1 /* su for GNU. Run a shell with substitute user and group IDs.
2 Copyright (C) 92, 93, 1994 Free Software Foundation, Inc.
4 This program is free software; you can redistribute it and/or modify
5 it under the terms of the GNU General Public License as published by
6 the Free Software Foundation; either version 2, or (at your option)
9 This program is distributed in the hope that it will be useful,
10 but WITHOUT ANY WARRANTY; without even the implied warranty of
11 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 GNU General Public License for more details.
14 You should have received a copy of the GNU General Public License
15 along with this program; if not, write to the Free Software
16 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */
18 /* Run a shell with the real and effective UID and GID and groups
19 of USER, default `root'.
21 The shell run is taken from USER's password entry, /bin/sh if
22 none is specified there. If the account has a password, su
23 prompts for a password unless run by a user with real UID 0.
25 Does not change the current directory.
26 Sets `HOME' and `SHELL' from the password entry for USER, and if
27 USER is not root, sets `USER' and `LOGNAME' to USER.
28 The subshell is not a login shell.
30 If one or more ARGs are given, they are passed as additional
31 arguments to the subshell.
33 Does not handle /bin/sh or other shells specially
34 (setting argv[0] to "-su", passing -c only to certain shells, etc.).
35 I don't see the point in doing that, and it's ugly.
37 This program intentionally does not support a "wheel group" that
38 restricts who can su to UID 0 accounts. RMS considers that to
42 -, -l, --login Make the subshell a login shell.
43 Unset all environment variables except
44 TERM, HOME and SHELL (set as above), and USER
45 and LOGNAME (set unconditionally as above), and
46 set PATH to a default value.
47 Change to USER's home directory.
48 Prepend "-" to the shell's name.
49 -c, --commmand=COMMAND
50 Pass COMMAND to the subshell with a -c option
51 instead of starting an interactive shell.
52 -f, --fast Pass the -f option to the subshell.
53 -m, -p, --preserve-environment
54 Do not change HOME, USER, LOGNAME, SHELL.
55 Run $SHELL instead of USER's shell from /etc/passwd
56 unless not the superuser and USER's shell is
58 Overridden by --login and --shell.
59 -s, --shell=shell Run SHELL instead of USER's shell from /etc/passwd
60 unless not the superuser and USER's shell is
64 -DSYSLOG_SUCCESS Log successful su's (by default, to root) with syslog.
65 -DSYSLOG_FAILURE Log failed su's (by default, to root) with syslog.
67 -DSYSLOG_NON_ROOT Log all su's, not just those to root (UID 0).
68 Never logs attempted su's to nonexistent accounts.
70 Written by David MacKenzie <djm@gnu.ai.mit.edu>. */
73 #if defined (CONFIG_BROKETS)
74 /* We use <config.h> instead of "config.h" so that a compilation
75 using -I. -I$srcdir will use ./config.h rather than $srcdir/config.h
76 (which it would do because it found this file in $srcdir). */
85 #include <sys/types.h>
92 static void log_su ();
93 #else /* !HAVE_SYSLOG_H */
100 #ifdef SYSLOG_NON_ROOT
101 #undef SYSLOG_NON_ROOT
103 #endif /* !HAVE_SYSLOG_H */
105 #ifdef _POSIX_VERSION
110 #define NGROUPS_MAX sysconf (_SC_NGROUPS_MAX)
111 #else /* not _POSIX_VERSION */
112 struct passwd *getpwuid ();
113 struct group *getgrgid ();
115 #include <sys/param.h>
116 #if !defined(NGROUPS_MAX) && defined(NGROUPS)
117 #define NGROUPS_MAX NGROUPS
119 #endif /* not _POSIX_VERSION */
132 /* The default PATH for simulated logins to non-superuser accounts. */
133 #define DEFAULT_LOGIN_PATH ":/usr/ucb:/bin:/usr/bin"
135 /* The default PATH for simulated logins to superuser accounts. */
136 #define DEFAULT_ROOT_LOGIN_PATH "/usr/ucb:/bin:/usr/bin:/etc"
138 /* The shell to run if none is given in the user's passwd entry. */
139 #define DEFAULT_SHELL "/bin/sh"
141 /* The user to become if none is specified. */
142 #define DEFAULT_USER "root"
146 char *getusershell ();
147 void endusershell ();
148 void setusershell ();
156 static char *concat ();
157 static int correct_password ();
158 static int elements ();
159 static int restricted_shell ();
160 static void change_identity ();
161 static void modify_environment ();
162 static void run_shell ();
163 static void usage ();
164 static void xputenv ();
166 extern char **environ;
168 /* The name this program was run with. */
171 /* If non-zero, display usage information and exit. */
172 static int show_help;
174 /* If non-zero, print the version on standard output and exit. */
175 static int show_version;
177 /* If nonzero, pass the `-f' option to the subshell. */
178 static int fast_startup;
180 /* If nonzero, simulate a login instead of just starting a shell. */
181 static int simulate_login;
183 /* If nonzero, change some environment vars to indicate the user su'd to. */
184 static int change_environment;
186 static struct option const longopts[] =
188 {"command", required_argument, 0, 'c'},
189 {"fast", no_argument, &fast_startup, 1},
190 {"help", no_argument, &show_help, 1},
191 {"login", no_argument, &simulate_login, 1},
192 {"preserve-environment", no_argument, &change_environment, 0},
193 {"shell", required_argument, 0, 's'},
194 {"version", no_argument, &show_version, 1},
204 char *new_user = DEFAULT_USER;
206 char **additional_args = 0;
209 struct passwd pw_copy;
211 program_name = argv[0];
214 change_environment = 1;
216 while ((optc = getopt_long (argc, argv, "c:flmps:", longopts, (int *) 0))
238 change_environment = 0;
252 printf ("su - %s\n", version_string);
259 if (optind < argc && !strcmp (argv[optind], "-"))
265 new_user = argv[optind++];
267 additional_args = argv + optind;
269 pw = getpwnam (new_user);
271 error (1, 0, "user %s does not exist", new_user);
274 /* Make a copy of the password information and point pw at the local
275 copy instead. Otherwise, some systems (e.g. Linux) would clobber
276 the static data through the getlogin call from log_su. */
279 pw->pw_name = xstrdup (pw->pw_name);
280 pw->pw_dir = xstrdup (pw->pw_dir);
281 pw->pw_shell = xstrdup (pw->pw_shell);
283 if (!correct_password (pw))
285 #ifdef SYSLOG_FAILURE
288 error (1, 0, "incorrect password");
290 #ifdef SYSLOG_SUCCESS
297 if (pw->pw_shell == 0 || pw->pw_shell[0] == 0)
298 pw->pw_shell = DEFAULT_SHELL;
299 if (shell == 0 && change_environment == 0)
300 shell = getenv ("SHELL");
301 if (shell != 0 && getuid () && restricted_shell (pw->pw_shell))
303 /* The user being su'd to has a nonstandard shell, and so is
304 probably a uucp account or has restricted access. Don't
305 compromise the account by allowing access with a standard
307 error (0, 0, "using restricted shell %s", pw->pw_shell);
312 shell = xstrdup (pw->pw_shell);
314 modify_environment (pw, shell);
316 change_identity (pw);
317 if (simulate_login && chdir (pw->pw_dir))
318 error (0, errno, "warning: cannot change directory to %s", pw->pw_dir);
320 run_shell (shell, command, additional_args);
323 /* Ask the user for a password.
324 Return 1 if the user gives the correct password for entry PW,
325 0 if not. Return 1 without asking for a password if run by UID 0
326 or if PW has an empty password. */
329 correct_password (pw)
332 char *unencrypted, *encrypted, *correct;
334 /* Shadow passwd stuff for SVR3 and maybe other systems. */
335 struct spwd *sp = getspnam (pw->pw_name);
339 correct = sp->sp_pwdp;
342 correct = pw->pw_passwd;
344 if (getuid () == 0 || correct == 0 || correct[0] == '\0')
347 unencrypted = getpass ("Password:");
348 if (unencrypted == NULL)
350 error (0, 0, "getpass: cannot open /dev/tty");
353 encrypted = crypt (unencrypted, correct);
354 bzero (unencrypted, strlen (unencrypted));
355 return strcmp (encrypted, correct) == 0;
358 /* Update `environ' for the new shell based on PW, with SHELL being
359 the value for the SHELL environment variable. */
362 modify_environment (pw, shell)
370 /* Leave TERM unchanged. Set HOME, SHELL, USER, LOGNAME, PATH.
371 Unset all other environment variables. */
372 term = getenv ("TERM");
373 environ = (char **) xmalloc (2 * sizeof (char *));
376 xputenv (concat ("TERM", "=", term));
377 xputenv (concat ("HOME", "=", pw->pw_dir));
378 xputenv (concat ("SHELL", "=", shell));
379 xputenv (concat ("USER", "=", pw->pw_name));
380 xputenv (concat ("LOGNAME", "=", pw->pw_name));
381 xputenv (concat ("PATH", "=", pw->pw_uid
382 ? DEFAULT_LOGIN_PATH : DEFAULT_ROOT_LOGIN_PATH));
386 /* Set HOME, SHELL, and if not becoming a super-user,
388 if (change_environment)
390 xputenv (concat ("HOME", "=", pw->pw_dir));
391 xputenv (concat ("SHELL", "=", shell));
394 xputenv (concat ("USER", "=", pw->pw_name));
395 xputenv (concat ("LOGNAME", "=", pw->pw_name));
401 /* Become the user and group(s) specified by PW. */
409 if (initgroups (pw->pw_name, pw->pw_gid) == -1)
410 error (1, errno, "cannot set groups");
413 if (setgid (pw->pw_gid))
414 error (1, errno, "cannot set group id");
415 if (setuid (pw->pw_uid))
416 error (1, errno, "cannot set user id");
419 /* Run SHELL, or DEFAULT_SHELL if SHELL is empty.
420 If COMMAND is nonzero, pass it to the shell with the -c option.
421 If ADDITIONAL_ARGS is nonzero, pass it to the shell as more
425 run_shell (shell, command, additional_args)
428 char **additional_args;
434 args = (char **) xmalloc (sizeof (char *)
435 * (10 + elements (additional_args)));
437 args = (char **) xmalloc (sizeof (char *) * 10);
440 args[0] = xmalloc (strlen (shell) + 2);
442 strcpy (args[0] + 1, basename (shell));
445 args[0] = basename (shell);
447 args[argno++] = "-f";
450 args[argno++] = "-c";
451 args[argno++] = command;
454 for (; *additional_args; ++additional_args)
455 args[argno++] = *additional_args;
458 error (1, errno, "cannot run %s", shell);
461 #if defined (SYSLOG_SUCCESS) || defined (SYSLOG_FAILURE)
462 /* Log the fact that someone has run su to the user given by PW;
463 if SUCCESSFUL is nonzero, they gave the correct password, etc. */
466 log_su (pw, successful)
470 char *new_user, *old_user, *tty;
472 #ifndef SYSLOG_NON_ROOT
476 new_user = pw->pw_name;
477 /* The utmp entry (via getlogin) is probably the best way to identify
478 the user, especially if someone su's from a su-shell. */
479 old_user = getlogin ();
480 if (old_user == NULL)
485 /* 4.2BSD openlog doesn't have the third parameter. */
486 openlog (basename (program_name), 0
492 #ifdef SYSLOG_NON_ROOT
493 "%s(to %s) %s on %s",
497 successful ? "" : "FAILED SU ",
498 #ifdef SYSLOG_NON_ROOT
506 /* Return 1 if SHELL is a restricted shell (one not returned by
507 getusershell), else 0, meaning it is a standard shell. */
510 restricted_shell (shell)
516 while ((line = getusershell ()) != NULL)
518 if (*line != '#' && strcmp (line, shell) == 0)
528 /* Return the number of elements in ARR, a null-terminated array. */
536 for (n = 0; *arr; ++arr)
541 /* Add VAL to the environment, checking for out of memory errors. */
548 error (1, 0, "virtual memory exhausted");
551 /* Return a newly-allocated string whose contents concatenate
552 those of S1, S2, S3. */
558 int len1 = strlen (s1), len2 = strlen (s2), len3 = strlen (s3);
559 char *result = (char *) xmalloc (len1 + len2 + len3 + 1);
562 strcpy (result + len1, s2);
563 strcpy (result + len1 + len2, s3);
564 result[len1 + len2 + len3] = 0;
574 fprintf (stderr, "Try `%s --help' for more information.\n",
578 printf ("Usage: %s [OPTION]... [-] [USER [ARG]...]\n", program_name);
581 -l, --login make the shell a login shell\n\
582 -c, --commmand=COMMAND pass a single COMMAND to the shell with -c\n\
583 -f, --fast pass -f to the shell (for csh or tcsh)\n\
584 -m, --preserve-environment do not reset environment variables\n\
586 -s, --shell=SHELL run SHELL if /etc/shells allows it\n\
587 --help display this help and exit\n\
588 --version output version information and exit\n\
590 A mere - implies -l. If USER not given, assume root.\n\