1/* vi: set sw=4 ts=4: */ 2/* 3 * Mini su implementation for busybox 4 * 5 * Licensed under GPLv2 or later, see file LICENSE in this source tree. 6 */ 7//config:config SU 8//config: bool "su (19 kb)" 9//config: default y 10//config: select FEATURE_SYSLOG 11//config: help 12//config: su is used to become another user during a login session. 13//config: Invoked without a username, su defaults to becoming the super user. 14//config: Note that busybox binary must be setuid root for this applet to 15//config: work properly. 16//config: 17//config:config FEATURE_SU_SYSLOG 18//config: bool "Log to syslog all attempts to use su" 19//config: default y 20//config: depends on SU 21//config: 22//config:config FEATURE_SU_CHECKS_SHELLS 23//config: bool "If user's shell is not in /etc/shells, disallow -s PROG" 24//config: default y 25//config: depends on SU 26//config: 27//config:config FEATURE_SU_BLANK_PW_NEEDS_SECURE_TTY 28//config: bool "Allow blank passwords only on TTYs in /etc/securetty" 29//config: default n 30//config: depends on SU 31 32//applet:/* Needs to be run by root or be suid root - needs to change uid and gid: */ 33//applet:IF_SU(APPLET(su, BB_DIR_BIN, BB_SUID_REQUIRE)) 34 35//kbuild:lib-$(CONFIG_SU) += su.o 36 37//usage:#define su_trivial_usage 38//usage: "[-lmp] [-s SH] [-] [USER [FILE ARGS | -c 'CMD' [ARG0 ARGS]]]" 39//usage:#define su_full_usage "\n\n" 40//usage: "Run shell under USER (by default, root)\n" 41//usage: "\n -,-l Clear environment, go to home dir, run shell as login shell" 42//usage: "\n -p,-m Do not set new $HOME, $SHELL, $USER, $LOGNAME" 43//usage: "\n -c CMD Command to pass to 'sh -c'" 44//usage: "\n -s SH Shell to use instead of user's default" 45 46#include "libbb.h" 47#include <syslog.h> 48 49#if ENABLE_FEATURE_SU_CHECKS_SHELLS 50/* Return 1 if SHELL is a restricted shell (one not returned by 51 * getusershell), else 0, meaning it is a standard shell. */ 52static int restricted_shell(const char *shell) 53{ 54 char *line; 55 int result = 1; 56 57 /*setusershell(); - getusershell does it itself*/ 58 while ((line = getusershell()) != NULL) { 59 if (/* *line != '#' && */ strcmp(line, shell) == 0) { 60 result = 0; 61 break; 62 } 63 } 64 if (ENABLE_FEATURE_CLEAN_UP) 65 endusershell(); 66 return result; 67} 68#endif 69 70#define SU_OPT_mp (3) 71#define SU_OPT_l (4) 72 73int su_main(int argc, char **argv) MAIN_EXTERNALLY_VISIBLE; 74int su_main(int argc UNUSED_PARAM, char **argv) 75{ 76 unsigned flags; 77 char *opt_shell = NULL; 78 char *opt_command = NULL; 79 const char *opt_username = "root"; 80 struct passwd *pw; 81 uid_t cur_uid = getuid(); 82 const char *tty; 83#if ENABLE_FEATURE_UTMP 84 char user_buf[64]; 85#endif 86 const char *old_user; 87 int r; 88 89 /* Note: we don't use "'+': stop at first non-option" idiom here. 90 * For su, "SCRIPT ARGS" or "-c CMD ARGS" do not stop option parsing: 91 * ARGS starting with dash will be treated as su options, 92 * not passed to shell. (Tested on util-linux 2.28). 93 */ 94 flags = getopt32(argv, "mplc:s:", &opt_command, &opt_shell); 95 argv += optind; 96 97 if (argv[0] && LONE_DASH(argv[0])) { 98 flags |= SU_OPT_l; 99 argv++; 100 } 101 102 /* get user if specified */ 103 if (argv[0]) { 104 opt_username = argv[0]; 105 argv++; 106 } 107 108 tty = xmalloc_ttyname(STDIN_FILENO); 109 if (!tty) 110 tty = "none"; 111 tty = skip_dev_pfx(tty); 112 113 if (ENABLE_FEATURE_SU_SYSLOG) { 114 /* The utmp entry (via getlogin) is probably the best way to 115 * identify the user, especially if someone su's from a su-shell. 116 * But getlogin can fail -- usually due to lack of utmp entry. 117 * in this case resort to getpwuid. */ 118#if ENABLE_FEATURE_UTMP 119 old_user = user_buf; 120 if (getlogin_r(user_buf, sizeof(user_buf)) != 0) 121#endif 122 { 123 pw = getpwuid(cur_uid); 124 old_user = pw ? xstrdup(pw->pw_name) : ""; 125 } 126 openlog(applet_name, 0, LOG_AUTH); 127 } 128 129 pw = xgetpwnam(opt_username); 130 131 r = 1; 132 if (cur_uid != 0) 133 r = ask_and_check_password(pw); 134 if (r > 0) { 135 if (ENABLE_FEATURE_SU_BLANK_PW_NEEDS_SECURE_TTY 136 && r == CHECKPASS_PW_HAS_EMPTY_PASSWORD 137 && !is_tty_secure(tty) 138 ) { 139 goto fail; 140 } 141 if (ENABLE_FEATURE_SU_SYSLOG) 142 syslog(LOG_NOTICE, "%c %s %s:%s", 143 '+', tty, old_user, opt_username); 144 } else { 145 fail: 146 if (ENABLE_FEATURE_SU_SYSLOG) 147 syslog(LOG_NOTICE, "%c %s %s:%s", 148 '-', tty, old_user, opt_username); 149 pause_after_failed_login(); 150 bb_simple_error_msg_and_die("incorrect password"); 151 } 152 153 if (ENABLE_FEATURE_CLEAN_UP && ENABLE_FEATURE_SU_SYSLOG) { 154 closelog(); 155 } 156 157 if (!opt_shell && (flags & SU_OPT_mp)) { 158 /* -s SHELL is not given, but "preserve env" opt is */ 159 opt_shell = getenv("SHELL"); 160 } 161 162#if ENABLE_FEATURE_SU_CHECKS_SHELLS 163 if (opt_shell && cur_uid != 0 && pw->pw_shell && restricted_shell(pw->pw_shell)) { 164 /* The user being su'd to has a nonstandard shell, and so is 165 * probably a uucp account or has restricted access. Don't 166 * compromise the account by allowing access with a standard 167 * shell. */ 168 bb_simple_error_msg("using restricted shell"); 169 opt_shell = NULL; /* ignore -s PROG */ 170 } 171 /* else: user can run whatever he wants via "su -s PROG USER". 172 * This is safe since PROG is run under user's uid/gid. */ 173#endif 174 if (!opt_shell) 175 opt_shell = pw->pw_shell; 176 177 change_identity(pw); 178 setup_environment(opt_shell, 179 ((flags & SU_OPT_l) / SU_OPT_l * SETUP_ENV_CLEARENV) 180 + (!(flags & SU_OPT_mp) * SETUP_ENV_CHANGEENV) 181 + (!(flags & SU_OPT_l) * SETUP_ENV_NO_CHDIR), 182 pw); 183 IF_SELINUX(set_current_security_context(NULL);) 184 185 if (opt_command) { 186 *--argv = opt_command; 187 *--argv = (char*)"-c"; 188 } 189 190 /* A nasty ioctl exists which can stuff data into input queue: 191 * #include <sys/ioctl.h> 192 * int main() { 193 * const char *msg = "echo $UID\n"; 194 * while (*msg) ioctl(0, TIOCSTI, *msg++); 195 * return 0; 196 * } 197 * With "su USER -c EXPLOIT" run by root, exploit can make root shell 198 * read as input and execute arbitrary command. 199 * It's debatable whether we need to protect against this 200 * (root may hesitate to run unknown scripts interactively). 201 * 202 * Some versions of su run -c CMD in a different session: 203 * ioctl(TIOCSTI) works only on the controlling tty. 204 */ 205 206 /* Never returns */ 207 exec_shell(opt_shell, flags & SU_OPT_l, (const char**)argv); 208 209 /* return EXIT_FAILURE; - not reached */ 210} 211