment = 0;
399 usage (); /* NOT REACHED */
403 if (optind < argc && !strcmp (argv[optind], "-")) {
406 if (optind < argc && !strcmp (argv[optind], "--"))
414 amroot = (my_uid == 0);
417 * Get the tty name. Entries will be logged indicating that the user
418 * tried to change to the named new user from the current terminal.
420 if (isatty (0) && (cp = ttyname (0))) {
421 if (strncmp (cp, "/dev/", 5) == 0)
426 is_console = console (tty);
430 * Be more paranoid, like su from SimplePAMApps. --marekm
434 _("%s: must be run from a terminal\n"), Prog);
441 * The next argument must be either a user ID, or some flag to a
442 * subshell. Pretty sticky since you can't have an argument which
443 * doesn't start with a "-" unless you specify the new user name.
444 * Any remaining arguments will be passed to the user's login shell.
446 if (optind < argc && argv[optind][0] != '-') {
447 STRFCPY (name, argv[optind++]); /* use this login id */
448 if (optind < argc && !strcmp (argv[optind], "--"))
451 if (!name[0]) /* use default user ID */
452 (void) strcpy (name, "root");
454 doshell = argc == optind; /* any arguments remaining? */
459 * Get the user's real name. The current UID is used to determine
460 * who has executed su. That user ID must exist.
462 pw = get_my_pwent ();
464 SYSLOG ((LOG_CRIT, "Unknown UID: %u", my_uid));
467 STRFCPY (oldname, pw->pw_name);
472 * Sort out the password of user calling su, in case needed later
475 if ((spwd = getspnam (oldname)))
476 pw->pw_passwd = spwd->sp_pwdp;
477 oldpass = xstrdup (pw->pw_passwd);
478 #endif /* SU_ACCESS */
481 ret = pam_start ("su", name, &conv, &pamh);
482 if (ret != PAM_SUCCESS) {
483 SYSLOG ((LOG_ERR, "pam_start: error %d", ret);
484 fprintf (stderr, _("%s: pam_start: error %d\n"),
489 ret = pam_set_item (pamh, PAM_TTY, (const void *) tty);
490 if (ret == PAM_SUCCESS)
491 ret = pam_set_item (pamh, PAM_RUSER, (const void *) oldname);
492 if (ret != PAM_SUCCESS) {
493 SYSLOG ((LOG_ERR, "pam_set_item: %s",
494 pam_strerror (pamh, ret)));
495 fprintf (stderr, _("%s: %s\n"), Prog, pam_strerror (pamh, ret));
503 * This is the common point for validating a user whose name is
504 * known. It will be reached either by normal processing, or if the
505 * user is to be logged into a subsystem root.
507 * The password file entries for the user is gotten and the account
510 if (!(pw = getpwnam (name))) {
511 (void) fprintf (stderr, _("Unknown id: %s\n"), name);
517 if (strcmp (pw->pw_passwd, SHADOW_PASSWD_STRING) == 0
518 && (spwd = getspnam (name)))
519 pw->pw_passwd = spwd->sp_pwdp;
520 #endif /* !USE_PAM */
523 /* If su is not called by root, and the target user has a restricted
524 * shell, the environment must be changed.
526 change_environment |= (restricted_shell (pwent.pw_shell) && !amroot);
529 * If a new login is being set up, the old environment will be
530 * ignored and a new one created later on.
531 * (note: in the case of a subsystem, the shell will be restricted,
532 * and this won't be executed on the first pass)
534 if (fakelogin && change_environment) {
536 * The terminal type will be left alone if it is present in
537 * the environment already.
539 if ((cp = getenv ("TERM")))
542 if ((cp = getdef_str ("ENV_TZ")))
543 addenv (*cp == '/' ? tz (cp) : cp, NULL);
546 * The clock frequency will be reset to the login value if required
548 if ((cp = getdef_str ("ENV_HZ")))
549 addenv (cp, NULL); /* set the default $HZ, if one */
552 * Also leave DISPLAY and XAUTHORITY if present, else
553 * pam_xauth will not work.
555 if ((cp = getenv ("DISPLAY")))
556 addenv ("DISPLAY", cp);
557 if ((cp = getenv ("XAUTHORITY")))
558 addenv ("XAUTHORITY", cp);
559 #endif /* !USE_PAM */
562 addenv (*envp++, NULL);
567 * BSD systems only allow "wheel" to SU to root. USG systems don't,
568 * so we make this a configurable option.
571 /* The original Shadow 3.3.2 did this differently. Do it like BSD:
573 * - check for UID 0 instead of name "root" - there are systems with
574 * several root accounts under different names,
576 * - check the contents of /etc/group instead of the current group
577 * set (you must be listed as a member, GID 0 is not sufficient).
579 * In addition to this traditional feature, we now have complete su
580 * access control (allow, deny, no password, own password). Thanks
581 * to Chris Evans <lady0110@sable.ox.ac.uk>.
585 if (pwent.pw_uid == 0 && getdef_bool ("SU_WHEEL_ONLY")
586 && !iswheel (oldname)) {
588 _("You are not authorized to su %s\n"), name);
592 switch (check_su_auth (oldname, name)) {
593 case 0: /* normal su, require target user's password */
595 case 1: /* require no password */
596 pwent.pw_passwd = ""; /* XXX warning: const */
598 case 2: /* require own password */
599 puts (_("(Enter your own password)"));
600 pwent.pw_passwd = oldpass;
602 default: /* access denied (-1) or unexpected value */
604 _("You are not authorized to su %s\n"), name);
607 #endif /* SU_ACCESS */
609 #endif /* !USE_PAM */
611 /* If the user do not want to change the environment,
612 * use the current SHELL.
613 * (unless another shell is required by the command line)
615 if (shellstr == NULL && change_environment == 0)
616 shellstr = getenv ("SHELL");
617 /* For users with non null UID, if this user has a restricted
618 * shell, the shell must be the one specified in /etc/passwd
620 if (shellstr != NULL && !amroot && restricted_shell (pwent.pw_shell))
622 /* If the shell is not set at this time, use the shell specified
625 if (shellstr == NULL)
626 shellstr = (char *) strdup (pwent.pw_shell);
629 * Set the default shell.
631 if (shellstr == NULL || shellstr[0] == '\0')
632 shellstr = "/bin/sh";
634 signal (SIGINT, SIG_IGN);
635 signal (SIGQUIT, SIG_IGN);
637 ret = pam_authenticate (pamh, 0);
638 if (ret != PAM_SUCCESS) {
639 SYSLOG ((LOG_ERR, "pam_authenticate: %s",
640 pam_strerror (pamh, ret)));
641 fprintf (stderr, _("%s: %s\n"), Prog, pam_strerror (pamh, ret));
646 ret = pam_acct_mgmt (pamh, 0);
647 if (ret != PAM_SUCCESS) {
649 fprintf (stderr, _("%s: %s\n(Ignored)\n"), Prog,
650 pam_strerror (pamh, ret));
651 } else if (ret == PAM_NEW_AUTHTOK_REQD) {
652 ret = pam_chauthtok (pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
653 if (ret != PAM_SUCCESS) {
654 SYSLOG ((LOG_ERR, "pam_chauthtok: %s",
655 pam_strerror (pamh, ret)));
656 fprintf (stderr, _("%s: %s\n"), Prog,
657 pam_strerror (pamh, ret));
662 SYSLOG ((LOG_ERR, "pam_acct_mgmt: %s",
663 pam_strerror (pamh, ret)));
664 fprintf (stderr, _("%s: %s\n"), Prog,
665 pam_strerror (pamh, ret));
672 * Set up a signal handler in case the user types QUIT.
675 oldsig = signal (SIGQUIT, die);
678 * See if the system defined authentication method is being used.
679 * The first character of an administrator defined method is an '@'
682 if (!amroot && pw_auth (pwent.pw_passwd, name, PW_SU, (char *) 0)) {
683 SYSLOG ((pwent.pw_uid ? LOG_NOTICE : LOG_WARN,
684 "Authentication failed for %s", name));
687 signal (SIGQUIT, oldsig);
690 * Check to see if the account is expired. root gets to ignore any
691 * expired accounts, but normal users can't become a user with an
696 spwd = pwd_to_spwd (&pwent);
698 if (expire (&pwent, spwd)) {
699 struct passwd *pwd = getpwnam (name);
701 spwd = getspnam (name);
708 * Check to see if the account permits "su". root gets to ignore any
709 * restricted accounts, but normal users can't become a user if
710 * there is a "SU" entry in the /etc/porttime file denying access to
714 if (!isttytime (pwent.pw_name, "SU", time ((time_t *) 0))) {
715 SYSLOG ((pwent.pw_uid ? LOG_WARN : LOG_CRIT,
716 "SU by %s to restricted account %s",
721 #endif /* !USE_PAM */
723 signal (SIGINT, SIG_DFL);
724 signal (SIGQUIT, SIG_DFL);
726 cp = getdef_str ((pwent.pw_uid == 0) ? "ENV_SUPATH" : "ENV_PATH");
728 addenv ("PATH=/bin:/usr/bin", NULL);
729 } else if (strchr (cp, '=')) {
735 if (getenv ("IFS")) /* don't export user IFS ... */
736 addenv ("IFS= \t\n", NULL); /* ... instead, set a safe IFS */
739 * Even if --shell is specified, the subsystem login test is based on
740 * the shell specified in /etc/passwd (not the one specified with
741 * --shell, which will be the one executed in the chroot later).
743 if (pwent.pw_shell[0] == '*') { /* subsystem root required */
744 pwent.pw_shell++; /* skip the '*' */
745 subsystem (&pwent); /* figure out what to execute */
751 sulog (tty, 1, oldname, name); /* save SU information */
755 if (getdef_bool ("SYSLOG_SU_ENAB"))
756 SYSLOG ((LOG_INFO, "+ %s %s:%s", tty,
757 oldname[0] ? oldname : "???", name[0] ? name : "???"));
761 /* set primary group id and supplementary groups */
762 if (setup_groups (&pwent)) {
763 pam_end (pamh, PAM_ABORT);
768 * pam_setcred() may do things like resource limits, console groups,
769 * and much more, depending on the configured modules
771 ret = pam_setcred (pamh, PAM_ESTABLISH_CRED);
772 if (ret != PAM_SUCCESS) {
773 SYSLOG ((LOG_ERR, "pam_setcred: %s", pam_strerror (pamh, ret)));
774 fprintf (stderr, _("%s: %s\n"), Prog, pam_strerror (pamh, ret));
779 ret = pam_open_session (pamh, 0);
780 if (ret != PAM_SUCCESS) {
781 SYSLOG ((LOG_ERR, "pam_open_session: %s",
782 pam_strerror (pamh, ret)));
783 fprintf (stderr, _("%s: %s\n"), Prog, pam_strerror (pamh, ret));
784 pam_setcred (pamh, PAM_DELETE_CRED);
789 if (change_environment) {
790 /* we need to setup the environment *after* pam_open_session(),
791 * else the UID is changed before stuff like pam_xauth could
792 * run, and we cannot access /etc/shadow and co
794 environ = newenvp; /* make new environment active */
796 /* update environment with all pam set variables */
797 envcp = pam_getenvlist (pamh);
800 addenv (*envcp, NULL);
806 /* become the new user */
807 if (change_uid (&pwent)) {
808 pam_close_session (pamh, 0);
809 pam_setcred (pamh, PAM_DELETE_CRED);
810 pam_end (pamh, PAM_ABORT);
814 environ = newenvp; /* make new environment active */
816 /* no limits if su from root (unless su must fake login's behavior) */
817 if (!amroot || fakelogin)
818 setup_limits (&pwent);
820 if (setup_uid_gid (&pwent, is_console))
822 #endif /* !USE_PAM */
824 if (change_environment) {
826 pwent.pw_shell = shellstr;
829 addenv ("HOME", pwent.pw_dir);
830 addenv ("USER", pwent.pw_name);
831 addenv ("LOGNAME", pwent.pw_name);
832 addenv ("SHELL", shellstr);
837 * This is a workaround for Linux libc bug/feature (?) - the
838 * /dev/log file descriptor is open without the close-on-exec flag
839 * and used to be passed to the new shell. There is "fcntl(LogFile,
840 * F_SETFD, 1)" in libc/misc/syslog.c, but it is commented out (at
841 * least in 5.4.33). Why? --marekm
846 * See if the user has extra arguments on the command line. In that
847 * case they will be provided to the new user's shell as arguments.
852 cp = getdef_str ("SU_NAME");
854 cp = Basename (shellstr);
856 arg0 = xmalloc (strlen (cp) + 2);
858 strcpy (arg0 + 1, cp);
861 cp = Basename (shellstr);
864 /* Position argv to the remaining arguments */
872 * Use the shell and create an argv
873 * with the rest of the command line included.
877 (void) execve (shellstr, &argv[-1], environ);
879 (void) fprintf (stderr, _("No shell\n"));
880 SYSLOG ((LOG_WARN, "Cannot execute %s", shellstr));
882 exit (err == ENOENT ? E_CMD_NOTFOUND : E_CMD_NOEXEC);
884 run_shell (shellstr, &argv[-1], 0, environ); /* no return */
888 err = shell (shellstr, cp, environ);
889 exit (err == ENOENT ? E_CMD_NOTFOUND : E_CMD_NOEXEC);
891 run_shell (shellstr, &cp, 1, environ);