author | Tanguy Pruvot <tanguy.pruvot@gmail.com> | 2014-08-01 03:36:56 (GMT) |
---|---|---|
committer | Tanguy Pruvot <tanguy.pruvot@gmail.com> | 2014-08-06 11:40:07 (GMT) |
commit | d8482dbecc75c8a94bd15a02fa8844cfea91e6d2 (patch) | |
tree | efe2bfd8ce14e518c567f06a371fb164de13abb8 | |
parent | 9d673761c2dec82482fa5c43ce17aa1f367f250f (diff) | |
download | busybox-d8482dbecc75c8a94bd15a02fa8844cfea91e6d2.zip busybox-d8482dbecc75c8a94bd15a02fa8844cfea91e6d2.tar.gz busybox-d8482dbecc75c8a94bd15a02fa8844cfea91e6d2.tar.bz2 |
Bionic changes for tty related applets
Tested (but applets not included/enabled)
getty, login, su, passwd, mkpasswd, cryptpw
Sample /etc/passwd required before 'passwd' :
root:x:0:0:root:/:/system/xbin/bash
busybox su allow to change current user, if you are root
Example: "busybox su shell -c /system/xbin/bash"
busybox login allow also to do that :
Example: "busybox login shell"
getpwnam() returns now an empty string in passwd member
instead of null, busybox often check directly pw->pw_passwd[0]
Update also selinux related stubs after tests on x86 4.4.2,
l-preview and aosp/master
If you want to include these applets, here is the required
source list to add in busybox-full.sources :
libbb/correct_password.c libbb/pw_encrypt.c libbb/update_passwd.c
loginutils/getty.c loginutils/login.c loginutils/su.c
loginutils/passwd.c loginutils/chpasswd.c loginutils/cryptpw.c
And the config flags to add :
CONFIG_GETTY=y
CONFIG_LOGIN=y
CONFIG_FEATURE_NOLOGIN=y
CONFIG_PASSWD=y
CONFIG_CRYPTPW=y
CONFIG_CHPASSWD=y
CONFIG_SU=y
CONFIG_FEATURE_SU_CHECKS_SHELLS=y
Signed-off-by: Tanguy Pruvot <tanguy.pruvot@gmail.com>
Change-Id: I96ee64f0872856fad6b3ff299faafad6451da556
-rw-r--r-- | android/selinux/android_selinux.h | 9 | ||||
-rw-r--r-- | android/selinux/stubs.c | 23 | ||||
-rw-r--r-- | busybox-full.config | 4 | ||||
-rw-r--r-- | busybox-full.sources | 2 | ||||
-rw-r--r-- | include/libbb.h | 2 | ||||
-rw-r--r-- | libbb/bb_pwd.c | 27 | ||||
-rw-r--r-- | loginutils/getty.c | 11 | ||||
-rw-r--r-- | loginutils/login.c | 7 | ||||
-rw-r--r-- | loginutils/sulogin.c | 2 | ||||
-rw-r--r-- | miscutils/crond.c | 2 | ||||
-rw-r--r-- | networking/telnetd.c | 2 |
11 files changed, 70 insertions, 21 deletions
diff --git a/android/selinux/android_selinux.h b/android/selinux/android_selinux.h index c39d87a..8a0cfb0 100644 --- a/android/selinux/android_selinux.h +++ b/android/selinux/android_selinux.h @@ -103,6 +103,15 @@ extern int selinux_file_context_verify(const char *path, mode_t mode); extern int get_default_context(const char* user, const char* fromcon, char ** newcon); +/* Check a permission in the passwd class. + Return 0 if granted or -1 otherwise. */ +#define PASSWD__PASSWD 0x001UL +#define PASSWD__CHFN 0x002UL +#define PASSWD__CHSH 0x004UL +#define PASSWD__ROOTOK 0x008UL +#define PASSWD__CRONTAB 0x010UL +extern int selinux_check_passwd_access(access_vector_t requested); + #define lgetfilecon_raw(path, context) \ lgetfilecon(path, context) diff --git a/android/selinux/stubs.c b/android/selinux/stubs.c index c3f442d..7bcbc95 100644 --- a/android/selinux/stubs.c +++ b/android/selinux/stubs.c @@ -1,9 +1,9 @@ -#include <stdio.h> -#include <stdlib.h> +#include <libbb.h> #include <selinux/selinux.h> /* create a new context with user name (may be unsafe) */ -int get_default_context(const char* user, const char* fromcon, +int get_default_context(const char* user, + const char* fromcon UNUSED_PARAM, char ** newcon) { char fmt[] = "u:r:%s:s0\0"; @@ -19,9 +19,18 @@ int get_default_context(const char* user, const char* fromcon, /* Compute a relabeling decision and set *newcon to refer to it. Caller must free via freecon. Stub not implemented in bionic, but declared in selinux.h */ -int security_compute_relabel(const char *scon, const char *tcon, - security_class_t tclass, +#if defined(BIONIC_L) || !defined(__i386__) +int security_compute_relabel(const char *scon UNUSED_PARAM, + const char *tcon, + security_class_t tclass UNUSED_PARAM, char ** newcon) +#else +/* this was changed after 4.4.2 */ +int security_compute_relabel(const security_context_t scon UNUSED_PARAM, + const security_context_t tcon, + security_class_t tclass UNUSED_PARAM, + security_context_t *newcon) +#endif { if (tcon) *newcon = strdup(tcon); @@ -32,7 +41,7 @@ int security_compute_relabel(const char *scon, const char *tcon, /* Check a permission in the passwd class. Return 0 if granted or -1 otherwise. */ -int selinux_check_passwd_access(access_vector_t requested) +int selinux_check_passwd_access(access_vector_t requested UNUSED_PARAM) { return 0; -}
\ No newline at end of file +} diff --git a/busybox-full.config b/busybox-full.config index bbf6857..27221c6 100644 --- a/busybox-full.config +++ b/busybox-full.config @@ -1,7 +1,7 @@ # # Automatically generated make config: don't edit # Busybox version: 1.22.1 -# Fri Aug 1 16:21:29 2014 +# Wed Aug 6 13:27:12 2014 # CONFIG_HAVE_DOT_CONFIG=y @@ -452,7 +452,7 @@ CONFIG_FEATURE_MESG_ENABLE_ONLY_GROUP=y # CONFIG_USE_BB_PWD_GRP is not set # CONFIG_USE_BB_SHADOW is not set CONFIG_USE_BB_CRYPT=y -# CONFIG_USE_BB_CRYPT_SHA is not set +CONFIG_USE_BB_CRYPT_SHA=y # CONFIG_ADDUSER is not set # CONFIG_FEATURE_ADDUSER_LONG_OPTIONS is not set # CONFIG_FEATURE_CHECK_NAMES is not set diff --git a/busybox-full.sources b/busybox-full.sources index 773e1fe..b65472c 100644 --- a/busybox-full.sources +++ b/busybox-full.sources @@ -45,7 +45,7 @@ libbb/time.c libbb/trim.c libbb/u_signal_names.c libbb/udp_io.c libbb/unicode.c libbb/vdprintf.c libbb/verror_msg.c libbb/vfork_daemon_rexec.c libbb/warn_ignoring_args.c libbb/wfopen.c libbb/wfopen_input.c libbb/write.c libbb/xatonum.c libbb/xconnect.c libbb/xfunc_die.c libbb/xfuncs.c libbb/xfuncs_printf.c libbb/xgetcwd.c libbb/xgethostbyname.c libbb/xreadlink.c libbb/xrealloc_vector.c libbb/xregcomp.c -libbb/endofname.c libbb/in_ether.c +libbb/endofname.c libbb/in_ether.c libbb/nuke_str.c libpwdgrp/uidgid_get.c diff --git a/include/libbb.h b/include/libbb.h index 08d2f19..3730474 100644 --- a/include/libbb.h +++ b/include/libbb.h @@ -903,6 +903,8 @@ int get_uidgid(struct bb_uidgid_t*, const char*, int numeric_ok) FAST_FUNC; void xget_uidgid(struct bb_uidgid_t*, const char*) FAST_FUNC; /* chown-like handling of "user[:[group]" */ void parse_chown_usergroup_or_die(struct bb_uidgid_t *u, char *user_group) FAST_FUNC; +struct passwd* safegetpwnam(const char *name) FAST_FUNC; +struct passwd* safegetpwuid(uid_t uid) FAST_FUNC; struct passwd* xgetpwnam(const char *name) FAST_FUNC; struct group* xgetgrnam(const char *name) FAST_FUNC; struct passwd* xgetpwuid(uid_t uid) FAST_FUNC; diff --git a/libbb/bb_pwd.c b/libbb/bb_pwd.c index 8250cd4..d5e651c 100644 --- a/libbb/bb_pwd.c +++ b/libbb/bb_pwd.c @@ -15,9 +15,31 @@ * pointers to static data (getpwuid) */ -struct passwd* FAST_FUNC xgetpwnam(const char *name) +struct passwd* FAST_FUNC safegetpwnam(const char *name) { struct passwd *pw = getpwnam(name); +#ifdef __BIONIC__ + if (pw && !pw->pw_passwd) { + pw->pw_passwd = ""; + } +#endif + return pw; +} + +struct passwd* FAST_FUNC safegetpwuid(uid_t uid) +{ + struct passwd *pw = getpwuid(uid); +#ifdef __BIONIC__ + if (pw && !pw->pw_passwd) { + pw->pw_passwd = ""; + } +#endif + return pw; +} + +struct passwd* FAST_FUNC xgetpwnam(const char *name) +{ + struct passwd *pw = safegetpwnam(name); if (!pw) bb_error_msg_and_die("unknown user %s", name); return pw; @@ -31,10 +53,9 @@ struct group* FAST_FUNC xgetgrnam(const char *name) return gr; } - struct passwd* FAST_FUNC xgetpwuid(uid_t uid) { - struct passwd *pw = getpwuid(uid); + struct passwd *pw = safegetpwuid(uid); if (!pw) bb_error_msg_and_die("unknown uid %u", (unsigned)uid); return pw; diff --git a/loginutils/getty.c b/loginutils/getty.c index 0f060ae..6fd4ff2 100644 --- a/loginutils/getty.c +++ b/loginutils/getty.c @@ -54,7 +54,12 @@ static FILE *dbf; * and for line editing at the same time. */ #undef _PATH_LOGIN +#ifdef __BIONIC__ +#define cfsetspeed(t,s) cfsetispeed(t,s) +#define _PATH_LOGIN "/system/xbin/login" +#else #define _PATH_LOGIN "/bin/login" +#endif /* Displayed before the login prompt. * If ISSUE is not defined, getty will never display the contents of the @@ -94,7 +99,7 @@ struct globals { //usage:#define getty_trivial_usage //usage: "[OPTIONS] BAUD_RATE[,BAUD_RATE]... TTY [TERMTYPE]" //usage:#define getty_full_usage "\n\n" -//usage: "Open TTY, prompt for login name, then invoke /bin/login\n" +//usage: "Open TTY, prompt for login name, then invoke /system/xbin/login\n" //usage: "\n -h Enable hardware RTS/CTS flow control" //usage: "\n -L Set CLOCAL (ignore Carrier Detect state)" //usage: "\n -m Get baud rate from modem's CONNECT status message" @@ -102,7 +107,7 @@ struct globals { //usage: "\n -w Wait for CR or LF before sending /etc/issue" //usage: "\n -i Don't display /etc/issue" //usage: "\n -f ISSUE_FILE Display ISSUE_FILE instead of /etc/issue" -//usage: "\n -l LOGIN Invoke LOGIN instead of /bin/login" +//usage: "\n -l LOGIN Invoke LOGIN instead of /system/xbin/login" //usage: "\n -t SEC Terminate after SEC if no login name is read" //usage: "\n -I INITSTR Send INITSTR before anything else" //usage: "\n -H HOST Log HOST into the utmp file as the hostname" @@ -499,7 +504,7 @@ static char *get_logname(void) default: if ((unsigned char)c < ' ') { /* ignore garbage characters */ - } else if ((int)(bp - G.line_buf) < sizeof(G.line_buf) - 1) { + } else if ((int)(bp - G.line_buf) < (int)sizeof(G.line_buf) - 1) { /* echo and store the character */ full_write(STDOUT_FILENO, &c, 1); *bp++ = c; diff --git a/loginutils/login.c b/loginutils/login.c index a4b19cc..862104c 100644 --- a/loginutils/login.c +++ b/loginutils/login.c @@ -17,9 +17,11 @@ #if ENABLE_SELINUX # include <selinux/selinux.h> /* for is_selinux_enabled() */ +#ifndef __BIONIC__ # include <selinux/get_context_list.h> /* for get_default_context() */ # include <selinux/flask.h> /* for security class definitions */ #endif +#endif #if ENABLE_PAM /* PAM may include <locale.h>. We may need to undefine bbox's stub define: */ @@ -118,7 +120,8 @@ static void initselinux(char *username, char *full_tty, bb_perror_msg_and_die("security_change_sid(%s) failed", full_tty); } if (setfilecon(full_tty, new_tty_sid) != 0) { - bb_perror_msg_and_die("chsid(%s, %s) failed", full_tty, new_tty_sid); + if (strcmp(old_tty_sid, new_tty_sid)) + bb_perror_msg_and_die("chsid(%s, %s) failed", full_tty, new_tty_sid); } } #endif @@ -397,7 +400,7 @@ int login_main(int argc UNUSED_PARAM, char **argv) pam_strerror(pamh, pamret), pamret); safe_strncpy(username, "UNKNOWN", sizeof(username)); #else /* not PAM */ - pw = getpwnam(username); + pw = safegetpwnam(username); if (!pw) { strcpy(username, "UNKNOWN"); goto fake_it; diff --git a/loginutils/sulogin.c b/loginutils/sulogin.c index 2a29099..c8e5fc9 100644 --- a/loginutils/sulogin.c +++ b/loginutils/sulogin.c @@ -45,7 +45,7 @@ int sulogin_main(int argc UNUSED_PARAM, char **argv) /* Clear dangerous stuff, set PATH */ sanitize_env_if_suid(); - pwd = getpwuid(0); + pwd = safegetpwuid(0); if (!pwd) { goto auth_error; } diff --git a/miscutils/crond.c b/miscutils/crond.c index 12f217d..2545618 100644 --- a/miscutils/crond.c +++ b/miscutils/crond.c @@ -697,7 +697,7 @@ static void start_one_job(const char *user, CronLine *line) struct passwd *pas; pid_t pid; - pas = getpwnam(user); + pas = safegetpwnam(user); if (!pas) { crondlog(WARN9 "can't get uid for %s", user); goto err; diff --git a/networking/telnetd.c b/networking/telnetd.c index 1f244a3..d00d87d 100644 --- a/networking/telnetd.c +++ b/networking/telnetd.c @@ -84,7 +84,7 @@ struct globals { } FIX_ALIASING; #define G (*(struct globals*)&bb_common_bufsiz1) #define INIT_G() do { \ - G.loginpath = "/bin/login"; \ + G.loginpath = "/system/xbin/login"; \ G.issuefile = "/etc/issue.net"; \ } while (0) |