ladybird/Userland/Utilities/su.cpp

/*
 * Copyright (c) 2018-2020, Andreas Kling <kling@serenityos.org>
 *
 * SPDX-License-Identifier: BSD-2-Clause
 */

#include <AK/ScopeGuard.h>
#include <LibCore/Account.h>
#include <LibCore/ArgsParser.h>
#include <LibCore/GetPassword.h>
#include <stdio.h>
#include <unistd.h>

extern "C" int main(int, char**);

int main(int argc, char** argv)
{
    if (pledge("stdio rpath tty exec id", nullptr) < 0) {
        perror("pledge");
        return 1;
    }

    if (!isatty(STDIN_FILENO)) {
        warnln("{}: standard in is not a terminal", argv[0]);
        return 1;
    }

    const char* user = nullptr;

    Core::ArgsParser args_parser;
    args_parser.add_positional_argument(user, "User to switch to (defaults to user with UID 0)", "user", Core::ArgsParser::Required::No);
    args_parser.parse(argc, argv);

    if (geteuid() != 0) {
        warnln("Not running as root :(");
        return 1;
    }

    auto account_or_error = (user)
        ? Core::Account::from_name(user)
        : Core::Account::from_uid(0);
    if (account_or_error.is_error()) {
        warnln("Core::Account::from_name: {}", account_or_error.error());
        return 1;
    }

    if (pledge("stdio tty exec id", nullptr) < 0) {
        perror("pledge");
        return 1;
    }

    const auto& account = account_or_error.value();

    if (getuid() != 0 && account.has_password()) {
        auto password = Core::get_password();
        if (password.is_error()) {
            warnln("{}", password.error());
            return 1;
        }

        if (!account.authenticate(password.value())) {
            warnln("Incorrect or disabled password.");
            return 1;
        }
    }

    if (pledge("stdio exec id", nullptr) < 0) {
        perror("pledge");
        return 1;
    }

    if (!account.login()) {
        perror("Core::Account::login");
        return 1;
    }

    if (pledge("stdio exec", nullptr) < 0) {
        perror("pledge");
        return 1;
    }

    execl(account.shell().characters(), account.shell().characters(), nullptr);
    perror("execl");
    return 1;
}
Meta: Add license header to source files As suggested by Joshua, this commit adds the 2-clause BSD license as a comment block to the top of every source file. For the first pass, I've just added myself for simplicity. I encourage everyone to add themselves as copyright holders of any file they've added or modified in some significant way. If I've added myself in error somewhere, feel free to replace it with the appropriate copyright holder instead. Going forward, all new source files should include a license header. 2020-01-18 11:38:21 +03:00			`/*`
			`* Copyright (c) 2018-2020, Andreas Kling <kling@serenityos.org>`
			`*`
Everything: Move to SPDX license identifiers in all files. SPDX License Identifiers are a more compact / standardized way of representing file license information. See: https://spdx.dev/resources/use/#identifiers This was done with the `ambr` search and replace tool. ambr --no-parent-ignore --key-from-file --rep-from-file key.txt rep.txt * 2021-04-22 11:24:48 +03:00			`* SPDX-License-Identifier: BSD-2-Clause`
Meta: Add license header to source files As suggested by Joshua, this commit adds the 2-clause BSD license as a comment block to the top of every source file. For the first pass, I've just added myself for simplicity. I encourage everyone to add themselves as copyright holders of any file they've added or modified in some significant way. If I've added myself in error somewhere, feel free to replace it with the appropriate copyright holder instead. Going forward, all new source files should include a license header. 2020-01-18 11:38:21 +03:00			`*/`

LibCore: Make get_password return SecretString instead of String We shouldn't let secrets sit around in memory, as they could potentially be retrieved by an attacker, or left in memory during a core dump. 2021-09-11 19:53:25 +03:00			`#include <AK/ScopeGuard.h>`
Userland: Switch su over to Core::Account 2020-07-31 02:35:30 +03:00			`#include <LibCore/Account.h>`
Meta+Userland: Make clang-format-10 clean 2020-09-18 10:49:51 +03:00			`#include <LibCore/ArgsParser.h>`
Userland: Make su require passwords 2020-07-26 03:36:32 +03:00			`#include <LibCore/GetPassword.h>`
Userland: Run clang-format on everything. 2019-06-07 12:49:31 +03:00			`#include <stdio.h>`
			`#include <unistd.h>`
Kernel+Userland: Implement setuid() and setgid() and add /bin/su Also show setuid and setgid bits in "ls -l" output. :^) 2019-02-22 01:35:07 +03:00
			`extern "C" int main(int, char**);`

			`int main(int argc, char** argv)`
			`{`
su: Use pledge() :^) Not sure why we hadn't done this one sooner, seems like a high-value program to pledge. 2021-01-09 19:53:30 +03:00			`if (pledge("stdio rpath tty exec id", nullptr) < 0) {`
			`perror("pledge");`
			`return 1;`
			`}`

su: Refuse to run if stdin is not a TTY 2020-11-08 16:52:33 +03:00			`if (!isatty(STDIN_FILENO)) {`
			`warnln("{}: standard in is not a terminal", argv[0]);`
			`return 1;`
			`}`

Userland: Use Core::ArgsParser for 'su' 2020-08-05 21:26:32 +03:00			`const char* user = nullptr;`

			`Core::ArgsParser args_parser;`
			`args_parser.add_positional_argument(user, "User to switch to (defaults to user with UID 0)", "user", Core::ArgsParser::Required::No);`
			`args_parser.parse(argc, argv);`

passwd+su: Convert fprintf(stderr, ...) to warnln() 2021-01-10 00:14:20 +03:00			`if (geteuid() != 0) {`
			`warnln("Not running as root :(");`
			`return 1;`
			`}`
Userland: Compliment the user when running su(1) :^) 2020-06-16 22:16:09 +03:00
LibCore+passwd+su+Base: Add /etc/shadow to hide hashes from users :^) This patch moves the user account password hashes from /etc/passwd, where they were world-readable, to /etc/shadow, where only root can access them. The Core::Account class is extended to support both authentication against, and modification of /etc/shadow. The default password for "anon" as of this commit is "foo" :^) 2021-01-09 19:44:44 +03:00			`auto account_or_error = (user)`
LibCore+su+passwd: Don't keep /etc/passwd and /etc/shadow open Now that we've moved to atomic replacement of these files when altering them, we don't need to keep them open for the lifetime of Core::Account so just simplify this and close them when they are not needed. 2021-01-21 13:17:06 +03:00			`? Core::Account::from_name(user)`
			`: Core::Account::from_uid(0);`
Userland: Switch su over to Core::Account 2020-07-31 02:35:30 +03:00			`if (account_or_error.is_error()) {`
Userland: Replace most printf-style APIs with AK::Format APIs :^) 2021-05-31 17:43:25 +03:00			`warnln("Core::Account::from_name: {}", account_or_error.error());`
su: Use setgroups() to switch over to the target user's extra GIDs Before this, su would leave the process's extra GIDs untouched, simply inheriting them from whoever spawned su. Now we grab the target user's groups from /etc/group and setgroups(). 2020-01-04 15:48:55 +03:00			`return 1;`
			`}`

su: Use pledge() :^) Not sure why we hadn't done this one sooner, seems like a high-value program to pledge. 2021-01-09 19:53:30 +03:00			`if (pledge("stdio tty exec id", nullptr) < 0) {`
			`perror("pledge");`
			`return 1;`
			`}`

su+passwd: Don't copy Core::Account unnecessarily 2021-01-09 19:54:09 +03:00			`const auto& account = account_or_error.value();`
Userland: Switch su over to Core::Account 2020-07-31 02:35:30 +03:00
			`if (getuid() != 0 && account.has_password()) {`
Userland: Make su require passwords 2020-07-26 03:36:32 +03:00			`auto password = Core::get_password();`
			`if (password.is_error()) {`
LibCore: Use OSError in get_password() return type 2021-01-10 15:48:05 +03:00			`warnln("{}", password.error());`
Userland: Make su require passwords 2020-07-26 03:36:32 +03:00			`return 1;`
			`}`

LibCore: Make Account::authenticate take a SecretString To encourage users to use the SecretString API, change the API so that Account::authenticate only accepts a SecretString. 2021-09-12 17:02:17 +03:00			`if (!account.authenticate(password.value())) {`
passwd+su: Convert fprintf(stderr, ...) to warnln() 2021-01-10 00:14:20 +03:00			`warnln("Incorrect or disabled password.");`
Userland: Make su require passwords 2020-07-26 03:36:32 +03:00			`return 1;`
			`}`
			`}`

su: Drop "tty" pledge promise after getting password from user There's not much work left to do at this point, but let's be strict. 2021-01-10 00:19:31 +03:00			`if (pledge("stdio exec id", nullptr) < 0) {`
			`perror("pledge");`
			`return 1;`
			`}`

Userland: Switch su over to Core::Account 2020-07-31 02:35:30 +03:00			`if (!account.login()) {`
			`perror("Core::Account::login");`
Kernel+Userland: Implement setuid() and setgid() and add /bin/su Also show setuid and setgid bits in "ls -l" output. :^) 2019-02-22 01:35:07 +03:00			`return 1;`
			`}`
Userland: Switch su over to Core::Account 2020-07-31 02:35:30 +03:00
su: Drop "id" pledge after switching user 2021-01-22 21:40:30 +03:00			`if (pledge("stdio exec", nullptr) < 0) {`
			`perror("pledge");`
			`return 1;`
			`}`

Userland: Switch su over to Core::Account 2020-07-31 02:35:30 +03:00			`execl(account.shell().characters(), account.shell().characters(), nullptr);`
Userland: Minor tweaks in /bin/su 2019-02-22 01:49:16 +03:00			`perror("execl");`
			`return 1;`
Kernel+Userland: Implement setuid() and setgid() and add /bin/su Also show setuid and setgid bits in "ls -l" output. :^) 2019-02-22 01:35:07 +03:00			`}`