From 8a77f45aff366b1cd8c70c43ce63eb16a0c9839c Mon Sep 17 00:00:00 2001
From: Nicolas Williams
Date: Thu, 12 Oct 2017 23:00:57 -0500
Subject: [PATCH] Remove appl/su
---
 .gitignore | 1 -
 appl/Makefile.am | 1 -
 appl/su/ChangeLog | 129 -----------
 appl/su/Makefile.am | 16 --
 appl/su/NTMakefile | 35 ---
 appl/su/su.1 | 123 ----------
 appl/su/su.c | 534 --------------------------------------------
 appl/su/supaths.h | 51 -----
 configure.ac | 1 -
 9 files changed, 891 deletions(-)
 delete mode 100644 appl/su/ChangeLog
 delete mode 100644 appl/su/Makefile.am
 delete mode 100644 appl/su/NTMakefile
 delete mode 100644 appl/su/su.1
 delete mode 100644 appl/su/su.c
 delete mode 100644 appl/su/supaths.h
diff --git a/.gitignore b/.gitignore
index 66c05f54f..83a40d3c7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -98,7 +98,6 @@ asn1_*.[cx]
 /appl/kf/kfd
 /appl/otp/otp
 /appl/otp/otpprint
-/appl/su/su
 /appl/test/gssapi_client
 /appl/test/gssapi_server
 /appl/test/http_client
diff --git a/appl/Makefile.am b/appl/Makefile.am
index 101bf11f5..ec896ff2a 100644
--- a/appl/Makefile.am
+++ b/appl/Makefile.am
@@ -16,7 +16,6 @@ SUBDIRS = \
 dbutils \
 $(dir_otp) \
 gssmask \
- su \
 test \
 kf \
 $(dir_dce)
diff --git a/appl/su/ChangeLog b/appl/su/ChangeLog
deleted file mode 100644
index 6e2e56926..000000000
--- a/appl/su/ChangeLog
+++ /dev/null
@@ -1,129 +0,0 @@ -2008-07-15 Love Hörnquist Åstrand - - * Makefile.am: no krb4 - - * su.c: Drop kerberos 4 support. - -2007-10-19 Love Hörnquist Åstrand - - * su.c: read environment from _PATH_ETC_ENVIRONMENT - - * supaths.c: paths - -2007-08-02 Love Hörnquist Åstrand - - * su.c: Check all local realms when su-ing, from Magnus Holmberg. - -2007-06-19 Love Hörnquist Åstrand - - * su.c: If not root and not setuid, print warning. - -2006-01-17 Love Hörnquist Åstrand - - * su.c (group_member_p): rename from group_member to avoid name - pollution from glibc headers. Fixed based on report from David Love. - -2006-01-12 Johan Danielsson - - * su.c: fix reversed logic when deciding to print tty or not - -2005-10-22 Love Hörnquist Åstrand - - * su.c: Check return value from asprintf instead of string != NULL - since it undefined behavior on Linux. From Björn Sandell - -2005-05-10 Dave Love - - * su.c: Include . - -2003-09-03 Love Hörnquist Åstrand - - * su.c: s/des_read_pw_string/UI_UTIL_read_pw_string/ - -2003-05-06 Johan Danielsson - - * su.c: remove accidentally committed code that prints the command - being executed - -2003-03-18 Love Hörnquist Åstrand - - * su.c (krb5_start_session): krb5_afslog doesn't depend on KRB4 - any more - -2002-02-19 Johan Danielsson - - * su.c: make this build without krb5 - -2002-01-09 Jacques Vidrine - - * su.c: Don't use getlogin() to determine whether we are root. - Patch by joda. - -2001-06-12 Assar Westerlund - - * su.c: check memory allocations. add some const - -2000-12-31 Assar Westerlund - - * su.c (krb5_verify): handle krb5_init_context failure - consistently - -2000-08-28 Johan Danielsson - - * su.c: set KRBTKFILE - -2000-07-10 Assar Westerlund - - * Makefile.am: actually install su - * su.c (krb5_verify): try harder freeing. 
do not get upset on - interrupted password read - -2000-06-09 Assar Westerlund - - * su.c (main): work-around for setuid and capabilities bug fixed - in Linux 2.2.16 - -2000-06-03 Assar Westerlund - - * su.c (main): just ignore shadow information if getspnam returns - NULL - -1999-10-20 Assar Westerlund - - * Makefile.am: use LIB_roken - -1999-09-28 Assar Westerlund - - * su.c (krb5_verify): use krb5_verify_user_lrealm - -1999-08-04 Assar Westerlund - - * su.c: add support for shadow passwords and rewrite some logic. - From Miroslav Ruda - - * Makefile.am: add libkafs - -1999-06-15 Assar Westerlund - - * su.c (main): conditionalize `getlogin' - -1999-05-11 Assar Westerlund - - * su.c (verfiy_krb5): get the name out of the ccache before - closing it - -1999-05-05 Assar Westerlund - - * su.c: some more error checking - -Wed Apr 21 21:04:36 1999 Assar Westerlund - - * su.c (-f): implement - - * su.c: implement -i - (verify_krb5): correct the ownership on the credential cache - -Tue Apr 20 13:26:13 1999 Johan Danielsson - - * su.c: don't depend on paths.h - diff --git a/appl/su/Makefile.am b/appl/su/Makefile.am deleted file mode 100644 index 605aae349..000000000 --- a/appl/su/Makefile.am +++ /dev/null @@ -1,16 +0,0 @@ -# $Id$ - -include $(top_srcdir)/Makefile.am.common - -bin_PROGRAMS = su -bin_SUIDS = su -su_SOURCES = su.c supaths.h -man_MANS = su.1 - -LDADD = $(LIB_kafs) \ - $(top_builddir)/lib/krb5/libkrb5.la \ - $(LIB_hcrypto) \ - $(top_builddir)/lib/asn1/libasn1.la \ - $(LIB_roken) - -EXTRA_DIST = NTMakefile $(man_MANS) diff --git a/appl/su/NTMakefile b/appl/su/NTMakefile deleted file mode 100644 index 7afe814fa..000000000 --- a/appl/su/NTMakefile +++ /dev/null 
@@ -1,35 +0,0 @@
-########################################################################
-#
-# Copyright (c) 2009, Secure Endpoints Inc.
-# All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-#
-# - Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-#
-# - Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in
-# the documentation and/or other materials provided with the
-# distribution.
-#
-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
-# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
-# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
-# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
-# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
-# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
-# POSSIBILITY OF SUCH DAMAGE.
-#
-
-RELDIR=appl\su
-
-!include ../../windows/NTMakefile.w32
-
diff --git a/appl/su/su.1 b/appl/su/su.1
deleted file mode 100644
index b57129e07..000000000
--- a/appl/su/su.1
+++ /dev/null
@@ -1,123 +0,0 @@ -.\" Copyright (c) 2003 - 2006 Kungliga Tekniska Högskolan -.\" (Royal Institute of Technology, Stockholm, Sweden). -.\" All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" -.\" 3. Neither the name of the Institute nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. 
-.\" -.\" $Id$ -.\" -.Dd January 12, 2006 -.Dt SU 1 -.Os HEIMDAL -.Sh NAME -.Nm su -.Nd substitute user identity -.Sh SYNOPSIS -.Nm su -.Op Fl K | Fl Fl no-kerberos -.Op Fl f -.Op Fl l | Fl Fl full -.Op Fl m -.Oo Fl i Ar instance \*(Ba Xo -.Fl Fl instance= Ns Ar instance -.Xc -.Oc -.Oo Fl c Ar command \*(Ba Xo -.Fl Fl command= Ns Ar command -.Xc -.Oc -.Op Ar login Op Ar "shell arguments" -.Sh DESCRIPTION -.Nm su -will use Kerberos authentication provided that an instance for the -user wanting to change effective UID is present in a file named -.Pa .k5login -in the target user id's home directory -.Pp -A special case exists where -.Ql root Ap s -.Pa ~/.k5login -needs to contain an entry for: -.Ql user Ns / Ns Ao instance Ac Ns @ Ns REALM -for -.Nm su -to succed (where -.Aq instance -is -.Ql root -unless changed with -.Fl i ) . -.Pp -In the absence of either an entry for current user in said file or -other problems like missing -.Ql host/hostname@REALM -keys in the system's -keytab, or user typing the wrong password, -.Nm su -will fall back to traditional -.Pa /etc/passwd -authentication. -.Pp -When using -.Pa /etc/passwd -authentication, -.Nm su -allows -.Ql root -access only to members of the group -.Ql wheel , -or to any user (with knowledge of the -.Ql root -password) if that group -does not exist, or has no members. -.Pp -The options are as follows: -.Bl -item -width Ds -.It -.Fl K , -.Fl Fl no-kerberos -don't use Kerberos. -.It -.Fl f -don't read .cshrc. -.It -.Fl l , -.Fl Fl full -simulate full login. -.It -.Fl m -leave environment unmodified. -.It -.Fl i Ar instance , -.Fl Fl instance= Ns Ar instance -root instance to use. -.It -.Fl c Ar command , -.Fl Fl command= Ns Ar command -command to execute. -.El diff --git a/appl/su/su.c b/appl/su/su.c deleted file mode 100644 index 488fd099c..000000000 --- a/appl/su/su.c +++ /dev/null 
@@ -1,534 +0,0 @@ -/* - * Copyright (c) 1999 - 2008 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of KTH nor the names of its contributors may be - * used to endorse or promote products derived from this software without - * specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY - * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR - * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, - * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR - * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF - * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
*/ - -#include - -RCSID("$Id$"); - -#include -#include -#include - -#include - -#ifdef HAVE_PATHS_H -#include -#endif - -#ifdef HAVE_SHADOW_H -#include -#endif - -#include -#ifdef HAVE_CRYPT_H -#include -#endif - -#include "crypto-headers.h" -#ifdef KRB5 -#include -#endif -#ifndef NO_AFS -#include -#endif -#include -#include -#include - -#include "supaths.h" - -#if !HAVE_DECL_ENVIRON -extern char **environ; -#endif - -int kerberos_flag = 1; -int csh_f_flag; -int full_login; -int env_flag; -char *kerberos_instance = "root"; -int help_flag; -int version_flag; -char *cmd; -char tkfile[256]; - -struct getargs args[] = { - { "kerberos", 'K', arg_negative_flag, &kerberos_flag, - "don't use kerberos", NULL }, - { NULL, 'f', arg_flag, &csh_f_flag, - "don't read .cshrc", NULL }, - { "full", 'l', arg_flag, &full_login, - "simulate full login", NULL }, - { NULL, 'm', arg_flag, &env_flag, - "leave environment unmodified", NULL }, - { "instance", 'i', arg_string, &kerberos_instance, - "root instance to use", NULL }, - { "command", 'c', arg_string, &cmd, - "command to execute", NULL }, - { "help", 'h', arg_flag, &help_flag, NULL, NULL }, - { "version", 0, arg_flag, &version_flag, NULL, NULL }, -}; - - -static void -usage (int ret) -{ - arg_printusage (args, - sizeof(args)/sizeof(*args), - NULL, - "[login [shell arguments]]"); - exit (ret); -} - -static void -free_info(struct passwd *p) -{ - free (p->pw_name); - free (p->pw_passwd); - free (p->pw_dir); - free (p->pw_shell); - free (p); -} - -static struct passwd* -dup_info(const struct passwd *pwd) -{ - struct passwd *info; - - info = malloc(sizeof(*info)); - if(info == NULL) - return NULL; - info->pw_name = strdup(pwd->pw_name); - info->pw_passwd = strdup(pwd->pw_passwd); - info->pw_uid = pwd->pw_uid; - info->pw_gid = pwd->pw_gid; - info->pw_dir = strdup(pwd->pw_dir); - info->pw_shell = strdup(pwd->pw_shell); - if(info->pw_name == NULL || info->pw_passwd == NULL || - info->pw_dir == NULL || info->pw_shell == NULL) { - free_info 
(info); - return NULL; - } - return info; -} - -#ifdef KRB5 -static krb5_context context; -static krb5_ccache ccache; - -static int -krb5_verify(const struct passwd *login_info, - const struct passwd *su_info, - const char *instance) -{ - krb5_error_code ret; - krb5_principal p; - krb5_realm *realms, *r; - char *login_name = NULL; - int user_ok = 0; - -#if defined(HAVE_GETLOGIN) && !defined(POSIX_GETLOGIN) - login_name = getlogin(); -#endif - ret = krb5_init_context (&context); - if (ret) { -#if 0 - warnx("krb5_init_context failed: %d", ret); -#endif - return 1; - } - - ret = krb5_get_default_realms(context, &realms); - if (ret) - return 1; - - /* Check all local realms */ - for (r = realms; *r != NULL && !user_ok; r++) { - - if (login_name == NULL || strcmp (login_name, "root") == 0) - login_name = login_info->pw_name; - if (strcmp (su_info->pw_name, "root") == 0) - ret = krb5_make_principal(context, &p, *r, - login_name, - instance, - NULL); - else - ret = krb5_make_principal(context, &p, *r, - su_info->pw_name, - NULL); - if (ret) { - krb5_free_host_realm(context, realms); - return 1; - } - - /* if we are su-ing too root, check with krb5_kuserok */ - if (su_info->pw_uid == 0 && !krb5_kuserok(context, p, su_info->pw_name)) - continue; - - ret = krb5_cc_new_unique(context, krb5_cc_type_memory, NULL, &ccache); - if(ret) { - krb5_free_host_realm(context, realms); - krb5_free_principal (context, p); - return 1; - } - ret = krb5_verify_user(context, p, ccache, NULL, TRUE, NULL); - krb5_free_principal (context, p); - switch (ret) { - case 0: - user_ok = 1; - break; - case KRB5_LIBOS_PWDINTR : - krb5_cc_destroy(context, ccache); - break; - case KRB5KRB_AP_ERR_BAD_INTEGRITY: - case KRB5KRB_AP_ERR_MODIFIED: - krb5_cc_destroy(context, ccache); - krb5_warnx(context, "Password incorrect"); - break; - default : - krb5_cc_destroy(context, ccache); - krb5_warn(context, ret, "krb5_verify_user"); - break; - } - } - krb5_free_host_realm(context, realms); - if (!user_ok) - return 
1; - return 0; -} - -static int -krb5_start_session(void) -{ - krb5_ccache ccache2; - char *cc_name; - int ret; - - ret = krb5_cc_new_unique(context, krb5_cc_type_file, NULL, &ccache2); - if (ret) { - krb5_cc_destroy(context, ccache); - return 1; - } - - ret = krb5_cc_copy_cache(context, ccache, ccache2); - if (ret) { - krb5_cc_destroy(context, ccache); - krb5_cc_destroy(context, ccache2); - return 1; - } - - ret = asprintf(&cc_name, "%s:%s", krb5_cc_get_type(context, ccache2), - krb5_cc_get_name(context, ccache2)); - if (ret == -1) { - krb5_cc_destroy(context, ccache); - krb5_cc_destroy(context, ccache2); - errx(1, "malloc - out of memory"); - } - esetenv("KRB5CCNAME", cc_name, 1); - -#ifndef NO_AFS - /* convert creds? */ - if(k_hasafs()) { - if (k_setpag() == 0) - krb5_afslog(context, ccache2, NULL, NULL); - } -#endif - - krb5_cc_close(context, ccache2); - krb5_cc_destroy(context, ccache); - return 0; -} -#endif - - -#define GROUP_MEMBER 0 -#define GROUP_MISSING 1 -#define GROUP_EMPTY 2 -#define GROUP_NOT_MEMBER 3 - -static int -group_member_p(const char *group, const char *user) -{ - struct group *g; - int i; - g = getgrnam(group); - if(g == NULL) - return GROUP_MISSING; - if(g->gr_mem[0] == NULL) - return GROUP_EMPTY; - for(i = 0; g->gr_mem[i] != NULL; i++) - if(strcmp(user, g->gr_mem[i]) == 0) - return GROUP_MEMBER; - return GROUP_NOT_MEMBER; -} - -static int -verify_unix(struct passwd *login, struct passwd *su) -{ - char prompt[128]; - char pw_buf[1024]; - char *pw; - int r; - if(su->pw_passwd != NULL && *su->pw_passwd != '\0') { - snprintf(prompt, sizeof(prompt), "%s's password: ", su->pw_name); - r = UI_UTIL_read_pw_string(pw_buf, sizeof(pw_buf), prompt, 0); - if(r != 0) - exit(0); - pw = crypt(pw_buf, su->pw_passwd); - memset_s(pw_buf, sizeof(pw_buf), 0, sizeof(pw_buf)); - if(strcmp(pw, su->pw_passwd) != 0) { - syslog (LOG_ERR | LOG_AUTH, "%s to %s: incorrect password", - login->pw_name, su->pw_name); - return 1; - } - } - /* if su:ing to root, check 
membership of group wheel or root; if - that group doesn't exist, or is empty, allow anyone to su - root */ - if(su->pw_uid == 0) { -#ifndef ROOT_GROUP -#define ROOT_GROUP "wheel" -#endif - int gs = group_member_p(ROOT_GROUP, login->pw_name); - if(gs == GROUP_NOT_MEMBER) { - syslog (LOG_ERR | LOG_AUTH, "%s to %s: not in group %s", - login->pw_name, su->pw_name, ROOT_GROUP); - return 1; - } - return 0; - } - return 0; -} - -int -main(int argc, char **argv) -{ - int i, optidx = 0; - char *su_user; - struct passwd *su_info; - struct passwd *login_info; - - struct passwd *pwd; - - char *shell; - - int ok = 0; - - setprogname (argv[0]); - - if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx)) - usage(1); - - for (i=0; i < optidx; i++) - if (strcmp(argv[i], "-") == 0) { - full_login = 1; - break; - } - - if(help_flag) - usage(0); - if(version_flag) { - print_version(NULL); - exit(0); - } - if(optidx >= argc) - su_user = "root"; - else - su_user = argv[optidx++]; - - if (geteuid() != 0) - warnx("Not setuid and you are not root, expect this to fail"); - - pwd = k_getpwnam(su_user); - if(pwd == NULL) - errx (1, "unknown login %s", su_user); - if (pwd->pw_uid == 0 && strcmp ("root", su_user) != 0) { - syslog (LOG_ALERT, "NIS attack, user %s has uid 0", su_user); - errx (1, "unknown login %s", su_user); - } - su_info = dup_info(pwd); - if (su_info == NULL) - errx (1, "malloc: out of memory"); - - pwd = getpwuid(getuid()); - if(pwd == NULL) - errx(1, "who are you?"); - login_info = dup_info(pwd); - if (login_info == NULL) - errx (1, "malloc: out of memory"); - if(env_flag) - shell = login_info->pw_shell; - else - shell = su_info->pw_shell; - if(shell == NULL || *shell == '\0') - shell = _PATH_BSHELL; - - -#ifdef KRB5 - if(kerberos_flag && ok == 0 && - krb5_verify(login_info, su_info, kerberos_instance) == 0) - ok = 5; -#endif - - if(ok == 0 && login_info->pw_uid && verify_unix(login_info, su_info) != 0) { - printf("Sorry!\n"); - exit(1); - } - -#ifdef 
HAVE_GETSPNAM - { struct spwd *sp; - long today; - - sp = getspnam(su_info->pw_name); - if (sp != NULL) { - today = time(0)/(24L * 60 * 60); - if (sp->sp_expire > 0) { - if (today >= sp->sp_expire) { - if (login_info->pw_uid) - errx(1,"Your account has expired."); - else - printf("Your account has expired."); - } - else if (sp->sp_expire - today < 14) - printf("Your account will expire in %d days.\n", - (int)(sp->sp_expire - today)); - } - if (sp->sp_max > 0) { - if (today >= sp->sp_lstchg + sp->sp_max) { - if (login_info->pw_uid) - errx(1,"Your password has expired. Choose a new one."); - else - printf("Your password has expired. Choose a new one."); - } - else if (today >= sp->sp_lstchg + sp->sp_max - sp->sp_warn) - printf("Your account will expire in %d days.\n", - (int)(sp->sp_lstchg + sp->sp_max -today)); - } - } - } -#endif - { - char *tty = ttyname (STDERR_FILENO); - if (tty) - syslog (LOG_NOTICE | LOG_AUTH, "%s to %s on %s", - login_info->pw_name, su_info->pw_name, tty); - else - syslog (LOG_NOTICE | LOG_AUTH, "%s to %s", - login_info->pw_name, su_info->pw_name); - } - - - if(!env_flag) { - if(full_login) { - char *t = getenv ("TERM"); - char **newenv = NULL; - int j; - - i = read_environment(_PATH_ETC_ENVIRONMENT, &newenv); - - environ = malloc ((10 + i) * sizeof (char *)); - if (environ == NULL) - err (1, "malloc"); - environ[0] = NULL; - - for (j = 0; j < i; j++) { - char *p = strchr(newenv[j], '='); - if (p == NULL) - errx(1, "enviroment '%s' missing '='", newenv[j]); - *p++ = 0; - esetenv (newenv[j], p, 1); - } - free(newenv); - - esetenv ("PATH", _PATH_DEFPATH, 1); - if (t) - esetenv ("TERM", t, 1); - if (chdir (su_info->pw_dir) < 0) - errx (1, "no directory"); - } - if (full_login || su_info->pw_uid) - esetenv ("USER", su_info->pw_name, 1); - esetenv("HOME", su_info->pw_dir, 1); - esetenv("SHELL", shell, 1); - } - - { - char **new_argv; - char *p; - - p = strrchr(shell, '/'); - if(p) - p++; - else - p = shell; - - if (strcmp(p, "csh") != 0) - 
csh_f_flag = 0; - - new_argv = malloc(((cmd ? 2 : 0) + 1 + argc - optidx + 1 + csh_f_flag) - * sizeof(*new_argv)); - if (new_argv == NULL) - err (1, "malloc"); - i = 0; - if(full_login) { - if (asprintf(&new_argv[i++], "-%s", p) == -1) - errx (1, "malloc"); - } else - new_argv[i++] = p; - if (cmd) { - new_argv[i++] = "-c"; - new_argv[i++] = cmd; - } - - if (csh_f_flag) - new_argv[i++] = "-f"; - - for (argv += optidx; *argv; ++argv) - new_argv[i++] = *argv; - new_argv[i] = NULL; - - if(setgid(su_info->pw_gid) < 0) - err(1, "setgid"); - if (initgroups (su_info->pw_name, su_info->pw_gid) < 0) - err (1, "initgroups"); - if(setuid(su_info->pw_uid) < 0 - || (su_info->pw_uid != 0 && setuid(0) == 0)) - err(1, "setuid"); - -#ifdef KRB5 - if (ok == 5) - krb5_start_session(); -#endif - execve(shell, new_argv, environ); - } - - exit(1); -} diff --git a/appl/su/supaths.h b/appl/su/supaths.h deleted file mode 100644 index 9e03a04e4..000000000 --- a/appl/su/supaths.h +++ /dev/null 
@@ -1,51 +0,0 @@
-/*
- * Copyright (c) 2007 Kungliga Tekniska Högskolan
- * (Royal Institute of Technology, Stockholm, Sweden).
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * 3. Neither the name of the Institute nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-/* $Id$ */
-
-#ifndef __SU_PATH_H
-#define __SU_PATH_H
-
-#ifndef _PATH_DEFPATH
-#define _PATH_DEFPATH "/usr/bin:/bin"
-#endif
-
-#ifndef _PATH_BSHELL
-#define _PATH_BSHELL "/bin/sh"
-#endif
-
-#ifndef _PATH_ETC_ENVIRONMENT
-#define _PATH_ETC_ENVIRONMENT SYSCONFDIR "/environment"
-#endif
-
-#endif /* __SU_PATH_H */
diff --git a/configure.ac b/configure.ac
index 35781d071..2f1bd686d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -664,7 +664,6 @@ AC_CONFIG_FILES(Makefile \
 appl/dbutils/Makefile \
 appl/gssmask/Makefile \
 appl/otp/Makefile \
- appl/su/Makefile \
 appl/test/Makefile \
 appl/kf/Makefile \
 appl/dceutils/Makefile \