386 lines
10 KiB
Diff
386 lines
10 KiB
Diff
--- coreutils-6.10/tests/misc/help-version.runuser
|
|
+++ coreutils-6.10/tests/misc/help-version
|
|
@@ -168,6 +168,7 @@
|
|
seq_args=10
|
|
sleep_args=0
|
|
su_args=--version
|
|
+runuser_args=--version
|
|
|
|
# I'd rather not run sync, since it spins up disks that I've
|
|
# deliberately caused to spin down (but not unmounted).
|
|
--- coreutils-6.10/README.runuser
|
|
+++ coreutils-6.10/README
|
|
@@ -11,8 +11,8 @@
|
|
factor false fmt fold groups head hostid hostname id install join kill
|
|
link ln logname ls md5sum mkdir mkfifo mknod mktemp mv nice nl nohup
|
|
od paste pathchk pinky pr printenv printf ptx pwd readlink rm rmdir
|
|
- runcon seq sha1sum sha224sum sha256sum sha384sum sha512sum shred shuf
|
|
- sleep sort split stat stty su sum sync tac tail tee test touch tr true
|
|
+ runcon runuser seq sha1sum sha224sum sha256sum sha384sum sha512sum shred
|
|
+ shuf sleep sort split stat stty su sum sync tac tail tee test touch tr true
|
|
tsort tty uname unexpand uniq unlink uptime users vdir wc who whoami yes
|
|
|
|
See the file NEWS for a list of major changes in the current release.
|
|
--- coreutils-6.7/src/su.c.runuser 2007-01-09 17:27:56.000000000 +0000
|
|
+++ coreutils-6.7/src/su.c 2007-01-09 17:30:12.000000000 +0000
|
|
@@ -110,9 +110,15 @@
|
|
#include "error.h"
|
|
|
|
/* The official name of this program (e.g., no `g' prefix). */
|
|
+#ifndef RUNUSER
|
|
#define PROGRAM_NAME "su"
|
|
+#else
|
|
+#define PROGRAM_NAME "runuser"
|
|
+#endif
|
|
|
|
+#ifndef AUTHORS
|
|
#define AUTHORS proper_name ("David MacKenzie")
|
|
+#endif
|
|
|
|
#if HAVE_PATHS_H
|
|
# include <paths.h>
|
|
@@ -150,6 +156,10 @@
|
|
#ifndef USE_PAM
|
|
char *crypt ();
|
|
#endif
|
|
+#ifndef CHECKPASSWD
|
|
+#define CHECKPASSWD 1
|
|
+#endif
|
|
+
|
|
char *getusershell ();
|
|
void endusershell ();
|
|
void setusershell ();
|
|
@@ -157,7 +167,11 @@
|
|
extern char **environ;
|
|
|
|
static void run_shell (char const *, char const *, char **, size_t,
|
|
- const struct passwd *)
|
|
+ const struct passwd *
|
|
+#ifdef RUNUSER
|
|
+ , gid_t *groups, int num_groups
|
|
+#endif
|
|
+ )
|
|
#ifdef USE_PAM
|
|
;
|
|
#else
|
|
@@ -187,6 +201,10 @@
|
|
{"login", no_argument, NULL, 'l'},
|
|
{"preserve-environment", no_argument, NULL, 'p'},
|
|
{"shell", required_argument, NULL, 's'},
|
|
+#ifdef RUNUSER
|
|
+ {"group", required_argument, NULL, 'g'},
|
|
+ {"supp-group", required_argument, NULL, 'G'},
|
|
+#endif
|
|
{GETOPT_HELP_OPTION_DECL},
|
|
{GETOPT_VERSION_OPTION_DECL},
|
|
{NULL, 0, NULL, 0}
|
|
@@ -288,10 +306,12 @@
|
|
retval = pam_start(PROGRAM_NAME, pw->pw_name, &conv, &pamh);
|
|
PAM_BAIL_P;
|
|
|
|
+#ifndef RUNUSER
|
|
if (getuid() != 0 && !isatty(0)) {
|
|
fprintf(stderr, "standard in must be a tty\n");
|
|
exit(1);
|
|
}
|
|
+#endif
|
|
|
|
caller = getpwuid(getuid());
|
|
if(caller != NULL && caller->pw_name != NULL) {
|
|
@@ -308,6 +328,11 @@
|
|
retval = pam_set_item(pamh, PAM_TTY, tty_name);
|
|
PAM_BAIL_P;
|
|
}
|
|
+#ifdef RUNUSER
|
|
+ if (getuid() != geteuid())
|
|
+ /* safety net: deny operation if we are suid by accident */
|
|
+ error(EXIT_FAILURE, 1, "runuser may not be setuid");
|
|
+#else
|
|
retval = pam_authenticate(pamh, 0);
|
|
PAM_BAIL_P;
|
|
retval = pam_acct_mgmt(pamh, 0);
|
|
@@ -317,6 +342,7 @@
|
|
PAM_BAIL_P;
|
|
}
|
|
PAM_BAIL_P;
|
|
+#endif
|
|
/* must be authenticated if this point was reached */
|
|
return 1;
|
|
#else /* !USE_PAM */
|
|
@@ -398,11 +424,22 @@
|
|
/* Become the user and group(s) specified by PW. */
|
|
|
|
static void
|
|
-change_identity (const struct passwd *pw)
|
|
+change_identity (const struct passwd *pw
|
|
+#ifdef RUNUSER
|
|
+ , gid_t *groups, int num_groups
|
|
+#endif
|
|
+ )
|
|
{
|
|
#ifdef HAVE_INITGROUPS
|
|
+ int rc = 0;
|
|
errno = 0;
|
|
- if (initgroups (pw->pw_name, pw->pw_gid) == -1) {
|
|
+#ifdef RUNUSER
|
|
+ if (num_groups)
|
|
+ rc = setgroups(num_groups, groups);
|
|
+ else
|
|
+#endif
|
|
+ rc = initgroups(pw->pw_name, pw->pw_gid);
|
|
+ if (rc == -1) {
|
|
#ifdef USE_PAM
|
|
pam_close_session(pamh, 0);
|
|
pam_end(pamh, PAM_ABORT);
|
|
@@ -449,7 +486,11 @@
|
|
|
|
static void
|
|
run_shell (char const *shell, char const *command, char **additional_args,
|
|
- size_t n_additional_args, const struct passwd *pw)
|
|
+ size_t n_additional_args, const struct passwd *pw
|
|
+#ifdef RUNUSER
|
|
+ , gid_t *groups, int num_groups
|
|
+#endif
|
|
+ )
|
|
{
|
|
size_t n_args = 1 + fast_startup + 2 * !!command + n_additional_args + 1;
|
|
char const **args = xnmalloc (n_args, sizeof *args);
|
|
@@ -480,7 +521,11 @@
|
|
|
|
child = fork();
|
|
if (child == 0) { /* child shell */
|
|
- change_identity (pw);
|
|
+ change_identity (pw
|
|
+#ifdef RUNUSER
|
|
+ , groups, num_groups
|
|
+#endif
|
|
+ );
|
|
pam_end(pamh, 0);
|
|
if (!same_session)
|
|
setsid ();
|
|
@@ -657,6 +702,12 @@
|
|
char *shell = NULL;
|
|
struct passwd *pw;
|
|
struct passwd pw_copy;
|
|
+#ifdef RUNUSER
|
|
+ struct group *gr;
|
|
+ gid_t groups[NGROUPS_MAX];
|
|
+ int num_supp_groups = 0;
|
|
+ int use_gid = 0;
|
|
+#endif
|
|
|
|
initialize_main (&argc, &argv);
|
|
program_name = argv[0];
|
|
@@ -671,7 +722,11 @@
|
|
simulate_login = false;
|
|
change_environment = true;
|
|
|
|
- while ((optc = getopt_long (argc, argv, "c:flmps:", longopts, NULL)) != -1)
|
|
+ while ((optc = getopt_long (argc, argv, "c:flmps:"
|
|
+#ifdef RUNUSER
|
|
+ "g:G:"
|
|
+#endif
|
|
+ , longopts, NULL)) != -1)
|
|
{
|
|
switch (optc)
|
|
{
|
|
@@ -701,6 +756,28 @@
|
|
shell = optarg;
|
|
break;
|
|
|
|
+#ifdef RUNUSER
|
|
+ case 'g':
|
|
+ gr = getgrnam(optarg);
|
|
+ if (!gr)
|
|
+ error (EXIT_FAILURE, 0, _("group %s does not exist"), optarg);
|
|
+ use_gid = 1;
|
|
+ groups[0] = gr->gr_gid;
|
|
+ break;
|
|
+
|
|
+ case 'G':
|
|
+ num_supp_groups++;
|
|
+ if (num_supp_groups >= NGROUPS_MAX)
|
|
+ error (EXIT_FAILURE, 0,
|
|
+ _("Can't specify more than %d supplemental groups"),
|
|
+ NGROUPS_MAX - 1);
|
|
+ gr = getgrnam(optarg);
|
|
+ if (!gr)
|
|
+ error (EXIT_FAILURE, 0, _("group %s does not exist"), optarg);
|
|
+ groups[num_supp_groups] = gr->gr_gid;
|
|
+ break;
|
|
+#endif
|
|
+
|
|
case_GETOPT_HELP_CHAR;
|
|
|
|
case_GETOPT_VERSION_CHAR (PROGRAM_NAME, AUTHORS);
|
|
@@ -739,7 +816,20 @@
|
|
: DEFAULT_SHELL);
|
|
endpwent ();
|
|
|
|
- if (!correct_password (pw))
|
|
+#ifdef RUNUSER
|
|
+ if (num_supp_groups && !use_gid)
|
|
+ {
|
|
+ pw->pw_gid = groups[1];
|
|
+ memmove (groups, groups + 1, sizeof(gid_t) * num_supp_groups);
|
|
+ }
|
|
+ else if (use_gid)
|
|
+ {
|
|
+ pw->pw_gid = groups[0];
|
|
+ num_supp_groups++;
|
|
+ }
|
|
+#endif
|
|
+
|
|
+ if (CHECKPASSWD && !correct_password (pw))
|
|
{
|
|
#ifdef SYSLOG_FAILURE
|
|
log_su (pw, false);
|
|
@@ -771,8 +861,16 @@
|
|
modify_environment (pw, shell);
|
|
|
|
#ifndef USE_PAM
|
|
- change_identity (pw);
|
|
+ change_identity (pw
|
|
+#ifdef RUNUSER
|
|
+ , groups, num_supp_groups
|
|
+#endif
|
|
+ );
|
|
#endif
|
|
|
|
- run_shell (shell, command, argv + optind, MAX (0, argc - optind), pw);
|
|
+ run_shell (shell, command, argv + optind, MAX (0, argc - optind), pw
|
|
+#ifdef RUNUSER
|
|
+ , groups, num_supp_groups
|
|
+#endif
|
|
+ );
|
|
}
|
|
--- coreutils-6.10/src/Makefile.am.runuser
|
|
+++ coreutils-6.10/src/Makefile.am
|
|
@@ -38,7 +38,7 @@
|
|
shuf sort split sum tac tail tr tsort unexpand uniq wc \
|
|
basename date dirname echo env expr factor false \
|
|
id kill logname pathchk printenv printf pwd \
|
|
- runcon seq sleep tee \
|
|
+ runcon runuser seq sleep tee \
|
|
test true tty whoami yes \
|
|
base64
|
|
|
|
@@ -112,6 +112,10 @@
|
|
mv_LDADD += $(LIB_ACL)
|
|
ginstall_LDADD += $(LIB_ACL)
|
|
|
|
+runuser_SOURCES = su.c
|
|
+runuser_CFLAGS = -DRUNUSER -DAUTHORS="\"David MacKenzie, Dan Walsh\""
|
|
+runuser_LDADD = $(LDADD) $(LIB_CRYPT) @LIB_PAM@
|
|
+
|
|
$(PROGRAMS): ../lib/libcoreutils.a
|
|
|
|
SUFFIXES = .sh
|
|
@@ -126,7 +130,7 @@
|
|
chmod +x $@-t
|
|
mv $@-t $@
|
|
|
|
-all-local: su$(EXEEXT)
|
|
+all-local: su$(EXEEXT) runuser
|
|
|
|
installed_su = $(DESTDIR)$(bindir)/`echo su|sed '$(transform)'`
|
|
|
|
--- coreutils-6.10/AUTHORS.runuser
|
|
+++ coreutils-6.10/AUTHORS
|
|
@@ -60,6 +60,7 @@
|
|
readlink: Dmitry V. Levin
|
|
rm: Paul Rubin, David MacKenzie, Richard Stallman, Jim Meyering
|
|
rmdir: David MacKenzie
|
|
+runuser: David MacKenzie, Dan Walsh
|
|
runcon: Russell Coker
|
|
seq: Ulrich Drepper
|
|
sha1sum: Ulrich Drepper, Scott Miller, David Madore
|
|
--- coreutils-6.10/man/Makefile.am.runuser
|
|
+++ coreutils-6.10/man/Makefile.am
|
|
@@ -92,6 +92,7 @@
|
|
rm.1: $(common_dep) $(srcdir)/rm.x ../src/rm.c
|
|
rmdir.1: $(common_dep) $(srcdir)/rmdir.x ../src/rmdir.c
|
|
runcon.1: $(common_dep) $(srcdir)/runcon.x ../src/runcon.c
|
|
+runuser.1: $(common_dep) $(srcdir)/runuser.x ../src/su.c
|
|
seq.1: $(common_dep) $(srcdir)/seq.x ../src/seq.c
|
|
sha1sum.1: $(common_dep) $(srcdir)/sha1sum.x ../src/md5sum.c
|
|
sha224sum.1: $(common_dep) $(srcdir)/sha224sum.x ../src/md5sum.c
|
|
--- /dev/null 2007-01-09 09:38:07.860075128 +0000
|
|
+++ coreutils-6.7/man/runuser.x 2007-01-09 17:27:56.000000000 +0000
|
|
@@ -0,0 +1,4 @@
|
|
+[NAME]
|
|
+runuser \- run a shell with substitute user and group IDs
|
|
+[DESCRIPTION]
|
|
+.\" Add any additional description here
|
|
--- /dev/null 2007-01-09 09:38:07.860075128 +0000
|
|
+++ coreutils-6.10/man/runuser.1 2007-01-09 17:27:56.000000000 +0000
|
|
@@ -0,0 +1,68 @@
|
|
+.\" DO NOT MODIFY THIS FILE! It was generated by help2man 1.33.
|
|
+.TH RUNUSER "1" "September 2004" "runuser (coreutils) 5.2.1" "User Commands"
|
|
+.SH NAME
|
|
+runuser \- run a shell with substitute user and group IDs, similar to su, but will not run PAM hooks
|
|
+.SH SYNOPSIS
|
|
+.B runuser
|
|
+[\fIOPTION\fR]... [\fI-\fR] [\fIUSER \fR[\fIARG\fR]...]
|
|
+.SH DESCRIPTION
|
|
+.\" Add any additional description here
|
|
+.PP
|
|
+Change the effective user id and group id to that of USER. No PAM hooks
|
|
+are run, and there will be no password prompt. This command is useful
|
|
+when run as the root user. If run as a non-root user without privilege
|
|
+to set user ID, the command will fail.
|
|
+.TP
|
|
+-, \fB\-l\fR, \fB\-\-login\fR
|
|
+make the shell a login shell, uses runuser-l PAM file instead of default one.
|
|
+.TP
|
|
+\fB\-c\fR, \fB\-\-command\fR=\fICOMMAND\fR
|
|
+pass a single COMMAND to the shell with \fB\-c\fR
|
|
+.TP
|
|
+\fB\-f\fR, \fB\-\-fast\fR
|
|
+pass \fB\-f\fR to the shell (for csh or tcsh)
|
|
+.TP
|
|
+\fB\-g\fR, \fB\-\-group\fR=\fIGROUP\fR
|
|
+specify the primary group
|
|
+.TP
|
|
+\fB\-G\fR, \fB\-\-supp-group\fR=\fIGROUP\fR
|
|
+specify a supplemental group
|
|
+.TP
|
|
+\fB\-m\fR, \fB\-\-preserve\-environment\fR
|
|
+do not reset environment variables
|
|
+.TP
|
|
+\fB\-p\fR
|
|
+same as \fB\-m\fR
|
|
+.TP
|
|
+\fB\-s\fR, \fB\-\-shell\fR=\fISHELL\fR
|
|
+run SHELL if /etc/shells allows it
|
|
+.TP
|
|
+\fB\-\-help\fR
|
|
+display this help and exit
|
|
+.TP
|
|
+\fB\-\-version\fR
|
|
+output version information and exit
|
|
+.PP
|
|
+A mere - implies \fB\-l\fR. If USER not given, assume root.
|
|
+.SH AUTHOR
|
|
+Written by David MacKenzie, Dan Walsh.
|
|
+.SH "REPORTING BUGS"
|
|
+Report bugs to <bug-coreutils@gnu.org>.
|
|
+.SH COPYRIGHT
|
|
+Copyright \(co 2004 Free Software Foundation, Inc.
|
|
+.br
|
|
+This is free software; see the source for copying conditions. There is NO
|
|
+warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
|
|
+.SH "SEE ALSO"
|
|
+Since this command is trimmed down version of su use you can use the su manual.
|
|
+The full documentation for
|
|
+.B su
|
|
+is maintained as a Texinfo manual. If the
|
|
+.B info
|
|
+and
|
|
+.B su
|
|
+programs are properly installed at your site, the command
|
|
+.IP
|
|
+.B info coreutils su
|
|
+.PP
|
|
+should give you access to the complete manual.
|