authorTheo de Raadt <deraadt@cvs.openbsd.org>1996-07-31 12:21:45 +0000
committerTheo de Raadt <deraadt@cvs.openbsd.org>1996-07-31 12:21:45 +0000
commit80eb0799635767f31b46a224c305ee4e709a24ce (patch)
treec62e01218daaae6946d13fa5e5aa7164d773b8e7
parent4260a852e052d505e4f248cc768e7866ab27dfa1 (diff)
fbtab support from wietse
-rw-r--r--usr.bin/login/Makefile4
-rw-r--r--usr.bin/login/login.111
-rw-r--r--usr.bin/login/login.c6
-rw-r--r--usr.bin/login/login_fbtab.c152
-rw-r--r--usr.bin/login/pathnames.h3
5 files changed, 170 insertions, 6 deletions
diff --git a/usr.bin/login/Makefile b/usr.bin/login/Makefile
index f61b5e79501..1b43a388568 100644
--- a/usr.bin/login/Makefile
+++ b/usr.bin/login/Makefile
@@ -1,8 +1,8 @@
-# $OpenBSD: Makefile,v 1.4 1996/06/26 05:35:59 deraadt Exp $
+# $OpenBSD: Makefile,v 1.5 1996/07/31 12:21:42 deraadt Exp $
# $NetBSD: Makefile,v 1.10 1994/12/23 06:52:56 jtc Exp $
PROG= login
-SRCS= login.c
+SRCS= login.c login_fbtab.c
#LDADD= -lutil -lcrypt
LDADD= -lutil
#DPADD= ${LIBUTIL} ${LIBCRYPT}
diff --git a/usr.bin/login/login.1 b/usr.bin/login/login.1
index ab9f60eeeed..a54dac71aa9 100644
--- a/usr.bin/login/login.1
+++ b/usr.bin/login/login.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: login.1,v 1.2 1996/06/26 05:36:01 deraadt Exp $
+.\" $OpenBSD: login.1,v 1.3 1996/07/31 12:21:43 deraadt Exp $
.\" $NetBSD: login.1,v 1.7 1995/08/31 22:52:33 jtc Exp $
.\"
.\" Copyright (c) 1980, 1990, 1993
@@ -95,6 +95,13 @@ This is used by
.Xr shutdown 8
to prevent users from logging in when the system is about to go down.
.Pp
+If the file
+.Pa /etc/fbtab
+exists,
+.Nm login
+changes the protection and ownership of certain devices specified in this
+file.
+.Pp
Immediately after logging a user in,
.Nm login
displays the system copyright notice, the date and time the user last
@@ -126,6 +133,8 @@ do not fork before executing the
utility.
.Sh FILES
.Bl -tag -width /var/mail/userXXX -compact
+.It Pa /etc/fbtab
+changes device protections
.It Pa /etc/motd
message-of-the-day
.It Pa /etc/nologin
diff --git a/usr.bin/login/login.c b/usr.bin/login/login.c
index d9f4075cc4f..3740bd9d6f4 100644
--- a/usr.bin/login/login.c
+++ b/usr.bin/login/login.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: login.c,v 1.5 1996/07/20 09:10:59 deraadt Exp $ */
+/* $OpenBSD: login.c,v 1.6 1996/07/31 12:21:43 deraadt Exp $ */
/* $NetBSD: login.c,v 1.13 1996/05/15 23:50:16 jtc Exp $ */
/*-
@@ -44,7 +44,7 @@ static char copyright[] =
#if 0
static char sccsid[] = "@(#)login.c 8.4 (Berkeley) 4/2/94";
#endif
-static char rcsid[] = "$OpenBSD: login.c,v 1.5 1996/07/20 09:10:59 deraadt Exp $";
+static char rcsid[] = "$OpenBSD: login.c,v 1.6 1996/07/31 12:21:43 deraadt Exp $";
#endif /* not lint */
/*
@@ -384,6 +384,8 @@ main(argc, argv)
dolastlog(quietlog);
+ login_fbtab(tty, pwd->pw_uid, pwd->pw_gid);
+
(void)chown(ttyn, pwd->pw_uid,
(gr = getgrnam(TTYGRPNAME)) ? gr->gr_gid : pwd->pw_gid);
#if defined(KERBEROS) || defined(KERBEROS5)
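Review bot: The added `login_fbtab(tty, pwd->pw_uid, pwd->pw_gid);` call hands the devices listed in /etc/fbtab to the user, but nothing in this commit returns them to root or resets their mode when the session ends. Unless some component outside this diff does that, the previous user presumably keeps access to devices such as the keyboard or mouse until the next login on that tty changes the ownership again. I would at least record this at the call site, for example `/* XXX devices from /etc/fbtab are not reset at logout */`, and mention it in the new login.1 paragraph. main's body starts and ends outside the hunk.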
diff --git a/usr.bin/login/login_fbtab.c b/usr.bin/login/login_fbtab.c
new file mode 100644
index 00000000000..b34cf0871f3
--- /dev/null
+++ b/usr.bin/login/login_fbtab.c
@@ -0,0 +1,152 @@
+/************************************************************************
+* Copyright 1995 by Wietse Venema. All rights reserved.
+*
+* This material was originally written and compiled by Wietse Venema at
+* Eindhoven University of Technology, The Netherlands, in 1990, 1991,
+* 1992, 1993, 1994 and 1995.
+*
+* Redistribution and use in source and binary forms are permitted
+* provided that this entire copyright notice is duplicated in all such
+* copies.
+*
+* This software is provided "as is" and without any expressed or implied
+* warranties, including, without limitation, the implied warranties of
+* merchantibility and fitness for any particular purpose.
+************************************************************************/
+/*
+ SYNOPSIS
+ void login_fbtab(tty, uid, gid)
+ char *tty;
+ uid_t uid;
+ gid_t gid;
+
+ DESCRIPTION
+ This module implements device security as described in the
+ SunOS 4.1.x fbtab(5) and SunOS 5.x logindevperm(4) manual
+ pages. The program first looks for /etc/fbtab. If that file
+ cannot be opened it attempts to process /etc/logindevperm.
+ We expect entries with the folowing format:
+
+ Comments start with a # and extend to the end of the line.
+
+ Blank lines or lines with only a comment are ignored.
+
+ All other lines consist of three fields delimited by
+ whitespace: a login device (/dev/console), an octal
+ permission number (0600), and a ":"-delimited list of
+ devices (/dev/kbd:/dev/mouse). All device names are
+ absolute paths. A path that ends in "*" refers to all
+ directory entries except "." and "..".
+
+ If the tty argument (relative path) matches a login device
+ name (absolute path), the permissions of the devices in the
+ ":"-delimited list are set as specified in the second
+ field, and their ownership is changed to that of the uid
+ and gid arguments.
+
+ DIAGNOSTICS
+ Problems are reported via the syslog daemon with severity
+ LOG_ERR.
+
+ BUGS
+ This module uses strtok(3), which may cause conflicts with other
+ uses of that same routine.
+
+ AUTHOR
+ Wietse Venema (wietse@wzv.win.tue.nl)
+ Eindhoven University of Technology
+ The Netherlands
+ */
+
+#include <sys/types.h>
+#include <stdio.h>
+#include <syslog.h>
+#include <string.h>
+#include <errno.h>
+#include <dirent.h>
+#include "pathnames.h"
+
+void login_protect __P((char *, char *, int, uid_t, gid_t));
+void login_fbtab __P((char *tty, uid_t uid, gid_t gid));
+
+#define WSPACE " \t\n"
+
+/*
+ * login_fbtab - apply protections specified in /etc/fbtab or logindevperm
+ */
+void
+login_fbtab(tty, uid, gid)
+ char *tty;
+ uid_t uid;
+ gid_t gid;
+{
+ FILE *fp;
+ char buf[BUFSIZ], *devname, *cp, *table;
+ int prot;
+
+ if ((fp = fopen(table = _PATH_FBTAB, "r")) == NULL)
+ return;
+
+ while (fgets(buf, sizeof(buf), fp)) {
+ if (cp = strchr(buf, '#'))
+ *cp = 0; /* strip comment */
+ if ((cp = devname = strtok(buf, WSPACE)) == 0)
+ continue; /* empty or comment */
+ if (strncmp(devname, "/dev/", sizeof("/dev/")) != 0 ||
+ (cp = strtok((char *) 0, WSPACE)) == 0 ||
+ *cp != '0' ||
+ sscanf(cp, "%o", &prot) == 0 ||
+ prot == 0 ||
+ (prot & 0777) != prot ||
+ (cp = strtok((char *) 0, WSPACE)) == 0) {
+ syslog(LOG_ERR, "%s: bad entry: %s", table,
+ cp ? cp : "(null)");
+ continue;
+ }
+ if (strcmp(devname + 5, tty) == 0)
+ for (cp = strtok(cp, ":"); cp; cp = strtok(NULL, ":"))
+ login_protect(table, cp, prot, uid, gid);
+ }
+ fclose(fp);
+}
+
+/*
+ * login_protect - protect one device entry
+ */
+void
+login_protect(table, path, mask, uid, gid)
+ char *table;
+ char *path;
+ int mask;
+ uid_t uid;
+ gid_t gid;
+{
+ char buf[BUFSIZ];
+ int pathlen = strlen(path);
+ struct dirent *ent;
+ DIR *dir;
+
+ if (strcmp("/*", path + pathlen - 2) != 0) {
+ if (chmod(path, mask) && errno != ENOENT)
+ syslog(LOG_ERR, "%s: chmod(%s): %m", table, path);
+ if (chown(path, uid, gid) && errno != ENOENT)
+ syslog(LOG_ERR, "%s: chown(%s): %m", table, path);
+ } else {
+ strncpy(buf, path, sizeof buf);
+ buf[pathlen - 1] = 0;
+ if ((dir = opendir(buf)) == 0) {
+ syslog(LOG_ERR, "%s: opendir(%s): %m", table, path);
+ } else {
+ while ((ent = readdir(dir))) {
+ if (strcmp(ent->d_name, ".") &&
+ strcmp(ent->d_name, "..")) {
+ strncpy(buf + pathlen - 1, ent->d_name,
+ sizeof(buf) - pathlen - 1);
+ login_protect(table, buf, mask,
+ uid, gid);
+ }
+ }
+ closedir(dir);
+ }
+ }
+}
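Review bot: The prefix test in login_fbtab, `strncmp(devname, "/dev/", sizeof("/dev/"))`, compares six bytes because sizeof counts the terminating NUL, so an entry such as /dev/console fails the test and is logged as a bad entry; the length should be `sizeof("/dev/") - 1`. In login_protect, `path + pathlen - 2` points before the start of the string for an entry shorter than two characters, and the `strncpy` into `buf + pathlen - 1` leaves buf unterminated when a directory entry name does not fit, after which the recursive call runs strlen on it. The file also calls chmod() and chown() without `#include <sys/stat.h>` and `#include <unistd.h>`. The fence shows the length checks I would add in login_protect.

```c
	int pathlen = strlen(path);
	/* … unchanged: ent and dir declarations … */

	if (pathlen < 2 || strcmp("/*", path + pathlen - 2) != 0) {
		/* … unchanged: chmod/chown of a single path … */
	} else {
		/* … unchanged: copy path into buf, strip the "*", opendir … */
			while ((ent = readdir(dir))) {
				if (strcmp(ent->d_name, ".") == 0 ||
				    strcmp(ent->d_name, "..") == 0)
					continue;
				/* refuse names that would not fit with their NUL */
				if (pathlen - 1 + strlen(ent->d_name) >= sizeof(buf)) {
					syslog(LOG_ERR, "%s: %s: name too long",
					    table, path);
					continue;
				}
				strcpy(buf + pathlen - 1, ent->d_name);
				login_protect(table, buf, mask, uid, gid);
			}
```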
diff --git a/usr.bin/login/pathnames.h b/usr.bin/login/pathnames.h
index 1efc8ba67e7..6aa3028d7b2 100644
--- a/usr.bin/login/pathnames.h
+++ b/usr.bin/login/pathnames.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pathnames.h,v 1.2 1996/06/26 05:36:02 deraadt Exp $ */
+/* $OpenBSD: pathnames.h,v 1.3 1996/07/31 12:21:44 deraadt Exp $ */
/* $NetBSD: pathnames.h,v 1.4 1994/12/23 06:53:03 jtc Exp $ */
/*-
@@ -40,3 +40,4 @@
#define _PATH_HUSHLOGIN ".hushlogin"
#define _PATH_MOTDFILE "/etc/motd"
+#define _PATH_FBTAB "/etc/fbtab"