From 71ff2d08cdf0688ea6f2a2dd754556093e65c502 Mon Sep 17 00:00:00 2001
From: David Schultz <das@FreeBSD.org>
Date: Mon, 17 Nov 2003 06:39:38 +0000
Subject: [PATCH] Reimplement nologin(8) as a C program.  This allows us to
 statically link it at low cost and avoid environment poisoning attacks
 associated with LD_LIBRARY_PATH.

Suggested by:	rwatson
---
 sbin/nologin/Makefile       |  9 ++++++++-
 sbin/nologin/nologin.c      | 21 ++++++++++++++++++++
 sbin/nologin/nologin.sh     | 39 -------------------------------------
 usr.sbin/nologin/Makefile   |  9 ++++++++-
 usr.sbin/nologin/nologin.c  | 21 ++++++++++++++++++++
 usr.sbin/nologin/nologin.sh | 39 -------------------------------------
 6 files changed, 58 insertions(+), 80 deletions(-)
 create mode 100644 sbin/nologin/nologin.c
 delete mode 100644 sbin/nologin/nologin.sh
 create mode 100644 usr.sbin/nologin/nologin.c
 delete mode 100644 usr.sbin/nologin/nologin.sh

diff --git a/sbin/nologin/Makefile b/sbin/nologin/Makefile
index b1611c06f4c7..31ac9f06e1ea 100644
--- a/sbin/nologin/Makefile
+++ b/sbin/nologin/Makefile
@@ -1,7 +1,14 @@
 #	@(#)Makefile	8.2 (Berkeley) 4/22/94
 # $FreeBSD$
 
-SCRIPTS=nologin.sh
+PROG=	nologin
 MAN=	nologin.5 nologin.8
 
+# It is important that nologin be statically linked for security
+# reasons.  A dynamic non-setuid binary can be linked against a trojan
+# libc by setting LD_LIBRARY_PATH appropriately.  Both sshd(8) and
+# login(1) make it possible to log in with an unsanitized environment,
+# rendering a dynamic nologin binary virtually useless.
+NOSHARED=	YES
+
 .include <bsd.prog.mk>
diff --git a/sbin/nologin/nologin.c b/sbin/nologin/nologin.c
new file mode 100644
index 000000000000..2454df4bf785
--- /dev/null
+++ b/sbin/nologin/nologin.c
@@ -0,0 +1,21 @@
+/*-
+ * This program is in the public domain.  I couldn't bring myself to
+ * declare Copyright on a variant of Hello World.
+ */
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include <sys/types.h>
+#include <sys/uio.h>
+#include <unistd.h>
+
+#define	MESSAGE	"This account is currently not available.\n"
+
+int
+main(int argc, char *argv[])
+{
+
+	write(STDOUT_FILENO, MESSAGE, sizeof(MESSAGE));
+	_exit(1);
+}
diff --git a/sbin/nologin/nologin.sh b/sbin/nologin/nologin.sh
deleted file mode 100644
index 52279c19ea9a..000000000000
--- a/sbin/nologin/nologin.sh
+++ /dev/null
@@ -1,39 +0,0 @@
-#!/bin/sh -p
-#
-# Copyright (c) 1992, 1993
-#	The Regents of the University of California.  All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-# 1. Redistributions of source code must retain the above copyright
-#    notice, this list of conditions and the following disclaimer.
-# 2. Redistributions in binary form must reproduce the above copyright
-#    notice, this list of conditions and the following disclaimer in the
-#    documentation and/or other materials provided with the distribution.
-# 3. All advertising materials mentioning features or use of this software
-#    must display the following acknowledgement:
-#	This product includes software developed by the University of
-#	California, Berkeley and its contributors.
-# 4. Neither the name of the University nor the names of its contributors
-#    may be used to endorse or promote products derived from this software
-#    without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
-# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-# ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-# SUCH DAMAGE.
-#
-#	@(#)nologin.sh	8.1 (Berkeley) 6/5/93
-# $FreeBSD$
-#
-
-echo 'This account is currently not available.'
-exit 1
diff --git a/usr.sbin/nologin/Makefile b/usr.sbin/nologin/Makefile
index b1611c06f4c7..31ac9f06e1ea 100644
--- a/usr.sbin/nologin/Makefile
+++ b/usr.sbin/nologin/Makefile
@@ -1,7 +1,14 @@
 #	@(#)Makefile	8.2 (Berkeley) 4/22/94
 # $FreeBSD$
 
-SCRIPTS=nologin.sh
+PROG=	nologin
 MAN=	nologin.5 nologin.8
 
+# It is important that nologin be statically linked for security
+# reasons.  A dynamic non-setuid binary can be linked against a trojan
+# libc by setting LD_LIBRARY_PATH appropriately.  Both sshd(8) and
+# login(1) make it possible to log in with an unsanitized environment,
+# rendering a dynamic nologin binary virtually useless.
+NOSHARED=	YES
+
 .include <bsd.prog.mk>
diff --git a/usr.sbin/nologin/nologin.c b/usr.sbin/nologin/nologin.c
new file mode 100644
index 000000000000..2454df4bf785
--- /dev/null
+++ b/usr.sbin/nologin/nologin.c
@@ -0,0 +1,21 @@
+/*-
+ * This program is in the public domain.  I couldn't bring myself to
+ * declare Copyright on a variant of Hello World.
+ */
+
+#include <sys/cdefs.h>
+__FBSDID("$FreeBSD$");
+
+#include <sys/types.h>
+#include <sys/uio.h>
+#include <unistd.h>
+
+#define	MESSAGE	"This account is currently not available.\n"
+
+int
+main(int argc, char *argv[])
+{
+
+	write(STDOUT_FILENO, MESSAGE, sizeof(MESSAGE));
+	_exit(1);
+}
diff --git a/usr.sbin/nologin/nologin.sh b/usr.sbin/nologin/nologin.sh
deleted file mode 100644
index 52279c19ea9a..000000000000
--- a/usr.sbin/nologin/nologin.sh
+++ /dev/null
@@ -1,39 +0,0 @@
-#!/bin/sh -p
-#
-# Copyright (c) 1992, 1993
-#	The Regents of the University of California.  All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-# 1. Redistributions of source code must retain the above copyright
-#    notice, this list of conditions and the following disclaimer.
-# 2. Redistributions in binary form must reproduce the above copyright
-#    notice, this list of conditions and the following disclaimer in the
-#    documentation and/or other materials provided with the distribution.
-# 3. All advertising materials mentioning features or use of this software
-#    must display the following acknowledgement:
-#	This product includes software developed by the University of
-#	California, Berkeley and its contributors.
-# 4. Neither the name of the University nor the names of its contributors
-#    may be used to endorse or promote products derived from this software
-#    without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
-# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-# ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-# SUCH DAMAGE.
-#
-#	@(#)nologin.sh	8.1 (Berkeley) 6/5/93
-# $FreeBSD$
-#
-
-echo 'This account is currently not available.'
-exit 1