Added support for an LCS-style `wheel su' which allows users in group wheel

to su to root by authenticating as themselves (using a password or S/Key) rather than by using the root password. This is useful in contexts like ours, where a large group of people need root access to a set of machines. (However, the security implications are such that this should not be enabled by default.) The code is conditionalized on WHEELSU.
svn path=/head/; revision=9502
1995-07-12 20:11:19 +00:00 · 1995-07-12 20:11:19 +00:00 · 99005ad98e · 2020-12-20 02:59:44 +00:00
commit 99005ad98e
parent 926e94cd40
1 changed files with 36 additions and 6 deletions
--- a/usr.bin/su/su.c
+++ b/usr.bin/su/su.c
@ -82,6 +82,10 @@ main(argc, argv)
 {
 	extern char **environ;
 	struct passwd *pwd;
+#ifdef WHEELSU
+	char *targetpass;
+	int iswheelsu;
+#endif /* WHEELSU */
 	char *p, **g, *user, *shell, *username, *cleanenv[20], *nargv[4], **np;
 	struct group *gr;
 	uid_t ruid;
@ -91,6 +95,9 @@ main(argc, argv)

 	np = &nargv[3];
 	*np-- = NULL;
+#ifdef WHEELSU
+	iswheelsu =
+#endif /* WHEELSU */
 	asme = asthem = fastlogin = 0;
 	while ((ch = getopt(argc, argv, ARGSTR)) != EOF)
 		switch((char)ch) {
@ -148,10 +155,13 @@ main(argc, argv)
 	/* get target login information, default to root */
 	user = *argv ? *argv : "root";
 	if ((pwd = getpwnam(user)) == NULL) {
-		fprintf(stderr, "su: unknown login %s\n", user);
-		exit(1);
+		errx(1, "unknown login: %s", user);
 	}

+#ifdef WHEELSU
+	targetpass = strdup(pwd->pw_passwd);
+#endif /* WHEELSU */
+
 	if (ruid) {
 #ifdef KERBEROS
 	    if (!use_kerberos || kerberos(username, user, pwd->pw_uid))
@ -164,15 +174,30 @@ main(argc, argv)
 					errx(1,
 			    "you are not in the correct group to su %s.",
 					    user);
-				if (strcmp(username, *g) == 0)
+				if (strcmp(username, *g) == 0) {
+#ifdef WHEELSU
+					iswheelsu = 1;
+#endif /* WHEELSU */
 					break;
-		}
+				}
+			}
 		/* if target requires a password, verify it */
 		if (*pwd->pw_passwd) {
 #ifdef	SKEY
+#ifdef WHEELSU
+			if (iswheelsu) {
+				pwd = getpwnam(username);
+			}
+#endif /* WHEELSU */
 			p = skey_getpass("Password:", pwd, 1);
-			if (strcmp(pwd->pw_passwd,
-				   skey_crypt(p, pwd->pw_passwd, pwd, 1))) {
+			if (!(!strcmp(pwd->pw_passwd,
+				      skey_crypt(p, pwd->pw_passwd, pwd, 1))
+#ifdef WHEELSU
+			      || (iswheelsu && !strcmp(targetpass, 
+						       crypt(p, 
+							     targetpass)))
+#endif /* WHEELSU */
+			      )) {
 #else
 			p = getpass("Password:");
 			if (strcmp(pwd->pw_passwd, crypt(p, pwd->pw_passwd))) {
@ -183,6 +208,11 @@ main(argc, argv)
 					user, ontty());
 				exit(1);
 			}
+#ifdef WHEELSU
+			if (iswheelsu) {
+				pwd = getpwnam(user);
+			}
+#endif /* WHEELSU */
 		}
 	    }
 	}