Commit Graph

143 Commits

Author SHA1 Message Date
Alejandro Colomar d6a9b72603 src/login.c: Fix off-by-one bugss
These functions expect a size, not a length.  Don't subtract 1 to the
size.

Link: <https://github.com/shadow-maint/shadow/pull/935>
Link: <https://github.com/shadow-maint/shadow/issues/920#issuecomment-1926002209>
Link: <https://github.com/shadow-maint/shadow/pull/757>
Link: <https://github.com/shadow-maint/shadow/issues/674>
See-also: 0656a90bfd0d ("src/login.c: Fix off-by-one buggs")
See-also: 403a2e3771 ("lib/chkname.c: Take NUL byte into account")
Fixes: 3b7cc05387 ("lib: replace `USER_NAME_MAX_LENGTH` macro")
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Cc: Tobias Stoeckmann <tobias@stoeckmann.org>
Cc: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Cherry-picked-from: 15882a5f90 ("src/login.c: Fix off-by-one bugss")
Link: <https://github.com/shadow-maint/shadow/pull/936>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
2024-02-14 04:10:03 +01:00
Alejandro Colomar cc2970c3a1 src/login.c: Fix off-by-one buggs
Before 3b7cc05387 ("lib: replace `USER_NAME_MAX_LENGTH` macro"), this
code did use a length.  It used a utmp(5) fixed-width buffer, so the
length matches the buffer size (there was no terminating NUL byte).
However, sysconf(_SC_LOGIN_NAME_MAX) returns a buffer size that accounts
for the terminating null byte; see sysconf(3).  Thus, the commit that
introduced the call to sysconf(3), should have taken that detail into
account.

403a2e3771 ("lib/chkname.c: Take NUL byte into account"), by Tobias,
caught that bug in <lib/chkname.c>, but missed that the same commit that
introduced that bug, introduced the same bug in two other places.
This fixes all remaining calls to sysconf(_SC_LOGIN_NAME_MAX).

I still observe some suspicious code after this fix:

	if (do_rlogin(hostname, username, max_size - 1, term, sizeof(term)))

	...

	login_prompt(username, max_size - 1);

We're passing size-1 to functions that want a size.  But since the fix
to those will be different, let's do that in the following commits.

Link: <https://github.com/shadow-maint/shadow/pull/935>
Link: <https://github.com/shadow-maint/shadow/issues/920#issuecomment-1926002209>
Link: <https://github.com/shadow-maint/shadow/pull/757>
Link: <https://github.com/shadow-maint/shadow/issues/674>
See-also: 403a2e3771 ("lib/chkname.c: Take NUL byte into account")
Fixes: 3b7cc05387 ("lib: replace `USER_NAME_MAX_LENGTH` macro")
Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Cc: Tobias Stoeckmann <tobias@stoeckmann.org>
Cc: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
Cherry-picked-from: 6551709e96 ("src/login.c: Fix off-by-one buggs")
Link: <https://github.com/shadow-maint/shadow/pull/936>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
2024-02-14 04:10:03 +01:00
Christian Göttsche 969549fdf0 Add wrapper for write(2)
write(2) may not write the complete given buffer.  Add a wrapper to
avoid short writes.
2023-08-04 17:15:42 -05:00
Iker Pedrosa 3b7cc05387 lib: replace USER_NAME_MAX_LENGTH macro
Replace it by `sysconf(_SC_LOGIN_NAME_MAX)`, which is the maximum
username length supported by the kernel.

Resolves: https://github.com/shadow-maint/shadow/issues/674

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
2023-08-02 10:13:28 -05:00
Iker Pedrosa 1f368e1c18 utmp: update update_utmp()
Remove `utmp` structure as an argument and include its logic inside the
function. This will help remove any reference to utmp from login.

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
2023-08-02 10:13:28 -05:00
Iker Pedrosa 6b7108e347 utmp: move update_utmp
The functionality from this function is related to utmp. Restrict access
to `setutmp()` to the same file.

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
2023-08-02 10:13:28 -05:00
Iker Pedrosa 84a10ca019 login: conditionally build lastlog functionality
Resolves: https://github.com/shadow-maint/shadow/issues/674

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
2023-07-15 07:39:53 -05:00
Alejandro Colomar 09775d3718 Simplify allocation APIs
If we consider simple objects as arrays of size 1, we can considerably
simplify these APIs, merging the *ARRAY and the non-array variants.

That will produce more readable code, since lines will be shorter (by
not having ARRAY in the macro names, as all macros will consistently
handle arrays), and the allocated size will be also more explicit.

The syntax will now be of the form:

    p = MALLOC(42, foo_t);  // allocate 42 elements of type foo_t.
    p = MALLOC(1, bar_t);   // allocate 1 element of type foo_t.

The _array() allocation functions should _never_ be called directly, and
instead these macros should be used.

The non-array functions (e.g., malloc(3)) still have their place, but
are limited to allocating structures with flexible array members.  For
any other uses, the macros should be used.

Thus, we don't use any array or ARRAY variants in any code any more, and
they are only used as implementation details of these macros.

Link: <https://software.codidact.com/posts/285898/288023#answer-288023>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
2023-06-08 09:05:39 -05:00
Samanta Navarro 7109b7c066 login_prompt: Simplify login_prompt API
The only user of login_prompt is the login tool. This implies that the
first argument is always the same.

It is much easier to verify printf's format string and its argument if
both are next to each other.

Signed-off-by: Samanta Navarro <ferivoz@riseup.net>
2023-05-03 07:54:28 -05:00
Alejandro Colomar efbbcade43 Use safer allocation macros
Use of these macros, apart from the benefits mentioned in the commit
that adds the macros, has some other good side effects:

-  Consistency in getting the size of the object from sizeof(type),
   instead of a mix of sizeof(type) sometimes and sizeof(*p) other
   times.

-  More readable code: no casts, and no sizeof(), so also shorter lines
   that we don't need to cut.

-  Consistency in using array allocation calls for allocations of arrays
   of objects, even when the object size is 1.

Cc: Valentin V. Bartenev <vbartenev@gmail.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
2023-02-23 20:28:43 -06:00
Samanta Navarro d5d1932370 Fix typos
It is a user, not an user.

Signed-off-by: Samanta Navarro <ferivoz@riseup.net>
2023-02-16 13:23:08 -06:00
Alejandro Colomar bddcd9b095 Remove superfluous casts
-  Every non-const pointer converts automatically to void *.
-  Every pointer converts automatically to void *.
-  void * converts to any other pointer.
-  const void * converts to any other const pointer.
-  Integer variables convert to each other.

I changed the declaration of a few variables in order to allow removing
a cast.

However, I didn't attempt to edit casts inside comparisons, since they
are very delicate.  I also kept casts in variadic functions, since they
are necessary, and in allocation functions, because I have other plans
for them.

I also changed a few casts to int that are better as ptrdiff_t.

This change has triggered some warnings about const correctness issues,
which have also been fixed in this patch (see for example src/login.c).

Signed-off-by: Alejandro Colomar <alx@kernel.org>
2023-02-09 10:03:03 -06:00
Alejandro Colomar 62172f6fb5 Call NULL by its name
In variadic functions we still do the cast.  In POSIX, it's not
necessary, since NULL is required to be of type 'void *', and 'void *'
is guaranteed to have the same alignment and representation as 'char *'.
However, since ISO C still doesn't mandate that, and moreover they're
doing dubious stuff by adding nullptr, let's be on the cautious side.
Also, C++ requires that NULL is _not_ 'void *', but either plain 0 or
some magic stuff.

Signed-off-by: Alejandro Colomar <alx@kernel.org>
2023-02-02 13:08:30 -06:00
Christian Göttsche 43508ac476 Drop redundant declaration
environ is exported in <unistd.h>.

    env.c:29:15: warning: redundant redeclaration of 'environ' [-Wredundant-decls]
       29 | extern char **environ;
          |               ^~~~~~~
    login.c:92:15: warning: redundant redeclaration of ‘environ’ [-Wredundant-decls]
       92 | extern char **environ;
          |               ^~~~~~~
    sulogin.c:40:15: warning: redundant redeclaration of ‘environ’ [-Wredundant-decls]
       40 | extern char **environ;
          |               ^~~~~~~
    newgrp.c:32:15: warning: redundant redeclaration of ‘environ’ [-Wredundant-decls]
       32 | extern char **environ;
          |               ^~~~~~~
2023-01-25 12:31:17 +01:00
SoumyaWind 670cae8348 shadow: Fix can not print full login timeout message
Login timed out message prints only first few bytes when write is immediately followed by exit.
Calling exit from new handler provides enough time to display full message.
2023-01-12 18:30:32 -06:00
Alejandro Colomar b990b167d4 Cosmetic fixes
Previous commits, to keep readability of the diffs, left the code that
was previously wrapped by preprocessor coditionals untouched.  Apply
some minor cosmetic changes to merge it in the surrounding code.

Signed-off-by: Alejandro Colomar <alx@kernel.org>
2022-12-22 10:31:43 +01:00
Alejandro Colomar 170b76cdd1 Disable utmpx permanently
On Linux, utmpx and utmp are identical.  However, documentation (manual
pages) covers utmp, and just says about utmpx that it's identical to
utmp.  It seems that it's preferred to use utmp, at least by reading the
manual pages.

Moreover, we were defaulting to utmp (utmpx had to be explicitly enabled
at configuration time).  So, it seems safer to just make it permanent,
which should not affect default builds.

Signed-off-by: Alejandro Colomar <alx@kernel.org>
2022-12-22 10:31:43 +01:00
Alex Colomar 0d9799de04 Don't test for NULL before calling free(3)
free(3) accepts NULL, since the oldest ISO C.  I guess the
paranoid code was taking care of prehistoric implementations of
free(3).  I've never known of an implementation that doesn't
conform to this, so let's simplify this.

Remove xfree(3), which was effectively an equivalent of free(3).

Signed-off-by: Alejandro Colomar <alx@kernel.org>
2022-09-29 16:03:53 +02:00
Alejandro Colomar fd5945e533 Use 'void' instead of 'RETSIGTYPE'. Use 'sighandler_t' too.
C89 and POSIX.1-2001 define signal(2) as returning a pointer to a
function returning 'void'.  K&R C signal(2) signature is obsolete.
Use 'void' directly.

Also, instead of writing the function pointer type explicitly, use
POSIX's 'sighandler_t'.

Signed-off-by: Alejandro Colomar <alx.manpages@gmail.com>
2022-01-15 08:25:53 -06:00
Serge Hallyn e8a2cfa7dc Merge pull request #451 from hallyn/2021-12-05/license 2022-01-02 18:38:42 -06:00
Alejandro Colomar 3e602b58a2 Remove HAVE_STRFTIME ifdefs
strftime(3) has been in standard C since C89.  It is also in
POSIX.1-2001, and in SVr4 (see strftime(3) and strftime(3p)).
We can assume that this function is always available.

Signed-off-by: Alejandro Colomar <alx.manpages@gmail.com>
2021-12-27 20:50:13 +01:00
Serge Hallyn f93cf255d4 Update licensing info
Closes #238

Update all files to list SPDX license shortname.  Most files are
BSD 3 clause license.

The exceptions are:

serge@sl ~/src/shadow$ git grep SPDX-License | grep -v BSD-3-Clause
contrib/atudel:# SPDX-License-Identifier: BSD-4-Clause
lib/tcbfuncs.c: * SPDX-License-Identifier: 0BSD
libmisc/salt.c: * SPDX-License-Identifier: Unlicense
src/login_nopam.c: * SPDX-License-Identifier: Unlicense
src/nologin.c: * SPDX-License-Identifier: BSD-2-Clause
src/vipw.c: * SPDX-License-Identifier: GPL-2.0-or-later

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2021-12-23 19:36:50 -06:00
Serge Hallyn 79157cbad8 Make shadow_logfd and Prog not extern
Closes #444
Closes #465

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2021-12-23 15:18:07 -06:00
Serge Hallyn c628caf174 Merge pull request #408 from bjorn-fischer/ambient_caps
Add support for ambient capabilities
2021-12-05 08:05:06 -06:00
Björn Fischer 6938bab429 Call pam_end() after fork in child code path
This conforms to PAM documentation and it is needed to support
ambient capabilities with PAM + libcap-2.58+.

Signed-off-by: Björn Fischer <bf@CeBiTec.Uni-Bielefeld.DE>
2021-12-05 08:03:56 -06:00
a1346054 7687ae4dbd fix spelling and unify whitespace 2021-08-18 18:06:02 +00:00
Serge Hallyn 2b22a6909d libsubid: don't print error messages on stderr by default
Closes #325

Add a new subid_init() function which can be used to specify the
stream on which error messages should be printed.  (If you want to
get fancy you can redirect that to memory :)  If subid_init() is
not called, use stderr.  If NULL is passed, then /dev/null will
be used.

This patch also fixes up the 'Prog', which previously had to be
defined by any program linking against libsubid.  Now, by default
in libsubid it will show (subid).  Once subid_init() is called,
it will use the first variable passed to subid_init().

Signed-off-by: Serge Hallyn <serge@hallyn.com>
2021-05-15 12:38:55 -05:00
Haelwenn Monnier b865e14f25 login & su: Treat an empty passwd field as invalid (#315)
* login & su: Treat an empty passwd field as invalid

Otherwise it's treated like the “require no password” clause while it probably
should be treated like a normal su that can't validate anyway.

A similar change should be done for USE_PAM.

* su & login: Introduce PREVENT_NO_AUTH
2021-03-28 22:16:03 -05:00
Serge Hallyn ed4a0157c4 silence more compiler warnings
And don't reuse the cp variable for two different purposes.

Signed-off-by: Serge Hallyn <shallyn@cisco.com>
2020-01-12 08:20:50 -06:00
Tomas Mraz 4633164857 login.defs: Add LASTLOG_UID_MAX variable to limit lastlog to small uids.
As the large uids are usually provided by remote user identity and
authentication service, which also provide user login tracking,
there is no need to create a huge sparse file for them on every local
machine.

fixup! login.defs: Add LASTLOG_UID_MAX variable to limit lastlog to small uids.
2018-12-10 13:25:56 -06:00
A. Wilcox 99dbd4b9ee Support systems that only have utmpx
This allows shadow-utils to build on systems like Adélie, which have no
<utmp.h> header or `struct utmp`.  We use a <utmpx.h>-based daemon,
utmps[1], which uses `struct utmpx` only.

Tested both `login` and `logoutd` with utmps and both work correctly.

[1]: http://skarnet.org/software/utmps/
2018-06-24 00:13:12 -05:00
Josh Soref 62ace035c6 spelling: getxxyyy 2017-10-22 19:16:30 +00:00
Tobias Stoeckmann dd50014055 Fixed signal races in shadow tools.
Some of the supplied tools use functions which are not signal-safe.

Most of the times it's exit() vs. _exit().

In other times it's how the standard output or standard error is
handled. FILE-related functions shall be avoided, therefore I replaced
them with write().

Also there is no need to call closelog(). At worst, it allows to
trigger a deadlock by issuing different signal types at bad timings.
But as these fixes are about race conditions, expect bad timings in
general for these bugs to be triggered. :)
2016-07-02 18:11:09 +02:00
nekral-guest 9151e673e4 * NEWS: Set release date. 2012-05-25 11:51:53 +00:00
nekral-guest f243d4077d * NEWS, src/login.c: Log in utmp / utmpx / wtmp also when PAM is
enabled. This is not done by pam_lastlog. This was broken on
	2011-07-23.
	* NEWS, libmisc/utmp.c: Do not log in wtmp when PAM is enabled.
	This is done by pam_lastlog.
2012-05-18 17:57:52 +00:00
nekral-guest d15f2c6214 * src/login.c: re-indent.
* src/login.c: Fix support for sub-logins.
2011-11-06 18:38:51 +00:00
nekral-guest 2aefca0f2e * NEWS, src/login.c: Do not log in utmp / utmpx / wtmp when PAM is
enabled. This is already done by pam_lastlog.
2011-07-23 11:03:50 +00:00
nekral-guest ab9427420e * src/newgrp.c, src/userdel.c, src/grpck.c, src/gpasswd.c,
src/newusers.c, src/pwconv.c, src/chpasswd.c, src/logoutd.c,
	src/chfn.c, src/groupmems.c, src/usermod.c, src/pwunconv.c,
	src/expiry.c, src/groupdel.c, src/chgpasswd.c, src/useradd.c,
	src/su.c, src/groupmod.c, src/passwd.c, src/pwck.c, src/chage.c,
	src/groupadd.c, src/login.c, src/grpconv.c, src/groups.c,
	src/grpunconv.c, src/chsh.c: Prog changed to a constant string.
2010-08-22 19:36:09 +00:00
nekral-guest 7eb6a4b3a4 Updated copyrights. 2010-08-22 13:04:54 +00:00
nekral-guest f7a00a2334 * libmisc/console.c, libmisc/motd.c, libmisc/setupenv.c,
libmisc/sulog.c, libmisc/hushed.c, libmisc/failure.c,
	libmisc/loginprompt.c, libmisc/ttytype.c,
	libmisc/pam_pass_non_interractive.c, src/userdel.c, src/login.c,
	lib/commonio.c, lib/commonio.h: Fix some const issues.
	* libmisc/motd.c: Avoid multi-statements lines.
	* libmisc/motd.c: Support long MOTD_FILE.
	* libmisc/list.c, lib/prototypes.h: Revert previous change.
	dup_list and is_on_list are used with members as defined for the
	group structure, and thus even if the list is not modified, the
	list elements cannot be constant strings.
	* libmisc/system.c: Avoid C++ comments.
	* src/vipw.c: WITH_TCB cannot be tested inside a gettextized
	string. Split the Usage string.
	* lib/commonio.h: Re-indent.
2010-08-21 15:32:53 +00:00
nekral-guest 052e9105f7 * src/newgrp.c: Limit the scope of variable pid.
* src/login_nopam.c: Limit the scope of variables end, lineno, i,
	str_len.
	* src/logoutd.c: Limit the scope of variable c.
	* src/vipw.c: Re-indent.
	* src/vipw.c: Close the file after the creation of the backup.
	* src/useradd.c (set_default): Close input file on failure.
	* src/useradd.c: Limit the scope of variables spool, file, fd, gr,
	gid, mode.
	* src/passwd.c: Limit the scope of variables last and ok.
	* src/chage.c: Fix typo (non breaking space).
	* src/login.c: Limit the scope of variables erasechar killchar, c,
	failed.
	* src/groups.c: Limit the scope of variable ngroups, pri_grp, i.
	* src/id.c: Limit the scope of variable i.
2010-03-23 11:26:34 +00:00
nekral-guest 9ee294ba70 * src/login.c: Fix failure of non PAM enabled versions when an
empty username is entered after a first prompt.
2009-05-16 15:43:13 +00:00
nekral-guest b60e8b6b45 * src/login.c: failcount does not need to be signed. 2009-05-09 13:14:50 +00:00
nekral-guest 4e75bb57bb * src/newgrp.c, src/chfn.c, src/groupmems.c, src/usermod.c,
src/userdel.c, src/chpasswd.c, src/grpck.c, src/gpasswd.c,
	src/groupdel.c, src/chgpasswd.c, src/vipw.c, src/useradd.c,
	src/su.c, src/groupmod.c, src/passwd.c, src/pwck.c,
	src/groupadd.c, src/chage.c, src/login.c, src/faillog.c,
	src/sulogin.c, src/chsh.c, src/pwconv.c: Added splint annotations.
	* src/userdel.c, src/pwconv.c, src/lastlog.c, src/grpck.c,
	src/vipw.c, src/groupmod.c, src/passwd.c, src/pwck.c, src/login.c,
	src/sulogin.c, src/usermod.c: Use return instead of exit at the
	end of main().
	* src/gpasswd.c, src/passwd.c, src/faillog.c: Use the exitcodes.h
	exit codes.
	* src/chpasswd.c: Added missing ||.
	* src/nologin.c: Do not include exitcodes.h.
	* src/nologin.c: Added brackets.
	* src/nologin.c: Avoid assignments in comparisons.
2009-04-30 21:39:38 +00:00
nekral-guest 1e75786616 * src/login.c: Change a snprintf() to strncpy(). There are no
format.
2009-04-28 20:59:31 +00:00
nekral-guest 91fc51387c * src/login.c: Move update_utmp() after the PID or session ID
changed in order to get more accurate data in UTMP. This also
	fixes "exec login" when login in installed setuid.
2009-04-27 20:25:23 +00:00
nekral-guest 009125484e * src/login.c: Reuse a string and avoid an untranslated message
"Login incorrect".
2009-04-27 20:21:48 +00:00
nekral-guest 8112a12521 * src/login.c: Replace HAVE_UTMPX_H by USE_UTMPX.
* src/login.c: Avoid name clash between global variables and the
	update_utmp() arguments.
2009-04-27 20:20:37 +00:00
nekral-guest 614c79defc * libmisc/xgetXXbyYY.c, libmisc/myname.c, libmisc/getgr_nam_gid.c,
libmisc/salt.c, libmisc/list.c, libmisc/cleanup.c, src/login.c,
	lib/getdef.h, lib/groupio.c, lib/getlong.c, lib/gshadow_.h,
	lib/sgroupio.c, lib/shadowio.c, lib/pwio.c, lib/commonio.h,
	lib/fputsx.c, lib/prototypes.h: Added splint annotations.
	* lib/groupio.c: Avoid implicit conversion of pointers to
	booleans.
	* lib/groupio.c: Free allocated buffers in case of failure.
2009-04-23 09:57:03 +00:00
nekral-guest 54302f6006 * src/login.c: Added splint annotations. 2009-04-22 20:53:15 +00:00