static mode_t
setlogincontext(login_cap_t *lc, const struct passwd *pwd,
mode_t mymask, unsigned long flags)
{
if (lc) {
/* Set resources */
if (flags & LOGIN_SETRESOURCES)
setclassresources(lc);
/* See if there's a umask override */
if (flags & LOGIN_SETUMASK)
mymask = (mode_t)login_getcapnum(lc, "umask", mymask, mymask);
/* Set paths */
if (flags & LOGIN_SETPATH)
setclassenvironment(lc, pwd, 1);
/* Set environment */
if (flags & LOGIN_SETENV)
setclassenvironment(lc, pwd, 0);
}
return (mymask);
}
int
setusercontext(login_cap_t *lc, const struct passwd *pwd, uid_t uid, unsigned int flags)
{
quad_t p;
mode_t mymask;
login_cap_t *llc = NULL;
struct sigaction sa, prevsa;
struct rtprio rtp;
int error;
if (lc == NULL) {
if (pwd != NULL && (lc = login_getpwclass(pwd)) != NULL)
llc = lc; /* free this when we're done */
}
if (flags & LOGIN_SETPATH)
pathvars[0].def = uid ? _PATH_DEFPATH : _PATH_STDPATH;
/* we need a passwd entry to set these */
if (pwd == NULL)
flags &= ~(LOGIN_SETGROUP | LOGIN_SETLOGIN | LOGIN_SETMAC);
/* Set the process priority */
if (flags & LOGIN_SETPRIORITY) {
p = login_getcapnum(lc, "priority", LOGIN_DEFPRI, LOGIN_DEFPRI);
if (p > PRIO_MAX) {
rtp.type = RTP_PRIO_IDLE;
rtp.prio = p - PRIO_MAX - 1;
p = (rtp.prio > RTP_PRIO_MAX) ? 31 : p;
if (rtprio(RTP_SET, 0, &rtp))
syslog(LOG_WARNING, "rtprio '%s' (%s): %m",
pwd ? pwd->pw_name : "-",
lc ? lc->lc_class : LOGIN_DEFCLASS);
} else if (p < PRIO_MIN) {
rtp.type = RTP_PRIO_REALTIME;
rtp.prio = abs(p - PRIO_MIN + RTP_PRIO_MAX);
p = (rtp.prio > RTP_PRIO_MAX) ? 1 : p;
if (rtprio(RTP_SET, 0, &rtp))
syslog(LOG_WARNING, "rtprio '%s' (%s): %m",
pwd ? pwd->pw_name : "-",
lc ? lc->lc_class : LOGIN_DEFCLASS);
} else {
if (setpriority(PRIO_PROCESS, 0, (int)p) != 0)
syslog(LOG_WARNING, "setpriority '%s' (%s): %m",
pwd ? pwd->pw_name : "-",
lc ? lc->lc_class : LOGIN_DEFCLASS);
}
}
/* Setup the user's group permissions */
if (flags & LOGIN_SETGROUP) {
if (setgid(pwd->pw_gid) != 0) {
syslog(LOG_ERR, "setgid(%lu): %m", (u_long)pwd->pw_gid);
login_close(llc);
return (-1);
}
if (initgroups(pwd->pw_name, pwd->pw_gid) == -1) {
syslog(LOG_ERR, "initgroups(%s,%lu): %m", pwd->pw_name,
(u_long)pwd->pw_gid);
login_close(llc);
return (-1);
}
}
/* Set up the user's MAC label. */
if ((flags & LOGIN_SETMAC) && mac_is_present(NULL) == 1) {
const char *label_string;
mac_t label;
label_string = login_getcapstr(lc, "label", NULL, NULL);
if (label_string != NULL) {
if (mac_from_text(&label, label_string) == -1) {
syslog(LOG_ERR, "mac_from_text('%s') for %s: %m",
pwd->pw_name, label_string);
return (-1);
}
if (mac_set_proc(label) == -1)
error = errno;
else
error = 0;
mac_free(label);
if (error != 0) {
syslog(LOG_ERR, "mac_set_proc('%s') for %s: %s",
label_string, pwd->pw_name, strerror(error));
return (-1);
}
}
}
/* Set the sessions login */
if ((flags & LOGIN_SETLOGIN) && setlogin(pwd->pw_name) != 0) {
syslog(LOG_ERR, "setlogin(%s): %m", pwd->pw_name);
login_close(llc);
return (-1);
}
/* Inform the kernel about current login class */
if (lc != NULL && lc->lc_class != NULL && (flags & LOGIN_SETLOGINCLASS)) {
/*
* XXX: This is a workaround to fail gracefully in case the kernel
* does not support setloginclass(2).
*/
bzero(&sa, sizeof(sa));
sa.sa_handler = SIG_IGN;
sigfillset(&sa.sa_mask);
sigaction(SIGSYS, &sa, &prevsa);
error = setloginclass(lc->lc_class);
sigaction(SIGSYS, &prevsa, NULL);
if (error != 0) {
syslog(LOG_ERR, "setloginclass(%s): %m", lc->lc_class);
#ifdef notyet
login_close(llc);
return (-1);
#endif
}
}
mymask = (flags & LOGIN_SETUMASK) ? umask(LOGIN_DEFUMASK) : 0;
mymask = setlogincontext(lc, pwd, mymask, flags);
login_close(llc);
/* This needs to be done after anything that needs root privs */
if ((flags & LOGIN_SETUSER) && setuid(uid) != 0) {
syslog(LOG_ERR, "setuid(%lu): %m", (u_long)uid);
return (-1); /* Paranoia again */
}
/*
* Now, we repeat some of the above for the user's private entries
*/
if (getuid() == uid && (lc = login_getuserclass(pwd)) != NULL) {
mymask = setlogincontext(lc, pwd, mymask, flags);
login_close(lc);
}
/* Finally, set any umask we've found */
if (flags & LOGIN_SETUMASK)
umask(mymask);
return (0);
}
int
main(int argc, char *argv[])
{
struct group *gr;
struct stat st;
int ask, ch, cnt, fflag, hflag, pflag, sflag, quietlog, rootlogin, rval;
uid_t uid, saved_uid;
gid_t saved_gid, saved_gids[NGROUPS_MAX];
int nsaved_gids;
#ifdef notdef
char *domain;
#endif
char *p, *ttyn;
const char *pwprompt;
char tbuf[MAXPATHLEN + 2], tname[sizeof(_PATH_TTY) + 10];
char localhost[MAXHOSTNAMELEN + 1];
int need_chpass, require_chpass;
int login_retries = DEFAULT_RETRIES,
login_backoff = DEFAULT_BACKOFF;
time_t pw_warntime = _PASSWORD_WARNDAYS * SECSPERDAY;
char *loginname = NULL;
#ifdef KERBEROS5
int Fflag;
krb5_error_code kerror;
#endif
#if defined(KERBEROS5)
int got_tickets = 0;
#endif
#ifdef LOGIN_CAP
char *shell = NULL;
login_cap_t *lc = NULL;
#endif
tbuf[0] = '\0';
rval = 0;
pwprompt = NULL;
nested = NULL;
need_chpass = require_chpass = 0;
(void)signal(SIGALRM, timedout);
(void)alarm(timeout);
(void)signal(SIGQUIT, SIG_IGN);
(void)signal(SIGINT, SIG_IGN);
(void)setpriority(PRIO_PROCESS, 0, 0);
openlog("login", 0, LOG_AUTH);
/*
* -p is used by getty to tell login not to destroy the environment
* -f is used to skip a second login authentication
* -h is used by other servers to pass the name of the remote host to
* login so that it may be placed in utmp/utmpx and wtmp/wtmpx
* -a in addition to -h, a server may supply -a to pass the actual
* server address.
* -s is used to force use of S/Key or equivalent.
*/
if (gethostname(localhost, sizeof(localhost)) < 0) {
syslog(LOG_ERR, "couldn't get local hostname: %m");
strcpy(hostname, "amnesiac");
}
#ifdef notdef
domain = strchr(localhost, '.');
#endif
localhost[sizeof(localhost) - 1] = '\0';
fflag = hflag = pflag = sflag = 0;
have_ss = 0;
#ifdef KERBEROS5
Fflag = 0;
have_forward = 0;
#endif
uid = getuid();
while ((ch = getopt(argc, argv, "a:Ffh:ps")) != -1)
switch (ch) {
case 'a':
if (uid)
errx(EXIT_FAILURE, "-a option: %s", strerror(EPERM));
decode_ss(optarg);
#ifdef notdef
(void)sockaddr_snprintf(optarg,
sizeof(struct sockaddr_storage), "%a", (void *)&ss);
#endif
break;
case 'F':
#ifdef KERBEROS5
Fflag = 1;
#endif
/* FALLTHROUGH */
case 'f':
fflag = 1;
break;
case 'h':
if (uid)
errx(EXIT_FAILURE, "-h option: %s", strerror(EPERM));
hflag = 1;
#ifdef notdef
if (domain && (p = strchr(optarg, '.')) != NULL &&
strcasecmp(p, domain) == 0)
*p = '\0';
#endif
hostname = optarg;
break;
case 'p':
pflag = 1;
break;
case 's':
sflag = 1;
break;
default:
case '?':
usage();
break;
}
setproctitle(NULL);
argc -= optind;
argv += optind;
if (*argv) {
username = loginname = *argv;
ask = 0;
} else
ask = 1;
#ifdef F_CLOSEM
(void)fcntl(3, F_CLOSEM, 0);
#else
for (cnt = getdtablesize(); cnt > 2; cnt--)
(void)close(cnt);
#endif
ttyn = ttyname(STDIN_FILENO);
if (ttyn == NULL || *ttyn == '\0') {
(void)snprintf(tname, sizeof(tname), "%s??", _PATH_TTY);
ttyn = tname;
}
if ((tty = strstr(ttyn, "/pts/")) != NULL)
++tty;
else if ((tty = strrchr(ttyn, '/')) != NULL)
++tty;
else
tty = ttyn;
if (issetugid()) {
nested = strdup(user_from_uid(getuid(), 0));
if (nested == NULL) {
syslog(LOG_ERR, "strdup: %m");
sleepexit(EXIT_FAILURE);
}
}
#ifdef LOGIN_CAP
/* Get "login-retries" and "login-backoff" from default class */
if ((lc = login_getclass(NULL)) != NULL) {
login_retries = (int)login_getcapnum(lc, "login-retries",
DEFAULT_RETRIES, DEFAULT_RETRIES);
login_backoff = (int)login_getcapnum(lc, "login-backoff",
DEFAULT_BACKOFF, DEFAULT_BACKOFF);
login_close(lc);
lc = NULL;
}
#endif
#ifdef KERBEROS5
kerror = krb5_init_context(&kcontext);
if (kerror) {
/*
* If Kerberos is not configured, that is, we are
* not using Kerberos, do not log the error message.
* However, if Kerberos is configured, and the
* context init fails for some other reason, we need
* to issue a no tickets warning to the user when the
* login succeeds.
*/
if (kerror != ENXIO) { /* XXX NetBSD-local Heimdal hack */
syslog(LOG_NOTICE,
"%s when initializing Kerberos context",
error_message(kerror));
krb5_configured = 1;
}
login_krb5_get_tickets = 0;
}
#endif /* KERBEROS5 */
for (cnt = 0;; ask = 1) {
#if defined(KERBEROS5)
if (login_krb5_get_tickets)
k5destroy();
#endif
if (ask) {
fflag = 0;
loginname = getloginname();
}
rootlogin = 0;
#ifdef KERBEROS5
if ((instance = strchr(loginname, '/')) != NULL)
*instance++ = '\0';
else
instance = __UNCONST("");
#endif
username = trimloginname(loginname);
/*
* Note if trying multiple user names; log failures for
* previous user name, but don't bother logging one failure
* for nonexistent name (mistyped username).
*/
if (failures && strcmp(tbuf, username)) {
if (failures > (pwd ? 0 : 1))
badlogin(tbuf);
failures = 0;
}
(void)strlcpy(tbuf, username, sizeof(tbuf));
pwd = getpwnam(username);
#ifdef LOGIN_CAP
/*
* Establish the class now, before we might goto
* within the next block. pwd can be NULL since it
* falls back to the "default" class if it is.
*/
lc = login_getclass(pwd ? pwd->pw_class : NULL);
#endif
/*
* if we have a valid account name, and it doesn't have a
* password, or the -f option was specified and the caller
* is root or the caller isn't changing their uid, don't
* authenticate.
*/
if (pwd) {
if (pwd->pw_uid == 0)
rootlogin = 1;
if (fflag && (uid == 0 || uid == pwd->pw_uid)) {
/* already authenticated */
#ifdef KERBEROS5
if (login_krb5_get_tickets && Fflag)
k5_read_creds(username);
#endif
break;
} else if (pwd->pw_passwd[0] == '\0') {
/* pretend password okay */
rval = 0;
goto ttycheck;
}
}
fflag = 0;
(void)setpriority(PRIO_PROCESS, 0, -4);
#ifdef SKEY
if (skey_haskey(username) == 0) {
static char skprompt[80];
const char *skinfo = skey_keyinfo(username);
(void)snprintf(skprompt, sizeof(skprompt),
"Password [ %s ]:",
skinfo ? skinfo : "error getting challenge");
pwprompt = skprompt;
} else
#endif
pwprompt = "Password:"******"Login incorrect or refused on this "
"terminal.\n");
if (hostname)
syslog(LOG_NOTICE,
"LOGIN %s REFUSED FROM %s ON TTY %s",
pwd->pw_name, hostname, tty);
else
syslog(LOG_NOTICE,
"LOGIN %s REFUSED ON TTY %s",
pwd->pw_name, tty);
continue;
}
if (pwd && !rval)
break;
(void)printf("Login incorrect or refused on this "
"terminal.\n");
failures++;
cnt++;
/*
* We allow login_retries tries, but after login_backoff
* we start backing off. These default to 10 and 3
* respectively.
*/
if (cnt > login_backoff) {
if (cnt >= login_retries) {
badlogin(username);
sleepexit(EXIT_FAILURE);
}
sleep((u_int)((cnt - login_backoff) * 5));
}
}
/* committed to login -- turn off timeout */
(void)alarm((u_int)0);
endpwent();
/* if user not super-user, check for disabled logins */
#ifdef LOGIN_CAP
if (!login_getcapbool(lc, "ignorenologin", rootlogin))
checknologin(login_getcapstr(lc, "nologin", NULL, NULL));
#else
if (!rootlogin)
checknologin(NULL);
#endif
#ifdef LOGIN_CAP
quietlog = login_getcapbool(lc, "hushlogin", 0);
#else
quietlog = 0;
#endif
/* Temporarily give up special privileges so we can change */
/* into NFS-mounted homes that are exported for non-root */
/* access and have mode 7x0 */
saved_uid = geteuid();
saved_gid = getegid();
nsaved_gids = getgroups(NGROUPS_MAX, saved_gids);
(void)setegid(pwd->pw_gid);
initgroups(username, pwd->pw_gid);
(void)seteuid(pwd->pw_uid);
if (chdir(pwd->pw_dir) < 0) {
#ifdef LOGIN_CAP
if (login_getcapbool(lc, "requirehome", 0)) {
(void)printf("Home directory %s required\n",
pwd->pw_dir);
sleepexit(EXIT_FAILURE);
}
#endif
(void)printf("No home directory %s!\n", pwd->pw_dir);
if (chdir("/") == -1)
exit(EXIT_FAILURE);
pwd->pw_dir = __UNCONST("/");
(void)printf("Logging in with home = \"/\".\n");
}
if (!quietlog)
quietlog = access(_PATH_HUSHLOGIN, F_OK) == 0;
/* regain special privileges */
(void)seteuid(saved_uid);
setgroups(nsaved_gids, saved_gids);
(void)setegid(saved_gid);
#ifdef LOGIN_CAP
pw_warntime = login_getcaptime(lc, "password-warn",
_PASSWORD_WARNDAYS * SECSPERDAY,
_PASSWORD_WARNDAYS * SECSPERDAY);
#endif
(void)gettimeofday(&now, NULL);
if (pwd->pw_expire) {
if (now.tv_sec >= pwd->pw_expire) {
(void)printf("Sorry -- your account has expired.\n");
sleepexit(EXIT_FAILURE);
} else if (pwd->pw_expire - now.tv_sec < pw_warntime &&
!quietlog)
(void)printf("Warning: your account expires on %s",
ctime(&pwd->pw_expire));
}
if (pwd->pw_change) {
if (pwd->pw_change == _PASSWORD_CHGNOW)
need_chpass = 1;
else if (now.tv_sec >= pwd->pw_change) {
(void)printf("Sorry -- your password has expired.\n");
sleepexit(EXIT_FAILURE);
} else if (pwd->pw_change - now.tv_sec < pw_warntime &&
!quietlog)
(void)printf("Warning: your password expires on %s",
ctime(&pwd->pw_change));
}
/* Nothing else left to fail -- really log in. */
update_db(quietlog, rootlogin, fflag);
(void)chown(ttyn, pwd->pw_uid,
(gr = getgrnam(TTYGRPNAME)) ? gr->gr_gid : pwd->pw_gid);
if (ttyaction(ttyn, "login", pwd->pw_name))
(void)printf("Warning: ttyaction failed.\n");
#if defined(KERBEROS5)
/* Fork so that we can call kdestroy */
if (! login_krb5_retain_ccache && has_ccache)
dofork();
#endif
/* Destroy environment unless user has requested its preservation. */
if (!pflag)
environ = envinit;
#ifdef LOGIN_CAP
if (nested == NULL && setusercontext(lc, pwd, pwd->pw_uid,
LOGIN_SETLOGIN) != 0) {
syslog(LOG_ERR, "setusercontext failed");
exit(EXIT_FAILURE);
}
if (setusercontext(lc, pwd, pwd->pw_uid,
(LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETLOGIN))) != 0) {
syslog(LOG_ERR, "setusercontext failed");
exit(EXIT_FAILURE);
}
#else
(void)setgid(pwd->pw_gid);
initgroups(username, pwd->pw_gid);
if (nested == NULL && setlogin(pwd->pw_name) < 0)
syslog(LOG_ERR, "setlogin() failure: %m");
/* Discard permissions last so can't get killed and drop core. */
if (rootlogin)
(void)setuid(0);
else
(void)setuid(pwd->pw_uid);
#endif
if (*pwd->pw_shell == '\0')
pwd->pw_shell = __UNCONST(_PATH_BSHELL);
#ifdef LOGIN_CAP
if ((shell = login_getcapstr(lc, "shell", NULL, NULL)) != NULL) {
if ((shell = strdup(shell)) == NULL) {
syslog(LOG_ERR, "Cannot alloc mem");
sleepexit(EXIT_FAILURE);
}
pwd->pw_shell = shell;
}
#endif
(void)setenv("HOME", pwd->pw_dir, 1);
(void)setenv("SHELL", pwd->pw_shell, 1);
if (term[0] == '\0') {
const char *tt = stypeof(tty);
#ifdef LOGIN_CAP
if (tt == NULL)
tt = login_getcapstr(lc, "term", NULL, NULL);
#endif
/* unknown term -> "su" */
(void)strlcpy(term, tt != NULL ? tt : "su", sizeof(term));
}
(void)setenv("TERM", term, 0);
(void)setenv("LOGNAME", pwd->pw_name, 1);
(void)setenv("USER", pwd->pw_name, 1);
#ifdef LOGIN_CAP
setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETPATH);
#else
(void)setenv("PATH", _PATH_DEFPATH, 0);
#endif
#ifdef KERBEROS5
if (krb5tkfile_env)
(void)setenv("KRB5CCNAME", krb5tkfile_env, 1);
#endif
/* If fflag is on, assume caller/authenticator has logged root login. */
if (rootlogin && fflag == 0) {
if (hostname)
syslog(LOG_NOTICE, "ROOT LOGIN (%s) ON %s FROM %s",
username, tty, hostname);
else
syslog(LOG_NOTICE, "ROOT LOGIN (%s) ON %s",
username, tty);
}
#if defined(KERBEROS5)
if (KERBEROS_CONFIGURED && !quietlog && notickets == 1)
(void)printf("Warning: no Kerberos tickets issued.\n");
#endif
if (!quietlog) {
const char *fname;
#ifdef LOGIN_CAP
fname = login_getcapstr(lc, "copyright", NULL, NULL);
if (fname != NULL && access(fname, F_OK) == 0)
motd(fname);
else
#endif
(void)printf("%s", copyrightstr);
#ifdef LOGIN_CAP
fname = login_getcapstr(lc, "welcome", NULL, NULL);
if (fname == NULL || access(fname, F_OK) != 0)
#endif
fname = _PATH_MOTDFILE;
motd(fname);
(void)snprintf(tbuf,
sizeof(tbuf), "%s/%s", _PATH_MAILDIR, pwd->pw_name);
if (stat(tbuf, &st) == 0 && st.st_size != 0)
(void)printf("You have %smail.\n",
(st.st_mtime > st.st_atime) ? "new " : "");
}
#ifdef LOGIN_CAP
login_close(lc);
#endif
(void)signal(SIGALRM, SIG_DFL);
(void)signal(SIGQUIT, SIG_DFL);
(void)signal(SIGINT, SIG_DFL);
(void)signal(SIGTSTP, SIG_IGN);
tbuf[0] = '-';
(void)strlcpy(tbuf + 1, (p = strrchr(pwd->pw_shell, '/')) ?
p + 1 : pwd->pw_shell, sizeof(tbuf) - 1);
/* Wait to change password until we're unprivileged */
if (need_chpass) {
if (!require_chpass)
(void)printf(
"Warning: your password has expired. Please change it as soon as possible.\n");
else {
int status;
(void)printf(
"Your password has expired. Please choose a new one.\n");
switch (fork()) {
case -1:
warn("fork");
sleepexit(EXIT_FAILURE);
case 0:
execl(_PATH_BINPASSWD, "passwd", NULL);
_exit(EXIT_FAILURE);
default:
if (wait(&status) == -1 ||
WEXITSTATUS(status))
sleepexit(EXIT_FAILURE);
}
}
}
#ifdef KERBEROS5
if (login_krb5_get_tickets)
k5_write_creds();
#endif
execlp(pwd->pw_shell, tbuf, NULL);
err(EXIT_FAILURE, "%s", pwd->pw_shell);
}
int
main(int argc, char **argv)
{
struct group *gr;
struct stat st;
int retries, backoff;
int ask, ch, cnt, quietlog, rootlogin, rval;
uid_t uid, euid;
gid_t egid;
char *term;
char *p, *ttyn;
char tname[sizeof(_PATH_TTY) + 10];
char *arg0;
const char *tp;
const char *shell = NULL;
login_cap_t *lc = NULL;
login_cap_t *lc_user = NULL;
pid_t pid;
#ifdef USE_BSM_AUDIT
char auditsuccess = 1;
#endif
signal(SIGQUIT, SIG_IGN);
signal(SIGINT, SIG_IGN);
signal(SIGHUP, SIG_IGN);
if (setjmp(timeout_buf)) {
if (failures)
badlogin(username);
fprintf(stderr, "Login timed out after %d seconds\n",
timeout);
bail(NO_SLEEP_EXIT, 0);
}
signal(SIGALRM, timedout);
alarm(timeout);
setpriority(PRIO_PROCESS, 0, 0);
openlog("login", LOG_ODELAY, LOG_AUTH);
uid = getuid();
euid = geteuid();
egid = getegid();
while ((ch = getopt(argc, argv, "fh:p")) != -1)
switch (ch) {
case 'f':
fflag = 1;
break;
case 'h':
if (uid != 0)
errx(1, "-h option: %s", strerror(EPERM));
if (strlen(optarg) >= MAXHOSTNAMELEN)
errx(1, "-h option: %s: exceeds maximum "
"hostname size", optarg);
hflag = 1;
hostname = optarg;
break;
case 'p':
pflag = 1;
break;
case '?':
default:
if (uid == 0)
syslog(LOG_ERR, "invalid flag %c", ch);
usage();
}
argc -= optind;
argv += optind;
if (argc > 0) {
username = strdup(*argv);
if (username == NULL)
err(1, "strdup()");
ask = 0;
} else {
ask = 1;
}
setproctitle("-%s", getprogname());
for (cnt = getdtablesize(); cnt > 2; cnt--)
close(cnt);
/*
* Get current TTY
*/
ttyn = ttyname(STDIN_FILENO);
if (ttyn == NULL || *ttyn == '\0') {
snprintf(tname, sizeof(tname), "%s??", _PATH_TTY);
ttyn = tname;
}
if (strncmp(ttyn, _PATH_DEV, sizeof(_PATH_DEV) -1) == 0)
tty = ttyn + sizeof(_PATH_DEV) -1;
else
tty = ttyn;
/*
* Get "login-retries" & "login-backoff" from default class
*/
lc = login_getclass(NULL);
prompt = login_getcapstr(lc, "login_prompt",
default_prompt, default_prompt);
passwd_prompt = login_getcapstr(lc, "passwd_prompt",
default_passwd_prompt, default_passwd_prompt);
retries = login_getcapnum(lc, "login-retries",
DEFAULT_RETRIES, DEFAULT_RETRIES);
backoff = login_getcapnum(lc, "login-backoff",
DEFAULT_BACKOFF, DEFAULT_BACKOFF);
login_close(lc);
lc = NULL;
/*
* Try to authenticate the user until we succeed or time out.
*/
for (cnt = 0;; ask = 1) {
if (ask) {
fflag = 0;
if (olduser != NULL)
free(olduser);
olduser = username;
username = getloginname();
}
rootlogin = 0;
/*
* Note if trying multiple user names; log failures for
* previous user name, but don't bother logging one failure
* for nonexistent name (mistyped username).
*/
if (failures && strcmp(olduser, username) != 0) {
if (failures > (pwd ? 0 : 1))
badlogin(olduser);
}
/*
* Load the PAM policy and set some variables
*/
pam_err = pam_start("login", username, &pamc, &pamh);
if (pam_err != PAM_SUCCESS) {
pam_syslog("pam_start()");
#ifdef USE_BSM_AUDIT
au_login_fail("PAM Error", 1);
#endif
bail(NO_SLEEP_EXIT, 1);
}
pam_err = pam_set_item(pamh, PAM_TTY, tty);
if (pam_err != PAM_SUCCESS) {
pam_syslog("pam_set_item(PAM_TTY)");
#ifdef USE_BSM_AUDIT
au_login_fail("PAM Error", 1);
#endif
bail(NO_SLEEP_EXIT, 1);
}
pam_err = pam_set_item(pamh, PAM_RHOST, hostname);
if (pam_err != PAM_SUCCESS) {
pam_syslog("pam_set_item(PAM_RHOST)");
#ifdef USE_BSM_AUDIT
au_login_fail("PAM Error", 1);
#endif
bail(NO_SLEEP_EXIT, 1);
}
pwd = getpwnam(username);
if (pwd != NULL && pwd->pw_uid == 0)
rootlogin = 1;
/*
* If the -f option was specified and the caller is
* root or the caller isn't changing their uid, don't
* authenticate.
*/
if (pwd != NULL && fflag &&
(uid == (uid_t)0 || uid == (uid_t)pwd->pw_uid)) {
/* already authenticated */
rval = 0;
#ifdef USE_BSM_AUDIT
auditsuccess = 0; /* opened a terminal window only */
#endif
} else {
fflag = 0;
setpriority(PRIO_PROCESS, 0, -4);
rval = auth_pam();
setpriority(PRIO_PROCESS, 0, 0);
}
if (pwd && rval == 0)
break;
pam_cleanup();
/*
* We are not exiting here, but this corresponds to a failed
* login event, so set exitstatus to 1.
*/
#ifdef USE_BSM_AUDIT
au_login_fail("Login incorrect", 1);
#endif
printf("Login incorrect\n");
failures++;
pwd = NULL;
/*
* Allow up to 'retry' (10) attempts, but start
* backing off after 'backoff' (3) attempts.
*/
if (++cnt > backoff) {
if (cnt >= retries) {
badlogin(username);
bail(SLEEP_EXIT, 1);
}
sleep((u_int)((cnt - backoff) * 5));
}
}
/* committed to login -- turn off timeout */
alarm((u_int)0);
signal(SIGHUP, SIG_DFL);
endpwent();
#ifdef USE_BSM_AUDIT
/* Audit successful login. */
if (auditsuccess)
au_login_success();
#endif
/*
* Establish the login class.
*/
lc = login_getpwclass(pwd);
lc_user = login_getuserclass(pwd);
if (!(quietlog = login_getcapbool(lc_user, "hushlogin", 0)))
quietlog = login_getcapbool(lc, "hushlogin", 0);
/*
* Switching needed for NFS with root access disabled.
*
* XXX: This change fails to modify the additional groups for the
* process, and as such, may restrict rights normally granted
* through those groups.
*/
setegid(pwd->pw_gid);
seteuid(rootlogin ? 0 : pwd->pw_uid);
if (!*pwd->pw_dir || chdir(pwd->pw_dir) < 0) {
if (login_getcapbool(lc, "requirehome", 0))
refused("Home directory not available", "HOMEDIR", 1);
if (chdir("/") < 0)
refused("Cannot find root directory", "ROOTDIR", 1);
if (!quietlog || *pwd->pw_dir)
printf("No home directory.\nLogging in with home = \"/\".\n");
pwd->pw_dir = strdup("/");
if (pwd->pw_dir == NULL) {
syslog(LOG_NOTICE, "strdup(): %m");
bail(SLEEP_EXIT, 1);
}
}
seteuid(euid);
setegid(egid);
if (!quietlog) {
quietlog = access(_PATH_HUSHLOGIN, F_OK) == 0;
if (!quietlog)
pam_silent = 0;
}
shell = login_getcapstr(lc, "shell", pwd->pw_shell, pwd->pw_shell);
if (*pwd->pw_shell == '\0')
pwd->pw_shell = strdup(_PATH_BSHELL);
if (pwd->pw_shell == NULL) {
syslog(LOG_NOTICE, "strdup(): %m");
bail(SLEEP_EXIT, 1);
}
if (*shell == '\0') /* Not overridden */
shell = pwd->pw_shell;
if ((shell = strdup(shell)) == NULL) {
syslog(LOG_NOTICE, "strdup(): %m");
bail(SLEEP_EXIT, 1);
}
/*
* Set device protections, depending on what terminal the
* user is logged in. This feature is used on Suns to give
* console users better privacy.
*/
login_fbtab(tty, pwd->pw_uid, pwd->pw_gid);
/*
* Clear flags of the tty. None should be set, and when the
* user sets them otherwise, this can cause the chown to fail.
* Since it isn't clear that flags are useful on character
* devices, we just clear them.
*
* We don't log in the case of EOPNOTSUPP because dev might be
* on NFS, which doesn't support chflags.
*
* We don't log in the EROFS because that means that /dev is on
* a read only file system and we assume that the permissions there
* are sane.
*/
if (ttyn != tname && chflags(ttyn, 0))
if (errno != EOPNOTSUPP && errno != EROFS)
syslog(LOG_ERR, "chflags(%s): %m", ttyn);
if (ttyn != tname && chown(ttyn, pwd->pw_uid,
(gr = getgrnam(TTYGRPNAME)) ? gr->gr_gid : pwd->pw_gid))
if (errno != EROFS)
syslog(LOG_ERR, "chown(%s): %m", ttyn);
/*
* Exclude cons/vt/ptys only, assume dialup otherwise
* TODO: Make dialup tty determination a library call
* for consistency (finger etc.)
*/
if (hflag && isdialuptty(tty))
syslog(LOG_INFO, "DIALUP %s, %s", tty, pwd->pw_name);
#ifdef LOGALL
/*
* Syslog each successful login, so we don't have to watch
* hundreds of wtmp or lastlogin files.
*/
if (hflag)
syslog(LOG_INFO, "login from %s on %s as %s",
hostname, tty, pwd->pw_name);
else
syslog(LOG_INFO, "login on %s as %s",
tty, pwd->pw_name);
#endif
/*
* If fflag is on, assume caller/authenticator has logged root
* login.
*/
if (rootlogin && fflag == 0) {
if (hflag)
syslog(LOG_NOTICE, "ROOT LOGIN (%s) ON %s FROM %s",
username, tty, hostname);
else
syslog(LOG_NOTICE, "ROOT LOGIN (%s) ON %s",
username, tty);
}
/*
* Destroy environment unless user has requested its
* preservation - but preserve TERM in all cases
*/
term = getenv("TERM");
if (!pflag)
environ = envinit;
if (term != NULL) {
if (setenv("TERM", term, 0) == -1)
err(1, "setenv: cannot set TERM=%s", term);
}
/*
* PAM modules might add supplementary groups during pam_setcred().
*/
if (setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETGROUP) != 0) {
syslog(LOG_ERR, "setusercontext() failed - exiting");
bail(NO_SLEEP_EXIT, 1);
}
pam_err = pam_setcred(pamh, pam_silent|PAM_ESTABLISH_CRED);
if (pam_err != PAM_SUCCESS) {
pam_syslog("pam_setcred()");
bail(NO_SLEEP_EXIT, 1);
}
pam_cred_established = 1;
pam_err = pam_open_session(pamh, pam_silent);
if (pam_err != PAM_SUCCESS) {
pam_syslog("pam_open_session()");
bail(NO_SLEEP_EXIT, 1);
}
pam_session_established = 1;
/*
* We must fork() before setuid() because we need to call
* pam_close_session() as root.
*/
pid = fork();
if (pid < 0) {
err(1, "fork");
} else if (pid != 0) {
/*
* Parent: wait for child to finish, then clean up
* session.
*/
int status;
setproctitle("-%s [pam]", getprogname());
waitpid(pid, &status, 0);
bail(NO_SLEEP_EXIT, 0);
}
/*
* NOTICE: We are now in the child process!
*/
/*
* Add any environment variables the PAM modules may have set.
*/
export_pam_environment();
/*
* We're done with PAM now; our parent will deal with the rest.
*/
pam_end(pamh, 0);
pamh = NULL;
/*
* We don't need to be root anymore, so set the login name and
* the UID.
*/
if (setlogin(username) != 0) {
syslog(LOG_ERR, "setlogin(%s): %m - exiting", username);
bail(NO_SLEEP_EXIT, 1);
}
if (setusercontext(lc, pwd, pwd->pw_uid,
LOGIN_SETALL & ~(LOGIN_SETLOGIN|LOGIN_SETGROUP)) != 0) {
syslog(LOG_ERR, "setusercontext() failed - exiting");
exit(1);
}
if (setenv("SHELL", pwd->pw_shell, 1) == -1)
err(1, "setenv: cannot set SHELL=%s", pwd->pw_shell);
if (setenv("HOME", pwd->pw_dir, 1) == -1)
err(1, "setenv: cannot set HOME=%s", pwd->pw_dir);
/* Overwrite "term" from login.conf(5) for any known TERM */
if (term == NULL && (tp = stypeof(tty)) != NULL) {
if (setenv("TERM", tp, 1) == -1)
err(1, "setenv: cannot set TERM=%s", tp);
} else {
if (setenv("TERM", TERM_UNKNOWN, 0) == -1)
err(1, "setenv: cannot set TERM=%s", TERM_UNKNOWN);
}
if (setenv("LOGNAME", username, 1) == -1)
err(1, "setenv: cannot set LOGNAME=%s", username);
if (setenv("USER", username, 1) == -1)
err(1, "setenv: cannot set USER=%s", username);
if (setenv("PATH",
rootlogin ? _PATH_STDPATH : _PATH_DEFPATH, 0) == -1) {
err(1, "setenv: cannot set PATH=%s",
rootlogin ? _PATH_STDPATH : _PATH_DEFPATH);
}
if (!quietlog) {
const char *cw;
cw = login_getcapstr(lc, "copyright", NULL, NULL);
if (cw == NULL || motd(cw) == -1)
printf("%s", copyright);
printf("\n");
cw = login_getcapstr(lc, "welcome", NULL, NULL);
if (cw != NULL && access(cw, F_OK) == 0)
motd(cw);
else
motd(_PATH_MOTDFILE);
if (login_getcapbool(lc_user, "nocheckmail", 0) == 0 &&
login_getcapbool(lc, "nocheckmail", 0) == 0) {
char *cx;
/* $MAIL may have been set by class. */
cx = getenv("MAIL");
if (cx == NULL) {
asprintf(&cx, "%s/%s",
_PATH_MAILDIR, pwd->pw_name);
}
if (cx && stat(cx, &st) == 0 && st.st_size != 0)
printf("You have %smail.\n",
(st.st_mtime > st.st_atime) ? "new " : "");
if (getenv("MAIL") == NULL)
free(cx);
}
}
login_close(lc_user);
login_close(lc);
signal(SIGALRM, SIG_DFL);
signal(SIGQUIT, SIG_DFL);
signal(SIGINT, SIG_DFL);
signal(SIGTSTP, SIG_IGN);
/*
* Login shells have a leading '-' in front of argv[0]
*/
p = strrchr(pwd->pw_shell, '/');
if (asprintf(&arg0, "-%s", p ? p + 1 : pwd->pw_shell) >= MAXPATHLEN) {
syslog(LOG_ERR, "user: %s: shell exceeds maximum pathname size",
username);
errx(1, "shell exceeds maximum pathname size");
} else if (arg0 == NULL) {
err(1, "asprintf()");
}
execlp(shell, arg0, NULL);
err(1, "%s", shell);
/*
* That's it, folks!
*/
}
/*ARGSUSED*/
int
main(int argc, char *argv[])
{
char hostname[MAXHOSTNAMELEN], s[BUFSIZ], s1[BUFSIZ], date[256];
char *p, *style, *nstyle, *ttynam;
struct itimerval ntimer, otimer;
int ch, sectimeout, usemine, cnt, tries = 10, backoff = 3;
const char *errstr;
struct passwd *pw;
struct tm *timp;
time_t curtime;
login_cap_t *lc;
sectimeout = TIMEOUT;
style = NULL;
usemine = 0;
no_timeout = 0;
if (!(pw = getpwuid(getuid())))
errx(1, "unknown uid %u.", getuid());
lc = login_getclass(pw->pw_class);
if (lc != NULL) {
/*
* We allow "login-tries" attempts to login but start
* slowing down after "login-backoff" attempts.
*/
tries = (int)login_getcapnum(lc, "login-tries", 10, 10);
backoff = (int)login_getcapnum(lc, "login-backoff", 3, 3);
}
while ((ch = getopt(argc, argv, "a:npt:")) != -1)
switch (ch) {
case 'a':
if (lc) {
style = login_getstyle(lc, optarg, "auth-lock");
if (style == NULL)
errx(1,
"invalid authentication style: %s",
optarg);
}
usemine = 1;
break;
case 't':
sectimeout = (int)strtonum(optarg, 1, INT_MAX, &errstr);
if (errstr)
errx(1, "timeout %s: %s", errstr, optarg);
break;
case 'p':
usemine = 1;
break;
case 'n':
no_timeout = 1;
break;
default:
(void)fprintf(stderr,
"usage: %s [-np] [-a style] [-t timeout]\n",
__progname);
exit(1);
}
timeout.tv_sec = sectimeout * 60;
gethostname(hostname, sizeof(hostname));
if (usemine && lc == NULL)
errx(1, "login class not found");
if (!(ttynam = ttyname(STDIN_FILENO)))
errx(1, "not a terminal?");
curtime = time(NULL);
nexttime = curtime + (sectimeout * 60);
timp = localtime(&curtime);
strftime(date, sizeof(date), "%c", timp);
if (!usemine) {
/* get key and check again */
if (!readpassphrase("Key: ", s, sizeof(s), RPP_ECHO_OFF) ||
*s == '\0')
exit(0);
/*
* Don't need EOF test here, if we get EOF, then s1 != s
* and the right things will happen.
*/
(void)readpassphrase("Again: ", s1, sizeof(s1), RPP_ECHO_OFF);
if (strcmp(s1, s)) {
warnx("\apasswords didn't match.");
exit(1);
}
s[0] = '\0';
}
/* set signal handlers */
(void)signal(SIGINT, hi);
(void)signal(SIGQUIT, hi);
(void)signal(SIGTSTP, hi);
(void)signal(SIGALRM, bye);
ntimer.it_interval = zerotime;
ntimer.it_value = timeout;
if (!no_timeout)
setitimer(ITIMER_REAL, &ntimer, &otimer);
/* header info */
if (no_timeout) {
(void)fprintf(stderr,
"%s: %s on %s. no timeout\ntime now is %s\n",
__progname, ttynam, hostname, date);
} else {
(void)fprintf(stderr,
"%s: %s on %s. timeout in %d minutes\ntime now is %s\n",
__progname, ttynam, hostname, sectimeout, date);
}
for (cnt = 0;;) {
if (!readpassphrase("Key: ", s, sizeof(s), RPP_ECHO_OFF) ||
*s == '\0') {
hi(0);
continue;
}
if (usemine) {
/*
* If user entered 's/key' or the style specified via
* the '-a' argument, auth_userokay() will prompt
* for a new password. Otherwise, use what we have.
*/
if ((strcmp(s, "s/key") == 0 &&
(nstyle = login_getstyle(lc, "skey", "auth-lock")))
|| ((nstyle = style) && strcmp(s, nstyle) == 0))
p = NULL;
else
p = s;
if (auth_userokay(pw->pw_name, nstyle, "auth-lock", p))
break;
} else if (strcmp(s, s1) == 0)
break;
(void)putc('\a', stderr);
cnt %= tries;
if (++cnt > backoff) {
sigset_t set, oset;
sigfillset(&set);
sigprocmask(SIG_BLOCK, &set, &oset);
sleep((u_int)((cnt - backoff) * tries / 2));
sigprocmask(SIG_SETMASK, &oset, NULL);
}
}
exit(0);
}
int
setusercontext(login_cap_t *lc, const struct passwd *pwd, uid_t uid, unsigned int flags)
{
quad_t p;
mode_t mymask;
login_cap_t *llc = NULL;
struct rtprio rtp;
if (lc == NULL) {
if (pwd != NULL && (lc = login_getpwclass(pwd)) != NULL)
llc = lc; /* free this when we're done */
}
if (flags & LOGIN_SETPATH)
pathvars[0].def = uid ? _PATH_DEFPATH : _PATH_STDPATH;
/* we need a passwd entry to set these */
if (pwd == NULL)
flags &= ~(LOGIN_SETGROUP | LOGIN_SETLOGIN);
/* Set the process priority */
if (flags & LOGIN_SETPRIORITY) {
p = login_getcapnum(lc, "priority", LOGIN_DEFPRI, LOGIN_DEFPRI);
if (p > PRIO_MAX) {
rtp.type = RTP_PRIO_IDLE;
rtp.prio = p - PRIO_MAX - 1;
p = (rtp.prio > RTP_PRIO_MAX) ? 31 : p;
if (rtprio(RTP_SET, 0, &rtp))
syslog(LOG_WARNING, "rtprio '%s' (%s): %m",
pwd ? pwd->pw_name : "-",
lc ? lc->lc_class : LOGIN_DEFCLASS);
} else if (p < PRIO_MIN) {
rtp.type = RTP_PRIO_REALTIME;
rtp.prio = abs(p - PRIO_MIN + RTP_PRIO_MAX);
p = (rtp.prio > RTP_PRIO_MAX) ? 1 : p;
if (rtprio(RTP_SET, 0, &rtp))
syslog(LOG_WARNING, "rtprio '%s' (%s): %m",
pwd ? pwd->pw_name : "-",
lc ? lc->lc_class : LOGIN_DEFCLASS);
} else {
if (setpriority(PRIO_PROCESS, 0, (int)p) != 0)
syslog(LOG_WARNING, "setpriority '%s' (%s): %m",
pwd ? pwd->pw_name : "-",
lc ? lc->lc_class : LOGIN_DEFCLASS);
}
}
/* Setup the user's group permissions */
if (flags & LOGIN_SETGROUP) {
if (setgid(pwd->pw_gid) != 0) {
syslog(LOG_ERR, "setgid(%lu): %m", (u_long)pwd->pw_gid);
login_close(llc);
return (-1);
}
if (initgroups(pwd->pw_name, pwd->pw_gid) == -1) {
syslog(LOG_ERR, "initgroups(%s,%lu): %m", pwd->pw_name,
(u_long)pwd->pw_gid);
login_close(llc);
return (-1);
}
}
/* Set the sessions login */
if ((flags & LOGIN_SETLOGIN) && setlogin(pwd->pw_name) != 0) {
syslog(LOG_ERR, "setlogin(%s): %m", pwd->pw_name);
login_close(llc);
return (-1);
}
mymask = (flags & LOGIN_SETUMASK) ? umask(LOGIN_DEFUMASK) : 0;
mymask = setlogincontext(lc, pwd, mymask, flags);
login_close(llc);
/* This needs to be done after anything that needs root privs */
if ((flags & LOGIN_SETUSER) && setuid(uid) != 0) {
syslog(LOG_ERR, "setuid(%lu): %m", (u_long)uid);
return (-1); /* Paranoia again */
}
/*
* Now, we repeat some of the above for the user's private entries
*/
if (getuid() == uid && (lc = login_getuserclass(pwd)) != NULL) {
mymask = setlogincontext(lc, pwd, mymask, flags);
login_close(lc);
}
/* Finally, set any umask we've found */
if (flags & LOGIN_SETUMASK)
umask(mymask);
return (0);
}
int
main(int argc, char *argv[])
{
char *domain, *p, *ttyn, *shell, *fullname, *instance;
char *lipaddr, *script, *ripaddr, *style, *type, *fqdn;
char tbuf[MAXPATHLEN + 2], tname[sizeof(_PATH_TTY) + 10];
char localhost[MAXHOSTNAMELEN], *copyright;
char mail[sizeof(_PATH_MAILDIR) + 1 + NAME_MAX];
int ask, ch, cnt, fflag, pflag, quietlog, rootlogin, lastchance;
int error, homeless, needto, authok, tries, backoff;
struct addrinfo *ai, hints;
struct rlimit cds, scds;
quad_t expire, warning;
struct utmp utmp;
struct group *gr;
struct stat st;
uid_t uid;
openlog("login", LOG_ODELAY, LOG_AUTH);
fqdn = lipaddr = ripaddr = fullname = type = NULL;
authok = 0;
tries = 10;
backoff = 3;
domain = NULL;
if (gethostname(localhost, sizeof(localhost)) < 0) {
syslog(LOG_ERR, "couldn't get local hostname: %m");
strlcpy(localhost, "localhost", sizeof(localhost));
} else if ((domain = strchr(localhost, '.'))) {
domain++;
if (*domain && strchr(domain, '.') == NULL)
domain = localhost;
}
if ((as = auth_open()) == NULL) {
syslog(LOG_ERR, "auth_open: %m");
err(1, "unable to initialize BSD authentication");
}
auth_setoption(as, "login", "yes");
/*
* -p is used by getty to tell login not to destroy the environment
* -f is used to skip a second login authentication
* -h is used by other servers to pass the name of the remote
* host to login so that it may be placed in utmp and wtmp
*/
fflag = pflag = 0;
uid = getuid();
while ((ch = getopt(argc, argv, "fh:pu:L:R:")) != -1)
switch (ch) {
case 'f':
fflag = 1;
break;
case 'h':
if (uid) {
warnc(EPERM, "-h option");
quickexit(1);
}
free(fqdn);
if ((fqdn = strdup(optarg)) == NULL) {
warn(NULL);
quickexit(1);
}
auth_setoption(as, "fqdn", fqdn);
if (domain && (p = strchr(optarg, '.')) &&
strcasecmp(p+1, domain) == 0)
*p = 0;
hostname = optarg;
auth_setoption(as, "hostname", hostname);
break;
case 'L':
if (uid) {
warnc(EPERM, "-L option");
quickexit(1);
}
if (lipaddr) {
warnx("duplicate -L option");
quickexit(1);
}
lipaddr = optarg;
memset(&hints, 0, sizeof(hints));
hints.ai_family = PF_UNSPEC;
hints.ai_flags = AI_CANONNAME;
error = getaddrinfo(lipaddr, NULL, &hints, &ai);
if (!error) {
strlcpy(localhost, ai->ai_canonname,
sizeof(localhost));
freeaddrinfo(ai);
} else
strlcpy(localhost, lipaddr, sizeof(localhost));
auth_setoption(as, "local_addr", lipaddr);
break;
case 'p':
pflag = 1;
break;
case 'R':
if (uid) {
warnc(EPERM, "-R option");
quickexit(1);
}
if (ripaddr) {
warnx("duplicate -R option");
quickexit(1);
}
ripaddr = optarg;
auth_setoption(as, "remote_addr", ripaddr);
break;
case 'u':
if (uid) {
warnc(EPERM, "-u option");
quickexit(1);
}
rusername = optarg;
break;
default:
if (!uid)
syslog(LOG_ERR, "invalid flag %c", ch);
(void)fprintf(stderr,
"usage: login [-fp] [-h hostname] [-L local-addr] "
"[-R remote-addr] [-u username]\n\t[user]\n");
quickexit(1);
}
argc -= optind;
argv += optind;
if (*argv) {
username = *argv;
ask = 0;
} else
ask = 1;
/*
* If effective user is not root, just run su(1) to emulate login(1).
*/
if (geteuid() != 0) {
char *av[5], **ap;
auth_close(as);
closelog();
closefrom(STDERR_FILENO + 1);
ap = av;
*ap++ = _PATH_SU;
*ap++ = "-L";
if (!pflag)
*ap++ = "-l";
if (!ask)
*ap++ = username;
*ap = NULL;
execv(_PATH_SU, av);
warn("unable to exec %s", _PATH_SU);
_exit(1);
}
ttyn = ttyname(STDIN_FILENO);
if (ttyn == NULL || *ttyn == '\0') {
(void)snprintf(tname, sizeof(tname), "%s??", _PATH_TTY);
ttyn = tname;
}
if ((tty = strrchr(ttyn, '/')))
++tty;
else
tty = ttyn;
/*
* Since login deals with sensitive information, turn off coredumps.
*/
if (getrlimit(RLIMIT_CORE, &scds) < 0) {
syslog(LOG_ERR, "couldn't get core dump size: %m");
scds.rlim_cur = scds.rlim_max = QUAD_MIN;
}
cds.rlim_cur = cds.rlim_max = 0;
if (setrlimit(RLIMIT_CORE, &cds) < 0) {
syslog(LOG_ERR, "couldn't set core dump size to 0: %m");
scds.rlim_cur = scds.rlim_max = QUAD_MIN;
}
(void)signal(SIGALRM, timedout);
if (argc > 1) {
needto = 0;
(void)alarm(timeout);
} else
needto = 1;
(void)signal(SIGQUIT, SIG_IGN);
(void)signal(SIGINT, SIG_IGN);
(void)signal(SIGHUP, SIG_IGN);
(void)setpriority(PRIO_PROCESS, 0, 0);
#ifdef notyet
/* XXX - we don't (yet) support per-tty auth stuff */
/* BSDi uses a ttys.conf file but we could just overload /etc/ttys */
/*
* Classify the attempt.
* By default we use the value in the ttys file.
* If there is a classify script we run that as
*
* classify [-f] [username]
*/
if (type = getttyauth(tty))
auth_setoption(as, "auth_type", type);
#endif
/* get the default login class */
if ((lc = login_getclass(0)) == NULL) { /* get the default class */
warnx("Failure to retrieve default class");
quickexit(1);
}
timeout = (u_int)login_getcapnum(lc, "login-timeout", 300, 300);
if ((script = login_getcapstr(lc, "classify", NULL, NULL)) != NULL) {
unsetenv("AUTH_TYPE");
unsetenv("REMOTE_NAME");
if (script[0] != '/') {
syslog(LOG_ERR, "Invalid classify script: %s", script);
warnx("Classification failure");
quickexit(1);
}
shell = strrchr(script, '/') + 1;
auth_setstate(as, AUTH_OKAY);
auth_call(as, script, shell,
fflag ? "-f" : username, fflag ? username : 0, (char *)0);
if (!(auth_getstate(as) & AUTH_ALLOW))
quickexit(1);
auth_setenv(as);
if ((p = getenv("AUTH_TYPE")) != NULL &&
strncmp(p, "auth-", 5) == 0)
type = p;
if ((p = getenv("REMOTE_NAME")) != NULL)
hostname = p;
/*
* we may have changed some values, reset them
*/
auth_clroptions(as);
if (type)
auth_setoption(as, "auth_type", type);
if (fqdn)
auth_setoption(as, "fqdn", fqdn);
if (hostname)
auth_setoption(as, "hostname", hostname);
if (lipaddr)
auth_setoption(as, "local_addr", lipaddr);
if (ripaddr)
auth_setoption(as, "remote_addr", ripaddr);
}
/*
* Request the things like the approval script print things
* to stdout (in particular, the nologins files)
*/
auth_setitem(as, AUTHV_INTERACTIVE, "True");
for (cnt = 0;; ask = 1) {
/*
* Clean up our current authentication session.
* Options are not cleared so we need to clear any
* we might set below.
*/
auth_clean(as);
auth_clroption(as, "style");
auth_clroption(as, "lastchance");
lastchance = 0;
if (ask) {
fflag = 0;
getloginname();
}
if (needto) {
needto = 0;
alarm(timeout);
}
if ((style = strchr(username, ':')) != NULL)
*style++ = '\0';
if (fullname)
free(fullname);
if (auth_setitem(as, AUTHV_NAME, username) < 0 ||
(fullname = strdup(username)) == NULL) {
syslog(LOG_ERR, "%m");
warn(NULL);
quickexit(1);
}
rootlogin = 0;
if ((instance = strchr(username, '/')) != NULL) {
if (strncmp(instance + 1, "root", 4) == 0)
rootlogin = 1;
*instance++ = '\0';
} else
instance = "";
if (strlen(username) > UT_NAMESIZE)
username[UT_NAMESIZE] = '\0';
/*
* Note if trying multiple user names; log failures for
* previous user name, but don't bother logging one failure
* for nonexistent name (mistyped username).
*/
if (failures && strcmp(tbuf, username)) {
if (failures > (pwd ? 0 : 1))
badlogin(tbuf);
failures = 0;
}
(void)strlcpy(tbuf, username, sizeof(tbuf));
if ((pwd = getpwnam(username)) != NULL &&
auth_setpwd(as, pwd) < 0) {
syslog(LOG_ERR, "%m");
warn(NULL);
quickexit(1);
}
lc = login_getclass(pwd ? pwd->pw_class : NULL);
if (!lc)
goto failed;
style = login_getstyle(lc, style, type);
if (!style)
goto failed;
/*
* We allow "login-tries" attempts to login but start
* slowing down after "login-backoff" attempts.
*/
tries = (int)login_getcapnum(lc, "login-tries", 10, 10);
backoff = (int)login_getcapnum(lc, "login-backoff", 3, 3);
/*
* Turn off the fflag if we have an invalid user
* or we are not root and we are trying to change uids.
*/
if (!pwd || (uid && uid != pwd->pw_uid))
fflag = 0;
if (pwd && pwd->pw_uid == 0)
rootlogin = 1;
/*
* If we do not have the force flag authenticate the user
*/
if (!fflag) {
lastchance =
login_getcaptime(lc, "password-dead", 0, 0) != 0;
if (lastchance)
auth_setoption(as, "lastchance", "yes");
/*
* Once we start asking for a password
* we want to log a failure on a hup.
*/
signal(SIGHUP, sighup);
auth_verify(as, style, NULL, lc->lc_class, NULL);
authok = auth_getstate(as);
/*
* If their password expired and it has not been
* too long since then, give the user one last
* chance to change their password
*/
if ((authok & AUTH_PWEXPIRED) && lastchance) {
authok = AUTH_OKAY;
} else
lastchance = 0;
if ((authok & AUTH_ALLOW) == 0)
goto failed;
if (auth_setoption(as, "style", style) < 0) {
syslog(LOG_ERR, "%m");
warn(NULL);
quickexit(1);
}
}
/*
* explicitly reject users without password file entries
*/
if (pwd == NULL)
goto failed;
/*
* If trying to log in as root on an insecure terminal,
* refuse the login attempt unless the authentication
* style explicitly says a root login is okay.
*/
if (pwd && rootlogin && !rootterm(tty))
goto failed;
if (fflag) {
type = 0;
style = "forced";
}
break;
failed:
if (authok & AUTH_SILENT)
quickexit(0);
if (rootlogin && !rootterm(tty)) {
warnx("%s login refused on this terminal.",
fullname);
if (hostname)
syslog(LOG_NOTICE,
"LOGIN %s REFUSED FROM %s%s%s ON TTY %s",
fullname, rusername ? rusername : "",
rusername ? "@" : "", hostname, tty);
else
syslog(LOG_NOTICE,
"LOGIN %s REFUSED ON TTY %s",
fullname, tty);
} else {
if (!as || (p = auth_getvalue(as, "errormsg")) == NULL)
p = "Login incorrect";
(void)printf("%s\n", p);
}
failures++;
if (pwd)
log_failedlogin(pwd->pw_uid, hostname, rusername, tty);
/*
* By default, we allow 10 tries, but after 3 we start
* backing off to slow down password guessers.
*/
if (++cnt > backoff) {
if (cnt >= tries) {
badlogin(username);
sleepexit(1);
}
sleep((u_int)((cnt - backoff) * tries / 2));
}
}
/* committed to login -- turn off timeout */
(void)alarm(0);
endpwent();
shell = login_getcapstr(lc, "shell", pwd->pw_shell, pwd->pw_shell);
if (*shell == '\0')
shell = _PATH_BSHELL;
else if (strlen(shell) >= MAXPATHLEN) {
syslog(LOG_ERR, "shell path too long: %s", shell);
warnx("invalid shell");
quickexit(1);
}
/* Destroy environment unless user has requested its preservation. */
if (!pflag) {
if ((environ = calloc(1, sizeof (char *))) == NULL)
err(1, "calloc");
} else {
char **cpp, **cpp2;
for (cpp2 = cpp = environ; *cpp; cpp++) {
if (strncmp(*cpp, "LD_", 3) &&
strncmp(*cpp, "ENV=", 4) &&
strncmp(*cpp, "BASH_ENV=", 9) &&
strncmp(*cpp, "IFS=", 4))
*cpp2++ = *cpp;
}
*cpp2 = 0;
}
/* Note: setusercontext(3) will set PATH */
if (setenv("HOME", pwd->pw_dir, 1) == -1 ||
setenv("SHELL", pwd->pw_shell, 1) == -1) {
warn("unable to setenv()");
quickexit(1);
}
if (term[0] == '\0')
(void)strlcpy(term, stypeof(tty), sizeof(term));
(void)snprintf(mail, sizeof(mail), "%s/%s", _PATH_MAILDIR,
pwd->pw_name);
if (setenv("TERM", term, 0) == -1 ||
setenv("LOGNAME", pwd->pw_name, 1) == -1 ||
setenv("USER", pwd->pw_name, 1) == -1 ||
setenv("MAIL", mail, 1) == -1) {
warn("unable to setenv()");
quickexit(1);
}
if (hostname) {
if (setenv("REMOTEHOST", hostname, 1) == -1) {
warn("unable to setenv()");
quickexit(1);
}
}
if (rusername) {
if (setenv("REMOTEUSER", rusername, 1) == -1) {
warn("unable to setenv()");
quickexit(1);
}
}
if (setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETPATH)) {
warn("unable to set user context");
quickexit(1);
}
auth_setenv(as);
/* if user not super-user, check for disabled logins */
if (!rootlogin)
auth_checknologin(lc);
setegid(pwd->pw_gid);
seteuid(pwd->pw_uid);
homeless = chdir(pwd->pw_dir);
if (homeless) {
if (login_getcapbool(lc, "requirehome", 0)) {
(void)printf("No home directory %s!\n", pwd->pw_dir);
quickexit(1);
}
if (chdir("/"))
quickexit(0);
}
quietlog = ((strcmp(pwd->pw_shell, "/sbin/nologin") == 0) ||
login_getcapbool(lc, "hushlogin", 0) ||
(access(_PATH_HUSHLOGIN, F_OK) == 0));
seteuid(0);
setegid(0); /* XXX use a saved gid instead? */
if ((p = auth_getvalue(as, "warnmsg")) != NULL)
(void)printf("WARNING: %s\n\n", p);
expire = auth_check_expire(as);
if (expire < 0) {
(void)printf("Sorry -- your account has expired.\n");
quickexit(1);
} else if (expire > 0 && !quietlog) {
warning = login_getcaptime(lc, "expire-warn",
2 * DAYSPERWEEK * SECSPERDAY, 2 * DAYSPERWEEK * SECSPERDAY);
if (expire < warning)
(void)printf("Warning: your account expires on %s",
ctime(&pwd->pw_expire));
}
/* Nothing else left to fail -- really log in. */
(void)signal(SIGHUP, SIG_DFL);
memset(&utmp, 0, sizeof(utmp));
(void)time(&utmp.ut_time);
(void)strncpy(utmp.ut_name, username, sizeof(utmp.ut_name));
if (hostname)
(void)strncpy(utmp.ut_host, hostname, sizeof(utmp.ut_host));
(void)strncpy(utmp.ut_line, tty, sizeof(utmp.ut_line));
login(&utmp);
if (!quietlog)
(void)check_failedlogin(pwd->pw_uid);
dolastlog(quietlog);
login_fbtab(tty, pwd->pw_uid, pwd->pw_gid);
(void)chown(ttyn, pwd->pw_uid,
(gr = getgrnam(TTYGRPNAME)) ? gr->gr_gid : pwd->pw_gid);
/* If fflag is on, assume caller/authenticator has logged root login. */
if (rootlogin && fflag == 0) {
if (hostname)
syslog(LOG_NOTICE, "ROOT LOGIN (%s) ON %s FROM %s%s%s",
username, tty, rusername ? rusername : "",
rusername ? "@" : "", hostname);
else
syslog(LOG_NOTICE, "ROOT LOGIN (%s) ON %s", username, tty);
}
if (!quietlog) {
if ((copyright =
login_getcapstr(lc, "copyright", NULL, NULL)) != NULL)
auth_cat(copyright);
motd();
if (stat(mail, &st) == 0 && st.st_size != 0)
(void)printf("You have %smail.\n",
(st.st_mtime > st.st_atime) ? "new " : "");
}
(void)signal(SIGALRM, SIG_DFL);
(void)signal(SIGQUIT, SIG_DFL);
(void)signal(SIGHUP, SIG_DFL);
(void)signal(SIGINT, SIG_DFL);
(void)signal(SIGTSTP, SIG_IGN);
tbuf[0] = '-';
(void)strlcpy(tbuf + 1, (p = strrchr(shell, '/')) ?
p + 1 : shell, sizeof(tbuf) - 1);
if ((scds.rlim_cur != QUAD_MIN || scds.rlim_max != QUAD_MIN) &&
setrlimit(RLIMIT_CORE, &scds) < 0)
syslog(LOG_ERR, "couldn't reset core dump size: %m");
if (lastchance)
(void)printf("WARNING: Your password has expired."
" You must change your password, now!\n");
if (setusercontext(lc, pwd, rootlogin ? 0 : pwd->pw_uid,
LOGIN_SETALL & ~LOGIN_SETPATH) < 0) {
warn("unable to set user context");
quickexit(1);
}
if (homeless) {
(void)printf("No home directory %s!\n", pwd->pw_dir);
(void)printf("Logging in with home = \"/\".\n");
(void)setenv("HOME", "/", 1);
}
if (auth_approval(as, lc, NULL, "login") == 0) {
if (auth_getstate(as) & AUTH_EXPIRED)
(void)printf("Sorry -- your account has expired.\n");
else
(void)printf("approval failure\n");
quickexit(1);
}
/*
* The last thing we do is discard all of the open file descriptors.
* Last because the C library may have some open.
*/
closefrom(STDERR_FILENO + 1);
/*
* Close the authentication session, make sure it is marked
* as okay so no files are removed.
*/
auth_setstate(as, AUTH_OKAY);
auth_close(as);
execlp(shell, tbuf, (char *)NULL);
err(1, "%s", shell);
}
int
server_unlock(const char *s)
{
struct client *c;
#ifdef HAVE_LOGIN_CAP
login_cap_t *lc;
#endif
u_int i;
char *out;
u_int failures, tries, backoff;
if (!server_locked || server_locked_pw == NULL)
return (0);
server_activity = time(NULL);
if (server_activity < password_backoff)
return (-2);
if (server_password != NULL) {
if (s == NULL)
return (-1);
out = crypt(s, server_password);
if (strcmp(out, server_password) != 0)
goto wrong;
}
for (i = 0; i < ARRAY_LENGTH(&clients); i++) {
c = ARRAY_ITEM(&clients, i);
if (c == NULL)
continue;
status_prompt_clear(c);
server_redraw_client(c);
}
server_locked = 0;
password_failures = 0;
password_backoff = 0;
return (0);
wrong:
password_failures++;
password_backoff = 0;
for (i = 0; i < ARRAY_LENGTH(&clients); i++) {
c = ARRAY_ITEM(&clients, i);
if (c == NULL || c->prompt_buffer == NULL)
continue;
*c->prompt_buffer = '\0';
c->prompt_index = 0;
server_redraw_client(c);
}
/*
* Start slowing down after "login-backoff" attempts and reset every
* "login-tries" attempts.
*/
#ifdef HAVE_LOGIN_CAP
lc = login_getclass(server_locked_pw->pw_class);
if (lc != NULL) {
tries = login_getcapnum(lc, (char *) "login-tries", 10, 10);
backoff = login_getcapnum(lc, (char *) "login-backoff", 3, 3);
} else {
tries = 10;
backoff = 3;
}
#else
tries = 10;
backoff = 3;
#endif
failures = password_failures % tries;
if (failures > backoff) {
password_backoff =
server_activity + ((failures - backoff) * tries / 2);
return (-2);
}
return (-1);
}
void
pwlocal_process(const char *username, int argc, char **argv)
{
struct passwd *pw;
struct passwd old_pw;
time_t old_change;
int pfd, tfd;
int min_pw_len = 0;
int pw_expiry = 0;
int ch;
#ifdef LOGIN_CAP
login_cap_t *lc;
#endif
while ((ch = getopt(argc, argv, "l")) != -1) {
switch (ch) {
case 'l':
/*
* Aborb the -l that may have gotten us here.
*/
break;
default:
usage();
/* NOTREACHED */
}
}
argc -= optind;
argv += optind;
switch (argc) {
case 0:
/* username already provided */
break;
case 1:
username = argv[0];
break;
default:
usage();
/* NOTREACHED */
}
if (!(pw = getpwnam(username)))
errx(1, "unknown user %s", username);
uid = getuid();
if (uid && uid != pw->pw_uid)
errx(1, "%s", strerror(EACCES));
/* Save the old pw information for comparing on pw_copy(). */
old_pw = *pw;
/*
* Get class restrictions for this user, then get the new password.
*/
#ifdef LOGIN_CAP
if((lc = login_getclass(pw->pw_class)) != NULL) {
min_pw_len = (int) login_getcapnum(lc, "minpasswordlen", 0, 0);
pw_expiry = (int) login_getcaptime(lc, "passwordtime", 0, 0);
login_close(lc);
}
#endif
#if 0
printf("AAA: pw_expiry = %x\n", pw_expiry);
#endif
pw->pw_passwd = getnewpasswd(pw, min_pw_len);
old_change = pw->pw_change;
pw->pw_change = pw_expiry ? pw_expiry + time(NULL) : 0;
/*
* Now that the user has given us a new password, let us
* change the database.
*/
pw_init();
tfd = pw_lock(0);
if (tfd < 0) {
warnx ("The passwd file is busy, waiting...");
tfd = pw_lock(10);
if (tfd < 0)
errx(1, "The passwd file is still busy, "
"try again later.");
}
pfd = open(_PATH_MASTERPASSWD, O_RDONLY, 0);
if (pfd < 0)
pw_error(_PATH_MASTERPASSWD, 1, 1);
pw_copy(pfd, tfd, pw, &old_pw);
if (pw_mkdb(username, old_change == pw->pw_change) < 0)
pw_error((char *)NULL, 0, 1);
syslog(LOG_AUTH | LOG_INFO,
"user %s (UID %lu) successfully changed "
"the local password of user %s",
uid ? username : "******", (unsigned long)uid, username);
}
