su: FEATURE_SU_BLANK_PW_NEEDS_SECURE_TTY

When this feature is enabled, blank passwords are not accepted by su
unless the user is on a secure TTY defined in /etc/securetty. This
resembles the default PAM configuration of some Linux distros which
specify the nullok_secure option for pam_unix.so.

Based on patch by Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>

diff --git a/include/libbb.h b/include/libbb.h
index 6b33ffad62d9c733a54cab4f93743ee3684cf957..b889dd7d7666d9b211d5fb9f2d2801821523a169 100644 (file)
--- a/include/libbb.h
+++ b/include/libbb.h
@@ -1486,6 +1486,7 @@ int check_securetty(const char *short_tty) FAST_FUNC;
 #else
 static ALWAYS_INLINE int check_securetty(const char *short_tty UNUSED_PARAM) { return 1; }
 #endif
+#define CHECKPASS_PW_HAS_EMPTY_PASSWORD 2
 int check_password(const struct passwd *pw, const char *plaintext) FAST_FUNC;
 int ask_and_check_password_extended(const struct passwd *pw, int timeout, const char *prompt) FAST_FUNC;
 int ask_and_check_password(const struct passwd *pw) FAST_FUNC;

diff --git a/libbb/correct_password.c b/libbb/correct_password.c
index 513c930286feb89565a2895d40c7e2e9eaa18827..3436edc309c5c1c64a1ab9e83abc44a56c07a3a5 100644 (file)
--- a/libbb/correct_password.c
+++ b/libbb/correct_password.c
@@ -88,7 +88,7 @@ int FAST_FUNC check_password(const struct passwd *pw, const char *plaintext)
 
 
 /* Ask the user for a password.
- * Return 1 without asking if PW has an empty password.
+ * Return CHECKPASS_PW_HAS_EMPTY_PASSWORD without asking if PW has an empty password.
  * Return -1 on EOF, error while reading input, or timeout.
  * Return 1 if the user gives the correct password for entry PW,
  * 0 if not.
@@ -105,7 +105,7 @@ int FAST_FUNC ask_and_check_password_extended(const struct passwd *pw,
 
        pw_pass = get_passwd(pw, buffer);
        if (!pw_pass[0]) /* empty password field? */
-               return 1;
+               return CHECKPASS_PW_HAS_EMPTY_PASSWORD;
 
        plaintext = bb_ask(STDIN_FILENO, timeout, prompt);
        if (!plaintext) {

diff --git a/loginutils/su.c b/loginutils/su.c
index d04b85fb13767521c655efe4dd4f46ebad70af43..f2cd799aedbc7919b6958067b7c1ed30ae613825 100644 (file)
--- a/loginutils/su.c
+++ b/loginutils/su.c
@@ -23,6 +23,11 @@
 //config:      bool "If user's shell is not in /etc/shells, disallow -s PROG"
 //config:      default y
 //config:      depends on SU
+//config:
+//config:config FEATURE_SU_BLANK_PW_NEEDS_SECURE_TTY
+//config:      bool "Disallow blank passwords from TTYs other than specified in /etc/securetty"
+//config:      default n
+//config:      depends on SU
 
 //applet:/* Needs to be run by root or be suid root - needs to change uid and gid: */
 //applet:IF_SU(APPLET(su, BB_DIR_BIN, BB_SUID_REQUIRE))
@@ -79,6 +84,7 @@ int su_main(int argc UNUSED_PARAM, char **argv)
        char user_buf[64];
 #endif
        const char *old_user;
+       int r;
 
        /* Note: we don't use "'+': stop at first non-option" idiom here.
         * For su, "SCRIPT ARGS" or "-c CMD ARGS" do not stop option parsing:
@@ -99,6 +105,11 @@ int su_main(int argc UNUSED_PARAM, char **argv)
                argv++;
        }
 
+       tty = xmalloc_ttyname(STDIN_FILENO);
+       if (!tty)
+               tty = "none";
+       tty = skip_dev_pfx(tty);
+
        if (ENABLE_FEATURE_SU_SYSLOG) {
                /* The utmp entry (via getlogin) is probably the best way to
                 * identify the user, especially if someone su's from a su-shell.
@@ -112,20 +123,26 @@ int su_main(int argc UNUSED_PARAM, char **argv)
                        pw = getpwuid(cur_uid);
                        old_user = pw ? xstrdup(pw->pw_name) : "";
                }
-               tty = xmalloc_ttyname(2);
-               if (!tty) {
-                       tty = "none";
-               }
                openlog(applet_name, 0, LOG_AUTH);
        }
 
        pw = xgetpwnam(opt_username);
 
-       if (cur_uid == 0 || ask_and_check_password(pw) > 0) {
+       r = 1;
+       if (cur_uid != 0)
+               r = ask_and_check_password(pw);
+       if (r > 0) {
+               if (ENABLE_FEATURE_SU_BLANK_PW_NEEDS_SECURE_TTY
+                && r == CHECKPASS_PW_HAS_EMPTY_PASSWORD
+                && !check_securetty(tty)
+               ) {
+                       goto fail;
+               }
                if (ENABLE_FEATURE_SU_SYSLOG)
                        syslog(LOG_NOTICE, "%c %s %s:%s",
                                '+', tty, old_user, opt_username);
        } else {
+ fail:
                if (ENABLE_FEATURE_SU_SYSLOG)
                        syslog(LOG_NOTICE, "%c %s %s:%s",
                                '-', tty, old_user, opt_username);