From d9c09138d91566af49ef8179d9995c84294e2486 Mon Sep 17 00:00:00 2001 From: Kaarle Ritvanen Date: Thu, 5 Nov 2015 16:27:36 +0200 Subject: [PATCH 10/12] su: FEATURE_SU_NULLOK_SECURE When this feature is enabled, blank passwords are not accepted by su unless the user is on a secure TTY defined in /etc/securetty. This resembles the default PAM configuration of some Linux distros which specify the nullok_secure option for pam_unix.so. --- loginutils/su.c | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/loginutils/su.c b/loginutils/su.c index 24ffbde86..086445243 100644 --- a/loginutils/su.c +++ b/loginutils/su.c @@ -24,6 +24,11 @@ //config: bool "Enable su to check user's shell to be listed in /etc/shells" //config: depends on SU //config: default y +//config:config FEATURE_SU_NULLOK_SECURE +//config: bool "Disallow blank passwords from TTYs other than specified in /etc/securetty" +//config: depends on SU +//config: default n + //applet:/* Needs to be run by root or be suid root - needs to change uid and gid: */ //applet:IF_SU(APPLET(su, BB_DIR_BIN, BB_SUID_REQUIRE)) @@ -76,6 +81,7 @@ int su_main(int argc UNUSED_PARAM, char **argv) struct passwd *pw; uid_t cur_uid = getuid(); const char *tty; + int allow_blank = 1; #if ENABLE_FEATURE_UTMP char user_buf[64]; #endif @@ -100,6 +106,12 @@ int su_main(int argc UNUSED_PARAM, char **argv) argv++; } + tty = xmalloc_ttyname(STDIN_FILENO); + if (!tty) tty = "none"; + tty = skip_dev_pfx(tty); + + if (ENABLE_FEATURE_SU_NULLOK_SECURE) allow_blank = check_securetty(tty); + if (ENABLE_FEATURE_SU_SYSLOG) { /* The utmp entry (via getlogin) is probably the best way to * identify the user, especially if someone su's from a su-shell. @@ -113,16 +125,12 @@ int su_main(int argc UNUSED_PARAM, char **argv) pw = getpwuid(cur_uid); old_user = pw ? xstrdup(pw->pw_name) : ""; } - tty = xmalloc_ttyname(2); - if (!tty) { - tty = "none"; - } openlog(applet_name, 0, LOG_AUTH); } pw = xgetpwnam(opt_username); - if (cur_uid == 0 || ask_and_check_password(pw) > 0) { + if (cur_uid == 0 || ask_and_check_password_extended(pw, 0, allow_blank, "Password: ") > 0) { if (ENABLE_FEATURE_SU_SYSLOG) syslog(LOG_NOTICE, "%c %s %s:%s", '+', tty, old_user, opt_username); -- 2.11.0