2 * Copyright (C) 2003, 2004, 2005 Thorsten Kukuk
3 * Author: Thorsten Kukuk <kukuk@suse.de>
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain any existing copyright
10 * notice, and this entire permission notice in its entirety,
11 * including the disclaimer of warranties.
13 * 2. Redistributions in binary form must reproduce all prior and current
14 * copyright notices, this list of conditions, and the following
15 * disclaimer in the documentation and/or other materials provided
16 * with the distribution.
18 * 3. The name of any author may not be used to endorse or promote
19 * products derived from this software without their specific prior
29 #include <sys/syslog.h>
31 #include <sys/types.h>
35 #include "closestream.h"
36 #include "logindefs.h"
38 #include "pathnames.h"
/*
 * One parsed option. store() fills name and path with xstrdup() copies;
 * value is either such a copy or NULL when the option has no value.
 * NOTE(review): source line 41 (the struct header) is not shown in this listing.
 */
42 char *name
; /* name of the option. */
43 char *value
; /* value of the option. */
44 char *path
; /* name of config file for this option. */
46 struct item
*next
; /* pointer to next option. */
/* Head of the option list; main() walks it through ->next. */
static struct item *list = NULL;

/*
 * Optional hook for the embedding program. load_defaults() calls it when it
 * is set; it stays NULL unless a caller installs a function here.
 */
void (*logindefs_load_defaults)(void) = NULL;
/*
 * NOTE(review): only source lines 53 and 59 of this function are shown in
 * this listing; the loop header and whatever releases each item are not
 * visible here.
 */
53 void free_getlogindefs_data(void)
/* The successor is read before the current item is dealt with, so the walk
 * does not have to touch ptr afterwards (presumably ptr is freed on the
 * lines not shown -- confirm). */
59 struct item
*tmp
= ptr
->next
;
/*
 * Record one option. name and path are duplicated with xstrdup(); value is
 * duplicated only when it is a non-empty string, otherwise the stored value
 * is NULL (an option that is present but has no value).
 * NOTE(review): source lines 74-77 and 81-84 are not shown in this listing,
 * so any argument check and the linking into the list cannot be confirmed
 * from here. path is passed to xstrdup() unconditionally -- presumably
 * callers never pass NULL; verify.
 */
71 static void store(const char *name
, const char *value
, const char *path
)
73 struct item
*new = xmalloc(sizeof(struct item
));
78 new->name
= xstrdup(name
);
/* NULL and "" are both stored as NULL. */
79 new->value
= value
&& *value
? xstrdup(value
) : NULL
;
80 new->path
= xstrdup(path
);
/*
 * Parse filename line by line and hand every NAME/VALUE pair to store(),
 * tagged with filename as its origin.
 * NOTE(review): several source lines of this function are not shown in this
 * listing (e.g. 86-89, 91-93, 102-104), including the handling of a failed
 * fopen() -- confirm against the full file.
 * NOTE(review): fgets() delivers a line longer than buf in several pieces,
 * and each piece is parsed here as if it were a line of its own.
 */
85 void logindefs_load_file(const char *filename
)
90 f
= fopen(filename
, "r");
94 while (fgets(buf
, sizeof(buf
), f
)) {
96 char *p
, *name
, *data
= NULL
;
98 if (*buf
== '#' || *buf
== '\n')
99 continue; /* only comment or empty line */
/* Locate the first '#' anywhere in the line. Presumably the line is cut
 * there (source lines 102-103 are not shown), which would mean a value
 * cannot contain '#' -- confirm. */
101 p
= strchr(buf
, '#');
/* Strip the trailing newline when fgets() kept one. */
105 size_t n
= strlen(buf
);
106 if (n
&& *(buf
+ n
- 1) == '\n')
107 *(buf
+ n
- 1) = '\0';
111 continue; /* empty line */
113 /* ignore space at begin of the line */
/* NOTE(review): *name is a plain char. Casting it to unsigned (int) does not
 * bring a negative char into the 0..UCHAR_MAX range <ctype.h> requires; the
 * cast should be (unsigned char). The same pattern is used at source lines
 * 120, 130 and 138. */
115 while (*name
&& isspace((unsigned)*name
))
118 /* go to the end of the name */
120 while (*data
&& !(isspace((unsigned)*data
) || *data
== '='))
122 if (data
> name
&& *data
)
/* Skip lines that have no option name. */
125 if (!*name
|| data
== name
)
128 /* go to the begin of the value */
130 && (isspace((unsigned)*data
) || *data
== '='
134 /* remove space at the end of the value */
135 p
= data
+ strlen(data
);
/* Trailing blanks and double quotes are both treated as removable. */
138 while (p
> data
&& (isspace((unsigned)*p
) || *p
== '"'))
141 store(name
, data
, filename
);
/*
 * Fill the option list from its default source: the logindefs_load_defaults
 * hook is called when one is installed, and logindefs_load_file() is called
 * for _PATH_LOGINDEFS.
 * NOTE(review): source line 151, between the two calls, is not shown in this
 * listing, so it cannot be told from here whether the file is read in
 * addition to the hook or only when no hook is set -- confirm.
 */
147 static void load_defaults(void)
149 if (logindefs_load_defaults
)
150 logindefs_load_defaults();
152 logindefs_load_file(_PATH_LOGINDEFS
);
/*
 * Walk the option list looking for name; option names are compared with
 * strcasecmp(), i.e. case-insensitively.
 * NOTE(review): source lines 156-162 and 165-170 are not shown in this
 * listing; presumably the matching item is returned and NULL otherwise --
 * confirm.
 */
155 static struct item
*search(const char *name
)
163 while (ptr
!= NULL
) {
164 if (strcasecmp(name
, ptr
->name
) == 0)
/*
 * Same case-insensitive walk as search(), but returning a string.
 * getlogindefs_num() prints the result as the leading "%s:" of its syslog
 * message, so this is presumably the path of the file that defined name;
 * the return statements (source lines 179-184) are not shown -- confirm,
 * including what is returned when nothing matches.
 */
172 static const char *search_config(const char *name
)
177 while (ptr
!= NULL
) {
178 if (strcasecmp(name
, ptr
->name
) == 0)
/*
 * Boolean view of option @name.
 *
 * Returns @dflt when the option is not found or has no value. Otherwise the
 * result is 1 only if the value equals "yes" (compared case-insensitively)
 * and 0 for every other string -- "true", "1", "on" or a misspelt "yes" all
 * count as false rather than falling back to @dflt.
 */
int getlogindefs_bool(const char *name, int dflt)
{
	const struct item *entry = search(name);

	if (entry == NULL || entry->value == NULL)
		return dflt;

	return strcasecmp(entry->value, "yes") == 0;
}
/*
 * Numeric view of option name, converted with strtoul().
 * NOTE(review): dflt is a long but the function returns unsigned long; if
 * dflt is what is returned on the lines not shown (199, 204, 208-209), a
 * negative default reaches the caller as a very large positive number.
 */
192 unsigned long getlogindefs_num(const char *name
, long dflt
)
194 struct item
*ptr
= search(name
);
196 unsigned long retval
;
/* Option not found, or found without a value. */
198 if (!ptr
|| !ptr
->value
)
/* Base 0: strtoul() accepts decimal, 0x-prefixed hex and 0-prefixed octal,
 * so "010" is eight. It also accepts a leading '-' and returns the negated
 * value as an unsigned long. */
202 retval
= strtoul(ptr
->value
, &end
, 0);
/* Accept only when the whole string was consumed and no error was flagged.
 * The errno test is meaningful only if errno was cleared before the call;
 * source line 201 is not shown in this listing -- confirm. */
203 if (end
&& *end
== '\0' && !errno
)
/* The offending value is passed as an argument to a fixed format, never used
 * as the format string itself. */
206 syslog(LOG_NOTICE
, _("%s: %s contains invalid numerical value: %s"),
207 search_config(name
), name
, ptr
->value
);
213 * @dflt if @name not found
214 * "" (empty string) if found, but value not defined
/*
 * String view of option name; the return contract is the one given in the
 * comment that precedes this function in the file.
 * NOTE(review): source lines 220-226 are not shown in this listing. The
 * result can be dflt, and callers in this file pass NULL for dflt, so the
 * return value has to be checked before it is dereferenced.
 */
217 const char *getlogindefs_str(const char *name
, const char *dflt
)
219 struct item
*ptr
= search(name
);
229 * For compatibility with shadow-utils we have to support additional
230 * syntax for environment variables in login.defs(5) file. The standard
235 * but shadow-utils supports also
239 * the FOO= prefix has to be removed before we call setenv().
/*
 * Export the login.defs option conf (or dflt) as environment variable name.
 * Returns the result of setenv(), or -1 when there is no value to set.
 * setenv() is called with overwrite = 1, so an existing value of name in the
 * process environment is replaced.
 */
241 int logindefs_setenv(const char *name
, const char *conf
, const char *dflt
)
243 const char *val
= getlogindefs_str(conf
, dflt
);
/* val is handed to strchr(), so it must already be known to be non-NULL
 * here; the guard is presumably on source lines 244-248, which are not shown
 * in this listing -- confirm. */
249 p
= strchr(val
, '=');
251 size_t sz
= strlen(name
);
/* NOTE(review): this tests that val starts with name and that something
 * follows the first '='; nothing in this condition checks that the '=' sits
 * directly after name (p == val + sz), so a value that merely begins with
 * the same letters also matches. */
253 if (strncmp(val
, name
, sz
) == 0 && *(p
+ 1)) {
262 return val
? setenv(name
, val
, 1) : -1;
266 * We need to check the effective UID/GID. For example, $HOME could be on a
267 * root-squashed NFS or on an NFS with UID mapping, and access(2) uses the
268 * real UID/GID. Using open(2) therefore seems the surest solution.
269 * -- kzak@redhat.com (10-Apr-2009)
/*
 * Probe path by actually opening it, so the kernel checks the effective
 * UID/GID. Returns 0 when open() succeeds and -1 when it fails; errno is
 * that of open(), and get_hushlogin_status() relies on it (EACCES).
 *
 * mode is passed to open(2) as its flags argument, so callers give O_* flags
 * (the calls visible in this file pass O_RDONLY), not access(2) R_OK/W_OK
 * bits.
 * NOTE(review): source lines 274-275 are not shown in this listing; the
 * descriptor has to be closed on the success path -- confirm.
 * NOTE(review): unlike access(2), open(2) acts on the object itself. For a
 * path below a user's home directory, adding O_NONBLOCK, O_NOCTTY and
 * O_CLOEXEC to the flags keeps the probe from blocking, acquiring a terminal
 * or leaking the descriptor.
 */
271 int effective_access(const char *path
, int mode
)
273 int fd
= open(path
, mode
);
276 return fd
== -1 ? -1 : 0;
281 * Check the per-account or the global hush-login setting.
283 * Hushed mode is enabled:
285 * a) if a global (e.g. /etc/hushlogins) hush file exists:
286 * 1) for ALL ACCOUNTS if the file is empty
287 * 2) for the current user if the username or shell is found in the file
289 * b) if a ~/.hushlogin file exists
291 * The ~/.hushlogin file is ignored if the global hush file exists.
293 * The HUSHLOGIN_FILE login.def variable overrides the default hush filename.
295 * Note that shadow-utils login(1) does not support "a1)". The "a1)" is
296 * necessary if you want to use PAM for "Last login" message.
298 * -- Karel Zak <kzak@redhat.com> (26-Aug-2011)
301 * The per-account check requires some explanation: As root we may not be able
302 * to read the directory of the user if it is on an NFS-mounted filesystem. We
303 * temporarily set our effective uid to the user-uid, making sure that we keep
304 * root privileges in the real uid.
306 * A portable solution would require a fork(), but we rely on Linux having the
/*
 * Decide whether the login of pwd is "hushed"; the policy is described in
 * the comment that precedes this function in the file. The visible return
 * values are 1 (hushed) and 0 (not hushed).
 * NOTE(review): a number of source lines are not shown in this listing
 * (e.g. 313-316, 318-319, 321-325, 347, 361-362, 377-379, 388-394); the
 * notes below are limited to what the visible lines establish.
 */
310 int get_hushlogin_status(struct passwd
*pwd
, int force_check
)
/* Default candidates: the global hush file, then the per-account one. */
312 const char *files
[] = { _PATH_HUSHLOGINS
, _PATH_HUSHLOGIN
, NULL
};
/* HUSHLOGIN_FILE from login.defs; NULL when the option is not set. */
317 file
= getlogindefs_str("HUSHLOGIN_FILE", NULL
);
320 return 0; /* empty HUSHLOGIN_FILE defined */
326 for (i
= 0; files
[i
]; i
++) {
331 /* global hush-file */
336 if (stat(file
, &st
) != 0)
337 continue; /* file does not exist */
340 return 1; /* for all accounts */
342 f
= fopen(file
, "r");
344 continue; /* ignore errors... */
346 while (ok
== 0 && fgets(buf
, sizeof(buf
), f
)) {
/* NOTE(review): drops the last character of the line on the assumption that
 * it is '\n'. A final line without a newline loses a real character, and
 * strlen(buf) - 1 is a valid index only for a non-empty string; source line
 * 347 is not shown in this listing, so a guard may exist -- confirm. */
348 buf
[strlen(buf
) - 1] = '\0';
/* Entries starting with '/' are matched against the login shell. */
349 ok
= !strcmp(buf
, *buf
== '/' ? pwd
->pw_shell
:
354 return 1; /* found username/shell */
356 return 0; /* ignore per-account files */
359 /* per-account setting */
/* NOTE(review): file is assigned from getlogindefs_str(), i.e. it is a
 * pointer, so sizeof(file) is the size of a pointer and not the length of
 * the file name. The check therefore does not bound the sprintf() below when
 * HUSHLOGIN_FILE is longer than a pointer; strlen(file) is what the
 * arithmetic needs. */
360 if (strlen(pwd
->pw_dir
) + sizeof(file
) + 2 > sizeof(buf
))
/* Unbounded write into buf, protected only by the check above;
 * snprintf(buf, sizeof(buf), ...) with a truncation test would bound it
 * directly. */
363 sprintf(buf
, "%s/%s", pwd
->pw_dir
, file
);
/* Save the IDs that are restored after the probe. */
366 uid_t ruid
= getuid();
367 gid_t egid
= getegid();
/* Take on the user's identity for the probe: effective gid first, then
 * effective uid, with the real uid set to 0 so the switch can be undone.
 * The probe runs only if both calls succeed.
 * NOTE(review): no setgroups()/initgroups() call is visible, so the
 * supplementary groups appear to stay those of the caller during the probe
 * -- confirm. */
369 if (setregid(-1, pwd
->pw_gid
) == 0 &&
370 setreuid(0, pwd
->pw_uid
) == 0)
371 ok
= effective_access(buf
, O_RDONLY
) == 0;
/* Undo the switch unconditionally: regain euid 0, put back the saved real
 * uid, then the saved effective gid. Any failure is reported at LOG_ALERT;
 * the process must not continue with partially restored IDs (source lines
 * 377-378 are not shown -- confirm that it terminates). */
373 if (setuid(0) != 0 ||
374 setreuid(ruid
, 0) != 0 ||
375 setregid(-1, egid
) != 0) {
376 syslog(LOG_ALERT
, _("hush login status: restore original IDs failed"));
380 return 1; /* enabled by user */
/* Without force_check the probe runs with the IDs the process already has. */
384 rc
= effective_access(buf
, O_RDONLY
);
/* A permission error is told apart from "file absent". */
387 else if (rc
== -1 && errno
== EACCES
)
/*
 * Small command-line driver: loads the file named by argv[1] and either
 * lists every stored option or prints one option as str, num or bool.
 * NOTE(review): source lines 397-398, 400-401, 404, 406, 408-409 and 412-419
 * are not shown in this listing.
 */
396 int main(int argc
, char *argv
[])
399 atexit(close_stdout
);
402 errx(EXIT_FAILURE
, "usage: %s <filename> "
403 "[<str|num|bool> <valname>]", argv
[0]);
405 logindefs_load_file(argv
[1]);
407 if (argc
!= 4) { /* list all */
410 for (ptr
= list
; ptr
; ptr
= ptr
->next
)
411 printf("%s: $%s: '%s'\n", ptr
->path
, ptr
->name
,
420 if (strcmp(type
, "str") == 0)
421 printf("$%s: '%s'\n", name
, getlogindefs_str(name
, "DEFAULT"));
422 else if (strcmp(type
, "num") == 0)
/* NOTE(review): getlogindefs_num() returns unsigned long, so the matching
 * conversion is %lu rather than %ld. */
423 printf("$%s: '%ld'\n", name
, getlogindefs_num(name
, 0));
424 else if (strcmp(type
, "bool") == 0)
425 printf("$%s: '%s'\n", name
,
426 getlogindefs_bool(name
, 0) ? "Y" : "N");