1 /*        $NetBSD: su_pam.c,v 1.24 2023/03/24 16:58:24 kre Exp $      */
2 
3 /*
4  * Copyright (c) 1988 The Regents of the University of California.
5  * All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  * 2. Redistributions in binary form must reproduce the above copyright
13  *    notice, this list of conditions and the following disclaimer in the
14  *    documentation and/or other materials provided with the distribution.
15  * 3. Neither the name of the University nor the names of its contributors
16  *    may be used to endorse or promote products derived from this software
17  *    without specific prior written permission.
18  *
19  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
20  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
23  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29  * SUCH DAMAGE.
30  */
31 
32 #include <sys/cdefs.h>
33 #ifndef lint
34 __COPYRIGHT("@(#) Copyright (c) 1988\
35  The Regents of the University of California.  All rights reserved.");
36 #endif /* not lint */
37 
38 #ifndef lint
39 #if 0
40 static char sccsid[] = "@(#)su.c        8.3 (Berkeley) 4/2/94";*/
41 #else
42 __RCSID("$NetBSD: su_pam.c,v 1.24 2023/03/24 16:58:24 kre Exp $");
43 #endif
44 #endif /* not lint */
45 
46 #include <sys/param.h>
47 #include <sys/time.h>
48 #include <sys/resource.h>
49 #include <sys/wait.h>
50 #include <err.h>
51 #include <errno.h>
52 #include <grp.h>
53 #include <paths.h>
54 #include <pwd.h>
55 #include <signal.h>
56 #include <stdio.h>
57 #include <stdlib.h>
58 #include <string.h>
59 #include <syslog.h>
60 #include <time.h>
61 #include <tzfile.h>
62 #include <unistd.h>
63 #include <util.h>
64 #include <login_cap.h>
65 
66 #include <security/pam_appl.h>
67 #include <security/openpam.h>   /* for openpam_ttyconv() */
68 
69 #ifdef ALLOW_GROUP_CHANGE
70 #include "grutil.h"
71 #endif
72 #include "suutil.h"
73 
74 static const struct pam_conv pamc = { &openpam_ttyconv, NULL };
75 
76 #define   ARGSTRX   "-dflm"
77 
78 #ifdef LOGIN_CAP
79 #define ARGSTR      ARGSTRX "c:"
80 #else
81 #define ARGSTR ARGSTRX
82 #endif
83 
84 static void logit(const char *, ...) __printflike(1, 2);
85 
86 static const char *
safe_pam_strerror(pam_handle_t * pamh,int pam_err)87 safe_pam_strerror(pam_handle_t *pamh, int pam_err) {
88           const char *msg;
89 
90           if ((msg = pam_strerror(pamh, pam_err)) != NULL)
91                     return msg;
92 
93           static char buf[1024];
94           snprintf(buf, sizeof(buf), "Unknown pam error %d", pam_err);
95           return buf;
96 }
97 
98 int
main(int argc,char ** argv)99 main(int argc, char **argv)
100 {
101           extern char **environ;
102           struct passwd *pwd, pwres;
103           char *p;
104           uid_t ruid;
105           int asme, ch, asthem, fastlogin, prio, gohome;
106           u_int setwhat;
107           enum { UNSET, YES, NO } iscsh = UNSET;
108           const char *user, *shell, *avshell;
109           char *username, *class;
110           char **np;
111           char shellbuf[MAXPATHLEN], avshellbuf[MAXPATHLEN];
112           int pam_err;
113           char hostname[MAXHOSTNAMELEN];
114           char *tty;
115           const char *func;
116           const void *newuser;
117           login_cap_t *lc;
118           pam_handle_t *pamh = NULL;
119           char pwbuf[1024];
120 #ifdef PAM_DEBUG
121           extern int _openpam_debug;
122 
123           _openpam_debug = 1;
124 #endif
125 #ifdef ALLOW_GROUP_CHANGE
126           char *gname;
127 #endif
128 
129           (void)setprogname(argv[0]);
130           asme = asthem = fastlogin = 0;
131           gohome = 1;
132           shell = class = NULL;
133           while ((ch = getopt(argc, argv, ARGSTR)) != -1)
134                     switch((char)ch) {
135                     case 'c':
136                               class = optarg;
137                               break;
138                     case 'd':
139                               asme = 0;
140                               asthem = 1;
141                               gohome = 0;
142                               break;
143                     case 'f':
144                               fastlogin = 1;
145                               break;
146                     case '-':
147                     case 'l':
148                               asme = 0;
149                               asthem = 1;
150                               break;
151                     case 'm':
152                               asme = 1;
153                               asthem = 0;
154                               break;
155                     case '?':
156                     default:
157                               (void)fprintf(stderr,
158 #ifdef ALLOW_GROUP_CHANGE
159                                   "Usage: %s [%s] [login[:group] [shell arguments]]\n",
160 #else
161                                   "Usage: %s [%s] [login [shell arguments]]\n",
162 #endif
163                                   getprogname(), ARGSTR);
164                               exit(EXIT_FAILURE);
165                     }
166           argv += optind;
167 
168           /* Lower the priority so su runs faster */
169           errno = 0;
170           prio = getpriority(PRIO_PROCESS, 0);
171           if (errno)
172                     prio = 0;
173           if (prio > -2)
174                     (void)setpriority(PRIO_PROCESS, 0, -2);
175           openlog("su", 0, LOG_AUTH);
176 
177           /* get current login name and shell */
178           ruid = getuid();
179           username = getlogin();
180           if (username == NULL ||
181               getpwnam_r(username, &pwres, pwbuf, sizeof(pwbuf), &pwd) != 0 ||
182               pwd == NULL || pwd->pw_uid != ruid) {
183                     if (getpwuid_r(ruid, &pwres, pwbuf, sizeof(pwbuf), &pwd) != 0)
184                               pwd = NULL;
185           }
186           if (pwd == NULL)
187                     errx(EXIT_FAILURE, "who are you?");
188           username = estrdup(pwd->pw_name);
189 
190           if (asme) {
191                     if (pwd->pw_shell && *pwd->pw_shell) {
192                               (void)estrlcpy(shellbuf, pwd->pw_shell, sizeof(shellbuf));
193                               shell = shellbuf;
194                     } else {
195                               shell = _PATH_BSHELL;
196                               iscsh = NO;
197                     }
198           }
199           /* get target login information, default to root */
200           user = *argv ? *argv : "root";
201           np = *argv ? argv : argv - 1;
202 
203 #ifdef ALLOW_GROUP_CHANGE
204           if ((p = strchr(user, ':')) != NULL) {
205                     *p = '\0';
206                     gname = ++p;
207                     if (*gname == '\0')
208                               errx(EXIT_FAILURE, "missing 'group' after ':'");
209           } else
210                     gname = NULL;
211 
212 #ifdef ALLOW_EMPTY_USER
213           if (user[0] == '\0')
214                     user = username;
215 #endif
216 #endif
217           if (getpwnam_r(user, &pwres, pwbuf, sizeof(pwbuf), &pwd) != 0 ||
218               pwd == NULL)
219                     errx(EXIT_FAILURE, "unknown login %s", user);
220 
221           /*
222            * PAM initialization
223            */
224 #define PAM_END(msg) do { func = msg; goto done;} /* NOTREACHED */ while (0)
225 
226           if ((pam_err = pam_start("su", user, &pamc, &pamh)) != PAM_SUCCESS) {
227                     if (pamh != NULL)
228                               PAM_END("pam_start");
229                     /* Things went really bad... */
230                     syslog(LOG_ERR, "pam_start failed: %s",
231                         safe_pam_strerror(pamh, pam_err));
232                     errx(EXIT_FAILURE, "pam_start failed");
233           }
234 
235 #define PAM_END_ITEM(item)    PAM_END("pam_set_item(" # item ")")
236 #define PAM_SET_ITEM(item, var)                                                     \
237           if ((pam_err = pam_set_item(pamh, (item), (var))) != PAM_SUCCESS)   \
238                     PAM_END_ITEM(item)
239 
240           /*
241            * Fill hostname, username and tty
242            */
243           PAM_SET_ITEM(PAM_RUSER, username);
244           if (gethostname(hostname, sizeof(hostname)) != -1)
245                     PAM_SET_ITEM(PAM_RHOST, hostname);
246 
247           if ((tty = ttyname(STDERR_FILENO)) != NULL)
248                     PAM_SET_ITEM(PAM_TTY, tty);
249 
250           /*
251            * Authentication
252            */
253           if ((pam_err = pam_authenticate(pamh, 0)) != PAM_SUCCESS) {
254                     syslog(LOG_WARNING, "BAD SU %s to %s%s: %s",
255                         username, user, ontty(), safe_pam_strerror(pamh, pam_err));
256                     (void)pam_end(pamh, pam_err);
257                     errx(EXIT_FAILURE, "Sorry: %s", safe_pam_strerror(NULL, pam_err));
258           }
259 
260           /*
261            * Authorization
262            */
263           switch(pam_err = pam_acct_mgmt(pamh, 0)) {
264           case PAM_NEW_AUTHTOK_REQD:
265                     pam_err = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
266                     if (pam_err != PAM_SUCCESS)
267                               PAM_END("pam_chauthok");
268                     break;
269           case PAM_SUCCESS:
270                     break;
271           default:
272                     PAM_END("pam_acct_mgmt");
273                     break;
274           }
275 
276           /*
277            * pam_authenticate might have changed the target user.
278            * refresh pwd and user
279            */
280           pam_err = pam_get_item(pamh, PAM_USER, &newuser);
281           if (pam_err != PAM_SUCCESS) {
282                     syslog(LOG_WARNING,
283                         "pam_get_item(PAM_USER): %s", safe_pam_strerror(pamh, pam_err));
284           } else {
285                     user = (char *)__UNCONST(newuser);
286                     if (getpwnam_r(user, &pwres, pwbuf, sizeof(pwbuf), &pwd) != 0 ||
287                         pwd == NULL) {
288                               (void)pam_end(pamh, pam_err);
289                               syslog(LOG_ERR, "unknown login: %s", username);
290                               errx(EXIT_FAILURE, "unknown login: %s", username);
291                     }
292           }
293 
294 #define ERRX_PAM_END(args) do {                             \
295           (void)pam_end(pamh, pam_err);           \
296           errx args;                                        \
297 } while (0)
298 
299 #define ERR_PAM_END(args) do {                              \
300           (void)pam_end(pamh, pam_err);           \
301           err args;                               \
302 } while (0)
303 
304           /* force the usage of specified class */
305           if (class) {
306                     if (ruid)
307                               ERRX_PAM_END((EXIT_FAILURE, "Only root may use -c"));
308 
309                     pwd->pw_class = class;
310           }
311 
312           if ((lc = login_getclass(pwd->pw_class)) == NULL)
313                     ERRX_PAM_END((EXIT_FAILURE,
314                         "Unknown class %s\n", pwd->pw_class));
315 
316           if (asme) {
317                     /* if asme and non-standard target shell, must be root */
318                     if (chshell(pwd->pw_shell) == 0 && ruid)
319                               ERRX_PAM_END((EXIT_FAILURE,
320                                   "permission denied (shell)."));
321           } else if (pwd->pw_shell && *pwd->pw_shell) {
322                     shell = pwd->pw_shell;
323                     iscsh = UNSET;
324           } else {
325                     shell = _PATH_BSHELL;
326                     iscsh = NO;
327           }
328 
329           if ((p = strrchr(shell, '/')) != NULL)
330                     avshell = p + 1;
331           else
332                     avshell = shell;
333 
334           /* if we're forking a csh, we want to slightly muck the args */
335           if (iscsh == UNSET)
336                     iscsh = strstr(avshell, "csh") ? YES : NO;
337 
338           /*
339            * Initialize the supplemental groups before pam gets to them,
340            * so that other pam modules get a chance to add more when
341            * we do setcred. Note, we don't relinquish our set-userid yet
342            */
343           /* if we aren't changing users, keep the current group members */
344           if (ruid != pwd->pw_uid &&
345               setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETGROUP) == -1)
346                     ERR_PAM_END((EXIT_FAILURE, "setting user context"));
347 
348 #ifdef ALLOW_GROUP_CHANGE
349           addgroup(lc, gname, pwd, ruid, "Group Password:");
350 #endif
351           if ((pam_err = pam_setcred(pamh, PAM_ESTABLISH_CRED)) != PAM_SUCCESS)
352                     PAM_END("pam_setcred");
353 
354           /*
355            * Manage session.
356            */
357           if (asthem) {
358                     pid_t pid, xpid;
359                     int status = 1;
360                     struct sigaction sa, sa_int, sa_pipe, sa_quit;
361                     int fds[2];
362 
363                     if ((pam_err = pam_open_session(pamh, 0)) != PAM_SUCCESS)
364                               PAM_END("pam_open_session");
365 
366                     /*
367                      * In order to call pam_close_session after the
368                      * command terminates, we need to fork.
369                      */
370                     sa.sa_flags = SA_RESTART;
371                     sa.sa_handler = SIG_IGN;
372                     (void)sigemptyset(&sa.sa_mask);
373                     (void)sigaction(SIGINT, &sa, &sa_int);
374                     (void)sigaction(SIGQUIT, &sa, &sa_quit);
375                     (void)sigaction(SIGPIPE, &sa, &sa_pipe);
376                     sa.sa_handler = SIG_DFL;
377                     (void)sigaction(SIGTSTP, &sa, NULL);
378                     /*
379                      * Use a pipe to guarantee the order of execution of
380                      * the parent and the child.
381                      */
382                     if (pipe(fds) == -1) {
383                               warn("pipe failed");
384                               goto out;
385                     }
386 
387                     switch (pid = fork()) {
388                     case -1:
389                               logit("fork failed (%s)", strerror(errno));
390                               goto out;
391 
392                     case 0:   /* Child */
393                               (void)close(fds[1]);
394                               (void)read(fds[0], &status, 1);
395                               (void)close(fds[0]);
396                               (void)sigaction(SIGINT, &sa_int, NULL);
397                               (void)sigaction(SIGQUIT, &sa_quit, NULL);
398                               (void)sigaction(SIGPIPE, &sa_pipe, NULL);
399                               break;
400 
401                     default:
402                               sa.sa_handler = SIG_IGN;
403                               (void)sigaction(SIGTTOU, &sa, NULL);
404                               (void)close(fds[0]);
405                               (void)setpgid(pid, pid);
406                               (void)tcsetpgrp(STDERR_FILENO, pid);
407                               (void)close(fds[1]);
408                               (void)sigaction(SIGPIPE, &sa_pipe, NULL);
409                               /*
410                                * Parent: wait for the child to terminate
411                                * and call pam_close_session.
412                                */
413                               while ((xpid = waitpid(pid, &status, WUNTRACED))
414                                   == pid) {
415                                         if (WIFSTOPPED(status)) {
416                                                   (void)kill(getpid(), SIGSTOP);
417                                                   (void)tcsetpgrp(STDERR_FILENO,
418                                                       getpgid(pid));
419                                                   (void)kill(pid, SIGCONT);
420                                                   status = 1;
421                                                   continue;
422                                         }
423                                         break;
424                               }
425 
426                               (void)tcsetpgrp(STDERR_FILENO, getpgid(0));
427 
428                               if (xpid == -1) {
429                                   logit("Error waiting for pid %d (%s)", pid,
430                                         strerror(errno));
431                               } else if (xpid != pid) {
432                                   /* Can't happen. */
433                                   logit("Wrong PID: %d != %d", pid, xpid);
434                               }
435 out:
436                               pam_err = pam_setcred(pamh, PAM_DELETE_CRED);
437                               if (pam_err != PAM_SUCCESS)
438                                         logit("pam_setcred: %s",
439                                             safe_pam_strerror(pamh, pam_err));
440                               pam_err = pam_close_session(pamh, 0);
441                               if (pam_err != PAM_SUCCESS)
442                                         logit("pam_close_session: %s",
443                                             safe_pam_strerror(pamh, pam_err));
444                               (void)pam_end(pamh, pam_err);
445                               exit(WEXITSTATUS(status));
446                               break;
447                     }
448           }
449 
450           /*
451            * The child: starting here, we don't have to care about
452            * handling PAM issues if we exit, the parent will do the
453            * job when we exit.
454            */
455 #undef PAM_END
456 #undef ERR_PAM_END
457 #undef ERRX_PAM_END
458 
459           if (!asme) {
460                     if (asthem) {
461                               char **pamenv;
462 
463                               p = getenv("TERM");
464                               /*
465                                * Create an empty environment
466                                */
467                               environ = emalloc(sizeof(char *));
468                               environ[0] = NULL;
469 
470                               /*
471                                * Add PAM environement, before the LOGIN_CAP stuff:
472                                * if the login class is unspecified, we'll get the
473                                * same data from PAM, if -c was used, the specified
474                                * class must override PAM.
475                                */
476                               if ((pamenv = pam_getenvlist(pamh)) != NULL) {
477                                         char **envitem;
478 
479                                         /*
480                                          * XXX Here FreeBSD filters out
481                                          * SHELL, LOGNAME, MAIL, CDPATH, IFS, PATH
482                                          * how could we get untrusted data here?
483                                          */
484                                         for (envitem = pamenv; *envitem; envitem++) {
485                                                   if (putenv(*envitem) == -1)
486                                                             free(*envitem);
487                                         }
488 
489                                         free(pamenv);
490                               }
491 
492                               if (setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETPATH |
493                                         LOGIN_SETENV | LOGIN_SETUMASK) == -1)
494                                         err(EXIT_FAILURE, "setting user context");
495                               if (p)
496                                         (void)setenv("TERM", p, 1);
497                     }
498 
499                     if (asthem || pwd->pw_uid) {
500                               (void)setenv("LOGNAME", pwd->pw_name, 1);
501                               (void)setenv("USER", pwd->pw_name, 1);
502                     }
503                     (void)setenv("HOME", pwd->pw_dir, 1);
504                     (void)setenv("SHELL", shell, 1);
505           }
506           (void)setenv("SU_FROM", username, 1);
507 
508           if (iscsh == YES) {
509                     if (fastlogin)
510                               *np-- = __UNCONST("-f");
511                     if (asme)
512                               *np-- = __UNCONST("-m");
513           } else {
514                     if (fastlogin)
515                               (void)unsetenv("ENV");
516           }
517 
518           if (asthem) {
519                     avshellbuf[0] = '-';
520                     (void)estrlcpy(avshellbuf + 1, avshell, sizeof(avshellbuf) - 1);
521                     avshell = avshellbuf;
522           } else if (iscsh == YES) {
523                     /* csh strips the first character... */
524                     avshellbuf[0] = '_';
525                     (void)estrlcpy(avshellbuf + 1, avshell, sizeof(avshellbuf) - 1);
526                     avshell = avshellbuf;
527           }
528           *np = __UNCONST(avshell);
529 
530           if (ruid != 0)
531                     syslog(LOG_NOTICE, "%s to %s%s",
532                         username, pwd->pw_name, ontty());
533 
534           /* Raise our priority back to what we had before */
535           (void)setpriority(PRIO_PROCESS, 0, prio);
536 
537           /*
538            * Set user context, except for umask, and the stuff
539            * we have done before.
540            */
541           setwhat = LOGIN_SETALL & ~(LOGIN_SETENV | LOGIN_SETUMASK |
542               LOGIN_SETLOGIN | LOGIN_SETPATH | LOGIN_SETGROUP);
543 
544           /*
545            * Don't touch resource/priority settings if -m has been used
546            * or -l and -c hasn't, and we're not su'ing to root.
547            */
548           if ((asme || (!asthem && class == NULL)) && pwd->pw_uid)
549                     setwhat &= ~(LOGIN_SETPRIORITY | LOGIN_SETRESOURCES);
550 
551           if (setusercontext(lc, pwd, pwd->pw_uid, setwhat) == -1)
552                     err(EXIT_FAILURE, "setusercontext");
553 
554           if (!asme) {
555                     if (asthem) {
556                               if (gohome && chdir(pwd->pw_dir) == -1)
557                                         errx(EXIT_FAILURE, "no directory");
558                     }
559           }
560 
561           (void)execv(shell, np);
562           err(EXIT_FAILURE, "%s", shell);
563 done:
564           logit("%s: %s", func, safe_pam_strerror(pamh, pam_err));
565           (void)pam_end(pamh, pam_err);
566           return EXIT_FAILURE;
567 }
568 
569 static void
logit(const char * fmt,...)570 logit(const char *fmt, ...)
571 {
572           va_list ap;
573 
574           va_start(ap, fmt);
575           vwarnx(fmt, ap);
576           va_end(ap);
577           va_start(ap, fmt);
578           vsyslog(LOG_ERR, fmt, ap);
579           va_end(ap);
580 }
581