[PATCH 3/3] su: FEATURE_SU_NULLOK_SECURE

Thu, 05 Nov 2015 06:29:46 -0800 

When this feature is enabled, blank passwords are not accepted by su
unless the user is on a secure TTY defined in /etc/securetty. This
resembles the default PAM configuration of some Linux distros which
specify the nullok_secure option for pam_unix.so.
---
 loginutils/su.c | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/loginutils/su.c b/loginutils/su.c
index 3c0e8c1..85d8e11 100644
--- a/loginutils/su.c
+++ b/loginutils/su.c
@@ -24,6 +24,11 @@
 //config:      bool "Enable su to check user's shell to be listed in 
/etc/shells"
 //config:      depends on SU
 //config:      default y
+//config:
+//config:config FEATURE_SU_NULLOK_SECURE
+//config:      bool "Disallow blank passwords from TTYs other than specified 
in /etc/securetty"
+//config:      depends on SU
+//config:      default n
 
 //applet:/* Needs to be run by root or be suid root - needs to change uid and 
gid: */
 //applet:IF_SU(APPLET(su, BB_DIR_BIN, BB_SUID_REQUIRE))
@@ -76,6 +81,7 @@ int su_main(int argc UNUSED_PARAM, char **argv)
        struct passwd *pw;
        uid_t cur_uid = getuid();
        const char *tty;
+       int allow_blank = 1;
 #if ENABLE_FEATURE_UTMP
        char user_buf[64];
 #endif
@@ -96,6 +102,12 @@ int su_main(int argc UNUSED_PARAM, char **argv)
                argv++;
        }
 
+       tty = xmalloc_ttyname(STDIN_FILENO);
+       if (!tty) tty = "none";
+       tty = skip_dev_pfx(tty);
+
+       if (ENABLE_FEATURE_SU_NULLOK_SECURE) allow_blank = check_securetty(tty);
+
        if (ENABLE_FEATURE_SU_SYSLOG) {
                /* The utmp entry (via getlogin) is probably the best way to
                 * identify the user, especially if someone su's from a 
su-shell.
@@ -109,16 +121,12 @@ int su_main(int argc UNUSED_PARAM, char **argv)
                        pw = getpwuid(cur_uid);
                        old_user = pw ? xstrdup(pw->pw_name) : "";
                }
-               tty = xmalloc_ttyname(2);
-               if (!tty) {
-                       tty = "none";
-               }
                openlog(applet_name, 0, LOG_AUTH);
        }
 
        pw = xgetpwnam(opt_username);
 
-       if (cur_uid == 0 || ask_and_check_password(pw) > 0) {
+       if (cur_uid == 0 || ask_and_check_password_extended(pw, 0, allow_blank, 
"Password: ") > 0) {
                if (ENABLE_FEATURE_SU_SYSLOG)
                        syslog(LOG_NOTICE, "%c %s %s:%s",
                                '+', tty, old_user, opt_username);
-- 
2.1.0

_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox

Reply via email to