[86] | 1 | /* |
---|
[87] | 2 | * $Source: /afs/dev.mit.edu/source/repository/athena/bin/login/login.c,v $ |
---|
[1975] | 3 | * $Header: /afs/dev.mit.edu/source/repository/athena/bin/login/login.c,v 1.25 1989-07-19 20:24:16 raeburn Exp $ |
---|
[87] | 4 | */ |
---|
| 5 | |
---|
| 6 | #ifndef lint |
---|
[1513] | 7 | static char *rcsid_login_c = |
---|
[1975] | 8 | "$Header: /afs/dev.mit.edu/source/repository/athena/bin/login/login.c,v 1.25 1989-07-19 20:24:16 raeburn Exp $"; |
---|
[1513] | 9 | #endif /* lint */ |
---|
[87] | 10 | |
---|
| 11 | /* |
---|
[86] | 12 | * Copyright (c) 1980 Regents of the University of California. |
---|
| 13 | * All rights reserved. The Berkeley software License Agreement |
---|
| 14 | * specifies the terms and conditions for redistribution. |
---|
| 15 | */ |
---|
| 16 | |
---|
| 17 | #ifndef lint |
---|
| 18 | char copyright[] = |
---|
| 19 | "@(#) Copyright (c) 1980 Regents of the University of California.\n\ |
---|
| 20 | All rights reserved.\n"; |
---|
| 21 | #endif not lint |
---|
| 22 | |
---|
| 23 | #ifndef lint |
---|
| 24 | static char sccsid[] = "@(#)login.c 5.15 (Berkeley) 4/12/86"; |
---|
| 25 | #endif not lint |
---|
| 26 | |
---|
| 27 | /* |
---|
| 28 | * login [ name ] |
---|
| 29 | * login -r hostname (for rlogind) |
---|
[692] | 30 | * login -k hostname (for Kerberos rlogind with password access) |
---|
| 31 | * login -K hostname (for Kerberos rlogind with restricted access) |
---|
[86] | 32 | * login -h hostname (for telnetd, etc.) |
---|
| 33 | */ |
---|
| 34 | |
---|
| 35 | #include <sys/param.h> |
---|
[692] | 36 | #ifndef VFS |
---|
[86] | 37 | #include <sys/quota.h> |
---|
[692] | 38 | #endif !VFS |
---|
[86] | 39 | #include <sys/stat.h> |
---|
| 40 | #include <sys/time.h> |
---|
| 41 | #include <sys/resource.h> |
---|
| 42 | #include <sys/file.h> |
---|
[692] | 43 | #include <sys/dir.h> |
---|
| 44 | #include <sys/wait.h> |
---|
[86] | 45 | |
---|
| 46 | #include <sgtty.h> |
---|
| 47 | #include <utmp.h> |
---|
| 48 | #include <signal.h> |
---|
| 49 | #include <pwd.h> |
---|
| 50 | #include <stdio.h> |
---|
| 51 | #include <lastlog.h> |
---|
| 52 | #include <errno.h> |
---|
| 53 | #include <ttyent.h> |
---|
| 54 | #include <syslog.h> |
---|
[692] | 55 | #include <strings.h> |
---|
| 56 | #include <krb.h> |
---|
| 57 | #include <netdb.h> |
---|
| 58 | #include <sys/types.h> |
---|
[742] | 59 | #include <netinet/in.h> |
---|
[86] | 60 | #include <grp.h> |
---|
[692] | 61 | typedef struct in_addr inaddr_t; |
---|
| 62 | #include <attach.h> |
---|
[86] | 63 | |
---|
| 64 | #define TTYGRPNAME "tty" /* name of group to own ttys */ |
---|
| 65 | #define TTYGID(gid) tty_gid(gid) /* gid that owns all ttys */ |
---|
| 66 | |
---|
| 67 | #define SCMPN(a, b) strncmp(a, b, sizeof(a)) |
---|
| 68 | #define SCPYN(a, b) strncpy(a, b, sizeof(a)) |
---|
| 69 | |
---|
| 70 | #define NMAX sizeof(utmp.ut_name) |
---|
| 71 | #define HMAX sizeof(utmp.ut_host) |
---|
| 72 | |
---|
| 73 | #define FALSE 0 |
---|
| 74 | #define TRUE -1 |
---|
| 75 | |
---|
[692] | 76 | #ifdef VFS |
---|
| 77 | #define QUOTAWARN "/usr/ucb/quota" /* warn user about quotas */ |
---|
| 78 | #endif VFS |
---|
| 79 | |
---|
| 80 | #ifndef KRB_REALM |
---|
| 81 | #define KRB_REALM "ATHENA.MIT.EDU" |
---|
| 82 | #endif |
---|
| 83 | |
---|
| 84 | #define KRB_ENVIRON "KRBTKFILE" /* Ticket file environment variable */ |
---|
| 85 | #define KRB_TK_DIR "/tmp/tkt_" /* Where to put the ticket */ |
---|
| 86 | #define KRBTKLIFETIME 96 /* 8 hours */ |
---|
| 87 | |
---|
| 88 | #define PROTOTYPE_DIR "/usr/prototype_user" /* Source for temp files */ |
---|
| 89 | #define TEMP_DIR_PERM 0755 /* Permission on temporary directories */ |
---|
| 90 | |
---|
| 91 | #define MAXPWSIZE 128 /* Biggest key getlongpass will return */ |
---|
| 92 | |
---|
| 93 | #define START_UID 200 /* start assigning arbitrary UID's here */ |
---|
| 94 | #define MIT_GID 101 /* standard primary group "mit" */ |
---|
| 95 | |
---|
| 96 | extern char *krb_err_txt[]; /* From libkrb */ |
---|
| 97 | |
---|
[86] | 98 | char nolog[] = "/etc/nologin"; |
---|
| 99 | char qlog[] = ".hushlogin"; |
---|
| 100 | char maildir[30] = "/usr/spool/mail/"; |
---|
| 101 | char lastlog[] = "/usr/adm/lastlog"; |
---|
[692] | 102 | char inhibit[] = "/etc/nocreate"; |
---|
| 103 | char noattach[] = "/etc/noattach"; |
---|
[757] | 104 | char go_register[] = "/usr/etc/go_register"; |
---|
[1513] | 105 | char get_motd[] = "/bin/athena/get_message"; |
---|
[692] | 106 | |
---|
| 107 | /* uid, gid, etc. used to be -1; guess what setreuid does with that --asp */ |
---|
| 108 | struct passwd nouser = {"", "nope", -2, -2, -2, "", "", "", "" }; |
---|
| 109 | |
---|
| 110 | struct passwd newuser = {"\0\0\0\0\0\0\0\0", "*", START_UID, MIT_GID, 0, |
---|
| 111 | NULL, NULL, "/mit/\0\0\0\0\0\0\0\0", NULL }; |
---|
| 112 | |
---|
[86] | 113 | struct sgttyb ttyb; |
---|
| 114 | struct utmp utmp; |
---|
| 115 | char minusnam[16] = "-"; |
---|
| 116 | char *envinit[] = { 0 }; /* now set by setenv calls */ |
---|
| 117 | /* |
---|
| 118 | * This bounds the time given to login. We initialize it here |
---|
| 119 | * so it can be patched on machines where it's too small. |
---|
| 120 | */ |
---|
| 121 | int timeout = 60; |
---|
| 122 | |
---|
| 123 | char term[64]; |
---|
| 124 | |
---|
| 125 | struct passwd *pwd; |
---|
[692] | 126 | struct passwd *hes_getpwnam(); |
---|
[86] | 127 | char *strcat(), *rindex(), *index(), *malloc(), *realloc(); |
---|
| 128 | int timedout(); |
---|
| 129 | char *ttyname(); |
---|
| 130 | char *crypt(); |
---|
[692] | 131 | char *getlongpass(); |
---|
[86] | 132 | char *stypeof(); |
---|
| 133 | extern char **environ; |
---|
| 134 | extern int errno; |
---|
| 135 | |
---|
| 136 | struct tchars tc = { |
---|
| 137 | CINTR, CQUIT, CSTART, CSTOP, CEOT, CBRK |
---|
| 138 | }; |
---|
| 139 | struct ltchars ltc = { |
---|
| 140 | CSUSP, CDSUSP, CRPRNT, CFLUSH, CWERASE, CLNEXT |
---|
| 141 | }; |
---|
| 142 | |
---|
| 143 | struct winsize win = { 0, 0, 0, 0 }; |
---|
| 144 | |
---|
[692] | 145 | int rflag=0; |
---|
| 146 | int kflag=0; |
---|
| 147 | int Kflag=0; |
---|
[86] | 148 | int usererr = -1; |
---|
[692] | 149 | int krbflag = FALSE; /* True if Kerberos-authenticated login */ |
---|
| 150 | int tmppwflag = FALSE; /* True if passwd entry is temporary */ |
---|
| 151 | int tmpdirflag = FALSE; /* True if home directory is temporary */ |
---|
| 152 | int inhibitflag = FALSE; /* inhibit account creation on the fly */ |
---|
| 153 | int attachable = FALSE; /* True if /etc/noattach doesn't exist */ |
---|
| 154 | int attachedflag = FALSE; /* True if homedir attached */ |
---|
[700] | 155 | int errorprtflag = FALSE; /* True if login error already printed */ |
---|
[86] | 156 | char rusername[NMAX+1], lusername[NMAX+1]; |
---|
| 157 | char rpassword[NMAX+1]; |
---|
| 158 | char name[NMAX+1]; |
---|
| 159 | char *rhost; |
---|
| 160 | |
---|
[692] | 161 | AUTH_DAT *kdata = (AUTH_DAT *)NULL; |
---|
| 162 | |
---|
| 163 | union wait waitstat; |
---|
| 164 | |
---|
[86] | 165 | main(argc, argv) |
---|
[692] | 166 | char *argv[]; |
---|
[86] | 167 | { |
---|
[692] | 168 | register char *namep; |
---|
| 169 | int pflag = 0, hflag = 0, t, f, c; |
---|
| 170 | int invalid, quietlog, forkval; |
---|
| 171 | FILE *nlfd; |
---|
| 172 | char *ttyn, *tty, saltc[2]; |
---|
| 173 | long salt; |
---|
| 174 | int ldisc = 0, zero = 0, found = 0, i; |
---|
| 175 | char **envnew; |
---|
[86] | 176 | |
---|
[692] | 177 | signal(SIGALRM, timedout); |
---|
| 178 | alarm(timeout); |
---|
| 179 | signal(SIGQUIT, SIG_IGN); |
---|
| 180 | signal(SIGINT, SIG_IGN); |
---|
| 181 | setpriority(PRIO_PROCESS, 0, 0); |
---|
| 182 | #ifndef VFS |
---|
| 183 | quota(Q_SETUID, 0, 0, 0); |
---|
| 184 | #endif !VFS |
---|
| 185 | /* |
---|
| 186 | * -p is used by getty to tell login not to destroy the environment |
---|
| 187 | * -r is used by rlogind to cause the autologin protocol; |
---|
| 188 | * -k is used by klogind to cause the Kerberos autologin protocol; |
---|
| 189 | * -K is used by klogind to cause the Kerberos autologin protocol with |
---|
| 190 | * restricted access.; |
---|
| 191 | * -h is used by other servers to pass the name of the |
---|
| 192 | * remote host to login so that it may be placed in utmp and wtmp |
---|
| 193 | */ |
---|
| 194 | while (argc > 1) { |
---|
| 195 | if (strcmp(argv[1], "-r") == 0) { |
---|
| 196 | if (rflag || kflag || Kflag || hflag) { |
---|
| 197 | printf("Only one of -r -k -K or -h allowed\n"); |
---|
| 198 | exit(1); |
---|
| 199 | } |
---|
[907] | 200 | if (argv[2] == 0) |
---|
| 201 | exit(1); |
---|
[692] | 202 | rflag = 1; |
---|
| 203 | usererr = doremotelogin(argv[2]); |
---|
| 204 | SCPYN(utmp.ut_host, argv[2]); |
---|
| 205 | argc -= 2; |
---|
| 206 | argv += 2; |
---|
| 207 | continue; |
---|
| 208 | } |
---|
| 209 | if (strcmp(argv[1], "-k") == 0) { |
---|
| 210 | if (rflag || kflag || Kflag || hflag) { |
---|
| 211 | printf("Only one of -r -k -K or -h allowed\n"); |
---|
[86] | 212 | exit(1); |
---|
| 213 | } |
---|
[692] | 214 | kflag = 1; |
---|
| 215 | usererr = doKerberosLogin(argv[2]); |
---|
[86] | 216 | SCPYN(utmp.ut_host, argv[2]); |
---|
| 217 | argc -= 2; |
---|
| 218 | argv += 2; |
---|
| 219 | continue; |
---|
| 220 | } |
---|
[692] | 221 | if (strcmp(argv[1], "-K") == 0) { |
---|
| 222 | if (rflag || kflag || Kflag || hflag) { |
---|
| 223 | printf("Only one of -r -k -K or -h allowed\n"); |
---|
[86] | 224 | exit(1); |
---|
| 225 | } |
---|
[692] | 226 | Kflag = 1; |
---|
| 227 | usererr = doKerberosLogin(argv[2]); |
---|
[86] | 228 | SCPYN(utmp.ut_host, argv[2]); |
---|
| 229 | argc -= 2; |
---|
| 230 | argv += 2; |
---|
| 231 | continue; |
---|
| 232 | } |
---|
[692] | 233 | if (strcmp(argv[1], "-h") == 0 && getuid() == 0) { |
---|
| 234 | if (rflag || kflag || Kflag || hflag) { |
---|
| 235 | printf("Only one of -r -k -K or -h allowed\n"); |
---|
| 236 | exit(1); |
---|
| 237 | } |
---|
| 238 | hflag = 1; |
---|
| 239 | SCPYN(utmp.ut_host, argv[2]); |
---|
| 240 | argc -= 2; |
---|
| 241 | argv += 2; |
---|
| 242 | continue; |
---|
[86] | 243 | } |
---|
[692] | 244 | if (strcmp(argv[1], "-p") == 0) { |
---|
| 245 | argc--; |
---|
| 246 | argv++; |
---|
| 247 | pflag = 1; |
---|
| 248 | continue; |
---|
| 249 | } |
---|
| 250 | break; |
---|
| 251 | } |
---|
| 252 | ioctl(0, TIOCLSET, &zero); |
---|
| 253 | ioctl(0, TIOCNXCL, 0); |
---|
| 254 | ioctl(0, FIONBIO, &zero); |
---|
| 255 | ioctl(0, FIOASYNC, &zero); |
---|
| 256 | ioctl(0, TIOCGETP, &ttyb); |
---|
| 257 | /* |
---|
| 258 | * If talking to an rlogin process, |
---|
| 259 | * propagate the terminal type and |
---|
| 260 | * baud rate across the network. |
---|
| 261 | */ |
---|
| 262 | if (rflag || kflag || Kflag) |
---|
| 263 | doremoteterm(term, &ttyb); |
---|
| 264 | ttyb.sg_erase = CERASE; |
---|
| 265 | ttyb.sg_kill = CKILL; |
---|
| 266 | ioctl(0, TIOCSLTC, <c); |
---|
| 267 | ioctl(0, TIOCSETC, &tc); |
---|
| 268 | ioctl(0, TIOCSETP, &ttyb); |
---|
| 269 | for (t = getdtablesize(); t > 2; t--) |
---|
| 270 | close(t); |
---|
| 271 | ttyn = ttyname(0); |
---|
| 272 | if (ttyn == (char *)0 || *ttyn == '\0') |
---|
| 273 | ttyn = "/dev/tty??"; |
---|
| 274 | tty = rindex(ttyn, '/'); |
---|
| 275 | if (tty == NULL) |
---|
| 276 | tty = ttyn; |
---|
| 277 | else |
---|
| 278 | tty++; |
---|
| 279 | openlog("login", LOG_ODELAY, LOG_AUTH); |
---|
| 280 | |
---|
| 281 | /* destroy environment unless user has asked to preserve it */ |
---|
| 282 | /* (Moved before passwd stuff by asp) */ |
---|
| 283 | if (!pflag) |
---|
| 284 | environ = envinit; |
---|
| 285 | |
---|
| 286 | /* set up environment, this time without destruction */ |
---|
| 287 | /* copy the environment before setenving */ |
---|
| 288 | i = 0; |
---|
| 289 | while (environ[i] != NULL) |
---|
| 290 | i++; |
---|
| 291 | envnew = (char **) malloc(sizeof (char *) * (i + 1)); |
---|
| 292 | for (; i >= 0; i--) |
---|
| 293 | envnew[i] = environ[i]; |
---|
| 294 | environ = envnew; |
---|
| 295 | |
---|
| 296 | t = 0; |
---|
| 297 | invalid = FALSE; |
---|
| 298 | inhibitflag = !access(inhibit,F_OK); |
---|
| 299 | attachable = access(noattach, F_OK); |
---|
| 300 | do { |
---|
[700] | 301 | errorprtflag = 0; |
---|
| 302 | ldisc = 0; |
---|
[692] | 303 | found = 0; |
---|
| 304 | ioctl(0, TIOCSETD, &ldisc); |
---|
| 305 | SCPYN(utmp.ut_name, ""); |
---|
[86] | 306 | /* |
---|
[692] | 307 | * Name specified, take it. |
---|
[86] | 308 | */ |
---|
[692] | 309 | if (argc > 1) { |
---|
| 310 | SCPYN(utmp.ut_name, argv[1]); |
---|
| 311 | argc = 0; |
---|
| 312 | } |
---|
| 313 | /* |
---|
| 314 | * If remote login take given name, |
---|
| 315 | * otherwise prompt user for something. |
---|
| 316 | */ |
---|
| 317 | if ((rflag || kflag || Kflag) && !invalid) { |
---|
| 318 | SCPYN(utmp.ut_name, lusername); |
---|
| 319 | if((pwd = getpwnam(lusername)) == NULL) { |
---|
| 320 | pwd = &nouser; |
---|
| 321 | found = 0; |
---|
| 322 | } else found = 1; |
---|
[907] | 323 | } else { |
---|
| 324 | found = getloginname(&utmp); |
---|
| 325 | if (utmp.ut_name[0] == '-') { |
---|
| 326 | puts("login names may not start with '-'."); |
---|
| 327 | invalid = TRUE; |
---|
| 328 | continue; |
---|
| 329 | } |
---|
| 330 | } |
---|
| 331 | |
---|
[86] | 332 | invalid = FALSE; |
---|
[692] | 333 | if (!strcmp(pwd->pw_shell, "/bin/csh")) { |
---|
| 334 | ldisc = NTTYDISC; |
---|
| 335 | ioctl(0, TIOCSETD, &ldisc); |
---|
| 336 | } |
---|
| 337 | /* |
---|
| 338 | * If no remote login authentication and |
---|
| 339 | * a password exists for this user, prompt |
---|
| 340 | * for one and verify it. |
---|
| 341 | */ |
---|
| 342 | if (usererr == -1 && *pwd->pw_passwd != '\0') { |
---|
| 343 | /* we need to be careful to overwrite the password once it has |
---|
| 344 | * been checked, so that it can't be recovered from a core image. |
---|
[86] | 345 | */ |
---|
| 346 | |
---|
[692] | 347 | char *pp, pp2[MAXPWSIZE+1]; |
---|
| 348 | int krbval; |
---|
| 349 | char tkfile[32]; |
---|
| 350 | char realm[REALM_SZ]; |
---|
| 351 | |
---|
| 352 | /* Set up the ticket file environment variable */ |
---|
| 353 | SCPYN(tkfile, KRB_TK_DIR); |
---|
| 354 | strncat(tkfile, rindex(ttyn, '/')+1, |
---|
| 355 | sizeof(tkfile) - strlen(tkfile)); |
---|
| 356 | (void) unlink (tkfile); |
---|
| 357 | setenv(KRB_ENVIRON, tkfile); |
---|
| 358 | |
---|
| 359 | setpriority(PRIO_PROCESS, 0, -4); |
---|
| 360 | pp = getlongpass("Password:"); |
---|
| 361 | |
---|
| 362 | if (!found) /* check if we can create an entry */ |
---|
| 363 | if (inhibitflag) |
---|
| 364 | invalid = TRUE; |
---|
| 365 | else /* we are allowed to create an entry */ |
---|
| 366 | pwd = &newuser; |
---|
| 367 | |
---|
| 368 | /* Modifications for Kerberos authentication -- asp */ |
---|
| 369 | SCPYN(pp2, pp); |
---|
| 370 | pp[8]='\0'; |
---|
| 371 | if (found) |
---|
| 372 | namep = crypt(pp, pwd->pw_passwd); |
---|
| 373 | else { |
---|
| 374 | salt = 9 * getpid(); |
---|
| 375 | saltc[0] = salt & 077; |
---|
| 376 | saltc[1] = (salt>>6) & 077; |
---|
| 377 | for (i=0;i<2;i++) { |
---|
| 378 | c = saltc[i] + '.'; |
---|
| 379 | if (c > '9') |
---|
| 380 | c += 7; |
---|
| 381 | if (c > 'Z') |
---|
| 382 | c += 6; |
---|
| 383 | saltc[i] = c; |
---|
| 384 | } |
---|
| 385 | pwd->pw_passwd = namep = crypt(pp, saltc); |
---|
| 386 | } |
---|
| 387 | |
---|
| 388 | bzero(pp, 8); /* No, Senator, I don't recall |
---|
| 389 | anything of that nature ... */ |
---|
| 390 | setpriority(PRIO_PROCESS, 0, 0); |
---|
| 391 | |
---|
| 392 | if (!invalid && (pwd->pw_uid != 0)) { |
---|
| 393 | /* if not root, get Kerberos tickets */ |
---|
| 394 | if(get_krbrlm(realm, 1) != KSUCCESS) { |
---|
| 395 | SCPYN(realm, KRB_REALM); |
---|
[86] | 396 | } |
---|
[692] | 397 | strncpy(lusername, utmp.ut_name, NMAX); |
---|
| 398 | lusername[NMAX] = '\0'; |
---|
| 399 | krbval = get_in_tkt(lusername, "", realm, |
---|
| 400 | "krbtgt", realm, KRBTKLIFETIME, pp2); |
---|
| 401 | bzero(pp2, MAXPWSIZE+1); /* Yes, he's senile. He doesn't know |
---|
| 402 | what his administration is doing */ |
---|
| 403 | switch (krbval) { |
---|
[1975] | 404 | case INTK_OK: |
---|
[906] | 405 | alarm(0); /* Authentic, so don't time out. */ |
---|
[1975] | 406 | if (verify_krb_tgt(realm) < 0) { |
---|
| 407 | /* Oops. He tried to fool us. Tsk, tsk. */ |
---|
| 408 | invalid = TRUE; |
---|
| 409 | goto leavethis; |
---|
| 410 | } |
---|
[692] | 411 | invalid = FALSE; |
---|
| 412 | krbflag = TRUE; |
---|
| 413 | if (!found) { |
---|
| 414 | /* create a password entry: first ask the nameserver */ |
---|
| 415 | /* to get us finger and shell info */ |
---|
| 416 | struct passwd *nspwd; |
---|
| 417 | if ((nspwd = hes_getpwnam(lusername)) != NULL) { |
---|
| 418 | pwd->pw_uid = nspwd->pw_uid; |
---|
| 419 | pwd->pw_gid = nspwd->pw_gid; |
---|
| 420 | pwd->pw_gecos = nspwd->pw_gecos; |
---|
| 421 | pwd->pw_shell = nspwd->pw_shell; |
---|
| 422 | } else { |
---|
| 423 | pwd->pw_uid = 200; |
---|
| 424 | pwd->pw_gid = MIT_GID; |
---|
| 425 | pwd->pw_gecos = ""; |
---|
| 426 | pwd->pw_shell = "/bin/csh"; |
---|
| 427 | } |
---|
| 428 | strncpy(pwd->pw_name, utmp.ut_name, NMAX); |
---|
| 429 | strncat(pwd->pw_dir, utmp.ut_name, NMAX); |
---|
| 430 | (void) insert_pwent(pwd); |
---|
| 431 | tmppwflag = TRUE; |
---|
| 432 | } |
---|
[1146] | 433 | chown(getenv(KRB_ENVIRON), pwd->pw_uid, pwd->pw_gid); |
---|
[692] | 434 | /* If we already have a homedir, use it. |
---|
| 435 | * Otherwise, try to attach. If that fails, |
---|
| 436 | * try to create. |
---|
| 437 | */ |
---|
| 438 | tmpdirflag = FALSE; |
---|
| 439 | if (!goodhomedir()) { |
---|
| 440 | if (attach_homedir()) { |
---|
[742] | 441 | puts("\nWarning: Unable to attach home directory."); |
---|
[692] | 442 | if (make_homedir() >= 0) { |
---|
[742] | 443 | puts("\nNOTE -- Your home directory is temporary."); |
---|
[692] | 444 | puts("It will be deleted when this workstation deactivates.\n"); |
---|
| 445 | tmpdirflag = TRUE; |
---|
| 446 | } |
---|
| 447 | else if (chdir("/") < 0) { |
---|
[742] | 448 | printf("No directory '/'!\n"); |
---|
[692] | 449 | invalid = TRUE; |
---|
| 450 | } else { |
---|
| 451 | puts("Can't find or build home directory! Logging in with home=/"); |
---|
| 452 | pwd->pw_dir = "/"; |
---|
| 453 | tmpdirflag = FALSE; |
---|
| 454 | } |
---|
| 455 | } |
---|
| 456 | else { |
---|
| 457 | attachedflag = TRUE; |
---|
| 458 | } |
---|
| 459 | } |
---|
[742] | 460 | else |
---|
| 461 | puts("\nWarning: Using local home directory."); |
---|
[692] | 462 | break; |
---|
| 463 | |
---|
| 464 | case KDC_NULL_KEY: |
---|
[906] | 465 | invalid = TRUE; |
---|
[692] | 466 | /* tell the luser to go register with kerberos */ |
---|
[690] | 467 | |
---|
[742] | 468 | if (found) |
---|
| 469 | goto good_anyway; |
---|
| 470 | |
---|
[692] | 471 | alarm(0); /* If we are changing password, |
---|
| 472 | he won't be logging in in this |
---|
| 473 | process anyway, so we can reset */ |
---|
[742] | 474 | |
---|
| 475 | (void) insert_pwent(pwd); |
---|
[692] | 476 | |
---|
| 477 | if (forkval = fork()) { /* parent */ |
---|
| 478 | if (forkval < 0) { |
---|
| 479 | perror("forking for registration program"); |
---|
| 480 | sleep(3); |
---|
[86] | 481 | exit(1); |
---|
[692] | 482 | } |
---|
| 483 | while(wait(0) != forkval); |
---|
[742] | 484 | remove_pwent(pwd); |
---|
[692] | 485 | exit(0); |
---|
[86] | 486 | } |
---|
[692] | 487 | /* run the passwd program as the user */ |
---|
| 488 | setuid(pwd->pw_uid); |
---|
| 489 | |
---|
| 490 | execl(go_register, go_register, lusername, 0); |
---|
| 491 | perror("executing registration program"); |
---|
| 492 | sleep(2); |
---|
| 493 | exit(1); |
---|
| 494 | /* These errors should be printed and are fatal */ |
---|
| 495 | case KDC_PR_UNKNOWN: |
---|
[742] | 496 | case KDC_PR_N_UNIQUE: |
---|
[906] | 497 | invalid = TRUE; |
---|
[742] | 498 | if (found) |
---|
| 499 | goto good_anyway; |
---|
[692] | 500 | case INTK_BADPW: |
---|
| 501 | invalid = TRUE; |
---|
[700] | 502 | errorprtflag = TRUE; |
---|
| 503 | fprintf(stderr, "%s\n", |
---|
[692] | 504 | krb_err_txt[krbval]); |
---|
[700] | 505 | goto leavethis; |
---|
[692] | 506 | /* These should be printed but are not fatal */ |
---|
[1975] | 507 | case INTK_W_NOTALL: |
---|
[692] | 508 | invalid = FALSE; |
---|
| 509 | krbflag = TRUE; |
---|
| 510 | fprintf(stderr, "Kerberos error: %s\n", |
---|
| 511 | krb_err_txt[krbval]); |
---|
[700] | 512 | goto leavethis; |
---|
[692] | 513 | default: |
---|
| 514 | fprintf(stderr, "Kerberos error: %s\n", |
---|
| 515 | krb_err_txt[krbval]); |
---|
| 516 | invalid = TRUE; |
---|
[700] | 517 | errorprtflag = TRUE; |
---|
| 518 | goto leavethis; |
---|
[86] | 519 | } |
---|
[692] | 520 | } else { /* root logging in or inhibited; check password */ |
---|
| 521 | bzero(pp2, MAXPWSIZE+1); /* Yes, he's senile. He doesn't know |
---|
| 522 | * what his administration is doing */ |
---|
| 523 | invalid = TRUE; |
---|
[700] | 524 | } |
---|
[692] | 525 | /* if password is good, user is good */ |
---|
[742] | 526 | good_anyway: |
---|
[692] | 527 | invalid = invalid && strcmp(namep, pwd->pw_passwd); |
---|
| 528 | } |
---|
[86] | 529 | |
---|
[700] | 530 | leavethis: |
---|
[692] | 531 | /* |
---|
| 532 | * If our uid < 0, we must be a bogus user. |
---|
| 533 | */ |
---|
| 534 | if(pwd->pw_uid < 0) invalid = TRUE; |
---|
| 535 | |
---|
| 536 | /* |
---|
| 537 | * If user not super-user, check for logins disabled. |
---|
| 538 | */ |
---|
[736] | 539 | if (pwd->pw_uid != 0 && (nlfd = fopen(nolog, "r")) != 0) { |
---|
[692] | 540 | while ((c = getc(nlfd)) != EOF) |
---|
| 541 | putchar(c); |
---|
| 542 | fflush(stdout); |
---|
| 543 | sleep(5); |
---|
| 544 | if (krbflag) |
---|
| 545 | (void) dest_tkt(); |
---|
| 546 | exit(0); |
---|
| 547 | } |
---|
| 548 | /* |
---|
| 549 | * If valid so far and root is logging in, |
---|
| 550 | * see if root logins on this terminal are permitted. |
---|
| 551 | */ |
---|
| 552 | if (!invalid && pwd->pw_uid == 0 && !rootterm(tty)) { |
---|
| 553 | if (utmp.ut_host[0]) |
---|
| 554 | syslog(LOG_CRIT, |
---|
| 555 | "ROOT LOGIN REFUSED ON %s FROM %.*s", |
---|
| 556 | tty, HMAX, utmp.ut_host); |
---|
| 557 | else |
---|
| 558 | syslog(LOG_CRIT, |
---|
| 559 | "ROOT LOGIN REFUSED ON %s", tty); |
---|
| 560 | invalid = TRUE; |
---|
| 561 | } |
---|
| 562 | if (invalid) { |
---|
[700] | 563 | if (!errorprtflag) |
---|
| 564 | printf("Login incorrect\n"); |
---|
[742] | 565 | if (++t >= 5) { |
---|
[692] | 566 | if (utmp.ut_host[0]) |
---|
| 567 | syslog(LOG_CRIT, |
---|
| 568 | "REPEATED LOGIN FAILURES ON %s FROM %.*s, %.*s", |
---|
| 569 | tty, HMAX, utmp.ut_host, |
---|
| 570 | NMAX, utmp.ut_name); |
---|
[86] | 571 | else |
---|
[692] | 572 | syslog(LOG_CRIT, |
---|
| 573 | "REPEATED LOGIN FAILURES ON %s, %.*s", |
---|
| 574 | tty, NMAX, utmp.ut_name); |
---|
| 575 | ioctl(0, TIOCHPCL, (struct sgttyb *) 0); |
---|
| 576 | close(0), close(1), close(2); |
---|
| 577 | sleep(10); |
---|
| 578 | exit(1); |
---|
| 579 | } |
---|
[86] | 580 | } |
---|
[692] | 581 | if (*pwd->pw_shell == '\0') |
---|
| 582 | pwd->pw_shell = "/bin/sh"; |
---|
| 583 | if (chdir(pwd->pw_dir) < 0 && !invalid ) { |
---|
| 584 | if (chdir("/") < 0) { |
---|
| 585 | printf("No directory!\n"); |
---|
| 586 | invalid = TRUE; |
---|
| 587 | } else { |
---|
| 588 | puts("No directory! Logging in with home=/\n"); |
---|
| 589 | pwd->pw_dir = "/"; |
---|
| 590 | } |
---|
[86] | 591 | } |
---|
[692] | 592 | /* |
---|
| 593 | * Remote login invalid must have been because |
---|
| 594 | * of a restriction of some sort, no extra chances. |
---|
| 595 | */ |
---|
| 596 | if (!usererr && invalid) |
---|
| 597 | exit(1); |
---|
[86] | 598 | |
---|
[692] | 599 | } while (invalid); |
---|
| 600 | /* committed to login turn off timeout */ |
---|
| 601 | alarm(0); |
---|
| 602 | |
---|
| 603 | if (tmppwflag) { |
---|
| 604 | remove_pwent(pwd); |
---|
| 605 | insert_pwent(pwd); |
---|
| 606 | } |
---|
| 607 | |
---|
| 608 | if (!krbflag) puts("Warning: no Kerberos tickets obtained."); |
---|
[700] | 609 | get_groups(); |
---|
[692] | 610 | #ifndef VFS |
---|
| 611 | if (quota(Q_SETUID, pwd->pw_uid, 0, 0) < 0 && errno != EINVAL) { |
---|
| 612 | if (errno == EUSERS) |
---|
| 613 | printf("%s.\n%s.\n", |
---|
| 614 | "Too many users logged on already", |
---|
| 615 | "Try again later"); |
---|
| 616 | else if (errno == EPROCLIM) |
---|
| 617 | printf("You have too many processes running.\n"); |
---|
| 618 | else |
---|
| 619 | perror("quota (Q_SETUID)"); |
---|
| 620 | sleep(5); |
---|
| 621 | if (krbflag) |
---|
| 622 | (void) dest_tkt(); |
---|
| 623 | exit(0); |
---|
| 624 | } |
---|
| 625 | #endif VFS |
---|
| 626 | time(&utmp.ut_time); |
---|
| 627 | t = ttyslot(); |
---|
| 628 | if (t > 0 && (f = open("/etc/utmp", O_WRONLY)) >= 0) { |
---|
| 629 | lseek(f, (long)(t*sizeof(utmp)), 0); |
---|
| 630 | SCPYN(utmp.ut_line, tty); |
---|
| 631 | write(f, (char *)&utmp, sizeof(utmp)); |
---|
| 632 | close(f); |
---|
| 633 | } |
---|
| 634 | if ((f = open("/usr/adm/wtmp", O_WRONLY|O_APPEND)) >= 0) { |
---|
| 635 | write(f, (char *)&utmp, sizeof(utmp)); |
---|
| 636 | close(f); |
---|
| 637 | } |
---|
| 638 | quietlog = access(qlog, F_OK) == 0; |
---|
| 639 | if ((f = open(lastlog, O_RDWR)) >= 0) { |
---|
| 640 | struct lastlog ll; |
---|
| 641 | |
---|
| 642 | lseek(f, (long)pwd->pw_uid * sizeof (struct lastlog), 0); |
---|
| 643 | if (read(f, (char *) &ll, sizeof ll) == sizeof ll && |
---|
| 644 | ll.ll_time != 0 && !quietlog) { |
---|
| 645 | printf("Last login: %.*s ", |
---|
| 646 | 24-5, (char *)ctime(&ll.ll_time)); |
---|
| 647 | if (*ll.ll_host != '\0') |
---|
| 648 | printf("from %.*s\n", |
---|
| 649 | sizeof (ll.ll_host), ll.ll_host); |
---|
| 650 | else |
---|
| 651 | printf("on %.*s\n", |
---|
| 652 | sizeof (ll.ll_line), ll.ll_line); |
---|
[86] | 653 | } |
---|
[692] | 654 | lseek(f, (long)pwd->pw_uid * sizeof (struct lastlog), 0); |
---|
| 655 | time(&ll.ll_time); |
---|
| 656 | SCPYN(ll.ll_line, tty); |
---|
| 657 | SCPYN(ll.ll_host, utmp.ut_host); |
---|
| 658 | write(f, (char *) &ll, sizeof ll); |
---|
| 659 | close(f); |
---|
| 660 | } |
---|
| 661 | chown(ttyn, pwd->pw_uid, TTYGID(pwd->pw_gid)); |
---|
[86] | 662 | |
---|
[692] | 663 | if (!hflag && !rflag && !pflag && !kflag && !Kflag) /* XXX */ |
---|
| 664 | ioctl(0, TIOCSWINSZ, &win); |
---|
| 665 | chmod(ttyn, 0620); |
---|
[86] | 666 | |
---|
[700] | 667 | init_wgfile(); |
---|
| 668 | |
---|
[692] | 669 | /* Fork so that we can call kdestroy, notification server */ |
---|
| 670 | dofork(); |
---|
| 671 | |
---|
| 672 | setgid(pwd->pw_gid); |
---|
| 673 | strncpy(name, utmp.ut_name, NMAX); |
---|
| 674 | name[NMAX] = '\0'; |
---|
| 675 | initgroups(name, pwd->pw_gid); |
---|
| 676 | #ifndef VFS |
---|
| 677 | quota(Q_DOWARN, pwd->pw_uid, (dev_t)-1, 0); |
---|
| 678 | #endif !VFS |
---|
[86] | 679 | |
---|
[692] | 680 | /* This call MUST succeed */ |
---|
| 681 | if(setuid(pwd->pw_uid) < 0) { |
---|
| 682 | perror("setuid"); |
---|
| 683 | if (krbflag) |
---|
| 684 | (void) dest_tkt(); |
---|
| 685 | exit(1); |
---|
| 686 | } |
---|
| 687 | |
---|
| 688 | setenv("HOME", pwd->pw_dir, 1); |
---|
| 689 | setenv("SHELL", pwd->pw_shell, 1); |
---|
| 690 | if (term[0] == '\0') |
---|
| 691 | strncpy(term, stypeof(tty), sizeof(term)); |
---|
| 692 | setenv("TERM", term, 0); |
---|
| 693 | setenv("USER", pwd->pw_name, 1); |
---|
| 694 | setenv("PATH", ":/usr/athena:/bin/athena:/usr/new:/usr/new/mh/bin:\ |
---|
| 695 | /usr/local:/usr/ucb:/bin:/usr/bin", 0); |
---|
| 696 | |
---|
| 697 | if ((namep = rindex(pwd->pw_shell, '/')) == NULL) |
---|
| 698 | namep = pwd->pw_shell; |
---|
| 699 | else |
---|
| 700 | namep++; |
---|
| 701 | strcat(minusnam, namep); |
---|
| 702 | if (tty[sizeof("tty")-1] == 'd') |
---|
| 703 | syslog(LOG_INFO, "DIALUP %s, %s", tty, pwd->pw_name); |
---|
| 704 | if (pwd->pw_uid == 0) |
---|
| 705 | if (utmp.ut_host[0]) |
---|
| 706 | if (kdata) { |
---|
| 707 | syslog(LOG_NOTICE, "ROOT LOGIN via Kerberos from %.*s", |
---|
| 708 | HMAX, utmp.ut_host); |
---|
| 709 | syslog(LOG_NOTICE, " (name=%s, instance=%s, realm=%s).", |
---|
| 710 | kdata->pname, kdata->pinst, kdata->prealm ); |
---|
| 711 | } else { |
---|
| 712 | syslog(LOG_NOTICE, "ROOT LOGIN %s FROM %.*s", |
---|
| 713 | tty, HMAX, utmp.ut_host); |
---|
| 714 | } |
---|
[86] | 715 | else |
---|
[692] | 716 | if (kdata) { |
---|
| 717 | syslog(LOG_NOTICE, "ROOT LOGIN via Kerberos %s ", tty); |
---|
| 718 | syslog(LOG_NOTICE, " (name=%s, instance=%s, realm=%s).", |
---|
| 719 | kdata->pname,kdata->pinst,kdata->prealm); |
---|
| 720 | } else { |
---|
| 721 | syslog(LOG_NOTICE, "ROOT LOGIN %s", tty); |
---|
| 722 | } |
---|
| 723 | if (!quietlog) { |
---|
| 724 | struct stat st; |
---|
[86] | 725 | |
---|
[692] | 726 | showmotd(); |
---|
| 727 | strcat(maildir, pwd->pw_name); |
---|
| 728 | if (stat(maildir, &st) == 0 && st.st_size != 0) |
---|
| 729 | printf("You have %smail.\n", |
---|
| 730 | (st.st_mtime > st.st_atime) ? "new " : ""); |
---|
| 731 | } |
---|
| 732 | #ifdef VFS |
---|
[732] | 733 | if (! access( QUOTAWARN, X_OK)) system(QUOTAWARN); |
---|
[692] | 734 | #endif VFS |
---|
| 735 | signal(SIGALRM, SIG_DFL); |
---|
| 736 | signal(SIGQUIT, SIG_DFL); |
---|
| 737 | signal(SIGINT, SIG_DFL); |
---|
| 738 | signal(SIGTSTP, SIG_IGN); |
---|
| 739 | execlp(pwd->pw_shell, minusnam, 0); |
---|
| 740 | perror(pwd->pw_shell); |
---|
| 741 | printf("No shell\n"); |
---|
| 742 | if (krbflag) |
---|
| 743 | (void) dest_tkt(); |
---|
| 744 | exit(0); |
---|
[86] | 745 | } |
---|
| 746 | |
---|
| 747 | getloginname(up) |
---|
| 748 | register struct utmp *up; |
---|
| 749 | { |
---|
| 750 | register char *namep; |
---|
[692] | 751 | int c; |
---|
[86] | 752 | |
---|
| 753 | while (up->ut_name[0] == '\0') { |
---|
| 754 | namep = up->ut_name; |
---|
| 755 | printf("login: "); |
---|
| 756 | while ((c = getchar()) != '\n') { |
---|
| 757 | if (c == ' ') |
---|
| 758 | c = '_'; |
---|
| 759 | if (c == EOF) |
---|
| 760 | exit(0); |
---|
| 761 | if (namep < up->ut_name+NMAX) |
---|
| 762 | *namep++ = c; |
---|
| 763 | } |
---|
| 764 | } |
---|
| 765 | strncpy(lusername, up->ut_name, NMAX); |
---|
| 766 | lusername[NMAX] = 0; |
---|
[692] | 767 | if((pwd = getpwnam(lusername)) == NULL) { |
---|
| 768 | pwd = &nouser; |
---|
| 769 | return(0); /* NOT FOUND */ |
---|
| 770 | } |
---|
| 771 | return(1); /* FOUND */ |
---|
[86] | 772 | } |
---|
| 773 | |
---|
| 774 | timedout() |
---|
| 775 | { |
---|
| 776 | |
---|
| 777 | printf("Login timed out after %d seconds\n", timeout); |
---|
| 778 | exit(0); |
---|
| 779 | } |
---|
| 780 | |
---|
| 781 | int stopmotd; |
---|
| 782 | catch() |
---|
| 783 | { |
---|
| 784 | |
---|
| 785 | signal(SIGINT, SIG_IGN); |
---|
| 786 | stopmotd++; |
---|
| 787 | } |
---|
| 788 | |
---|
| 789 | rootterm(tty) |
---|
| 790 | char *tty; |
---|
| 791 | { |
---|
| 792 | register struct ttyent *t; |
---|
| 793 | |
---|
| 794 | if ((t = getttynam(tty)) != NULL) { |
---|
| 795 | if (t->ty_status & TTY_SECURE) |
---|
| 796 | return (1); |
---|
| 797 | } |
---|
| 798 | return (0); |
---|
| 799 | } |
---|
| 800 | |
---|
| 801 | showmotd() |
---|
| 802 | { |
---|
| 803 | FILE *mf; |
---|
| 804 | register c; |
---|
[1077] | 805 | int forkval; |
---|
[86] | 806 | |
---|
| 807 | signal(SIGINT, catch); |
---|
[1077] | 808 | if (forkval = fork()) { /* parent */ |
---|
| 809 | if (forkval < 0) { |
---|
| 810 | perror("forking for motd service"); |
---|
| 811 | sleep(3); |
---|
| 812 | } |
---|
| 813 | else { |
---|
| 814 | while (wait(0) != forkval) |
---|
| 815 | ; |
---|
| 816 | } |
---|
[86] | 817 | } |
---|
[1077] | 818 | else { |
---|
[1513] | 819 | if ((mf = fopen("/etc/motd", "r")) != NULL) { |
---|
| 820 | while ((c = getc(mf)) != EOF && stopmotd == 0) |
---|
| 821 | putchar(c); |
---|
| 822 | fclose(mf); |
---|
| 823 | } |
---|
| 824 | if (execl(get_motd, get_motd, "-login", 0) < 0) { |
---|
| 825 | /* hide error code if any... */ |
---|
[1077] | 826 | exit(0); |
---|
| 827 | } |
---|
| 828 | } |
---|
[86] | 829 | signal(SIGINT, SIG_IGN); |
---|
| 830 | } |
---|
| 831 | |
---|
| 832 | #undef UNKNOWN |
---|
| 833 | #define UNKNOWN "su" |
---|
| 834 | |
---|
| 835 | char * |
---|
| 836 | stypeof(ttyid) |
---|
| 837 | char *ttyid; |
---|
| 838 | { |
---|
| 839 | register struct ttyent *t; |
---|
| 840 | |
---|
| 841 | if (ttyid == NULL || (t = getttynam(ttyid)) == NULL) |
---|
| 842 | return (UNKNOWN); |
---|
| 843 | return (t->ty_type); |
---|
| 844 | } |
---|
| 845 | |
---|
| 846 | doremotelogin(host) |
---|
| 847 | char *host; |
---|
| 848 | { |
---|
| 849 | getstr(rusername, sizeof (rusername), "remuser"); |
---|
| 850 | getstr(lusername, sizeof (lusername), "locuser"); |
---|
| 851 | getstr(term, sizeof(term), "Terminal type"); |
---|
| 852 | if (getuid()) { |
---|
| 853 | pwd = &nouser; |
---|
| 854 | return(-1); |
---|
| 855 | } |
---|
[692] | 856 | if((pwd = getpwnam(lusername)) == NULL) { |
---|
| 857 | pwd = &nouser; |
---|
| 858 | return(-1); |
---|
| 859 | } |
---|
| 860 | return(ruserok(host, (pwd->pw_uid == 0), rusername, lusername)); |
---|
| 861 | } |
---|
| 862 | |
---|
| 863 | doKerberosLogin(host) |
---|
| 864 | char *host; |
---|
| 865 | { |
---|
| 866 | int rc; |
---|
[1413] | 867 | struct hostent *hp = gethostbyname(host); |
---|
| 868 | struct sockaddr_in sin; |
---|
[692] | 869 | |
---|
[1413] | 870 | /* |
---|
| 871 | * Kerberos autologin protocol. |
---|
| 872 | */ |
---|
| 873 | |
---|
| 874 | (void) bzero(&sin, sizeof(sin)); |
---|
| 875 | |
---|
| 876 | if (hp) |
---|
| 877 | (void) bcopy (hp->h_addr, &sin.sin_addr, sizeof(sin.sin_addr)); |
---|
| 878 | else |
---|
| 879 | /* |
---|
| 880 | * No host addr prevents auth, so |
---|
| 881 | * punt krb and require password |
---|
| 882 | */ |
---|
| 883 | if (Kflag) { |
---|
| 884 | goto paranoid; |
---|
| 885 | } else { |
---|
| 886 | pwd = &nouser; |
---|
| 887 | return(-1); |
---|
| 888 | } |
---|
| 889 | |
---|
[692] | 890 | kdata = (AUTH_DAT *)malloc( sizeof(AUTH_DAT) ); |
---|
[1413] | 891 | if (rc=GetKerberosData(0, sin.sin_addr, kdata, "rcmd" )) { |
---|
[692] | 892 | printf("Kerberos rlogin failed: %s\r\n",krb_err_txt[rc]); |
---|
| 893 | if (Kflag) { |
---|
[1413] | 894 | paranoid: |
---|
[692] | 895 | /* |
---|
| 896 | * Paranoid hosts, such as a Kerberos server, specify the Klogind |
---|
| 897 | * daemon to disallow even password access here. |
---|
| 898 | */ |
---|
| 899 | printf("Sorry, you must have Kerberos authentication to access this host.\r\n"); |
---|
| 900 | exit(1); |
---|
| 901 | } |
---|
| 902 | } |
---|
| 903 | getstr(lusername, sizeof (lusername), "locuser"); |
---|
| 904 | getstr(term, sizeof(term), "Terminal type"); |
---|
| 905 | if (getuid()) { |
---|
| 906 | pwd = &nouser; |
---|
| 907 | return(-1); |
---|
| 908 | } |
---|
[86] | 909 | pwd = getpwnam(lusername); |
---|
| 910 | if (pwd == NULL) { |
---|
| 911 | pwd = &nouser; |
---|
| 912 | return(-1); |
---|
| 913 | } |
---|
[692] | 914 | |
---|
| 915 | /* |
---|
| 916 | * if Kerberos login failed because of an error in GetKerberosData, |
---|
| 917 | * return the indication of a bad attempt. User will be prompted |
---|
| 918 | * for a password. We CAN'T check the .rhost file, because we need |
---|
| 919 | * the remote username to do that, and the remote username is in the |
---|
| 920 | * Kerberos ticket. This affects ONLY the case where there is Kerberos |
---|
| 921 | * on both ends, but Kerberos fails on the server end. |
---|
| 922 | */ |
---|
| 923 | if (rc) { |
---|
| 924 | return(-1); |
---|
| 925 | } |
---|
| 926 | |
---|
| 927 | if (rc=kuserok(kdata,lusername)) { |
---|
| 928 | printf("login: %s has not given you permission to login without a password.\r\n",lusername); |
---|
| 929 | if (Kflag) { |
---|
| 930 | exit(1); |
---|
| 931 | } |
---|
| 932 | return(-1); |
---|
| 933 | } |
---|
| 934 | return(0); |
---|
| 935 | |
---|
[86] | 936 | } |
---|
| 937 | |
---|
| 938 | getstr(buf, cnt, err) |
---|
| 939 | char *buf; |
---|
| 940 | int cnt; |
---|
| 941 | char *err; |
---|
| 942 | { |
---|
| 943 | char c; |
---|
| 944 | |
---|
| 945 | do { |
---|
| 946 | if (read(0, &c, 1) != 1) |
---|
| 947 | exit(1); |
---|
| 948 | if (--cnt < 0) { |
---|
| 949 | printf("%s too long\r\n", err); |
---|
| 950 | exit(1); |
---|
| 951 | } |
---|
| 952 | *buf++ = c; |
---|
| 953 | } while (c != 0); |
---|
| 954 | } |
---|
| 955 | |
---|
| 956 | char *speeds[] = |
---|
| 957 | { "0", "50", "75", "110", "134", "150", "200", "300", |
---|
| 958 | "600", "1200", "1800", "2400", "4800", "9600", "19200", "38400" }; |
---|
| 959 | #define NSPEEDS (sizeof (speeds) / sizeof (speeds[0])) |
---|
| 960 | |
---|
| 961 | doremoteterm(term, tp) |
---|
| 962 | char *term; |
---|
| 963 | struct sgttyb *tp; |
---|
| 964 | { |
---|
| 965 | register char *cp = index(term, '/'), **cpp; |
---|
| 966 | char *speed; |
---|
| 967 | |
---|
| 968 | if (cp) { |
---|
| 969 | *cp++ = '\0'; |
---|
| 970 | speed = cp; |
---|
| 971 | cp = index(speed, '/'); |
---|
| 972 | if (cp) |
---|
| 973 | *cp++ = '\0'; |
---|
| 974 | for (cpp = speeds; cpp < &speeds[NSPEEDS]; cpp++) |
---|
| 975 | if (strcmp(*cpp, speed) == 0) { |
---|
| 976 | tp->sg_ispeed = tp->sg_ospeed = cpp-speeds; |
---|
| 977 | break; |
---|
| 978 | } |
---|
| 979 | } |
---|
| 980 | tp->sg_flags = ECHO|CRMOD|ANYP|XTABS; |
---|
| 981 | } |
---|
| 982 | |
---|
[692] | 983 | /* BEGIN TRASH |
---|
| 984 | * |
---|
| 985 | * This is here only long enough to get us by to the revised rlogin |
---|
| 986 | */ |
---|
| 987 | compatsiz(cp) |
---|
| 988 | char *cp; |
---|
| 989 | { |
---|
| 990 | struct winsize ws; |
---|
| 991 | |
---|
| 992 | ws.ws_row = ws.ws_col = -1; |
---|
| 993 | ws.ws_xpixel = ws.ws_ypixel = -1; |
---|
| 994 | if (cp) { |
---|
| 995 | ws.ws_row = atoi(cp); |
---|
| 996 | cp = index(cp, ','); |
---|
| 997 | if (cp == 0) |
---|
| 998 | goto done; |
---|
| 999 | ws.ws_col = atoi(++cp); |
---|
| 1000 | cp = index(cp, ','); |
---|
| 1001 | if (cp == 0) |
---|
| 1002 | goto done; |
---|
| 1003 | ws.ws_xpixel = atoi(++cp); |
---|
| 1004 | cp = index(cp, ','); |
---|
| 1005 | if (cp == 0) |
---|
| 1006 | goto done; |
---|
| 1007 | ws.ws_ypixel = atoi(++cp); |
---|
| 1008 | } |
---|
| 1009 | done: |
---|
| 1010 | if (ws.ws_row != -1 && ws.ws_col != -1 && |
---|
| 1011 | ws.ws_xpixel != -1 && ws.ws_ypixel != -1) |
---|
| 1012 | ioctl(0, TIOCSWINSZ, &ws); |
---|
| 1013 | } |
---|
| 1014 | /* END TRASH */ |
---|
| 1015 | |
---|
[86] | 1016 | /* |
---|
| 1017 | * Set the value of var to be arg in the Unix 4.2 BSD environment env. |
---|
[692] | 1018 | * Var should NOT end in '='; setenv inserts it. |
---|
[86] | 1019 | * (bindings are of the form "var=value") |
---|
| 1020 | * This procedure assumes the memory for the first level of environ |
---|
| 1021 | * was allocated using malloc. |
---|
| 1022 | */ |
---|
| 1023 | setenv(var, value, clobber) |
---|
| 1024 | char *var, *value; |
---|
| 1025 | { |
---|
| 1026 | extern char **environ; |
---|
| 1027 | int index = 0; |
---|
| 1028 | int varlen = strlen(var); |
---|
| 1029 | int vallen = strlen(value); |
---|
| 1030 | |
---|
| 1031 | for (index = 0; environ[index] != NULL; index++) { |
---|
| 1032 | if (strncmp(environ[index], var, varlen) == 0) { |
---|
| 1033 | /* found it */ |
---|
| 1034 | if (!clobber) |
---|
| 1035 | return; |
---|
[692] | 1036 | environ[index] = malloc(varlen + vallen + 2); |
---|
[86] | 1037 | strcpy(environ[index], var); |
---|
[692] | 1038 | strcat(environ[index], "="); |
---|
[86] | 1039 | strcat(environ[index], value); |
---|
| 1040 | return; |
---|
| 1041 | } |
---|
| 1042 | } |
---|
| 1043 | environ = (char **) realloc(environ, sizeof (char *) * (index + 2)); |
---|
| 1044 | if (environ == NULL) { |
---|
| 1045 | fprintf(stderr, "login: malloc out of memory\n"); |
---|
[692] | 1046 | if (krbflag) |
---|
| 1047 | (void) dest_tkt(); |
---|
[86] | 1048 | exit(1); |
---|
| 1049 | } |
---|
[692] | 1050 | environ[index] = malloc(varlen + vallen + 2); |
---|
[86] | 1051 | strcpy(environ[index], var); |
---|
[692] | 1052 | strcat(environ[index], "="); |
---|
[86] | 1053 | strcat(environ[index], value); |
---|
| 1054 | environ[++index] = NULL; |
---|
| 1055 | } |
---|
| 1056 | |
---|
[692] | 1057 | |
---|
| 1058 | /* |
---|
| 1059 | * This routine handles cleanup stuff, notification service, and the like. |
---|
| 1060 | * It exits only in the child process. |
---|
| 1061 | */ |
---|
| 1062 | dofork() |
---|
| 1063 | { |
---|
[1975] | 1064 | int child; |
---|
[692] | 1065 | |
---|
[742] | 1066 | if(!(child=fork())) |
---|
| 1067 | return; /* Child process */ |
---|
[692] | 1068 | |
---|
| 1069 | /* Setup stuff? This would be things we could do in parallel with login */ |
---|
| 1070 | chdir("/"); /* Let's not keep the fs busy... */ |
---|
| 1071 | |
---|
[700] | 1072 | |
---|
[692] | 1073 | /* If we're the parent, watch the child until it dies */ |
---|
[700] | 1074 | while(wait(0) != child) |
---|
| 1075 | ; |
---|
[692] | 1076 | |
---|
| 1077 | /* Cleanup stuff */ |
---|
| 1078 | |
---|
[1413] | 1079 | /* Send a SIGHUP to everything in the process group, but not us. |
---|
| 1080 | * Originally included to support Zephyr over rlogin/telnet |
---|
| 1081 | * connections, but it has some general use, since any personal |
---|
| 1082 | * daemon can setpgrp(0, getpgrp(getppid())) before forking to be |
---|
| 1083 | * sure of receiving a HUP when the user logs out. |
---|
| 1084 | * |
---|
| 1085 | * Note that we are assuming that the shell will set its process |
---|
| 1086 | * group to its process id. Our csh does, anyway, and there is no |
---|
| 1087 | * other way to reliably find out what that shell's pgrp is. |
---|
| 1088 | */ |
---|
| 1089 | signal(SIGHUP, SIG_IGN); |
---|
| 1090 | if(-1 == killpg(child, SIGHUP)) |
---|
| 1091 | { |
---|
| 1092 | /* EINVAL shouldn't happen (SIGHUP is a constant), |
---|
| 1093 | * ESRCH could, but we ignore it |
---|
| 1094 | * EPERM means something actually is wrong, so log it |
---|
| 1095 | * (in this case, the signal didn't get delivered but |
---|
| 1096 | * something might have wanted it...) |
---|
| 1097 | */ |
---|
| 1098 | if(errno == EPERM) |
---|
| 1099 | syslog(LOG_DEBUG, |
---|
| 1100 | "EPERM trying to kill login process group: child_pgrp %d", |
---|
| 1101 | child); |
---|
| 1102 | } |
---|
| 1103 | |
---|
[692] | 1104 | /* Run dest_tkt to destroy tickets */ |
---|
| 1105 | (void) dest_tkt(); /* If this fails, we lose quietly */ |
---|
| 1106 | |
---|
| 1107 | |
---|
| 1108 | /* Detach home directory if previously attached */ |
---|
| 1109 | if (attachedflag) |
---|
| 1110 | (void) detach_homedir(); |
---|
| 1111 | |
---|
| 1112 | if (tmppwflag) |
---|
| 1113 | if (remove_pwent(pwd)) |
---|
| 1114 | puts("Couldn't remove password entry"); |
---|
| 1115 | |
---|
| 1116 | /* Leave */ |
---|
| 1117 | exit(0); |
---|
| 1118 | } |
---|
| 1119 | |
---|
| 1120 | |
---|
[86] | 1121 | tty_gid(default_gid) |
---|
[692] | 1122 | int default_gid; |
---|
[86] | 1123 | { |
---|
[742] | 1124 | struct group *getgrnam(), *gr; |
---|
| 1125 | int gid = default_gid; |
---|
| 1126 | |
---|
| 1127 | gr = getgrnam(TTYGRPNAME); |
---|
| 1128 | if (gr != (struct group *) 0) |
---|
| 1129 | gid = gr->gr_gid; |
---|
[692] | 1130 | |
---|
[742] | 1131 | endgrent(); |
---|
[692] | 1132 | |
---|
[742] | 1133 | return (gid); |
---|
[692] | 1134 | } |
---|
[86] | 1135 | |
---|
[692] | 1136 | char * |
---|
| 1137 | getlongpass(prompt) |
---|
| 1138 | char *prompt; |
---|
| 1139 | { |
---|
| 1140 | struct sgttyb ttyb; |
---|
| 1141 | int flags; |
---|
| 1142 | register char *p; |
---|
| 1143 | register c; |
---|
| 1144 | FILE *fi; |
---|
| 1145 | static char pbuf[MAXPWSIZE+1]; |
---|
| 1146 | int (*signal())(); |
---|
| 1147 | int (*sig)(); |
---|
[86] | 1148 | |
---|
[692] | 1149 | if ((fi = fdopen(open("/dev/tty", 2), "r")) == NULL) |
---|
| 1150 | fi = stdin; |
---|
| 1151 | else |
---|
| 1152 | setbuf(fi, (char *)NULL); |
---|
| 1153 | sig = signal(SIGINT, SIG_IGN); |
---|
| 1154 | ioctl(fileno(fi), TIOCGETP, &ttyb); |
---|
| 1155 | flags = ttyb.sg_flags; |
---|
| 1156 | ttyb.sg_flags &= ~ECHO; |
---|
| 1157 | ioctl(fileno(fi), TIOCSETP, &ttyb); |
---|
| 1158 | fprintf(stderr, "%s", prompt); fflush(stderr); |
---|
| 1159 | for (p=pbuf; (c = getc(fi))!='\n' && c!=EOF;) { |
---|
| 1160 | if (p < &pbuf[MAXPWSIZE]) |
---|
| 1161 | *p++ = c; |
---|
| 1162 | } |
---|
| 1163 | *p = '\0'; |
---|
| 1164 | fprintf(stderr, "\n"); fflush(stderr); |
---|
| 1165 | ttyb.sg_flags = flags; |
---|
| 1166 | ioctl(fileno(fi), TIOCSETP, &ttyb); |
---|
| 1167 | signal(SIGINT, sig); |
---|
| 1168 | if (fi != stdin) |
---|
| 1169 | fclose(fi); |
---|
| 1170 | pbuf[MAXPWSIZE]='\0'; |
---|
| 1171 | return(pbuf); |
---|
| 1172 | } |
---|
[86] | 1173 | |
---|
[692] | 1174 | /* Attach the user's home directory if "attachable" is set. |
---|
| 1175 | */ |
---|
| 1176 | attach_homedir() |
---|
| 1177 | { |
---|
| 1178 | union wait status; |
---|
| 1179 | int attachpid; |
---|
| 1180 | |
---|
| 1181 | if (!attachable) |
---|
| 1182 | return (1); |
---|
[1453] | 1183 | chdir("/"); /* XXX This is a temproary hack to fix the |
---|
| 1184 | * fact that home directories sometimes do |
---|
| 1185 | * not get attached if the user types his |
---|
| 1186 | * password wrong the first time. Some how |
---|
| 1187 | * working direcotyr becomes the users home |
---|
| 1188 | * directory BEFORE we try to attach. and it |
---|
| 1189 | * of course fails. |
---|
| 1190 | */ |
---|
| 1191 | |
---|
[692] | 1192 | if (!(attachpid = fork())) { |
---|
| 1193 | setuid(pwd->pw_uid); |
---|
| 1194 | freopen("/dev/null","w",stdout); |
---|
[1462] | 1195 | execl("/bin/athena/attach","attach","-q", lusername,0); |
---|
[692] | 1196 | exit (-1); |
---|
| 1197 | } |
---|
| 1198 | while (wait(&status) != attachpid) |
---|
| 1199 | ; |
---|
[789] | 1200 | if (status.w_retcode == ATTACH_OK || |
---|
| 1201 | status.w_retcode == ATTACH_ERR_ATTACHED) { |
---|
[692] | 1202 | chown(pwd->pw_dir, pwd->pw_uid, pwd->pw_gid); |
---|
| 1203 | chdir(pwd->pw_dir); |
---|
| 1204 | return (0); |
---|
| 1205 | } |
---|
| 1206 | return (1); |
---|
| 1207 | } |
---|
| 1208 | |
---|
| 1209 | /* Detach the user's home directory */ |
---|
| 1210 | detach_homedir() |
---|
| 1211 | { |
---|
| 1212 | union wait status; |
---|
[1975] | 1213 | int pid; |
---|
[692] | 1214 | |
---|
| 1215 | #ifdef notdef |
---|
[1975] | 1216 | int i; |
---|
| 1217 | char *level; |
---|
[692] | 1218 | for (i=0;i<3;i++) { |
---|
| 1219 | #endif |
---|
| 1220 | if (!(pid = fork())) { |
---|
| 1221 | setuid(pwd->pw_uid); |
---|
| 1222 | freopen("/dev/null","w",stdout); |
---|
| 1223 | freopen("/dev/null","w",stderr); |
---|
| 1224 | execl("/bin/athena/detach","detach",lusername,0); |
---|
| 1225 | exit (-1); |
---|
| 1226 | } |
---|
| 1227 | while (wait(&status) != pid) |
---|
| 1228 | ; |
---|
| 1229 | #ifdef notdef |
---|
[789] | 1230 | if (status.w_retcode == DETACH_OK) |
---|
[692] | 1231 | return; |
---|
| 1232 | level = "1"; |
---|
| 1233 | if (i == 1) |
---|
| 1234 | level = "9"; |
---|
| 1235 | if (i == 2) |
---|
| 1236 | level = "9"; |
---|
| 1237 | printf("Killing processes using %s with signal %s\n", |
---|
| 1238 | pwd->pw_dir,level); |
---|
| 1239 | if (!(pid = fork())) { |
---|
| 1240 | freopen("/dev/null","w",stdout); |
---|
| 1241 | freopen("/dev/null","w",stderr); |
---|
| 1242 | execl("/etc/athena/ofiles","ofiles","-k", |
---|
| 1243 | level,pwd->pw_dir,0); |
---|
| 1244 | exit (-1); |
---|
| 1245 | } |
---|
| 1246 | while (wait(0) != pid) |
---|
| 1247 | ; |
---|
| 1248 | } |
---|
| 1249 | #endif notdef |
---|
| 1250 | return; |
---|
| 1251 | #ifdef notdef |
---|
| 1252 | printf("Couldn't detach home directory!\n"); |
---|
| 1253 | #endif notdef |
---|
[86] | 1254 | } |
---|
[692] | 1255 | |
---|
[789] | 1256 | isremotedir(dname) |
---|
| 1257 | char *dname; |
---|
| 1258 | { |
---|
| 1259 | int fh, c; |
---|
| 1260 | |
---|
| 1261 | /* |
---|
| 1262 | * The following lines rely on the |
---|
| 1263 | * behavior of Sun's NFS (present in 3.0 and 3.2) |
---|
| 1264 | * which causes a read on an NFS directory (actually any non-reg file) |
---|
| 1265 | * to return -1 with errno set to EISDIR. |
---|
| 1266 | * |
---|
| 1267 | * This is a fast, cheap way to discover whether a user's |
---|
| 1268 | * homedir is a remote NFS filesystem. Naturally, if the NFS semantics |
---|
| 1269 | * change, this must also change. |
---|
| 1270 | * |
---|
| 1271 | * We return 1 if it is any remote filesystem so that the |
---|
| 1272 | * attach_homedir command will run again (sending an "nfsid map" |
---|
| 1273 | * command and cleaning up attachtab, if it happens to be out of sync.) |
---|
| 1274 | * |
---|
| 1275 | * Might want to handle RVD filesystems at some point... |
---|
| 1276 | */ |
---|
| 1277 | |
---|
| 1278 | fh = open(dname, O_RDONLY); |
---|
| 1279 | if (fh < 0) |
---|
| 1280 | return(0); |
---|
| 1281 | if (read(fh, &c, 1) < 0 && errno == EISDIR) { |
---|
| 1282 | close(fh); |
---|
| 1283 | return(1); |
---|
| 1284 | } |
---|
| 1285 | close(fh); |
---|
| 1286 | return(0); |
---|
| 1287 | } |
---|
| 1288 | |
---|
[692] | 1289 | goodhomedir() |
---|
| 1290 | { |
---|
| 1291 | DIR *dp; |
---|
| 1292 | |
---|
| 1293 | if (access(pwd->pw_dir,F_OK)) |
---|
| 1294 | return (0); |
---|
[789] | 1295 | |
---|
| 1296 | if (isremotedir(pwd->pw_dir)) |
---|
| 1297 | return(0); |
---|
| 1298 | |
---|
[692] | 1299 | dp = opendir(pwd->pw_dir); |
---|
| 1300 | if (!dp) |
---|
| 1301 | return (0); |
---|
| 1302 | readdir(dp); |
---|
| 1303 | readdir(dp); |
---|
| 1304 | if (readdir(dp)) { |
---|
| 1305 | closedir(dp); |
---|
| 1306 | return (1); |
---|
| 1307 | } |
---|
| 1308 | closedir(dp); |
---|
| 1309 | return (0); |
---|
| 1310 | } |
---|
| 1311 | |
---|
| 1312 | /* |
---|
| 1313 | * Make a home directory, copying over files from PROTOTYPE_DIR. |
---|
| 1314 | * Ownership and group will be set to the user's uid and gid. Default |
---|
| 1315 | * permission is TEMP_DIR_PERM. Returns 0 on success, -1 on failure. |
---|
| 1316 | */ |
---|
| 1317 | make_homedir() |
---|
| 1318 | { |
---|
| 1319 | DIR *proto; |
---|
| 1320 | struct direct *dp; |
---|
| 1321 | char tempname[MAXPATHLEN+1]; |
---|
| 1322 | char buf[MAXBSIZE]; |
---|
| 1323 | struct stat statbuf; |
---|
| 1324 | int fold, fnew; |
---|
| 1325 | int n; |
---|
| 1326 | extern int errno; |
---|
| 1327 | |
---|
| 1328 | if (inhibitflag) |
---|
| 1329 | return (-1); |
---|
| 1330 | |
---|
| 1331 | strcpy(pwd->pw_dir,"/tmp/"); |
---|
| 1332 | strcat(pwd->pw_dir,lusername); |
---|
[906] | 1333 | setenv("TMPHOME", "", 1); |
---|
[692] | 1334 | /* Make the home dir and chdir to it */ |
---|
| 1335 | unlink(pwd->pw_dir); |
---|
| 1336 | if(mkdir(pwd->pw_dir) < 0) { |
---|
| 1337 | if (errno == EEXIST) |
---|
| 1338 | return (0); |
---|
| 1339 | else |
---|
| 1340 | return(-1); |
---|
| 1341 | } |
---|
| 1342 | chown(pwd->pw_dir, pwd->pw_uid, pwd->pw_gid); |
---|
| 1343 | chmod(pwd->pw_dir, TEMP_DIR_PERM); |
---|
| 1344 | chdir(pwd->pw_dir); |
---|
| 1345 | |
---|
| 1346 | /* Copy over the proto files */ |
---|
| 1347 | if((proto = opendir(PROTOTYPE_DIR)) == NULL) { |
---|
| 1348 | puts("Can't open prototype directory!"); |
---|
| 1349 | unlink(pwd->pw_dir); |
---|
| 1350 | return(-1); |
---|
| 1351 | } |
---|
| 1352 | |
---|
| 1353 | for(dp = readdir(proto); dp != NULL; dp = readdir(proto)) { |
---|
| 1354 | /* Don't try to copy . or .. */ |
---|
| 1355 | if(!strcmp(dp->d_name, ".") || !strcmp(dp->d_name, "..")) continue; |
---|
| 1356 | |
---|
| 1357 | /* Copy the file */ |
---|
| 1358 | SCPYN(tempname, PROTOTYPE_DIR); |
---|
| 1359 | strcat(tempname, "/"); |
---|
| 1360 | strncat(tempname, dp->d_name, sizeof(tempname) - strlen(tempname) - 1); |
---|
| 1361 | if(stat(tempname, &statbuf) < 0) { |
---|
| 1362 | perror(tempname); |
---|
| 1363 | continue; |
---|
| 1364 | } |
---|
| 1365 | /* Only copy plain files */ |
---|
| 1366 | if(!(statbuf.st_mode & S_IFREG)) continue; |
---|
| 1367 | |
---|
| 1368 | /* Try to open the source file */ |
---|
| 1369 | if((fold = open(tempname, O_RDONLY, 0)) < 0) { |
---|
| 1370 | perror(tempname); |
---|
| 1371 | continue; |
---|
| 1372 | } |
---|
| 1373 | |
---|
| 1374 | /* Open the destination file */ |
---|
| 1375 | if((fnew = open(dp->d_name, O_WRONLY|O_CREAT|O_EXCL, |
---|
| 1376 | statbuf.st_mode)) < 0) { |
---|
| 1377 | perror(dp->d_name); |
---|
| 1378 | continue; |
---|
| 1379 | } |
---|
| 1380 | |
---|
| 1381 | /* Change the ownership */ |
---|
| 1382 | fchown(fnew, pwd->pw_uid, pwd->pw_gid); |
---|
| 1383 | |
---|
| 1384 | /* Do the copy */ |
---|
| 1385 | for (;;) { |
---|
| 1386 | n = read(fold, buf, sizeof buf); |
---|
| 1387 | if(n==0) break; |
---|
| 1388 | if(n<0) { |
---|
| 1389 | perror(tempname); |
---|
| 1390 | break; |
---|
| 1391 | } |
---|
| 1392 | if (write(fnew, buf, n) != n) { |
---|
| 1393 | perror(dp->d_name); |
---|
| 1394 | break; |
---|
| 1395 | } |
---|
| 1396 | } |
---|
| 1397 | close(fnew); |
---|
| 1398 | close(fold); |
---|
| 1399 | } |
---|
| 1400 | return(0); |
---|
| 1401 | } |
---|
| 1402 | |
---|
| 1403 | insert_pwent(pwd) |
---|
| 1404 | struct passwd *pwd; |
---|
| 1405 | { |
---|
| 1406 | FILE *pfile; |
---|
[700] | 1407 | int cnt; |
---|
[692] | 1408 | |
---|
| 1409 | while (getpwuid(pwd->pw_uid)) |
---|
| 1410 | (pwd->pw_uid)++; |
---|
| 1411 | |
---|
[700] | 1412 | cnt = 10; |
---|
| 1413 | while (!access("/etc/ptmp",0) && --cnt) |
---|
[692] | 1414 | sleep(1); |
---|
[700] | 1415 | unlink("/etc/ptmp"); |
---|
[692] | 1416 | |
---|
| 1417 | if((pfile=fopen("/etc/passwd", "a")) != NULL) { |
---|
| 1418 | fprintf(pfile, "%s:%s:%d:%d:%s:%s:%s\n", |
---|
| 1419 | pwd->pw_name, |
---|
| 1420 | pwd->pw_passwd, |
---|
| 1421 | pwd->pw_uid, |
---|
| 1422 | pwd->pw_gid, |
---|
| 1423 | pwd->pw_gecos, |
---|
| 1424 | pwd->pw_dir, |
---|
| 1425 | pwd->pw_shell); |
---|
| 1426 | fclose(pfile); |
---|
| 1427 | } |
---|
| 1428 | } |
---|
| 1429 | |
---|
| 1430 | remove_pwent(pwd) |
---|
| 1431 | struct passwd *pwd; |
---|
| 1432 | { |
---|
| 1433 | FILE *newfile; |
---|
| 1434 | struct passwd *copypw; |
---|
[700] | 1435 | int cnt; |
---|
[692] | 1436 | |
---|
[700] | 1437 | cnt = 10; |
---|
| 1438 | while (!access("/etc/ptmp",0) && --cnt) |
---|
[692] | 1439 | sleep(1); |
---|
[700] | 1440 | unlink("/etc/ptmp"); |
---|
[692] | 1441 | |
---|
| 1442 | if ((newfile = fopen("/etc/ptmp", "w")) != NULL) { |
---|
| 1443 | setpwent(); |
---|
| 1444 | while ((copypw = getpwent()) != 0) |
---|
| 1445 | if (copypw->pw_uid != pwd->pw_uid) |
---|
| 1446 | fprintf(newfile, "%s:%s:%d:%d:%s:%s:%s\n", |
---|
| 1447 | copypw->pw_name, |
---|
| 1448 | copypw->pw_passwd, |
---|
| 1449 | copypw->pw_uid, |
---|
| 1450 | copypw->pw_gid, |
---|
| 1451 | copypw->pw_gecos, |
---|
| 1452 | copypw->pw_dir, |
---|
| 1453 | copypw->pw_shell); |
---|
| 1454 | endpwent(); |
---|
| 1455 | fclose(newfile); |
---|
| 1456 | rename("/etc/ptmp", "/etc/passwd"); |
---|
| 1457 | return(0); |
---|
| 1458 | } else return(1); |
---|
| 1459 | } |
---|
[700] | 1460 | |
---|
| 1461 | get_groups() |
---|
| 1462 | { |
---|
| 1463 | FILE *grin,*grout; |
---|
| 1464 | char **cp,grbuf[4096],*ptr,*pwptr,*numptr,*lstptr,**grname,**grnum; |
---|
| 1465 | char grlst[4096],grtmp[4096],*tmpptr; |
---|
| 1466 | int ngroups,i,cnt; |
---|
| 1467 | |
---|
[701] | 1468 | if (inhibitflag) |
---|
[700] | 1469 | return; |
---|
| 1470 | |
---|
| 1471 | cp = (char **)hes_resolve(pwd->pw_name,"grplist"); |
---|
| 1472 | if (!cp || !*cp) |
---|
| 1473 | return; |
---|
| 1474 | |
---|
| 1475 | cnt = 10; |
---|
| 1476 | while (!access("/etc/gtmp",0) && --cnt) |
---|
| 1477 | sleep(1); |
---|
| 1478 | unlink("/etc/gtmp"); |
---|
| 1479 | |
---|
| 1480 | grin = fopen("/etc/group","r"); |
---|
| 1481 | if (!grin) { |
---|
| 1482 | fprintf(stderr,"Can't open /etc/group!\n"); |
---|
| 1483 | return; |
---|
| 1484 | } |
---|
| 1485 | grout = fopen("/etc/gtmp","w"); |
---|
| 1486 | if (!grout) { |
---|
| 1487 | fprintf(stderr,"Can't open /etc/gtmp!\n"); |
---|
| 1488 | fclose(grin); |
---|
| 1489 | return; |
---|
| 1490 | } |
---|
| 1491 | |
---|
| 1492 | ngroups = 0; |
---|
| 1493 | for (ptr=cp[0];*ptr;ptr++) |
---|
| 1494 | if (*ptr == ':') |
---|
| 1495 | ngroups++; |
---|
| 1496 | |
---|
| 1497 | ngroups = (ngroups+1)/2; |
---|
| 1498 | |
---|
| 1499 | if (ngroups > NGROUPS-1) |
---|
| 1500 | ngroups = NGROUPS-1; |
---|
| 1501 | |
---|
| 1502 | grname = (char **)malloc(ngroups * sizeof(char *)); |
---|
| 1503 | if (!grname) { |
---|
| 1504 | fprintf(stderr,"Out of memory!\n"); |
---|
| 1505 | fclose(grin); |
---|
| 1506 | fclose(grout); |
---|
| 1507 | unlink("/etc/gtmp"); |
---|
| 1508 | return; |
---|
| 1509 | } |
---|
| 1510 | |
---|
| 1511 | grnum = (char **)malloc(ngroups * sizeof(char *)); |
---|
| 1512 | if (!grnum) { |
---|
| 1513 | fprintf(stderr,"Out of memory!\n"); |
---|
| 1514 | fclose(grin); |
---|
| 1515 | fclose(grout); |
---|
| 1516 | unlink("/etc/gtmp"); |
---|
| 1517 | return; |
---|
| 1518 | } |
---|
| 1519 | |
---|
| 1520 | for (i=0,ptr=cp[0];i<ngroups;i++) { |
---|
| 1521 | grname[i] = ptr; |
---|
| 1522 | ptr = (char *)index(ptr,':'); |
---|
| 1523 | if (!ptr) { |
---|
| 1524 | fprintf(stderr,"Internal failure while initializing groups\n"); |
---|
| 1525 | fclose(grin); |
---|
| 1526 | fclose(grout); |
---|
| 1527 | free(grname); |
---|
| 1528 | free(grnum); |
---|
| 1529 | unlink("/etc/gtmp"); |
---|
| 1530 | return; |
---|
| 1531 | } |
---|
| 1532 | *ptr++ = '\0'; |
---|
| 1533 | grnum[i] = ptr; |
---|
| 1534 | ptr = (char *)index(ptr,':'); |
---|
| 1535 | if (!ptr) |
---|
| 1536 | ptr = grnum[i]+strlen(grnum[i]); |
---|
| 1537 | *ptr++ = '\0'; |
---|
| 1538 | } |
---|
| 1539 | |
---|
[736] | 1540 | while (fgets(grbuf,sizeof grbuf,grin) != 0) { |
---|
[700] | 1541 | if (!*grbuf) |
---|
| 1542 | break; |
---|
| 1543 | grbuf[strlen(grbuf)-1] = '\0'; |
---|
| 1544 | pwptr = (char *)index(grbuf,':'); |
---|
| 1545 | if (!pwptr) |
---|
| 1546 | continue; |
---|
| 1547 | *pwptr++ = '\0'; |
---|
| 1548 | numptr = (char *)index(pwptr,':'); |
---|
| 1549 | if (!numptr) |
---|
| 1550 | continue; |
---|
| 1551 | *numptr++ = '\0'; |
---|
| 1552 | lstptr = (char *)index(numptr,':'); |
---|
| 1553 | if (!lstptr) |
---|
| 1554 | continue; |
---|
| 1555 | *lstptr++ = '\0'; |
---|
| 1556 | strcpy(grlst,lstptr); |
---|
| 1557 | for (i=0;i<ngroups;i++) { |
---|
| 1558 | if (strcmp(grname[i],grbuf)) |
---|
| 1559 | continue; |
---|
| 1560 | lstptr = grlst; |
---|
| 1561 | while (lstptr) { |
---|
| 1562 | strcpy(grtmp,lstptr); |
---|
| 1563 | tmpptr = (char *)index(grtmp,','); |
---|
| 1564 | if (tmpptr) |
---|
| 1565 | *tmpptr = '\0'; |
---|
[714] | 1566 | if (!strcmp(grtmp,pwd->pw_name)) { |
---|
| 1567 | grname[i] = "*"; |
---|
[700] | 1568 | break; |
---|
[714] | 1569 | } |
---|
[700] | 1570 | lstptr = (char *)index(lstptr,','); |
---|
| 1571 | if (lstptr) |
---|
| 1572 | lstptr++; |
---|
| 1573 | } |
---|
| 1574 | if (lstptr) |
---|
| 1575 | break; |
---|
| 1576 | strcat(grlst,","); |
---|
| 1577 | strcat(grlst,pwd->pw_name); |
---|
| 1578 | grname[i] = "*"; |
---|
| 1579 | break; |
---|
| 1580 | } |
---|
| 1581 | fprintf(grout,"%s:%s:%s:%s\n",grbuf,pwptr,numptr,grlst); |
---|
| 1582 | } |
---|
| 1583 | |
---|
| 1584 | for (i=0;i<ngroups;i++) |
---|
| 1585 | if (strcmp(grname[i],"*")) |
---|
| 1586 | fprintf(grout,"%s:%s:%s:%s\n",grname[i],"*", |
---|
| 1587 | grnum[i],pwd->pw_name); |
---|
| 1588 | |
---|
| 1589 | fclose(grin); |
---|
| 1590 | fclose(grout); |
---|
| 1591 | rename("/etc/gtmp","/etc/group"); |
---|
| 1592 | unlink("/etc/gtmp"); |
---|
| 1593 | free(grname); |
---|
| 1594 | free(grnum); |
---|
| 1595 | } |
---|
| 1596 | |
---|
| 1597 | init_wgfile() |
---|
| 1598 | { |
---|
| 1599 | char *wgfile; |
---|
| 1600 | |
---|
| 1601 | wgfile = "/tmp/wg.XXXXXX"; |
---|
| 1602 | |
---|
| 1603 | mktemp(wgfile); |
---|
| 1604 | |
---|
| 1605 | setenv("WGFILE",wgfile,1); |
---|
| 1606 | } |
---|
[1975] | 1607 | |
---|
| 1608 | /* |
---|
| 1609 | * Verify the Kerberos ticket-granting ticket just retrieved for the |
---|
| 1610 | * user. If the Kerberos server doesn't respond, assume the user is |
---|
| 1611 | * trying to fake us out (since we DID just get a TGT from what is |
---|
| 1612 | * supposedly our KDC). If the rcmd.<host> service is unknown (i.e., |
---|
| 1613 | * the local /etc/srvtab doesn't have it), let her in. |
---|
| 1614 | * |
---|
| 1615 | * Returns 1 for confirmation, -1 for failure, 0 for uncertainty. |
---|
| 1616 | */ |
---|
| 1617 | int verify_krb_tgt (realm) |
---|
| 1618 | char *realm; |
---|
| 1619 | { |
---|
| 1620 | char hostname[MAXHOSTNAMELEN], phost[BUFSIZ]; |
---|
| 1621 | struct hostent *hp; |
---|
| 1622 | KTEXT_ST ticket; |
---|
| 1623 | AUTH_DAT authdata; |
---|
| 1624 | unsigned long addr; |
---|
| 1625 | static /*const*/ char rcmd[] = "rcmd"; |
---|
| 1626 | char key[8]; |
---|
| 1627 | int krbval, retval, have_keys; |
---|
| 1628 | |
---|
| 1629 | if (gethostname(hostname, sizeof(hostname)) == -1) { |
---|
| 1630 | perror ("cannot retrieve local hostname"); |
---|
| 1631 | return -1; |
---|
| 1632 | } |
---|
| 1633 | strncpy (phost, get_phost (hostname), sizeof (phost)); |
---|
| 1634 | phost[sizeof(phost)-1] = 0; |
---|
| 1635 | hp = gethostbyname (hostname); |
---|
| 1636 | if (!hp) { |
---|
| 1637 | perror ("cannot retrieve local host address"); |
---|
| 1638 | return -1; |
---|
| 1639 | } |
---|
| 1640 | bcopy ((char *)hp->h_addr, (char *) &addr, sizeof (addr)); |
---|
| 1641 | /* Do we have rcmd.<host> keys? */ |
---|
| 1642 | have_keys = read_service_key (rcmd, phost, realm, 0, "/etc/srvtab", key) |
---|
| 1643 | ? 0 : 1; |
---|
| 1644 | krbval = krb_mk_req (&ticket, rcmd, phost, realm, 0); |
---|
| 1645 | if (krbval == KDC_PR_UNKNOWN) { |
---|
| 1646 | /* |
---|
| 1647 | * Our rcmd.<host> principal isn't known -- just assume valid |
---|
| 1648 | * for now? This is one case that the user _could_ fake out. |
---|
| 1649 | */ |
---|
| 1650 | if (have_keys) |
---|
| 1651 | return -1; |
---|
| 1652 | else |
---|
| 1653 | return 0; |
---|
| 1654 | } |
---|
| 1655 | else if (krbval != KSUCCESS) { |
---|
| 1656 | printf ("Unable to verify Kerberos TGT: %s\n", krb_err_txt[krbval]); |
---|
| 1657 | syslog (LOG_NOTICE|LOG_AUTH, "Kerberos TGT bad: %s", |
---|
| 1658 | krb_err_txt[krbval]); |
---|
| 1659 | return -1; |
---|
| 1660 | } |
---|
| 1661 | /* got ticket, try to use it */ |
---|
| 1662 | krbval = krb_rd_req (&ticket, rcmd, phost, addr, &authdata, ""); |
---|
| 1663 | if (krbval != KSUCCESS) { |
---|
| 1664 | if (krbval == RD_AP_UNDEC && !have_keys) |
---|
| 1665 | retval = 0; |
---|
| 1666 | else { |
---|
| 1667 | retval = -1; |
---|
| 1668 | printf ("Unable to verify `rcmd' ticket: %s\n", |
---|
| 1669 | krb_err_txt[krbval]); |
---|
| 1670 | } |
---|
| 1671 | syslog (LOG_NOTICE|LOG_AUTH, "can't verify rcmd ticket: %s;%s\n", |
---|
| 1672 | krb_err_txt[krbval], |
---|
| 1673 | retval |
---|
| 1674 | ? "srvtab found, assuming failure" |
---|
| 1675 | : "no srvtab found, assuming success"); |
---|
| 1676 | goto EGRESS; |
---|
| 1677 | } |
---|
| 1678 | /* |
---|
| 1679 | * The rcmd.<host> ticket has been received _and_ verified. |
---|
| 1680 | */ |
---|
| 1681 | retval = 1; |
---|
| 1682 | /* do cleanup and return */ |
---|
| 1683 | EGRESS: |
---|
| 1684 | bzero (&ticket, sizeof (ticket)); |
---|
| 1685 | bzero (&authdata, sizeof (authdata)); |
---|
| 1686 | return retval; |
---|
| 1687 | } |
---|