diff options
Diffstat (limited to 'usr.bin')
| -rw-r--r-- | usr.bin/su/su.1 | 27 | ||||
| -rw-r--r-- | usr.bin/su/su.c | 176 |
2 files changed, 14 insertions, 189 deletions
diff --git a/usr.bin/su/su.1 b/usr.bin/su/su.1 index 5024849..00ff324 100644 --- a/usr.bin/su/su.1 +++ b/usr.bin/su/su.1 @@ -42,27 +42,29 @@ .Sh SYNOPSIS .Nm .Op Fl -.Op Fl Kflm +.Op Fl flm .Op Fl c Ar class .Op Ar login Op Ar args .Sh DESCRIPTION .Nm Su -requests the Kerberos password for +requests the superuser password for .Ar login -(or for -.Dq Ar login Ns .root , -if no login is provided), and switches to -that user and group ID after obtaining a Kerberos ticket granting ticket. +(or if Kerberos PAMs are used for +.Dq Ar login Ns .root +or +.Dq Ar login Ns /root +as appropriate), +and switches to that user ID. A shell is then executed. .Nm Su will resort to the local password file to find the password for .Ar login -if there is a Kerberos error. +if there is a PAM error. If .Nm is executed by root, no password is requested and a shell -with the appropriate user ID is executed; no additional Kerberos tickets -are obtained. +with the appropriate user ID is executed; +no additional PAM work is done. .Pp By default, the environment is unmodified with the exception of .Ev USER , @@ -76,7 +78,7 @@ are set to the target login's default values. .Ev USER is set to the target login, unless the target login has a user ID of 0, in which case it is unmodified. -The invoked shell is the target login's. +The invoked shell is the one belonging to the target login. This is the traditional behavior of .Nm . Resource limits and session priority applicable to the original user's @@ -86,8 +88,6 @@ are also normally retained unless the target login as a user ID of 0. .Pp The options are as follows: .Bl -tag -width Ds -.It Fl K -Do not attempt to use Kerberos to authenticate the user. .It Fl f If the invoked shell is .Xr csh 1 , @@ -190,7 +190,8 @@ entries with service name .Xr group 5 , .Xr login.conf 5 , .Xr passwd 5 , -.Xr environ 7 +.Xr environ 7 , +.Xr pam 8 .Sh ENVIRONMENT Environment variables used by .Nm : diff --git a/usr.bin/su/su.c b/usr.bin/su/su.c index efd46b8..bbe93fc 100644 --- a/usr.bin/su/su.c +++ b/usr.bin/su/su.c @@ -88,20 +88,7 @@ static char **environ_pam; #endif #endif /* USE_PAM */ -#ifdef KERBEROS -#include <openssl/des.h> -#include <krb.h> -#include <netdb.h> - -#define ARGSTR "-Kflmc:" - -static int kerberos(char *username, char *user, int uid, char *pword); -static int koktologin(char *name, char *toname); - -int use_kerberos = 1; -#else /* !KERBEROS */ #define ARGSTR "-flmc:" -#endif /* KERBEROS */ char *ontty __P((void)); int chshell __P((char *)); @@ -136,9 +123,6 @@ main(argc, argv) char **g; struct group *gr; #endif /* USE_PAM */ -#ifdef KERBEROS - char *k; -#endif char shellbuf[MAXPATHLEN]; #ifdef WHEELSU @@ -148,11 +132,6 @@ main(argc, argv) user = "root"; while((ch = getopt(argc, argv, ARGSTR)) != -1) switch((char)ch) { -#ifdef KERBEROS - case 'K': - use_kerberos = 0; - break; -#endif case 'f': fastlogin = 1; break; @@ -194,11 +173,6 @@ main(argc, argv) argv += optind; -#ifdef KERBEROS - k = auth_getval("auth_list"); - if (k && !strstr(k, "kerberos")) - use_kerberos = 0; -#endif errno = 0; prio = getpriority(PRIO_PROCESS, 0); if (errno) @@ -300,13 +274,6 @@ main(argc, argv) #endif /* WHEELSU */ if (ruid) { -#ifdef KERBEROS - if (use_kerberos && koktologin(username, user) - && !pwd->pw_uid) { - warnx("kerberos: not in %s's ACL.", user); - use_kerberos = 0; - } -#endif { /* * Only allow those with pw_gid==0 or those listed in @@ -351,9 +318,6 @@ main(argc, argv) if (strcmp(pwd->pw_passwd, crypt(p, pwd->pw_passwd))) #endif /* SKEY */ { -#ifdef KERBEROS - if (!use_kerberos || (use_kerberos && kerberos(username, user, pwd->pw_uid, p))) -#endif { syslog(LOG_AUTH|LOG_WARNING, "BAD SU %s to %s%s", username, user, ontty()); errx(1, "Sorry"); @@ -464,9 +428,6 @@ main(argc, argv) if (!asme) { if (asthem) { p = getenv("TERM"); -#ifdef KERBEROS - k = getenv("KRBTKFILE"); -#endif environ = &cleanenv; #ifdef USE_PAM @@ -483,10 +444,6 @@ main(argc, argv) setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETPATH|LOGIN_SETUMASK|LOGIN_SETENV); if (p) (void)setenv("TERM", p, 1); -#ifdef KERBEROS - if (k) - (void)setenv("KRBTKFILE", k, 1); -#endif if (chdir(pwd->pw_dir) < 0) errx(1, "no directory"); } @@ -596,136 +553,3 @@ ontty() snprintf(buf, sizeof(buf), " on %s", p); return (buf); } - -#ifdef KERBEROS -int -kerberos(username, user, uid, pword) - char *username, *user; - int uid; - char *pword; -{ - KTEXT_ST ticket; - AUTH_DAT authdata; - int kerno; - u_long faddr; - char lrealm[REALM_SZ], krbtkfile[MAXPATHLEN]; - char hostname[MAXHOSTNAMELEN], savehost[MAXHOSTNAMELEN]; - char *krb_get_phost(); - struct hostent *hp; - - if (krb_get_lrealm(lrealm, 1) != KSUCCESS) - return (1); - (void)sprintf(krbtkfile, "%s_%s_%lu", TKT_ROOT, user, - (unsigned long)getuid()); - - (void)setenv("KRBTKFILE", krbtkfile, 1); - (void)krb_set_tkt_string(krbtkfile); - /* - * Set real as well as effective ID to 0 for the moment, - * to make the kerberos library do the right thing. - */ - if (setuid(0) < 0) { - warn("setuid"); - return (1); - } - - /* - * Little trick here -- if we are su'ing to root, - * we need to get a ticket for "xxx.root", where xxx represents - * the name of the person su'ing. Otherwise (non-root case), - * we need to get a ticket for "yyy.", where yyy represents - * the name of the person being su'd to, and the instance is null - * - * We should have a way to set the ticket lifetime, - * with a system default for root. - */ - kerno = krb_get_pw_in_tkt((uid == 0 ? username : user), - (uid == 0 ? "root" : ""), lrealm, - "krbtgt", lrealm, DEFAULT_TKT_LIFE, pword); - - if (kerno != KSUCCESS) { - if (kerno == KDC_PR_UNKNOWN) { - warnx("kerberos: principal unknown: %s.%s@%s", - (uid == 0 ? username : user), - (uid == 0 ? "root" : ""), lrealm); - return (1); - } - warnx("kerberos: unable to su: %s", krb_err_txt[kerno]); - syslog(LOG_NOTICE, - "BAD Kerberos SU: %s to %s%s: %s", - username, user, ontty(), krb_err_txt[kerno]); - return (1); - } - - if (chown(krbtkfile, uid, -1) < 0) { - warn("chown"); - (void)unlink(krbtkfile); - return (1); - } - - (void)setpriority(PRIO_PROCESS, 0, -2); - - if (gethostname(hostname, sizeof(hostname)) == -1) { - warn("gethostname"); - dest_tkt(); - return (1); - } - - (void)strncpy(savehost, krb_get_phost(hostname), sizeof(savehost)); - savehost[sizeof(savehost) - 1] = '\0'; - - kerno = krb_mk_req(&ticket, "rcmd", savehost, lrealm, 33); - - if (kerno == KDC_PR_UNKNOWN) { - warnx("Warning: TGT not verified."); - syslog(LOG_NOTICE, - "%s to %s%s, TGT not verified (%s); %s.%s not registered?", - username, user, ontty(), krb_err_txt[kerno], - "rcmd", savehost); - } else if (kerno != KSUCCESS) { - warnx("Unable to use TGT: %s", krb_err_txt[kerno]); - syslog(LOG_NOTICE, "failed su: %s to %s%s: %s", - username, user, ontty(), krb_err_txt[kerno]); - dest_tkt(); - return (1); - } else { - if (!(hp = gethostbyname(hostname))) { - warnx("can't get addr of %s", hostname); - dest_tkt(); - return (1); - } - memmove((char *)&faddr, (char *)hp->h_addr, sizeof(faddr)); - - if ((kerno = krb_rd_req(&ticket, "rcmd", savehost, faddr, - &authdata, "")) != KSUCCESS) { - warnx("kerberos: unable to verify rcmd ticket: %s", - krb_err_txt[kerno]); - syslog(LOG_NOTICE, - "failed su: %s to %s%s: %s", username, - user, ontty(), krb_err_txt[kerno]); - dest_tkt(); - return (1); - } - } - return (0); -} - -int -koktologin(name, toname) - char *name, *toname; -{ - AUTH_DAT *kdata; - AUTH_DAT kdata_st; - char realm[REALM_SZ]; - - if (krb_get_lrealm(realm, 1) != KSUCCESS) - return (1); - kdata = &kdata_st; - memset((char *)kdata, 0, sizeof(*kdata)); - (void)strncpy(kdata->pname, name, sizeof kdata->pname - 1); - (void)strncpy(kdata->pinst, - ((strcmp(toname, "root") == 0) ? "root" : ""), sizeof kdata->pinst - 1); - (void)strncpy(kdata->prealm, realm, sizeof kdata->prealm - 1); - return (kuserok(kdata, toname)); -} -#endif |
