1 /**	$MirOS: src/lib/libc/gen/login_cap.c,v 1.2 2005/03/06 20:28:40 tg Exp $ */
2 /*	$OpenBSD: login_cap.c,v 1.24 2004/09/16 06:24:41 deraadt Exp $	*/
3 
4 /*
5  * Copyright (c) 2000-2004 Todd C. Miller <Todd.Miller@courtesan.com>
6  *
7  * Permission to use, copy, modify, and distribute this software for any
8  * purpose with or without fee is hereby granted, provided that the above
9  * copyright notice and this permission notice appear in all copies.
10  *
11  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18  */
19 /*-
20  * Copyright (c) 1995,1997 Berkeley Software Design, Inc. All rights reserved.
21  *
22  * Redistribution and use in source and binary forms, with or without
23  * modification, are permitted provided that the following conditions
24  * are met:
25  * 1. Redistributions of source code must retain the above copyright
26  *    notice, this list of conditions and the following disclaimer.
27  * 2. Redistributions in binary form must reproduce the above copyright
28  *    notice, this list of conditions and the following disclaimer in the
29  *    documentation and/or other materials provided with the distribution.
30  * 3. All advertising materials mentioning features or use of this software
31  *    must display the following acknowledgement:
32  *	This product includes software developed by Berkeley Software Design,
33  *	Inc.
34  * 4. The name of Berkeley Software Design, Inc.  may not be used to endorse
35  *    or promote products derived from this software without specific prior
36  *    written permission.
37  *
38  * THIS SOFTWARE IS PROVIDED BY BERKELEY SOFTWARE DESIGN, INC. ``AS IS'' AND
39  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
40  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
41  * ARE DISCLAIMED.  IN NO EVENT SHALL BERKELEY SOFTWARE DESIGN, INC. BE LIABLE
42  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
43  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
44  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
45  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
46  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
47  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
48  * SUCH DAMAGE.
49  *
50  *	BSDI $From: login_cap.c,v 2.16 2000/03/22 17:10:55 donn Exp $
51  */
52 #include <sys/types.h>
53 #include <sys/stat.h>
54 #include <sys/time.h>
55 #include <sys/resource.h>
56 
57 #include <err.h>
58 #include <errno.h>
59 #include <fcntl.h>
60 #include <limits.h>
61 #include <login_cap.h>
62 #include <paths.h>
63 #include <pwd.h>
64 #include <stdio.h>
65 #include <stdlib.h>
66 #include <string.h>
67 #include <syslog.h>
68 #include <unistd.h>
69 
__RCSID("$MirOS: src/lib/libc/gen/login_cap.c,v 1.2 2005/03/06 20:28:40 tg Exp $");

/* Fallback style list used by login_getstyle() when the class has no "auth" capability. */
static	char *_authtypes[] = { LOGIN_DEFSTYLE, 0 };
/* Copy a string, expanding '~' and '$' for the given user (see below). */
static	char *expandstr(const char *, const struct passwd *, int);
/* setenv() one variable after expanding its value; non-zero on failure. */
static	int login_setenv(char *, char *, const struct passwd *, int);
/* Apply the "setenv" capability of the class. */
static	int setuserenv(login_cap_t *lc, const struct passwd *pwd);
/* Apply the "path" capability of the class (or _PATH_DEFPATH). */
static	int setuserpath(login_cap_t *, const struct passwd *pwd);
/* Overflow-checked unsigned multiply; ERANGE and UQUAD_MAX on overflow. */
static	u_quad_t multiply(u_quad_t, u_quad_t);
/* Parse a size limit, accepting "infinity"/"inf" as RLIM_INFINITY. */
static	u_quad_t strtolimit(char *, char **, int);
/* Parse a size with b/k/m/g/t suffixes and "x" products. */
static	u_quad_t strtosize(char *, char **, int);
/* Fetch and install one resource limit from the class database. */
static	int gsetrl(login_cap_t *lc, int what, char *name, int type);
81 
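/*
 * Open the login class "class" (NULL or "" selects LOGIN_DEFCLASS).
 * Returns a malloc()ed login_cap_t the caller releases with login_close(),
 * or NULL on allocation failure or when the class cannot be resolved.
 * The returned object may carry no capabilities at all (lc_cap == NULL):
 * that is not an error, the login_get* routines then use their defaults.
 */
login_cap_t *
login_getclass(char *class)
{
	char *classfiles[2];
	login_cap_t *lc;
	int res;

	/*
	 * Only consult login.conf when secure_path() accepts it: a regular
	 * file owned by root that nobody else can write.  Anything else is
	 * treated as "no database".  Note that the check is by pathname and
	 * precedes the open done by cgetent() below.
	 */
	if (secure_path(_PATH_LOGIN_CONF) == 0) {
		classfiles[0] = _PATH_LOGIN_CONF;
		classfiles[1] = NULL;
	} else {
		classfiles[0] = NULL;
	}

	if ((lc = malloc(sizeof *lc)) == NULL) {
		syslog(LOG_ERR, "%s:%d malloc: %m", __FILE__, __LINE__);
		return (NULL);
	}

	lc->lc_cap = NULL;
	lc->lc_style = NULL;

	if (class == NULL || class[0] == '\0')
		class = LOGIN_DEFCLASS;

	if ((lc->lc_class = strdup(class)) == NULL) {
		syslog(LOG_ERR, "%s:%d strdup: %m", __FILE__, __LINE__);
		free(lc);
		return (NULL);
	}

	/*
	 * Not having a login.conf file is not an error condition.
	 * The individual routines deal reasonably with missing
	 * capabilities and use default values.
	 */
	if (classfiles[0] == NULL)
		return (lc);

	if ((res = cgetent(&lc->lc_cap, classfiles, lc->lc_class)) == 0)
		return (lc);

	/* Lookup failed: report why, then release everything. */
	lc->lc_cap = NULL;
	switch (res) {
	case 1:
		syslog(LOG_ERR, "%s: couldn't resolve 'tc'",
			lc->lc_class);
		break;
	case -1:
		/*
		 * Entry not found.  When the file itself cannot be opened
		 * and the default class was asked for, hand back a
		 * capability-less object so the defaults apply; any other
		 * missing class is an error.
		 */
		if ((res = open(classfiles[0], O_RDONLY)) >= 0)
			close(res);
		if (res < 0 && strcmp(lc->lc_class, LOGIN_DEFCLASS) == 0)
			return (lc);
		syslog(LOG_ERR, "%s: unknown class", lc->lc_class);
		break;
	case -2:
		syslog(LOG_ERR, "%s: getting class information: %m",
			lc->lc_class);
		break;
	case -3:
		syslog(LOG_ERR, "%s: 'tc' reference loop",
			lc->lc_class);
		break;
	default:
		syslog(LOG_ERR, "%s: unexpected cgetent error",
			lc->lc_class);
		break;
	}
	free(lc->lc_class);
	free(lc);
	return (NULL);
}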
155 
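/*
 * Select the authentication style for class lc.  "style" is the caller's
 * request (NULL means "the first allowed style"); "atype" names an
 * auth-<type> capability consulted before the generic "auth" list.
 * Returns a malloc()ed copy of the chosen style, also stored in
 * lc->lc_style (freed by login_close()), or NULL when the style is not
 * permitted for the class or memory runs out.
 */
char *
login_getstyle(login_cap_t *lc, char *style, char *atype)
{
	char **authtypes = _authtypes;
	char *auths, *ta;
	char *list = NULL;	/* the capability string, owned here */
	char **table = NULL;	/* the split list, owned here */
	char *result = NULL;
	int i;

	/* Silently convert 's/key' -> 'skey' */
	if (style && strcmp(style, "s/key") == 0)
		style = "skey";

	/* Forget any previously selected style. */
	free(lc->lc_style);
	lc->lc_style = NULL;

	if (!atype || !(auths = login_getcapstr(lc, atype, NULL, NULL)))
		auths = login_getcapstr(lc, "auth", NULL, NULL);

	if (auths) {
		list = ta = auths;	/* auths malloced by login_getcapstr */
		/* One slot per comma-separated field plus the terminator. */
		i = 2;
		while (*ta)
			if (*ta++ == ',')
				++i;
		table = authtypes = calloc(i, sizeof *table);
		if (!authtypes) {
			syslog(LOG_ERR, "malloc: %m");
			free(list);
			return (NULL);
		}
		/* Split in place; an empty field stands for LOGIN_DEFSTYLE. */
		i = 0;
		while (*auths) {
			authtypes[i] = auths;
			while (*auths && *auths != ',')
				++auths;
			if (*auths)
				*auths++ = 0;
			if (!*authtypes[i])
				authtypes[i] = LOGIN_DEFSTYLE;
			++i;
		}
		authtypes[i] = 0;
	}

	if (!style)
		style = authtypes[0];

	while (*authtypes && strcmp(style, *authtypes))
		++authtypes;

	/* Copy before the table and its backing string go away. */
	if (*authtypes != NULL) {
		result = strdup(*authtypes);
		if (result == NULL)
			syslog(LOG_ERR, "strdup: %m");
	}
	free(list);
	free(table);
	lc->lc_style = result;
	return (result);
}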
226 
/*
 * Fetch string capability "cap" from class lc.
 * Returns a malloc()ed copy the caller frees when the capability is set,
 * "def" when it is absent (or there is no database), and "e" when the
 * lookup itself fails (the failure is logged).
 */
char *
login_getcapstr(login_cap_t *lc, char *cap, char *def, char *e)
{
	char *value = NULL;	/* filled in by cgetstr() */
	char *result;
	int rc;

	errno = 0;

	/* No database at all: the caller's default applies. */
	if (lc->lc_cap == NULL)
		return (def);

	rc = cgetstr(lc->lc_cap, cap, &value);
	if (rc >= 0) {
		result = value;
	} else if (rc == -1) {
		result = def;
	} else {
		if (rc == -2)
			syslog(LOG_ERR, "%s: getting capability %s: %m",
			    lc->lc_class, cap);
		else
			syslog(LOG_ERR,
			    "%s: unexpected error with capability %s",
			    lc->lc_class, cap);
		result = e;
	}

	/* Only the successful path hands value to the caller. */
	if (value != NULL && result != value)
		free(value);
	return (result);
}
262 
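/*
 * Fetch time capability "cap" from class lc and return it in seconds.
 * The value is a sum of terms like "2h30m"; suffixes s/m/h/d/w/y are
 * accepted, "infinity" yields RLIM_INFINITY.  Returns "def" when the
 * capability is absent, and "e" (with errno = ERANGE) when the lookup
 * fails, the value is malformed, or it does not fit in a quad_t.
 */
quad_t
login_getcaptime(login_cap_t *lc, char *cap, quad_t def, quad_t e)
{
	char *ep;
	char *res, *sres;
	int rc;
	quad_t q, r, mult;

	errno = 0;
	res = NULL;

	if (!lc->lc_cap)
		return (def);

	switch (rc = cgetstr(lc->lc_cap, cap, &res)) {
	case -1:
		free(res);
		return (def);
	case -2:
		free(res);
		syslog(LOG_ERR, "%s: getting capability %s: %m",
		    lc->lc_class, cap);
		errno = ERANGE;
		return (e);
	default:
		if (rc >= 0)
			break;
		free(res);
		syslog(LOG_ERR, "%s: unexpected error with capability %s",
		    lc->lc_class, cap);
		errno = ERANGE;
		return (e);
	}

	errno = 0;

	if (strcasecmp(res, "infinity") == 0) {
		free(res);
		return (RLIM_INFINITY);
	}

	q = 0;
	sres = res;	/* start of the buffer, for free() and the log line */
	while (*res) {
		r = strtoll(res, &ep, 0);
		if (!ep || ep == res ||
		    ((r == QUAD_MIN || r == QUAD_MAX) && errno == ERANGE))
			goto invalid;
		switch (*ep++) {
		case '\0':
			--ep;
			mult = 1;
			break;
		case 's': case 'S':
			mult = 1;
			break;
		case 'm': case 'M':
			mult = 60;
			break;
		case 'h': case 'H':
			mult = 60 * 60;
			break;
		case 'd': case 'D':
			mult = 60 * 60 * 24;
			break;
		case 'w': case 'W':
			mult = 60 * 60 * 24 * 7;
			break;
		case 'y': case 'Y':	/* Pretty absurd */
			mult = 60 * 60 * 24 * 365;
			break;
		default:
			goto invalid;
		}
		/*
		 * Scale and accumulate with explicit range checks: signed
		 * overflow is undefined behaviour, and a value that does
		 * not fit is reported like any other malformed time.
		 */
		if (r > QUAD_MAX / mult || r < QUAD_MIN / mult)
			goto invalid;
		r *= mult;
		if ((r > 0 && q > QUAD_MAX - r) || (r < 0 && q < QUAD_MIN - r))
			goto invalid;
		res = ep;
		q += r;
	}
	free(sres);
	return (q);

invalid:
	/* Log before freeing: the message prints the buffer itself. */
	syslog(LOG_ERR, "%s:%s=%s: invalid time",
	    lc->lc_class, cap, sres);
	free(sres);
	errno = ERANGE;
	return (e);
}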
350 
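/*
 * Fetch numeric capability "cap" from class lc.  Any strtoll() base-0
 * form is accepted; "infinity" yields RLIM_INFINITY.  Returns "def" when
 * the capability is absent, and "e" (with errno = ERANGE) when the lookup
 * fails or the value is not a single well-formed number.
 */
quad_t
login_getcapnum(login_cap_t *lc, char *cap, quad_t def, quad_t e)
{
	char *ep;
	char *res;
	int rc;
	quad_t q;

	errno = 0;
	res = NULL;

	if (!lc->lc_cap)
		return (def);

	switch (rc = cgetstr(lc->lc_cap, cap, &res)) {
	case -1:
		free(res);
		return (def);
	case -2:
		free(res);
		syslog(LOG_ERR, "%s: getting capability %s: %m",
		    lc->lc_class, cap);
		errno = ERANGE;
		return (e);
	default:
		if (rc >= 0)
			break;
		free(res);
		syslog(LOG_ERR, "%s: unexpected error with capability %s",
		    lc->lc_class, cap);
		errno = ERANGE;
		return (e);
	}

	errno = 0;

	if (strcasecmp(res, "infinity") == 0) {
		free(res);
		return (RLIM_INFINITY);
	}

	/* The whole string must be consumed (ep[0] == '\0'). */
	q = strtoll(res, &ep, 0);
	if (!ep || ep == res || ep[0] ||
	    ((q == QUAD_MIN || q == QUAD_MAX) && errno == ERANGE)) {
		/* Log before freeing: the message prints the buffer itself. */
		syslog(LOG_ERR, "%s:%s=%s: invalid number",
		    lc->lc_class, cap, res);
		free(res);
		errno = ERANGE;
		return (e);
	}
	free(res);
	return (q);
}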
407 
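/*
 * Fetch size capability "cap" from class lc, parsed with strtolimit()
 * (b/k/m/g/t suffixes, "x" products, "infinity"/"inf").  Returns "def"
 * when the capability is absent, and "e" (with errno = ERANGE) when the
 * lookup fails or the value is malformed or out of range.
 */
quad_t
login_getcapsize(login_cap_t *lc, char *cap, quad_t def, quad_t e)
{
	char *ep;
	char *res;
	int rc;
	quad_t q;

	errno = 0;
	res = NULL;

	if (!lc->lc_cap)
		return (def);

	switch (rc = cgetstr(lc->lc_cap, cap, &res)) {
	case -1:
		free(res);
		return (def);
	case -2:
		free(res);
		syslog(LOG_ERR, "%s: getting capability %s: %m",
		    lc->lc_class, cap);
		errno = ERANGE;
		return (e);
	default:
		if (rc >= 0)
			break;
		free(res);
		syslog(LOG_ERR, "%s: unexpected error with capability %s",
		    lc->lc_class, cap);
		errno = ERANGE;
		return (e);
	}

	errno = 0;
	/*
	 * At most one character may follow what strtolimit() consumed
	 * (historical tolerance; the reason is not evident here).
	 */
	q = strtolimit(res, &ep, 0);
	if (!ep || ep == res || (ep[0] && ep[1]) ||
	    ((q == QUAD_MIN || q == QUAD_MAX) && errno == ERANGE)) {
		/* Log before freeing: the message prints the buffer itself. */
		syslog(LOG_ERR, "%s:%s=%s: invalid size",
		    lc->lc_class, cap, res);
		free(res);
		errno = ERANGE;
		return (e);
	}
	free(res);
	return (q);
}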
458 
/*
 * Test boolean capability "cap" of class lc: 1 when present, 0 when
 * absent, "def" when there is no database at all.
 */
int
login_getcapbool(login_cap_t *lc, char *cap, u_int def)
{
	if (lc->lc_cap == NULL)
		return (def);

	/* Boolean caps are present-or-absent; ':' is the field terminator. */
	return (cgetcap(lc->lc_cap, cap, ':') == NULL ? 0 : 1);
}
467 
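/*
 * Release a login_cap_t obtained from login_getclass().  NULL is accepted
 * and ignored, which lets callers close an optional class unconditionally.
 */
void
login_close(login_cap_t *lc)
{
	if (lc == NULL)
		return;
	/* free(NULL) is a no-op, so the members need no guards. */
	free(lc->lc_class);
	free(lc->lc_cap);
	free(lc->lc_style);
	free(lc);
}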
481 
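/* Which parser gsetrl() uses for a resource-limit capability. */
enum {
	CTIME = 1,	/* login_getcaptime(): seconds, s/m/h/d/w/y suffixes */
	CSIZE = 2,	/* login_getcapsize(): bytes, b/k/m/g/t suffixes */
	CNUMB = 3	/* login_getcapnum(): plain number */
};

/*
 * Resource limits that login.conf may set, keyed by capability name.
 * Each "name" may also appear as "name-cur" / "name-max" to set only the
 * soft / hard limit.  The table ends with an entry whose name is NULL.
 */
static struct {
	int	what;	/* RLIMIT_* handed to getrlimit()/setrlimit() */
	int	type;	/* CTIME, CSIZE or CNUMB */
	char *	name;	/* capability name in login.conf */
} r_list[] = {
	{ RLIMIT_CPU,		CTIME, "cputime", },
	{ RLIMIT_TIME,		CTIME, "time", },
	{ RLIMIT_FSIZE,		CSIZE, "filesize", },
	{ RLIMIT_DATA,		CSIZE, "datasize", },
	{ RLIMIT_STACK,		CSIZE, "stacksize", },
	{ RLIMIT_RSS,		CSIZE, "memoryuse", },
	{ RLIMIT_MEMLOCK,	CSIZE, "memorylocked", },
	{ RLIMIT_NPROC,		CNUMB, "maxproc", },
	{ RLIMIT_NOFILE,	CNUMB, "openfiles", },
	{ RLIMIT_CORE,		CSIZE, "coredumpsize", },
#ifdef RLIMIT_VMEM
	{ RLIMIT_VMEM,		CSIZE, "vmemoryuse", },
#endif
	{ -1, 0, 0 }
};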
506 
/*
 * Install one resource limit from the class database.  "name" is the bare
 * capability (e.g. "datasize"); "name-cur" and "name-max" may override the
 * soft and hard limit separately.  "type" selects the parser (CTIME,
 * CSIZE or CNUMB).  Returns 0 on success or when there is no database,
 * -1 when getrlimit()/setrlimit() fails or "type" is unknown.
 */
static int
gsetrl(login_cap_t *lc, int what, char *name, int type)
{
	struct rlimit rl;	/* the limit to install */
	struct rlimit r;	/* the current limit, used as default */
	char name_cur[32];
	char name_max[32];
	char *v;

	/*
	 * If we have no capabilities then there is nothing to do and
	 * we can just return success.
	 */
	if (lc->lc_cap == NULL)
		return (0);

	/* The longest r_list name plus "-cur"/"-max" fits comfortably. */
	snprintf(name_cur, sizeof name_cur, "%s-cur", name);
	snprintf(name_max, sizeof name_max, "%s-max", name);

	if (getrlimit(what, &r)) {
		syslog(LOG_ERR, "getting resource limit: %m");
		return (-1);
	}

	/*
	 * We need to pre-fetch the 3 possible strings we will look
	 * up to see what order they come in.  If the one without
	 * the -cur or -max comes in first then we ignore any later
	 * -cur or -max entries.
	 * Note that the cgetent routines will always return failure
	 * on the entry "".  This will cause our login_get* routines
	 * to use the default entry.
	 *
	 * The '<' compares positions inside the same entry text.  When
	 * the -cur/-max lookup fails it yields NULL, which presumably
	 * never compares above v, so that name is left intact.
	 */
	if ((v = cgetcap(lc->lc_cap, name, '=')) != NULL) {
		if (v < cgetcap(lc->lc_cap, name_cur, '='))
			name_cur[0] = '\0';
		if (v < cgetcap(lc->lc_cap, name_max, '='))
			name_max[0] = '\0';
	}

#define	RCUR	r.rlim_cur
#define	RMAX	r.rlim_max

	/*
	 * The bare name overrides both limits (defaulting to the current
	 * values), then the -cur/-max names override each one in turn.
	 * Every getter is called with def == e, so a bad value simply
	 * keeps the current limit (the getter logs the problem).
	 */
	switch (type) {
	case CTIME:
		RCUR = login_getcaptime(lc, name, RCUR, RCUR);
		RMAX = login_getcaptime(lc, name, RMAX, RMAX);
		rl.rlim_cur = login_getcaptime(lc, name_cur, RCUR, RCUR);
		rl.rlim_max = login_getcaptime(lc, name_max, RMAX, RMAX);
		break;
	case CSIZE:
		RCUR = login_getcapsize(lc, name, RCUR, RCUR);
		RMAX = login_getcapsize(lc, name, RMAX, RMAX);
		rl.rlim_cur = login_getcapsize(lc, name_cur, RCUR, RCUR);
		rl.rlim_max = login_getcapsize(lc, name_max, RMAX, RMAX);
		break;
	case CNUMB:
		RCUR = login_getcapnum(lc, name, RCUR, RCUR);
		RMAX = login_getcapnum(lc, name, RMAX, RMAX);
		rl.rlim_cur = login_getcapnum(lc, name_cur, RCUR, RCUR);
		rl.rlim_max = login_getcapnum(lc, name_max, RMAX, RMAX);
		break;
	default:
		return (-1);
	}

	/* A soft limit above the hard one is rejected by the kernel and logged here. */
	if (setrlimit(what, &rl)) {
		syslog(LOG_ERR, "%s: setting resource limit %s: %m",
		    lc->lc_class, name);
		return (-1);
	}
#undef	RCUR
#undef	RMAX
	return (0);
}
582 
/*
 * Apply the user-independent settings of login class "class" to the
 * current process.  Only LOGIN_SETRESOURCES, LOGIN_SETPRIORITY,
 * LOGIN_SETUMASK and LOGIN_SETPATH are honoured from "flags".
 * Returns 0 on success, -1 if the class cannot be opened or applied.
 */
int
setclasscontext(char *class, u_int flags)
{
	login_cap_t *lc;
	int ret = -1;

	flags &= LOGIN_SETRESOURCES | LOGIN_SETPRIORITY | LOGIN_SETUMASK |
	    LOGIN_SETPATH;

	if ((lc = login_getclass(class)) != NULL) {
		ret = setusercontext(lc, NULL, 0, flags);
		login_close(lc);
	}
	return (ret);
}
597 
/*
 * Apply the login-class settings selected by "flags" to the current
 * process.  "lc" may be NULL, in which case the class named by
 * pwd->pw_class (or the default class when pwd is NULL) is opened here
 * and closed again before returning.  Credential changes (LOGIN_SETGROUP,
 * LOGIN_SETLOGIN, LOGIN_SETUSER) are done before the environment ones
 * (LOGIN_SETENV, LOGIN_SETPATH).  Returns 0 on success, -1 on the first
 * failure; whatever was applied before that failure stays in effect.
 */
int
setusercontext(login_cap_t *lc, struct passwd *pwd, uid_t uid, u_int flags)
{
	login_cap_t *flc;	/* class opened here, to be closed here */
	quad_t p;
	int i;

	flc = NULL;

	if (!lc && !(flc = lc = login_getclass(pwd ? pwd->pw_class : NULL)))
		return (-1);

	/*
	 * Without the pwd entry being passed we cannot set either
	 * the group or the login.  We could complain about it.
	 */
	if (pwd == NULL)
		flags &= ~(LOGIN_SETGROUP|LOGIN_SETLOGIN);

	/*
	 * A limit that cannot be set is not fatal: gsetrl() logs the
	 * getrlimit()/setrlimit() failures itself.
	 */
	if (flags & LOGIN_SETRESOURCES)
		for (i = 0; r_list[i].name; ++i)
			if (gsetrl(lc, r_list[i].what, r_list[i].name,
			    r_list[i].type))
				/* XXX - call syslog()? */;

	/* "priority" defaults to 0 both when absent and when malformed. */
	if (flags & LOGIN_SETPRIORITY) {
		p = login_getcapnum(lc, "priority", 0, 0);

		if (setpriority(PRIO_PROCESS, 0, (int)p) < 0)
			syslog(LOG_ERR, "%s: setpriority: %m", lc->lc_class);
	}

	if (flags & LOGIN_SETUMASK) {
		p = login_getcapnum(lc, "umask", LOGIN_DEFUMASK,LOGIN_DEFUMASK);
		umask((mode_t)p);
	}

	/* Groups are set while still privileged, before the uid changes. */
	if (flags & LOGIN_SETGROUP) {
		if (setgid(pwd->pw_gid) < 0) {
			syslog(LOG_ERR, "setgid(%u): %m", (u_int)pwd->pw_gid);
			login_close(flc);
			return (-1);
		}

		if (initgroups(pwd->pw_name, pwd->pw_gid) < 0) {
			syslog(LOG_ERR, "initgroups(%s,%u): %m",
			    pwd->pw_name, (u_int)pwd->pw_gid);
			login_close(flc);
			return (-1);
		}
	}

	if (flags & LOGIN_SETLOGIN)
		if (setlogin(pwd->pw_name) < 0) {
			syslog(LOG_ERR, "setlogin(%s) failure: %m",
			    pwd->pw_name);
			login_close(flc);
			return (-1);
		}

	/*
	 * The seteuid() result is deliberately ignored; setuid() is the
	 * call that must succeed, and its failure aborts the switch.
	 */
	if (flags & LOGIN_SETUSER) {
		(void) seteuid(uid);	/* just in case */
		if (setuid(uid) < 0) {
			syslog(LOG_ERR, "setuid(%u): %m", uid);
			login_close(flc);
			return (-1);
		}
	}

	/* Environment is built after the credentials have been dropped. */
	if (flags & LOGIN_SETENV) {
		if (setuserenv(lc, pwd) == -1) {
			syslog(LOG_ERR, "could not set user environment: %m");
			login_close(flc);
			return (-1);
		}
	}

	if (flags & LOGIN_SETPATH) {
		if (setuserpath(lc, pwd) == -1) {
			syslog(LOG_ERR, "could not set PATH: %m");
			login_close(flc);
			return (-1);
		}
	}

	login_close(flc);
	return (0);
}
686 
/*
 * Look up "path" for this user in login.conf and replace whitespace
 * with ':' while expanding '~' and '$'.  Sets the PATH environment
 * variable to the result or _PATH_DEFPATH on error.  Returns the
 * login_setenv() result (0 on success).
 */
static int
setuserpath(login_cap_t *lc, const struct passwd *pwd)
{
	char *raw = NULL;	/* capability text from cgetustr() */
	char *conv = NULL;	/* colon-separated conversion of raw */
	const char *in;
	char *out;
	int len, error;

	/* Any failure below leaves conv NULL, selecting _PATH_DEFPATH. */
	if (lc->lc_cap != NULL &&
	    (len = cgetustr(lc->lc_cap, "path", &raw)) > 0 &&
	    (conv = malloc(len + 1)) != NULL) {
		/* The conversion never grows the text, so len + 1 suffices. */
		in = raw;
		out = conv;
		while (*in != '\0') {
			if (*in == ' ' || *in == '\t') {
				/* Collapse a run of blanks; drop trailing blanks. */
				while (*in == ' ' || *in == '\t')
					in++;
				if (*in != '\0')
					*out++ = ':';
				continue;
			}
			/* A backslash-escaped blank is copied as-is, backslash included. */
			if (*in == '\\' && (in[1] == ' ' || in[1] == '\t'))
				*out++ = *in++;
			*out++ = *in++;
		}
		*out = '\0';
	}
	error = login_setenv("PATH", conv != NULL ? conv : _PATH_DEFPATH, pwd, 1);
	free(raw);
	free(conv);
	return (error);
}
740 
/*
 * Look up "setenv" for this user in login.conf and set the comma-separated
 * list of environment variables, expanding '~' and '$'.
 * Entries are NAME=VALUE (a bare NAME gets an empty value); a comma that
 * belongs to a value is written "\,".  Returns 0 on success or when the
 * capability is absent, -1 without a database, or the login_setenv()
 * error of the first entry that fails (the rest are not applied).
 */
static int
setuserenv(login_cap_t *lc, const struct passwd *pwd)
{
	char *beg, *end, *ep, *list, *value;
	int len, error;

	if (lc->lc_cap == NULL)
		return (-1);		/* impossible */

	if ((len = cgetustr(lc->lc_cap, "setenv", &list)) <= 0)
		return (0);

	/*
	 * ep is one past the terminating NUL so the last entry is handled
	 * by the '\0' case like every other one.  beg marks the start of
	 * the entry being scanned.
	 */
	for (beg = end = list, ep = list + len + 1; end < ep; end++) {
		switch (*end) {
		case '\\':
			if (*(end + 1) == ',')
				end++;	/* skip escaped comma */
			continue;
		case ',':
		case '\0':
			*end = '\0';
			if (beg == end) {
				beg++;	/* empty entry: ",," or a trailing ',' */
				continue;
			}
			break;
		default:
			continue;
		}

		/*
		 * Split NAME=VALUE in place.  The backslash of "\," is left
		 * in the value; expandstr() reduces it to a plain ','.
		 */
		if ((value = strchr(beg, '=')) != NULL)
			*value++ = '\0';
		else
			value = "";
		if ((error = login_setenv(beg, value, pwd, 0)) != 0) {
			free(list);
			return (error);
		}
		beg = end + 1;
	}
	free(list);
	return (0);
}
788 
/*
 * Set an environment variable, substituting for ~ and $.
 * "ispath" tells expandstr() to treat the value as a PATH-style list.
 * If expansion fails (out of memory) the raw value is stored instead.
 * Returns the setenv() result: 0 on success, -1 with errno set.
 */
static int
login_setenv(char *name, char *ovalue, const struct passwd *pwd, int ispath)
{
	char *expanded = NULL;
	int rc;

	/* Nothing to expand in an empty value. */
	if (ovalue[0] != '\0')
		expanded = expandstr(ovalue, pwd, ispath);
	rc = setenv(name, expanded != NULL ? expanded : ovalue, 1);
	free(expanded);
	return (rc);
}
804 
/*
 * Convert an expression of the following forms
 *	1) A number.
 *	2) A number followed by a b (mult by 512).
 *	3) A number followed by a k (mult by 1024).
 *	4) A number followed by a m (mult by 1024 * 1024).
 *	5) A number followed by a g (mult by 1024 * 1024 * 1024).
 *	6) A number followed by a t (mult by 1024 * 1024 * 1024 * 1024).
 *	7) Two or more numbers (with/without k,b,m,g, or t).
 *	   separated by x (also * for backwards compatibility), specifying
 *	   the product of the indicated values.
 * On overflow errno is set to ERANGE and UQUAD_MAX is returned.  When
 * endptr is given it always receives a pointer just past the consumed
 * part of str.
 */
static
u_quad_t
strtosize(char *str, char **endptr, int radix)
{
	u_quad_t value, factor;
	char *cur, *after;

	errno = 0;
	value = strtoull(str, &cur, radix);
	if (errno != 0 || cur == str)
		goto done;	/* no digits, or strtoull() already overflowed */

	/* Optional unit suffix. */
	switch (*cur) {
	case 'b': case 'B':
		value = multiply(value, (u_quad_t)512);
		cur++;
		break;
	case 'k': case 'K':
		value = multiply(value, (u_quad_t)1024);
		cur++;
		break;
	case 'm': case 'M':
		value = multiply(value, (u_quad_t)1024 * 1024);
		cur++;
		break;
	case 'g': case 'G':
		value = multiply(value, (u_quad_t)1024 * 1024 * 1024);
		cur++;
		break;
	case 't': case 'T':
		/* 2^40 applied as two 2^20 factors. */
		value = multiply(value, (u_quad_t)1024 * 1024);
		value = multiply(value, (u_quad_t)1024 * 1024);
		cur++;
		break;
	default:
		break;
	}
	if (errno != 0)
		goto erange;

	/* Optional "x<size>" (or "*<size>") product. */
	if (*cur == 'x' || *cur == '*') {
		factor = strtosize(cur + 1, &after, radix);
		if (errno != 0) {
			cur = after;
			goto erange;
		}
		if (after == cur + 1)
			goto done;	/* nothing after the 'x': leave it unconsumed */
		cur = after;
		value = multiply(value, factor);
		if (errno != 0)
			goto erange;
	}
done:
	if (endptr)
		*endptr = cur;
	return (value);
erange:
	if (endptr)
		*endptr = cur;
	errno = ERANGE;
	return (UQUAD_MAX);
}
888 
/*
 * Parse a resource-limit size: "infinity" or "inf" (case-insensitive)
 * means RLIM_INFINITY, anything else goes through strtosize().
 */
static
u_quad_t
strtolimit(char *str, char **endptr, int radix)
{
	int unlimited = strcasecmp(str, "infinity") == 0 ||
	    strcasecmp(str, "inf") == 0;

	if (!unlimited)
		return (strtosize(str, endptr, radix));
	/* The whole word was consumed. */
	if (endptr != NULL)
		*endptr = str + strlen(str);
	return ((u_quad_t)RLIM_INFINITY);
}
900 
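/*
 * Overflow-checked unsigned multiply.  Returns n1 * n2 when the product
 * fits in a u_quad_t; otherwise sets errno to ERANGE and returns
 * UQUAD_MAX.  errno is left untouched on success.
 *
 * The check is exact and needs no state: n1 * n2 exceeds UQUAD_MAX
 * exactly when n2 > UQUAD_MAX / n1 (integer division).  This replaces a
 * bit-counting scheme that cached the word width in a lazily initialised
 * static, which was shared, unsynchronised state.
 */
static u_quad_t
multiply(u_quad_t n1, u_quad_t n2)
{
	/* Zero never overflows; it also keeps the division below safe. */
	if (n1 == 0 || n2 == 0)
		return (0);

	if (n2 > UQUAD_MAX / n1) {
		errno = ERANGE;
		return (UQUAD_MAX);
	}
	return (n1 * n2);
}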
984 
/*
 * Decide whether "path" is trustworthy enough to read configuration from:
 * it must be a regular file (lstat, so a symlink is rejected), owned by
 * root and not writable by group or others.  Returns 0 when acceptable,
 * -1 otherwise (the reason is logged).  The verdict describes the
 * pathname at this moment; the caller opens the file afterwards.
 */
int
secure_path(char *path)
{
	struct stat sb;

	if (lstat(path, &sb) < 0) {
		syslog(LOG_ERR, "cannot stat %s: %m", path);
		return (-1);
	}
	if (!S_ISREG(sb.st_mode)) {
		syslog(LOG_ERR, "%s: not a regular file", path);
		return (-1);
	}
	if (sb.st_uid != 0) {
		syslog(LOG_ERR, "%s: not owned by root", path);
		return (-1);
	}
	if (sb.st_mode & (S_IWGRP | S_IWOTH)) {
		syslog(LOG_ERR, "%s: writable by non-root", path);
		return (-1);
	}
	return (0);
}
1009 
1010 /*
1011  * Check whether or not a tilde in a string should be expanded.
1012  * We only do expansion for things like "~", "~/...", ~me", "~me/...".
1013  * Additionally, for paths the tilde must be a the beginning.
1014  */
1015 #define tilde_valid(s, b, u, l, ip) \
1016     ((!(ip) || (s) == (b) || (s)[-1] == ':') && \
1017     ((s)[1] == '/' || (s)[1] == '\0' || \
1018     (strncmp((s)+1, u, l) == 0 && ((s)[l+1] == '/' || (s)[l+1] == '\0'))))
1019 
1020 /*
1021  * Make a copy of a string, expanding '~' to the user's homedir, '$' to the
1022  * login name and other escape sequences as per cgetstr(3).
1023  */
1024 static char *
expandstr(const char * ostr,const struct passwd * pwd,int ispath)1025 expandstr(const char *ostr, const struct passwd *pwd, int ispath)
1026 {
1027 	size_t n, olen, nlen, ulen, dlen;
1028 	const char *ep, *eo, *op;
1029 	char *nstr, *np;
1030 	int ch;
1031 
1032 	if (pwd != NULL) {
1033 		ulen = strlen(pwd->pw_name);
1034 		dlen = strlen(pwd->pw_dir);
1035 	}
1036 
1037 	/* calculate the size of the new string */
1038 	olen = nlen = strlen(ostr);
1039 	for (op = ostr, ep = ostr + olen; op < ep; op++) {
1040 		switch (*op) {
1041 		case '~':
1042 			if (pwd == NULL ||
1043 			    !tilde_valid(op, ostr, pwd->pw_name, ulen, ispath))
1044 				break;
1045 			if (op[1] != '/' && op[1] != '\0') {
1046 				op += ulen;	/* ~username */
1047 				nlen = nlen - ulen - 1 + dlen;
1048 			} else
1049 				nlen += dlen - 1;
1050 			break;
1051 		case '$':
1052 			if (pwd != NULL)
1053 				nlen += ulen - 1;
1054 			break;
1055 		case '^':
1056 			/* control char */
1057 			if (*++op != '\0')
1058 				nlen--;
1059 			break;
1060 		case '\\':
1061 			if (op[1] == '\0')
1062 				break;
1063 			/*
1064 			 * Byte in octal notation (\123) or an escaped char (\t)
1065 			 */
1066 			eo = op + 4;
1067 			do {
1068 				op++;
1069 				nlen--;
1070 			} while (op < eo && *op >= '0' && *op <= '7');
1071 			break;
1072 		}
1073 	}
1074 	if ((np = nstr = malloc(++nlen)) == NULL)
1075 		return (NULL);
1076 
1077 	for (op = ostr, ep = ostr + olen; op < ep; op++) {
1078 		switch ((ch = *op)) {
1079 		case '~':
1080 			if (pwd == NULL ||
1081 			    !tilde_valid(op, ostr, pwd->pw_name, ulen, ispath))
1082 				break;
1083 			if (op[1] != '/' && op[1] != '\0')
1084 				op += ulen;	/* ~username */
1085 			strlcpy(np, pwd->pw_dir, nlen);
1086 			nlen -= dlen;
1087 			np += dlen;
1088 			continue;
1089 		case '$':
1090 			if (pwd == NULL)
1091 				break;
1092 			strlcpy(np, pwd->pw_name, nlen);
1093 			nlen -= ulen;
1094 			np += ulen;
1095 			continue;
1096 		case '^':
1097 			if (op[1] != '\0')
1098 				ch = *++op & 037;
1099 			break;
1100 		case '\\':
1101 			if (op[1] == '\0')
1102 				break;
1103 			switch(*++op) {
1104 			case '0': case '1': case '2': case '3':
1105 			case '4': case '5': case '6': case '7':
1106 				/* byte in octal up to 3 digits long */
1107 				ch = 0;
1108 				n = 3;
1109 				do {
1110 					ch = ch * 8 + (*op++ - '0');
1111 				} while (--n && *op >= '0' && *op <= '7');
1112 				break;
1113 			case 'b': case 'B':
1114 				ch = '\b';
1115 				break;
1116 			case 't': case 'T':
1117 				ch = '\t';
1118 				break;
1119 			case 'n': case 'N':
1120 				ch = '\n';
1121 				break;
1122 			case 'f': case 'F':
1123 				ch = '\f';
1124 				break;
1125 			case 'r': case 'R':
1126 				ch = '\r';
1127 				break;
1128 			case 'e': case 'E':
1129 				ch = '\033';
1130 				break;
1131 			case 'c': case 'C':
1132 				ch = ':';
1133 				break;
1134 			default:
1135 				ch = *op;
1136 				break;
1137 			}
1138 			break;
1139 		}
1140 		*np++ = ch;
1141 		nlen--;
1142 	}
1143 	*np = '\0';
1144 	return (nstr);
1145 }
1146