3
0

su.c 5.9 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209
  1. /* vi: set sw=4 ts=4: */
  2. /*
  3. * Mini su implementation for busybox
  4. *
  5. * Licensed under GPLv2 or later, see file LICENSE in this source tree.
  6. */
  7. //config:config SU
  8. //config: bool "su (19 kb)"
  9. //config: default y
  10. //config: select FEATURE_SYSLOG
  11. //config: help
  12. //config: su is used to become another user during a login session.
  13. //config: Invoked without a username, su defaults to becoming the super user.
  14. //config: Note that busybox binary must be setuid root for this applet to
  15. //config: work properly.
  16. //config:
  17. //config:config FEATURE_SU_SYSLOG
  18. //config: bool "Log to syslog all attempts to use su"
  19. //config: default y
  20. //config: depends on SU
  21. //config:
  22. //config:config FEATURE_SU_CHECKS_SHELLS
  23. //config: bool "If user's shell is not in /etc/shells, disallow -s PROG"
  24. //config: default y
  25. //config: depends on SU
  26. //config:
  27. //config:config FEATURE_SU_BLANK_PW_NEEDS_SECURE_TTY
  28. //config: bool "Allow blank passwords only on TTYs in /etc/securetty"
  29. //config: default n
  30. //config: depends on SU
  31. //applet:/* Needs to be run by root or be suid root - needs to change uid and gid: */
  32. //applet:IF_SU(APPLET(su, BB_DIR_BIN, BB_SUID_REQUIRE))
  33. //kbuild:lib-$(CONFIG_SU) += su.o
  34. //usage:#define su_trivial_usage
  35. //usage: "[-lmp] [-s SH] [-] [USER [FILE ARGS | -c 'CMD' [ARG0 ARGS]]]"
  36. //usage:#define su_full_usage "\n\n"
  37. //usage: "Run shell under USER (by default, root)\n"
  38. //usage: "\n -,-l Clear environment, go to home dir, run shell as login shell"
  39. //usage: "\n -p,-m Do not set new $HOME, $SHELL, $USER, $LOGNAME"
  40. //usage: "\n -c CMD Command to pass to 'sh -c'"
  41. //usage: "\n -s SH Shell to use instead of user's default"
  42. #include "libbb.h"
  43. #include <syslog.h>
  44. #if ENABLE_FEATURE_SU_CHECKS_SHELLS
  45. /* Return 1 if SHELL is a restricted shell (one not returned by
  46. * getusershell), else 0, meaning it is a standard shell. */
  47. static int restricted_shell(const char *shell)
  48. {
  49. char *line;
  50. int result = 1;
  51. /*setusershell(); - getusershell does it itself*/
  52. while ((line = getusershell()) != NULL) {
  53. if (/* *line != '#' && */ strcmp(line, shell) == 0) {
  54. result = 0;
  55. break;
  56. }
  57. }
  58. if (ENABLE_FEATURE_CLEAN_UP)
  59. endusershell();
  60. return result;
  61. }
  62. #endif
  63. #define SU_OPT_mp (3)
  64. #define SU_OPT_l (4)
  65. int su_main(int argc, char **argv) MAIN_EXTERNALLY_VISIBLE;
  66. int su_main(int argc UNUSED_PARAM, char **argv)
  67. {
  68. unsigned flags;
  69. char *opt_shell = NULL;
  70. char *opt_command = NULL;
  71. const char *opt_username = "root";
  72. struct passwd *pw;
  73. uid_t cur_uid = getuid();
  74. const char *tty;
  75. #if ENABLE_FEATURE_UTMP
  76. char user_buf[64];
  77. #endif
  78. const char *old_user;
  79. int r;
  80. /* Note: we don't use "'+': stop at first non-option" idiom here.
  81. * For su, "SCRIPT ARGS" or "-c CMD ARGS" do not stop option parsing:
  82. * ARGS starting with dash will be treated as su options,
  83. * not passed to shell. (Tested on util-linux 2.28).
  84. */
  85. flags = getopt32(argv, "mplc:s:", &opt_command, &opt_shell);
  86. argv += optind;
  87. if (argv[0] && LONE_DASH(argv[0])) {
  88. flags |= SU_OPT_l;
  89. argv++;
  90. }
  91. /* get user if specified */
  92. if (argv[0]) {
  93. opt_username = argv[0];
  94. argv++;
  95. }
  96. tty = xmalloc_ttyname(STDIN_FILENO);
  97. if (!tty)
  98. tty = "none";
  99. tty = skip_dev_pfx(tty);
  100. if (ENABLE_FEATURE_SU_SYSLOG) {
  101. /* The utmp entry (via getlogin) is probably the best way to
  102. * identify the user, especially if someone su's from a su-shell.
  103. * But getlogin can fail -- usually due to lack of utmp entry.
  104. * in this case resort to getpwuid. */
  105. #if ENABLE_FEATURE_UTMP
  106. old_user = user_buf;
  107. if (getlogin_r(user_buf, sizeof(user_buf)) != 0)
  108. #endif
  109. {
  110. pw = getpwuid(cur_uid);
  111. old_user = pw ? xstrdup(pw->pw_name) : "";
  112. }
  113. openlog(applet_name, 0, LOG_AUTH);
  114. }
  115. pw = xgetpwnam(opt_username);
  116. r = 1;
  117. if (cur_uid != 0)
  118. r = ask_and_check_password(pw);
  119. if (r > 0) {
  120. if (ENABLE_FEATURE_SU_BLANK_PW_NEEDS_SECURE_TTY
  121. && r == CHECKPASS_PW_HAS_EMPTY_PASSWORD
  122. && !is_tty_secure(tty)
  123. ) {
  124. goto fail;
  125. }
  126. if (ENABLE_FEATURE_SU_SYSLOG)
  127. syslog(LOG_NOTICE, "%c %s %s:%s",
  128. '+', tty, old_user, opt_username);
  129. } else {
  130. fail:
  131. if (ENABLE_FEATURE_SU_SYSLOG)
  132. syslog(LOG_NOTICE, "%c %s %s:%s",
  133. '-', tty, old_user, opt_username);
  134. pause_after_failed_login();
  135. bb_simple_error_msg_and_die("incorrect password");
  136. }
  137. if (ENABLE_FEATURE_CLEAN_UP && ENABLE_FEATURE_SU_SYSLOG) {
  138. closelog();
  139. }
  140. if (!opt_shell && (flags & SU_OPT_mp)) {
  141. /* -s SHELL is not given, but "preserve env" opt is */
  142. opt_shell = getenv("SHELL");
  143. }
  144. #if ENABLE_FEATURE_SU_CHECKS_SHELLS
  145. if (opt_shell && cur_uid != 0 && pw->pw_shell && restricted_shell(pw->pw_shell)) {
  146. /* The user being su'd to has a nonstandard shell, and so is
  147. * probably a uucp account or has restricted access. Don't
  148. * compromise the account by allowing access with a standard
  149. * shell. */
  150. bb_simple_error_msg("using restricted shell");
  151. opt_shell = NULL; /* ignore -s PROG */
  152. }
  153. /* else: user can run whatever he wants via "su -s PROG USER".
  154. * This is safe since PROG is run under user's uid/gid. */
  155. #endif
  156. if (!opt_shell)
  157. opt_shell = pw->pw_shell;
  158. change_identity(pw);
  159. setup_environment(opt_shell,
  160. ((flags & SU_OPT_l) ? (SETUP_ENV_CLEARENV + SETUP_ENV_CHDIR) : 0)
  161. + (!(flags & SU_OPT_mp) * SETUP_ENV_CHANGEENV),
  162. pw);
  163. IF_SELINUX(set_current_security_context(NULL);)
  164. if (opt_command) {
  165. *--argv = opt_command;
  166. *--argv = (char*)"-c";
  167. }
  168. /* A nasty ioctl exists which can stuff data into input queue:
  169. * #include <sys/ioctl.h>
  170. * int main() {
  171. * const char *msg = "echo $UID\n";
  172. * while (*msg) ioctl(0, TIOCSTI, *msg++);
  173. * return 0;
  174. * }
  175. * With "su USER -c EXPLOIT" run by root, exploit can make root shell
  176. * read as input and execute arbitrary command.
  177. * It's debatable whether we need to protect against this
  178. * (root may hesitate to run unknown scripts interactively).
  179. *
  180. * Some versions of su run -c CMD in a different session:
  181. * ioctl(TIOCSTI) works only on the controlling tty.
  182. */
  183. /* Never returns */
  184. exec_shell(opt_shell, flags & SU_OPT_l, (const char**)argv);
  185. /* return EXIT_FAILURE; - not reached */
  186. }