make krb5 compile again. XXX: one function left that is deprecated, what's the new equivalent?diff -r1.52 -r1.53 src/usr.bin/login/Makefile
(christos)
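--- a/src/usr.bin/login/Makefile
+++ b/src/usr.bin/login/Makefile
@@ -1,40 +1,42 @@
-# $NetBSD: Makefile,v 1.52 2011/04/24 21:42:06 elric Exp $
+# $NetBSD: Makefile,v 1.53 2012/04/22 23:26:19 christos Exp $
 # @(#)Makefile 8.1 (Berkeley) 7/19/93
 
-WARNS?= 2 # XXX -Wcast-qual issues
+WARNS?= 5 # XXX -Wcast-qual issues
 
 .include <bsd.own.mk>
 
 USE_FORT?= yes # setuid
 PROG= login
 SRCS= copyrightstr.c
 DPADD+= ${LIBUTIL} ${LIBCRYPT}
 LDADD+= -lutil -lcrypt
 BINOWN= root
 BINMODE=4555
 
 SRCS+= common.c
 .if (${USE_PAM} != "no")
 SRCS+= login_pam.c
 LDADD+= -lpam ${PAM_STATIC_LDADD}
 DPADD+= ${LIBPAM} ${PAM_STATIC_DPADD}
 .else # USE_PAM == no
 SRCS+= login.c
 CPPFLAGS+=-DLOGIN_CAP -DSUPPORT_UTMP -DSUPPORT_UTMPX
 
 .if (${USE_KERBEROS} != "no")
 SRCS+= k5login.c
 CPPFLAGS+=-DKERBEROS5
+# XXX: for krb5_get_in_tkt_with_password
+CPPFLAGS+=-DKRB5_DEPRECATED=
 DPADD+= ${LIBKRB5} ${LIBASN1}
 LDADD+= -lkrb5 -lasn1
 
 DPADD+= ${LIBCRYPTO} ${LIBROKEN} ${LIBCOM_ERR}
 LDADD+= -lcrypto -lroken -lcom_err
 .endif
 
 .if (${USE_SKEY} != "no")
 CPPFLAGS+=-DSKEY
 DPADD+= ${LIBSKEY}
 LDADD+= -lskey
 .endif
 .endif # USE_PAM == no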
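Review bot: `CPPFLAGS+=-DKRB5_DEPRECATED=` on new line 29 presumably blanks the deprecation attribute for every krb5 symbol k5login.c pulls in, not only krb5_get_in_tkt_with_password, so any further deprecated call that lands in this setuid program later compiles without a word even at WARNS=5. The replacement the commit message asks about is krb5_get_init_creds_password; once k5login.c is moved to it this define can be dropped. Until then the comment should record that scope and the exit condition, e.g. `# XXX: silences deprecation of krb5_get_in_tkt_with_password in k5login.c; drop once it uses krb5_get_init_creds_password`.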
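--- a/src/usr.bin/login/common.c
+++ b/src/usr.bin/login/common.c
@@ -1,14 +1,14 @@
-/* $NetBSD: common.c,v 1.3 2009/12/29 20:15:15 christos Exp $ */
+/* $NetBSD: common.c,v 1.4 2012/04/22 23:26:19 christos Exp $ */
 
 /*-
 * Copyright (c) 1980, 1987, 1988, 1991, 1993, 1994
 * The Regents of the University of California. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in the
 * documentation and/or other materials provided with the distribution.
@@ -19,27 +19,27 @@
 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: common.c,v 1.3 2009/12/29 20:15:15 christos Exp $");
+__RCSID("$NetBSD: common.c,v 1.4 2012/04/22 23:26:19 christos Exp $");
 
 #include <sys/types.h>
 #include <sys/param.h>
 #include <sys/socket.h>
 #include <stdio.h>
 #include <string.h>
 #include <unistd.h>
 #include <stdlib.h>
 #include <syslog.h>
 #include <fcntl.h>
 #include <ttyent.h>
 #include <setjmp.h>
 #include <time.h>
@@ -67,72 +67,80 @@ static void dolastlog(int);
 static void doutmpx(void);
 static void dolastlogx(int);
 #endif
 
 /*
 * This bounds the time given to login. Not a define so it can
 * be patched on machines where it's too small.
 */
 u_int timeout = 300;
 
 void decode_ss(const char *);
 struct passwd *pwd;
 int failures, have_ss;
-char term[64], *envinit[1], *hostname, *username, *tty, *nested;
+char term[64], *envinit[1], *hostname, *tty, *nested;
+const char *username;
 struct timeval now;
 struct sockaddr_storage ss;
 
-void
+char *
+trimloginname(char *u)
+{
+if (strlen(u) > MAXLOGNAME)
+u[MAXLOGNAME] = '\0';
+return u;
+}
+
+char *
 getloginname(void)
 {
 int ch;
 char *p;
 static char nbuf[NBUFSIZ];
 
 for (;;) {
 (void)printf("login: ");
 for (p = nbuf; (ch = getchar()) != '\n'; ) {
 if (ch == EOF) {
 badlogin(username);
 exit(EXIT_FAILURE);
 }
 if (p < nbuf + (NBUFSIZ - 1))
 *p++ = ch;
 }
 if (p > nbuf) {
 if (nbuf[0] == '-')
 (void)fprintf(stderr,
 "login names may not start with '-'.\n");
 else {
 *p = '\0';
-username = nbuf;
-break;
+return nbuf;
 }
 }
 }
 }
 
 int
 rootterm(char *ttyn)
 {
 struct ttyent *t;
 
 return ((t = getttynam(ttyn)) && t->ty_status & TTY_SECURE);
 }
 
 static jmp_buf motdinterrupt;
 
 void
-motd(char *fname)
+motd(const char *fname)
 {
 int fd, nchars;
 sig_t oldint;
 char tbuf[8192];
 
 if ((fd = open(fname ? fname : _PATH_MOTDFILE, O_RDONLY, 0)) < 0)
 return;
 oldint = signal(SIGINT, sigint);
 if (setjmp(motdinterrupt) == 0)
 while ((nchars = read(fd, tbuf, sizeof(tbuf))) > 0)
 (void)write(fileno(stdout), tbuf, nchars);
 (void)signal(SIGINT, oldint);
 (void)close(fd);
@@ -233,27 +241,27 @@ doutmpx(void)
 char *t;
 
 memset((void *)&utmpx, 0, sizeof(utmpx));
 utmpx.ut_tv = now;
 (void)strncpy(utmpx.ut_name, username, sizeof(utmpx.ut_name));
 if (hostname) {
 (void)strncpy(utmpx.ut_host, hostname, sizeof(utmpx.ut_host));
 utmpx.ut_ss = ss;
 }
 (void)strncpy(utmpx.ut_line, tty, sizeof(utmpx.ut_line));
 utmpx.ut_type = USER_PROCESS;
 utmpx.ut_pid = getpid();
 t = tty + strlen(tty);
-if (t - tty >= sizeof(utmpx.ut_id)) {
+if ((size_t)(t - tty) >= sizeof(utmpx.ut_id)) {
 (void)strncpy(utmpx.ut_id, t - sizeof(utmpx.ut_id),
 sizeof(utmpx.ut_id));
 } else {
 (void)strncpy(utmpx.ut_id, tty, sizeof(utmpx.ut_id));
 }
 if (pututxline(&utmpx) == NULL)
 syslog(LOG_NOTICE, "Cannot update utmpx: %m");
 endutxent();
 if (updwtmpx(_PATH_WTMPX, &utmpx) != 0)
 syslog(LOG_NOTICE, "Cannot update wtmpx: %m");
 }
 
 static void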
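Review bot: trimloginname (new lines 86-91) silently cuts an over-long name to MAXLOGNAME characters in place, so the name that is authenticated and that badlogin/syslog record is not the one the user typed; getloginname just above rejects a leading '-' with a message rather than repairing it, and an over-long name deserves the same rejection rather than a quiet rewrite. If truncation is the intended contract, say so on the function, e.g. `/* Truncate the login name in place to MAXLOGNAME characters and return it; u must be a writable, NUL-terminated string. */`. The `u[MAXLOGNAME] = '\0'` store is in bounds whenever strlen(u) > MAXLOGNAME, but strlen on a NULL u would crash, so the callers (outside this hunk) must never hand it NULL. Separately, getloginname now returns nbuf instead of assigning username, yet its EOF path still calls badlogin(username), which on the first prompt presumably sees whatever the caller left in the global; worth confirming that is never NULL.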
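--- a/src/usr.bin/login/common.h
+++ b/src/usr.bin/login/common.h
@@ -1,14 +1,14 @@
-/* $NetBSD: common.h,v 1.1 2009/12/29 19:26:13 christos Exp $ */
+/* $NetBSD: common.h,v 1.2 2012/04/22 23:26:19 christos Exp $ */
 
 /*-
 * Copyright (c) 1980, 1987, 1988, 1991, 1993, 1994
 * The Regents of the University of California. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in the
 * documentation and/or other materials provided with the distribution.
@@ -23,31 +23,33 @@
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */
 
 __BEGIN_DECLS
 
 void badlogin(const char *);
 void update_db(int, int, int);
-void getloginname(void);
-void motd(char *);
+char *trimloginname(char *);
+char *getloginname(void);
+void motd(const char *);
 int rootterm(char *);
 void sigint(int);
 void sleepexit(int);
 const char *stypeof(const char *);
 void timedout(int);
 void decode_ss(const char *);
 
 extern u_int timeout;
 extern struct passwd *pwd;
 extern int failures, have_ss;
-extern char term[64], *envinit[1], *hostname, *username, *tty, *nested;
+extern char term[64], *envinit[1], *hostname, *tty, *nested;
+extern const char *username;
 extern struct timeval now;
 extern struct sockaddr_storage ss;
 extern const char copyrightstr[];
 
 __END_DECLS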
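Review bot: The new prototypes `char *trimloginname(char *);` and `char *getloginname(void);` (new lines 36-37) carry no contract, and both matter to callers: trimloginname modifies its argument in place and returns it, and getloginname returns a pointer into static storage that the next call overwrites, which anything keeping the name across prompts needs to know. A one-line comment above each would do, e.g. `/* truncates in place to MAXLOGNAME; returns its argument */` and `/* returns static storage, overwritten by the next call */`. Since this commit already makes motd take a `const char *`, `int rootterm(char *);` on line 39 could be made `const char *` in the same pass; getttynam presumably accepts a const string and the rootterm body in common.c does not write through it.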
--- src/usr.bin/login/k5login.c 2006/03/23 23:33:28 1.27
+++ src/usr.bin/login/k5login.c 2012/04/22 23:26:19 1.28
@@ -1,14 +1,14 @@ | @@ -1,14 +1,14 @@ | |||
1 | /* $NetBSD: k5login.c,v 1.27 2006/03/23 23:33:28 wiz Exp $ */ | 1 | /* $NetBSD: k5login.c,v 1.28 2012/04/22 23:26:19 christos Exp $ */ | |
2 | 2 | |||
3 | /*- | 3 | /*- | |
4 | * Copyright (c) 1990 The Regents of the University of California. | 4 | * Copyright (c) 1990 The Regents of the University of California. | |
5 | * All rights reserved. | 5 | * All rights reserved. | |
6 | * | 6 | * | |
7 | * Redistribution and use in source and binary forms, with or without | 7 | * Redistribution and use in source and binary forms, with or without | |
8 | * modification, are permitted provided that the following conditions | 8 | * modification, are permitted provided that the following conditions | |
9 | * are met: | 9 | * are met: | |
10 | * 1. Redistributions of source code must retain the above copyright | 10 | * 1. Redistributions of source code must retain the above copyright | |
11 | * notice, this list of conditions and the following disclaimer. | 11 | * notice, this list of conditions and the following disclaimer. | |
12 | * 2. Redistributions in binary form must reproduce the above copyright | 12 | * 2. Redistributions in binary form must reproduce the above copyright | |
13 | * notice, this list of conditions and the following disclaimer in the | 13 | * notice, this list of conditions and the following disclaimer in the | |
14 | * documentation and/or other materials provided with the distribution. | 14 | * documentation and/or other materials provided with the distribution. | |
@@ -41,27 +41,27 @@ | @@ -41,27 +41,27 @@ | |||
41 | * by the University of California, Berkeley. The name of the | 41 | * by the University of California, Berkeley. The name of the | |
42 | * University may not be used to endorse or promote products derived | 42 | * University may not be used to endorse or promote products derived | |
43 | * from this software without specific prior written permission. | 43 | * from this software without specific prior written permission. | |
44 | * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR | 44 | * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR | |
45 | * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED | 45 | * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED | |
46 | * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. | 46 | * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. | |
47 | */ | 47 | */ | |
48 | 48 | |||
49 | #include <sys/cdefs.h> | 49 | #include <sys/cdefs.h> | |
50 | #ifndef lint | 50 | #ifndef lint | |
51 | #if 0 | 51 | #if 0 | |
52 | static char sccsid[] = "@(#)klogin.c 5.11 (Berkeley) 7/12/92"; | 52 | static char sccsid[] = "@(#)klogin.c 5.11 (Berkeley) 7/12/92"; | |
53 | #endif | 53 | #endif | |
54 | __RCSID("$NetBSD: k5login.c,v 1.27 2006/03/23 23:33:28 wiz Exp $"); | 54 | __RCSID("$NetBSD: k5login.c,v 1.28 2012/04/22 23:26:19 christos Exp $"); | |
55 | #endif /* not lint */ | 55 | #endif /* not lint */ | |
56 | 56 | |||
57 | #ifdef KERBEROS5 | 57 | #ifdef KERBEROS5 | |
58 | #include <sys/param.h> | 58 | #include <sys/param.h> | |
59 | #include <sys/syslog.h> | 59 | #include <sys/syslog.h> | |
60 | #include <krb5/krb5.h> | 60 | #include <krb5/krb5.h> | |
61 | #include <pwd.h> | 61 | #include <pwd.h> | |
62 | #include <netdb.h> | 62 | #include <netdb.h> | |
63 | #include <stdio.h> | 63 | #include <stdio.h> | |
64 | #include <stdlib.h> | 64 | #include <stdlib.h> | |
65 | #include <string.h> | 65 | #include <string.h> | |
66 | #include <unistd.h> | 66 | #include <unistd.h> | |
67 | #include <errno.h> | 67 | #include <errno.h> | |
@@ -79,33 +79,26 @@ extern int login_krb5_forwardable_tgt; | @@ -79,33 +79,26 @@ extern int login_krb5_forwardable_tgt; | |||
79 | extern int has_ccache; | 79 | extern int has_ccache; | |
80 | 80 | |||
81 | static char tkt_location[MAXPATHLEN]; | 81 | static char tkt_location[MAXPATHLEN]; | |
82 | static krb5_creds forw_creds; | 82 | static krb5_creds forw_creds; | |
83 | int have_forward; | 83 | int have_forward; | |
84 | static krb5_principal me, server; | 84 | static krb5_principal me, server; | |
85 | 85 | |||
86 | int k5_read_creds(char *); | 86 | int k5_read_creds(char *); | |
87 | int k5_write_creds(void); | 87 | int k5_write_creds(void); | |
88 | int k5_verify_creds(krb5_context, krb5_ccache); | 88 | int k5_verify_creds(krb5_context, krb5_ccache); | |
89 | int k5login(struct passwd *, char *, char *, char *); | 89 | int k5login(struct passwd *, char *, char *, char *); | |
90 | void k5destroy(void); | 90 | void k5destroy(void); | |
91 | 91 | |||
92 | #ifndef krb5_realm_length | |||
93 | #define krb5_realm_length(r) ((r).length) | |||
94 | #endif | |||
95 | #ifndef krb5_realm_data | |||
96 | #define krb5_realm_data(r) ((r).data) | |||
97 | #endif | |||
98 | ||||
99 | /* | 92 | /* | |
100 | * Verify the Kerberos ticket-granting ticket just retrieved for the | 93 | * Verify the Kerberos ticket-granting ticket just retrieved for the | |
101 | * user. If the Kerberos server doesn't respond, assume the user is | 94 | * user. If the Kerberos server doesn't respond, assume the user is | |
102 | * trying to fake us out (since we DID just get a TGT from what is | 95 | * trying to fake us out (since we DID just get a TGT from what is | |
103 | * supposedly our KDC). If the host/<host> service is unknown (i.e., | 96 | * supposedly our KDC). If the host/<host> service is unknown (i.e., | |
104 | * the local keytab doesn't have it), let her in. | 97 | * the local keytab doesn't have it), let her in. | |
105 | * | 98 | * | |
106 | * Returns 1 for confirmation, -1 for failure, 0 for uncertainty. | 99 | * Returns 1 for confirmation, -1 for failure, 0 for uncertainty. | |
107 | */ | 100 | */ | |
108 | int | 101 | int | |
109 | k5_verify_creds(krb5_context c, krb5_ccache ccache) | 102 | k5_verify_creds(krb5_context c, krb5_ccache ccache) | |
110 | { | 103 | { | |
111 | char phost[MAXHOSTNAMELEN]; | 104 | char phost[MAXHOSTNAMELEN]; | |
@@ -153,28 +146,29 @@ k5_verify_creds(krb5_context c, krb5_cca | @@ -153,28 +146,29 @@ k5_verify_creds(krb5_context c, krb5_cca | |||
153 | retval = -1; | 146 | retval = -1; | |
154 | goto EGRESS; | 147 | goto EGRESS; | |
155 | } | 148 | } | |
156 | /* but if it is unknown and we've got no key, we don't | 149 | /* but if it is unknown and we've got no key, we don't | |
157 | * have any security anyhow, so it is ok. */ | 150 | * have any security anyhow, so it is ok. */ | |
158 | else { | 151 | else { | |
159 | retval = 0; | 152 | retval = 0; | |
160 | goto EGRESS; | 153 | goto EGRESS; | |
161 | } | 154 | } | |
162 | } | 155 | } | |
163 | else if (kerror) { | 156 | else if (kerror) { | |
164 | krb5_warn(kcontext, kerror, | 157 | krb5_warn(kcontext, kerror, | |
165 | "Unable to verify Kerberos V5 TGT: %s", phost); | 158 | "Unable to verify Kerberos V5 TGT: %s", phost); | |
166 | syslog(LOG_NOTICE, "Kerberos V5 TGT bad: %s", | 159 | const char *msg = krb5_get_error_message(kcontext, kerror); | |
167 | krb5_get_err_text(kcontext, kerror)); | 160 | syslog(LOG_NOTICE, "Kerberos V5 TGT bad: %s", msg); | |
161 | krb5_free_error_message(kcontext, msg); | |||
168 | retval = -1; | 162 | retval = -1; | |
169 | goto EGRESS; | 163 | goto EGRESS; | |
170 | } | 164 | } | |
171 | /* got ticket, try to use it */ | 165 | /* got ticket, try to use it */ | |
172 | kerror = krb5_rd_req(c, &auth_context, &packet, | 166 | kerror = krb5_rd_req(c, &auth_context, &packet, | |
173 | princ, NULL, NULL, &ticket); | 167 | princ, NULL, NULL, &ticket); | |
174 | if (kerror) { | 168 | if (kerror) { | |
175 | if (!have_keys) { | 169 | if (!have_keys) { | |
176 | /* The krb5 errors aren't specified well, but I think | 170 | /* The krb5 errors aren't specified well, but I think | |
177 | * these values cover the cases we expect. */ | 171 | * these values cover the cases we expect. */ | |
178 | switch (kerror) { | 172 | switch (kerror) { | |
179 | case ENOENT: /* no keytab */ | 173 | case ENOENT: /* no keytab */ | |
180 | case KRB5_KT_NOTFOUND: | 174 | case KRB5_KT_NOTFOUND: | |
@@ -182,31 +176,31 @@ k5_verify_creds(krb5_context c, krb5_cca | @@ -182,31 +176,31 @@ k5_verify_creds(krb5_context c, krb5_cca | |||
182 | break; | 176 | break; | |
183 | default: | 177 | default: | |
184 | /* unexpected error: fail */ | 178 | /* unexpected error: fail */ | |
185 | retval = -1; | 179 | retval = -1; | |
186 | break; | 180 | break; | |
187 | } | 181 | } | |
188 | } | 182 | } | |
189 | else { | 183 | else { | |
190 | /* we have keys, so if we got any error, we could be | 184 | /* we have keys, so if we got any error, we could be | |
191 | * under attack. */ | 185 | * under attack. */ | |
192 | retval = -1; | 186 | retval = -1; | |
193 | } | 187 | } | |
194 | krb5_warn(kcontext, kerror, "Unable to verify host ticket"); | 188 | krb5_warn(kcontext, kerror, "Unable to verify host ticket"); | |
189 | const char *msg = krb5_get_error_message(kcontext, kerror); | |||
195 | syslog(LOG_NOTICE, "can't verify v5 ticket: %s; %s\n", | 190 | syslog(LOG_NOTICE, "can't verify v5 ticket: %s; %s\n", | |
196 | krb5_get_err_text(kcontext, kerror), | 191 | msg, retval ? "keytab found, assuming failure" | |
197 | retval | 192 | : "no keytab found, assuming success"); | |
198 | ? "keytab found, assuming failure" | 193 | krb5_free_error_message(kcontext, msg); | |
199 | : "no keytab found, assuming success"); | |||
200 | goto EGRESS; | 194 | goto EGRESS; | |
201 | } | 195 | } | |
202 | /* | 196 | /* | |
203 | * The host/<host> ticket has been received _and_ verified. | 197 | * The host/<host> ticket has been received _and_ verified. | |
204 | */ | 198 | */ | |
205 | retval = 1; | 199 | retval = 1; | |
206 | 200 | |||
207 | /* do cleanup and return */ | 201 | /* do cleanup and return */ | |
208 | EGRESS: | 202 | EGRESS: | |
209 | if (auth_context) | 203 | if (auth_context) | |
210 | krb5_auth_con_free(c, auth_context); | 204 | krb5_auth_con_free(c, auth_context); | |
211 | krb5_free_principal(c, princ); | 205 | krb5_free_principal(c, princ); | |
212 | /* possibly ticket and packet need freeing here as well */ | 206 | /* possibly ticket and packet need freeing here as well */ | |
@@ -233,33 +227,33 @@ k5_read_creds(char *username) | @@ -233,33 +227,33 @@ k5_read_creds(char *username) | |||
233 | kerror = krb5_cc_default(kcontext, &ccache); | 227 | kerror = krb5_cc_default(kcontext, &ccache); | |
234 | if (kerror) { | 228 | if (kerror) { | |
235 | krb5_warn(kcontext, kerror, "while getting default ccache"); | 229 | krb5_warn(kcontext, kerror, "while getting default ccache"); | |
236 | return(1); | 230 | return(1); | |
237 | } | 231 | } | |
238 | 232 | |||
239 | kerror = krb5_parse_name(kcontext, username, &me); | 233 | kerror = krb5_parse_name(kcontext, username, &me); | |
240 | if (kerror) { | 234 | if (kerror) { | |
241 | krb5_warn(kcontext, kerror, "when parsing name %s", username); | 235 | krb5_warn(kcontext, kerror, "when parsing name %s", username); | |
242 | return(1); | 236 | return(1); | |
243 | } | 237 | } | |
244 | 238 | |||
245 | mcreds.client = me; | 239 | mcreds.client = me; | |
240 | const char *realm = krb5_principal_get_realm(kcontext, me); | |||
241 | size_t rlen = strlen(realm); | |||
246 | kerror = krb5_build_principal_ext(kcontext, &mcreds.server, | 242 | kerror = krb5_build_principal_ext(kcontext, &mcreds.server, | |
247 | krb5_realm_length(*krb5_princ_realm(kcontext, me)), | 243 | rlen, realm, | |
248 | krb5_realm_data(*krb5_princ_realm(kcontext, me)), | |||
249 | KRB5_TGS_NAME_SIZE, | 244 | KRB5_TGS_NAME_SIZE, | |
250 | KRB5_TGS_NAME, | 245 | KRB5_TGS_NAME, | |
251 | krb5_realm_length(*krb5_princ_realm(kcontext, me)), | 246 | rlen, realm, | |
252 | krb5_realm_data(*krb5_princ_realm(kcontext, me)), | |||
253 | 0); | 247 | 0); | |
254 | if (kerror) { | 248 | if (kerror) { | |
255 | krb5_warn(kcontext, kerror, "while building server name"); | 249 | krb5_warn(kcontext, kerror, "while building server name"); | |
256 | goto nuke_ccache; | 250 | goto nuke_ccache; | |
257 | } | 251 | } | |
258 | 252 | |||
259 | kerror = krb5_cc_retrieve_cred(kcontext, ccache, 0, | 253 | kerror = krb5_cc_retrieve_cred(kcontext, ccache, 0, | |
260 | &mcreds, &forw_creds); | 254 | &mcreds, &forw_creds); | |
261 | if (kerror) { | 255 | if (kerror) { | |
262 | krb5_warn(kcontext, kerror, | 256 | krb5_warn(kcontext, kerror, | |
263 | "while retrieving V5 initial ticket for copy"); | 257 | "while retrieving V5 initial ticket for copy"); | |
264 | goto nuke_ccache; | 258 | goto nuke_ccache; | |
265 | } | 259 | } | |
@@ -362,88 +356,93 @@ k5login(struct passwd *pw, char *instanc | @@ -362,88 +356,93 @@ k5login(struct passwd *pw, char *instanc | |||
362 | krb5tkfile_env = tkt_location; | 356 | krb5tkfile_env = tkt_location; | |
363 | has_ccache = 1; | 357 | has_ccache = 1; | |
364 | 358 | |||
365 | if (strlen(instance)) | 359 | if (strlen(instance)) | |
366 | asprintf(&principal, "%s/%s", pw->pw_name, instance); | 360 | asprintf(&principal, "%s/%s", pw->pw_name, instance); | |
367 | else | 361 | else | |
368 | principal = strdup(pw->pw_name); | 362 | principal = strdup(pw->pw_name); | |
369 | if (!principal) { | 363 | if (!principal) { | |
370 | syslog(LOG_NOTICE, "fatal: %s", strerror(errno)); | 364 | syslog(LOG_NOTICE, "fatal: %s", strerror(errno)); | |
371 | return (1); | 365 | return (1); | |
372 | } | 366 | } | |
373 | 367 | |||
374 | if ((kerror = krb5_cc_resolve(kcontext, tkt_location, &ccache)) != 0) { | 368 | if ((kerror = krb5_cc_resolve(kcontext, tkt_location, &ccache)) != 0) { | |
369 | const char *msg = krb5_get_error_message(kcontext, kerror); | |||
375 | syslog(LOG_NOTICE, "warning: %s while getting default ccache", | 370 | syslog(LOG_NOTICE, "warning: %s while getting default ccache", | |
376 | krb5_get_err_text(kcontext, kerror)); | 371 | msg); | |
372 | krb5_free_error_message(kcontext, msg); | |||
377 | return (1); | 373 | return (1); | |
378 | } | 374 | } | |
379 | 375 | |||
380 | if ((kerror = krb5_parse_name(kcontext, principal, &me)) != 0) { | 376 | if ((kerror = krb5_parse_name(kcontext, principal, &me)) != 0) { | |
381 | syslog(LOG_NOTICE, "warning: %s when parsing name %s", | 377 | const char *msg = krb5_get_error_message(kcontext, kerror); | |
382 | krb5_get_err_text(kcontext, kerror), principal); | 378 | syslog(LOG_NOTICE, "warning: %s when parsing name %s", msg, | |
379 | principal); | |||
380 | krb5_free_error_message(kcontext, msg); | |||
383 | return (1); | 381 | return (1); | |
384 | } | 382 | } | |
385 | 383 | |||
386 | if ((kerror = krb5_unparse_name(kcontext, me, &client_name)) != 0) { | 384 | if ((kerror = krb5_unparse_name(kcontext, me, &client_name)) != 0) { | |
385 | const char *msg = krb5_get_error_message(kcontext, kerror); | |||
387 | syslog(LOG_NOTICE, "warning: %s when unparsing name %s", | 386 | syslog(LOG_NOTICE, "warning: %s when unparsing name %s", | |
388 | krb5_get_err_text(kcontext, kerror), principal); | 387 | msg, principal); | |
388 | krb5_free_error_message(kcontext, msg); | |||
389 | return (1); | 389 | return (1); | |
390 | } | 390 | } | |
391 | 391 | |||
392 | kerror = krb5_cc_initialize(kcontext, ccache, me); | 392 | kerror = krb5_cc_initialize(kcontext, ccache, me); | |
393 | if (kerror != 0) { | 393 | if (kerror != 0) { | |
394 | const char *msg = krb5_get_error_message(kcontext, kerror); | |||
394 | syslog(LOG_NOTICE, "%s when initializing cache %s", | 395 | syslog(LOG_NOTICE, "%s when initializing cache %s", | |
395 | krb5_get_err_text(kcontext, kerror), tkt_location); | 396 | msg, tkt_location); | |
397 | krb5_free_error_message(kcontext, msg); | |||
396 | return (1); | 398 | return (1); | |
397 | } | 399 | } | |
398 | 400 | |||
399 | memset((char *)&my_creds, 0, sizeof(my_creds)); | 401 | memset((char *)&my_creds, 0, sizeof(my_creds)); | |
400 | 402 | |||
401 | my_creds.client = me; | 403 | my_creds.client = me; | |
402 | 404 | |||
405 | const char *xrealm = krb5_principal_get_realm(kcontext, me); | |||
406 | size_t rlen = strlen(xrealm); | |||
403 | if ((kerror = krb5_build_principal_ext(kcontext, | 407 | if ((kerror = krb5_build_principal_ext(kcontext, | |
404 | &server, | 408 | &server, | |
405 | krb5_realm_length(*krb5_princ_realm(kcontext, me)), | 409 | rlen, xrealm, | |
406 | krb5_realm_data(*krb5_princ_realm(kcontext, me)), | |||
407 | KRB5_TGS_NAME_SIZE, | 410 | KRB5_TGS_NAME_SIZE, | |
408 | KRB5_TGS_NAME, | 411 | KRB5_TGS_NAME, | |
409 | krb5_realm_length(*krb5_princ_realm(kcontext, me)), | 412 | rlen, xrealm, | |
410 | krb5_realm_data(*krb5_princ_realm(kcontext, me)), | |||
411 | 0)) != 0) { | 413 | 0)) != 0) { | |
412 | syslog(LOG_NOTICE, "%s while building server name", | 414 | const char *msg = krb5_get_error_message(kcontext, kerror); | |
413 | krb5_get_err_text(kcontext, kerror)); | 415 | syslog(LOG_NOTICE, "%s while building server name", msg); | |
416 | krb5_free_error_message(kcontext, msg); | |||
414 | return (1); | 417 | return (1); | |
415 | } | 418 | } | |
416 | 419 | |||
417 | my_creds.server = server; | 420 | my_creds.server = server; | |
418 | 421 | |||
419 | if ((kerror = krb5_timeofday(kcontext, &now)) != 0) { | 422 | if ((kerror = krb5_timeofday(kcontext, &now)) != 0) { | |
420 | syslog(LOG_NOTICE, "%s while getting time of day", | 423 | const char *msg = krb5_get_error_message(kcontext, kerror); | |
421 | krb5_get_err_text(kcontext, kerror)); | 424 | syslog(LOG_NOTICE, "%s while getting time of day", msg); | |
425 | krb5_free_error_message(kcontext, msg); | |||
422 | return (1); | 426 | return (1); | |
423 | } | 427 | } | |
424 | 428 | |||
425 | my_creds.times.starttime = 0; /* start timer when request | 429 | my_creds.times.starttime = 0; /* start timer when request | |
426 | gets to KDC */ | 430 | gets to KDC */ | |
427 | my_creds.times.endtime = now + lifetime; | 431 | my_creds.times.endtime = now + lifetime; | |
428 | my_creds.times.renew_till = 0; | 432 | my_creds.times.renew_till = 0; | |
429 | 433 | |||
430 | kerror = krb5_get_in_tkt_with_password(kcontext, options, | 434 | kerror = krb5_get_in_tkt_with_password(kcontext, options, | |
431 | NULL, | 435 | NULL, NULL, NULL, password, ccache, &my_creds, 0); | |
432 | NULL, | |||
433 | NULL, | |||
434 | password, | |||
435 | ccache, | |||
436 | &my_creds, 0); | |||
437 | 436 | |||
438 | if (my_creds.server != NULL) | 437 | if (my_creds.server != NULL) | |
439 | krb5_free_principal(kcontext, my_creds.server); | 438 | krb5_free_principal(kcontext, my_creds.server); | |
440 | 439 | |||
441 | if (chown(&tkt_location[5], pw->pw_uid, pw->pw_gid) < 0) | 440 | if (chown(&tkt_location[5], pw->pw_uid, pw->pw_gid) < 0) | |
442 | syslog(LOG_ERR, "chown tkfile (%s): %m", &tkt_location[5]); | 441 | syslog(LOG_ERR, "chown tkfile (%s): %m", &tkt_location[5]); | |
443 | 442 | |||
444 | if (kerror) { | 443 | if (kerror) { | |
445 | if (kerror == KRB5KRB_AP_ERR_BAD_INTEGRITY) | 444 | if (kerror == KRB5KRB_AP_ERR_BAD_INTEGRITY) | |
446 | printf("%s: Kerberos Password incorrect\n", principal); | 445 | printf("%s: Kerberos Password incorrect\n", principal); | |
447 | else | 446 | else | |
448 | krb5_warn(kcontext, kerror, | 447 | krb5_warn(kcontext, kerror, | |
449 | "while getting initial credentials"); | 448 | "while getting initial credentials"); |
--- src/usr.bin/login/login.c 2011/08/31 16:24:57 1.98
+++ src/usr.bin/login/login.c 2012/04/22 23:26:19 1.99
@@ -1,14 +1,14 @@ | @@ -1,14 +1,14 @@ | |||
1 | /* $NetBSD: login.c,v 1.98 2011/08/31 16:24:57 plunky Exp $ */ | 1 | /* $NetBSD: login.c,v 1.99 2012/04/22 23:26:19 christos Exp $ */ | |
2 | 2 | |||
3 | /*- | 3 | /*- | |
4 | * Copyright (c) 1980, 1987, 1988, 1991, 1993, 1994 | 4 | * Copyright (c) 1980, 1987, 1988, 1991, 1993, 1994 | |
5 | * The Regents of the University of California. All rights reserved. | 5 | * The Regents of the University of California. All rights reserved. | |
6 | * | 6 | * | |
7 | * Redistribution and use in source and binary forms, with or without | 7 | * Redistribution and use in source and binary forms, with or without | |
8 | * modification, are permitted provided that the following conditions | 8 | * modification, are permitted provided that the following conditions | |
9 | * are met: | 9 | * are met: | |
10 | * 1. Redistributions of source code must retain the above copyright | 10 | * 1. Redistributions of source code must retain the above copyright | |
11 | * notice, this list of conditions and the following disclaimer. | 11 | * notice, this list of conditions and the following disclaimer. | |
12 | * 2. Redistributions in binary form must reproduce the above copyright | 12 | * 2. Redistributions in binary form must reproduce the above copyright | |
13 | * notice, this list of conditions and the following disclaimer in the | 13 | * notice, this list of conditions and the following disclaimer in the | |
14 | * documentation and/or other materials provided with the distribution. | 14 | * documentation and/or other materials provided with the distribution. | |
@@ -29,27 +29,27 @@ | @@ -29,27 +29,27 @@ | |||
29 | * SUCH DAMAGE. | 29 | * SUCH DAMAGE. | |
30 | */ | 30 | */ | |
31 | 31 | |||
32 | #include <sys/cdefs.h> | 32 | #include <sys/cdefs.h> | |
33 | #ifndef lint | 33 | #ifndef lint | |
34 | __COPYRIGHT("@(#) Copyright (c) 1980, 1987, 1988, 1991, 1993, 1994\ | 34 | __COPYRIGHT("@(#) Copyright (c) 1980, 1987, 1988, 1991, 1993, 1994\ | |
35 | The Regents of the University of California. All rights reserved."); | 35 | The Regents of the University of California. All rights reserved."); | |
36 | #endif /* not lint */ | 36 | #endif /* not lint */ | |
37 | 37 | |||
38 | #ifndef lint | 38 | #ifndef lint | |
39 | #if 0 | 39 | #if 0 | |
40 | static char sccsid[] = "@(#)login.c 8.4 (Berkeley) 4/2/94"; | 40 | static char sccsid[] = "@(#)login.c 8.4 (Berkeley) 4/2/94"; | |
41 | #endif | 41 | #endif | |
42 | __RCSID("$NetBSD: login.c,v 1.98 2011/08/31 16:24:57 plunky Exp $"); | 42 | __RCSID("$NetBSD: login.c,v 1.99 2012/04/22 23:26:19 christos Exp $"); | |
43 | #endif /* not lint */ | 43 | #endif /* not lint */ | |
44 | 44 | |||
45 | /* | 45 | /* | |
46 | * login [ name ] | 46 | * login [ name ] | |
47 | * login -h hostname (for telnetd, etc.) | 47 | * login -h hostname (for telnetd, etc.) | |
48 | * login -f name (for pre-authenticated login: datakit, xterm, etc.) | 48 | * login -f name (for pre-authenticated login: datakit, xterm, etc.) | |
49 | */ | 49 | */ | |
50 | 50 | |||
51 | #include <sys/param.h> | 51 | #include <sys/param.h> | |
52 | #include <sys/stat.h> | 52 | #include <sys/stat.h> | |
53 | #include <sys/time.h> | 53 | #include <sys/time.h> | |
54 | #include <sys/resource.h> | 54 | #include <sys/resource.h> | |
55 | #include <sys/file.h> | 55 | #include <sys/file.h> | |
@@ -73,47 +73,47 @@ __RCSID("$NetBSD: login.c,v 1.98 2011/08 | @@ -73,47 +73,47 @@ __RCSID("$NetBSD: login.c,v 1.98 2011/08 | |||
73 | #include <sysexits.h> | 73 | #include <sysexits.h> | |
74 | #ifdef SUPPORT_UTMP | 74 | #ifdef SUPPORT_UTMP | |
75 | #include <utmp.h> | 75 | #include <utmp.h> | |
76 | #endif | 76 | #endif | |
77 | #ifdef SUPPORT_UTMPX | 77 | #ifdef SUPPORT_UTMPX | |
78 | #include <utmpx.h> | 78 | #include <utmpx.h> | |
79 | #endif | 79 | #endif | |
80 | #include <util.h> | 80 | #include <util.h> | |
81 | #ifdef SKEY | 81 | #ifdef SKEY | |
82 | #include <skey.h> | 82 | #include <skey.h> | |
83 | #endif | 83 | #endif | |
84 | #ifdef KERBEROS5 | 84 | #ifdef KERBEROS5 | |
85 | #include <krb5/krb5.h> | 85 | #include <krb5/krb5.h> | |
86 | #include <com_err.h> | 86 | #include <krb5/com_err.h> | |
87 | #endif | 87 | #endif | |
88 | #ifdef LOGIN_CAP | 88 | #ifdef LOGIN_CAP | |
89 | #include <login_cap.h> | 89 | #include <login_cap.h> | |
90 | #endif | 90 | #endif | |
91 | #include <vis.h> | 91 | #include <vis.h> | |
92 | 92 | |||
93 | #include "pathnames.h" | 93 | #include "pathnames.h" | |
94 | #include "common.h" | 94 | #include "common.h" | |
95 | 95 | |||
96 | #ifdef KERBEROS5 | 96 | #ifdef KERBEROS5 | |
97 | int login_krb5_forwardable_tgt = 0; | 97 | int login_krb5_forwardable_tgt = 0; | |
98 | static int login_krb5_get_tickets = 1; | 98 | static int login_krb5_get_tickets = 1; | |
99 | static int login_krb5_retain_ccache = 0; | 99 | static int login_krb5_retain_ccache = 0; | |
100 | #endif | 100 | #endif | |
101 | 101 | |||
102 | static void checknologin(char *); | 102 | static void checknologin(char *); | |
103 | #ifdef KERBEROS5 | 103 | #ifdef KERBEROS5 | |
104 | int k5login(struct passwd *, char *, char *, char *); | 104 | int k5login(struct passwd *, char *, char *, char *); | |
105 | void k5destroy(void); | 105 | void k5destroy(void); | |
106 | int k5_read_creds(char*); | 106 | int k5_read_creds(const char *); | |
107 | int k5_write_creds(void); | 107 | int k5_write_creds(void); | |
108 | #endif | 108 | #endif | |
109 | #if defined(KERBEROS5) | 109 | #if defined(KERBEROS5) | |
110 | static void dofork(void); | 110 | static void dofork(void); | |
111 | #endif | 111 | #endif | |
112 | static void usage(void); | 112 | static void usage(void); | |
113 | 113 | |||
114 | #define TTYGRPNAME "tty" /* name of group to own ttys */ | 114 | #define TTYGRPNAME "tty" /* name of group to own ttys */ | |
115 | 115 | |||
116 | #define DEFAULT_BACKOFF 3 | 116 | #define DEFAULT_BACKOFF 3 | |
117 | #define DEFAULT_RETRIES 10 | 117 | #define DEFAULT_RETRIES 10 | |
118 | 118 | |||
119 | #if defined(KERBEROS5) | 119 | #if defined(KERBEROS5) | |
@@ -132,27 +132,28 @@ extern int krb5_configured; | @@ -132,27 +132,28 @@ extern int krb5_configured; | |||
132 | 132 | |||
133 | extern char **environ; | 133 | extern char **environ; | |
134 | 134 | |||
135 | int | 135 | int | |
136 | main(int argc, char *argv[]) | 136 | main(int argc, char *argv[]) | |
137 | { | 137 | { | |
138 | struct group *gr; | 138 | struct group *gr; | |
139 | struct stat st; | 139 | struct stat st; | |
140 | int ask, ch, cnt, fflag, hflag, pflag, sflag, quietlog, rootlogin, rval; | 140 | int ask, ch, cnt, fflag, hflag, pflag, sflag, quietlog, rootlogin, rval; | |
141 | int Fflag; | 141 | int Fflag; | |
142 | uid_t uid, saved_uid; | 142 | uid_t uid, saved_uid; | |
143 | gid_t saved_gid, saved_gids[NGROUPS_MAX]; | 143 | gid_t saved_gid, saved_gids[NGROUPS_MAX]; | |
144 | int nsaved_gids; | 144 | int nsaved_gids; | |
145 | char *domain, *p, *ttyn, *pwprompt; | 145 | char *domain, *p, *ttyn; | |
146 | const char *pwprompt; | |||
146 | char tbuf[MAXPATHLEN + 2], tname[sizeof(_PATH_TTY) + 10]; | 147 | char tbuf[MAXPATHLEN + 2], tname[sizeof(_PATH_TTY) + 10]; | |
147 | char localhost[MAXHOSTNAMELEN + 1]; | 148 | char localhost[MAXHOSTNAMELEN + 1]; | |
148 | int need_chpass, require_chpass; | 149 | int need_chpass, require_chpass; | |
149 | int login_retries = DEFAULT_RETRIES, | 150 | int login_retries = DEFAULT_RETRIES, | |
150 | login_backoff = DEFAULT_BACKOFF; | 151 | login_backoff = DEFAULT_BACKOFF; | |
151 | time_t pw_warntime = _PASSWORD_WARNDAYS * SECSPERDAY; | 152 | time_t pw_warntime = _PASSWORD_WARNDAYS * SECSPERDAY; | |
152 | #ifdef KERBEROS5 | 153 | #ifdef KERBEROS5 | |
153 | krb5_error_code kerror; | 154 | krb5_error_code kerror; | |
154 | #endif | 155 | #endif | |
155 | #if defined(KERBEROS5) | 156 | #if defined(KERBEROS5) | |
156 | int got_tickets = 0; | 157 | int got_tickets = 0; | |
157 | #endif | 158 | #endif | |
158 | #ifdef LOGIN_CAP | 159 | #ifdef LOGIN_CAP | |
@@ -231,27 +232,27 @@ main(int argc, char *argv[]) | @@ -231,27 +232,27 @@ main(int argc, char *argv[]) | |||
231 | sflag = 1; | 232 | sflag = 1; | |
232 | break; | 233 | break; | |
233 | default: | 234 | default: | |
234 | case '?': | 235 | case '?': | |
235 | usage(); | 236 | usage(); | |
236 | break; | 237 | break; | |
237 | } | 238 | } | |
238 | 239 | |||
239 | setproctitle(NULL); | 240 | setproctitle(NULL); | |
240 | argc -= optind; | 241 | argc -= optind; | |
241 | argv += optind; | 242 | argv += optind; | |
242 | 243 | |||
243 | if (*argv) { | 244 | if (*argv) { | |
244 | username = *argv; | 245 | username = instance = *argv; | |
245 | ask = 0; | 246 | ask = 0; | |
246 | } else | 247 | } else | |
247 | ask = 1; | 248 | ask = 1; | |
248 | 249 | |||
249 | #ifdef F_CLOSEM | 250 | #ifdef F_CLOSEM | |
250 | (void)fcntl(3, F_CLOSEM, 0); | 251 | (void)fcntl(3, F_CLOSEM, 0); | |
251 | #else | 252 | #else | |
252 | for (cnt = getdtablesize(); cnt > 2; cnt--) | 253 | for (cnt = getdtablesize(); cnt > 2; cnt--) | |
253 | (void)close(cnt); | 254 | (void)close(cnt); | |
254 | #endif | 255 | #endif | |
255 | 256 | |||
256 | ttyn = ttyname(STDIN_FILENO); | 257 | ttyn = ttyname(STDIN_FILENO); | |
257 | if (ttyn == NULL || *ttyn == '\0') { | 258 | if (ttyn == NULL || *ttyn == '\0') { | |
@@ -297,44 +298,44 @@ main(int argc, char *argv[]) | @@ -297,44 +298,44 @@ main(int argc, char *argv[]) | |||
297 | * login succeeds. | 298 | * login succeeds. | |
298 | */ | 299 | */ | |
299 | if (kerror != ENXIO) { /* XXX NetBSD-local Heimdal hack */ | 300 | if (kerror != ENXIO) { /* XXX NetBSD-local Heimdal hack */ | |
300 | syslog(LOG_NOTICE, | 301 | syslog(LOG_NOTICE, | |
301 | "%s when initializing Kerberos context", | 302 | "%s when initializing Kerberos context", | |
302 | error_message(kerror)); | 303 | error_message(kerror)); | |
303 | krb5_configured = 1; | 304 | krb5_configured = 1; | |
304 | } | 305 | } | |
305 | login_krb5_get_tickets = 0; | 306 | login_krb5_get_tickets = 0; | |
306 | } | 307 | } | |
307 | #endif /* KERBEROS5 */ | 308 | #endif /* KERBEROS5 */ | |
308 | 309 | |||
309 | for (cnt = 0;; ask = 1) { | 310 | for (cnt = 0;; ask = 1) { | |
311 | char *ptr; | |||
310 | #if defined(KERBEROS5) | 312 | #if defined(KERBEROS5) | |
311 | if (login_krb5_get_tickets) | 313 | if (login_krb5_get_tickets) | |
312 | k5destroy(); | 314 | k5destroy(); | |
313 | #endif | 315 | #endif | |
314 | if (ask) { | 316 | if (ask) { | |
315 | fflag = 0; | 317 | fflag = 0; | |
316 | getloginname(); | 318 | instance = getloginname(); | |
317 | } | 319 | } | |
318 | rootlogin = 0; | 320 | rootlogin = 0; | |
321 | ptr = instance; | |||
319 | #ifdef KERBEROS5 | 322 | #ifdef KERBEROS5 | |
320 | if ((instance = strchr(username, '/')) != NULL) | 323 | if ((instance = strchr(instance, '/')) != NULL) | |
321 | *instance++ = '\0'; | 324 | *instance++ = '\0'; | |
322 | else | 325 | else | |
323 | instance = ""; | 326 | instance = __UNCONST(""); | |
324 | #endif | 327 | #endif | |
325 | if (strlen(username) > MAXLOGNAME) | 328 | username = trimloginname(ptr); | |
326 | username[MAXLOGNAME] = '\0'; | |||
327 | ||||
328 | /* | 329 | /* | |
329 | * Note if trying multiple user names; log failures for | 330 | * Note if trying multiple user names; log failures for | |
330 | * previous user name, but don't bother logging one failure | 331 | * previous user name, but don't bother logging one failure | |
331 | * for nonexistent name (mistyped username). | 332 | * for nonexistent name (mistyped username). | |
332 | */ | 333 | */ | |
333 | if (failures && strcmp(tbuf, username)) { | 334 | if (failures && strcmp(tbuf, username)) { | |
334 | if (failures > (pwd ? 0 : 1)) | 335 | if (failures > (pwd ? 0 : 1)) | |
335 | badlogin(tbuf); | 336 | badlogin(tbuf); | |
336 | failures = 0; | 337 | failures = 0; | |
337 | } | 338 | } | |
338 | (void)strlcpy(tbuf, username, sizeof(tbuf)); | 339 | (void)strlcpy(tbuf, username, sizeof(tbuf)); | |
339 | 340 | |||
340 | pwd = getpwnam(username); | 341 | pwd = getpwnam(username); | |
@@ -496,27 +497,27 @@ main(int argc, char *argv[]) | @@ -496,27 +497,27 @@ main(int argc, char *argv[]) | |||
496 | (void)seteuid(pwd->pw_uid); | 497 | (void)seteuid(pwd->pw_uid); | |
497 | 498 | |||
498 | if (chdir(pwd->pw_dir) < 0) { | 499 | if (chdir(pwd->pw_dir) < 0) { | |
499 | #ifdef LOGIN_CAP | 500 | #ifdef LOGIN_CAP | |
500 | if (login_getcapbool(lc, "requirehome", 0)) { | 501 | if (login_getcapbool(lc, "requirehome", 0)) { | |
501 | (void)printf("Home directory %s required\n", | 502 | (void)printf("Home directory %s required\n", | |
502 | pwd->pw_dir); | 503 | pwd->pw_dir); | |
503 | sleepexit(EXIT_FAILURE); | 504 | sleepexit(EXIT_FAILURE); | |
504 | } | 505 | } | |
505 | #endif | 506 | #endif | |
506 | (void)printf("No home directory %s!\n", pwd->pw_dir); | 507 | (void)printf("No home directory %s!\n", pwd->pw_dir); | |
507 | if (chdir("/") == -1) | 508 | if (chdir("/") == -1) | |
508 | exit(EXIT_FAILURE); | 509 | exit(EXIT_FAILURE); | |
509 | pwd->pw_dir = "/"; | 510 | pwd->pw_dir = __UNCONST("/"); | |
510 | (void)printf("Logging in with home = \"/\".\n"); | 511 | (void)printf("Logging in with home = \"/\".\n"); | |
511 | } | 512 | } | |
512 | 513 | |||
513 | if (!quietlog) | 514 | if (!quietlog) | |
514 | quietlog = access(_PATH_HUSHLOGIN, F_OK) == 0; | 515 | quietlog = access(_PATH_HUSHLOGIN, F_OK) == 0; | |
515 | 516 | |||
516 | /* regain special privileges */ | 517 | /* regain special privileges */ | |
517 | (void)seteuid(saved_uid); | 518 | (void)seteuid(saved_uid); | |
518 | setgroups(nsaved_gids, saved_gids); | 519 | setgroups(nsaved_gids, saved_gids); | |
519 | (void)setegid(saved_gid); | 520 | (void)setegid(saved_gid); | |
520 | 521 | |||
521 | #ifdef LOGIN_CAP | 522 | #ifdef LOGIN_CAP | |
522 | pw_warntime = login_getcaptime(lc, "password-warn", | 523 | pw_warntime = login_getcaptime(lc, "password-warn", | |
@@ -582,41 +583,41 @@ main(int argc, char *argv[]) | @@ -582,41 +583,41 @@ main(int argc, char *argv[]) | |||
582 | initgroups(username, pwd->pw_gid); | 583 | initgroups(username, pwd->pw_gid); | |
583 | 584 | |||
584 | if (nested == NULL && setlogin(pwd->pw_name) < 0) | 585 | if (nested == NULL && setlogin(pwd->pw_name) < 0) | |
585 | syslog(LOG_ERR, "setlogin() failure: %m"); | 586 | syslog(LOG_ERR, "setlogin() failure: %m"); | |
586 | 587 | |||
587 | /* Discard permissions last so can't get killed and drop core. */ | 588 | /* Discard permissions last so can't get killed and drop core. */ | |
588 | if (rootlogin) | 589 | if (rootlogin) | |
589 | (void)setuid(0); | 590 | (void)setuid(0); | |
590 | else | 591 | else | |
591 | (void)setuid(pwd->pw_uid); | 592 | (void)setuid(pwd->pw_uid); | |
592 | #endif | 593 | #endif | |
593 | 594 | |||
594 | if (*pwd->pw_shell == '\0') | 595 | if (*pwd->pw_shell == '\0') | |
595 | pwd->pw_shell = _PATH_BSHELL; | 596 | pwd->pw_shell = __UNCONST(_PATH_BSHELL); | |
596 | #ifdef LOGIN_CAP | 597 | #ifdef LOGIN_CAP | |
597 | if ((shell = login_getcapstr(lc, "shell", NULL, NULL)) != NULL) { | 598 | if ((shell = login_getcapstr(lc, "shell", NULL, NULL)) != NULL) { | |
598 | if ((shell = strdup(shell)) == NULL) { | 599 | if ((shell = strdup(shell)) == NULL) { | |
599 | syslog(LOG_ERR, "Cannot alloc mem"); | 600 | syslog(LOG_ERR, "Cannot alloc mem"); | |
600 | sleepexit(EXIT_FAILURE); | 601 | sleepexit(EXIT_FAILURE); | |
601 | } | 602 | } | |
602 | pwd->pw_shell = shell; | 603 | pwd->pw_shell = shell; | |
603 | } | 604 | } | |
604 | #endif | 605 | #endif | |
605 | 606 | |||
606 | (void)setenv("HOME", pwd->pw_dir, 1); | 607 | (void)setenv("HOME", pwd->pw_dir, 1); | |
607 | (void)setenv("SHELL", pwd->pw_shell, 1); | 608 | (void)setenv("SHELL", pwd->pw_shell, 1); | |
608 | if (term[0] == '\0') { | 609 | if (term[0] == '\0') { | |
609 | char *tt = (char *)stypeof(tty); | 610 | const char *tt = stypeof(tty); | |
610 | #ifdef LOGIN_CAP | 611 | #ifdef LOGIN_CAP | |
611 | if (tt == NULL) | 612 | if (tt == NULL) | |
612 | tt = login_getcapstr(lc, "term", NULL, NULL); | 613 | tt = login_getcapstr(lc, "term", NULL, NULL); | |
613 | #endif | 614 | #endif | |
614 | /* unknown term -> "su" */ | 615 | /* unknown term -> "su" */ | |
615 | (void)strlcpy(term, tt != NULL ? tt : "su", sizeof(term)); | 616 | (void)strlcpy(term, tt != NULL ? tt : "su", sizeof(term)); | |
616 | } | 617 | } | |
617 | (void)setenv("TERM", term, 0); | 618 | (void)setenv("TERM", term, 0); | |
618 | (void)setenv("LOGNAME", pwd->pw_name, 1); | 619 | (void)setenv("LOGNAME", pwd->pw_name, 1); | |
619 | (void)setenv("USER", pwd->pw_name, 1); | 620 | (void)setenv("USER", pwd->pw_name, 1); | |
620 | 621 | |||
621 | #ifdef LOGIN_CAP | 622 | #ifdef LOGIN_CAP | |
622 | setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETPATH); | 623 | setusercontext(lc, pwd, pwd->pw_uid, LOGIN_SETPATH); | |
@@ -638,27 +639,27 @@ main(int argc, char *argv[]) | @@ -638,27 +639,27 @@ main(int argc, char *argv[]) | |||
638 | syslog(LOG_NOTICE, "ROOT LOGIN (%s) ON %s FROM %s", | 639 | syslog(LOG_NOTICE, "ROOT LOGIN (%s) ON %s FROM %s", | |
639 | username, tty, hostname); | 640 | username, tty, hostname); | |
640 | else | 641 | else | |
641 | syslog(LOG_NOTICE, "ROOT LOGIN (%s) ON %s", | 642 | syslog(LOG_NOTICE, "ROOT LOGIN (%s) ON %s", | |
642 | username, tty); | 643 | username, tty); | |
643 | } | 644 | } | |
644 | 645 | |||
645 | #if defined(KERBEROS5) | 646 | #if defined(KERBEROS5) | |
646 | if (KERBEROS_CONFIGURED && !quietlog && notickets == 1) | 647 | if (KERBEROS_CONFIGURED && !quietlog && notickets == 1) | |
647 | (void)printf("Warning: no Kerberos tickets issued.\n"); | 648 | (void)printf("Warning: no Kerberos tickets issued.\n"); | |
648 | #endif | 649 | #endif | |
649 | 650 | |||
650 | if (!quietlog) { | 651 | if (!quietlog) { | |
651 | char *fname; | 652 | const char *fname; | |
652 | #ifdef LOGIN_CAP | 653 | #ifdef LOGIN_CAP | |
653 | fname = login_getcapstr(lc, "copyright", NULL, NULL); | 654 | fname = login_getcapstr(lc, "copyright", NULL, NULL); | |
654 | if (fname != NULL && access(fname, F_OK) == 0) | 655 | if (fname != NULL && access(fname, F_OK) == 0) | |
655 | motd(fname); | 656 | motd(fname); | |
656 | else | 657 | else | |
657 | #endif | 658 | #endif | |
658 | (void)printf("%s", copyrightstr); | 659 | (void)printf("%s", copyrightstr); | |
659 | 660 | |||
660 | #ifdef LOGIN_CAP | 661 | #ifdef LOGIN_CAP | |
661 | fname = login_getcapstr(lc, "welcome", NULL, NULL); | 662 | fname = login_getcapstr(lc, "welcome", NULL, NULL); | |
662 | if (fname == NULL || access(fname, F_OK) != 0) | 663 | if (fname == NULL || access(fname, F_OK) != 0) | |
663 | #endif | 664 | #endif | |
664 | fname = _PATH_MOTDFILE; | 665 | fname = _PATH_MOTDFILE; |
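Review bot: `instance` and `ptr` are now read outside the `#ifdef KERBEROS5` guards (`username = instance = *argv;` before the loop, then `instance = getloginname();` and `ptr = instance;` inside it), whereas the old code only touched `instance` under that guard; if the file-scope declaration of `instance` — not visible in this section — is itself Kerberos-only, the non-PAM, non-Kerberos build of login.c that the Makefile still permits will no longer compile. The indirection exists only so the Kerberos branch can overwrite `instance` with the `/` split while `ptr` keeps the name for `trimloginname()`; computing `ptr` directly and leaving `instance` Kerberos-only removes both the build risk and the reuse of `instance` as a scratch variable. This assumes nothing between option parsing and the loop reads `instance`, which I cannot confirm from here, and main() begins and ends outside this section. A comment above the trim, `/* bound the user part only; a Kerberos instance after '/' is passed through as typed */`, would also record that the MAXLOGNAME trimming deliberately happens after the split.
```c
	if (*argv) {
		username = *argv;
		ask = 0;
	} else
		ask = 1;
	/* … unchanged: fd cleanup, ttyname, Kerberos context setup … */
	for (cnt = 0;; ask = 1) {
		char *ptr;
#if defined(KERBEROS5)
		if (login_krb5_get_tickets)
			k5destroy();
#endif
		if (ask) {
			fflag = 0;
			ptr = getloginname();
		} else
			ptr = *argv;
		rootlogin = 0;
#ifdef KERBEROS5
		if ((instance = strchr(ptr, '/')) != NULL)
			*instance++ = '\0';
		else
			instance = __UNCONST("");
#endif
		username = trimloginname(ptr);
```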
--- src/usr.bin/login/login_pam.c 2009/12/29 19:26:13 1.20
+++ src/usr.bin/login/login_pam.c 2012/04/22 23:26:19 1.21
@@ -1,14 +1,14 @@ | @@ -1,14 +1,14 @@ | |||
1 | /* $NetBSD: login_pam.c,v 1.20 2009/12/29 19:26:13 christos Exp $ */ | 1 | /* $NetBSD: login_pam.c,v 1.21 2012/04/22 23:26:19 christos Exp $ */ | |
2 | 2 | |||
3 | /*- | 3 | /*- | |
4 | * Copyright (c) 1980, 1987, 1988, 1991, 1993, 1994 | 4 | * Copyright (c) 1980, 1987, 1988, 1991, 1993, 1994 | |
5 | * The Regents of the University of California. All rights reserved. | 5 | * The Regents of the University of California. All rights reserved. | |
6 | * | 6 | * | |
7 | * Redistribution and use in source and binary forms, with or without | 7 | * Redistribution and use in source and binary forms, with or without | |
8 | * modification, are permitted provided that the following conditions | 8 | * modification, are permitted provided that the following conditions | |
9 | * are met: | 9 | * are met: | |
10 | * 1. Redistributions of source code must retain the above copyright | 10 | * 1. Redistributions of source code must retain the above copyright | |
11 | * notice, this list of conditions and the following disclaimer. | 11 | * notice, this list of conditions and the following disclaimer. | |
12 | * 2. Redistributions in binary form must reproduce the above copyright | 12 | * 2. Redistributions in binary form must reproduce the above copyright | |
13 | * notice, this list of conditions and the following disclaimer in the | 13 | * notice, this list of conditions and the following disclaimer in the | |
14 | * documentation and/or other materials provided with the distribution. | 14 | * documentation and/or other materials provided with the distribution. | |
@@ -29,27 +29,27 @@ | @@ -29,27 +29,27 @@ | |||
29 | * SUCH DAMAGE. | 29 | * SUCH DAMAGE. | |
30 | */ | 30 | */ | |
31 | 31 | |||
32 | #include <sys/cdefs.h> | 32 | #include <sys/cdefs.h> | |
33 | #ifndef lint | 33 | #ifndef lint | |
34 | __COPYRIGHT("@(#) Copyright (c) 1980, 1987, 1988, 1991, 1993, 1994\ | 34 | __COPYRIGHT("@(#) Copyright (c) 1980, 1987, 1988, 1991, 1993, 1994\ | |
35 | The Regents of the University of California. All rights reserved."); | 35 | The Regents of the University of California. All rights reserved."); | |
36 | #endif /* not lint */ | 36 | #endif /* not lint */ | |
37 | 37 | |||
38 | #ifndef lint | 38 | #ifndef lint | |
39 | #if 0 | 39 | #if 0 | |
40 | static char sccsid[] = "@(#)login.c 8.4 (Berkeley) 4/2/94"; | 40 | static char sccsid[] = "@(#)login.c 8.4 (Berkeley) 4/2/94"; | |
41 | #endif | 41 | #endif | |
42 | __RCSID("$NetBSD: login_pam.c,v 1.20 2009/12/29 19:26:13 christos Exp $"); | 42 | __RCSID("$NetBSD: login_pam.c,v 1.21 2012/04/22 23:26:19 christos Exp $"); | |
43 | #endif /* not lint */ | 43 | #endif /* not lint */ | |
44 | 44 | |||
45 | /* | 45 | /* | |
46 | * login [ name ] | 46 | * login [ name ] | |
47 | * login -h hostname (for telnetd, etc.) | 47 | * login -h hostname (for telnetd, etc.) | |
48 | * login -f name (for pre-authenticated login: datakit, xterm, etc.) | 48 | * login -f name (for pre-authenticated login: datakit, xterm, etc.) | |
49 | */ | 49 | */ | |
50 | 50 | |||
51 | #include <sys/param.h> | 51 | #include <sys/param.h> | |
52 | #include <sys/stat.h> | 52 | #include <sys/stat.h> | |
53 | #include <sys/time.h> | 53 | #include <sys/time.h> | |
54 | #include <sys/resource.h> | 54 | #include <sys/resource.h> | |
55 | #include <sys/file.h> | 55 | #include <sys/file.h> | |
@@ -184,27 +184,27 @@ main(int argc, char *argv[]) | @@ -184,27 +184,27 @@ main(int argc, char *argv[]) | |||
184 | pflag = 1; | 184 | pflag = 1; | |
185 | break; | 185 | break; | |
186 | default: | 186 | default: | |
187 | case '?': | 187 | case '?': | |
188 | usage(); | 188 | usage(); | |
189 | break; | 189 | break; | |
190 | } | 190 | } | |
191 | 191 | |||
192 | setproctitle(NULL); | 192 | setproctitle(NULL); | |
193 | argc -= optind; | 193 | argc -= optind; | |
194 | argv += optind; | 194 | argv += optind; | |
195 | 195 | |||
196 | if (*argv) { | 196 | if (*argv) { | |
197 | username = *argv; | 197 | username = trimloginname(*argv); | |
198 | ask = 0; | 198 | ask = 0; | |
199 | } else | 199 | } else | |
200 | ask = 1; | 200 | ask = 1; | |
201 | 201 | |||
202 | #ifdef F_CLOSEM | 202 | #ifdef F_CLOSEM | |
203 | (void)fcntl(3, F_CLOSEM, 0); | 203 | (void)fcntl(3, F_CLOSEM, 0); | |
204 | #else | 204 | #else | |
205 | for (cnt = getdtablesize(); cnt > 2; cnt--) | 205 | for (cnt = getdtablesize(); cnt > 2; cnt--) | |
206 | (void)close(cnt); | 206 | (void)close(cnt); | |
207 | #endif | 207 | #endif | |
208 | 208 | |||
209 | ttyn = ttyname(STDIN_FILENO); | 209 | ttyn = ttyname(STDIN_FILENO); | |
210 | if (ttyn == NULL || *ttyn == '\0') { | 210 | if (ttyn == NULL || *ttyn == '\0') { | |
@@ -230,32 +230,30 @@ main(int argc, char *argv[]) | @@ -230,32 +230,30 @@ main(int argc, char *argv[]) | |||
230 | if ((lc = login_getclass(NULL)) != NULL) { | 230 | if ((lc = login_getclass(NULL)) != NULL) { | |
231 | login_retries = (int)login_getcapnum(lc, "login-retries", | 231 | login_retries = (int)login_getcapnum(lc, "login-retries", | |
232 | DEFAULT_RETRIES, DEFAULT_RETRIES); | 232 | DEFAULT_RETRIES, DEFAULT_RETRIES); | |
233 | login_backoff = (int)login_getcapnum(lc, "login-backoff", | 233 | login_backoff = (int)login_getcapnum(lc, "login-backoff", | |
234 | DEFAULT_BACKOFF, DEFAULT_BACKOFF); | 234 | DEFAULT_BACKOFF, DEFAULT_BACKOFF); | |
235 | login_close(lc); | 235 | login_close(lc); | |
236 | lc = NULL; | 236 | lc = NULL; | |
237 | } | 237 | } | |
238 | 238 | |||
239 | 239 | |||
240 | for (cnt = 0;; ask = 1) { | 240 | for (cnt = 0;; ask = 1) { | |
241 | if (ask) { | 241 | if (ask) { | |
242 | fflag = 0; | 242 | fflag = 0; | |
243 | getloginname(); | 243 | username = trimusername(getloginname()); | |
244 | } | 244 | } | |
245 | rootlogin = 0; | 245 | rootlogin = 0; | |
246 | auth_passed = 0; | 246 | auth_passed = 0; | |
247 | if (strlen(username) > MAXLOGNAME) | |||
248 | username[MAXLOGNAME] = '\0'; | |||
249 | 247 | |||
250 | /* | 248 | /* | |
251 | * Note if trying multiple user names; log failures for | 249 | * Note if trying multiple user names; log failures for | |
252 | * previous user name, but don't bother logging one failure | 250 | * previous user name, but don't bother logging one failure | |
253 | * for nonexistent name (mistyped username). | 251 | * for nonexistent name (mistyped username). | |
254 | */ | 252 | */ | |
255 | if (failures && strcmp(tbuf, username)) { | 253 | if (failures && strcmp(tbuf, username)) { | |
256 | if (failures > (pwd ? 0 : 1)) | 254 | if (failures > (pwd ? 0 : 1)) | |
257 | badlogin(tbuf); | 255 | badlogin(tbuf); | |
258 | failures = 0; | 256 | failures = 0; | |
259 | } | 257 | } | |
260 | 258 | |||
261 | #define PAM_END(msg) do { \ | 259 | #define PAM_END(msg) do { \ | |
@@ -324,27 +322,27 @@ main(int argc, char *argv[]) | @@ -324,27 +322,27 @@ main(int argc, char *argv[]) | |||
324 | 322 | |||
325 | (void)setpriority(PRIO_PROCESS, 0, -4); | 323 | (void)setpriority(PRIO_PROCESS, 0, -4); | |
326 | 324 | |||
327 | switch(pam_err = pam_authenticate(pamh, pam_silent)) { | 325 | switch(pam_err = pam_authenticate(pamh, pam_silent)) { | |
328 | case PAM_SUCCESS: | 326 | case PAM_SUCCESS: | |
329 | /* | 327 | /* | |
330 | * PAM can change the user, refresh | 328 | * PAM can change the user, refresh | |
331 | * username, pwd, and lc. | 329 | * username, pwd, and lc. | |
332 | */ | 330 | */ | |
333 | pam_err = pam_get_item(pamh, PAM_USER, &newuser); | 331 | pam_err = pam_get_item(pamh, PAM_USER, &newuser); | |
334 | if (pam_err != PAM_SUCCESS) | 332 | if (pam_err != PAM_SUCCESS) | |
335 | PAM_END("pam_get_item(PAM_USER)"); | 333 | PAM_END("pam_get_item(PAM_USER)"); | |
336 | 334 | |||
337 | username = (char *)newuser; | 335 | username = newuser; | |
338 | /* | 336 | /* | |
339 | * Don't check for errors, because we don't want to give | 337 | * Don't check for errors, because we don't want to give | |
340 | * out any information. | 338 | * out any information. | |
341 | */ | 339 | */ | |
342 | pwd = NULL; | 340 | pwd = NULL; | |
343 | (void)getpwnam_r(username, &pwres, pwbuf, sizeof(pwbuf), | 341 | (void)getpwnam_r(username, &pwres, pwbuf, sizeof(pwbuf), | |
344 | &pwd); | 342 | &pwd); | |
345 | lc = login_getpwclass(pwd); | 343 | lc = login_getpwclass(pwd); | |
346 | auth_passed = 1; | 344 | auth_passed = 1; | |
347 | 345 | |||
348 | switch (pam_err = pam_acct_mgmt(pamh, pam_silent)) { | 346 | switch (pam_err = pam_acct_mgmt(pamh, pam_silent)) { | |
349 | case PAM_SUCCESS: | 347 | case PAM_SUCCESS: | |
350 | break; | 348 | break; | |
@@ -431,27 +429,27 @@ skip_auth: | @@ -431,27 +429,27 @@ skip_auth: | |||
431 | if (chdir(pwd->pw_dir) != 0) { | 429 | if (chdir(pwd->pw_dir) != 0) { | |
432 | if (login_getcapbool(lc, "requirehome", 0)) { | 430 | if (login_getcapbool(lc, "requirehome", 0)) { | |
433 | (void)printf("Home directory %s required\n", | 431 | (void)printf("Home directory %s required\n", | |
434 | pwd->pw_dir); | 432 | pwd->pw_dir); | |
435 | pam_end(pamh, PAM_SUCCESS); | 433 | pam_end(pamh, PAM_SUCCESS); | |
436 | exit(EXIT_FAILURE); | 434 | exit(EXIT_FAILURE); | |
437 | } | 435 | } | |
438 | 436 | |||
439 | (void)printf("No home directory %s!\n", pwd->pw_dir); | 437 | (void)printf("No home directory %s!\n", pwd->pw_dir); | |
440 | if (chdir("/") == -1) { | 438 | if (chdir("/") == -1) { | |
441 | pam_end(pamh, PAM_SUCCESS); | 439 | pam_end(pamh, PAM_SUCCESS); | |
442 | exit(EXIT_FAILURE); | 440 | exit(EXIT_FAILURE); | |
443 | } | 441 | } | |
444 | pwd->pw_dir = "/"; | 442 | pwd->pw_dir = __UNCONST("/"); | |
445 | (void)printf("Logging in with home = \"/\".\n"); | 443 | (void)printf("Logging in with home = \"/\".\n"); | |
446 | } | 444 | } | |
447 | 445 | |||
448 | if (!quietlog) { | 446 | if (!quietlog) { | |
449 | quietlog = access(_PATH_HUSHLOGIN, F_OK) == 0; | 447 | quietlog = access(_PATH_HUSHLOGIN, F_OK) == 0; | |
450 | pam_silent = quietlog ? PAM_SILENT : 0; | 448 | pam_silent = quietlog ? PAM_SILENT : 0; | |
451 | } | 449 | } | |
452 | 450 | |||
453 | /* regain special privileges */ | 451 | /* regain special privileges */ | |
454 | setegid(saved_gid); | 452 | setegid(saved_gid); | |
455 | setgroups(nsaved_gids, saved_gids); | 453 | setgroups(nsaved_gids, saved_gids); | |
456 | seteuid(saved_uid); | 454 | seteuid(saved_uid); | |
457 | 455 | |||
@@ -560,41 +558,41 @@ skip_auth: | @@ -560,41 +558,41 @@ skip_auth: | |||
560 | * job when we exit. | 558 | * job when we exit. | |
561 | * | 559 | * | |
562 | * Destroy environment unless user has requested its preservation. | 560 | * Destroy environment unless user has requested its preservation. | |
563 | * Try to preserve TERM anyway. | 561 | * Try to preserve TERM anyway. | |
564 | */ | 562 | */ | |
565 | saved_term = getenv("TERM"); | 563 | saved_term = getenv("TERM"); | |
566 | if (!pflag) { | 564 | if (!pflag) { | |
567 | environ = envinit; | 565 | environ = envinit; | |
568 | if (saved_term) | 566 | if (saved_term) | |
569 | setenv("TERM", saved_term, 0); | 567 | setenv("TERM", saved_term, 0); | |
570 | } | 568 | } | |
571 | 569 | |||
572 | if (*pwd->pw_shell == '\0') | 570 | if (*pwd->pw_shell == '\0') | |
573 | pwd->pw_shell = _PATH_BSHELL; | 571 | pwd->pw_shell = __UNCONST(_PATH_BSHELL); | |
574 | 572 | |||
575 | shell = login_getcapstr(lc, "shell", pwd->pw_shell, pwd->pw_shell); | 573 | shell = login_getcapstr(lc, "shell", pwd->pw_shell, pwd->pw_shell); | |
576 | if (*shell == '\0') | 574 | if (*shell == '\0') | |
577 | shell = pwd->pw_shell; | 575 | shell = pwd->pw_shell; | |
578 | 576 | |||
579 | if ((pwd->pw_shell = strdup(shell)) == NULL) { | 577 | if ((pwd->pw_shell = strdup(shell)) == NULL) { | |
580 | syslog(LOG_ERR, "Cannot alloc mem"); | 578 | syslog(LOG_ERR, "Cannot alloc mem"); | |
581 | exit(EXIT_FAILURE); | 579 | exit(EXIT_FAILURE); | |
582 | } | 580 | } | |
583 | 581 | |||
584 | (void)setenv("HOME", pwd->pw_dir, 1); | 582 | (void)setenv("HOME", pwd->pw_dir, 1); | |
585 | (void)setenv("SHELL", pwd->pw_shell, 1); | 583 | (void)setenv("SHELL", pwd->pw_shell, 1); | |
586 | if (term[0] == '\0') { | 584 | if (term[0] == '\0') { | |
587 | char *tt = (char *)stypeof(tty); | 585 | const char *tt = stypeof(tty); | |
588 | 586 | |||
589 | if (tt == NULL) | 587 | if (tt == NULL) | |
590 | tt = login_getcapstr(lc, "term", NULL, NULL); | 588 | tt = login_getcapstr(lc, "term", NULL, NULL); | |
591 | 589 | |||
592 | /* unknown term -> "su" */ | 590 | /* unknown term -> "su" */ | |
593 | (void)strlcpy(term, tt != NULL ? tt : "su", sizeof(term)); | 591 | (void)strlcpy(term, tt != NULL ? tt : "su", sizeof(term)); | |
594 | } | 592 | } | |
595 | (void)setenv("TERM", term, 0); | 593 | (void)setenv("TERM", term, 0); | |
596 | (void)setenv("LOGNAME", pwd->pw_name, 1); | 594 | (void)setenv("LOGNAME", pwd->pw_name, 1); | |
597 | (void)setenv("USER", pwd->pw_name, 1); | 595 | (void)setenv("USER", pwd->pw_name, 1); | |
598 | 596 | |||
599 | /* | 597 | /* | |
600 | * Add PAM environement | 598 | * Add PAM environement | |
@@ -608,27 +606,27 @@ skip_auth: | @@ -608,27 +606,27 @@ skip_auth: | |||
608 | } | 606 | } | |
609 | 607 | |||
610 | free(pamenv); | 608 | free(pamenv); | |
611 | } | 609 | } | |
612 | 610 | |||
613 | /* This drops root privs */ | 611 | /* This drops root privs */ | |
614 | if (setusercontext(lc, pwd, pwd->pw_uid, | 612 | if (setusercontext(lc, pwd, pwd->pw_uid, | |
615 | (LOGIN_SETALL & ~LOGIN_SETLOGIN)) != 0) { | 613 | (LOGIN_SETALL & ~LOGIN_SETLOGIN)) != 0) { | |
616 | syslog(LOG_ERR, "setusercontext failed"); | 614 | syslog(LOG_ERR, "setusercontext failed"); | |
617 | exit(EXIT_FAILURE); | 615 | exit(EXIT_FAILURE); | |
618 | } | 616 | } | |
619 | 617 | |||
620 | if (!quietlog) { | 618 | if (!quietlog) { | |
621 | char *fname; | 619 | const char *fname; | |
622 | 620 | |||
623 | fname = login_getcapstr(lc, "copyright", NULL, NULL); | 621 | fname = login_getcapstr(lc, "copyright", NULL, NULL); | |
624 | if (fname != NULL && access(fname, F_OK) == 0) | 622 | if (fname != NULL && access(fname, F_OK) == 0) | |
625 | motd(fname); | 623 | motd(fname); | |
626 | else | 624 | else | |
627 | (void)printf("%s", copyrightstr); | 625 | (void)printf("%s", copyrightstr); | |
628 | 626 | |||
629 | fname = login_getcapstr(lc, "welcome", NULL, NULL); | 627 | fname = login_getcapstr(lc, "welcome", NULL, NULL); | |
630 | if (fname == NULL || access(fname, F_OK) != 0) | 628 | if (fname == NULL || access(fname, F_OK) != 0) | |
631 | fname = _PATH_MOTDFILE; | 629 | fname = _PATH_MOTDFILE; | |
632 | motd(fname); | 630 | motd(fname); | |
633 | 631 | |||
634 | (void)snprintf(tbuf, | 632 | (void)snprintf(tbuf, |