comparison toys/login.c @ 572:8a88a9e3c30b

Adding initial version of login.c
author Elie De Brauwer <eliedebrauwer@gmail.com>
date Tue, 24 Apr 2012 23:09:27 +0200
parents
children 98bde84a888c
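--- a/toys/login.c
+++ b/toys/login.c
@@ -0,0 +1,329 @@
+/* vi: set sw=4 ts=4:
+*
+* login.c - Start a session on the system.
+*
+* Copyright 2012 Elie De Brauwer <eliedebrauwer@gmail.com>
+*
+* Not in SUSv4.
+* No support for PAM/securetty/selinux/login script/issue/utmp
+* Relies on libcrypt for hash calculation.
+
+USE_LOGIN(NEWTOY(login, ">1fph:", TOYFLAG_BIN))
+
+config LOGIN
+bool "login"
+default y
+help
+usage: login [-p] [-h host] [[-f] username]
+
+Establish a new session with the system.
+-p Preserve environment
+-h The name of the remote host for this login
+-f Do not perform authentication
+*/
+
+#include "toys.h"
+
+#define LOGIN_TIMEOUT 60
+#define LOGIN_FAIL_TIMEOUT 3
+#define USER_NAME_MAX_SIZE 32
+#define HOSTNAME_SIZE 32
+
+DEFINE_GLOBALS(
+char * hostname;
+)
+#define TT this.login
+
+static void login_timeout_handler(int sig __attribute__((unused)))
+{
+printf("\nLogin timed out after %d seconds.\n", LOGIN_TIMEOUT);
+exit(0);
+}
+
+static const char *forbid[] = {
+"BASH_ENV",
+"ENV",
+"HOME",
+"IFS",
+"LD_LIBRARY_PATH",
+"LD_PRELOAD",
+"LD_TRACE_LOADED_OBJECTS",
+"LD_BIND_NOW",
+"LD_AOUT_LIBRARY_PATH",
+"LD_AOUT_PRELOAD",
+"LD_NOWARN",
+"LD_KEEPDIR",
+"SHELL",
+NULL
+};
+
+// Unset dangerous environment variables.
+void sanitize_env()
+{
+const char **p = forbid;
+do {
+unsetenv(*p);
+p++;
+} while (*p);
+}
+
+int read_password(char * buff, int buflen)
+{
+int i = 0;
+struct termios termio, oldtermio;
+tcgetattr(0, &oldtermio);
+tcflush(0, TCIFLUSH);
+termio = oldtermio;
+
+termio.c_iflag &= ~(IUCLC|IXON|IXOFF|IXANY);
+termio.c_lflag &= ~(ECHO|ECHOE|ECHOK|ECHONL|TOSTOP);
+tcsetattr(0, TCSANOW, &termio);
+
+fputs("Password: ", stdout);
+fflush(stdout);
+
+while (1) {
+int ret = read(0, &buff[i], 1);
+if ( ret < 0 )
+{
+buff[0] = 0;
+tcsetattr(0, TCSANOW, &oldtermio);
+return 1;
+}
+else if ( ret == 0 || buff[i] == '\n' ||
+buff[i] == '\r' || buflen == i+1)
+{
+buff[i] = '\0';
+break;
+}
+i++;
+}
+
+tcsetattr(0, TCSANOW, &oldtermio);
+puts("\n");
+fflush(stdout);
+return 0;
+}
+
+int verify_password(char * pwd)
+{
+char * pass;
+
+if (read_password(toybuf, sizeof(toybuf)))
+return 1;
+if (!pwd)
+return 1;
+if (pwd[0] == '!' || pwd[0] == '*')
+return 1;
+
+pass = crypt(toybuf, pwd);
+if (pass != NULL && strcmp(pass, pwd)==0)
+return 0;
+
+return 1;
+}
+
+void read_user(char * buff, int size)
+{
+char hostname[HOSTNAME_SIZE+1];
+int i = 0;
+hostname[HOSTNAME_SIZE] = 0;
+if(!gethostname(hostname, HOSTNAME_SIZE))
+fputs(hostname, stdout);
+
+fputs(" login: ", stdout);
+fflush(stdout);
+
+do {
+buff[0] = getchar();
+if (buff[0] == EOF)
+exit(EXIT_FAILURE);
+} while (isblank(buff[0]));
+
+if (buff[0] != '\n')
+if(!fgets(&buff[1], HOSTNAME_SIZE-1, stdin))
+_exit(1);
+
+while(i<HOSTNAME_SIZE-1 && isgraph(buff[i]))
+{
+i++;
+}
+buff[i] = 0;
+}
+
+void handle_nologin(void)
+{
+int fd = open("/etc/nologin", O_RDONLY);
+int size;
+if (fd == -1)
+return;
+
+size = readall(fd, toybuf,sizeof(toybuf)-1);
+toybuf[size] = 0;
+if (!size)
+puts("System closed for routine maintenance\n");
+else
+puts(toybuf);
+
+close(fd);
+fflush(stdout);
+exit(EXIT_FAILURE);
+}
+
+void handle_motd(void)
+{
+int fd = open("/etc/motd", O_RDONLY);
+int size;
+if (fd == -1)
+return;
+
+size = readall(fd, toybuf,sizeof(toybuf)-1);
+toybuf[size] = 0;
+puts(toybuf);
+
+close(fd);
+fflush(stdout);
+}
+
+int change_identity(const struct passwd *pwd)
+{
+if (initgroups(pwd->pw_name,pwd->pw_gid))
+return 1;
+if (setgid(pwd->pw_uid))
+return 1;
+if (setuid(pwd->pw_uid))
+return 1;
+
+return 0;
+}
+
+void spawn_shell(const char *shell)
+{
+const char * exec_name = strrchr(shell,'/');
+if (exec_name)
+exec_name++;
+else
+exec_name = shell;
+
+snprintf(toybuf,sizeof(toybuf)-1, "-%s", shell);
+execl(shell, toybuf, NULL);
+error_exit("Failed to spawn shell");
+}
+
+void setup_environment(const struct passwd *pwd, int clear_env)
+{
+if (chdir(pwd->pw_dir))
+printf("can't chdir to home directory: %s\n", pwd->pw_dir);
+
+if (clear_env)
+{
+const char * term = getenv("TERM");
+clearenv();
+if (term) setenv("TERM", term, 1);
+}
+
+setenv("USER", pwd->pw_name, 1);
+setenv("LOGNAME", pwd->pw_name, 1);
+setenv("HOME", pwd->pw_dir, 1);
+setenv("SHELL", pwd->pw_shell, 1);
+}
+
+void login_main(void)
+{
+int f_flag = (toys.optflags & 4) >> 2;
+int p_flag = (toys.optflags & 2) >> 1;
+int h_flag = toys.optflags & 1;
+char username[USER_NAME_MAX_SIZE+1];
+struct passwd * pwd = NULL;
+struct spwd * spwd = NULL;
+char *pass = NULL;
+int auth_fail_cnt = 0;
+
+if (f_flag && toys.optc != 1)
+error_exit("-f requires username");
+
+if (geteuid() != 0 )
+error_exit("Cannot possibly work without effective root");
+
+if (!isatty(0) || !isatty(1) || !isatty(2))
+error_exit("Not connected to a tty");
+
+openlog("login", LOG_PID | LOG_CONS, LOG_AUTH);
+signal(SIGALRM, login_timeout_handler);
+alarm(LOGIN_TIMEOUT);
+sanitize_env();
+
+while (1) {
+tcflush(0, TCIFLUSH);
+
+username[USER_NAME_MAX_SIZE] = 0;
+if (toys.optargs[0])
+strncpy(username, toys.optargs[0], USER_NAME_MAX_SIZE);
+else {
+read_user(username, USER_NAME_MAX_SIZE+1);
+if (username[0] == 0)
+continue;
+}
+
+pwd = getpwnam(username);
+if (!pwd)
+goto query_pass; // Non-existing user
+
+if (pwd->pw_passwd[0] == '!' || pwd->pw_passwd[0] == '*')
+goto query_pass; // Locked account
+
+if (f_flag)
+break; // Pre-authenticated
+
+if (pwd->pw_passwd[0] == '\0')
+break; // Password-less account
+
+pass = pwd->pw_passwd;
+if (pwd->pw_passwd[0] == 'x') {
+spwd = getspnam (username);
+if (spwd)
+pass = spwd->sp_pwdp;
+}
+
+query_pass:
+if (!verify_password(pass))
+break;
+
+f_flag = 0;
+syslog(LOG_WARNING, "invalid password for '%s' on %s %s %s", username,
+ttyname(0),
+(h_flag)?"from":"",
+(h_flag)?TT.hostname:"");
+
+sleep(LOGIN_FAIL_TIMEOUT);
+puts("Login incorrect");
+
+if (++auth_fail_cnt == 3)
+{
+error_exit("Maximum number of tries exceeded (%d)\n", auth_fail_cnt);
+}
+
+username[0] = 0;
+pwd = NULL;
+spwd = NULL;
+}
+
+alarm(0);
+
+if (pwd->pw_uid)
+handle_nologin();
+
+if (change_identity(pwd))
+error_exit("Failed to change identity");
+
+setup_environment(pwd, !p_flag);
+
+handle_motd();
+
+syslog(LOG_INFO, "%s logged in on %s %s %s", pwd->pw_name,
+ttyname(0),
+(h_flag)?"from":"",
+(h_flag)?TT.hostname:"");
+
+spawn_shell(pwd->pw_shell);
+}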
320
321 handle_motd();
322
323 syslog(LOG_INFO, "%s logged in on %s %s %s", pwd->pw_name,
324 ttyname(0),
325 (h_flag)?"from":"",
326 (h_flag)?TT.hostname:"");
327
328 spawn_shell(pwd->pw_shell);
329 }