maint: use more readable operator: "||" rather than "|"
[coreutils.git] / src / su.c
blobf8f5b6188a54ca70417790afbef47f9924f6f1a2
1 /* su for GNU. Run a shell with substitute user and group IDs.
2 Copyright (C) 1992-2006, 2008-2010 Free Software Foundation, Inc.
4 This program is free software: you can redistribute it and/or modify
5 it under the terms of the GNU General Public License as published by
6 the Free Software Foundation, either version 3 of the License, or
7 (at your option) any later version.
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
14 You should have received a copy of the GNU General Public License
15 along with this program. If not, see <http://www.gnu.org/licenses/>. */
17 /* Run a shell with the real and effective UID and GID and groups
18 of USER, default `root'.
20 The shell run is taken from USER's password entry, /bin/sh if
21 none is specified there. If the account has a password, su
22 prompts for a password unless run by a user with real UID 0.
24 Does not change the current directory.
25 Sets `HOME' and `SHELL' from the password entry for USER, and if
26 USER is not root, sets `USER' and `LOGNAME' to USER.
27 The subshell is not a login shell.
29 If one or more ARGs are given, they are passed as additional
30 arguments to the subshell.
32 Does not handle /bin/sh or other shells specially
33 (setting argv[0] to "-su", passing -c only to certain shells, etc.).
34 I don't see the point in doing that, and it's ugly.
36 This program intentionally does not support a "wheel group" that
37 restricts who can su to UID 0 accounts. RMS considers that to
38 be fascist.
40 Compile-time options:
41 -DSYSLOG_SUCCESS Log successful su's (by default, to root) with syslog.
42 -DSYSLOG_FAILURE Log failed su's (by default, to root) with syslog.
44 -DSYSLOG_NON_ROOT Log all su's, not just those to root (UID 0).
45 Never logs attempted su's to nonexistent accounts.
47 Written by David MacKenzie <djm@gnu.ai.mit.edu>. */
49 #include <config.h>
50 #include <stdio.h>
51 #include <getopt.h>
52 #include <sys/types.h>
53 #include <pwd.h>
54 #include <grp.h>
56 #include "system.h"
57 #include "getpass.h"
59 #if HAVE_SYSLOG_H && HAVE_SYSLOG
60 # include <syslog.h>
61 #else
62 # undef SYSLOG_SUCCESS
63 # undef SYSLOG_FAILURE
64 # undef SYSLOG_NON_ROOT
65 #endif
67 #if HAVE_SYS_PARAM_H
68 # include <sys/param.h>
69 #endif
71 #ifndef HAVE_ENDGRENT
72 # define endgrent() ((void) 0)
73 #endif
75 #ifndef HAVE_ENDPWENT
76 # define endpwent() ((void) 0)
77 #endif
79 #if HAVE_SHADOW_H
80 # include <shadow.h>
81 #endif
83 #include "error.h"
85 /* The official name of this program (e.g., no `g' prefix). */
86 #define PROGRAM_NAME "su"
88 #define AUTHORS proper_name ("David MacKenzie")
90 #if HAVE_PATHS_H
91 # include <paths.h>
92 #endif
94 /* The default PATH for simulated logins to non-superuser accounts. */
95 #ifdef _PATH_DEFPATH
96 # define DEFAULT_LOGIN_PATH _PATH_DEFPATH
97 #else
98 # define DEFAULT_LOGIN_PATH ":/usr/ucb:/bin:/usr/bin"
99 #endif
101 /* The default PATH for simulated logins to superuser accounts. */
102 #ifdef _PATH_DEFPATH_ROOT
103 # define DEFAULT_ROOT_LOGIN_PATH _PATH_DEFPATH_ROOT
104 #else
105 # define DEFAULT_ROOT_LOGIN_PATH "/usr/ucb:/bin:/usr/bin:/etc"
106 #endif
108 /* The shell to run if none is given in the user's passwd entry. */
109 #define DEFAULT_SHELL "/bin/sh"
111 /* The user to become if none is specified. */
112 #define DEFAULT_USER "root"
114 char *crypt (char const *key, char const *salt);
116 static void run_shell (char const *, char const *, char **, size_t)
117 ATTRIBUTE_NORETURN;
119 /* If true, pass the `-f' option to the subshell. */
120 static bool fast_startup;
122 /* If true, simulate a login instead of just starting a shell. */
123 static bool simulate_login;
125 /* If true, change some environment vars to indicate the user su'd to. */
126 static bool change_environment;
128 static struct option const longopts[] =
130 {"command", required_argument, NULL, 'c'},
131 {"fast", no_argument, NULL, 'f'},
132 {"login", no_argument, NULL, 'l'},
133 {"preserve-environment", no_argument, NULL, 'p'},
134 {"shell", required_argument, NULL, 's'},
135 {GETOPT_HELP_OPTION_DECL},
136 {GETOPT_VERSION_OPTION_DECL},
137 {NULL, 0, NULL, 0}
140 /* Add NAME=VAL to the environment, checking for out of memory errors. */
142 static void
143 xsetenv (char const *name, char const *val)
145 size_t namelen = strlen (name);
146 size_t vallen = strlen (val);
147 char *string = xmalloc (namelen + 1 + vallen + 1);
148 strcpy (string, name);
149 string[namelen] = '=';
150 strcpy (string + namelen + 1, val);
151 if (putenv (string) != 0)
152 xalloc_die ();
155 #if defined SYSLOG_SUCCESS || defined SYSLOG_FAILURE
156 /* Log the fact that someone has run su to the user given by PW;
157 if SUCCESSFUL is true, they gave the correct password, etc. */
159 static void
160 log_su (struct passwd const *pw, bool successful)
162 const char *new_user, *old_user, *tty;
164 # ifndef SYSLOG_NON_ROOT
165 if (pw->pw_uid)
166 return;
167 # endif
168 new_user = pw->pw_name;
169 /* The utmp entry (via getlogin) is probably the best way to identify
170 the user, especially if someone su's from a su-shell. */
171 old_user = getlogin ();
172 if (!old_user)
174 /* getlogin can fail -- usually due to lack of utmp entry.
175 Resort to getpwuid. */
176 struct passwd *pwd = getpwuid (getuid ());
177 old_user = (pwd ? pwd->pw_name : "");
179 tty = ttyname (STDERR_FILENO);
180 if (!tty)
181 tty = "none";
182 /* 4.2BSD openlog doesn't have the third parameter. */
183 openlog (last_component (program_name), 0
184 # ifdef LOG_AUTH
185 , LOG_AUTH
186 # endif
188 syslog (LOG_NOTICE,
189 # ifdef SYSLOG_NON_ROOT
190 "%s(to %s) %s on %s",
191 # else
192 "%s%s on %s",
193 # endif
194 successful ? "" : "FAILED SU ",
195 # ifdef SYSLOG_NON_ROOT
196 new_user,
197 # endif
198 old_user, tty);
199 closelog ();
201 #endif
203 /* Ask the user for a password.
204 Return true if the user gives the correct password for entry PW,
205 false if not. Return true without asking for a password if run by UID 0
206 or if PW has an empty password. */
208 static bool
209 correct_password (const struct passwd *pw)
211 char *unencrypted, *encrypted, *correct;
212 #if HAVE_GETSPNAM && HAVE_STRUCT_SPWD_SP_PWDP
213 /* Shadow passwd stuff for SVR3 and maybe other systems. */
214 struct spwd *sp = getspnam (pw->pw_name);
216 endspent ();
217 if (sp)
218 correct = sp->sp_pwdp;
219 else
220 #endif
221 correct = pw->pw_passwd;
223 if (getuid () == 0 || !correct || correct[0] == '\0')
224 return true;
226 unencrypted = getpass (_("Password:"));
227 if (!unencrypted)
229 error (0, 0, _("getpass: cannot open /dev/tty"));
230 return false;
232 encrypted = crypt (unencrypted, correct);
233 memset (unencrypted, 0, strlen (unencrypted));
234 return STREQ (encrypted, correct);
237 /* Update `environ' for the new shell based on PW, with SHELL being
238 the value for the SHELL environment variable. */
240 static void
241 modify_environment (const struct passwd *pw, const char *shell)
243 if (simulate_login)
245 /* Leave TERM unchanged. Set HOME, SHELL, USER, LOGNAME, PATH.
246 Unset all other environment variables. */
247 char const *term = getenv ("TERM");
248 if (term)
249 term = xstrdup (term);
250 environ = xmalloc ((6 + !!term) * sizeof (char *));
251 environ[0] = NULL;
252 if (term)
253 xsetenv ("TERM", term);
254 xsetenv ("HOME", pw->pw_dir);
255 xsetenv ("SHELL", shell);
256 xsetenv ("USER", pw->pw_name);
257 xsetenv ("LOGNAME", pw->pw_name);
258 xsetenv ("PATH", (pw->pw_uid
259 ? DEFAULT_LOGIN_PATH
260 : DEFAULT_ROOT_LOGIN_PATH));
262 else
264 /* Set HOME, SHELL, and if not becoming a super-user,
265 USER and LOGNAME. */
266 if (change_environment)
268 xsetenv ("HOME", pw->pw_dir);
269 xsetenv ("SHELL", shell);
270 if (pw->pw_uid)
272 xsetenv ("USER", pw->pw_name);
273 xsetenv ("LOGNAME", pw->pw_name);
279 /* Become the user and group(s) specified by PW. */
281 static void
282 change_identity (const struct passwd *pw)
284 #ifdef HAVE_INITGROUPS
285 errno = 0;
286 if (initgroups (pw->pw_name, pw->pw_gid) == -1)
287 error (EXIT_CANCELED, errno, _("cannot set groups"));
288 endgrent ();
289 #endif
290 if (setgid (pw->pw_gid))
291 error (EXIT_CANCELED, errno, _("cannot set group id"));
292 if (setuid (pw->pw_uid))
293 error (EXIT_CANCELED, errno, _("cannot set user id"));
296 /* Run SHELL, or DEFAULT_SHELL if SHELL is empty.
297 If COMMAND is nonzero, pass it to the shell with the -c option.
298 Pass ADDITIONAL_ARGS to the shell as more arguments; there
299 are N_ADDITIONAL_ARGS extra arguments. */
301 static void
302 run_shell (char const *shell, char const *command, char **additional_args,
303 size_t n_additional_args)
305 size_t n_args = 1 + fast_startup + 2 * !!command + n_additional_args + 1;
306 char const **args = xnmalloc (n_args, sizeof *args);
307 size_t argno = 1;
309 if (simulate_login)
311 char *arg0;
312 char *shell_basename;
314 shell_basename = last_component (shell);
315 arg0 = xmalloc (strlen (shell_basename) + 2);
316 arg0[0] = '-';
317 strcpy (arg0 + 1, shell_basename);
318 args[0] = arg0;
320 else
321 args[0] = last_component (shell);
322 if (fast_startup)
323 args[argno++] = "-f";
324 if (command)
326 args[argno++] = "-c";
327 args[argno++] = command;
329 memcpy (args + argno, additional_args, n_additional_args * sizeof *args);
330 args[argno + n_additional_args] = NULL;
331 execv (shell, (char **) args);
334 int exit_status = (errno == ENOENT ? EXIT_ENOENT : EXIT_CANNOT_INVOKE);
335 error (0, errno, "%s", shell);
336 exit (exit_status);
340 /* Return true if SHELL is a restricted shell (one not returned by
341 getusershell), else false, meaning it is a standard shell. */
343 static bool
344 restricted_shell (const char *shell)
346 char *line;
348 setusershell ();
349 while ((line = getusershell ()) != NULL)
351 if (*line != '#' && STREQ (line, shell))
353 endusershell ();
354 return false;
357 endusershell ();
358 return true;
361 void
362 usage (int status)
364 if (status != EXIT_SUCCESS)
365 fprintf (stderr, _("Try `%s --help' for more information.\n"),
366 program_name);
367 else
369 printf (_("Usage: %s [OPTION]... [-] [USER [ARG]...]\n"), program_name);
370 fputs (_("\
371 Change the effective user id and group id to that of USER.\n\
373 -, -l, --login make the shell a login shell\n\
374 -c, --command=COMMAND pass a single COMMAND to the shell with -c\n\
375 -f, --fast pass -f to the shell (for csh or tcsh)\n\
376 -m, --preserve-environment do not reset environment variables\n\
377 -p same as -m\n\
378 -s, --shell=SHELL run SHELL if /etc/shells allows it\n\
379 "), stdout);
380 fputs (HELP_OPTION_DESCRIPTION, stdout);
381 fputs (VERSION_OPTION_DESCRIPTION, stdout);
382 fputs (_("\
384 A mere - implies -l. If USER not given, assume root.\n\
385 "), stdout);
386 emit_ancillary_info ();
388 exit (status);
392 main (int argc, char **argv)
394 int optc;
395 const char *new_user = DEFAULT_USER;
396 char *command = NULL;
397 char *shell = NULL;
398 struct passwd *pw;
399 struct passwd pw_copy;
401 initialize_main (&argc, &argv);
402 set_program_name (argv[0]);
403 setlocale (LC_ALL, "");
404 bindtextdomain (PACKAGE, LOCALEDIR);
405 textdomain (PACKAGE);
407 initialize_exit_failure (EXIT_CANCELED);
408 atexit (close_stdout);
410 fast_startup = false;
411 simulate_login = false;
412 change_environment = true;
414 while ((optc = getopt_long (argc, argv, "c:flmps:", longopts, NULL)) != -1)
416 switch (optc)
418 case 'c':
419 command = optarg;
420 break;
422 case 'f':
423 fast_startup = true;
424 break;
426 case 'l':
427 simulate_login = true;
428 break;
430 case 'm':
431 case 'p':
432 change_environment = false;
433 break;
435 case 's':
436 shell = optarg;
437 break;
439 case_GETOPT_HELP_CHAR;
441 case_GETOPT_VERSION_CHAR (PROGRAM_NAME, AUTHORS);
443 default:
444 usage (EXIT_CANCELED);
448 if (optind < argc && STREQ (argv[optind], "-"))
450 simulate_login = true;
451 ++optind;
453 if (optind < argc)
454 new_user = argv[optind++];
456 pw = getpwnam (new_user);
457 if (! (pw && pw->pw_name && pw->pw_name[0] && pw->pw_dir && pw->pw_dir[0]
458 && pw->pw_passwd))
459 error (EXIT_CANCELED, 0, _("user %s does not exist"), new_user);
461 /* Make a copy of the password information and point pw at the local
462 copy instead. Otherwise, some systems (e.g. GNU/Linux) would clobber
463 the static data through the getlogin call from log_su.
464 Also, make sure pw->pw_shell is a nonempty string.
465 It may be NULL when NEW_USER is a username that is retrieved via NIS (YP),
466 but that doesn't have a default shell listed. */
467 pw_copy = *pw;
468 pw = &pw_copy;
469 pw->pw_name = xstrdup (pw->pw_name);
470 pw->pw_passwd = xstrdup (pw->pw_passwd);
471 pw->pw_dir = xstrdup (pw->pw_dir);
472 pw->pw_shell = xstrdup (pw->pw_shell && pw->pw_shell[0]
473 ? pw->pw_shell
474 : DEFAULT_SHELL);
475 endpwent ();
477 if (!correct_password (pw))
479 #ifdef SYSLOG_FAILURE
480 log_su (pw, false);
481 #endif
482 error (EXIT_CANCELED, 0, _("incorrect password"));
484 #ifdef SYSLOG_SUCCESS
485 else
487 log_su (pw, true);
489 #endif
491 if (!shell && !change_environment)
492 shell = getenv ("SHELL");
493 if (shell && getuid () != 0 && restricted_shell (pw->pw_shell))
495 /* The user being su'd to has a nonstandard shell, and so is
496 probably a uucp account or has restricted access. Don't
497 compromise the account by allowing access with a standard
498 shell. */
499 error (0, 0, _("using restricted shell %s"), pw->pw_shell);
500 shell = NULL;
502 shell = xstrdup (shell ? shell : pw->pw_shell);
503 modify_environment (pw, shell);
505 change_identity (pw);
506 if (simulate_login && chdir (pw->pw_dir) != 0)
507 error (0, errno, _("warning: cannot change directory to %s"), pw->pw_dir);
509 /* error() flushes stderr, but does not check for write failure.
510 Normally, we would catch this via our atexit() hook of
511 close_stdout, but execv() gets in the way. If stderr
512 encountered a write failure, there is no need to try calling
513 error() again. */
514 if (ferror (stderr))
515 exit (EXIT_CANCELED);
517 run_shell (shell, command, argv + optind, MAX (0, argc - optind));