author | wollman <wollman@FreeBSD.org> | 1995-07-12 20:11:19 +0000 |
---|---|---|
committer | wollman <wollman@FreeBSD.org> | 1995-07-12 20:11:19 +0000 |
commit | f6045b76109f3c9b55c0276165309e34c7e9be50 (patch) | |
tree | 1906d0df688a252d522a47b3acb966145e549a51 /usr.bin/su | |
parent | 7228eed75580cf66a88246575baf780b4d84c134 (diff) | |
Added support for an LCS-style `wheel su' which allows users in group wheel
to su to root by authenticating as themselves (using a password or S/Key)
rather than by using the root password. This is useful in contexts like
ours, where a large group of people need root access to a set of machines.
(However, the security implications are such that this should not be
enabled by default.)
The code is conditionalized on WHEELSU.
Diffstat (limited to 'usr.bin/su')
-rw-r--r-- | usr.bin/su/su.c | 42 |
1 files changed, 36 insertions, 6 deletions
diff --git a/usr.bin/su/su.c b/usr.bin/su/su.c index bbc4dc0..df7165b 100644 --- a/usr.bin/su/su.c +++ b/usr.bin/su/su.c @@ -82,6 +82,10 @@ main(argc, argv) { extern char **environ; struct passwd *pwd; +#ifdef WHEELSU + char *targetpass; + int iswheelsu; +#endif /* WHEELSU */ char *p, **g, *user, *shell, *username, *cleanenv[20], *nargv[4], **np; struct group *gr; uid_t ruid; @@ -91,6 +95,9 @@ main(argc, argv) np = &nargv[3]; *np-- = NULL; +#ifdef WHEELSU + iswheelsu = +#endif /* WHEELSU */ asme = asthem = fastlogin = 0; while ((ch = getopt(argc, argv, ARGSTR)) != EOF) switch((char)ch) { @@ -148,10 +155,13 @@ main(argc, argv) /* get target login information, default to root */ user = *argv ? *argv : "root"; if ((pwd = getpwnam(user)) == NULL) { - fprintf(stderr, "su: unknown login %s\n", user); - exit(1); + errx(1, "unknown login: %s", user); } +#ifdef WHEELSU + targetpass = strdup(pwd->pw_passwd); +#endif /* WHEELSU */ + if (ruid) { #ifdef KERBEROS if (!use_kerberos || kerberos(username, user, pwd->pw_uid)) @@ -164,15 +174,30 @@ main(argc, argv) errx(1, "you are not in the correct group to su %s.", user); - if (strcmp(username, *g) == 0) + if (strcmp(username, *g) == 0) { +#ifdef WHEELSU + iswheelsu = 1; +#endif /* WHEELSU */ break; - } + } + } /* if target requires a password, verify it */ if (*pwd->pw_passwd) { #ifdef SKEY +#ifdef WHEELSU + if (iswheelsu) { + pwd = getpwnam(username); + } +#endif /* WHEELSU */ p = skey_getpass("Password:", pwd, 1); - if (strcmp(pwd->pw_passwd, - skey_crypt(p, pwd->pw_passwd, pwd, 1))) { + if (!(!strcmp(pwd->pw_passwd, + skey_crypt(p, pwd->pw_passwd, pwd, 1)) +#ifdef WHEELSU + || (iswheelsu && !strcmp(targetpass, + crypt(p, + targetpass))) +#endif /* WHEELSU */ + )) { #else p = getpass("Password:"); if (strcmp(pwd->pw_passwd, crypt(p, pwd->pw_passwd))) { @@ -183,6 +208,11 @@ main(argc, argv) user, ontty()); exit(1); } +#ifdef WHEELSU + if (iswheelsu) { + pwd = getpwnam(user); + } +#endif /* WHEELSU */ } } } |
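Review bot: `targetpass` and `iswheelsu` are declared under `#ifdef WHEELSU` alone in the @@ -82,6 hunk, but the only code that reads them sits inside the `#ifdef SKEY` branch of the password check in the @@ -164,15 hunk; the `#else` branch still compares against the target's `pw_passwd`. A build with WHEELSU but without SKEY therefore compiles and silently behaves like the stock su, which is easy to misread as the feature being active. I would make the dependency explicit near the top of the file with `#if defined(WHEELSU) && !defined(SKEY)` / `#error "WHEELSU requires SKEY"` / `#endif`, or add the equivalent wheel check to the `#else` branch. main's body starts and ends outside this hunk.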
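Review bot: The result of `strdup(pwd->pw_passwd)` in the @@ -148,10 hunk is not checked, so on allocation failure `targetpass` is NULL and later reaches `strcmp(targetpass, crypt(p, targetpass))` in the wheel path. Add `if (targetpass == NULL) err(1, "strdup");` directly after the call. A short comment would also help, e.g. `/* keep the target's hash; pwd is re-pointed at the invoking user's entry below */`, since the reason for the copy is not visible at this point. The copy of the target's hash is made on every invocation, including when `ruid` is 0, although it is only read when `iswheelsu` is set.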
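Review bot: `pwd = getpwnam(username);` in the wheel branch of the @@ -164,15 hunk is used without a NULL check, so a failed lookup of the invoking user is dereferenced by `skey_getpass()` and `pwd->pw_passwd` on the following lines. The same applies to the restore `pwd = getpwnam(user);` in the @@ -183,6 hunk, whose result the rest of main (outside the hunk) presumably relies on for the target identity. Guard both, e.g. `if ((pwd = getpwnam(username)) == NULL) errx(1, "unknown login: %s", username);` and likewise for `user`. Note also that the outer `if (*pwd->pw_passwd)` test was made on the target's entry, so an empty `pw_passwd` on the invoking wheel user's own entry is not handled explicitly; it is worth confirming what `skey_crypt()` returns in that case.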