| blob | ae67bf9f38ea55b51ae2c0248160dfba6696f1e6 |
1 /* su for GNU. Run a shell with substitute user and group IDs.
2 Copyright (C) 1992-2002 Free Software Foundation, Inc.
4 This program is free software; you can redistribute it and/or modify
5 it under the terms of the GNU General Public License as published by
6 the Free Software Foundation; either version 2, or (at your option)
7 any later version.
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
14 You should have received a copy of the GNU General Public License
15 along with this program; if not, write to the Free Software Foundation,
16 Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */
18 /* Run a shell with the real and effective UID and GID and groups
19 of USER, default `root'.
21 The shell run is taken from USER's password entry, /bin/sh if
22 none is specified there. If the account has a password, su
23 prompts for a password unless run by a user with real UID 0.
25 Does not change the current directory.
26 Sets `HOME' and `SHELL' from the password entry for USER, and if
27 USER is not root, sets `USER' and `LOGNAME' to USER.
28 The subshell is not a login shell.
30 If one or more ARGs are given, they are passed as additional
31 arguments to the subshell.
33 Does not handle /bin/sh or other shells specially
34 (setting argv[0] to "-su", passing -c only to certain shells, etc.).
35 I don't see the point in doing that, and it's ugly.
37 This program intentionally does not support a "wheel group" that
38 restricts who can su to UID 0 accounts. RMS considers that to
39 be fascist.
41 Options:
42 -, -l, --login Make the subshell a login shell.
43 Unset all environment variables except
44 TERM, HOME and SHELL (set as above), and USER
45 and LOGNAME (set unconditionally as above), and
46 set PATH to a default value.
47 Change to USER's home directory.
48 Prepend "-" to the shell's name.
49 -c, --commmand=COMMAND
50 Pass COMMAND to the subshell with a -c option
51 instead of starting an interactive shell.
52 -f, --fast Pass the -f option to the subshell.
53 -m, -p, --preserve-environment
54 Do not change HOME, USER, LOGNAME, SHELL.
55 Run $SHELL instead of USER's shell from /etc/passwd
56 unless not the superuser and USER's shell is
57 restricted.
58 Overridden by --login and --shell.
59 -s, --shell=shell Run SHELL instead of USER's shell from /etc/passwd
60 unless not the superuser and USER's shell is
61 restricted.
63 Compile-time options:
64 -DSYSLOG_SUCCESS Log successful su's (by default, to root) with syslog.
65 -DSYSLOG_FAILURE Log failed su's (by default, to root) with syslog.
67 -DSYSLOG_NON_ROOT Log all su's, not just those to root (UID 0).
68 Never logs attempted su's to nonexistent accounts.
70 Written by David MacKenzie <djm@gnu.ai.mit.edu>. */
72 #include <config.h>
73 #include <stdio.h>
74 #include <getopt.h>
75 #include <sys/types.h>
76 #include <pwd.h>
77 #include <grp.h>
79 /* Hide any system prototype for getusershell.
80 This is necessary because some Cray systems have a conflicting
81 prototype (returning `int') in <unistd.h>. */
82 #define getusershell _getusershell_sys_proto_
88 #undef getusershell
90 #if HAVE_SYSLOG_H && HAVE_SYSLOG
91 # include <syslog.h>
92 #else
93 # undef SYSLOG_SUCCESS
94 # undef SYSLOG_FAILURE
95 # undef SYSLOG_NON_ROOT
96 #endif
98 #if HAVE_SYS_PARAM_H
99 # include <sys/param.h>
100 #endif
102 #ifndef HAVE_ENDGRENT
103 # define endgrent() ((void) 0)
104 #endif
106 #ifndef HAVE_ENDPWENT
107 # define endpwent() ((void) 0)
108 #endif
110 #if HAVE_SHADOW_H
111 # include <shadow.h>
112 #endif
116 /* The official name of this program (e.g., no `g' prefix). */
121 #if HAVE_PATHS_H
122 # include <paths.h>
123 #endif
125 /* The default PATH for simulated logins to non-superuser accounts. */
126 #ifdef _PATH_DEFPATH
127 # define DEFAULT_LOGIN_PATH _PATH_DEFPATH
128 #else
130 #endif
132 /* The default PATH for simulated logins to superuser accounts. */
133 #ifdef _PATH_DEFPATH_ROOT
134 # define DEFAULT_ROOT_LOGIN_PATH _PATH_DEFPATH_ROOT
135 #else
137 #endif
139 /* The shell to run if none is given in the user's passwd entry. */
142 /* The user to become if none is specified. */
154 ATTRIBUTE_NORETURN;
156 /* The name this program was run with. */
159 /* If nonzero, pass the `-f' option to the subshell. */
162 /* If nonzero, simulate a login instead of just starting a shell. */
165 /* If nonzero, change some environment vars to indicate the user su'd to. */
169 {
178 };
180 /* Add VAL to the environment, checking for out of memory errors. */
182 static void
184 {
187 }
189 /* Return a newly-allocated string whose contents concatenate
190 those of S1, S2, S3. */
194 {
204 }
206 /* Return the number of elements in ARR, a null-terminated array. */
208 static int
210 {
216 }
218 #if defined (SYSLOG_SUCCESS) || defined (SYSLOG_FAILURE)
219 /* Log the fact that someone has run su to the user given by PW;
220 if SUCCESSFUL is nonzero, they gave the correct password, etc. */
222 static void
224 {
227 # ifndef SYSLOG_NON_ROOT
230 # endif
232 /* The utmp entry (via getlogin) is probably the best way to identify
233 the user, especially if someone su's from a su-shell. */
236 {
237 /* getlogin can fail -- usually due to lack of utmp entry.
238 Resort to getpwuid. */
241 }
245 /* 4.2BSD openlog doesn't have the third parameter. */
247 # ifdef LOG_AUTH
248 , LOG_AUTH
249 # endif
250 );
252 # ifdef SYSLOG_NON_ROOT
254 # else
256 # endif
258 # ifdef SYSLOG_NON_ROOT
259 new_user,
260 # endif
263 }
264 #endif
266 /* Ask the user for a password.
267 Return 1 if the user gives the correct password for entry PW,
268 0 if not. Return 1 without asking for a password if run by UID 0
269 or if PW has an empty password. */
271 static int
273 {
275 #if HAVE_GETSPNAM && HAVE_STRUCT_SPWD_SP_PWDP
276 /* Shadow passwd stuff for SVR3 and maybe other systems. */
282 else
283 #endif
291 {
294 }
298 }
300 /* Update `environ' for the new shell based on PW, with SHELL being
301 the value for the SHELL environment variable. */
303 static void
305 {
309 {
310 /* Leave TERM unchanged. Set HOME, SHELL, USER, LOGNAME, PATH.
311 Unset all other environment variables. */
322 ? DEFAULT_LOGIN_PATH
324 }
325 else
326 {
327 /* Set HOME, SHELL, and if not becoming a super-user,
328 USER and LOGNAME. */
330 {
334 {
337 }
338 }
339 }
340 }
342 /* Become the user and group(s) specified by PW. */
344 static void
346 {
347 #ifdef HAVE_INITGROUPS
352 #endif
357 }
359 /* Run SHELL, or DEFAULT_SHELL if SHELL is empty.
360 If COMMAND is nonzero, pass it to the shell with the -c option.
361 If ADDITIONAL_ARGS is nonzero, pass it to the shell as more
362 arguments. */
364 static void
366 {
373 else
376 {
385 }
386 else
391 {
394 }
401 {
405 }
406 }
408 /* Return 1 if SHELL is a restricted shell (one not returned by
409 getusershell), else 0, meaning it is a standard shell. */
411 static int
413 {
418 {
420 {
423 }
424 }
427 }
429 void
431 {
434 program_name);
435 else
436 {
456 }
458 }
460 int
462 {
481 {
483 {
508 case_GETOPT_HELP_CHAR;
514 }
515 }
518 {
521 }
532 /* Make sure pw->pw_shell is non-NULL. It may be NULL when NEW_USER
533 is a username that is retrieved via NIS (YP), but that doesn't have
534 a default shell listed. */
538 /* Make a copy of the password information and point pw at the local
539 copy instead. Otherwise, some systems (e.g. Linux) would clobber
540 the static data through the getlogin call from log_su. */
548 {
549 #ifdef SYSLOG_FAILURE
551 #endif
553 }
554 #ifdef SYSLOG_SUCCESS
555 else
556 {
558 }
559 #endif
564 {
565 /* The user being su'd to has a nonstandard shell, and so is
566 probably a uucp account or has restricted access. Don't
567 compromise the account by allowing access with a standard
568 shell. */
571 }
573 {
575 }
583 }