From 0acd825122c5e2d1b2ba6a0d0f42960cefaafa88 Mon Sep 17 00:00:00 2001 From: Kaarle Ritvanen Date: Thu, 5 Nov 2015 16:27:36 +0200 Subject: [PATCH 3003/3003] su: FEATURE_SU_NULLOK_SECURE When this feature is enabled, blank passwords are not accepted by su unless the user is on a secure TTY defined in /etc/securetty. This resembles the default PAM configuration of some Linux distros which specify the nullok_secure option for pam_unix.so. --- loginutils/Config.src | 5 +++++ loginutils/su.c | 13 ++++++++----- 2 files changed, 13 insertions(+), 5 deletions(-) diff --git a/loginutils/Config.src b/loginutils/Config.src index fa2b4f8..a150899 100644 --- a/loginutils/Config.src +++ b/loginutils/Config.src @@ -311,6 +311,11 @@ config FEATURE_SU_CHECKS_SHELLS depends on SU default y +config FEATURE_SU_NULLOK_SECURE + bool "Disallow blank passwords from TTYs other than specified in /etc/securetty" + depends on SU + default n + config SULOGIN bool "sulogin" default y diff --git a/loginutils/su.c b/loginutils/su.c index f812505..bd0cb35 100644 --- a/loginutils/su.c +++ b/loginutils/su.c @@ -51,6 +51,7 @@ int su_main(int argc UNUSED_PARAM, char **argv) struct passwd *pw; uid_t cur_uid = getuid(); const char *tty; + int allow_blank = 1; #if ENABLE_FEATURE_UTMP char user_buf[64]; #endif @@ -71,6 +72,12 @@ int su_main(int argc UNUSED_PARAM, char **argv) argv++; } + tty = xmalloc_ttyname(STDIN_FILENO); + if (!tty) tty = "none"; + tty = skip_dev_pfx(tty); + + if (ENABLE_FEATURE_SU_NULLOK_SECURE) allow_blank = check_securetty(tty); + if (ENABLE_FEATURE_SU_SYSLOG) { /* The utmp entry (via getlogin) is probably the best way to * identify the user, especially if someone su's from a su-shell. @@ -84,16 +91,12 @@ int su_main(int argc UNUSED_PARAM, char **argv) pw = getpwuid(cur_uid); old_user = pw ? xstrdup(pw->pw_name) : ""; } - tty = xmalloc_ttyname(2); - if (!tty) { - tty = "none"; - } openlog(applet_name, 0, LOG_AUTH); } pw = xgetpwnam(opt_username); - if (cur_uid == 0 || ask_and_check_password(pw) > 0) { + if (cur_uid == 0 || ask_and_check_password_extended(pw, 0, allow_blank, "Password: ") > 0) { if (ENABLE_FEATURE_SU_SYSLOG) syslog(LOG_NOTICE, "%c %s %s:%s", '+', tty, old_user, opt_username); -- 2.6.3