platform/external/busybox.git - Unnamed repository; edit this file 'description' to name the repository.

1 /* vi: set sw=4 ts=4: */
2 /*
3  * Mini su implementation for busybox
4  *
5  * Licensed under GPLv2 or later, see file LICENSE in this source tree.
6  */
7 //config:config SU
8 //config:	bool "su"
9 //config:	default y
10 //config:	select FEATURE_SYSLOG
11 //config:	help
12 //config:	  su is used to become another user during a login session.
13 //config:	  Invoked without a username, su defaults to becoming the super user.
14 //config:
15 //config:	  Note that Busybox binary must be setuid root for this applet to
16 //config:	  work properly.
17 //config:
18 //config:config FEATURE_SU_SYSLOG
19 //config:	bool "Enable su to write to syslog"
20 //config:	default y
21 //config:	depends on SU
22 //config:
23 //config:config FEATURE_SU_CHECKS_SHELLS
24 //config:	bool "Enable su to check user's shell to be listed in /etc/shells"
25 //config:	depends on SU
26 //config:	default y
27
28 //applet:/* Needs to be run by root or be suid root - needs to change uid and gid: */
29 //applet:IF_SU(APPLET(su, BB_DIR_BIN, BB_SUID_REQUIRE))
30
31 //kbuild:lib-$(CONFIG_SU) += su.o
32
33 //usage:#define su_trivial_usage
34 //usage:       "[-lmp] [-] [-s SH] [USER [SCRIPT ARGS / -c 'CMD' ARG0 ARGS]]"
35 //usage:#define su_full_usage "\n\n"
36 //usage:       "Run shell under USER (by default, root)\n"
37 //usage:     "\n	-,-l	Clear environment, go to home dir, run shell as login shell"
38 //usage:     "\n	-p,-m	Do not set new $HOME, $SHELL, $USER, $LOGNAME"
39 //usage:     "\n	-c CMD	Command to pass to 'sh -c'"
40 //usage:     "\n	-s SH	Shell to use instead of user's default"
41
42 #include "libbb.h"
43 #include <syslog.h>
44
45 #if ENABLE_FEATURE_SU_CHECKS_SHELLS
46 /* Return 1 if SHELL is a restricted shell (one not returned by
47  * getusershell), else 0, meaning it is a standard shell.  */
48 static int restricted_shell(const char *shell)
49 {
50 	char *line;
51 	int result = 1;
52
53 	/*setusershell(); - getusershell does it itself*/
54 	while ((line = getusershell()) != NULL) {
55 		if (/* *line != '#' && */ strcmp(line, shell) == 0) {
56 			result = 0;
57 			break;
58 		}
59 	}
60 	if (ENABLE_FEATURE_CLEAN_UP)
61 		endusershell();
62 	return result;
63 }
64 #endif
65
66 #define SU_OPT_mp (3)
67 #define SU_OPT_l  (4)
68
69 int su_main(int argc, char **argv) MAIN_EXTERNALLY_VISIBLE;
70 int su_main(int argc UNUSED_PARAM, char **argv)
71 {
72 	unsigned flags;
73 	char *opt_shell = NULL;
74 	char *opt_command = NULL;
75 	const char *opt_username = "root";
76 	struct passwd *pw;
77 	uid_t cur_uid = getuid();
78 	const char *tty;
79 #if ENABLE_FEATURE_UTMP
80 	char user_buf[64];
81 #endif
82 	const char *old_user;
83
84 	/* Note: we don't use "'+': stop at first non-option" idiom here.
85 	 * For su, "SCRIPT ARGS" or "-c CMD ARGS" do not stop option parsing:
86 	 * ARGS starting with dash will be treated as su options,
87 	 * not passed to shell. (Tested on util-linux 2.28).
88 	 */
89 	flags = getopt32(argv, "mplc:s:", &opt_command, &opt_shell);
90 	argv += optind;
91
92 	if (argv[0] && LONE_DASH(argv[0])) {
93 		flags |= SU_OPT_l;
94 		argv++;
95 	}
96
97 	/* get user if specified */
98 	if (argv[0]) {
99 		opt_username = argv[0];
100 		argv++;
101 	}
102
103 	if (ENABLE_FEATURE_SU_SYSLOG) {
104 		/* The utmp entry (via getlogin) is probably the best way to
105 		 * identify the user, especially if someone su's from a su-shell.
106 		 * But getlogin can fail -- usually due to lack of utmp entry.
107 		 * in this case resort to getpwuid.  */
108 #if ENABLE_FEATURE_UTMP
109 		old_user = user_buf;
110 		if (getlogin_r(user_buf, sizeof(user_buf)) != 0)
111 #endif
112 		{
113 			pw = getpwuid(cur_uid);
114 			old_user = pw ? xstrdup(pw->pw_name) : "";
115 		}
116 		tty = xmalloc_ttyname(2);
117 		if (!tty) {
118 			tty = "none";
119 		}
120 		openlog(applet_name, 0, LOG_AUTH);
121 	}
122
123 	pw = xgetpwnam(opt_username);
124
125 	if (cur_uid == 0 || ask_and_check_password(pw) > 0) {
126 		if (ENABLE_FEATURE_SU_SYSLOG)
127 			syslog(LOG_NOTICE, "%c %s %s:%s",
128 				'+', tty, old_user, opt_username);
129 	} else {
130 		if (ENABLE_FEATURE_SU_SYSLOG)
131 			syslog(LOG_NOTICE, "%c %s %s:%s",
132 				'-', tty, old_user, opt_username);
133 		bb_do_delay(LOGIN_FAIL_DELAY);
134 		bb_error_msg_and_die("incorrect password");
135 	}
136
137 	if (ENABLE_FEATURE_CLEAN_UP && ENABLE_FEATURE_SU_SYSLOG) {
138 		closelog();
139 	}
140
141 	if (!opt_shell && (flags & SU_OPT_mp)) {
142 		/* -s SHELL is not given, but "preserve env" opt is */
143 		opt_shell = getenv("SHELL");
144 	}
145
146 #if ENABLE_FEATURE_SU_CHECKS_SHELLS
147 	if (opt_shell && cur_uid != 0 && pw->pw_shell && restricted_shell(pw->pw_shell)) {
148 		/* The user being su'd to has a nonstandard shell, and so is
149 		 * probably a uucp account or has restricted access.  Don't
150 		 * compromise the account by allowing access with a standard
151 		 * shell.  */
152 		bb_error_msg("using restricted shell");
153 		opt_shell = NULL; /* ignore -s PROG */
154 	}
155 	/* else: user can run whatever he wants via "su -s PROG USER".
156 	 * This is safe since PROG is run under user's uid/gid. */
157 #endif
158 	if (!opt_shell)
159 		opt_shell = pw->pw_shell;
160
161 	change_identity(pw);
162 	setup_environment(opt_shell,
163 			((flags & SU_OPT_l) / SU_OPT_l * SETUP_ENV_CLEARENV)
164 			+ (!(flags & SU_OPT_mp) * SETUP_ENV_CHANGEENV)
165 			+ (!(flags & SU_OPT_l) * SETUP_ENV_NO_CHDIR),
166 			pw);
167 	IF_SELINUX(set_current_security_context(NULL);)
168
169 	if (opt_command) {
170 		*--argv = opt_command;
171 		*--argv = (char*)"-c";
172 	}
173
174 	/* A nasty ioctl exists which can stuff data into input queue:
175 	 * #include <sys/ioctl.h>
176 	 * int main() {
177 	 *	const char *msg = "echo $UID\n";
178 	 *	while (*msg) ioctl(0, TIOCSTI, *msg++);
179 	 *	return 0;
180 	 * }
181 	 * With "su USER -c EXPLOIT" run by root, exploit can make root shell
182 	 * read as input and execute arbitrary command.
183 	 * It's debatable whether we need to protect against this
184 	 * (root may hesitate to run unknown scripts interactively).
185 	 *
186 	 * Some versions of su run -c CMD in a different session:
187 	 * ioctl(TIOCSTI) works only on the controlling tty.
188 	 */
189
190 	/* Never returns */
191 	run_shell(opt_shell, flags & SU_OPT_l, (const char**)argv);
192
193 	/* return EXIT_FAILURE; - not reached */
194 }
195
1	/* vi: set sw=4 ts=4: */
2	/*
3	* Mini su implementation for busybox
4	*
5	* Licensed under GPLv2 or later, see file LICENSE in this source tree.
6	*/
7	//config:config SU
8	//config: bool "su"
9	//config: default y
10	//config: select FEATURE_SYSLOG
11	//config: help
12	//config: su is used to become another user during a login session.
13	//config: Invoked without a username, su defaults to becoming the super user.
14	//config:
15	//config: Note that Busybox binary must be setuid root for this applet to
16	//config: work properly.
17	//config:
18	//config:config FEATURE_SU_SYSLOG
19	//config: bool "Enable su to write to syslog"
20	//config: default y
21	//config: depends on SU
22	//config:
23	//config:config FEATURE_SU_CHECKS_SHELLS
24	//config: bool "Enable su to check user's shell to be listed in /etc/shells"
25	//config: depends on SU
26	//config: default y
27
28	//applet:/* Needs to be run by root or be suid root - needs to change uid and gid: */
29	//applet:IF_SU(APPLET(su, BB_DIR_BIN, BB_SUID_REQUIRE))
30
31	//kbuild:lib-$(CONFIG_SU) += su.o
32
33	//usage:#define su_trivial_usage
34	//usage: "[-lmp] [-] [-s SH] [USER [SCRIPT ARGS / -c 'CMD' ARG0 ARGS]]"
35	//usage:#define su_full_usage "\n\n"
36	//usage: "Run shell under USER (by default, root)\n"
37	//usage: "\n -,-l Clear environment, go to home dir, run shell as login shell"
38	//usage: "\n -p,-m Do not set new $HOME, $SHELL, $USER, $LOGNAME"
39	//usage: "\n -c CMD Command to pass to 'sh -c'"
40	//usage: "\n -s SH Shell to use instead of user's default"
41
42	#include "libbb.h"
43	#include <syslog.h>
44
45	#if ENABLE_FEATURE_SU_CHECKS_SHELLS
46	/* Return 1 if SHELL is a restricted shell (one not returned by
47	* getusershell), else 0, meaning it is a standard shell. */
48	static int restricted_shell(const char *shell)
49	{
50	char *line;
51	int result = 1;
52
53	/setusershell(); - getusershell does it itself/
54	while ((line = getusershell()) != NULL) {
55	if (/* line != '#' && / strcmp(line, shell) == 0) {
56	result = 0;
57	break;
58	}
59	}
60	if (ENABLE_FEATURE_CLEAN_UP)
61	endusershell();
62	return result;
63	}
64	#endif
65
66	#define SU_OPT_mp (3)
67	#define SU_OPT_l (4)
68
69	int su_main(int argc, char **argv) MAIN_EXTERNALLY_VISIBLE;
70	int su_main(int argc UNUSED_PARAM, char **argv)
71	{
72	unsigned flags;
73	char *opt_shell = NULL;
74	char *opt_command = NULL;
75	const char *opt_username = "root";
76	struct passwd *pw;
77	uid_t cur_uid = getuid();
78	const char *tty;
79	#if ENABLE_FEATURE_UTMP
80	char user_buf[64];
81	#endif
82	const char *old_user;
83
84	/* Note: we don't use "'+': stop at first non-option" idiom here.
85	* For su, "SCRIPT ARGS" or "-c CMD ARGS" do not stop option parsing:
86	* ARGS starting with dash will be treated as su options,
87	* not passed to shell. (Tested on util-linux 2.28).
88	*/
89	flags = getopt32(argv, "mplc:s:", &opt_command, &opt_shell);
90	argv += optind;
91
92	if (argv[0] && LONE_DASH(argv[0])) {
93	flags \|= SU_OPT_l;
94	argv++;
95	}
96
97	/* get user if specified */
98	if (argv[0]) {
99	opt_username = argv[0];
100	argv++;
101	}
102
103	if (ENABLE_FEATURE_SU_SYSLOG) {
104	/* The utmp entry (via getlogin) is probably the best way to
105	* identify the user, especially if someone su's from a su-shell.
106	* But getlogin can fail -- usually due to lack of utmp entry.
107	* in this case resort to getpwuid. */
108	#if ENABLE_FEATURE_UTMP
109	old_user = user_buf;
110	if (getlogin_r(user_buf, sizeof(user_buf)) != 0)
111	#endif
112	{
113	pw = getpwuid(cur_uid);
114	old_user = pw ? xstrdup(pw->pw_name) : "";
115	}
116	tty = xmalloc_ttyname(2);
117	if (!tty) {
118	tty = "none";
119	}
120	openlog(applet_name, 0, LOG_AUTH);
121	}
122
123	pw = xgetpwnam(opt_username);
124
125	if (cur_uid == 0 \|\| ask_and_check_password(pw) > 0) {
126	if (ENABLE_FEATURE_SU_SYSLOG)
127	syslog(LOG_NOTICE, "%c %s %s:%s",
128	'+', tty, old_user, opt_username);
129	} else {
130	if (ENABLE_FEATURE_SU_SYSLOG)
131	syslog(LOG_NOTICE, "%c %s %s:%s",
132	'-', tty, old_user, opt_username);
133	bb_do_delay(LOGIN_FAIL_DELAY);
134	bb_error_msg_and_die("incorrect password");
135	}
136
137	if (ENABLE_FEATURE_CLEAN_UP && ENABLE_FEATURE_SU_SYSLOG) {
138	closelog();
139	}
140
141	if (!opt_shell && (flags & SU_OPT_mp)) {
142	/* -s SHELL is not given, but "preserve env" opt is */
143	opt_shell = getenv("SHELL");
144	}
145
146	#if ENABLE_FEATURE_SU_CHECKS_SHELLS
147	if (opt_shell && cur_uid != 0 && pw->pw_shell && restricted_shell(pw->pw_shell)) {
148	/* The user being su'd to has a nonstandard shell, and so is
149	* probably a uucp account or has restricted access. Don't
150	* compromise the account by allowing access with a standard
151	* shell. */
152	bb_error_msg("using restricted shell");
153	opt_shell = NULL; /* ignore -s PROG */
154	}
155	/* else: user can run whatever he wants via "su -s PROG USER".
156	* This is safe since PROG is run under user's uid/gid. */
157	#endif
158	if (!opt_shell)
159	opt_shell = pw->pw_shell;
160
161	change_identity(pw);
162	setup_environment(opt_shell,
163	((flags & SU_OPT_l) / SU_OPT_l * SETUP_ENV_CLEARENV)
164	+ (!(flags & SU_OPT_mp) * SETUP_ENV_CHANGEENV)
165	+ (!(flags & SU_OPT_l) * SETUP_ENV_NO_CHDIR),
166	pw);
167	IF_SELINUX(set_current_security_context(NULL);)
168
169	if (opt_command) {
170	*--argv = opt_command;
171	--argv = (char)"-c";
172	}
173
174	/* A nasty ioctl exists which can stuff data into input queue:
175	* #include <sys/ioctl.h>
176	* int main() {
177	* const char *msg = "echo $UID\n";
178	* while (msg) ioctl(0, TIOCSTI, msg++);
179	* return 0;
180	* }
181	* With "su USER -c EXPLOIT" run by root, exploit can make root shell
182	* read as input and execute arbitrary command.
183	* It's debatable whether we need to protect against this
184	* (root may hesitate to run unknown scripts interactively).
185	*
186	* Some versions of su run -c CMD in a different session:
187	* ioctl(TIOCSTI) works only on the controlling tty.
188	*/
189
190	/* Never returns */
191	run_shell(opt_shell, flags & SU_OPT_l, (const char**)argv);
192
193	/* return EXIT_FAILURE; - not reached */
194	}
195