/*
* sulogin
*
* This program gives Linux machines a reasonably secure way to boot single
* user. It forces the user to supply the root password before a shell is
* started. If there is a shadow password file and the encrypted root password
* is "x" the shadow password will be used.
*
* Copyright (C) 1998-2003 Miquel van Smoorenburg.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/
#include <sys/types.h>
#include <sys/stat.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <signal.h>
#include <pwd.h>
#include <shadow.h>
#include <termios.h>
#include <errno.h>
#include <getopt.h>
#include <sys/ioctl.h>
#ifdef HAVE_CRYPT_H
# include <crypt.h>
#endif
#ifdef HAVE_LIBSELINUX
# include <selinux/selinux.h>
# include <selinux/get_context_list.h>
#endif
#include "c.h"
#include "nls.h"
#include "pathnames.h"
/*
 * Signal dispositions recorded by mask_signal() while the prompt is shown;
 * sushell() hands them back through unmask_signal() before exec'ing.
 */
struct sigaction saved_sigquit;
struct sigaction saved_sigtstp;
struct sigaction saved_sigint;

/* Set by -p: start the shell as a login shell. */
static int profile;

/* Set by -t: seconds to wait for the password; 0 means no alarm is armed. */
static int timeout;
/*
 * SIGALRM handler used for the password prompt timeout.
 *
 * Intentionally does nothing. getpasswd() installs it with sa_flags = 0,
 * so the only effect of the alarm is that SIGALRM is caught here instead
 * of taking its default action.
 */
static void alrm_handler(int sig __attribute__((unused)))
{
	/* nothing to do */
}
/*
 * Install `handler` for `signal` and report the disposition that was in
 * place before in *origaction, so unmask_signal() can put it back later.
 *
 * The new action uses an empty signal mask and no flags. The result of
 * sigaction() is not checked.
 */
static void mask_signal(int signal, void (*handler)(int),
			struct sigaction *origaction)
{
	struct sigaction replacement;

	replacement.sa_flags = 0;
	sigemptyset(&replacement.sa_mask);
	replacement.sa_handler = handler;

	/* one call both fetches the old action and installs the new one */
	sigaction(signal, &replacement, origaction);
}
/*
 * Re-install a previously saved disposition for `signal`.
 *
 * `sa` is normally the structure filled in by mask_signal(). The result of
 * sigaction() is not checked.
 */
static void unmask_signal(int signal, struct sigaction *sa)
{
	const struct sigaction *previous = sa;

	sigaction(signal, previous, NULL);
}
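/*
 * See if a stored password field looks like a usable crypt(3) string.
 *
 * Returns 1 when the field is acceptable and 0 when it looks garbled.
 *
 *  - an empty field is accepted (it means "no password");
 *  - a field that does not start with '$' must be a traditional DES hash:
 *    exactly 13 characters from the crypt alphabet [./0-9A-Za-z];
 *  - otherwise the field must have the form $id$salt$hash, where "$id$" is
 *    3 or 4 bytes and the salt is at most 16 bytes. The hash length is
 *    checked for $1$ (MD5), $5$ (SHA-256) and $6$ (SHA-512); any other id
 *    (e.g. Blowfish) is accepted without a length check.
 *
 * Security note: the callers in this file react to a 0 result by clearing
 * the password, which lets the maintenance shell start without one. A false
 * "invalid" verdict therefore weakens the check, so the salt limit is
 * measured on the salt alone; counting the "$id$" prefix as part of it
 * would reject hashes that use the full 16-byte salt.
 *
 * NOTE(review): strings carrying an extra "rounds=N$" field are not parsed
 * specially; the "rounds=N" part is treated as the salt, so the length
 * checks below will most likely reject them -- confirm whether such entries
 * need to be supported here.
 */
static int valid(const char *pass)
{
	static const char crypt_alphabet[] =
		"./0123456789"
		"ABCDEFGHIJKLMNOPQRSTUVWXYZ"
		"abcdefghijklmnopqrstuvwxyz";
	const char *s;
	const char *salt;
	char id[5];
	size_t idlen;
	size_t len;

	if (pass[0] == '\0')
		return 1;

	if (pass[0] != '$') {
		/* traditional DES: 13 characters, all from the crypt alphabet */
		return strlen(pass) == 13 &&
		       strspn(pass, crypt_alphabet) == 13;
	}

	/*
	 * up to 4 bytes for the signature e.g. $1$
	 */
	for (s = pass + 1; *s && *s != '$'; s++)
		;
	if (*s++ != '$')
		return 0;

	idlen = (size_t)(s - pass);
	if (idlen < 3 || idlen > 4)
		return 0;

	/* idlen <= 4 < sizeof(id), so id always stays NUL-terminated */
	memset(id, '\0', sizeof(id));
	memcpy(id, pass, idlen);

	/*
	 * up to 16 bytes for the salt, not counting the signature
	 */
	salt = s;
	for (; *s && *s != '$'; s++)
		;
	if (*s != '$')
		return 0;
	if ((size_t)(s - salt) > 16)
		return 0;
	s++;

	len = strlen(s);

	/*
	 * the MD5 hash (128 bits or 16 bytes) encoded in base64 = 22 bytes
	 */
	if (strcmp(id, "$1$") == 0 && (len < 22 || len > 24))
		return 0;

	/*
	 * the SHA-256 hash 43 bytes
	 */
	if (strcmp(id, "$5$") == 0 && (len < 42 || len > 44))
		return 0;

	/*
	 * the SHA-512 hash 86 bytes
	 */
	if (strcmp(id, "$6$") == 0 && (len < 85 || len > 87))
		return 0;

	/*
	 * e.g. Blowfish hash
	 */
	return 1;
}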
/*
 * Store val in *var, but only when val is not NULL; a NULL val leaves
 * *var untouched. Only the pointer is stored, nothing is copied.
 */
static void set(char **var, char *val)
{
	if (val == NULL)
		return;

	*var = val;
}
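/*
 * Return the first line of fp that begins with "root:", read into buf, or
 * NULL when there is none.
 *
 * Only text that starts a real line is considered. When a line is longer
 * than the buffer, fgets() delivers it in several pieces; the later pieces
 * are skipped so that a fragment from the middle of an over-long line is
 * never parsed as an entry.
 */
static char *find_root_line(FILE *fp, char *buf, size_t bufsz)
{
	int at_line_start = 1;

	while (fgets(buf, (int)bufsz, fp) != NULL) {
		int starts_line = at_line_start;

		at_line_start = strchr(buf, '\n') != NULL;
		if (starts_line && strncmp(buf, "root:", 5) == 0)
			return buf;
	}
	return NULL;
}

/*
 * Get the root password entry.
 *
 * The entry is first looked up with getpwnam(3), switching to the
 * getspnam(3) hash when the passwd field is "x". If that lookup fails and
 * try_manually is zero, NULL is returned. With try_manually set, the
 * password and shadow files are parsed by hand and a pointer to a static
 * entry is returned; its strings point into static buffers, so the result
 * is only valid until the next call.
 *
 * Security note: the manual path fails open. When a file cannot be opened,
 * has no root entry, or holds a hash that valid() rejects, the returned
 * entry has an empty password, and main() treats an empty password as
 * "no password required". This is only reachable when try_manually is set.
 */
static struct passwd *getrootpwent(int try_manually)
{
	static struct passwd pwd;
	static char line[256];
	static char sline[256];
	struct passwd *pw;
	struct spwd *spw;
	FILE *fp;
	char *p;

	/*
	 * First, we try to get the password the standard way using normal
	 * library calls.
	 */
	if ((pw = getpwnam("root")) &&
	    !strcmp(pw->pw_passwd, "x") &&
	    (spw = getspnam("root")))
		pw->pw_passwd = spw->sp_pwdp;

	if (pw || !try_manually)
		return pw;

	/*
	 * If we come here, we could not retrieve the root password through
	 * library calls and we try to read the password and shadow files
	 * manually.
	 */
	pwd.pw_name = "root";
	pwd.pw_passwd = "";
	pwd.pw_gecos = "Super User";
	pwd.pw_dir = "/";
	pwd.pw_shell = "";
	pwd.pw_uid = 0;
	pwd.pw_gid = 0;

	if ((fp = fopen(_PATH_PASSWD, "r")) == NULL) {
		warn(_("%s: open failed"), _PATH_PASSWD);
		return &pwd;
	}

	/*
	 * Find root in the password file.
	 */
	p = find_root_line(fp, line, sizeof(line));
	fclose(fp);

	if (p == NULL) {
		warnx(_("%s: no entry for root\n"), _PATH_PASSWD);
		return &pwd;
	}

	/* strsep() returns NULL once the line runs out; set() then keeps the default */
	p += 5;
	set(&pwd.pw_passwd, strsep(&p, ":"));
	strsep(&p, ":");		/* skip one field (uid in passwd(5)) */
	strsep(&p, ":");		/* skip one field (gid in passwd(5)) */
	set(&pwd.pw_gecos, strsep(&p, ":"));
	set(&pwd.pw_dir, strsep(&p, ":"));
	set(&pwd.pw_shell, strsep(&p, "\n"));

	/*
	 * If the encrypted password is valid, return.
	 */
	if (valid(pwd.pw_passwd))
		return &pwd;

	/*
	 * The password is invalid. If there is a shadow password, try it.
	 * Point at an empty string rather than writing through pw_passwd.
	 */
	pwd.pw_passwd = "";
	if ((fp = fopen(_PATH_SHADOW_PASSWD, "r")) == NULL) {
		/* report the file that actually failed to open */
		warn(_("%s: open failed"), _PATH_SHADOW_PASSWD);
		return &pwd;
	}

	/*
	 * "found" is tracked through p itself; the field cursor is a separate
	 * variable because strsep() sets its cursor to NULL when the line has
	 * no further ':' even though an entry was found.
	 */
	p = find_root_line(fp, sline, sizeof(sline));
	if (p != NULL) {
		char *field = p + 5;

		set(&pwd.pw_passwd, strsep(&field, ":"));
	}
	fclose(fp);

	/*
	 * If the password is still invalid, NULL it, and return.
	 */
	if (p == NULL) {
		warnx(_("%s: no entry for root"), _PATH_SHADOW_PASSWD);
		pwd.pw_passwd = "";
	}
	if (!valid(pwd.pw_passwd)) {
		warnx(_("%s: root password garbled"), _PATH_SHADOW_PASSWD);
		pwd.pw_passwd = "";
	}
	return &pwd;
}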
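/*
 * Ask for the password. Note that there is no default timeout as we normally
 * skip this during boot.
 *
 * crypted is the stored password field; it only selects the prompt (an
 * empty field means "press enter"). Echo is switched off on fd 0 while the
 * line is read and the previous terminal settings are restored afterwards.
 * When the global timeout is non-zero an alarm is armed around the read.
 *
 * Returns a pointer to a static buffer holding the typed line without its
 * trailing CR/LF, or NULL when read() returned <= 0 (end of file, error, or
 * interruption by the alarm). At most sizeof(pass) - 1 bytes are read;
 * longer input is cut off there.
 *
 * The buffer is cleared on every call so that bytes from an earlier attempt
 * can never end up in the returned string, and the string is terminated at
 * the number of bytes actually read.
 */
static char *getpasswd(char *crypted)
{
	struct sigaction sa;
	struct termios old, tty;
	static char pass[128];
	char *ret = pass;
	ssize_t nread;
	int have_tty;

	if (crypted[0])
		printf(_("Give root password for maintenance\n"));
	else
		printf(_("Press enter for maintenance"));
	printf(_("(or type Control-D to continue): "));
	fflush(stdout);

	/* only touch (and later restore) the settings if they could be read */
	have_tty = tcgetattr(0, &old) == 0;
	if (have_tty) {
		tty = old;
		tty.c_iflag &= ~(IUCLC|IXON|IXOFF|IXANY);
		tty.c_lflag &= ~(ECHO|ECHOE|ECHOK|ECHONL|TOSTOP);
		tcsetattr(0, TCSANOW, &tty);
	}

	/* drop whatever a previous attempt left in the static buffer */
	memset(pass, 0, sizeof(pass));

	/* fully initialise the action, including sa_mask, before installing it */
	memset(&sa, 0, sizeof(sa));
	sa.sa_handler = alrm_handler;
	sigemptyset(&sa.sa_mask);
	sa.sa_flags = 0;
	sigaction(SIGALRM, &sa, NULL);
	if (timeout)
		alarm(timeout);

	nread = read(0, pass, sizeof(pass) - 1);
	if (nread <= 0)
		ret = NULL;
	else {
		pass[nread] = '\0';
		/* cut at the first CR or LF */
		pass[strcspn(pass, "\r\n")] = '\0';
	}
	alarm(0);
	if (have_tty)
		tcsetattr(0, TCSANOW, &old);
	printf("\n");

	return ret;
}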
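/*
 * Password was OK, execute a shell.
 *
 * Changes to pwd->pw_dir (falling back to "/"), picks the shell from the
 * SUSHELL or sushell environment variable, then pwd->pw_shell, then
 * /bin/sh, sets HOME, LOGNAME, USER, SHELL (and SHLVL unless a login shell
 * was requested), restores the signal dispositions saved by mask_signal()
 * and exec's the shell. If that exec fails, /bin/sh is tried. The function
 * only returns when both exec attempts failed.
 *
 * NOTE(review): the shell path is taken from the environment as is; this
 * presumably relies on sulogin being started with a trusted environment --
 * confirm against how it is invoked.
 */
static void sushell(struct passwd *pwd)
{
	char shell[PATH_MAX];
	char home[PATH_MAX];
	char *p;
	char *path;

	/*
	 * Set directory and shell.
	 */
	if (chdir(pwd->pw_dir) != 0) {
		warn(_("%s: change directory failed"), pwd->pw_dir);
		printf(_("Logging in with home = \"/\".\n"));

		if (chdir("/") != 0)
			warn(_("change directory to system root failed"));
	}

	if ((p = getenv("SUSHELL")) != NULL)
		path = p;
	else if ((p = getenv("sushell")) != NULL)
		path = p;
	else if (pwd->pw_shell[0])
		path = pwd->pw_shell;
	else
		path = "/bin/sh";

	/* argv[0] is the basename, with a leading '-' for a login shell */
	if ((p = strrchr(path, '/')) == NULL)
		p = path;
	else
		p++;

	snprintf(shell, sizeof(shell), profile ? "-%s" : "%s", p);

	/*
	 * Set some important environment variables.
	 */
	if (getcwd(home, sizeof(home)) != NULL)
		setenv("HOME", home, 1);

	setenv("LOGNAME", "root", 1);
	setenv("USER", "root", 1);
	if (!profile)
		setenv("SHLVL","0",1);

	/*
	 * Try to execute a shell.
	 */
	setenv("SHELL", path, 1);
	unmask_signal(SIGINT, &saved_sigint);
	unmask_signal(SIGTSTP, &saved_sigtstp);
	unmask_signal(SIGQUIT, &saved_sigquit);

	/*
	 * Guarded by the same macro as the selinux includes at the top of the
	 * file; with a different macro the context setup below could be left
	 * out of the build without any diagnostic.
	 */
#ifdef HAVE_LIBSELINUX
	if (is_selinux_enabled() > 0) {
		security_context_t scon=NULL;
		char *seuser=NULL;
		char *level=NULL;
		if (getseuserbyname("root", &seuser, &level) == 0) {
			if (get_default_context_with_level(seuser, level, 0, &scon) == 0) {
				if (setexeccon(scon) != 0)
					warnx(_("setexeccon failed"));
				freecon(scon);
			}
		}
		free(seuser);
		free(level);
	}
#endif
	/* the terminator of a variadic exec list must be a pointer */
	execl(path, shell, (char *)NULL);
	warn(_("%s: exec failed"), path);

	setenv("SHELL", "/bin/sh", 1);
	execl("/bin/sh", profile ? "-sh" : "sh", (char *)NULL);
	warn(_("%s: exec failed"), "/bin/sh");
}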
/*
 * Print the help text to `out`: the synopsis line, the three sulogin
 * options and the common help/version/man-page trailer.
 */
static void usage(FILE *out)
{
	const char *options_help;

	fputs(USAGE_HEADER, out);
	fprintf(out, _(
		" %s [options] [tty device]\n"), program_invocation_short_name);

	options_help = _(" -p, --login-shell start a login shell\n"
			 " -t, --timeout <seconds> max time to wait for a password (default: no limit)\n"
			 " -e, --force examine password files directly if getpwnam(3) fails\n");

	fputs(USAGE_OPTIONS, out);
	fputs(options_help, out);

	fputs(USAGE_SEPARATOR, out);
	fputs(USAGE_HELP, out);
	fputs(USAGE_VERSION, out);
	fprintf(out, USAGE_MAN_TAIL("sulogin(8)"));
}
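/*
 * sulogin entry point.
 *
 * Parses the options, refuses to run unless the effective uid is 0,
 * optionally re-opens the tty given on the command line (or in $CONSOLE)
 * as the controlling terminal, fetches the root password entry and then
 * prompts until the password matches or the prompt returns NULL.
 *
 * A usage error does not terminate the program; the prompt is still shown.
 * When no password entry can be obtained at all, no shell is started.
 */
int main(int argc, char **argv)
{
	char *tty = NULL;
	char *p;
	struct passwd *pwd;
	int c, fd = -1;
	int opt_e = 0;
	pid_t pid, pgrp, ppgrp, ttypgrp;
	struct sigaction saved_sighup;

	static const struct option longopts[] = {
		{ "login-shell",  0, 0, 'p' },
		{ "timeout",      1, 0, 't' },
		{ "force",        0, 0, 'e' },
		{ "help",         0, 0, 'h' },
		{ "version",      0, 0, 'V' },
		{ NULL,           0, 0, 0 }
	};

	/*
	 * See if we have a timeout flag.
	 */
	while ((c = getopt_long(argc, argv, "ehpt:V", longopts, NULL)) != -1) {
		switch(c) {
		case 't': {
			long secs;

			/*
			 * A leading number is accepted as before; negative or
			 * out-of-range values mean "no limit" instead of being
			 * passed on to alarm() as a huge unsigned count.
			 */
			errno = 0;
			secs = strtol(optarg, NULL, 10);
			if (errno == ERANGE || secs < 0 ||
			    secs != (long)(int)secs) {
				warnx(_("invalid timeout argument"));
				secs = 0;
			}
			timeout = (int)secs;
			break;
		}
		case 'p':
			profile = 1;
			break;
		case 'e':
			opt_e = 1;
			break;
		case 'V':
			printf(UTIL_LINUX_VERSION);
			return EXIT_SUCCESS;
		case 'h':
			usage(stdout);
			return EXIT_SUCCESS;
		default:
			usage(stderr);
			/* Do not exit! */
			break;
		}
	}

	if (geteuid() != 0)
		errx(EXIT_FAILURE, _("only root can run this program."));

	/*
	 * See if we need to open another tty device.
	 */
	mask_signal(SIGQUIT, SIG_IGN, &saved_sigquit);
	mask_signal(SIGTSTP, SIG_IGN, &saved_sigtstp);
	mask_signal(SIGINT,  SIG_IGN, &saved_sigint);
	if (optind < argc)
		tty = argv[optind];

	if (tty || (tty = getenv("CONSOLE"))) {

		if ((fd = open(tty, O_RDWR)) < 0) {
			warn(_("%s: open failed"), tty);
			fd = dup(0);
		}

		if (!isatty(fd)) {
			warn(_("%s: not a tty"), tty);
			close(fd);
		} else {

			/*
			 * Only go through this trouble if the new tty doesn't
			 * fall in this process group.
			 */
			pid = getpid();
			pgrp = getpgid(0);
			ppgrp = getpgid(getppid());
			ttypgrp = tcgetpgrp(fd);

			if (pgrp != ttypgrp && ppgrp != ttypgrp) {
				if (pid != getsid(0)) {
					if (pid == getpgid(0))
						setpgid(0, getpgid(getppid()));
					setsid();
				}

				/*
				 * Ignore SIGHUP while the controlling tty is
				 * given up, then restore the old disposition.
				 * Merely saving and restoring it would leave
				 * the signal deliverable during TIOCNOTTY.
				 */
				mask_signal(SIGHUP, SIG_IGN, &saved_sighup);
				if (ttypgrp > 0)
					ioctl(0, TIOCNOTTY, (char *)1);
				unmask_signal(SIGHUP, &saved_sighup);
				close(0);
				close(1);
				close(2);
				if (fd > 2)
					close(fd);
				if ((fd = open(tty, O_RDWR|O_NOCTTY)) < 0)
					warn(_("%s: open failed"), tty);
				else {
					ioctl(0, TIOCSCTTY, (char *)1);
					tcsetpgrp(fd, ppgrp);
					dup2(fd, 0);
					dup2(fd, 1);
					dup2(fd, 2);
					if (fd > 2)
						close(fd);
				}
			} else
				if (fd > 2)
					close(fd);
		}
	} else if (getpid() == 1) {
		/* We are init. We hence need to set a session anyway */
		setsid();
		if (ioctl(0, TIOCSCTTY, (char *)1))
			warn(_("TIOCSCTTY: ioctl failed"));
	}

	/*
	 * Get the root password.
	 */
	if ((pwd = getrootpwent(opt_e)) == NULL) {
		warnx(_("cannot open password database."));
		sleep(2);
	}

	/*
	 * Ask for the password.
	 */
	while (pwd) {
		volatile char *wipe;
		int ok;

		if ((p = getpasswd(pwd->pw_passwd)) == NULL)
			break;

		if (pwd->pw_passwd[0] == 0)
			ok = 1;
		else {
			/*
			 * crypt() may return NULL (e.g. for a salt it does
			 * not support); treat that as a failed attempt
			 * instead of handing NULL to strcmp().
			 */
			const char *answer = crypt(p, pwd->pw_passwd);

			ok = answer != NULL &&
			     strcmp(answer, pwd->pw_passwd) == 0;
		}

		/* the typed password is no longer needed; clear our copy */
		for (wipe = p; *wipe; wipe++)
			*wipe = '\0';

		if (ok)
			sushell(pwd);

		/* reached on a wrong password, or when sushell() could not exec */
		mask_signal(SIGQUIT, SIG_IGN, &saved_sigquit);
		mask_signal(SIGTSTP, SIG_IGN, &saved_sigtstp);
		mask_signal(SIGINT,  SIG_IGN, &saved_sigint);
		fprintf(stderr, _("Login incorrect\n\n"));
	}

	/*
	 * User pressed Control-D.
	 */
	return EXIT_SUCCESS;
}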