search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
worldstone: add -s for statistical profiling
[minix.git] / usr.bin / login / login.c
blob0023ab5a56f718c1e663a994e6876941b9b42823
1 /* $NetBSD: login.c,v 1.97 2009/12/29 19:26:13 christos Exp $ */
2
3 /*-
4 * Copyright (c) 1980, 1987, 1988, 1991, 1993, 1994
5 * The Regents of the University of California. All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the University nor the names of its contributors
16 * may be used to endorse or promote products derived from this software
17 * without specific prior written permission.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * SUCH DAMAGE.
30 */
31
32 #include <sys/cdefs.h>
33 #ifndef lint
34 __COPYRIGHT("@(#) Copyright (c) 1980, 1987, 1988, 1991, 1993, 1994\
35 The Regents of the University of California. All rights reserved.");
36 #endif /* not lint */
37
38 #ifndef lint
39 #if 0
40 static char sccsid[] = "@(#)login.c 8.4 (Berkeley) 4/2/94";
41 #endif
42 __RCSID("$NetBSD: login.c,v 1.97 2009/12/29 19:26:13 christos Exp $");
43 #endif /* not lint */
44
45 /*
46 * login [ name ]
47 * login -h hostname (for telnetd, etc.)
48 * login -f name (for pre-authenticated login: datakit, xterm, etc.)
49 */
50
51 #include <sys/param.h>
52 #include <sys/stat.h>
53 #include <sys/time.h>
54 #include <sys/resource.h>
55 #include <sys/file.h>
56 #include <sys/wait.h>
57 #include <sys/socket.h>
58
59 #include <err.h>
60 #include <errno.h>
61 #include <grp.h>
62 #include <pwd.h>
63 #include <setjmp.h>
64 #include <signal.h>
65 #include <stdio.h>
66 #include <stdlib.h>
67 #include <string.h>
68 #include <syslog.h>
69 #include <time.h>
70 #include <ttyent.h>
71 #include <tzfile.h>
72 #include <unistd.h>
73 #include <sysexits.h>
74 #ifdef SUPPORT_UTMP
75 #include <utmp.h>
76 #endif
77 #ifdef SUPPORT_UTMPX
78 #include <utmpx.h>
79 #endif
80 #include <util.h>
81 #ifdef SKEY
82 #include <skey.h>
83 #endif
84 #ifdef KERBEROS5
85 #include <krb5/krb5.h>
86 #include <com_err.h>
87 #endif
88 #ifdef LOGIN_CAP
89 #include <login_cap.h>
90 #endif
91 #include <vis.h>
92
93 #include "pathnames.h"
94 #include "common.h"
95
96 #ifdef KERBEROS5
97 int login_krb5_forwardable_tgt = 0;
98 static int login_krb5_get_tickets = 1;
99 static int login_krb5_retain_ccache = 0;
100 #endif
101
102 static void checknologin(char *);
103 #ifdef KERBEROS5
104 int k5login(struct passwd *, char *, char *, char *);
105 void k5destroy(void);
106 int k5_read_creds(char*);
107 int k5_write_creds(void);
108 #endif
109 #if defined(KERBEROS5)
110 static void dofork(void);
111 #endif
112 static void usage(void);
113
114 #define TTYGRPNAME "tty" /* name of group to own ttys */
115
116 #define DEFAULT_BACKOFF 3
117 #define DEFAULT_RETRIES 10
118
119 #if defined(KERBEROS5)
120 int has_ccache = 0;
121 static int notickets = 1;
122 static char *instance;
123 extern krb5_context kcontext;
124 extern int have_forward;
125 extern char *krb5tkfile_env;
126 extern int krb5_configured;
127 #endif
128
129 #if defined(KERBEROS5)
130 #define KERBEROS_CONFIGURED krb5_configured
131 #endif
132
133 extern char **environ;
134
135 int
136 main(int argc, char *argv[])
137 {
138 struct group *gr;
139 struct stat st;
140 int ask, ch, cnt, fflag, hflag, pflag, sflag, quietlog, rootlogin, rval;
141 int Fflag;
142 uid_t uid, saved_uid;
143 gid_t saved_gid, saved_gids[NGROUPS_MAX];
144 int nsaved_gids;
145 char *domain, *p, *ttyn, *pwprompt;
146 char tbuf[MAXPATHLEN + 2], tname[sizeof(_PATH_TTY) + 10];
147 char localhost[MAXHOSTNAMELEN + 1];
148 int need_chpass, require_chpass;
149 int login_retries = DEFAULT_RETRIES,
150 login_backoff = DEFAULT_BACKOFF;
151 time_t pw_warntime = _PASSWORD_WARNDAYS * SECSPERDAY;
152 #ifdef KERBEROS5
153 krb5_error_code kerror;
154 #endif
155 #if defined(KERBEROS5)
156 int got_tickets = 0;
157 #endif
158 #ifdef LOGIN_CAP
159 char *shell = NULL;
160 login_cap_t *lc = NULL;
161 #endif
162
163 tbuf[0] = '\0';
164 rval = 0;
165 pwprompt = NULL;
166 nested = NULL;
167 need_chpass = require_chpass = 0;
168
169 (void)signal(SIGALRM, timedout);
170 (void)alarm(timeout);
171 (void)signal(SIGQUIT, SIG_IGN);
172 (void)signal(SIGINT, SIG_IGN);
173 (void)setpriority(PRIO_PROCESS, 0, 0);
174
175 openlog("login", 0, LOG_AUTH);
176
177 /*
178 * -p is used by getty to tell login not to destroy the environment
179 * -f is used to skip a second login authentication
180 * -h is used by other servers to pass the name of the remote host to
181 * login so that it may be placed in utmp/utmpx and wtmp/wtmpx
182 * -a in addition to -h, a server may supply -a to pass the actual
183 * server address.
184 * -s is used to force use of S/Key or equivalent.
185 */
186 domain = NULL;
187 if (gethostname(localhost, sizeof(localhost)) < 0)
188 syslog(LOG_ERR, "couldn't get local hostname: %m");
189 else
190 domain = strchr(localhost, '.');
191 localhost[sizeof(localhost) - 1] = '\0';
192
193 Fflag = fflag = hflag = pflag = sflag = 0;
194 have_ss = 0;
195 #ifdef KERBEROS5
196 have_forward = 0;
197 #endif
198 uid = getuid();
199 while ((ch = getopt(argc, argv, "a:Ffh:ps")) != -1)
200 switch (ch) {
201 case 'a':
202 if (uid)
203 errx(EXIT_FAILURE, "-a option: %s", strerror(EPERM));
204 decode_ss(optarg);
205 #ifdef notdef
206 (void)sockaddr_snprintf(optarg,
207 sizeof(struct sockaddr_storage), "%a", (void *)&ss);
208 #endif
209 break;
210 case 'F':
211 Fflag = 1;
212 /* FALLTHROUGH */
213 case 'f':
214 fflag = 1;
215 break;
216 case 'h':
217 if (uid)
218 errx(EXIT_FAILURE, "-h option: %s", strerror(EPERM));
219 hflag = 1;
220 #ifdef notdef
221 if (domain && (p = strchr(optarg, '.')) != NULL &&
222 strcasecmp(p, domain) == 0)
223 *p = '\0';
224 #endif
225 hostname = optarg;
226 break;
227 case 'p':
228 pflag = 1;
229 break;
230 case 's':
231 sflag = 1;
232 break;
233 default:
234 case '?':
235 usage();
236 break;
237 }
238
239 #ifndef __minix
240 setproctitle(NULL);
241 #endif
242 argc -= optind;
243 argv += optind;
244
245 if (*argv) {
246 username = *argv;
247 ask = 0;
248 } else
249 ask = 1;
250
251 #ifdef F_CLOSEM
252 (void)fcntl(3, F_CLOSEM, 0);
253 #else
254 for (cnt = getdtablesize(); cnt > 2; cnt--)
255 (void)close(cnt);
256 #endif
257
258 ttyn = ttyname(STDIN_FILENO);
259 if (ttyn == NULL || *ttyn == '\0') {
260 (void)snprintf(tname, sizeof(tname), "%s??", _PATH_TTY);
261 ttyn = tname;
262 }
263 if ((tty = strstr(ttyn, "/pts/")) != NULL)
264 ++tty;
265 else if ((tty = strrchr(ttyn, '/')) != NULL)
266 ++tty;
267 else
268 tty = ttyn;
269
270 if (issetugid()) {
271 nested = strdup(user_from_uid(getuid(), 0));
272 if (nested == NULL) {
273 syslog(LOG_ERR, "strdup: %m");
274 sleepexit(EXIT_FAILURE);
275 }
276 }
277
278 #ifdef LOGIN_CAP
279 /* Get "login-retries" and "login-backoff" from default class */
280 if ((lc = login_getclass(NULL)) != NULL) {
281 login_retries = (int)login_getcapnum(lc, "login-retries",
282 DEFAULT_RETRIES, DEFAULT_RETRIES);
283 login_backoff = (int)login_getcapnum(lc, "login-backoff",
284 DEFAULT_BACKOFF, DEFAULT_BACKOFF);
285 login_close(lc);
286 lc = NULL;
287 }
288 #endif
289
290 #ifdef KERBEROS5
291 kerror = krb5_init_context(&kcontext);
292 if (kerror) {
293 /*
294 * If Kerberos is not configured, that is, we are
295 * not using Kerberos, do not log the error message.
296 * However, if Kerberos is configured, and the
297 * context init fails for some other reason, we need
298 * to issue a no tickets warning to the user when the
299 * login succeeds.
300 */
301 if (kerror != ENXIO) { /* XXX NetBSD-local Heimdal hack */
302 syslog(LOG_NOTICE,
303 "%s when initializing Kerberos context",
304 error_message(kerror));
305 krb5_configured = 1;
306 }
307 login_krb5_get_tickets = 0;
308 }
309 #endif /* KERBEROS5 */
310
311 for (cnt = 0;; ask = 1) {
312 #if defined(KERBEROS5)
313 if (login_krb5_get_tickets)
314 k5destroy();
315 #endif
316 if (ask) {
317 fflag = 0;
318 getloginname();
319 }
320 rootlogin = 0;
321 #ifdef KERBEROS5
322 if ((instance = strchr(username, '/')) != NULL)
323 *instance++ = '\0';
324 else
325 instance = "";
326 #endif
327 if (strlen(username) > MAXLOGNAME)
328 username[MAXLOGNAME] = '\0';
329
330 /*
331 * Note if trying multiple user names; log failures for
332 * previous user name, but don't bother logging one failure
333 * for nonexistent name (mistyped username).
334 */
335 if (failures && strcmp(tbuf, username)) {
336 if (failures > (pwd ? 0 : 1))
337 badlogin(tbuf);
338 failures = 0;
339 }
340 (void)strlcpy(tbuf, username, sizeof(tbuf));
341
342 pwd = getpwnam(username);
343
344 #ifdef LOGIN_CAP
345 /*
346 * Establish the class now, before we might goto
347 * within the next block. pwd can be NULL since it
348 * falls back to the "default" class if it is.
349 */
350 lc = login_getclass(pwd ? pwd->pw_class : NULL);
351 #endif
352 /*
353 * if we have a valid account name, and it doesn't have a
354 * password, or the -f option was specified and the caller
355 * is root or the caller isn't changing their uid, don't
356 * authenticate.
357 */
358 if (pwd) {
359 if (pwd->pw_uid == 0)
360 rootlogin = 1;
361
362 if (fflag && (uid == 0 || uid == pwd->pw_uid)) {
363 /* already authenticated */
364 #ifdef KERBEROS5
365 if (login_krb5_get_tickets && Fflag)
366 k5_read_creds(username);
367 #endif
368 break;
369 } else if (pwd->pw_passwd[0] == '\0') {
370 /* pretend password okay */
371 rval = 0;
372 goto ttycheck;
373 }
374 }
375
376 fflag = 0;
377
378 (void)setpriority(PRIO_PROCESS, 0, -4);
379
380 #ifdef SKEY
381 if (skey_haskey(username) == 0) {
382 static char skprompt[80];
383 const char *skinfo = skey_keyinfo(username);
384
385 (void)snprintf(skprompt, sizeof(skprompt),
386 "Password [ %s ]:",
387 skinfo ? skinfo : "error getting challenge");
388 pwprompt = skprompt;
389 } else
390 #endif
391 pwprompt = "Password:";
392
393 p = getpass(pwprompt);
394
395 if (pwd == NULL) {
396 rval = 1;
397 goto skip;
398 }
399 #ifdef KERBEROS5
400 if (login_krb5_get_tickets &&
401 k5login(pwd, instance, localhost, p) == 0) {
402 rval = 0;
403 got_tickets = 1;
404 }
405 #endif
406 #if defined(KERBEROS5)
407 if (got_tickets)
408 goto skip;
409 #endif
410 #ifdef SKEY
411 if (skey_haskey(username) == 0 &&
412 skey_passcheck(username, p) != -1) {
413 rval = 0;
414 goto skip;
415 }
416 #endif
417 if (!sflag && *pwd->pw_passwd != '\0' &&
418 !strcmp(crypt(p, pwd->pw_passwd), pwd->pw_passwd)) {
419 rval = 0;
420 require_chpass = 1;
421 goto skip;
422 }
423 rval = 1;
424
425 skip:
426 memset(p, 0, strlen(p));
427
428 (void)setpriority(PRIO_PROCESS, 0, 0);
429
430 ttycheck:
431 /*
432 * If trying to log in as root without Kerberos,
433 * but with insecure terminal, refuse the login attempt.
434 */
435 if (pwd && !rval && rootlogin && !rootterm(tty)) {
436 (void)printf("Login incorrect or refused on this "
437 "terminal.\n");
438 if (hostname)
439 syslog(LOG_NOTICE,
440 "LOGIN %s REFUSED FROM %s ON TTY %s",
441 pwd->pw_name, hostname, tty);
442 else
443 syslog(LOG_NOTICE,
444 "LOGIN %s REFUSED ON TTY %s",
445 pwd->pw_name, tty);
446 continue;
447 }
448
449 if (pwd && !rval)
450 break;
451
452 (void)printf("Login incorrect or refused on this "
453 "terminal.\n");
454 failures++;
455 cnt++;
456 /*
457 * We allow login_retries tries, but after login_backoff
458 * we start backing off. These default to 10 and 3
459 * respectively.
460 */
461 if (cnt > login_backoff) {
462 if (cnt >= login_retries) {
463 badlogin(username);
464 sleepexit(EXIT_FAILURE);
465 }
466 sleep((u_int)((cnt - login_backoff) * 5));
467 }
468 }
469
470 /* committed to login -- turn off timeout */
471 (void)alarm((u_int)0);
472
473 endpwent();
474
475 /* if user not super-user, check for disabled logins */
476 #ifdef LOGIN_CAP
477 if (!login_getcapbool(lc, "ignorenologin", rootlogin))
478 checknologin(login_getcapstr(lc, "nologin", NULL, NULL));
479 #else
480 if (!rootlogin)
481 checknologin(NULL);
482 #endif
483
484 #ifdef LOGIN_CAP
485 quietlog = login_getcapbool(lc, "hushlogin", 0);
486 #else
487 quietlog = 0;
488 #endif
489 /* Temporarily give up special privileges so we can change */
490 /* into NFS-mounted homes that are exported for non-root */
491 /* access and have mode 7x0 */
492 saved_uid = geteuid();
493 saved_gid = getegid();
494 nsaved_gids = getgroups(NGROUPS_MAX, saved_gids);
495
496 (void)setegid(pwd->pw_gid);
497 initgroups(username, pwd->pw_gid);
498 (void)seteuid(pwd->pw_uid);
499
500 if (chdir(pwd->pw_dir) < 0) {
501 #ifdef LOGIN_CAP
502 if (login_getcapbool(lc, "requirehome", 0)) {
503 (void)printf("Home directory %s required\n",
504 pwd->pw_dir);
505 sleepexit(EXIT_FAILURE);
506 }
507 #endif
508 (void)printf("No home directory %s!\n", pwd->pw_dir);
509 if (chdir("/") == -1)
510 exit(EXIT_FAILURE);
511 pwd->pw_dir = "/";
512 (void)printf("Logging in with home = \"/\".\n");
513 }
514
515 if (!quietlog)
516 quietlog = access(_PATH_HUSHLOGIN, F_OK) == 0;
517
518 /* regain special privileges */
519 (void)seteuid(saved_uid);
520 setgroups(nsaved_gids, saved_gids);
521 (void)setegid(saved_gid);
522
523 #ifdef LOGIN_CAP
524 pw_warntime = login_getcaptime(lc, "password-warn",
525 _PASSWORD_WARNDAYS * SECSPERDAY,
526 _PASSWORD_WARNDAYS * SECSPERDAY);
527 #endif
528
529 (void)gettimeofday(&now, (struct timezone *)NULL);
530 if (pwd->pw_expire) {
531 if (now.tv_sec >= pwd->pw_expire) {
532 (void)printf("Sorry -- your account has expired.\n");
533 sleepexit(EXIT_FAILURE);
534 } else if (pwd->pw_expire - now.tv_sec < pw_warntime &&
535 !quietlog)
536 (void)printf("Warning: your account expires on %s",
537 ctime(&pwd->pw_expire));
538 }
539 if (pwd->pw_change) {
540 if (pwd->pw_change == _PASSWORD_CHGNOW)
541 need_chpass = 1;
542 else if (now.tv_sec >= pwd->pw_change) {
543 (void)printf("Sorry -- your password has expired.\n");
544 sleepexit(EXIT_FAILURE);
545 } else if (pwd->pw_change - now.tv_sec < pw_warntime &&
546 !quietlog)
547 (void)printf("Warning: your password expires on %s",
548 ctime(&pwd->pw_change));
549
550 }
551 /* Nothing else left to fail -- really log in. */
552 update_db(quietlog, rootlogin, fflag);
553
554 (void)chown(ttyn, pwd->pw_uid,
555 (gr = getgrnam(TTYGRPNAME)) ? gr->gr_gid : pwd->pw_gid);
556
557 if (ttyaction(ttyn, "login", pwd->pw_name))
558 (void)printf("Warning: ttyaction failed.\n");
559
560 #if defined(KERBEROS5)
561 /* Fork so that we can call kdestroy */
562 if (! login_krb5_retain_ccache && has_ccache)
563 dofork();
564 #endif
565
566 /* Destroy environment unless user has requested its preservation. */
567 if (!pflag)
568 environ = envinit;
569
570 #ifdef LOGIN_CAP
571 if (nested == NULL && setusercontext(lc, pwd, pwd->pw_uid,
572 LOGIN_SETLOGIN) != 0) {
573 syslog(LOG_ERR, "setusercontext failed");
574 exit(EXIT_FAILURE);
575 }
576 if (setusercontext(lc, pwd, pwd->pw_uid,
577 (LOGIN_SETALL & ~(LOGIN_SETPATH|LOGIN_SETLOGIN))) != 0) {
578 syslog(LOG_ERR, "setusercontext failed");
579 exit(EXIT_FAILURE);
580 }
581 #else
582 (void)setgid(pwd->pw_gid);
583
584 initgroups(username, pwd->pw_gid);
585
586 #ifndef __minix
587 if (nested == NULL && setlogin(pwd->pw_name) < 0)
588 syslog(LOG_ERR, "setlogin() failure: %m");
589 #endif
590
591 /* Discard permissions last so can't get killed and drop core. */
592 if (rootlogin)
593 (void)setuid(0);
594 else
595 (void)setuid(pwd->pw_uid);
596 #endif
597
598 if (*pwd->pw_shell == '\0')
599 pwd->pw_shell = _PATH_BSHELL;
600 #ifdef LOGIN_CAP
601 if ((shell = login_getcapstr(lc, "shell", NULL, NULL)) != NULL) {
602 if ((shell = strdup(shell)) == NULL) {
603 syslog(LOG_ERR, "Cannot alloc mem");
604 sleepexit(EXIT_FAILURE);
605 }
606 pwd->pw_shell = shell;
607 }
608 #endif
609
610 (void)setenv("HOME", pwd->pw_dir, 1);
611 (void)setenv("SHELL", pwd->pw_shell, 1);
612 if (term[0] == '\0') {
613 char *tt = (char *)stypeof(tty);
614 #ifdef LOGIN_CAP
615 if (tt == NULL)
616 tt = login_getcapstr(lc, "term", NULL, NULL);
617 #endif
618 /* unknown term -> "su" */
619 (void)strlcpy(term, tt != NULL ? tt : "su", sizeof(term));
620 }
621 (void)setenv("TERM", term, 0);
622 (void)setenv("LOGNAME", pwd->pw_name, 1);
623 (void)setenv("USER", pwd->pw_name, 1);
624
625 #ifdef LOGIN_CAP
626 setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETPATH);
627 #else
628 (void)setenv("PATH", _PATH_DEFPATH, 0);
629 #endif
630
631 #ifdef KERBEROS5
632 if (krb5tkfile_env)
633 (void)setenv("KRB5CCNAME", krb5tkfile_env, 1);
634 #endif
635
636 if (tty[sizeof("tty")-1] == 'd')
637 syslog(LOG_INFO, "DIALUP %s, %s", tty, pwd->pw_name);
638
639 /* If fflag is on, assume caller/authenticator has logged root login. */
640 if (rootlogin && fflag == 0) {
641 if (hostname)
642 syslog(LOG_NOTICE, "ROOT LOGIN (%s) ON %s FROM %s",
643 username, tty, hostname);
644 else
645 syslog(LOG_NOTICE, "ROOT LOGIN (%s) ON %s",
646 username, tty);
647 }
648
649 #if defined(KERBEROS5)
650 if (KERBEROS_CONFIGURED && !quietlog && notickets == 1)
651 (void)printf("Warning: no Kerberos tickets issued.\n");
652 #endif
653
654 if (!quietlog) {
655 char *fname;
656 #ifdef LOGIN_CAP
657 fname = login_getcapstr(lc, "copyright", NULL, NULL);
658 if (fname != NULL && access(fname, F_OK) == 0)
659 motd(fname);
660 else
661 #endif
662 (void)printf("%s", copyrightstr);
663
664 #ifdef LOGIN_CAP
665 fname = login_getcapstr(lc, "welcome", NULL, NULL);
666 if (fname == NULL || access(fname, F_OK) != 0)
667 #endif
668 fname = _PATH_MOTDFILE;
669 motd(fname);
670
671 (void)snprintf(tbuf,
672 sizeof(tbuf), "%s/%s", _PATH_MAILDIR, pwd->pw_name);
673 if (stat(tbuf, &st) == 0 && st.st_size != 0)
674 (void)printf("You have %smail.\n",
675 (st.st_mtime > st.st_atime) ? "new " : "");
676 }
677
678 #ifdef LOGIN_CAP
679 login_close(lc);
680 #endif
681
682 (void)signal(SIGALRM, SIG_DFL);
683 (void)signal(SIGQUIT, SIG_DFL);
684 (void)signal(SIGINT, SIG_DFL);
685 (void)signal(SIGTSTP, SIG_IGN);
686
687 tbuf[0] = '-';
688 (void)strlcpy(tbuf + 1, (p = strrchr(pwd->pw_shell, '/')) ?
689 p + 1 : pwd->pw_shell, sizeof(tbuf) - 1);
690
691 /* Wait to change password until we're unprivileged */
692 if (need_chpass) {
693 if (!require_chpass)
694 (void)printf(
695 "Warning: your password has expired. Please change it as soon as possible.\n");
696 else {
697 int status;
698
699 (void)printf(
700 "Your password has expired. Please choose a new one.\n");
701 switch (fork()) {
702 case -1:
703 warn("fork");
704 sleepexit(EXIT_FAILURE);
705 case 0:
706 execl(_PATH_BINPASSWD, "passwd", NULL);
707 _exit(EXIT_FAILURE);
708 default:
709 if (wait(&status) == -1 ||
710 WEXITSTATUS(status))
711 sleepexit(EXIT_FAILURE);
712 }
713 }
714 }
715
716 #ifdef KERBEROS5
717 if (login_krb5_get_tickets)
718 k5_write_creds();
719 #endif
720 execlp(pwd->pw_shell, tbuf, NULL);
721 err(EXIT_FAILURE, "%s", pwd->pw_shell);
722 }
723
724 #if defined(KERBEROS5)
725 /*
726 * This routine handles cleanup stuff, and the like.
727 * It exists only in the child process.
728 */
729 static void
730 dofork(void)
731 {
732 pid_t child, wchild;
733
734 switch (child = fork()) {
735 case 0:
736 return; /* Child process */
737 case -1:
738 err(EXIT_FAILURE, "Can't fork");
739 /*NOTREACHED*/
740 default:
741 break;
742 }
743
744 /*
745 * Setup stuff? This would be things we could do in parallel
746 * with login
747 */
748 if (chdir("/") == -1) /* Let's not keep the fs busy... */
749 err(EXIT_FAILURE, "Can't chdir to `/'");
750
751 /* If we're the parent, watch the child until it dies */
752 while ((wchild = wait(NULL)) != child)
753 if (wchild == -1)
754 err(EXIT_FAILURE, "Can't wait");
755
756 /* Cleanup stuff */
757 /* Run kdestroy to destroy tickets */
758 if (login_krb5_get_tickets)
759 k5destroy();
760
761 /* Leave */
762 exit(EXIT_SUCCESS);
763 }
764 #endif
765
766 static void
767 checknologin(char *fname)
768 {
769 int fd, nchars;
770 char tbuf[8192];
771
772 if ((fd = open(fname ? fname : _PATH_NOLOGIN, O_RDONLY, 0)) >= 0) {
773 while ((nchars = read(fd, tbuf, sizeof(tbuf))) > 0)
774 (void)write(fileno(stdout), tbuf, nchars);
775 sleepexit(EXIT_SUCCESS);
776 }
777 }
778
779 static void
780 usage(void)
781 {
782 (void)fprintf(stderr,
783 "Usage: %s [-Ffps] [-a address] [-h hostname] [username]\n",
784 getprogname());
785 exit(EXIT_FAILURE);
786 }
MINIX 3 (repo.or.cz mirror)