Пример #1
0
const char * ROKEN_LIB_FUNCTION
get_default_username (void)
{
    const char *user;

    user = getenv ("USER");
    if (user == NULL)
	user = getenv ("LOGNAME");
    if (user == NULL)
	user = getenv ("USERNAME");

#if defined(HAVE_GETLOGIN) && !defined(POSIX_GETLOGIN)
    if (user == NULL) {
	user = (const char *)getlogin ();
	if (user != NULL)
	    return user;
    }
#endif
#ifdef HAVE_PWD_H
    {
	uid_t uid = getuid ();
	struct passwd *pwd;

	if (user != NULL) {
	    pwd = k_getpwnam (user);
	    if (pwd != NULL && pwd->pw_uid == uid)
		return user;
	}
	pwd = k_getpwuid (uid);
	if (pwd != NULL)
	    return pwd->pw_name;
    }
#endif
    return user;
}
Пример #2
0
int
login_user(POP *p)
{
    struct stat st;
    struct passwd *pw;

    /*  Look for the user in the password file */
    if ((pw = k_getpwnam(p->user)) == NULL) {
	pop_log(p, POP_PRIORITY, "user %s (from %s) not found",
		p->user, p->ipaddr);
	return pop_msg(p, POP_FAILURE, "Login incorrect.");
    }

    pop_log(p, POP_INFO, "login from %s as %s", p->ipaddr, p->user);

    /*  Build the name of the user's maildrop */
    snprintf(p->drop_name, sizeof(p->drop_name), "%s/%s", POP_MAILDIR, p->user);
    if(stat(p->drop_name, &st) < 0 || !S_ISDIR(st.st_mode)){
	/*  Make a temporary copy of the user's maildrop */
	/*    and set the group and user id */
	if (pop_dropcopy(p, pw) != POP_SUCCESS) return (POP_FAILURE);

	/*  Get information about the maildrop */
	if (pop_dropinfo(p) != POP_SUCCESS) return(POP_FAILURE);
    } else {
	if(changeuser(p, pw) != POP_SUCCESS) return POP_FAILURE;
	if(pop_maildir_info(p) != POP_SUCCESS) return POP_FAILURE;
    }
    /*  Initialize the last-message-accessed number */
    p->last_msg = 0;
    return POP_SUCCESS;
}
Пример #3
0
int
afs_verify(char *name,
	   char *password,
	   int32_t *exp,
	   int quiet)
{
    int ret = 1;
    struct passwd *pwd = k_getpwnam (name);

    if(pwd == NULL)
	return 1;

    if (!pag_set && k_hasafs()) {
        k_setpag();
        pag_set=1;
    }

    if (ret)
	ret = unix_verify_user (name, password);
#ifdef KRB5
    if (ret)
	ret = verify_krb5(pwd, password, exp, quiet);
#endif
#ifdef KRB4
    if(ret)
	ret = verify_krb4(pwd, password, exp, quiet);
#endif
    return ret;
}
Пример #4
0
/*
 * expand tilde from the passwd file.
 */
static const Char *
globtilde(const Char *pattern, Char *patbuf, glob_t *pglob)
{
	struct passwd *pwd;
	char *h;
	const Char *p;
	Char *b;

	if (*pattern != CHAR_TILDE || !(pglob->gl_flags & GLOB_TILDE))
		return pattern;

	/* Copy up to the end of the string or / */
	for (p = pattern + 1, h = (char *) patbuf; *p && *p != CHAR_SLASH; 
	     *h++ = *p++)
		continue;

	*h = CHAR_EOS;

	if (((char *) patbuf)[0] == CHAR_EOS) {
		/* 
		 * handle a plain ~ or ~/ by expanding $HOME 
		 * first and then trying the password file
		 */
		if ((h = getenv("HOME")) == NULL) {
			if ((pwd = k_getpwuid(getuid())) == NULL)
				return pattern;
			else
				h = pwd->pw_dir;
		}
	}
	else {
		/*
		 * Expand a ~user
		 */
		if ((pwd = k_getpwnam((char*) patbuf)) == NULL)
			return pattern;
		else
			h = pwd->pw_dir;
	}

	/* Copy the home directory */
	for (b = patbuf; *h; *b++ = *h++)
		continue;
	
	/* Append the rest of the pattern */
	while ((*b++ = *p++) != CHAR_EOS)
		continue;

	return patbuf;
}
Пример #5
0
ROKEN_LIB_FUNCTION int ROKEN_LIB_CALL
unix_verify_user(char *user, char *password)
{
    struct passwd *pw;

    pw = k_getpwnam(user);
    if(pw == NULL)
	return -1;
    if(strlen(pw->pw_passwd) == 0 && strlen(password) == 0)
	return 0;
    if(strcmp(crypt(password, pw->pw_passwd), pw->pw_passwd) == 0)
        return 0;
    return -1;
}
Пример #6
0
const char *
ftp_rooted(const char *path)
{
    static char home[MaxPathLen] = "";
    static char newpath[MaxPathLen];
    struct passwd *pwd;

    if(!home[0])
	if((pwd = k_getpwnam("ftp")))
	    strlcpy(home, pwd->pw_dir, sizeof(home));
    snprintf(newpath, sizeof(newpath), "%s/%s", home, path);
    if(access(newpath, X_OK))
	strlcpy(newpath, path, sizeof(newpath));
    return newpath;
}
Пример #7
0
ROKEN_LIB_FUNCTION const char * ROKEN_LIB_CALL
get_default_username (void)
{
    const char *user;

    user = getenv ("USER");
    if (user == NULL)
	user = getenv ("LOGNAME");
    if (user == NULL)
	user = getenv ("USERNAME");

#if defined(HAVE_GETLOGIN) && !defined(POSIX_GETLOGIN)
    if (user == NULL) {
	user = (const char *)getlogin ();
	if (user != NULL)
	    return user;
    }
#endif
#ifdef HAVE_PWD_H
    {
	uid_t uid = getuid ();
	struct passwd *pwd;

	if (user != NULL) {
	    pwd = k_getpwnam (user);
	    if (pwd != NULL && pwd->pw_uid == uid)
		return user;
	}
	pwd = k_getpwuid (uid);
	if (pwd != NULL)
	    return pwd->pw_name;
    }
#endif
#ifdef _WIN32
    /* TODO: We can call GetUserNameEx() and figure out a
       username. However, callers do not free the return value of this
       function. */
#endif

    return user;
}
Пример #8
0
/*
 * New .rhosts strategy: We are passed an ip address. We spin through
 * hosts.equiv and .rhosts looking for a match. When the .rhosts only
 * has ip addresses, we don't have to trust a nameserver.  When it
 * contains hostnames, we spin through the list of addresses the nameserver
 * gives us and look for a match.
 *
 * Returns 0 if ok, -1 if not ok.
 */
int ROKEN_LIB_FUNCTION
iruserok(unsigned raddr, int superuser, const char *ruser, const char *luser)
{
    char *cp;
    struct stat sbuf;
    struct passwd *pwd;
    FILE *hostf;
    uid_t uid;
    int first;
    char pbuf[MaxPathLen];

    first = 1;
    hostf = superuser ? NULL : fopen(_PATH_HEQUIV, "r");
again:
    if (hostf) {
        if (__ivaliduser(hostf, raddr, luser, ruser) == 0) {
            fclose(hostf);
            return (0);
        }
        fclose(hostf);
    }
    if (first == 1 && (__check_rhosts_file || superuser)) {
        first = 0;
        if ((pwd = k_getpwnam((char*)luser)) == NULL)
            return (-1);
        snprintf (pbuf, sizeof(pbuf), "%s/.rhosts", pwd->pw_dir);

        /*
         * Change effective uid while opening .rhosts.  If root and
         * reading an NFS mounted file system, can't read files that
         * are protected read/write owner only.
         */
        uid = geteuid();
        if (seteuid(pwd->pw_uid) < 0)
            return (-1);
        hostf = fopen(pbuf, "r");
        seteuid(uid);

        if (hostf == NULL)
            return (-1);
        /*
         * If not a regular file, or is owned by someone other than
         * user or root or if writeable by anyone but the owner, quit.
         */
        cp = NULL;
        if (lstat(pbuf, &sbuf) < 0)
            cp = ".rhosts lstat failed";
        else if (!S_ISREG(sbuf.st_mode))
            cp = ".rhosts not regular file";
        else if (fstat(fileno(hostf), &sbuf) < 0)
            cp = ".rhosts fstat failed";
        else if (sbuf.st_uid && sbuf.st_uid != pwd->pw_uid)
            cp = "bad .rhosts owner";
        else if (sbuf.st_mode & (S_IWGRP|S_IWOTH))
            cp = ".rhosts writeable by other than owner";
        /* If there were any problems, quit. */
        if (cp) {
            __rcmd_errstr = cp;
            fclose(hostf);
            return (-1);
        }
        goto again;
    }
    return (-1);
}
Пример #9
0
Файл: su.c Проект: Sp1l/heimdal
int
main(int argc, char **argv)
{
    int i, optidx = 0;
    char *su_user;
    struct passwd *su_info;
    struct passwd *login_info;

    struct passwd *pwd;

    char *shell;

    int ok = 0;

    setprogname (argv[0]);

    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
	usage(1);

    for (i=0; i < optidx; i++)
      if (strcmp(argv[i], "-") == 0) {
	 full_login = 1;
	 break;
      }

    if(help_flag)
	usage(0);
    if(version_flag) {
	print_version(NULL);
	exit(0);
    }
    if(optidx >= argc)
	su_user = "******";
    else
	su_user = argv[optidx++];

    if (!issuid() && getuid() != 0)
	warnx("Not setuid and you are not root, expect this to fail");

    pwd = k_getpwnam(su_user);
    if(pwd == NULL)
	errx (1, "unknown login %s", su_user);
    if (pwd->pw_uid == 0 && strcmp ("root", su_user) != 0) {
	syslog (LOG_ALERT, "NIS attack, user %s has uid 0", su_user);
	errx (1, "unknown login %s", su_user);
    }
    su_info = dup_info(pwd);
    if (su_info == NULL)
	errx (1, "malloc: out of memory");

	pwd = getpwuid(getuid());
    if(pwd == NULL)
	errx(1, "who are you?");
    login_info = dup_info(pwd);
    if (login_info == NULL)
	errx (1, "malloc: out of memory");
    if(env_flag)
	shell = login_info->pw_shell;
    else
	shell = su_info->pw_shell;
    if(shell == NULL || *shell == '\0')
	shell = _PATH_BSHELL;


#ifdef KRB5
    if(kerberos_flag && ok == 0 &&
       krb5_verify(login_info, su_info, kerberos_instance) == 0)
	ok = 5;
#endif

    if(ok == 0 && login_info->pw_uid && verify_unix(login_info, su_info) != 0) {
	printf("Sorry!\n");
	exit(1);
    }

#ifdef HAVE_GETSPNAM
   {  struct spwd *sp;
      long    today;

    sp = getspnam(su_info->pw_name);
    if (sp != NULL) {
	today = time(0)/(24L * 60 * 60);
	if (sp->sp_expire > 0) {
	    if (today >= sp->sp_expire) {
		if (login_info->pw_uid)
		    errx(1,"Your account has expired.");
		else
		    printf("Your account has expired.");
            }
            else if (sp->sp_expire - today < 14)
                printf("Your account will expire in %d days.\n",
		       (int)(sp->sp_expire - today));
	}
	if (sp->sp_max > 0) {
	    if (today >= sp->sp_lstchg + sp->sp_max) {
		if (login_info->pw_uid)
		    errx(1,"Your password has expired. Choose a new one.");
		else
		    printf("Your password has expired. Choose a new one.");
	    }
	    else if (today >= sp->sp_lstchg + sp->sp_max - sp->sp_warn)
		printf("Your account will expire in %d days.\n",
		       (int)(sp->sp_lstchg + sp->sp_max -today));
	}
    }
    }
#endif
    {
	char *tty = ttyname (STDERR_FILENO);
	if (tty)
	    syslog (LOG_NOTICE | LOG_AUTH, "%s to %s on %s",
		    login_info->pw_name, su_info->pw_name, tty);
	else
	    syslog (LOG_NOTICE | LOG_AUTH, "%s to %s",
		    login_info->pw_name, su_info->pw_name);
    }


    if(!env_flag) {
	if(full_login) {
	    char *t = getenv ("TERM");
	    char **newenv = NULL;
	    int j;

	    i = read_environment(_PATH_ETC_ENVIRONMENT, &newenv);

	    environ = malloc ((10 + i) * sizeof (char *));
	    if (environ == NULL)
		err (1, "malloc");
	    environ[0] = NULL;

	    for (j = 0; j < i; j++) {
		char *p = strchr(newenv[j], '=');
		if (p == NULL)
		    errx(1, "environment '%s' missing '='", newenv[j]);
		*p++ = 0;
		esetenv (newenv[j], p, 1);
	    }
	    free(newenv);

	    esetenv ("PATH", _PATH_DEFPATH, 1);
	    if (t)
		esetenv ("TERM", t, 1);
	    if (chdir (su_info->pw_dir) < 0)
		errx (1, "no directory");
	}
	if (full_login || su_info->pw_uid)
	    esetenv ("USER", su_info->pw_name, 1);
	esetenv("HOME", su_info->pw_dir, 1);
	esetenv("SHELL", shell, 1);
    }

    {
	char **new_argv;
	char *p;

	p = strrchr(shell, '/');
	if(p)
	    p++;
	else
	    p = shell;

	if (strcmp(p, "csh") != 0)
	    csh_f_flag = 0;

        new_argv = malloc(((cmd ? 2 : 0) + 1 + argc - optidx + 1 + csh_f_flag)
	    * sizeof(*new_argv));
	if (new_argv == NULL)
	    err (1, "malloc");
	i = 0;
	if(full_login) {
	    if (asprintf(&new_argv[i++], "-%s", p) == -1)
		errx (1, "malloc");
	} else
	    new_argv[i++] = p;
	if (cmd) {
	   new_argv[i++] = "-c";
	   new_argv[i++] = cmd;
	}

	if (csh_f_flag)
	    new_argv[i++] = "-f";

	for (argv += optidx; *argv; ++argv)
	   new_argv[i++] = *argv;
	new_argv[i] = NULL;

	if(setgid(su_info->pw_gid) < 0)
	    err(1, "setgid");
	if (initgroups (su_info->pw_name, su_info->pw_gid) < 0)
	    err (1, "initgroups");
	if(setuid(su_info->pw_uid) < 0
	   || (su_info->pw_uid != 0 && setuid(0) == 0))
	    err(1, "setuid");

#ifdef KRB5
        if (ok == 5)
           krb5_start_session();
#endif
	execve(shell, new_argv, environ);
    }

    exit(1);
}
Пример #10
0
int
pop_pass (POP *p)
{
    struct passwd  *pw;
    int i;
    int status;

    /* Make one string of all these parameters */

    for (i = 1; i < p->parm_count; ++i)
	p->pop_parm[i][strlen(p->pop_parm[i])] = ' ';

    /*  Look for the user in the password file */
    if ((pw = k_getpwnam(p->user)) == NULL)
	return (pop_msg(p,POP_FAILURE,
			"Password supplied for \"%s\" is incorrect.",
			p->user));

    if (p->kerberosp) {
#ifdef KRB5
	if (p->version == 5) {
	    char *name;

	    if (!krb5_kuserok (p->context, p->principal, p->user)) {
		pop_log (p, POP_PRIORITY,
			 "krb5 permission denied");
		return pop_msg(p, POP_FAILURE,
			       "Popping not authorized");
	    }
	    if(krb5_unparse_name (p->context, p->principal, &name) == 0) {
		pop_log(p, POP_INFO, "%s: %s -> %s",
			p->ipaddr, name, p->user);
		free (name);
	    }
	} else {
	    pop_log (p, POP_PRIORITY, "kerberos authentication failed");
	    return pop_msg (p, POP_FAILURE,
			    "kerberos authentication failed");
	}
#endif
	{ }
    } else {
	 /*  We don't accept connections from users with null passwords */
	 if (pw->pw_passwd == NULL)
	      return (pop_msg(p,
			      POP_FAILURE,
			      "Password supplied for \"%s\" is incorrect.",
			      p->user));

#ifdef OTP
	 if (otp_verify_user (&p->otp_ctx, p->pop_parm[1]) == 0)
	     /* pass OK */;
	 else
#endif
	 /*  Compare the supplied password with the password file entry */
	 if (p->auth_level != AUTH_NONE)
	     return pop_msg(p, POP_FAILURE,
			    "Password supplied for \"%s\" is incorrect.",
			    p->user);
	 else if (!strcmp(crypt(p->pop_parm[1], pw->pw_passwd), pw->pw_passwd))
	     /* pass OK */;
	 else {
	     int ret = -1;
#ifdef KRB5
	     if(ret)
		 ret = krb5_verify_password (p);
#endif
	     if(ret)
		 return pop_msg(p, POP_FAILURE,
				"Password incorrect");
	 }
    }
    status = login_user(p);
    if(status != POP_SUCCESS)
	return status;

    /*  Authorization completed successfully */
    return (pop_msg (p, POP_SUCCESS,
		     "%s has %d message(s) (%ld octets).",
		     p->user, p->msg_count, p->drop_size));
}
Пример #11
0
int
main(int argc, char **argv)
{
    int max_tries = 5;
    int try;

    char username[32];
    int optidx = 0;

    int ask = 1;
    struct sigaction sa;

    setprogname(argv[0]);

#ifdef KRB5
    {
	krb5_error_code ret;

	ret = krb5_init_context(&context);
	if (ret)
	    errx (1, "krb5_init_context failed: %d", ret);
    }
#endif

    openlog("login", LOG_ODELAY | LOG_PID, LOG_AUTH);

    if (getarg (args, sizeof(args) / sizeof(args[0]), argc, argv,
		&optidx))
	usage (1);
    argc -= optidx;
    argv += optidx;

    if(help_flag)
	usage(0);
    if (version_flag) {
	print_version (NULL);
	return 0;
    }
	
    if (geteuid() != 0)
	errx(1, "only root may use login, use su");

    /* Default tty settings. */
    stty_default();

    if(p_flag)
	copy_env();
    else {
	/* this set of variables is always preserved by BSD login */
	if(getenv("TERM"))
	    add_env("TERM", getenv("TERM"));
	if(getenv("TZ"))
	    add_env("TZ", getenv("TZ"));
    }

    if(*argv){
	if(strchr(*argv, '=') == NULL && strcmp(*argv, "-") != 0){
	    strlcpy (username, *argv, sizeof(username));
	    ask = 0;
	}
    }

#if defined(DCE) && defined(AIX)
    esetenv("AUTHSTATE", "DCE", 1);
#endif

    /* XXX should we care about environment on the command line? */

    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = sig_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    sigaction(SIGALRM, &sa, NULL);
    alarm(login_timeout);

    for(try = 0; try < max_tries; try++){
	struct passwd *pwd;
	char password[128];
	int ret;
	char ttname[32];
	char *tty, *ttyn;
        char prompt[128];
#ifdef OTP
        char otp_str[256];
#endif

	if(ask){
	    f_flag = 0;
#if 0
	    r_flag = 0;
#endif
	    ret = read_string("login: "******"");
        }
        else
#endif

        {
#ifdef OTP
           if(auth_level && strcmp(auth_level, "otp") == 0 &&
                 otp_challenge(&otp_ctx, username,
                            otp_str, sizeof(otp_str)) == 0)
                 snprintf (prompt, sizeof(prompt), "%s's %s Password: "******"Password: "******"Login incorrect.\n");
	    ask = 1;
	    continue;
	}

	if(f_flag == 0 && check_password(pwd, password)){
	    fprintf(stderr, "Login incorrect.\n");
            ask = 1;
	    continue;
	}
	ttyn = ttyname(STDIN_FILENO);
	if(ttyn == NULL){
	    snprintf(ttname, sizeof(ttname), "%s??", _PATH_TTY);
	    ttyn = ttname;
	}
	if (strncmp (ttyn, _PATH_DEV, strlen(_PATH_DEV)) == 0)
	    tty = ttyn + strlen(_PATH_DEV);
	else
	    tty = ttyn;

	if (login_access (pwd, remote_host ? remote_host : tty) == 0) {
	    fprintf(stderr, "Permission denied\n");
	    if (remote_host)
		syslog(LOG_NOTICE, "%s LOGIN REFUSED FROM %s",
		       pwd->pw_name, remote_host);
	    else
		syslog(LOG_NOTICE, "%s LOGIN REFUSED ON %s",
		       pwd->pw_name, tty);
	    exit (1);
	} else {
	    if (remote_host)
		syslog(LOG_NOTICE, "%s LOGIN ACCEPTED FROM %s ppid=%d",
		       pwd->pw_name, remote_host, (int) getppid());
	    else
		syslog(LOG_NOTICE, "%s LOGIN ACCEPTED ON %s ppid=%d",
		       pwd->pw_name, tty, (int) getppid());
	}
        alarm(0);
	do_login(pwd, tty, ttyn);
    }
    exit(1);
}