author | Theo de Raadt <deraadt@cvs.openbsd.org> | 1996-07-31 12:21:45 +0000 |
---|---|---|
committer | Theo de Raadt <deraadt@cvs.openbsd.org> | 1996-07-31 12:21:45 +0000 |
commit | 80eb0799635767f31b46a224c305ee4e709a24ce (patch) | |
tree | c62e01218daaae6946d13fa5e5aa7164d773b8e7 | |
parent | 4260a852e052d505e4f248cc768e7866ab27dfa1 (diff) |
fbtab support from wietse
-rw-r--r-- | usr.bin/login/Makefile | 4 | ||||
-rw-r--r-- | usr.bin/login/login.1 | 11 | ||||
-rw-r--r-- | usr.bin/login/login.c | 6 | ||||
-rw-r--r-- | usr.bin/login/login_fbtab.c | 152 | ||||
-rw-r--r-- | usr.bin/login/pathnames.h | 3 |
5 files changed, 170 insertions, 6 deletions
diff --git a/usr.bin/login/Makefile b/usr.bin/login/Makefile
index f61b5e79501..1b43a388568 100644
--- a/usr.bin/login/Makefile
+++ b/usr.bin/login/Makefile
@@ -1,8 +1,8 @@
-# $OpenBSD: Makefile,v 1.4 1996/06/26 05:35:59 deraadt Exp $
+# $OpenBSD: Makefile,v 1.5 1996/07/31 12:21:42 deraadt Exp $
 # $NetBSD: Makefile,v 1.10 1994/12/23 06:52:56 jtc Exp $
 PROG= login
-SRCS= login.c
+SRCS= login.c login_fbtab.c
 #LDADD= -lutil -lcrypt
 LDADD= -lutil
 #DPADD= ${LIBUTIL} ${LIBCRYPT}
diff --git a/usr.bin/login/login.1 b/usr.bin/login/login.1
index ab9f60eeeed..a54dac71aa9 100644
--- a/usr.bin/login/login.1
+++ b/usr.bin/login/login.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: login.1,v 1.2 1996/06/26 05:36:01 deraadt Exp $
+.\" $OpenBSD: login.1,v 1.3 1996/07/31 12:21:43 deraadt Exp $
 .\" $NetBSD: login.1,v 1.7 1995/08/31 22:52:33 jtc Exp $
 .\"
 .\" Copyright (c) 1980, 1990, 1993
@@ -95,6 +95,13 @@ This is used by
 .Xr shutdown 8
 to prevent users from logging in when the system is about to go down.
 .Pp
+If the file
+.Pa /etc/fbtab
+exists,
+.Nm login
+changes the protection and ownership of certain devices specified in this
+file.
+.Pp
 Immediately after logging a user in,
 .Nm login
 displays the system copyright notice, the date and time the user last
@@ -126,6 +133,8 @@ do not fork before executing the utility.
 .Sh FILES
 .Bl -tag -width /var/mail/userXXX -compact
+.It Pa /etc/fbtab
+changes device protections
 .It Pa /etc/motd
 message-of-the-day
 .It Pa /etc/nologin
diff --git a/usr.bin/login/login.c b/usr.bin/login/login.c
index d9f4075cc4f..3740bd9d6f4 100644
--- a/usr.bin/login/login.c
+++ b/usr.bin/login/login.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: login.c,v 1.5 1996/07/20 09:10:59 deraadt Exp $ */
+/* $OpenBSD: login.c,v 1.6 1996/07/31 12:21:43 deraadt Exp $ */
 /* $NetBSD: login.c,v 1.13 1996/05/15 23:50:16 jtc Exp $ */
 /*-
@@ -44,7 +44,7 @@ static char copyright[] =
 #if 0
 static char sccsid[] = "@(#)login.c 8.4 (Berkeley) 4/2/94";
 #endif
-static char rcsid[] = "$OpenBSD: login.c,v 1.5 1996/07/20 09:10:59 deraadt Exp $";
+static char rcsid[] = "$OpenBSD: login.c,v 1.6 1996/07/31 12:21:43 deraadt Exp $";
 #endif /* not lint */
 /*
@@ -384,6 +384,8 @@ main(argc, argv)
 dolastlog(quietlog);
+ login_fbtab(tty, pwd->pw_uid, pwd->pw_gid);
+
 (void)chown(ttyn, pwd->pw_uid, (gr = getgrnam(TTYGRPNAME)) ? gr->gr_gid : pwd->pw_gid);
 #if defined(KERBEROS) || defined(KERBEROS5)
diff --git a/usr.bin/login/login_fbtab.c b/usr.bin/login/login_fbtab.c
new file mode 100644
index 00000000000..b34cf0871f3
--- /dev/null
+++ b/usr.bin/login/login_fbtab.c
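Review bot: `login_fbtab(tty, pwd->pw_uid, pwd->pw_gid);` is called without a prototype visible in this hunk; login_fbtab.c declares one only for its own translation unit and pathnames.h gains only `_PATH_FBTAB`, so unless login.c declares it elsewhere the call relies on an implicit declaration and the compiler cannot check the arguments against the callee's `char *`, `uid_t` and `gid_t` parameters. Add `void login_fbtab __P((char *, uid_t, gid_t));` next to the other declarations at the top of login.c, or put it in a shared header included by both files. main() begins and ends outside the hunk.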
@@ -0,0 +1,152 @@
+/************************************************************************
+* Copyright 1995 by Wietse Venema. All rights reserved.
+*
+* This material was originally written and compiled by Wietse Venema at
+* Eindhoven University of Technology, The Netherlands, in 1990, 1991,
+* 1992, 1993, 1994 and 1995.
+*
+* Redistribution and use in source and binary forms are permitted
+* provided that this entire copyright notice is duplicated in all such
+* copies.
+*
+* This software is provided "as is" and without any expressed or implied
+* warranties, including, without limitation, the implied warranties of
+* merchantibility and fitness for any particular purpose.
+************************************************************************/
+/*
+ SYNOPSIS
+ void login_fbtab(tty, uid, gid)
+ char *tty;
+ uid_t uid;
+ gid_t gid;
+
+ DESCRIPTION
+ This module implements device security as described in the
+ SunOS 4.1.x fbtab(5) and SunOS 5.x logindevperm(4) manual
+ pages. The program first looks for /etc/fbtab. If that file
+ cannot be opened it attempts to process /etc/logindevperm.
+ We expect entries with the folowing format:
+
+ Comments start with a # and extend to the end of the line.
+
+ Blank lines or lines with only a comment are ignored.
+
+ All other lines consist of three fields delimited by
+ whitespace: a login device (/dev/console), an octal
+ permission number (0600), and a ":"-delimited list of
+ devices (/dev/kbd:/dev/mouse). All device names are
+ absolute paths. A path that ends in "*" refers to all
+ directory entries except "." and "..".
+
+ If the tty argument (relative path) matches a login device
+ name (absolute path), the permissions of the devices in the
+ ":"-delimited list are set as specified in the second
+ field, and their ownership is changed to that of the uid
+ and gid arguments.
+
+ DIAGNOSTICS
+ Problems are reported via the syslog daemon with severity
+ LOG_ERR.
+
+ BUGS
+ This module uses strtok(3), which may cause conflicts with other
+ uses of that same routine.
+
+ AUTHOR
+ Wietse Venema (wietse@wzv.win.tue.nl)
+ Eindhoven University of Technology
+ The Netherlands
+ */
+
+#include <sys/types.h>
+#include <stdio.h>
+#include <syslog.h>
+#include <string.h>
+#include <errno.h>
+#include <dirent.h>
+#include "pathnames.h"
+
+void login_protect __P((char *, char *, int, uid_t, gid_t));
+void login_fbtab __P((char *tty, uid_t uid, gid_t gid));
+
+#define WSPACE " \t\n"
+
+/*
+ * login_fbtab - apply protections specified in /etc/fbtab or logindevperm
+ */
+void
+login_fbtab(tty, uid, gid)
+ char *tty;
+ uid_t uid;
+ gid_t gid;
+{
+ FILE *fp;
+ char buf[BUFSIZ], *devname, *cp, *table;
+ int prot;
+
+ if ((fp = fopen(table = _PATH_FBTAB, "r")) == NULL)
+ return;
+
+ while (fgets(buf, sizeof(buf), fp)) {
+ if (cp = strchr(buf, '#'))
+ *cp = 0; /* strip comment */
+ if ((cp = devname = strtok(buf, WSPACE)) == 0)
+ continue; /* empty or comment */
+ if (strncmp(devname, "/dev/", sizeof("/dev/")) != 0 ||
+ (cp = strtok((char *) 0, WSPACE)) == 0 ||
+ *cp != '0' ||
+ sscanf(cp, "%o", &prot) == 0 ||
+ prot == 0 ||
+ (prot & 0777) != prot ||
+ (cp = strtok((char *) 0, WSPACE)) == 0) {
+ syslog(LOG_ERR, "%s: bad entry: %s", table,
+ cp ? cp : "(null)");
+ continue;
+ }
+ if (strcmp(devname + 5, tty) == 0)
+ for (cp = strtok(cp, ":"); cp; cp = strtok(NULL, ":"))
+ login_protect(table, cp, prot, uid, gid);
+ }
+ fclose(fp);
+}
+
+/*
+ * login_protect - protect one device entry
+ */
+void
+login_protect(table, path, mask, uid, gid)
+ char *table;
+ char *path;
+ int mask;
+ uid_t uid;
+ gid_t gid;
+{
+ char buf[BUFSIZ];
+ int pathlen = strlen(path);
+ struct dirent *ent;
+ DIR *dir;
+
+ if (strcmp("/*", path + pathlen - 2) != 0) {
+ if (chmod(path, mask) && errno != ENOENT)
+ syslog(LOG_ERR, "%s: chmod(%s): %m", table, path);
+ if (chown(path, uid, gid) && errno != ENOENT)
+ syslog(LOG_ERR, "%s: chown(%s): %m", table, path);
+ } else {
+ strncpy(buf, path, sizeof buf);
+ buf[pathlen - 1] = 0;
+ if ((dir = opendir(buf)) == 0) {
+ syslog(LOG_ERR, "%s: opendir(%s): %m", table, path);
+ } else {
+ while ((ent = readdir(dir))) {
+ if (strcmp(ent->d_name, ".") &&
+ strcmp(ent->d_name, "..")) {
+ strncpy(buf + pathlen - 1, ent->d_name,
+ sizeof(buf) - pathlen - 1);
+ login_protect(table, buf, mask,
+ uid, gid);
+ }
+ }
+ closedir(dir);
+ }
+ }
+}
diff --git a/usr.bin/login/pathnames.h b/usr.bin/login/pathnames.h
index 1efc8ba67e7..6aa3028d7b2 100644
--- a/usr.bin/login/pathnames.h
+++ b/usr.bin/login/pathnames.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pathnames.h,v 1.2 1996/06/26 05:36:02 deraadt Exp $ */
+/* $OpenBSD: pathnames.h,v 1.3 1996/07/31 12:21:44 deraadt Exp $ */
 /* $NetBSD: pathnames.h,v 1.4 1994/12/23 06:53:03 jtc Exp $ */
 /*-
@@ -40,3 +40,4 @@
 #define _PATH_HUSHLOGIN ".hushlogin"
 #define _PATH_MOTDFILE "/etc/motd"
+#define _PATH_FBTAB "/etc/fbtab"
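Review bot: `strncmp(devname, "/dev/", sizeof("/dev/"))` in login_fbtab compares six bytes, including the prefix's terminating NUL, so a real first field such as /dev/console never matches and every entry falls into the "bad entry" syslog branch and is skipped; the length should be `sizeof("/dev/") - 1`, consistent with the `devname + 5` used a few lines below. In login_protect, `path + pathlen - 2` is formed before anything checks that pathlen is at least 2, and in the directory branch `strncpy(buf + pathlen - 1, ent->d_name, sizeof(buf) - pathlen - 1)` leaves buf unterminated when d_name is long enough to fill the remaining space, after which the recursive call's strlen() reads past buf; guard with `if (pathlen < 2 || strcmp("/*", path + pathlen - 2) != 0) {` and build the child path with a length-checked snprintf() that logs and skips an entry that would not fit. The DESCRIPTION comment also says /etc/logindevperm is tried when /etc/fbtab cannot be opened, but the code only opens `_PATH_FBTAB` and returns, so either the comment or the fallback needs to change.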