Long-overdue cleanup on login.
Only tested that it compiled so far.
diff --git a/toys/other/login.c b/toys/other/login.c
index b728286..c44a887 100644
--- a/toys/other/login.c
+++ b/toys/other/login.c
@@ -8,30 +8,28 @@
* TODO: this command predates "pending" but needs cleanup. It #defines
* random stuff, calls exit() form a signal handler... yeah.
-USE_LOGIN(NEWTOY(login, ">1fph:", TOYFLAG_BIN))
+USE_LOGIN(NEWTOY(login, ">1f:ph:", TOYFLAG_BIN|TOYFLAG_NEEDROOT))
config LOGIN
bool "login"
default y
depends on TOYBOX_SHADOW
help
- usage: login [-p] [-h host] [[-f] username]
+ usage: login [-p] [-h host] [-f USERNAME] [USERNAME]
- Establish a new session with the system.
+ Log in as a user, prompting for username and password if necessary.
-p Preserve environment
-h The name of the remote host for this login
- -f Do not perform authentication
+ -f login as USERNAME without authentication
*/
#define FOR_login
#include "toys.h"
-#define USER_NAME_MAX_SIZE 32
-#define HOSTNAME_SIZE 32
-
GLOBALS(
char *hostname;
+ char *username;
int login_timeout, login_fail_timeout;
)
@@ -42,97 +40,107 @@
exit(0);
}
-static char *forbid[] = {
- "BASH_ENV", "ENV", "HOME", "IFS", "LD_LIBRARY_PATH", "LD_PRELOAD",
- "LD_TRACE_LOADED_OBJECTS", "LD_BIND_NOW", "LD_AOUT_LIBRARY_PATH",
- "LD_AOUT_PRELOAD", "LD_NOWARN", "LD_KEEPDIR", "SHELL", NULL
-};
-
-int verify_password(char * pwd)
+void login_main(void)
{
- char *pass;
+ char *forbid[] = {
+ "BASH_ENV", "ENV", "HOME", "IFS", "LD_LIBRARY_PATH", "LD_PRELOAD",
+ "LD_TRACE_LOADED_OBJECTS", "LD_BIND_NOW", "LD_AOUT_LIBRARY_PATH",
+ "LD_AOUT_PRELOAD", "LD_NOWARN", "LD_KEEPDIR", "SHELL"
+ };
+ int hh = toys.optflags&FLAG_h, count, tty;
+ char uu[33], *username, *pass = 0, *ss;
+ struct passwd *pwd = 0;
- if (read_password(toybuf, sizeof(toybuf), "Password: ")) return 1;
- if (!pwd) return 1;
- if (pwd[0] == '!' || pwd[0] == '*') return 1;
+ for (tty=0; tty<3; tty++) if (isatty(tty)) break;
+ if (tty == 3) error_exit("no tty");
- pass = crypt(toybuf, pwd);
- if (pass && !strcmp(pass, pwd)) return 0;
+ for (count = 0; count < ARRAY_LEN(forbid); count++) unsetenv(forbid[count]);
- return 1;
-}
+ openlog("login", LOG_PID | LOG_CONS, LOG_AUTH);
+ xsignal(SIGALRM, login_timeout_handler);
-void read_user(char * buff, int size)
-{
- char hostname[HOSTNAME_SIZE+1];
- int i = 0;
+ if (TT.username) username = TT.username;
+ else username = *toys.optargs;
+ for (count = 0; count < 3; count++) {
+ alarm(TT.login_timeout = 60);
+ tcflush(0, TCIFLUSH);
- hostname[HOSTNAME_SIZE] = 0;
- if (!gethostname(hostname, HOSTNAME_SIZE)) fputs(hostname, stdout);
+ if (!username) {
+ int i;
- fputs(" login: ", stdout);
- fflush(stdout);
+ memset(username = uu, 0, sizeof(uu));
+ gethostname(uu, sizeof(uu)-1);
+ printf("%s%slogin: ", *uu ? uu : "", *uu ? " " : "");
+ fflush(stdout);
- do {
- int c = getchar();
- if (c == EOF) exit(EXIT_FAILURE);
- *buff = c;
- } while (isblank(*buff));
+ if(!fgets(uu, sizeof(uu)-1, stdin)) _exit(1);
- if (*buff != '\n') if(!fgets(&buff[1], HOSTNAME_SIZE-1, stdin)) _exit(1);
+ // Remove trailing \n and so on
+ for (i = 0; i<sizeof(uu); i++) if (uu[i]<=' ' || uu[i]==':') uu[i]=0;
+ if (!*uu) {
+ username = 0;
+ continue;
+ }
+ }
- while(i<HOSTNAME_SIZE-1 && isgraph(buff[i])) i++;
- buff[i] = 0;
-}
+ // If user exists and isn't locked
+ pwd = getpwnam(username);
+ if (pwd && *pwd->pw_passwd != '!' && *pwd->pw_passwd != '*') {
-void handle_nologin(void)
-{
- int fd = open("/etc/nologin", O_RDONLY);
- int size;
+ // Pre-authenticated or passwordless
+ if (TT.username || !*pwd->pw_passwd) break;
- if (fd == -1) return;
+ // fetch shadow password if necessary
+ if (*(pass = pwd->pw_passwd) == 'x') {
+ struct spwd *spwd = getspnam (username);
- size = readall(fd, toybuf,sizeof(toybuf)-1);
- toybuf[size] = 0;
- if (!size) puts("System closed for routine maintenance\n");
- else puts(toybuf);
+ if (spwd) pass = spwd->sp_pwdp;
+ }
+ } else if (TT.username) error_exit("bad -f '%s'", TT.username);
- close(fd);
- fflush(stdout);
- exit(1);
-}
+ // Verify password. (Prompt for password _before_ checking disable state.)
+ if (!read_password(toybuf, sizeof(toybuf), "Password: ")) {
+ int x = pass && (ss = crypt(toybuf, pass)) && !strcmp(pass, ss);
-void handle_motd(void)
-{
- int fd = open("/etc/motd", O_RDONLY);
- int size;
- if (fd == -1) return;
+ // password go bye-bye now.
+ memset(toybuf, 0, sizeof(toybuf));
+ if (x) break;
+ }
- size = readall(fd, toybuf,sizeof(toybuf)-1);
- toybuf[size] = 0;
- puts(toybuf);
+ syslog(LOG_WARNING, "invalid password for '%s' on %s %s%s", pwd->pw_name,
+ ttyname(tty), hh ? "from " : "", hh ? TT.hostname : "");
- close(fd);
- fflush(stdout);
-}
+ sleep(3);
+ puts("Login incorrect");
-void spawn_shell(const char *shell)
-{
- const char * exec_name = strrchr(shell,'/');
- if (exec_name) exec_name++;
- else exec_name = shell;
+ username = 0;
+ pwd = 0;
+ }
- snprintf(toybuf,sizeof(toybuf)-1, "-%s", shell);
- execl(shell, toybuf, NULL);
- error_exit("Failed to spawn shell");
-}
+ alarm(0);
+ // This had password data in it, and we reuse for motd below
+ memset(toybuf, 0, sizeof(toybuf));
-void setup_environment(const struct passwd *pwd, int clear_env)
-{
- if (chdir(pwd->pw_dir)) printf("bad home dir: %s\n", pwd->pw_dir);
+ if (!pwd) error_exit("max retries (3)");
- if (clear_env) {
- const char *term = getenv("TERM");
+ // Check twice because "this file exists" is a security test, and in
+ // theory filehandle exhaustion or other error could make open/read fail.
+ if (pwd->pw_uid && !access("/etc/nologin", R_OK)) {
+ ss = readfile("/etc/nologin", toybuf, sizeof(toybuf));
+ puts ((ss && *ss) ? ss : "nologin");
+ free(ss);
+ toys.exitval = 1;
+
+ return;
+ }
+
+ xsetuser(pwd);
+
+ if (chdir(pwd->pw_dir)) printf("bad $HOME: %s\n", pwd->pw_dir);
+
+ if (!(toys.optflags&FLAG_p)) {
+ char *term = getenv("TERM");
+
clearenv();
if (term) setenv("TERM", term, 1);
}
@@ -141,85 +149,19 @@
setenv("LOGNAME", pwd->pw_name, 1);
setenv("HOME", pwd->pw_dir, 1);
setenv("SHELL", pwd->pw_shell, 1);
-}
-void login_main(void)
-{
- int f_flag = toys.optflags & FLAG_f;
- int h_flag = toys.optflags & FLAG_h;
- char username[33], *pass = NULL, **ss;
- struct passwd * pwd = NULL;
- struct spwd * spwd = NULL;
- int auth_fail_cnt = 0;
-
- if (f_flag && toys.optc != 1) error_exit("-f requires username");
-
- if (geteuid()) error_exit("not root");
-
- if (!isatty(0) || !isatty(1) || !isatty(2)) error_exit("no tty");
-
- openlog("login", LOG_PID | LOG_CONS, LOG_AUTH);
- xsignal(SIGALRM, login_timeout_handler);
- alarm(TT.login_timeout = 60);
-
- for (ss = forbid; *ss; ss++) unsetenv(*ss);
-
- while (1) {
- tcflush(0, TCIFLUSH);
-
- username[sizeof(username)-1] = 0;
- if (*toys.optargs) xstrncpy(username, *toys.optargs, sizeof(username));
- else {
- read_user(username, sizeof(username));
- if (!*username) continue;
- }
-
- pwd = getpwnam(username);
- if (!pwd) goto query_pass; // Non-existing user
-
- if (pwd->pw_passwd[0] == '!' || pwd->pw_passwd[0] == '*')
- goto query_pass; // Locked account
-
- if (f_flag) break; // Pre-authenticated
-
- if (!pwd->pw_passwd[0]) break; // Password-less account
-
- pass = pwd->pw_passwd;
- if (pwd->pw_passwd[0] == 'x') {
- spwd = getspnam (username);
- if (spwd) pass = spwd->sp_pwdp;
- }
-
-query_pass:
- if (!verify_password(pass)) break;
-
- f_flag = 0;
- syslog(LOG_WARNING, "invalid password for '%s' on %s %s %s", username,
- ttyname(0), h_flag?"from":"", h_flag?TT.hostname:"");
-
- sleep(3);
- puts("Login incorrect");
-
- if (++auth_fail_cnt == 3)
- error_exit("Maximum number of tries exceeded (3)\n");
-
- *username = 0;
- pwd = 0;
- spwd = 0;
+ // Message of the day
+ if ((ss = readfile("/etc/motd", 0, 0))) {
+ puts(ss);
+ free(ss);
}
- alarm(0);
-
- if (pwd->pw_uid) handle_nologin();
-
- xsetuser(pwd);
-
- setup_environment(pwd, !(toys.optflags & FLAG_p));
-
- handle_motd();
-
syslog(LOG_INFO, "%s logged in on %s %s %s", pwd->pw_name,
- ttyname(0), h_flag?"from":"", h_flag?TT.hostname:"");
+ ttyname(tty), hh ? "from" : "", hh ? TT.hostname : "");
- spawn_shell(pwd->pw_shell);
+ // can't xexec here because name doesn't match argv[0]
+ snprintf(toybuf, sizeof(toybuf)-1, "-%s", ss = basename_r(pwd->pw_shell));
+ toy_exec((char *[]){toybuf, 0});
+ execl(ss, toybuf, NULL);
+ error_exit("Failed to spawn shell");
}