[Midnightbsd-cvs] src: usr.bin/su: sync su
laffer1 at midnightbsd.org
laffer1 at midnightbsd.org
Tue Dec 9 13:26:22 EST 2008
Log Message:
-----------
sync su
Modified Files:
--------------
src/usr.bin/su:
Makefile (r1.1.1.1 -> r1.2)
su.1 (r1.1.1.2 -> r1.2)
su.c (r1.1.1.1 -> r1.2)
-------------- next part --------------
Index: su.c
===================================================================
RCS file: /home/cvs/src/usr.bin/su/su.c,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -L usr.bin/su/su.c -L usr.bin/su/su.c -u -r1.1.1.1 -r1.2
--- usr.bin/su/su.c
+++ usr.bin/su/su.c
@@ -74,13 +74,18 @@
#endif
#include <sys/cdefs.h>
-__FBSDID("$FreeBSD: src/usr.bin/su/su.c,v 1.76 2005/01/17 19:57:59 rwatson Exp $");
+__FBSDID("$FreeBSD: src/usr.bin/su/su.c,v 1.86.2.1 2007/10/24 01:04:10 davidxu Exp $");
#include <sys/param.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <sys/wait.h>
+#ifdef USE_BSM_AUDIT
+#include <bsm/libbsm.h>
+#include <bsm/audit_uevents.h>
+#endif
+
#include <err.h>
#include <errno.h>
#include <grp.h>
@@ -93,6 +98,7 @@
#include <string.h>
#include <syslog.h>
#include <unistd.h>
+#include <stdarg.h>
#include <security/pam_appl.h>
#include <security/openpam.h>
@@ -164,6 +170,10 @@
const char *p, *user, *shell, *mytty, **nargv;
struct sigaction sa, sa_int, sa_quit, sa_pipe;
int temp, fds[2];
+#ifdef USE_BSM_AUDIT
+ const char *aerr;
+ au_id_t auid;
+#endif
shell = class = cleanenv = NULL;
asme = asthem = fastlogin = statusp = 0;
@@ -204,9 +214,6 @@
usage();
/* NOTREACHED */
- if (strlen(user) > MAXLOGNAME - 1)
- errx(1, "username too long");
-
/*
* Try to provide more helpful debugging output if su(1) is running
* non-setuid, or was run from a file system not mounted setuid.
@@ -214,6 +221,21 @@
if (geteuid() != 0)
errx(1, "not running setuid");
+#ifdef USE_BSM_AUDIT
+ if (getauid(&auid) < 0 && errno != ENOSYS) {
+ syslog(LOG_AUTH | LOG_ERR, "getauid: %s", strerror(errno));
+ errx(1, "Permission denied");
+ }
+#endif
+ if (strlen(user) > MAXLOGNAME - 1) {
+#ifdef USE_BSM_AUDIT
+ if (audit_submit(AUE_su, auid,
+ 1, EPERM, "username too long: '%s'", user))
+ errx(1, "Permission denied");
+#endif
+ errx(1, "username too long");
+ }
+
nargv = malloc(sizeof(char *) * (size_t)(argc + 4));
if (nargv == NULL)
errx(1, "malloc failure");
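Review bot: `auid` is left uninitialised when `getauid()` fails with `ENOSYS`, because the new check at the top of this hunk deliberately lets that case continue, yet every later `audit_submit(AUE_su, auid, ...)` call passes it by value. Whether audit_submit() reads it when auditing is unavailable is not visible here, but passing an indeterminate value is avoidable. I would initialise it at the declaration in the previous hunk, `au_id_t auid = AU_DEFAUDITID;`, so the fallback value is explicit. The enclosing function starts and ends outside this hunk.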
@@ -239,8 +261,14 @@
pwd = getpwnam(username);
if (username == NULL || pwd == NULL || pwd->pw_uid != ruid)
pwd = getpwuid(ruid);
- if (pwd == NULL)
+ if (pwd == NULL) {
+#ifdef USE_BSM_AUDIT
+ if (audit_submit(AUE_su, auid, 1, EPERM,
+ "unable to determine invoking subject: '%s'", username))
+ errx(1, "Permission denied");
+#endif
errx(1, "who are you?");
+ }
username = strdup(pwd->pw_name);
if (username == NULL)
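Review bot: The new audit call formats `username` with `'%s'` on a path where it can be NULL, since the context line above tests `username == NULL` before falling back to `getpwuid(ruid)`. Passing NULL to `%s` is undefined behaviour, and this is the record that is supposed to describe an unidentifiable caller. I would pass `username != NULL ? username : "(unknown)"` or log `ruid` with `%lu` instead, because the real UID is the one fact that is certainly known at this point.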
@@ -275,10 +303,19 @@
retcode = pam_authenticate(pamh, 0);
if (retcode != PAM_SUCCESS) {
+#ifdef USE_BSM_AUDIT
+ if (audit_submit(AUE_su, auid, 1, EPERM, "bad su %s to %s on %s",
+ username, user, mytty))
+ errx(1, "Permission denied");
+#endif
syslog(LOG_AUTH|LOG_WARNING, "BAD SU %s to %s on %s",
username, user, mytty);
errx(1, "Sorry");
}
+#ifdef USE_BSM_AUDIT
+ if (audit_submit(AUE_su, auid, 0, 0, "successful authentication"))
+ errx(1, "Permission denied");
+#endif
retcode = pam_get_item(pamh, PAM_USER, (const void **)&p);
if (retcode == PAM_SUCCESS)
user = p;
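Review bot: In the `pam_authenticate` failure branch the `audit_submit()` call runs before the `BAD SU` syslog line, so when audit submission itself fails the process exits through `errx(1, "Permission denied")` and the failed attempt is never written to syslog. The same ordering is used in the `pam_chauthtok` and `pam_acct_mgmt` failure branches of the next hunk. Moving each `syslog(...)` call above its `#ifdef USE_BSM_AUDIT` block keeps the syslog trail complete even when the audit pipeline is broken. It is also worth a comment that an audit failure changes the user-visible message from "Sorry" to "Permission denied", since that looks deliberate (fail closed) but is not stated.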
@@ -286,20 +323,39 @@
syslog(LOG_ERR, "pam_get_item(PAM_USER): %s",
pam_strerror(pamh, retcode));
pwd = getpwnam(user);
- if (pwd == NULL)
+ if (pwd == NULL) {
+#ifdef USE_BSM_AUDIT
+ if (audit_submit(AUE_su, auid, 1, EPERM,
+ "unknown subject: %s", user))
+ errx(1, "Permission denied");
+#endif
errx(1, "unknown login: %s", user);
+ }
retcode = pam_acct_mgmt(pamh, 0);
if (retcode == PAM_NEW_AUTHTOK_REQD) {
retcode = pam_chauthtok(pamh,
PAM_CHANGE_EXPIRED_AUTHTOK);
if (retcode != PAM_SUCCESS) {
+#ifdef USE_BSM_AUDIT
+ aerr = pam_strerror(pamh, retcode);
+ if (aerr == NULL)
+ aerr = "Unknown PAM error";
+ if (audit_submit(AUE_su, auid, 1, EPERM,
+ "pam_chauthtok: %s", aerr))
+ errx(1, "Permission denied");
+#endif
syslog(LOG_ERR, "pam_chauthtok: %s",
pam_strerror(pamh, retcode));
errx(1, "Sorry");
}
}
if (retcode != PAM_SUCCESS) {
+#ifdef USE_BSM_AUDIT
+ if (audit_submit(AUE_su, auid, 1, EPERM, "pam_acct_mgmt: %s",
+ pam_strerror(pamh, retcode)))
+ errx(1, "Permission denied");
+#endif
syslog(LOG_ERR, "pam_acct_mgmt: %s",
pam_strerror(pamh, retcode));
errx(1, "Sorry");
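Review bot: The `pam_acct_mgmt` failure branch passes `pam_strerror(pamh, retcode)` straight to `%s`, while the `pam_chauthtok` branch a few lines earlier guards the same call with `if (aerr == NULL) aerr = "Unknown PAM error";`. If the NULL guard is needed in one place it is needed in both, so I would reuse `aerr` here: `aerr = pam_strerror(pamh, retcode); if (aerr == NULL) aerr = "Unknown PAM error";` and pass `aerr` to `audit_submit()`. The neighbouring `syslog()` calls format the same unguarded return value; they are unchanged by this commit but have the same exposure.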
@@ -309,8 +365,14 @@
if (class == NULL)
lc = login_getpwclass(pwd);
else {
- if (ruid != 0)
+ if (ruid != 0) {
+#ifdef USE_BSM_AUDIT
+ if (audit_submit(AUE_su, auid, 1, EPERM,
+ "only root may use -c"))
+ errx(1, "Permission denied");
+#endif
errx(1, "only root may use -c");
+ }
lc = login_getclass(class);
if (lc == NULL)
errx(1, "unknown class: %s", class);
@@ -341,12 +403,6 @@
}
setpriority(PRIO_PROCESS, 0, prio);
- /* Switch to home directory */
- if (asthem) {
- if (chdir(pwd->pw_dir) < 0)
- errx(1, "no directory");
- }
-
/*
* PAM modules might add supplementary groups in pam_setcred(), so
* initialize them first.
@@ -393,14 +449,20 @@
sigaction(SIGTTOU, &sa, NULL);
close(fds[0]);
setpgid(child_pid, child_pid);
- tcsetpgrp(STDERR_FILENO, child_pid);
+ if (tcgetpgrp(STDERR_FILENO) == getpgrp())
+ tcsetpgrp(STDERR_FILENO, child_pid);
close(fds[1]);
sigaction(SIGPIPE, &sa_pipe, NULL);
while ((pid = waitpid(child_pid, &statusp, WUNTRACED)) != -1) {
if (WIFSTOPPED(statusp)) {
- kill(getpid(), SIGSTOP);
child_pgrp = getpgid(child_pid);
- tcsetpgrp(1, child_pgrp);
+ if (tcgetpgrp(STDERR_FILENO) == child_pgrp)
+ tcsetpgrp(STDERR_FILENO, getpgrp());
+ kill(getpid(), SIGSTOP);
+ if (tcgetpgrp(STDERR_FILENO) == getpgrp()) {
+ child_pgrp = getpgid(child_pid);
+ tcsetpgrp(STDERR_FILENO, child_pgrp);
+ }
kill(child_pid, SIGCONT);
statusp = 1;
continue;
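Review bot: The new terminal hand-off around `kill(getpid(), SIGSTOP)` has no comment, and its correctness depends entirely on the order of the three steps, so it should be documented. I would add at the top of the `WIFSTOPPED` branch `/* Reclaim the tty if the child holds it, stop ourselves, then hand the tty back only if we were resumed in the foreground. */`. The results of `tcgetpgrp()`, `getpgid()` and `tcsetpgrp()` are not checked. If `tcgetpgrp()` and `getpgid()` both fail, both return -1 and the first comparison matches; that looks harmless here but deserves a word in the comment. The `while` loop continues outside the hunk.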
@@ -470,6 +532,10 @@
LOGIN_SETENV);
if (p)
setenv("TERM", p, 1);
+
+ p = pam_getenv(pamh, "HOME");
+ if (chdir(p ? p : pwd->pw_dir) < 0)
+ errx(1, "no directory");
}
}
login_close(lc);
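Review bot: The target directory for `chdir()` now comes from the PAM environment's `HOME` when that is set, and only otherwise from `pwd->pw_dir`, but the failure message is still the bare `"no directory"`. With two possible sources, the message should name the path and the error, for example `err(1, "%s", p ? p : pwd->pw_dir);`. A short comment that `HOME` from PAM is trusted over the passwd entry would also help anyone reviewing `/etc/pam.d/su`, since a module that sets `HOME` now decides where the session starts. The enclosing block begins outside the hunk.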
@@ -496,10 +562,14 @@
export_pam_environment(void)
{
char **pp;
+ char *p;
for (pp = environ_pam; *pp != NULL; pp++) {
- if (ok_to_export(*pp))
- putenv(*pp);
+ if (ok_to_export(*pp)) {
+ p = strchr(*pp, '=');
+ *p = '\0';
+ setenv(*pp, p + 1, 1);
+ }
free(*pp);
}
}
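Review bot: `p = strchr(*pp, '=');` is dereferenced on the next line without a NULL check, so an entry in `environ_pam` that has no `=` would crash a setuid-root process unless `ok_to_export()` already rejects such entries (its body is not visible in this hunk). If it does, a one-line comment stating so is enough; otherwise guard it with `if (p == NULL) continue;` placed after the `free(*pp)` logic is accounted for. The return value of `setenv()` is also ignored, so an allocation failure silently drops a PAM-provided variable; `if (setenv(*pp, p + 1, 1) != 0) err(1, "setenv");` would make that visible.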
Index: Makefile
===================================================================
RCS file: /home/cvs/src/usr.bin/su/Makefile,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -L usr.bin/su/Makefile -L usr.bin/su/Makefile -u -r1.1.1.1 -r1.2
--- usr.bin/su/Makefile
+++ usr.bin/su/Makefile
@@ -1,11 +1,19 @@
# @(#)Makefile 8.1 (Berkeley) 7/19/93
-# $FreeBSD: src/usr.bin/su/Makefile,v 1.40 2004/11/03 18:01:21 ru Exp $
+# $FreeBSD: src/usr.bin/su/Makefile,v 1.41 2006/09/01 13:39:02 csjp Exp $
+
+.include <bsd.own.mk>
PROG= su
DPADD= ${LIBUTIL} ${LIBPAM}
LDADD= -lutil ${MINUSLPAM}
+.if ${MK_AUDIT} != "no"
+CFLAGS+= -DUSE_BSM_AUDIT
+DPADD+= ${LIBBSM}
+LDADD+= -lbsm
+.endif
+
BINOWN= root
BINMODE=4555
PRECIOUSPROG=
Index: su.1
===================================================================
RCS file: /home/cvs/src/usr.bin/su/su.1,v
retrieving revision 1.1.1.2
retrieving revision 1.2
diff -L usr.bin/su/su.1 -L usr.bin/su/su.1 -u -r1.1.1.2 -r1.2
--- usr.bin/su/su.1
+++ usr.bin/su/su.1
@@ -30,9 +30,9 @@
.\" SUCH DAMAGE.
.\"
.\" @(#)su.1 8.2 (Berkeley) 4/18/94
-.\" $FreeBSD: src/usr.bin/su/su.1,v 1.36.2.1 2006/01/31 20:32:36 brd Exp $
+.\" $FreeBSD: src/usr.bin/su/su.1,v 1.40 2007/07/24 06:41:07 delphij Exp $
.\"
-.Dd January 27, 2006
+.Dd September 13, 2006
.Dt SU 1
.Os
.Sh NAME
@@ -59,11 +59,11 @@
.Dq Li wheel
group can switch to UID 0
.Pq Dq Li root .
-This group requirement may be changed by modifying the
+This group requirement may be changed by modifying the
.Dq Li pam_group
-section of
+section of
.Pa /etc/pam.d/su .
-See
+See
.Xr pam_group 8
for details on how to modify this setting.
.Pp
@@ -202,7 +202,7 @@
as user
.Li man .
You will be asked for man's password unless your real UID is 0.
-.It Li "su man -c 'catman /usr/share/man /usr/local/man /usr/X11R6/man'"
+.It Li "su man -c 'catman /usr/share/man /usr/local/man'"
Same as above, but the target command consists of more than a
single word and hence is quoted for use with the
.Fl c
@@ -210,7 +210,7 @@
(Most shells expect the argument to
.Fl c
to be a single word).
-.It Li "su -c staff man -c 'catman /usr/share/man /usr/local/man /usr/X11R6/man'"
+.It Li "su -c staff man -c 'catman /usr/share/man /usr/local/man'"
Same as above, but the target command is run with the resource limits of
the login class
.Dq staff .
@@ -233,7 +233,6 @@
.Xr login.conf 5 ,
.Xr passwd 5 ,
.Xr environ 7 ,
-.Xr pam 8 ,
.Xr pam_group 8
.Sh HISTORY
A