logo

skeud

Simple and portable utilities to deal with user accounts (su, login)git clone https://anongit.hacktivis.me/git/skeud.git/

suc.c (4818B)

    

  1. // SPDX-FileCopyrightText: 2022-2023 Haelwenn (lanodan) Monnier <contact+skeud@hacktivis.me>
  2. // SPDX-License-Identifier: MPL-2.0
  4. #define _POSIX_C_SOURCE 202405L
  5. // for explicit_bzero, initgroups
  6. #define _DEFAULT_SOURCE
  8. #ifdef __linux__
  9. // I love linux extensions (no)
  10. #include <shadow.h> /* getspnam */
  11. #endif
  13. #include "common.h" // skeud_getpass, skeud_crypt_check
  15. #include <assert.h>  // assert
  16. #include <errno.h>   // errno
  17. #include <grp.h>     // initgroups
  18. #include <limits.h>  // NAME_MAX
  19. #include <pwd.h>     // getpwnam
  20. #include <stdbool.h> // bool
  21. #include <stdio.h>   // fprintf, perror
  22. #include <stdlib.h>  // abort, setenv
  23. #include <string.h>  // strcmp, explicit_bzero
  24. #include <unistd.h>  // getuid, getopt, opt*, chdir, setuid, setgid
  26. extern char **environ;
  27. char *envclear[]  = {NULL};
  28. const char *argv0 = "suc";
  30. int
  31. main(int argc, char *argv[])
  32. {
  33. 	bool opt_l           = false;
  34. 	bool opt_p           = false;
  35. 	const char *username = "root";
  36. 	struct passwd *pwent = NULL;
  37. 	char *shell          = NULL;
  39. 	if(geteuid() != 0)
  40. 	{
  41. 		fputs("suc: error: Not effectively super-user. Missing setuid?\n", stderr);
  42. 		return 1;
  43. 	}
  45. 	int c = EOF;
  46. 	/* flawfinder: ignore CWE-120, CWE-20 */
  47. 	while((c = getopt(argc, argv, ":ls:pu:")) != EOF)
  48. 	{
  49. 		switch(c)
  50. 		{
  51. 		case 'l': // login-mode
  52. 			opt_l = true;
  53. 			break;
  54. 		case 's': // shell
  55. 			if(getuid() != 0)
  56. 			{
  57. 				fputs("suc: error: Only the super-user can override the target shell\n", stderr);
  58. 				return 1;
  59. 			}
  61. 			shell = optarg;
  62. 			break;
  63. 		case 'p': // preserve environment
  64. 			if(getuid() != 0)
  65. 			{
  66. 				fputs("suc: error: Only the super-user can preserve the environment\n", stderr);
  67. 				return 1;
  68. 			}
  70. 			opt_p = true;
  71. 			break;
  72. 		case 'u': // username
  73. 			username = optarg;
  74. 			break;
  75. 		case ':':
  76. 			fprintf(stderr, "suc: error: Option -%c requires an operand\n", optopt);
  77. 			return 1;
  78. 		case '?':
  79. 			fprintf(stderr, "suc: error: Unrecognized option: '-%c'\n", optopt);
  80. 			return 1;
  81. 		default:
  82. 			fputs("suc: error: Unknown getopt state, aborting\n", stderr);
  83. 			abort();
  84. 		}
  85. 	}
  87. 	argc -= optind;
  88. 	argv += optind;
  90. 	errno = 0;
  91. 	pwent = getpwnam(username);
  93. 	if(pwent == NULL)
  94. 	{
  95. 		if(errno != 0)
  96. 		{
  97. 			perror("suc: error: Failed getting passwd entry");
  98. 		}
  99. 		else
  100. 		{
  101. 			fprintf(stderr, "suc: error: getpwnam: No entry found for user %s\n", username);
  102. 		}
  104. 		return 1;
  105. 	}
  107. 	if(shell == NULL)
  108. 	{
  109. 		if(pwent->pw_shell)
  110. 		{
  111. 			shell = pwent->pw_shell;
  112. 		}
  113. 		else
  114. 		{
  115. 			fprintf(stderr, "suc: error: No shell entry for user %s\n", username);
  117. 			return 1;
  118. 		}
  119. 	}
  121. 	fprintf(stderr, "suc: info: Authenticating as %s\n", username);
  123. 	if(getuid() != 0)
  124. 	{
  125. 		char *pw_hash = NULL;
  126. 		if(pwent->pw_passwd)
  127. 		{
  128. 			pw_hash = pwent->pw_passwd;
  129. 		}
  131. #ifdef __linux__
  132. 		// Always fetched to avoid potentially leaking passwd contents
  133. 		errno              = 0;
  134. 		struct spwd *swent = getspnam(username);
  135. 		if(errno != 0)
  136. 		{
  137. 			perror("suc: warning: getspnam");
  138. 		}
  139. 		else
  140. 		{
  141. 			if(pw_hash && pw_hash[0] == 'x' && pw_hash[1] == 0)
  142. 			{
  143. 				pw_hash = swent->sp_pwdp;
  144. 			}
  146. 			explicit_bzero(swent, sizeof(swent));
  147. 			swent = NULL;
  148. 		}
  149. #endif /* __linux__ */
  151. 		char *password = NULL;
  152. 		ssize_t got    = skeud_getpass(&password);
  153. 		if(got < 0)
  154. 		{
  155. 			free(password);
  156. 			return 1;
  157. 		}
  159. 		bool valid_p = skeud_crypt_check(pw_hash, password);
  160. 		explicit_bzero(password, got);
  161. 		free(password);
  162. 		if(pw_hash) explicit_bzero(pw_hash, sizeof(pw_hash));
  164. 		if(!valid_p)
  165. 		{
  166. 			sleep(2);
  167. 			fprintf(stderr, "suc: error: Invalid username or password\n");
  168. 			return 1;
  169. 		}
  170. 	}
  172. 	if(!opt_p)
  173. 	{
  174. 		char *term = getenv("TERM");
  175. 		environ    = envclear;
  176. 		if(term)
  177. 		{
  178. 			setenv("TERM", term, 1);
  179. 		}
  180. 	}
  182. 	if(setgid(pwent->pw_gid) < 0)
  183. 	{
  184. 		perror("suc: error: setgid");
  185. 		return 1;
  186. 	}
  187. 	if(initgroups(username, pwent->pw_gid) < 0)
  188. 	{
  189. 		perror("suc: error: initgroups");
  190. 		return 1;
  191. 	}
  192. 	if(setuid(pwent->pw_uid) < 0)
  193. 	{
  194. 		perror("suc: error: setuid");
  195. 		return 1;
  196. 	}
  198. 	const char *home = pwent->pw_dir ? pwent->pw_dir : "/";
  199. 	setenv("HOME", home, 1);
  201. 	static char shell0[NAME_MAX] = "sh";
  202. 	if(opt_l)
  203. 	{
  204. 		const char *sh_basename = strrchr(shell, '/');
  206. 		sh_basename = sh_basename ? sh_basename + 1 : shell;
  208. 		strlcpy(shell0, "-sh", NAME_MAX - 1);
  209. 		strlcpy(shell0 + 1, sh_basename, NAME_MAX - 1);
  211. 		if(chdir(home) != 0) perror("suc: chdir");
  212. 	}
  214. 	explicit_bzero(pwent, sizeof(pwent));
  215. 	pwent = NULL;
  217. 	setenv("USER", username, 1);
  218. 	setenv("LOGNAME", username, 1);
  219. 	setenv("SHELL", shell, 1);
  220. 	setenv("IFS", " \t\n", 1);
  222. 	static char *args_shell0[] = {shell0, NULL};
  224. 	char **args = argc > 0 ? argv : args_shell0;
  225. 	char *arg0  = argc > 0 ? argv[0] : shell;
  227. 	errno = 0;
  228. 	/* flawfinder: ignore CWE-78 */
  229. 	int ret = execvp(arg0, args);
  230. 	if(ret < 0)
  231. 	{
  232. 		if(errno == ENOENT)
  233. 		{
  234. 			perror("suc: execve");
  235. 			return 127;
  236. 		}
  237. 		else
  238. 		{
  239. 			perror("suc: execve");
  240. 			return 126;
  241. 		}
  242. 	}
  243. }