Changeset 3232 in MondoRescue for branches/3.2/mindi-busybox/loginutils/login.c

Timestamp:

Jan 1, 2014, 12:47:38 AM (10 years ago)

Author:

Bruno Cornec

Message:

• Update mindi-busybox to 1.21.1

File:

• branches/3.2/mindi-busybox/loginutils/login.c (modified) (18 diffs)

branches/3.2/mindi-busybox/loginutils/login.c

@@ -3 +3 @@
  * Licensed under GPLv2 or later, see file LICENSE in this source tree.
  */
+
+//usage:#define login_trivial_usage
+//usage:       "[-p] [-h HOST] [[-f] USER]"
+//usage:#define login_full_usage "\n\n"
+//usage:       "Begin a new session on the system\n"
+//usage:     "\n    -f  Don't authenticate (user already authenticated)"
+//usage:     "\n    -h  Name of the remote host"
+//usage:     "\n    -p  Preserve environment"
+
 #include "libbb.h"
 #include <syslog.h>
-#if ENABLE_FEATURE_UTMP
-# include <utmp.h> /* USER_PROCESS */
-#endif
 #include <sys/resource.h>
 
@@ -32 +38 @@
     TIMEOUT = 60,
     EMPTY_USERNAME_COUNT = 10,
-    USERNAME_SIZE = 32,
+    /* Some users found 32 chars limit to be too low: */
+    USERNAME_SIZE = 64,
     TTYNAME_SIZE = 32,
 };
 
-static char* short_tty;
+struct globals {
+    struct termios tty_attrs;
+} FIX_ALIASING;
+#define G (*(struct globals*)&bb_common_bufsiz1)
+#define INIT_G() do { } while (0)
+
 
 #if ENABLE_FEATURE_NOLOGIN
@@ -69 +81 @@
 
 #if ENABLE_FEATURE_SECURETTY && !ENABLE_PAM
-static int check_securetty(void)
+static int check_securetty(const char *short_tty)
 {
     char *buf = (char*)"/etc/securetty"; /* any non-NULL is ok */
@@ -84 +96 @@
 }
 #else
-static ALWAYS_INLINE int check_securetty(void) { return 1; }
+static ALWAYS_INLINE int check_securetty(const char *short_tty UNUSED_PARAM) { return 1; }
 #endif
 
@@ -137 +149 @@
 #endif
 
+#if ENABLE_LOGIN_SESSION_AS_CHILD && ENABLE_PAM
+static void login_pam_end(pam_handle_t *pamh)
+{
+    int pamret;
+
+    pamret = pam_setcred(pamh, PAM_DELETE_CRED);
+    if (pamret != PAM_SUCCESS) {
+        bb_error_msg("pam_%s failed: %s (%d)", "setcred",
+            pam_strerror(pamh, pamret), pamret);
+    }
+    pamret = pam_close_session(pamh, 0);
+    if (pamret != PAM_SUCCESS) {
+        bb_error_msg("pam_%s failed: %s (%d)", "close_session",
+            pam_strerror(pamh, pamret), pamret);
+    }
+    pamret = pam_end(pamh, pamret);
+    if (pamret != PAM_SUCCESS) {
+        bb_error_msg("pam_%s failed: %s (%d)", "end",
+            pam_strerror(pamh, pamret), pamret);
+    }
+}
+#endif /* ENABLE_PAM */
+
 static void get_username_or_die(char *buf, int size_buf)
 {
@@ -180 +215 @@
 static void alarm_handler(int sig UNUSED_PARAM)
 {
-    /* This is the escape hatch!  Poor serial line users and the like
+    /* This is the escape hatch! Poor serial line users and the like
      * arrive here when their connection is broken.
      * We don't want to block here */
-    ndelay_on(1);
-    printf("\r\nLogin timed out after %d seconds\r\n", TIMEOUT);
+    ndelay_on(STDOUT_FILENO);
+    /* Test for correct attr restoring:
+     * run "getty 0 -" from a shell, enter bogus username, stop at
+     * password prompt, let it time out. Without the tcsetattr below,
+     * when you are back at shell prompt, echo will be still off.
+     */
+    tcsetattr_stdin_TCSANOW(&G.tty_attrs);
+    printf("\r\nLogin timed out after %u seconds\r\n", TIMEOUT);
     fflush_all();
     /* unix API is brain damaged regarding O_NONBLOCK,
      * we should undo it, or else we can affect other processes */
-    ndelay_off(1);
+    ndelay_off(STDOUT_FILENO);
     _exit(EXIT_SUCCESS);
 }
@@ -202 +243 @@
     char *fromhost;
     char username[USERNAME_SIZE];
-    const char *shell;
     int run_by_root;
     unsigned opt;
@@ -210 +250 @@
     char *opt_user = opt_user; /* for compiler */
     char *full_tty;
+    char *short_tty;
     IF_SELINUX(security_context_t user_sid = NULL;)
 #if ENABLE_PAM
@@ -218 +259 @@
     struct passwd pwdstruct;
     char pwdbuf[256];
-#endif
-
-    username[0] = '\0';
-    signal(SIGALRM, alarm_handler);
-    alarm(TIMEOUT);
+    char **pamenv;
+#endif
+#if ENABLE_LOGIN_SESSION_AS_CHILD
+    pid_t child_pid;
+#endif
+
+    INIT_G();
 
     /* More of suid paranoia if called by non-root: */
@@ -234 +277 @@
     bb_daemonize_or_rexec(DAEMON_ONLY_SANITIZE | DAEMON_CLOSE_EXTRA_FDS, NULL);
 
+    username[0] = '\0';
     opt = getopt32(argv, "f:h:p", &opt_user, &opt_host);
     if (opt & LOGIN_OPT_f) {
@@ -244 +288 @@
         safe_strncpy(username, argv[0], sizeof(username));
 
-    /* Let's find out and memorize our tty */
-    if (!isatty(STDIN_FILENO) || !isatty(STDOUT_FILENO) || !isatty(STDERR_FILENO))
+    /* Save tty attributes - and by doing it, check that it's indeed a tty */
+    if (tcgetattr(STDIN_FILENO, &G.tty_attrs) < 0
+     || !isatty(STDOUT_FILENO)
+     /*|| !isatty(STDERR_FILENO) - no, guess some people might want to redirect this */
+    ) {
         return EXIT_FAILURE;  /* Must be a terminal */
+    }
+
+    /* We install timeout handler only _after_ we saved G.tty_attrs */
+    signal(SIGALRM, alarm_handler);
+    alarm(TIMEOUT);
+
+    /* Find out and memorize our tty name */
     full_tty = xmalloc_ttyname(STDIN_FILENO);
     if (!full_tty)
@@ -282 +336 @@
             goto pam_auth_failed;
         }
-        pamret = pam_authenticate(pamh, 0);
-        if (pamret != PAM_SUCCESS) {
-            failed_msg = "authenticate";
-            goto pam_auth_failed;
-            /* TODO: or just "goto auth_failed"
-             * since user seems to enter wrong password
-             * (in this case pamret == 7)
-             */
+        /* set RHOST */
+        if (opt_host) {
+            pamret = pam_set_item(pamh, PAM_RHOST, opt_host);
+            if (pamret != PAM_SUCCESS) {
+                failed_msg = "set_item(RHOST)";
+                goto pam_auth_failed;
+            }
+        }
+        if (!(opt & LOGIN_OPT_f)) {
+            pamret = pam_authenticate(pamh, 0);
+            if (pamret != PAM_SUCCESS) {
+                failed_msg = "authenticate";
+                goto pam_auth_failed;
+                /* TODO: or just "goto auth_failed"
+                 * since user seems to enter wrong password
+                 * (in this case pamret == 7)
+                 */
+            }
         }
         /* check that the account is healthy */
@@ -346 +410 @@
             break; /* -f USER: success without asking passwd */
 
-        if (pw->pw_uid == 0 && !check_securetty())
+        if (pw->pw_uid == 0 && !check_securetty(short_tty))
             goto auth_failed;
 
@@ -353 +417 @@
             break;
  fake_it:
-        /* authorization takes place here */
+        /* Password reading and authorization takes place here.
+         * Note that reads (in no-echo mode) trash tty attributes.
+         * If we get interrupted by SIGALRM, we need to restore attrs.
+         */
         if (correct_password(pw))
             break;
@@ -359 +426 @@
  auth_failed:
         opt &= ~LOGIN_OPT_f;
-        bb_do_delay(FAIL_DELAY);
+        bb_do_delay(LOGIN_FAIL_DELAY);
         /* TODO: doesn't sound like correct English phrase to me */
         puts("Login incorrect");
@@ -380 +447 @@
         die_if_nologin();
 
-    IF_SELINUX(initselinux(username, full_tty, &user_sid));
+#if ENABLE_LOGIN_SESSION_AS_CHILD
+    child_pid = vfork();
+    if (child_pid != 0) {
+        if (child_pid < 0)
+            bb_perror_msg("vfork");
+        else {
+            if (safe_waitpid(child_pid, NULL, 0) == -1)
+                bb_perror_msg("waitpid");
+            update_utmp(child_pid, DEAD_PROCESS, NULL, NULL, NULL);
+        }
+        IF_PAM(login_pam_end(pamh);)
+        return 0;
+    }
+#endif
+
+    IF_SELINUX(initselinux(username, full_tty, &user_sid);)
 
     /* Try these, but don't complain if they fail.
@@ -394 +476 @@
 
     change_identity(pw);
-    shell = pw->pw_shell;
-    if (!shell || !shell[0])
-        shell = DEFAULT_SHELL;
-    setup_environment(shell,
+    setup_environment(pw->pw_shell,
             (!(opt & LOGIN_OPT_p) * SETUP_ENV_CLEARENV) + SETUP_ENV_CHANGEENV,
             pw);
+
+#if ENABLE_PAM
+    /* Modules such as pam_env will setup the PAM environment,
+     * which should be copied into the new environment. */
+    pamenv = pam_getenvlist(pamh);
+    if (pamenv) while (*pamenv) {
+        putenv(*pamenv);
+        pamenv++;
+    }
+#endif
 
     motd();
@@ -435 +524 @@
 
     /* Exec login shell with no additional parameters */
-    run_shell(shell, 1, NULL, NULL);
+    run_shell(pw->pw_shell, 1, NULL, NULL);
 
     /* return EXIT_FAILURE; - not reached */