123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133 |
- /* login.c - Start a session on the system.
- *
- * Copyright 2012 Elie De Brauwer <eliedebrauwer@gmail.com>
- *
- * No support for PAM/securetty/selinux/login script/issue/utmp
- * Relies on libcrypt for hash calculation.
- USE_LOGIN(NEWTOY(login, ">1f:ph:", TOYFLAG_BIN|TOYFLAG_NEEDROOT))
- config LOGIN
- bool "login"
- default y
- depends on TOYBOX_SHADOW
- help
- usage: login [-p] [-h host] [-f USERNAME] [USERNAME]
- Log in as a user, prompting for username and password if necessary.
- -p Preserve environment
- -h The name of the remote host for this login
- -f login as USERNAME without authentication
- */
- #define FOR_login
- #include "toys.h"
- GLOBALS(
- char *h, *f;
- int login_timeout, login_fail_timeout;
- )
- static void login_timeout_handler(int sig __attribute__((unused)))
- {
- printf("\nLogin timed out after %d seconds.\n", TT.login_timeout);
- xexit();
- }
- void login_main(void)
- {
- int hh = FLAG(h), count, tty = tty_fd();
- char *username, *pass = 0, *ss;
- struct passwd *pwd = 0;
- // we read user/password from stdin, but tty can be stderr?
- if (tty == -1) error_exit("no tty");
- openlog("login", LOG_PID | LOG_CONS, LOG_AUTH);
- xsignal(SIGALRM, login_timeout_handler);
- if (TT.f) username = TT.f;
- else username = *toys.optargs;
- for (count = 0; count < 3; count++) {
- alarm(TT.login_timeout = 60);
- tcflush(0, TCIFLUSH);
- if (!username) {
- if (gethostname(toybuf, sizeof(toybuf)-1)) *toybuf = 0;
- printf("%s%slogin: ", *toybuf ? toybuf : "", *toybuf ? " " : "");
- fflush(stdout);
- if(!fgets(toybuf, sizeof(toybuf)-1, stdin)) xexit();
- // Remove trailing \n and so on
- for (ss = toybuf; *ss; ss++) if (*ss<=' ' || *ss==':') break;
- *ss = 0;
- if (!*(username = toybuf)) {
- username = 0;
- continue;
- }
- }
- // If user exists and isn't locked
- if ((pwd = getpwnam(username))) {
- // Pre-authenticated or passwordless
- if (TT.f || !*pwd->pw_passwd) break;
- // fetch shadow password if necessary
- if (*(pass = pwd->pw_passwd) == 'x') {
- struct spwd *spwd = getspnam (username);
- if (spwd) pass = spwd->sp_pwdp;
- }
- } else if (TT.f) error_exit("bad -f '%s'", TT.f);
- // Verify password. (Prompt for password _before_ checking disable state.)
- if (!read_password(toybuf, sizeof(toybuf), "Password: ")) {
- int x = pass && (ss = crypt(toybuf, pass)) && !strcmp(pass, ss);
- // password go bye-bye now.
- memset(toybuf, 0, sizeof(toybuf));
- if (x) break;
- }
- syslog(LOG_WARNING, "invalid password for '%s' on %s %s%s", pwd->pw_name,
- ttyname(tty), hh ? "from " : "", hh ? TT.h : "");
- sleep(3);
- puts("Login incorrect");
- username = 0;
- pwd = 0;
- }
- alarm(0);
- if (!pwd) error_exit("max retries (3)");
- // Check twice because "this file exists" is a security test, and in
- // theory filehandle exhaustion or other error could make open/read fail.
- if (pwd->pw_uid && !access("/etc/nologin", R_OK)) {
- ss = readfile("/etc/nologin", toybuf, sizeof(toybuf));
- puts ((ss && *ss) ? ss : "nologin");
- free(ss);
- toys.exitval = 1;
- return;
- }
- if (fchown(tty, pwd->pw_uid, pwd->pw_gid) || fchmod(tty, 0600))
- printf("can't claim tty");
- xsetuser(pwd);
- reset_env(pwd, !FLAG(p));
- // Message of the day
- if ((ss = readfile("/etc/motd", 0, 0))) puts(ss);
- syslog(LOG_INFO, "%s logged in on %s %s %s", pwd->pw_name,
- ttyname(tty), hh ? "from" : "", hh ? TT.h : "");
- // not using xexec(), login calls absolute path from filesystem so must exec()
- execl(pwd->pw_shell, xmprintf("-%s", pwd->pw_shell), (char *)0);
- perror_exit("exec shell '%s'", pwd->pw_shell);
- }
|