4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
23 * Copyright 2013 Nexenta Systems, Inc. All rights reserved.
24 * Copyright (c) 2016 by Delphix. All rights reserved.
28 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
29 * Use is subject to license terms.
33 * Copyright (c) 1984, 1986, 1987, 1988, 1989 AT&T
34 * All rights reserved.
36 * Copyright (c) 1987, 1988 Microsoft Corporation.
37 * All rights reserved.
41 * sulogin - special login program exec'd from init to let user
42 * come up single user, or go to default init state straight away.
44 * Explain the scoop to the user, prompt for an authorized user
45 * name or ^D and then prompt for password or ^D. If the password
46 * is correct, check if the user is authorized, if so enter
47 * single user. ^D exits sulogin, and init will go to default init state.
49 * If /etc/passwd is missing, or there's no entry for root,
50 * go single user, no questions asked.
53 #include <sys/types.h>
55 #include <sys/param.h>
56 #include <sys/sysmsg_impl.h>
57 #include <sys/mkdev.h>
58 #include <sys/resource.h>
59 #include <sys/uadmin.h>
61 #include <sys/stermio.h>
79 #include <auth_attr.h>
80 #include <auth_list.h>
81 #include <nss_dbdefs.h>
82 #include <user_attr.h>
87 * Intervals to sleep after failed login
90 #define SLEEPTIME 4 /* sleeptime before login incorrect msg */
93 #define SLEEPTIME_MAX 5 /* maximum sleeptime */
96 * the name of the file containing the login defaults we deliberately
97 * use the same file as login(1)
100 #define DEFAULT_LOGIN "/etc/default/login"
101 #define DEFAULT_SULOGIN "/etc/default/sulogin"
102 #define DEFAULT_CONSOLE "/dev/console"
104 static char shell
[] = "/bin/sh";
105 static char su
[] = "/usr/bin/su";
106 static int sleeptime
= SLEEPTIME
;
107 static int nchild
= 0;
108 static pid_t pidlist
[10];
109 static pid_t masterpid
= 0;
110 static pid_t originalpid
= 0;
111 static struct sigaction sa
;
112 static struct termio ttymodes
;
114 static char *findttyname(int fd
);
115 static char *stripttyname(char *);
116 static char *sulogin_getinput(char *, int);
117 static void noop(int);
118 static void single(const char *, char *);
119 static void main_loop(char *, boolean_t
);
120 static void parenthandler();
121 static void termhandler(int);
122 static void setupsigs(void);
123 static int pathcmp(char *, char *);
124 static void doit(char *, char *);
125 static void childcleanup(int);
132 main(int argc
, char **argv
)
135 int passreq
= B_TRUE
;
138 char *infop
, *ptr
, *p
;
144 char scratchlist
[500];
147 if (geteuid() != 0) {
148 (void) fprintf(stderr
, "%s: must be root\n", argv
[0]);
149 return (EXIT_FAILURE
);
152 /* Do the magic to determine the children */
153 if ((fd
= open(SYSMSG
, O_RDONLY
)) < 0)
154 return (EXIT_FAILURE
);
157 * If the console supports the CIOCTTYCONSOLE ioctl, then fetch
158 * its console device list. If not, then we use the default
161 if (ioctl(fd
, CIOCTTYCONSOLE
, &cttyd
) == 0) {
162 if ((bufsize
= ioctl(fd
, CIOCGETCONSOLE
, NULL
)) < 0)
163 return (EXIT_FAILURE
);
166 if ((infop
= calloc(bufsize
, sizeof (char))) == NULL
)
167 return (EXIT_FAILURE
);
169 if (ioctl(fd
, CIOCGETCONSOLE
, infop
) < 0)
170 return (EXIT_FAILURE
);
172 (void) snprintf(namedlist
, sizeof (namedlist
), "%s %s",
173 DEFAULT_CONSOLE
, infop
);
175 (void) snprintf(namedlist
, sizeof (namedlist
), "%s",
178 (void) snprintf(namedlist
, sizeof (namedlist
), "%s",
184 * The attempt to turn the controlling terminals dev_t into a string
185 * may not be successful, thus leaving the variable cttyname as a
186 * NULL. This occurs if during boot we find
187 * the root partition (or some other partition)
188 * requires manual fsck, thus resulting in sulogin
189 * getting invoked. The ioctl for CIOCTTYCONSOLE
190 * called above returned NODEV for cttyd
191 * in these cases. NODEV gets returned when the vnode pointer
192 * in our session structure is NULL. In these cases it
193 * must be assumed that the default console is used.
195 * See kernel/os/session.c:cttydev().
197 (void) strcpy(cttyname
, DEFAULT_CONSOLE
);
198 (void) strcpy(scratchlist
, namedlist
);
200 while (ptr
!= NULL
) {
201 p
= strchr(ptr
, ' ');
204 return (EXIT_FAILURE
);
205 if (st
.st_rdev
== cttyd
)
206 (void) strcpy(cttyname
, ptr
);
211 return (EXIT_FAILURE
);
212 if (st
.st_rdev
== cttyd
) {
213 (void) strcpy(cttyname
, ptr
);
220 * Use the same value of SLEEPTIME that login(1) uses. This
221 * is obtained by reading the file /etc/default/login using
222 * the def*() functions.
225 if (defopen(DEFAULT_LOGIN
) == 0) {
229 flags
= defcntl(DC_GETFLAGS
, 0);
230 TURNOFF(flags
, DC_CASE
);
231 (void) defcntl(DC_SETFLAGS
, flags
);
233 if ((ptr
= defread("SLEEPTIME=")) != NULL
)
234 sleeptime
= atoi(ptr
);
236 if (sleeptime
< 0 || sleeptime
> SLEEPTIME_MAX
)
237 sleeptime
= SLEEPTIME
;
239 (void) defopen(NULL
); /* closes DEFAULT_LOGIN */
243 * Use our own value of PASSREQ, separate from the one login(1) uses.
244 * This is obtained by reading the file /etc/default/sulogin using
245 * the def*() functions.
248 if (defopen(DEFAULT_SULOGIN
) == 0) {
249 if ((ptr
= defread("PASSREQ=")) != NULL
)
250 if (strcmp("NO", ptr
) == 0)
253 (void) defopen(NULL
); /* closes DEFAULT_SULOGIN */
256 if (passreq
== B_FALSE
)
260 * if no 'root' entry in /etc/shadow, give maint. mode single
264 if ((shpw
= getspnam("root")) == NULL
) {
265 (void) fprintf(stderr
, "\n*** Unable to retrieve `root' entry "
266 "in shadow password file ***\n\n");
271 * if no 'root' entry in /etc/passwd, give maint. mode single
275 if (getpwnam("root") == NULL
) {
276 (void) fprintf(stderr
, "\n*** Unable to retrieve `root' entry "
277 "in password file ***\n\n");
281 /* process with controlling tty treated special */
282 if ((pid
= fork()) != (pid_t
)0) {
284 return (EXIT_FAILURE
);
288 originalpid
= getpid();
290 * init() was invoked from a console that was not
291 * the default console, nor was it an auxiliary.
293 if (cttyname
[0] == '\0')
297 main_loop(cttyname
, B_TRUE
);
301 masterpid
= getpid();
302 originalpid
= getppid();
303 pidlist
[nchild
++] = originalpid
;
305 sa
.sa_handler
= childcleanup
;
307 (void) sigemptyset(&sa
.sa_mask
);
308 (void) sigaction(SIGTERM
, &sa
, NULL
);
309 (void) sigaction(SIGHUP
, &sa
, NULL
);
310 sa
.sa_handler
= parenthandler
;
311 sa
.sa_flags
= SA_SIGINFO
;
312 (void) sigemptyset(&sa
.sa_mask
);
313 (void) sigaction(SIGUSR1
, &sa
, NULL
);
315 sa
.sa_handler
= SIG_IGN
;
317 (void) sigemptyset(&sa
.sa_mask
);
318 (void) sigaction(SIGCHLD
, &sa
, NULL
);
320 * If there isn't a password on root, then don't permit
321 * the fanout capability of sulogin.
323 if (*shpw
->sp_pwdp
!= '\0') {
325 while (ptr
!= NULL
) {
326 p
= strchr(ptr
, ' ');
336 if (pathcmp(cttyname
, DEFAULT_CONSOLE
) != 0) {
337 if ((pid
= fork()) == (pid_t
)0) {
339 main_loop(DEFAULT_CONSOLE
, B_FALSE
);
340 } else if (pid
== -1)
341 return (EXIT_FAILURE
);
342 pidlist
[nchild
++] = pid
;
345 * When parent is all done, it pauses until one of its children
346 * signals that its time to kill the underpriviledged.
354 * These flags are taken from stty's "sane" table entries in
355 * usr/src/cmd/ttymon/sttytable.c
357 #define SET_IFLAG (BRKINT|IGNPAR|ISTRIP|ICRNL|IXON|IMAXBEL)
358 #define RESET_IFLAG (IGNBRK|PARMRK|INPCK|INLCR|IGNCR|IUCLC|IXOFF|IXANY)
359 #define SET_OFLAG (OPOST|ONLCR)
360 #define RESET_OFLAG (OLCUC|OCRNL|ONOCR|ONLRET|OFILL|OFDEL| \
361 NLDLY|CRDLY|TABDLY|BSDLY|VTDLY|FFDLY)
362 #define SET_LFLAG (ISIG|ICANON|IEXTEN|ECHO|ECHOK|ECHOE|ECHOKE|ECHOCTL)
363 #define RESET_LFLAG (XCASE|ECHONL|NOFLSH|STFLUSH|STWRAP|STAPPL)
366 * Do the equivalent of 'stty sane' on the terminal since we don't know
367 * what state it was in on startup.
372 (void) ioctl(fd
, TCGETA
, &ttymodes
);
373 ttymodes
.c_iflag
&= ~RESET_IFLAG
;
374 ttymodes
.c_iflag
|= SET_IFLAG
;
375 ttymodes
.c_oflag
&= ~RESET_OFLAG
;
376 ttymodes
.c_oflag
|= SET_OFLAG
;
377 ttymodes
.c_lflag
&= ~RESET_LFLAG
;
378 ttymodes
.c_lflag
|= SET_LFLAG
;
379 ttymodes
.c_cc
[VERASE
] = CERASE
;
380 ttymodes
.c_cc
[VKILL
] = CKILL
;
381 ttymodes
.c_cc
[VQUIT
] = CQUIT
;
382 ttymodes
.c_cc
[VINTR
] = CINTR
;
383 ttymodes
.c_cc
[VEOF
] = CEOF
;
384 ttymodes
.c_cc
[VEOL
] = CNUL
;
385 (void) ioctl(fd
, TCSETAF
, &ttymodes
);
389 * Fork a child of sulogin for each of the auxiliary consoles.
392 doit(char *ptr
, char *cttyname
)
396 if (pathcmp(ptr
, DEFAULT_CONSOLE
) != 0 &&
397 pathcmp(ptr
, cttyname
) != 0) {
398 if ((pid
= fork()) == (pid_t
)0) {
400 main_loop(ptr
, B_FALSE
);
401 } else if (pid
== -1)
403 pidlist
[nchild
++] = pid
;
408 pathcmp(char *adev
, char *bdev
)
413 if (adev
== NULL
|| bdev
== NULL
)
416 if (strcmp(adev
, bdev
) == 0)
419 if (stat(adev
, &st1
) || !S_ISCHR(st1
.st_mode
))
422 if (stat(bdev
, &st2
) || !S_ISCHR(st2
.st_mode
))
425 if (st1
.st_rdev
== st2
.st_rdev
)
431 /* Handlers for the children at initialization */
435 sa
.sa_handler
= noop
;
437 (void) sigemptyset(&sa
.sa_mask
);
438 (void) sigaction(SIGINT
, &sa
, NULL
);
439 (void) sigaction(SIGQUIT
, &sa
, NULL
);
441 sa
.sa_handler
= termhandler
;
443 (void) sigemptyset(&sa
.sa_mask
);
444 (void) sigaction(SIGTERM
, &sa
, NULL
);
445 (void) sigaction(SIGKILL
, &sa
, NULL
);
446 (void) sigaction(SIGHUP
, &sa
, NULL
);
450 main_loop(char *devname
, boolean_t cttyflag
)
453 char *user
= NULL
; /* authorized user */
454 char *pass
; /* password from user */
455 char *cpass
; /* crypted password */
457 struct spwd
*lshpw
; /* local shadow */
458 char shadow
[NSS_BUFLEN_SHADOW
];
461 for (i
= 0; i
< 3; i
++)
463 if (cttyflag
== B_FALSE
) {
467 if ((fd
= open(devname
, O_RDWR
)) < 0)
471 * In system maintenance mode, all virtual console instances
472 * of the svc:/system/console-login service are not available
473 * any more, and only the system console is available. So here
474 * we always switch to the system console in case at the moment
475 * the active console isn't it.
477 (void) ioctl(fd
, VT_ACTIVATE
, 1);
480 (void) dup2(fd
, STDIN_FILENO
);
482 (void) dup2(fd
, STDOUT_FILENO
);
484 (void) dup2(fd
, STDERR_FILENO
);
488 /* Stop progress bar and reset console mode to text */
489 if ((fb
= open("/dev/fb", O_RDONLY
)) >= 0) {
490 (void) ioctl(fb
, KDSETMODE
, KD_RESETTEXT
);
494 sysmsgfd
= fopen("/dev/sysmsg", "w");
496 sanitize_tty(fileno(stdin
));
500 (void) printf("\nEnter user name for system "
501 "maintenance (control-d to bypass): ");
502 user
= sulogin_getinput(devname
, ECHOON
);
504 /* signal other children to exit */
505 (void) sigsend(P_PID
, masterpid
, SIGUSR1
);
506 /* ^D, so straight to default init state */
509 } while (user
[0] == '\0');
510 (void) printf("Enter %s password (control-d to bypass): ",
513 if ((pass
= sulogin_getinput(devname
, ECHOOFF
)) == NULL
) {
514 /* signal other children to exit */
515 (void) sigsend(P_PID
, masterpid
, SIGUSR1
);
516 /* ^D, so straight to default init state */
520 lshpw
= getspnam_r(user
, &spwd
, shadow
, sizeof (shadow
));
523 * the user entered doesn't exist, too bad.
529 * There is a special case error to catch here:
530 * If the password is hashed with an algorithm
531 * other than the old unix crypt the call to crypt(3c)
532 * could fail if /usr is corrupt or not available
533 * since by default /etc/security/crypt.conf will
534 * have the crypt_ modules located under /usr/lib.
535 * Or it could happen if /etc/security/crypt.conf
538 * If this happens crypt(3c) will return NULL and
539 * set errno to ELIBACC for the former condition or
540 * EINVAL for the latter, in this case we bypass
541 * authentication and just verify that the user is
546 cpass
= crypt(pass
, lshpw
->sp_pwdp
);
547 if (((cpass
== NULL
) && (lshpw
->sp_pwdp
[0] == '$')) &&
548 ((errno
== ELIBACC
) || (errno
== EINVAL
))) {
550 } else if ((cpass
== NULL
) ||
551 (strcmp(cpass
, lshpw
->sp_pwdp
) != 0)) {
557 * There is a special case error here as well.
558 * If /etc/user_attr is corrupt, getusernam("root")
560 * In this case, we just give access because this is similar
561 * to the case of root not existing in /etc/passwd.
564 if ((getusernam("root") != NULL
) &&
565 (chkauthattr(MAINTENANCE_AUTH
, user
) != 1)) {
568 (void) fprintf(sysmsgfd
, "\nsingle-user privilege "
569 "assigned to %s on %s.\n", user
, devname
);
570 (void) sigsend(P_PID
, masterpid
, SIGUSR1
);
575 /* single never returns */
578 (void) printf("\nLogin incorrect or user %s not authorized\n",
582 (void) sleep(sleeptime
);
587 * single() - exec shell for single user mode
591 single(const char *cmd
, char *ttyn
)
594 char found
= B_FALSE
;
597 ttyn
= findttyname(STDIN_FILENO
);
600 * utmpx records on the console device are expected to be "console"
601 * by other processes, such as dtlogin.
603 ttyn
= stripttyname(ttyn
);
605 /* update the utmpx file. */
606 while ((u
= getutxent()) != NULL
) {
607 if (strcmp(u
->ut_line
, ttyn
) == 0) {
608 u
->ut_tv
.tv_sec
= time(NULL
);
609 u
->ut_type
= USER_PROCESS
;
610 u
->ut_pid
= getpid();
611 if (strcmp(u
->ut_user
, "root") != 0)
612 (void) strcpy(u
->ut_user
, "root");
613 (void) pututxline(u
);
621 entryx
.ut_tv
.tv_sec
= time(NULL
);
622 entryx
.ut_type
= USER_PROCESS
;
623 entryx
.ut_pid
= getpid();
624 (void) strcpy(entryx
.ut_user
, "root");
625 (void) strcpy(entryx
.ut_line
, ttyn
);
626 entryx
.ut_tv
.tv_usec
= 0;
627 entryx
.ut_session
= 0;
628 entryx
.ut_id
[0] = 'c';
629 entryx
.ut_id
[1] = 'o';
630 entryx
.ut_id
[2] = 's';
631 entryx
.ut_id
[3] = 'u';
632 entryx
.ut_syslen
= 1;
633 entryx
.ut_host
[0] = '\0';
634 entryx
.ut_exit
.e_termination
= WTERMSIG(0);
635 entryx
.ut_exit
.e_exit
= WEXITSTATUS(0);
636 (void) pututxline(&entryx
);
639 (void) printf("Entering System Maintenance Mode\n\n");
641 if (execl(cmd
, cmd
, "-", (char *)0) < 0)
646 * sulogin_getinput() - hacked from the standard PAM tty conversation
647 * function getpassphrase() library version
648 * so we can distinguish newline and EOF.
649 * also don't need this routine to give a prompt.
651 * returns the password string, or NULL if the used typed EOF.
655 sulogin_getinput(char *devname
, int echooff
)
660 static char input
[PASS_MAX
+ 1];
661 void (*saved_handler
)();
665 if ((fi
= fopen(devname
, "r")) == NULL
) {
669 saved_handler
= signal(SIGINT
, SIG_IGN
);
673 ttyb
.c_lflag
&= ~(ECHO
| ECHOE
| ECHONL
);
674 (void) ioctl(fileno(fi
), TCSETAF
, &ttyb
);
677 /* get characters up to PASS_MAX, but don't overflow */
678 while ((c
= getc(fi
)) != '\n' && (c
!= '\r')) {
679 if (c
== EOF
&& i
== 0) { /* ^D, no input */
684 input
[i
++] = (char)c
;
688 (void) fputc('\n', fi
);
690 (void) ioctl(fileno(fi
), TCSETAW
, &ttymodes
);
693 if (saved_handler
!= SIG_ERR
)
694 (void) signal(SIGINT
, saved_handler
);
695 return (rval
== NULL
? NULL
: strdup(rval
));
701 char *ttyn
= ttyname(fd
);
707 * /dev/syscon and /dev/systty are usually links to
708 * /dev/console. prefer /dev/console.
710 if (((strcmp(ttyn
, "/dev/syscon") == 0) ||
711 (strcmp(ttyn
, "/dev/systty") == 0)) &&
712 access("/dev/console", F_OK
))
713 ttyn
= "/dev/console";
719 stripttyname(char *ttyn
)
721 /* saw off the /dev/ */
722 if (strncmp(ttyn
, "/dev/", sizeof ("/dev/") -1) == 0)
723 return (ttyn
+ sizeof ("/dev/") - 1);
734 * This signal handler does nothing except return. We use it
735 * as the signal disposition in this program instead of
736 * SIG_IGN so that we do not have to restore the disposition
737 * back to SIG_DFL. Instead we allow exec(2) to set the
738 * dispostion to SIG_DFL to avoid a race condition.
744 parenthandler(int sig
, siginfo_t
*si
, ucontext_t
*uc
)
749 * We get here if someone has successfully entered a password
750 * from the auxiliary console and is getting the single-user shell.
751 * When this happens, the parent needs to kill the children
752 * that didn't get the shell.
755 for (i
= 0; i
< nchild
; i
++) {
756 if (pidlist
[i
] != si
->__data
.__proc
.__pid
)
757 (void) sigsend(P_PID
, pidlist
[i
], SIGTERM
);
759 sa
.sa_handler
= SIG_IGN
;
761 (void) sigemptyset(&sa
.sa_mask
);
762 (void) sigaction(SIGINT
, &sa
, NULL
);
763 (void) sigaction(SIGQUIT
, &sa
, NULL
);
764 (void) sigaction(SIGTERM
, &sa
, NULL
);
769 * The master pid will get SIGTERM or SIGHUP from init, and then
770 * has to make sure the shell isn't still running.
775 childcleanup(int sig
)
779 /* Only need to kill the child that became the shell. */
780 for (i
= 0; i
< nchild
; i
++) {
781 /* Don't kill grandparent before it's necessary */
782 if (pidlist
[i
] != getppid())
783 (void) sigsend(P_PID
, pidlist
[i
], SIGHUP
);
794 /* Processes come here when they fail to receive the password. */
795 if ((fi
= fopen("/dev/tty", "r+")) == NULL
)
799 sanitize_tty(fileno(fi
));
800 /* If you're the controlling tty, then just wait */
802 if (pid
== originalpid
|| pid
== masterpid
) {
803 sa
.sa_handler
= SIG_IGN
;
805 (void) sigemptyset(&sa
.sa_mask
);
806 (void) sigaction(SIGINT
, &sa
, NULL
);
807 (void) sigaction(SIGQUIT
, &sa
, NULL
);
808 sa
.sa_handler
= SIG_DFL
;
810 (void) sigemptyset(&sa
.sa_mask
);
811 (void) sigaction(SIGTERM
, &sa
, NULL
);
812 (void) sigaction(SIGHUP
, &sa
, NULL
);