1303 files changed, 32187 insertions, 57138 deletions
diff --git a/loginutils/login.c b/loginutils/login.c index 862104c..03ddadb 100644 --- a/loginutils/login.c +++ b/loginutils/login.c @@ -2,16 +2,67 @@ /* * Licensed under GPLv2 or later, see file LICENSE in this source tree. */ +//config:config LOGIN +//config: bool "login" +//config: default y +//config: select FEATURE_SYSLOG +//config: help +//config: login is used when signing onto a system. +//config: +//config: Note that Busybox binary must be setuid root for this applet to +//config: work properly. +//config: +//config:config LOGIN_SESSION_AS_CHILD +//config: bool "Run logged in session in a child process" +//config: default y if PAM +//config: depends on LOGIN +//config: help +//config: Run the logged in session in a child process. This allows +//config: login to clean up things such as utmp entries or PAM sessions +//config: when the login session is complete. If you use PAM, you +//config: almost always would want this to be set to Y, else PAM session +//config: will not be cleaned up. +//config: +//config:config LOGIN_SCRIPTS +//config: bool "Support for login scripts" +//config: depends on LOGIN +//config: default y +//config: help +//config: Enable this if you want login to execute $LOGIN_PRE_SUID_SCRIPT +//config: just prior to switching from root to logged-in user. +//config: +//config:config FEATURE_NOLOGIN +//config: bool "Support for /etc/nologin" +//config: default y +//config: depends on LOGIN +//config: help +//config: The file /etc/nologin is used by (some versions of) login(1). +//config: If it exists, non-root logins are prohibited. +//config: +//config:config FEATURE_SECURETTY +//config: bool "Support for /etc/securetty" +//config: default y +//config: depends on LOGIN +//config: help +//config: The file /etc/securetty is used by (some versions of) login(1). +//config: The file contains the device names of tty lines (one per line, +//config: without leading /dev/) on which root is allowed to login. + +//applet:/* Needs to be run by root or be suid root - needs to change uid and gid: */ +//applet:IF_LOGIN(APPLET(login, BB_DIR_BIN, BB_SUID_REQUIRE)) + +//kbuild:lib-$(CONFIG_LOGIN) += login.o //usage:#define login_trivial_usage //usage: "[-p] [-h HOST] [[-f] USER]" //usage:#define login_full_usage "\n\n" //usage: "Begin a new session on the system\n" //usage: "\n -f Don't authenticate (user already authenticated)" -//usage: "\n -h Name of the remote host" +//usage: "\n -h HOST Host user came from (for network logins)" //usage: "\n -p Preserve environment" #include "libbb.h" +#include "common_bufsiz.h" #include <syslog.h> #include <sys/resource.h> @@ -19,7 +70,9 @@ # include <selinux/selinux.h> /* for is_selinux_enabled() */ #ifndef __BIONIC__ # include <selinux/get_context_list.h> /* for get_default_context() */ -# include <selinux/flask.h> /* for security class definitions */ +# /* from deprecated <selinux/flask.h>: */ +# undef SECCLASS_CHR_FILE +# define SECCLASS_CHR_FILE 10 #endif #endif @@ -30,6 +83,49 @@ * Apparently they like to confuse people. */ # include <security/pam_appl.h> # include <security/pam_misc.h> + +# if 0 +/* This supposedly can be used to avoid double password prompt, + * if used instead of standard misc_conv(): + * + * "When we want to authenticate first with local method and then with tacacs for example, + * the password is asked for local method and if not good is asked a second time for tacacs. + * So if we want to authenticate a user with tacacs, and the user exists localy, the password is + * asked two times before authentication is accepted." + * + * However, code looks shaky. For example, why misc_conv() return value is ignored? + * Are msg[i] and resp[i] indexes handled correctly? + */ +static char *passwd = NULL; +static int my_conv(int num_msg, const struct pam_message **msg, + struct pam_response **resp, void *data) +{ + int i; + for (i = 0; i < num_msg; i++) { + switch (msg[i]->msg_style) { + case PAM_PROMPT_ECHO_OFF: + if (passwd == NULL) { + misc_conv(num_msg, msg, resp, data); + passwd = xstrdup(resp[i]->resp); + return PAM_SUCCESS; + } + + resp[0] = xzalloc(sizeof(struct pam_response)); + resp[0]->resp = passwd; + passwd = NULL; + resp[0]->resp_retcode = PAM_SUCCESS; + resp[1] = NULL; + return PAM_SUCCESS; + + default: + break; + } + } + + return PAM_SUCCESS; +} +# endif + static const struct pam_conv conv = { misc_conv, NULL @@ -47,8 +143,8 @@ enum { struct globals { struct termios tty_attrs; } FIX_ALIASING; -#define G (*(struct globals*)&bb_common_bufsiz1) -#define INIT_G() do { } while (0) +#define G (*(struct globals*)bb_common_bufsiz1) +#define INIT_G() do { setup_common_bufsiz(); } while (0) #if ENABLE_FEATURE_NOLOGIN @@ -457,7 +553,7 @@ int login_main(int argc UNUSED_PARAM, char **argv) else { if (safe_waitpid(child_pid, NULL, 0) == -1) bb_perror_msg("waitpid"); - update_utmp(child_pid, DEAD_PROCESS, NULL, NULL, NULL); + update_utmp_DEAD_PROCESS(child_pid); } IF_PAM(login_pam_end(pamh);) return 0; @@ -492,7 +588,8 @@ int login_main(int argc UNUSED_PARAM, char **argv) } #endif - motd(); + if (access(".hushlogin", F_OK) != 0) + motd(); if (pw->pw_uid == 0) syslog(LOG_INFO, "root login%s", fromhost); @@ -526,7 +623,7 @@ int login_main(int argc UNUSED_PARAM, char **argv) signal(SIGINT, SIG_DFL); /* Exec login shell with no additional parameters */ - run_shell(pw->pw_shell, 1, NULL, NULL); + run_shell(pw->pw_shell, 1, NULL); /* return EXIT_FAILURE; - not reached */ } |