xref: /illumos-gate/usr/src/cmd/login/login.c (revision d9c3e05c)
17c478bd9Sstevel@tonic-gate /*
27c478bd9Sstevel@tonic-gate  * CDDL HEADER START
37c478bd9Sstevel@tonic-gate  *
47c478bd9Sstevel@tonic-gate  * The contents of this file are subject to the terms of the
57d080b24Sas  * Common Development and Distribution License (the "License").
67d080b24Sas  * You may not use this file except in compliance with the License.
77c478bd9Sstevel@tonic-gate  *
87c478bd9Sstevel@tonic-gate  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
97c478bd9Sstevel@tonic-gate  * or http://www.opensolaris.org/os/licensing.
107c478bd9Sstevel@tonic-gate  * See the License for the specific language governing permissions
117c478bd9Sstevel@tonic-gate  * and limitations under the License.
127c478bd9Sstevel@tonic-gate  *
137c478bd9Sstevel@tonic-gate  * When distributing Covered Code, include this CDDL HEADER in each
147c478bd9Sstevel@tonic-gate  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
157c478bd9Sstevel@tonic-gate  * If applicable, add the following below this CDDL HEADER, with the
167c478bd9Sstevel@tonic-gate  * fields enclosed by brackets "[]" replaced with your own identifying
177c478bd9Sstevel@tonic-gate  * information: Portions Copyright [yyyy] [name of copyright owner]
187c478bd9Sstevel@tonic-gate  *
197c478bd9Sstevel@tonic-gate  * CDDL HEADER END
207c478bd9Sstevel@tonic-gate  */
21aecfc01dSrui zang - Sun Microsystems - Beijing China 
227c478bd9Sstevel@tonic-gate /*
23de81e71eSTim Marsland  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
247c478bd9Sstevel@tonic-gate  * Use is subject to license terms.
257c478bd9Sstevel@tonic-gate  */
267c478bd9Sstevel@tonic-gate 
277c478bd9Sstevel@tonic-gate /*	Copyright (c) 1984, 1986, 1987, 1988, 1989 AT&T	*/
28723f377cSToomas Soome /*	  All Rights Reserved	*/
297c478bd9Sstevel@tonic-gate 
307c478bd9Sstevel@tonic-gate /*
317c478bd9Sstevel@tonic-gate  * University Copyright- Copyright (c) 1982, 1986, 1988
327c478bd9Sstevel@tonic-gate  * The Regents of the University of California
337c478bd9Sstevel@tonic-gate  * All Rights Reserved
347c478bd9Sstevel@tonic-gate  *
357c478bd9Sstevel@tonic-gate  * University Acknowledgment- Portions of this document are derived from
367c478bd9Sstevel@tonic-gate  * software developed by the University of California, Berkeley, and its
377c478bd9Sstevel@tonic-gate  * contributors.
387c478bd9Sstevel@tonic-gate  */
397c478bd9Sstevel@tonic-gate 
407c478bd9Sstevel@tonic-gate /*	Copyright (c) 1987, 1988 Microsoft Corporation	*/
417c478bd9Sstevel@tonic-gate /*	  All Rights Reserved	*/
427c478bd9Sstevel@tonic-gate 
437c478bd9Sstevel@tonic-gate /*
447c478bd9Sstevel@tonic-gate  * For a complete reference to login(1), see the manual page.  However,
457c478bd9Sstevel@tonic-gate  * login has accreted some intentionally undocumented options, which are
467c478bd9Sstevel@tonic-gate  * explained here:
477c478bd9Sstevel@tonic-gate  *
487c478bd9Sstevel@tonic-gate  * -a: This legacy flag appears to be unused.
497c478bd9Sstevel@tonic-gate  *
507c478bd9Sstevel@tonic-gate  * -f <username>: This flag was introduced by PSARC 1995/039 in support
517c478bd9Sstevel@tonic-gate  *    of Kerberos.  But it's not used by Sun's Kerberos implementation.
527c478bd9Sstevel@tonic-gate  *    It is however employed by zlogin(1), since it allows one to tell
537c478bd9Sstevel@tonic-gate  *    login: "This user is authenticated."  In the case of zlogin that's
547c478bd9Sstevel@tonic-gate  *    true because the zone always trusts the global zone.
557c478bd9Sstevel@tonic-gate  *
567c478bd9Sstevel@tonic-gate  * -z <zonename>: This flag is passed to login when zlogin(1) executes a
577c478bd9Sstevel@tonic-gate  *    zone login.  This tells login(1) to skip it's normal CONSOLE check
587c478bd9Sstevel@tonic-gate  *    (i.e. that the root login must be on /dev/console) and tells us the
59da6c28aaSamw  *    name of the zone from which the login is occurring.
607c478bd9Sstevel@tonic-gate  */
617c478bd9Sstevel@tonic-gate 
627c478bd9Sstevel@tonic-gate #include <sys/types.h>
637c478bd9Sstevel@tonic-gate #include <sys/param.h>
647c478bd9Sstevel@tonic-gate #include <unistd.h>	/* For logfile locking */
657c478bd9Sstevel@tonic-gate #include <signal.h>
667c478bd9Sstevel@tonic-gate #include <stdio.h>
677c478bd9Sstevel@tonic-gate #include <sys/stat.h>
687c478bd9Sstevel@tonic-gate #include <string.h>
697c478bd9Sstevel@tonic-gate #include <deflt.h>
707c478bd9Sstevel@tonic-gate #include <grp.h>
717c478bd9Sstevel@tonic-gate #include <fcntl.h>
722de0a7d6SDan McDonald #include <lastlog.h>
737c478bd9Sstevel@tonic-gate #include <termio.h>
747c478bd9Sstevel@tonic-gate #include <utmpx.h>
757c478bd9Sstevel@tonic-gate #include <stdlib.h>
767c478bd9Sstevel@tonic-gate #include <wait.h>
777c478bd9Sstevel@tonic-gate #include <errno.h>
787c478bd9Sstevel@tonic-gate #include <ctype.h>
797c478bd9Sstevel@tonic-gate #include <syslog.h>
807c478bd9Sstevel@tonic-gate #include <ulimit.h>
817c478bd9Sstevel@tonic-gate #include <libgen.h>
827c478bd9Sstevel@tonic-gate #include <pwd.h>
837c478bd9Sstevel@tonic-gate #include <security/pam_appl.h>
847c478bd9Sstevel@tonic-gate #include <strings.h>
857c478bd9Sstevel@tonic-gate #include <libdevinfo.h>
867c478bd9Sstevel@tonic-gate #include <zone.h>
877c478bd9Sstevel@tonic-gate #include "login_audit.h"
887c478bd9Sstevel@tonic-gate 
897c478bd9Sstevel@tonic-gate #include <krb5_repository.h>
907c478bd9Sstevel@tonic-gate /*
917c478bd9Sstevel@tonic-gate  *
927c478bd9Sstevel@tonic-gate  *	    *** Defines, Macros, and String Constants  ***
937c478bd9Sstevel@tonic-gate  *
947c478bd9Sstevel@tonic-gate  *
957c478bd9Sstevel@tonic-gate  */
967c478bd9Sstevel@tonic-gate 
977c478bd9Sstevel@tonic-gate #define	ISSUEFILE "/etc/issue"	/* file to print before prompt */
987c478bd9Sstevel@tonic-gate #define	NOLOGIN	"/etc/nologin"	/* file to lock users out during shutdown */
997c478bd9Sstevel@tonic-gate 
1007c478bd9Sstevel@tonic-gate /*
1017c478bd9Sstevel@tonic-gate  * These need to be defined for UTMPX management.
1027c478bd9Sstevel@tonic-gate  * If we add in the utility functions later, we
1037c478bd9Sstevel@tonic-gate  * can remove them.
1047c478bd9Sstevel@tonic-gate  */
1057c478bd9Sstevel@tonic-gate #define	__UPDATE_ENTRY	1
1067c478bd9Sstevel@tonic-gate #define	__LOGIN		2
1077c478bd9Sstevel@tonic-gate 
1087c478bd9Sstevel@tonic-gate /*
1097c478bd9Sstevel@tonic-gate  * Intervals to sleep after failed login
1107c478bd9Sstevel@tonic-gate  */
1117c478bd9Sstevel@tonic-gate #ifndef	SLEEPTIME
1127c478bd9Sstevel@tonic-gate #define	SLEEPTIME 4	/* sleeptime before login incorrect msg */
1137c478bd9Sstevel@tonic-gate #endif
1147c478bd9Sstevel@tonic-gate static int	Sleeptime = SLEEPTIME;
1157c478bd9Sstevel@tonic-gate 
1167c478bd9Sstevel@tonic-gate /*
1177c478bd9Sstevel@tonic-gate  * seconds login disabled after allowable number of unsuccessful attempts
1187c478bd9Sstevel@tonic-gate  */
1197c478bd9Sstevel@tonic-gate #ifndef	DISABLETIME
1207c478bd9Sstevel@tonic-gate #define	DISABLETIME	20
1217c478bd9Sstevel@tonic-gate #endif
1227c478bd9Sstevel@tonic-gate static int	Disabletime = DISABLETIME;
1237c478bd9Sstevel@tonic-gate 
1247c478bd9Sstevel@tonic-gate #define	MAXTRYS		5
1257c478bd9Sstevel@tonic-gate 
1267c478bd9Sstevel@tonic-gate static int	retry = MAXTRYS;
1277c478bd9Sstevel@tonic-gate 
1287c478bd9Sstevel@tonic-gate /*
1297c478bd9Sstevel@tonic-gate  * Login logging support
1307c478bd9Sstevel@tonic-gate  */
1317c478bd9Sstevel@tonic-gate #define	LOGINLOG	"/var/adm/loginlog"	/* login log file */
1327c478bd9Sstevel@tonic-gate #define	LNAME_SIZE	20	/* size of logged logname */
1337c478bd9Sstevel@tonic-gate #define	TTYN_SIZE	15	/* size of logged tty name */
1347c478bd9Sstevel@tonic-gate #define	TIME_SIZE	30	/* size of logged time string */
1357c478bd9Sstevel@tonic-gate #define	ENT_SIZE	(LNAME_SIZE + TTYN_SIZE + TIME_SIZE + 3)
1367c478bd9Sstevel@tonic-gate #define	L_WAITTIME	5	/* waittime for log file to unlock */
1377c478bd9Sstevel@tonic-gate #define	LOGTRYS		10	/* depth of 'try' logging */
1387c478bd9Sstevel@tonic-gate 
1397c478bd9Sstevel@tonic-gate /*
1407c478bd9Sstevel@tonic-gate  * String manipulation macros: SCPYN, SCPYL, EQN and ENVSTRNCAT
1417c478bd9Sstevel@tonic-gate  * SCPYL is the safer version of SCPYN
1427c478bd9Sstevel@tonic-gate  */
1437c478bd9Sstevel@tonic-gate #define	SCPYL(a, b)	(void) strlcpy(a, b, sizeof (a))
1447c478bd9Sstevel@tonic-gate #define	SCPYN(a, b)	(void) strncpy(a, b, sizeof (a))
1457c478bd9Sstevel@tonic-gate #define	EQN(a, b)	(strncmp(a, b, sizeof (a)-1) == 0)
1467c478bd9Sstevel@tonic-gate #define	ENVSTRNCAT(to, from) {int deflen; deflen = strlen(to); \
1477c478bd9Sstevel@tonic-gate 	(void) strncpy((to)+ deflen, (from), sizeof (to) - (1 + deflen)); }
1487c478bd9Sstevel@tonic-gate 
1497c478bd9Sstevel@tonic-gate /*
1507c478bd9Sstevel@tonic-gate  * Other macros
1517c478bd9Sstevel@tonic-gate  */
1527c478bd9Sstevel@tonic-gate #define	NMAX	sizeof (((struct utmpx *)0)->ut_name)
1537c478bd9Sstevel@tonic-gate #define	HMAX	sizeof (((struct utmpx *)0)->ut_host)
1547c478bd9Sstevel@tonic-gate #define	min(a, b)	(((a) < (b)) ? (a) : (b))
1557c478bd9Sstevel@tonic-gate 
1567c478bd9Sstevel@tonic-gate /*
1577c478bd9Sstevel@tonic-gate  * Various useful files and string constants
1587c478bd9Sstevel@tonic-gate  */
1597c478bd9Sstevel@tonic-gate #define	SHELL		"/usr/bin/sh"
1607c478bd9Sstevel@tonic-gate #define	SHELL2		"/sbin/sh"
1617c478bd9Sstevel@tonic-gate #define	SUBLOGIN	"<!sublogin>"
1622de0a7d6SDan McDonald #define	LASTLOG		"/var/adm/lastlog"
1637c478bd9Sstevel@tonic-gate #define	PROG_NAME	"login"
1647c478bd9Sstevel@tonic-gate #define	HUSHLOGIN	".hushlogin"
1657c478bd9Sstevel@tonic-gate 
1667c478bd9Sstevel@tonic-gate /*
1677c478bd9Sstevel@tonic-gate  * Array and Buffer sizes
1687c478bd9Sstevel@tonic-gate  */
1697c478bd9Sstevel@tonic-gate #define	PBUFSIZE 8	/* max significant characters in a password */
1707c478bd9Sstevel@tonic-gate #define	MAXARGS 63	/* change value below if changing this */
1717c478bd9Sstevel@tonic-gate #define	MAXARGSWIDTH 2	/* log10(MAXARGS) */
1727c478bd9Sstevel@tonic-gate #define	MAXENV 1024
1737c478bd9Sstevel@tonic-gate #define	MAXLINE 2048
1747c478bd9Sstevel@tonic-gate 
1757c478bd9Sstevel@tonic-gate /*
1767c478bd9Sstevel@tonic-gate  * Miscellaneous constants
1777c478bd9Sstevel@tonic-gate  */
1787c478bd9Sstevel@tonic-gate #define	ROOTUID		0
1797c478bd9Sstevel@tonic-gate #define	ERROR		1
1807c478bd9Sstevel@tonic-gate #define	OK		0
1817c478bd9Sstevel@tonic-gate #define	LOG_ERROR	1
1827c478bd9Sstevel@tonic-gate #define	DONT_LOG_ERROR	0
1837c478bd9Sstevel@tonic-gate #define	TRUE		1
1847c478bd9Sstevel@tonic-gate #define	FALSE		0
1857c478bd9Sstevel@tonic-gate 
1867c478bd9Sstevel@tonic-gate /*
1877c478bd9Sstevel@tonic-gate  * Counters for counting the number of failed login attempts
1887c478bd9Sstevel@tonic-gate  */
1897c478bd9Sstevel@tonic-gate static int trys = 0;
1907c478bd9Sstevel@tonic-gate static int count = 1;
1917c478bd9Sstevel@tonic-gate 
1927c478bd9Sstevel@tonic-gate /*
1937c478bd9Sstevel@tonic-gate  * error value for login_exit() audit output (0 == no audit record)
1947c478bd9Sstevel@tonic-gate  */
1957c478bd9Sstevel@tonic-gate static int	audit_error = 0;
1967c478bd9Sstevel@tonic-gate 
1977c478bd9Sstevel@tonic-gate /*
1987c478bd9Sstevel@tonic-gate  * Externs a plenty
1997c478bd9Sstevel@tonic-gate  */
2007c478bd9Sstevel@tonic-gate extern	int	getsecretkey();
2017c478bd9Sstevel@tonic-gate 
2027c478bd9Sstevel@tonic-gate /*
2037c478bd9Sstevel@tonic-gate  * The current user name
2047c478bd9Sstevel@tonic-gate  */
2057c478bd9Sstevel@tonic-gate static	char	user_name[NMAX];
2067c478bd9Sstevel@tonic-gate static	char	minusnam[16] = "-";
2077c478bd9Sstevel@tonic-gate 
208f0243e0aSrz /*
209f0243e0aSrz  * login_pid, used to find utmpx entry to update.
210f0243e0aSrz  */
211f0243e0aSrz static pid_t	login_pid;
212f0243e0aSrz 
2137c478bd9Sstevel@tonic-gate /*
2147c478bd9Sstevel@tonic-gate  * locale environments to be passed to shells.
2157c478bd9Sstevel@tonic-gate  */
2167c478bd9Sstevel@tonic-gate static char *localeenv[] = {
2177c478bd9Sstevel@tonic-gate 	"LANG",
2187c478bd9Sstevel@tonic-gate 	"LC_CTYPE", "LC_NUMERIC", "LC_TIME", "LC_COLLATE",
2197c478bd9Sstevel@tonic-gate 	"LC_MONETARY", "LC_MESSAGES", "LC_ALL", 0};
2207c478bd9Sstevel@tonic-gate static int locale_envmatch(char *, char *);
2217c478bd9Sstevel@tonic-gate 
2227c478bd9Sstevel@tonic-gate /*
2237c478bd9Sstevel@tonic-gate  * Environment variable support
2247c478bd9Sstevel@tonic-gate  */
2257c478bd9Sstevel@tonic-gate static	char	shell[256] = { "SHELL=" };
2267c478bd9Sstevel@tonic-gate static	char	home[MAXPATHLEN] = { "HOME=" };
2277c478bd9Sstevel@tonic-gate static	char	term[64] = { "TERM=" };
2287c478bd9Sstevel@tonic-gate static	char	logname[30] = { "LOGNAME=" };
2297c478bd9Sstevel@tonic-gate static	char	timez[100] = { "TZ=" };
2307c478bd9Sstevel@tonic-gate static	char	hertz[10] = { "HZ=" };
2317c478bd9Sstevel@tonic-gate static	char	path[MAXPATHLEN] = { "PATH=" };
2327c478bd9Sstevel@tonic-gate static	char	*newenv[10+MAXARGS] =
2337c478bd9Sstevel@tonic-gate 	{home, path, logname, hertz, term, 0, 0};
2347c478bd9Sstevel@tonic-gate static	char	**envinit = newenv;
2357c478bd9Sstevel@tonic-gate static	int	basicenv;
2367c478bd9Sstevel@tonic-gate static	char	*zero = (char *)0;
237723f377cSToomas Soome static	char	**envp;
2387c478bd9Sstevel@tonic-gate #ifndef	NO_MAIL
2397c478bd9Sstevel@tonic-gate static	char	mail[30] = { "MAIL=/var/mail/" };
2407c478bd9Sstevel@tonic-gate #endif
2417c478bd9Sstevel@tonic-gate extern char **environ;
2427c478bd9Sstevel@tonic-gate static	char inputline[MAXLINE];
2437c478bd9Sstevel@tonic-gate 
2447c478bd9Sstevel@tonic-gate #define	MAX_ID_LEN 256
2457c478bd9Sstevel@tonic-gate #define	MAX_REPOSITORY_LEN 256
2467c478bd9Sstevel@tonic-gate #define	MAX_PAMSERVICE_LEN 256
2477c478bd9Sstevel@tonic-gate 
2487c478bd9Sstevel@tonic-gate static char identity[MAX_ID_LEN];
2497c478bd9Sstevel@tonic-gate static char repository[MAX_REPOSITORY_LEN];
2507c478bd9Sstevel@tonic-gate static char progname[MAX_PAMSERVICE_LEN];
2517c478bd9Sstevel@tonic-gate 
2527c478bd9Sstevel@tonic-gate 
2537c478bd9Sstevel@tonic-gate /*
2547c478bd9Sstevel@tonic-gate  * Strings used to prompt the user.
2557c478bd9Sstevel@tonic-gate  */
2567c478bd9Sstevel@tonic-gate static	char	loginmsg[] = "login: ";
2577c478bd9Sstevel@tonic-gate static	char	passwdmsg[] = "Password:";
2587c478bd9Sstevel@tonic-gate static	char	incorrectmsg[] = "Login incorrect\n";
2597c478bd9Sstevel@tonic-gate 
2607c478bd9Sstevel@tonic-gate /*
2617c478bd9Sstevel@tonic-gate  * Password file support
2627c478bd9Sstevel@tonic-gate  */
2637c478bd9Sstevel@tonic-gate static	struct	passwd *pwd = NULL;
2647c478bd9Sstevel@tonic-gate static	char	remote_host[HMAX];
2657c478bd9Sstevel@tonic-gate static	char	zone_name[ZONENAME_MAX];
2667c478bd9Sstevel@tonic-gate 
2677c478bd9Sstevel@tonic-gate /*
2687c478bd9Sstevel@tonic-gate  * Illegal passwd entries.
2697c478bd9Sstevel@tonic-gate  */
270f48205beScasper static	struct	passwd nouser = { "", "no:password", (uid_t)-1 };
2717c478bd9Sstevel@tonic-gate 
2727c478bd9Sstevel@tonic-gate /*
2737c478bd9Sstevel@tonic-gate  * Log file support
2747c478bd9Sstevel@tonic-gate  */
2757c478bd9Sstevel@tonic-gate static	char	*log_entry[LOGTRYS];
2767c478bd9Sstevel@tonic-gate static	int	writelog = 0;
2772de0a7d6SDan McDonald static	int	lastlogok = 0;
2782de0a7d6SDan McDonald static	struct lastlog ll;
2797c478bd9Sstevel@tonic-gate static	int	dosyslog = 0;
2807c478bd9Sstevel@tonic-gate static	int	flogin = MAXTRYS;	/* flag for SYSLOG_FAILED_LOGINS */
2817c478bd9Sstevel@tonic-gate 
2827c478bd9Sstevel@tonic-gate /*
2837c478bd9Sstevel@tonic-gate  * Default file toggles
2847c478bd9Sstevel@tonic-gate  */
2857c478bd9Sstevel@tonic-gate static	char	*Pndefault	= "/etc/default/login";
2867c478bd9Sstevel@tonic-gate static	char	*Altshell	= NULL;
2877c478bd9Sstevel@tonic-gate static	char	*Console	= NULL;
2887c478bd9Sstevel@tonic-gate static	int	Passreqflag	= 0;
2897c478bd9Sstevel@tonic-gate 
2907c478bd9Sstevel@tonic-gate #define	DEFUMASK	022
2917c478bd9Sstevel@tonic-gate static	mode_t	Umask		= DEFUMASK;
292723f377cSToomas Soome static	char	*Def_tz		= NULL;
293723f377cSToomas Soome static	char	*tmp_tz		= NULL;
294723f377cSToomas Soome static	char	*Def_hertz	= NULL;
2957c478bd9Sstevel@tonic-gate #define	SET_FSIZ	2			/* ulimit() command arg */
2967c478bd9Sstevel@tonic-gate static	long	Def_ulimit	= 0;
2977c478bd9Sstevel@tonic-gate #define	MAX_TIMEOUT	(15 * 60)
2987c478bd9Sstevel@tonic-gate #define	DEF_TIMEOUT	(5 * 60)
2997c478bd9Sstevel@tonic-gate static	unsigned Def_timeout	= DEF_TIMEOUT;
3007c478bd9Sstevel@tonic-gate static	char	*Def_path	= NULL;
3017c478bd9Sstevel@tonic-gate static	char	*Def_supath	= NULL;
302723f377cSToomas Soome #define	DEF_PATH	"/usr/bin:"	/* same as PATH */
3037c478bd9Sstevel@tonic-gate #define	DEF_SUPATH	"/usr/sbin:/usr/bin" /* same as ROOTPATH */
3047c478bd9Sstevel@tonic-gate 
3057c478bd9Sstevel@tonic-gate /*
3067c478bd9Sstevel@tonic-gate  * Defaults for updating expired passwords
3077c478bd9Sstevel@tonic-gate  */
3087c478bd9Sstevel@tonic-gate #define	DEF_ATTEMPTS	3
3097c478bd9Sstevel@tonic-gate 
3107c478bd9Sstevel@tonic-gate /*
3117c478bd9Sstevel@tonic-gate  * ttyprompt will point to the environment variable TTYPROMPT.
3127c478bd9Sstevel@tonic-gate  * TTYPROMPT is set by ttymon if ttymon already wrote out the prompt.
3137c478bd9Sstevel@tonic-gate  */
3147c478bd9Sstevel@tonic-gate static	char	*ttyprompt = NULL;
315723f377cSToomas Soome static	char	*ttyn = NULL;
3167c478bd9Sstevel@tonic-gate 
3177c478bd9Sstevel@tonic-gate /*
3187c478bd9Sstevel@tonic-gate  * Pass inherited environment.  Used by telnetd in support of the telnet
3197c478bd9Sstevel@tonic-gate  * ENVIRON option.
3207c478bd9Sstevel@tonic-gate  */
3217c478bd9Sstevel@tonic-gate static	boolean_t pflag = B_FALSE;
3227c478bd9Sstevel@tonic-gate static  boolean_t uflag = B_FALSE;
3237c478bd9Sstevel@tonic-gate static  boolean_t Rflag = B_FALSE;
3247c478bd9Sstevel@tonic-gate static  boolean_t sflag = B_FALSE;
3257c478bd9Sstevel@tonic-gate static  boolean_t Uflag = B_FALSE;
3267c478bd9Sstevel@tonic-gate static  boolean_t tflag = B_FALSE;
3277c478bd9Sstevel@tonic-gate static	boolean_t hflag = B_FALSE;
3287c478bd9Sstevel@tonic-gate static  boolean_t rflag = B_FALSE;
3297c478bd9Sstevel@tonic-gate static  boolean_t zflag = B_FALSE;
3307c478bd9Sstevel@tonic-gate 
3317c478bd9Sstevel@tonic-gate /*
3327c478bd9Sstevel@tonic-gate  * Remote login support
3337c478bd9Sstevel@tonic-gate  */
3347c478bd9Sstevel@tonic-gate static	char	rusername[NMAX+1], lusername[NMAX+1];
3357c478bd9Sstevel@tonic-gate static	char	terminal[MAXPATHLEN];
3367c478bd9Sstevel@tonic-gate 
3377c478bd9Sstevel@tonic-gate /*
3387c478bd9Sstevel@tonic-gate  * Pre-authentication flag support
3397c478bd9Sstevel@tonic-gate  */
3407c478bd9Sstevel@tonic-gate static	int	fflag;
3417c478bd9Sstevel@tonic-gate 
3427c478bd9Sstevel@tonic-gate static char ** getargs(char *);
3437c478bd9Sstevel@tonic-gate 
3447c478bd9Sstevel@tonic-gate static int login_conv(int, struct pam_message **,
3457c478bd9Sstevel@tonic-gate     struct pam_response **, void *);
3467c478bd9Sstevel@tonic-gate 
3477c478bd9Sstevel@tonic-gate static struct pam_conv pam_conv = {login_conv, NULL};
3487c478bd9Sstevel@tonic-gate static pam_handle_t *pamh;	/* Authentication handle */
3497c478bd9Sstevel@tonic-gate 
3507c478bd9Sstevel@tonic-gate /*
3517c478bd9Sstevel@tonic-gate  * Function declarations
3527c478bd9Sstevel@tonic-gate  */
3537c478bd9Sstevel@tonic-gate static	void	turn_on_logging(void);
3547c478bd9Sstevel@tonic-gate static	void	defaults(void);
3557c478bd9Sstevel@tonic-gate static	void	usage(void);
3567c478bd9Sstevel@tonic-gate static	void	process_rlogin(void);
3577c478bd9Sstevel@tonic-gate static	void	login_authenticate();
3587c478bd9Sstevel@tonic-gate static	void	setup_credentials(void);
3597c478bd9Sstevel@tonic-gate static	void	adjust_nice(void);
3602de0a7d6SDan McDonald static	void	update_utmpx_entry(int);
3617c478bd9Sstevel@tonic-gate static	void	establish_user_environment(char **);
3622de0a7d6SDan McDonald static	void	print_banner(void);
3632de0a7d6SDan McDonald static	void	display_last_login_time(void);
3647c478bd9Sstevel@tonic-gate static	void	exec_the_shell(void);
3657c478bd9Sstevel@tonic-gate static	int	process_chroot_logins(void);
366723f377cSToomas Soome static	void	chdir_to_dir_user(void);
3672de0a7d6SDan McDonald static	void	check_log(void);
3687c478bd9Sstevel@tonic-gate static	void	validate_account(void);
3697c478bd9Sstevel@tonic-gate static	void	doremoteterm(char *);
3707c478bd9Sstevel@tonic-gate static	int	get_options(int, char **);
3717c478bd9Sstevel@tonic-gate static	void	getstr(char *, int, char *);
372723f377cSToomas Soome static	int	legalenvvar(char *);
3737c478bd9Sstevel@tonic-gate static	void	check_for_console(void);
3747c478bd9Sstevel@tonic-gate static	void	check_for_dueling_unix(char *);
3757c478bd9Sstevel@tonic-gate static	void	get_user_name(void);
3767c478bd9Sstevel@tonic-gate static	uint_t	get_audit_id(void);
377032624d5Sbasabi static	void	login_exit(int)__NORETURN;
3787c478bd9Sstevel@tonic-gate static	int	logins_disabled(char *);
3797c478bd9Sstevel@tonic-gate static	void	log_bad_attempts(void);
3807c478bd9Sstevel@tonic-gate static	int	is_number(char *);
3817c478bd9Sstevel@tonic-gate 
3827c478bd9Sstevel@tonic-gate /*
3837c478bd9Sstevel@tonic-gate  *			*** main ***
3847c478bd9Sstevel@tonic-gate  *
3857c478bd9Sstevel@tonic-gate  *	The primary flow of control is directed in this routine.
3867c478bd9Sstevel@tonic-gate  *	Control moves in line from top to bottom calling subfunctions
3877c478bd9Sstevel@tonic-gate  *	which perform the bulk of the work.  Many of these calls exit
3887c478bd9Sstevel@tonic-gate  *	when a fatal error is encountered and do not return to main.
3897c478bd9Sstevel@tonic-gate  *
3907c478bd9Sstevel@tonic-gate  *
3917c478bd9Sstevel@tonic-gate  */
3927c478bd9Sstevel@tonic-gate 
393032624d5Sbasabi int
main(int argc,char * argv[],char ** renvp)3947c478bd9Sstevel@tonic-gate main(int argc, char *argv[], char **renvp)
3957c478bd9Sstevel@tonic-gate {
3967c478bd9Sstevel@tonic-gate 	int sublogin;
3977c478bd9Sstevel@tonic-gate 	int pam_rc;
3987c478bd9Sstevel@tonic-gate 
399f0243e0aSrz 	login_pid = getpid();
400f0243e0aSrz 
4017c478bd9Sstevel@tonic-gate 	/*
4027c478bd9Sstevel@tonic-gate 	 * Set up Defaults and flags
4037c478bd9Sstevel@tonic-gate 	 */
4047c478bd9Sstevel@tonic-gate 	defaults();
4057c478bd9Sstevel@tonic-gate 	SCPYL(progname, PROG_NAME);
4067c478bd9Sstevel@tonic-gate 
4077c478bd9Sstevel@tonic-gate 	/*
4087c478bd9Sstevel@tonic-gate 	 * Set up default umask
4097c478bd9Sstevel@tonic-gate 	 */
4107c478bd9Sstevel@tonic-gate 	if (Umask > ((mode_t)0777))
4117c478bd9Sstevel@tonic-gate 		Umask = DEFUMASK;
4127c478bd9Sstevel@tonic-gate 	(void) umask(Umask);
4137c478bd9Sstevel@tonic-gate 
4147c478bd9Sstevel@tonic-gate 	/*
4157c478bd9Sstevel@tonic-gate 	 * Set up default timeouts and delays
4167c478bd9Sstevel@tonic-gate 	 */
4177c478bd9Sstevel@tonic-gate 	if (Def_timeout > MAX_TIMEOUT)
4187c478bd9Sstevel@tonic-gate 		Def_timeout = MAX_TIMEOUT;
4197c478bd9Sstevel@tonic-gate 	if (Sleeptime < 0 || Sleeptime > 5)
4207c478bd9Sstevel@tonic-gate 		Sleeptime = SLEEPTIME;
4217c478bd9Sstevel@tonic-gate 
4227c478bd9Sstevel@tonic-gate 	(void) alarm(Def_timeout);
4237c478bd9Sstevel@tonic-gate 
4247c478bd9Sstevel@tonic-gate 	/*
4257c478bd9Sstevel@tonic-gate 	 * Ignore SIGQUIT and SIGINT and set nice to 0
4267c478bd9Sstevel@tonic-gate 	 */
4277c478bd9Sstevel@tonic-gate 	(void) signal(SIGQUIT, SIG_IGN);
4287c478bd9Sstevel@tonic-gate 	(void) signal(SIGINT, SIG_IGN);
4297c478bd9Sstevel@tonic-gate 	(void) nice(0);
4307c478bd9Sstevel@tonic-gate 
4317c478bd9Sstevel@tonic-gate 	/*
4327c478bd9Sstevel@tonic-gate 	 * Set flag to disable the pid check if you find that you are
4337c478bd9Sstevel@tonic-gate 	 * a subsystem login.
4347c478bd9Sstevel@tonic-gate 	 */
4357c478bd9Sstevel@tonic-gate 	sublogin = 0;
4367c478bd9Sstevel@tonic-gate 	if (*renvp && strcmp(*renvp, SUBLOGIN) == 0)
4377c478bd9Sstevel@tonic-gate 		sublogin = 1;
4387c478bd9Sstevel@tonic-gate 
4397c478bd9Sstevel@tonic-gate 	/*
4407c478bd9Sstevel@tonic-gate 	 * Parse Arguments
4417c478bd9Sstevel@tonic-gate 	 */
4427c478bd9Sstevel@tonic-gate 	if (get_options(argc, argv) == -1) {
4437c478bd9Sstevel@tonic-gate 		usage();
4447c478bd9Sstevel@tonic-gate 		audit_error = ADT_FAIL_VALUE_BAD_CMD;
4457c478bd9Sstevel@tonic-gate 		login_exit(1);
4467c478bd9Sstevel@tonic-gate 	}
4477c478bd9Sstevel@tonic-gate 
4487c478bd9Sstevel@tonic-gate 	/*
4497c478bd9Sstevel@tonic-gate 	 * if devicename is not passed as argument, call ttyname(0)
4507c478bd9Sstevel@tonic-gate 	 */
4517c478bd9Sstevel@tonic-gate 	if (ttyn == NULL) {
4527c478bd9Sstevel@tonic-gate 		ttyn = ttyname(0);
4537c478bd9Sstevel@tonic-gate 		if (ttyn == NULL)
4547c478bd9Sstevel@tonic-gate 			ttyn = "/dev/???";
4557c478bd9Sstevel@tonic-gate 	}
4567c478bd9Sstevel@tonic-gate 
4577c478bd9Sstevel@tonic-gate 	/*
4587c478bd9Sstevel@tonic-gate 	 * Call pam_start to initiate a PAM authentication operation
4597c478bd9Sstevel@tonic-gate 	 */
4607c478bd9Sstevel@tonic-gate 
4617c478bd9Sstevel@tonic-gate 	if ((pam_rc = pam_start(progname, user_name, &pam_conv, &pamh))
4627c478bd9Sstevel@tonic-gate 	    != PAM_SUCCESS) {
4637c478bd9Sstevel@tonic-gate 		audit_error = ADT_FAIL_PAM + pam_rc;
4647c478bd9Sstevel@tonic-gate 		login_exit(1);
4657c478bd9Sstevel@tonic-gate 	}
4667c478bd9Sstevel@tonic-gate 	if ((pam_rc = pam_set_item(pamh, PAM_TTY, ttyn)) != PAM_SUCCESS) {
4677c478bd9Sstevel@tonic-gate 		audit_error = ADT_FAIL_PAM + pam_rc;
4687c478bd9Sstevel@tonic-gate 		login_exit(1);
4697c478bd9Sstevel@tonic-gate 	}
4707c478bd9Sstevel@tonic-gate 	if ((pam_rc = pam_set_item(pamh, PAM_RHOST, remote_host)) !=
4717c478bd9Sstevel@tonic-gate 	    PAM_SUCCESS) {
4727c478bd9Sstevel@tonic-gate 		audit_error = ADT_FAIL_PAM + pam_rc;
4737c478bd9Sstevel@tonic-gate 		login_exit(1);
4747c478bd9Sstevel@tonic-gate 	}
4757c478bd9Sstevel@tonic-gate 
4767c478bd9Sstevel@tonic-gate 	/*
4777c478bd9Sstevel@tonic-gate 	 * We currently only support special handling of the KRB5 PAM repository
4787c478bd9Sstevel@tonic-gate 	 */
4797c478bd9Sstevel@tonic-gate 	if ((Rflag && strlen(repository)) &&
4807c478bd9Sstevel@tonic-gate 	    strcmp(repository, KRB5_REPOSITORY_NAME) == 0 &&
4817c478bd9Sstevel@tonic-gate 	    (uflag && strlen(identity))) {
4827c478bd9Sstevel@tonic-gate 		krb5_repository_data_t krb5_data;
4837c478bd9Sstevel@tonic-gate 		pam_repository_t pam_rep_data;
4847c478bd9Sstevel@tonic-gate 
4857c478bd9Sstevel@tonic-gate 		krb5_data.principal = identity;
4867c478bd9Sstevel@tonic-gate 		krb5_data.flags = SUNW_PAM_KRB5_ALREADY_AUTHENTICATED;
4877c478bd9Sstevel@tonic-gate 
4887c478bd9Sstevel@tonic-gate 		pam_rep_data.type = repository;
4897c478bd9Sstevel@tonic-gate 		pam_rep_data.scope = (void *)&krb5_data;
4907c478bd9Sstevel@tonic-gate 		pam_rep_data.scope_len = sizeof (krb5_data);
4917c478bd9Sstevel@tonic-gate 
4927c478bd9Sstevel@tonic-gate 		(void) pam_set_item(pamh, PAM_REPOSITORY,
4937c478bd9Sstevel@tonic-gate 		    (void *)&pam_rep_data);
4947c478bd9Sstevel@tonic-gate 	}
4957c478bd9Sstevel@tonic-gate 
4967c478bd9Sstevel@tonic-gate 	/*
4977c478bd9Sstevel@tonic-gate 	 * Open the log file which contains a record of successful and failed
4987c478bd9Sstevel@tonic-gate 	 * login attempts
4997c478bd9Sstevel@tonic-gate 	 */
5007c478bd9Sstevel@tonic-gate 	turn_on_logging();
5017c478bd9Sstevel@tonic-gate 
5027c478bd9Sstevel@tonic-gate 	/*
5037c478bd9Sstevel@tonic-gate 	 * say "hi" to syslogd ..
5047c478bd9Sstevel@tonic-gate 	 */
5057c478bd9Sstevel@tonic-gate 	openlog("login", 0, LOG_AUTH);
5067c478bd9Sstevel@tonic-gate 
5077c478bd9Sstevel@tonic-gate 	/*
5087c478bd9Sstevel@tonic-gate 	 * Do special processing for -r (rlogin) flag
5097c478bd9Sstevel@tonic-gate 	 */
5107c478bd9Sstevel@tonic-gate 	if (rflag)
5117c478bd9Sstevel@tonic-gate 		process_rlogin();
5127c478bd9Sstevel@tonic-gate 
5137c478bd9Sstevel@tonic-gate 	/*
5147c478bd9Sstevel@tonic-gate 	 * validate user
5157c478bd9Sstevel@tonic-gate 	 */
5167c478bd9Sstevel@tonic-gate 	/* we are already authenticated. fill in what we must, then continue */
5177c478bd9Sstevel@tonic-gate 	if (fflag) {
5187c478bd9Sstevel@tonic-gate 		if ((pwd = getpwnam(user_name)) == NULL) {
5197c478bd9Sstevel@tonic-gate 			audit_error = ADT_FAIL_VALUE_USERNAME;
5207c478bd9Sstevel@tonic-gate 
5217c478bd9Sstevel@tonic-gate 			log_bad_attempts();
5227c478bd9Sstevel@tonic-gate 			(void) printf("Login failed: unknown user '%s'.\n",
5237c478bd9Sstevel@tonic-gate 			    user_name);
5247c478bd9Sstevel@tonic-gate 			login_exit(1);
5257c478bd9Sstevel@tonic-gate 		}
5267c478bd9Sstevel@tonic-gate 	} else {
5277c478bd9Sstevel@tonic-gate 		/*
5287c478bd9Sstevel@tonic-gate 		 * Perform the primary login authentication activity.
5297c478bd9Sstevel@tonic-gate 		 */
5307c478bd9Sstevel@tonic-gate 		login_authenticate();
5317c478bd9Sstevel@tonic-gate 	}
5327c478bd9Sstevel@tonic-gate 
5337c478bd9Sstevel@tonic-gate 	/* change root login, then we exec another login and try again */
5347c478bd9Sstevel@tonic-gate 	if (process_chroot_logins() != OK)
5357c478bd9Sstevel@tonic-gate 		login_exit(1);
5367c478bd9Sstevel@tonic-gate 
5377c478bd9Sstevel@tonic-gate 	/*
5387c478bd9Sstevel@tonic-gate 	 * If root login and not on system console then call exit(2)
5397c478bd9Sstevel@tonic-gate 	 */
5407c478bd9Sstevel@tonic-gate 	check_for_console();
5417c478bd9Sstevel@tonic-gate 
5427c478bd9Sstevel@tonic-gate 	/*
5437c478bd9Sstevel@tonic-gate 	 * Check to see if a shutdown is in progress, if it is and
5447c478bd9Sstevel@tonic-gate 	 * we are not root then throw the user off the system
5457c478bd9Sstevel@tonic-gate 	 */
5467c478bd9Sstevel@tonic-gate 	if (logins_disabled(user_name) == TRUE) {
5477c478bd9Sstevel@tonic-gate 		audit_error = ADT_FAIL_VALUE_LOGIN_DISABLED;
5487c478bd9Sstevel@tonic-gate 		login_exit(1);
5497c478bd9Sstevel@tonic-gate 	}
5507c478bd9Sstevel@tonic-gate 
5517c478bd9Sstevel@tonic-gate 	if (pwd->pw_uid == 0) {
5527c478bd9Sstevel@tonic-gate 		if (Def_supath != NULL)
5537c478bd9Sstevel@tonic-gate 			Def_path = Def_supath;
5547c478bd9Sstevel@tonic-gate 		else
5557c478bd9Sstevel@tonic-gate 			Def_path = DEF_SUPATH;
5567c478bd9Sstevel@tonic-gate 	}
5577c478bd9Sstevel@tonic-gate 
5587c478bd9Sstevel@tonic-gate 	/*
5597c478bd9Sstevel@tonic-gate 	 * Check account expiration and passwd aging
5607c478bd9Sstevel@tonic-gate 	 */
5617c478bd9Sstevel@tonic-gate 	validate_account();
5627c478bd9Sstevel@tonic-gate 
5637c478bd9Sstevel@tonic-gate 	/*
5647c478bd9Sstevel@tonic-gate 	 * We only get here if we've been authenticated.
5657c478bd9Sstevel@tonic-gate 	 */
5667c478bd9Sstevel@tonic-gate 
5677c478bd9Sstevel@tonic-gate 	/*
5687c478bd9Sstevel@tonic-gate 	 * Now we set up the environment for the new user, which includes
5697c478bd9Sstevel@tonic-gate 	 * the users ulimit, nice value, ownership of this tty, uid, gid,
5707c478bd9Sstevel@tonic-gate 	 * and environment variables.
5717c478bd9Sstevel@tonic-gate 	 */
5727c478bd9Sstevel@tonic-gate 	if (Def_ulimit > 0L && ulimit(SET_FSIZ, Def_ulimit) < 0L)
5737c478bd9Sstevel@tonic-gate 		(void) printf("Could not set ULIMIT to %ld\n", Def_ulimit);
5747c478bd9Sstevel@tonic-gate 
5757c478bd9Sstevel@tonic-gate 	/* di_devperm_login() sends detailed errors to syslog */
5767c478bd9Sstevel@tonic-gate 	if (di_devperm_login((const char *)ttyn, pwd->pw_uid, pwd->pw_gid,
5777c478bd9Sstevel@tonic-gate 	    NULL) == -1) {
5787c478bd9Sstevel@tonic-gate 		(void) fprintf(stderr, "error processing /etc/logindevperm,"
5797c478bd9Sstevel@tonic-gate 		    " see syslog for more details\n");
5807c478bd9Sstevel@tonic-gate 	}
5817c478bd9Sstevel@tonic-gate 
5827c478bd9Sstevel@tonic-gate 	adjust_nice();		/* passwd file can specify nice value */
5837c478bd9Sstevel@tonic-gate 
584f0243e0aSrz 	setup_credentials();	/* Set user credentials  - exits on failure */
585f0243e0aSrz 
586f0243e0aSrz 	/*
587f0243e0aSrz 	 * NOTE: telnetd and rlogind rely upon this updating of utmpx
588f0243e0aSrz 	 * to indicate that the authentication completed  successfully,
589f0243e0aSrz 	 * pam_open_session was called and therefore they are required to
590f0243e0aSrz 	 * call pam_close_session.
591f0243e0aSrz 	 */
5922de0a7d6SDan McDonald 	update_utmpx_entry(sublogin);
593f0243e0aSrz 
594f0243e0aSrz 	/* set the real (and effective) UID */
595f0243e0aSrz 	if (setuid(pwd->pw_uid) == -1) {
596f0243e0aSrz 		login_exit(1);
597f0243e0aSrz 	}
5987c478bd9Sstevel@tonic-gate 
5997c478bd9Sstevel@tonic-gate 	/*
6007c478bd9Sstevel@tonic-gate 	 * Set up the basic environment for the exec.  This includes
6017c478bd9Sstevel@tonic-gate 	 * HOME, PATH, LOGNAME, SHELL, TERM, TZ, HZ, and MAIL.
6027c478bd9Sstevel@tonic-gate 	 */
6037c478bd9Sstevel@tonic-gate 	chdir_to_dir_user();
6047c478bd9Sstevel@tonic-gate 
6057c478bd9Sstevel@tonic-gate 	establish_user_environment(renvp);
6067c478bd9Sstevel@tonic-gate 
6077c478bd9Sstevel@tonic-gate 	(void) pam_end(pamh, PAM_SUCCESS);	/* Done using PAM */
6087c478bd9Sstevel@tonic-gate 	pamh = NULL;
6097c478bd9Sstevel@tonic-gate 
6107c478bd9Sstevel@tonic-gate 	if (pwd->pw_uid == 0) {
6117c478bd9Sstevel@tonic-gate 		if (dosyslog) {
6127c478bd9Sstevel@tonic-gate 			if (remote_host[0]) {
6132a0352b4Sgww 				syslog(LOG_NOTICE, "ROOT LOGIN %s FROM %.*s",
6142a0352b4Sgww 				    ttyn, HMAX, remote_host);
6157c478bd9Sstevel@tonic-gate 			} else
6167c478bd9Sstevel@tonic-gate 				syslog(LOG_NOTICE, "ROOT LOGIN %s", ttyn);
6177c478bd9Sstevel@tonic-gate 		}
6187c478bd9Sstevel@tonic-gate 	}
6197c478bd9Sstevel@tonic-gate 	closelog();
6207c478bd9Sstevel@tonic-gate 
6217c478bd9Sstevel@tonic-gate 	(void) signal(SIGQUIT, SIG_DFL);
6227c478bd9Sstevel@tonic-gate 	(void) signal(SIGINT, SIG_DFL);
6237c478bd9Sstevel@tonic-gate 
6242de0a7d6SDan McDonald 	/*
6252de0a7d6SDan McDonald 	 * Display some useful information to the new user like the banner
6262de0a7d6SDan McDonald 	 * and last login time if not a quiet login.
6272de0a7d6SDan McDonald 	 */
6282de0a7d6SDan McDonald 
6292de0a7d6SDan McDonald 	if (access(HUSHLOGIN, F_OK) != 0) {
6302de0a7d6SDan McDonald 		print_banner();
6312de0a7d6SDan McDonald 		display_last_login_time();
6322de0a7d6SDan McDonald 	}
6332de0a7d6SDan McDonald 
6347c478bd9Sstevel@tonic-gate 	/*
6357c478bd9Sstevel@tonic-gate 	 * Set SIGXCPU and SIGXFSZ to default disposition.
6367c478bd9Sstevel@tonic-gate 	 * Shells inherit signal disposition from parent.
6377c478bd9Sstevel@tonic-gate 	 * And the shells should have default dispositions
6387c478bd9Sstevel@tonic-gate 	 * for the two below signals.
6397c478bd9Sstevel@tonic-gate 	 */
6407c478bd9Sstevel@tonic-gate 	(void) signal(SIGXCPU, SIG_DFL);
6417c478bd9Sstevel@tonic-gate 	(void) signal(SIGXFSZ, SIG_DFL);
6427c478bd9Sstevel@tonic-gate 
6437c478bd9Sstevel@tonic-gate 	/*
6447c478bd9Sstevel@tonic-gate 	 * Now fire off the shell of choice
6457c478bd9Sstevel@tonic-gate 	 */
6467c478bd9Sstevel@tonic-gate 	exec_the_shell();
6477c478bd9Sstevel@tonic-gate 
6487c478bd9Sstevel@tonic-gate 	/*
6497c478bd9Sstevel@tonic-gate 	 * All done
6507c478bd9Sstevel@tonic-gate 	 */
6517c478bd9Sstevel@tonic-gate 	login_exit(1);
652032624d5Sbasabi 	return (0);
6537c478bd9Sstevel@tonic-gate }
6547c478bd9Sstevel@tonic-gate 
6557c478bd9Sstevel@tonic-gate 
6567c478bd9Sstevel@tonic-gate /*
6577c478bd9Sstevel@tonic-gate  *			*** Utility functions ***
6587c478bd9Sstevel@tonic-gate  */
6597c478bd9Sstevel@tonic-gate 
6607c478bd9Sstevel@tonic-gate 
6617c478bd9Sstevel@tonic-gate 
6627c478bd9Sstevel@tonic-gate /*
6637c478bd9Sstevel@tonic-gate  * donothing & catch	- Signal catching functions
6647c478bd9Sstevel@tonic-gate  */
6657c478bd9Sstevel@tonic-gate 
6667c478bd9Sstevel@tonic-gate /*ARGSUSED*/
6677c478bd9Sstevel@tonic-gate static void
donothing(int sig)6687c478bd9Sstevel@tonic-gate donothing(int sig)
6697c478bd9Sstevel@tonic-gate {
6707c478bd9Sstevel@tonic-gate 	if (pamh)
6717c478bd9Sstevel@tonic-gate 		(void) pam_end(pamh, PAM_ABORT);
6727c478bd9Sstevel@tonic-gate }
6737c478bd9Sstevel@tonic-gate 
6747c478bd9Sstevel@tonic-gate #ifdef notdef
6757c478bd9Sstevel@tonic-gate static	int	intrupt;
6767c478bd9Sstevel@tonic-gate 
6777c478bd9Sstevel@tonic-gate /*ARGSUSED*/
6787c478bd9Sstevel@tonic-gate static void
catch(int sig)6797c478bd9Sstevel@tonic-gate catch(int sig)
6807c478bd9Sstevel@tonic-gate {
6817c478bd9Sstevel@tonic-gate 	++intrupt;
6827c478bd9Sstevel@tonic-gate }
6837c478bd9Sstevel@tonic-gate #endif
6847c478bd9Sstevel@tonic-gate 
6857c478bd9Sstevel@tonic-gate /*
6867c478bd9Sstevel@tonic-gate  *			*** Bad login logging support ***
6877c478bd9Sstevel@tonic-gate  */
6887c478bd9Sstevel@tonic-gate 
6897c478bd9Sstevel@tonic-gate /*
690723f377cSToomas Soome  * badlogin()		- log to the log file 'trys'
6917c478bd9Sstevel@tonic-gate  *			  unsuccessful attempts
6927c478bd9Sstevel@tonic-gate  */
6937c478bd9Sstevel@tonic-gate 
6947c478bd9Sstevel@tonic-gate static void
badlogin(void)6957c478bd9Sstevel@tonic-gate badlogin(void)
6967c478bd9Sstevel@tonic-gate {
6977c478bd9Sstevel@tonic-gate 	int retval, count1, fildes;
6987c478bd9Sstevel@tonic-gate 
6997c478bd9Sstevel@tonic-gate 	/*
7007c478bd9Sstevel@tonic-gate 	 * Tries to open the log file. If succeed, lock it and write
7017c478bd9Sstevel@tonic-gate 	 * in the failed attempts
7027c478bd9Sstevel@tonic-gate 	 */
7037c478bd9Sstevel@tonic-gate 	if ((fildes = open(LOGINLOG, O_APPEND|O_WRONLY)) != -1) {
7047c478bd9Sstevel@tonic-gate 
7057c478bd9Sstevel@tonic-gate 		(void) sigset(SIGALRM, donothing);
7067c478bd9Sstevel@tonic-gate 		(void) alarm(L_WAITTIME);
7077c478bd9Sstevel@tonic-gate 		retval = lockf(fildes, F_LOCK, 0L);
7087c478bd9Sstevel@tonic-gate 		(void) alarm(0);
7097c478bd9Sstevel@tonic-gate 		(void) sigset(SIGALRM, SIG_DFL);
7107c478bd9Sstevel@tonic-gate 		if (retval == 0) {
7117c478bd9Sstevel@tonic-gate 			for (count1 = 0; count1 < trys; count1++)
7127c478bd9Sstevel@tonic-gate 				(void) write(fildes, log_entry[count1],
7137c478bd9Sstevel@tonic-gate 				    (unsigned)strlen(log_entry[count1]));
7147c478bd9Sstevel@tonic-gate 			(void) lockf(fildes, F_ULOCK, 0L);
7157c478bd9Sstevel@tonic-gate 		}
7167c478bd9Sstevel@tonic-gate 		(void) close(fildes);
7177c478bd9Sstevel@tonic-gate 	}
7187c478bd9Sstevel@tonic-gate }
7197c478bd9Sstevel@tonic-gate 
7207c478bd9Sstevel@tonic-gate 
7217c478bd9Sstevel@tonic-gate /*
722723f377cSToomas Soome  * log_bad_attempts	- log each bad login attempt - called from
7237c478bd9Sstevel@tonic-gate  *			  login_authenticate.  Exits when the maximum attempt
7247c478bd9Sstevel@tonic-gate  *			  count is exceeded.
7257c478bd9Sstevel@tonic-gate  */
7267c478bd9Sstevel@tonic-gate 
7277c478bd9Sstevel@tonic-gate static void
log_bad_attempts(void)7287c478bd9Sstevel@tonic-gate log_bad_attempts(void)
7297c478bd9Sstevel@tonic-gate {
7307c478bd9Sstevel@tonic-gate 	time_t timenow;
7317c478bd9Sstevel@tonic-gate 
7327c478bd9Sstevel@tonic-gate 	if (trys >= LOGTRYS)
7337c478bd9Sstevel@tonic-gate 		return;
7347c478bd9Sstevel@tonic-gate 	if (writelog) {
7357c478bd9Sstevel@tonic-gate 		(void) time(&timenow);
7367c478bd9Sstevel@tonic-gate 		(void) strncat(log_entry[trys], user_name, LNAME_SIZE);
7377c478bd9Sstevel@tonic-gate 		(void) strncat(log_entry[trys], ":", (size_t)1);
7387c478bd9Sstevel@tonic-gate 		(void) strncat(log_entry[trys], ttyn, TTYN_SIZE);
7397c478bd9Sstevel@tonic-gate 		(void) strncat(log_entry[trys], ":", (size_t)1);
7402a0352b4Sgww 		(void) strncat(log_entry[trys], ctime(&timenow), TIME_SIZE);
7417c478bd9Sstevel@tonic-gate 		trys++;
7427c478bd9Sstevel@tonic-gate 	}
7437c478bd9Sstevel@tonic-gate 	if (count > flogin) {
7447c478bd9Sstevel@tonic-gate 		if ((pwd = getpwnam(user_name)) != NULL) {
7457c478bd9Sstevel@tonic-gate 			if (remote_host[0]) {
7467c478bd9Sstevel@tonic-gate 				syslog(LOG_NOTICE,
7477c478bd9Sstevel@tonic-gate 				    "Login failure on %s from %.*s, "
7487c478bd9Sstevel@tonic-gate 				    "%.*s", ttyn, HMAX, remote_host,
7497c478bd9Sstevel@tonic-gate 				    NMAX, user_name);
7507c478bd9Sstevel@tonic-gate 			} else {
7517c478bd9Sstevel@tonic-gate 				syslog(LOG_NOTICE,
7527c478bd9Sstevel@tonic-gate 				    "Login failure on %s, %.*s",
7537c478bd9Sstevel@tonic-gate 				    ttyn, NMAX, user_name);
7547c478bd9Sstevel@tonic-gate 			}
755723f377cSToomas Soome 		} else {
7567c478bd9Sstevel@tonic-gate 			if (remote_host[0]) {
7577c478bd9Sstevel@tonic-gate 				syslog(LOG_NOTICE,
7587c478bd9Sstevel@tonic-gate 				    "Login failure on %s from %.*s",
7597c478bd9Sstevel@tonic-gate 				    ttyn, HMAX, remote_host);
7607c478bd9Sstevel@tonic-gate 			} else {
7617c478bd9Sstevel@tonic-gate 				syslog(LOG_NOTICE,
7627c478bd9Sstevel@tonic-gate 				    "Login failure on %s", ttyn);
7637c478bd9Sstevel@tonic-gate 			}
7647c478bd9Sstevel@tonic-gate 		}
7657c478bd9Sstevel@tonic-gate 	}
7667c478bd9Sstevel@tonic-gate }
7677c478bd9Sstevel@tonic-gate 
7687c478bd9Sstevel@tonic-gate 
7697c478bd9Sstevel@tonic-gate /*
770723f377cSToomas Soome  * turn_on_logging	- if the logfile exist, turn on attempt logging and
7717c478bd9Sstevel@tonic-gate  *			  initialize the string storage area
7727c478bd9Sstevel@tonic-gate  */
7737c478bd9Sstevel@tonic-gate 
7747c478bd9Sstevel@tonic-gate static void
turn_on_logging(void)7757c478bd9Sstevel@tonic-gate turn_on_logging(void)
7767c478bd9Sstevel@tonic-gate {
7777c478bd9Sstevel@tonic-gate 	struct stat dbuf;
7787c478bd9Sstevel@tonic-gate 	int i;
7797c478bd9Sstevel@tonic-gate 
7807c478bd9Sstevel@tonic-gate 	if (stat(LOGINLOG, &dbuf) == 0) {
7817c478bd9Sstevel@tonic-gate 		writelog = 1;
7827c478bd9Sstevel@tonic-gate 		for (i = 0; i < LOGTRYS; i++) {
7837c478bd9Sstevel@tonic-gate 			if (!(log_entry[i] = malloc((size_t)ENT_SIZE))) {
7847c478bd9Sstevel@tonic-gate 				writelog = 0;
7857c478bd9Sstevel@tonic-gate 				break;
7867c478bd9Sstevel@tonic-gate 			}
7877c478bd9Sstevel@tonic-gate 			*log_entry[i] = '\0';
7887c478bd9Sstevel@tonic-gate 		}
7897c478bd9Sstevel@tonic-gate 	}
7907c478bd9Sstevel@tonic-gate }
7917c478bd9Sstevel@tonic-gate 
7927c478bd9Sstevel@tonic-gate 
7937c478bd9Sstevel@tonic-gate /*
7947c478bd9Sstevel@tonic-gate  * login_conv():
7957c478bd9Sstevel@tonic-gate  *	This is the conv (conversation) function called from
7967c478bd9Sstevel@tonic-gate  *	a PAM authentication module to print error messages
7977c478bd9Sstevel@tonic-gate  *	or garner information from the user.
7987c478bd9Sstevel@tonic-gate  */
7997c478bd9Sstevel@tonic-gate /*ARGSUSED*/
8007c478bd9Sstevel@tonic-gate static int
login_conv(int num_msg,struct pam_message ** msg,struct pam_response ** response,void * appdata_ptr)8017c478bd9Sstevel@tonic-gate login_conv(int num_msg, struct pam_message **msg,
8027c478bd9Sstevel@tonic-gate     struct pam_response **response, void *appdata_ptr)
8037c478bd9Sstevel@tonic-gate {
8047c478bd9Sstevel@tonic-gate 	struct pam_message	*m;
8057c478bd9Sstevel@tonic-gate 	struct pam_response	*r;
806723f377cSToomas Soome 	char			*temp;
8077c478bd9Sstevel@tonic-gate 	int			k, i;
8087c478bd9Sstevel@tonic-gate 
8097c478bd9Sstevel@tonic-gate 	if (num_msg <= 0)
8107c478bd9Sstevel@tonic-gate 		return (PAM_CONV_ERR);
8117c478bd9Sstevel@tonic-gate 
8127c478bd9Sstevel@tonic-gate 	*response = calloc(num_msg, sizeof (struct pam_response));
8137c478bd9Sstevel@tonic-gate 	if (*response == NULL)
8147c478bd9Sstevel@tonic-gate 		return (PAM_BUF_ERR);
8157c478bd9Sstevel@tonic-gate 
8167c478bd9Sstevel@tonic-gate 	k = num_msg;
8177c478bd9Sstevel@tonic-gate 	m = *msg;
8187c478bd9Sstevel@tonic-gate 	r = *response;
8197c478bd9Sstevel@tonic-gate 	while (k--) {
8207c478bd9Sstevel@tonic-gate 
8217c478bd9Sstevel@tonic-gate 		switch (m->msg_style) {
8227c478bd9Sstevel@tonic-gate 
8237c478bd9Sstevel@tonic-gate 		case PAM_PROMPT_ECHO_OFF:
8247d080b24Sas 			errno = 0;
8257c478bd9Sstevel@tonic-gate 			temp = getpassphrase(m->msg);
8267c478bd9Sstevel@tonic-gate 			if (temp != NULL) {
8277d080b24Sas 				if (errno == EINTR)
8287d080b24Sas 					return (PAM_CONV_ERR);
8297d080b24Sas 
8307c478bd9Sstevel@tonic-gate 				r->resp = strdup(temp);
8317c478bd9Sstevel@tonic-gate 				if (r->resp == NULL) {
8327c478bd9Sstevel@tonic-gate 					/* free responses */
8337c478bd9Sstevel@tonic-gate 					r = *response;
8347c478bd9Sstevel@tonic-gate 					for (i = 0; i < num_msg; i++, r++) {
8357c478bd9Sstevel@tonic-gate 						if (r->resp)
8367c478bd9Sstevel@tonic-gate 							free(r->resp);
8377c478bd9Sstevel@tonic-gate 					}
8387c478bd9Sstevel@tonic-gate 					free(*response);
8397c478bd9Sstevel@tonic-gate 					*response = NULL;
8407c478bd9Sstevel@tonic-gate 					return (PAM_BUF_ERR);
8417c478bd9Sstevel@tonic-gate 				}
8427c478bd9Sstevel@tonic-gate 			}
8437c478bd9Sstevel@tonic-gate 
8447c478bd9Sstevel@tonic-gate 			m++;
8457c478bd9Sstevel@tonic-gate 			r++;
8467c478bd9Sstevel@tonic-gate 			break;
8477c478bd9Sstevel@tonic-gate 
8487c478bd9Sstevel@tonic-gate 		case PAM_PROMPT_ECHO_ON:
8497c478bd9Sstevel@tonic-gate 			if (m->msg != NULL)
8507c478bd9Sstevel@tonic-gate 				(void) fputs(m->msg, stdout);
8517c478bd9Sstevel@tonic-gate 			r->resp = calloc(1, PAM_MAX_RESP_SIZE);
8527c478bd9Sstevel@tonic-gate 			if (r->resp == NULL) {
8537c478bd9Sstevel@tonic-gate 				/* free responses */
8547c478bd9Sstevel@tonic-gate 				r = *response;
8557c478bd9Sstevel@tonic-gate 				for (i = 0; i < num_msg; i++, r++) {
8567c478bd9Sstevel@tonic-gate 					if (r->resp)
8577c478bd9Sstevel@tonic-gate 						free(r->resp);
8587c478bd9Sstevel@tonic-gate 				}
8597c478bd9Sstevel@tonic-gate 				free(*response);
8607c478bd9Sstevel@tonic-gate 				*response = NULL;
8617c478bd9Sstevel@tonic-gate 				return (PAM_BUF_ERR);
8627c478bd9Sstevel@tonic-gate 			}
8637c478bd9Sstevel@tonic-gate 			/*
8647c478bd9Sstevel@tonic-gate 			 * The response might include environment variables
8657c478bd9Sstevel@tonic-gate 			 * information. We should store that information in
8667c478bd9Sstevel@tonic-gate 			 * envp if there is any; otherwise, envp is set to
8677c478bd9Sstevel@tonic-gate 			 * NULL.
8687c478bd9Sstevel@tonic-gate 			 */
8697c478bd9Sstevel@tonic-gate 			bzero((void *)inputline, MAXLINE);
8707c478bd9Sstevel@tonic-gate 
8717c478bd9Sstevel@tonic-gate 			envp = getargs(inputline);
8727c478bd9Sstevel@tonic-gate 
8737c478bd9Sstevel@tonic-gate 			/* If we read in any input, process it. */
8747c478bd9Sstevel@tonic-gate 			if (inputline[0] != '\0') {
8757c478bd9Sstevel@tonic-gate 				int len;
8767c478bd9Sstevel@tonic-gate 
8777c478bd9Sstevel@tonic-gate 				if (envp != (char **)NULL)
8787c478bd9Sstevel@tonic-gate 					/*
8797c478bd9Sstevel@tonic-gate 					 * If getargs() did not return NULL,
8807c478bd9Sstevel@tonic-gate 					 * *envp is the first string in
8817c478bd9Sstevel@tonic-gate 					 * inputline. envp++ makes envp point
8827c478bd9Sstevel@tonic-gate 					 * to environment variables information
8837c478bd9Sstevel@tonic-gate 					 *  or be NULL.
8847c478bd9Sstevel@tonic-gate 					 */
8857c478bd9Sstevel@tonic-gate 					envp++;
8867c478bd9Sstevel@tonic-gate 
8877c478bd9Sstevel@tonic-gate 				(void) strncpy(r->resp, inputline,
8882a0352b4Sgww 				    PAM_MAX_RESP_SIZE-1);
889723f377cSToomas Soome 				r->resp[PAM_MAX_RESP_SIZE-1] = '\0';
8907c478bd9Sstevel@tonic-gate 				len = strlen(r->resp);
8917c478bd9Sstevel@tonic-gate 				if (r->resp[len-1] == '\n')
8927c478bd9Sstevel@tonic-gate 					r->resp[len-1] = '\0';
8937c478bd9Sstevel@tonic-gate 			} else {
8947c478bd9Sstevel@tonic-gate 				login_exit(1);
8957c478bd9Sstevel@tonic-gate 			}
8967c478bd9Sstevel@tonic-gate 			m++;
8977c478bd9Sstevel@tonic-gate 			r++;
8987c478bd9Sstevel@tonic-gate 			break;
8997c478bd9Sstevel@tonic-gate 
9007c478bd9Sstevel@tonic-gate 		case PAM_ERROR_MSG:
9017c478bd9Sstevel@tonic-gate 			if (m->msg != NULL) {
9027c478bd9Sstevel@tonic-gate 				(void) fputs(m->msg, stderr);
9037c478bd9Sstevel@tonic-gate 				(void) fputs("\n", stderr);
9047c478bd9Sstevel@tonic-gate 			}
9057c478bd9Sstevel@tonic-gate 			m++;
9067c478bd9Sstevel@tonic-gate 			r++;
9077c478bd9Sstevel@tonic-gate 			break;
9087c478bd9Sstevel@tonic-gate 		case PAM_TEXT_INFO:
9097c478bd9Sstevel@tonic-gate 			if (m->msg != NULL) {
9107c478bd9Sstevel@tonic-gate 				(void) fputs(m->msg, stdout);
9117c478bd9Sstevel@tonic-gate 				(void) fputs("\n", stdout);
9127c478bd9Sstevel@tonic-gate 			}
9137c478bd9Sstevel@tonic-gate 			m++;
9147c478bd9Sstevel@tonic-gate 			r++;
9157c478bd9Sstevel@tonic-gate 			break;
9167c478bd9Sstevel@tonic-gate 
9177c478bd9Sstevel@tonic-gate 		default:
9187c478bd9Sstevel@tonic-gate 			break;
9197c478bd9Sstevel@tonic-gate 		}
9207c478bd9Sstevel@tonic-gate 	}
9217c478bd9Sstevel@tonic-gate 	return (PAM_SUCCESS);
9227c478bd9Sstevel@tonic-gate }
9237c478bd9Sstevel@tonic-gate 
9247c478bd9Sstevel@tonic-gate /*
9257c478bd9Sstevel@tonic-gate  * verify_passwd - Authenticates the user.
9267c478bd9Sstevel@tonic-gate  *	Returns: PAM_SUCCESS if authentication successful,
9277c478bd9Sstevel@tonic-gate  *		 PAM error code if authentication fails.
9287c478bd9Sstevel@tonic-gate  */
9297c478bd9Sstevel@tonic-gate 
9307c478bd9Sstevel@tonic-gate static int
verify_passwd(void)931032624d5Sbasabi verify_passwd(void)
9327c478bd9Sstevel@tonic-gate {
9337c478bd9Sstevel@tonic-gate 	int error;
9347c478bd9Sstevel@tonic-gate 	char *user;
93557c40785SJoep Vesseur 	int flag = (Passreqflag ? PAM_DISALLOW_NULL_AUTHTOK : 0);
9367c478bd9Sstevel@tonic-gate 
9377c478bd9Sstevel@tonic-gate 	/*
9387c478bd9Sstevel@tonic-gate 	 * PAM authenticates the user for us.
9397c478bd9Sstevel@tonic-gate 	 */
9402a0352b4Sgww 	error = pam_authenticate(pamh, flag);
9417c478bd9Sstevel@tonic-gate 
9427c478bd9Sstevel@tonic-gate 	/* get the user_name from the pam handle */
9437c478bd9Sstevel@tonic-gate 	(void) pam_get_item(pamh, PAM_USER, (void**)&user);
9447c478bd9Sstevel@tonic-gate 
9457c478bd9Sstevel@tonic-gate 	if (user == NULL || *user == '\0')
9467c478bd9Sstevel@tonic-gate 		return (PAM_SYSTEM_ERR);
9477c478bd9Sstevel@tonic-gate 
9487c478bd9Sstevel@tonic-gate 	SCPYL(user_name, user);
9497c478bd9Sstevel@tonic-gate 	check_for_dueling_unix(user_name);
9507c478bd9Sstevel@tonic-gate 
9512a0352b4Sgww 	if (((pwd = getpwnam(user_name)) == NULL) &&
9522a0352b4Sgww 	    (error != PAM_USER_UNKNOWN)) {
9537c478bd9Sstevel@tonic-gate 		return (PAM_SYSTEM_ERR);
9547c478bd9Sstevel@tonic-gate 	}
9557c478bd9Sstevel@tonic-gate 
9567c478bd9Sstevel@tonic-gate 	return (error);
9577c478bd9Sstevel@tonic-gate }
9587c478bd9Sstevel@tonic-gate 
9597c478bd9Sstevel@tonic-gate /*
9607c478bd9Sstevel@tonic-gate  * quotec		- Called by getargs
9617c478bd9Sstevel@tonic-gate  */
9627c478bd9Sstevel@tonic-gate 
9637c478bd9Sstevel@tonic-gate static int
quotec(void)9647c478bd9Sstevel@tonic-gate quotec(void)
9657c478bd9Sstevel@tonic-gate {
9667c478bd9Sstevel@tonic-gate 	int c, i, num;
9677c478bd9Sstevel@tonic-gate 
9687c478bd9Sstevel@tonic-gate 	switch (c = getc(stdin)) {
9697c478bd9Sstevel@tonic-gate 
9707c478bd9Sstevel@tonic-gate 		case 'n':
9717c478bd9Sstevel@tonic-gate 			c = '\n';
9727c478bd9Sstevel@tonic-gate 			break;
9737c478bd9Sstevel@tonic-gate 
9747c478bd9Sstevel@tonic-gate 		case 'r':
9757c478bd9Sstevel@tonic-gate 			c = '\r';
9767c478bd9Sstevel@tonic-gate 			break;
9777c478bd9Sstevel@tonic-gate 
9787c478bd9Sstevel@tonic-gate 		case 'v':
9797c478bd9Sstevel@tonic-gate 			c = '\013';
9807c478bd9Sstevel@tonic-gate 			break;
9817c478bd9Sstevel@tonic-gate 
9827c478bd9Sstevel@tonic-gate 		case 'b':
9837c478bd9Sstevel@tonic-gate 			c = '\b';
9847c478bd9Sstevel@tonic-gate 			break;
9857c478bd9Sstevel@tonic-gate 
9867c478bd9Sstevel@tonic-gate 		case 't':
9877c478bd9Sstevel@tonic-gate 			c = '\t';
9887c478bd9Sstevel@tonic-gate 			break;
9897c478bd9Sstevel@tonic-gate 
9907c478bd9Sstevel@tonic-gate 		case 'f':
9917c478bd9Sstevel@tonic-gate 			c = '\f';
9927c478bd9Sstevel@tonic-gate 			break;
9937c478bd9Sstevel@tonic-gate 
9947c478bd9Sstevel@tonic-gate 		case '0':
9957c478bd9Sstevel@tonic-gate 		case '1':
9967c478bd9Sstevel@tonic-gate 		case '2':
9977c478bd9Sstevel@tonic-gate 		case '3':
9987c478bd9Sstevel@tonic-gate 		case '4':
9997c478bd9Sstevel@tonic-gate 		case '5':
10007c478bd9Sstevel@tonic-gate 		case '6':
10017c478bd9Sstevel@tonic-gate 		case '7':
10027c478bd9Sstevel@tonic-gate 			for (num = 0, i = 0; i < 3; i++) {
10037c478bd9Sstevel@tonic-gate 				num = num * 8 + (c - '0');
10047c478bd9Sstevel@tonic-gate 				if ((c = getc(stdin)) < '0' || c > '7')
10057c478bd9Sstevel@tonic-gate 					break;
10067c478bd9Sstevel@tonic-gate 			}
10077c478bd9Sstevel@tonic-gate 			(void) ungetc(c, stdin);
10087c478bd9Sstevel@tonic-gate 			c = num & 0377;
10097c478bd9Sstevel@tonic-gate 			break;
10107c478bd9Sstevel@tonic-gate 
10117c478bd9Sstevel@tonic-gate 		default:
10127c478bd9Sstevel@tonic-gate 			break;
10137c478bd9Sstevel@tonic-gate 	}
10147c478bd9Sstevel@tonic-gate 	return (c);
10157c478bd9Sstevel@tonic-gate }
10167c478bd9Sstevel@tonic-gate 
10177c478bd9Sstevel@tonic-gate /*
10187c478bd9Sstevel@tonic-gate  * getargs		- returns an input line.  Exits if EOF encountered.
10197c478bd9Sstevel@tonic-gate  */
10207c478bd9Sstevel@tonic-gate #define	WHITESPACE	0
10217c478bd9Sstevel@tonic-gate #define	ARGUMENT	1
10227c478bd9Sstevel@tonic-gate 
10237c478bd9Sstevel@tonic-gate static char **
getargs(char * input_line)10247c478bd9Sstevel@tonic-gate getargs(char *input_line)
10257c478bd9Sstevel@tonic-gate {
10267c478bd9Sstevel@tonic-gate 	static char envbuf[MAXLINE];
10277c478bd9Sstevel@tonic-gate 	static char *args[MAXARGS];
10287c478bd9Sstevel@tonic-gate 	char *ptr, **answer;
10297c478bd9Sstevel@tonic-gate 	int c;
10307c478bd9Sstevel@tonic-gate 	int state;
10317c478bd9Sstevel@tonic-gate 	char *p = input_line;
10327c478bd9Sstevel@tonic-gate 
10337c478bd9Sstevel@tonic-gate 	ptr = envbuf;
10347c478bd9Sstevel@tonic-gate 	answer = &args[0];
10357c478bd9Sstevel@tonic-gate 	state = WHITESPACE;
10367c478bd9Sstevel@tonic-gate 
10377c478bd9Sstevel@tonic-gate 	while ((c = getc(stdin)) != EOF && answer < &args[MAXARGS-1]) {
10387c478bd9Sstevel@tonic-gate 
10397c478bd9Sstevel@tonic-gate 		*(input_line++) = c;
10407c478bd9Sstevel@tonic-gate 
10417c478bd9Sstevel@tonic-gate 		switch (c) {
10427c478bd9Sstevel@tonic-gate 
10437c478bd9Sstevel@tonic-gate 		case '\n':
10447c478bd9Sstevel@tonic-gate 			if (ptr == &envbuf[0])
10457c478bd9Sstevel@tonic-gate 				return ((char **)NULL);
10467c478bd9Sstevel@tonic-gate 			*input_line = *ptr = '\0';
10477c478bd9Sstevel@tonic-gate 			*answer = NULL;
10487c478bd9Sstevel@tonic-gate 			return (&args[0]);
10497c478bd9Sstevel@tonic-gate 
10507c478bd9Sstevel@tonic-gate 		case ' ':
10517c478bd9Sstevel@tonic-gate 		case '\t':
10527c478bd9Sstevel@tonic-gate 			if (state == ARGUMENT) {
10537c478bd9Sstevel@tonic-gate 				*ptr++ = '\0';
10547c478bd9Sstevel@tonic-gate 				state = WHITESPACE;
10557c478bd9Sstevel@tonic-gate 			}
10567c478bd9Sstevel@tonic-gate 			break;
10577c478bd9Sstevel@tonic-gate 
10587c478bd9Sstevel@tonic-gate 		case '\\':
10597c478bd9Sstevel@tonic-gate 			c = quotec();
10605196acaeSToomas Soome 			/* FALLTHROUGH */
10617c478bd9Sstevel@tonic-gate 
10627c478bd9Sstevel@tonic-gate 		default:
10637c478bd9Sstevel@tonic-gate 			if (state == WHITESPACE) {
10647c478bd9Sstevel@tonic-gate 				*answer++ = ptr;
10657c478bd9Sstevel@tonic-gate 				state = ARGUMENT;
10667c478bd9Sstevel@tonic-gate 			}
10677c478bd9Sstevel@tonic-gate 			*ptr++ = c;
10687c478bd9Sstevel@tonic-gate 		}
10697c478bd9Sstevel@tonic-gate 
10707c478bd9Sstevel@tonic-gate 		/* Attempt at overflow, exit */
10717c478bd9Sstevel@tonic-gate 		if (input_line - p >= MAXLINE - 1 ||
10727c478bd9Sstevel@tonic-gate 		    ptr >= &envbuf[sizeof (envbuf) - 1]) {
10737c478bd9Sstevel@tonic-gate 			audit_error = ADT_FAIL_VALUE_INPUT_OVERFLOW;
10747c478bd9Sstevel@tonic-gate 			login_exit(1);
10757c478bd9Sstevel@tonic-gate 		}
10767c478bd9Sstevel@tonic-gate 	}
10777c478bd9Sstevel@tonic-gate 
10787c478bd9Sstevel@tonic-gate 	/*
10797c478bd9Sstevel@tonic-gate 	 * If we left loop because an EOF was received or we've overflown
10807c478bd9Sstevel@tonic-gate 	 * args[], exit immediately.
10817c478bd9Sstevel@tonic-gate 	 */
10827c478bd9Sstevel@tonic-gate 	login_exit(0);
10837c478bd9Sstevel@tonic-gate 	/* NOTREACHED */
10847c478bd9Sstevel@tonic-gate }
10857c478bd9Sstevel@tonic-gate 
10867c478bd9Sstevel@tonic-gate /*
10877c478bd9Sstevel@tonic-gate  * get_user_name	- Gets the user name either passed in, or from the
10887c478bd9Sstevel@tonic-gate  *			  login: prompt.
10897c478bd9Sstevel@tonic-gate  */
10907c478bd9Sstevel@tonic-gate 
10917c478bd9Sstevel@tonic-gate static void
get_user_name(void)1092032624d5Sbasabi get_user_name(void)
10937c478bd9Sstevel@tonic-gate {
10947c478bd9Sstevel@tonic-gate 	FILE	*fp;
10957c478bd9Sstevel@tonic-gate 
10967c478bd9Sstevel@tonic-gate 	if ((fp = fopen(ISSUEFILE, "r")) != NULL) {
10977c478bd9Sstevel@tonic-gate 		char    *ptr, buffer[BUFSIZ];
10982a0352b4Sgww 		while ((ptr = fgets(buffer, sizeof (buffer), fp)) != NULL) {
10997c478bd9Sstevel@tonic-gate 			(void) fputs(ptr, stdout);
11007c478bd9Sstevel@tonic-gate 		}
11017c478bd9Sstevel@tonic-gate 		(void) fclose(fp);
11027c478bd9Sstevel@tonic-gate 	}
11037c478bd9Sstevel@tonic-gate 
11047c478bd9Sstevel@tonic-gate 	/*
11057c478bd9Sstevel@tonic-gate 	 * if TTYPROMPT is not set, use our own prompt
11067c478bd9Sstevel@tonic-gate 	 * otherwise, use ttyprompt. We just set PAM_USER_PROMPT
11077c478bd9Sstevel@tonic-gate 	 * and let the module do the prompting.
11087c478bd9Sstevel@tonic-gate 	 */
11097c478bd9Sstevel@tonic-gate 
11107c478bd9Sstevel@tonic-gate 	if ((ttyprompt == NULL) || (*ttyprompt == '\0'))
11117c478bd9Sstevel@tonic-gate 		(void) pam_set_item(pamh, PAM_USER_PROMPT, (void *)loginmsg);
11127c478bd9Sstevel@tonic-gate 	else
11137c478bd9Sstevel@tonic-gate 		(void) pam_set_item(pamh, PAM_USER_PROMPT, (void *)ttyprompt);
11147c478bd9Sstevel@tonic-gate 
11157c478bd9Sstevel@tonic-gate 	envp = &zero; /* XXX: is this right? */
11167c478bd9Sstevel@tonic-gate }
11177c478bd9Sstevel@tonic-gate 
11187c478bd9Sstevel@tonic-gate 
11197c478bd9Sstevel@tonic-gate /*
11207c478bd9Sstevel@tonic-gate  * Check_for_dueling_unix   -	Check to see if the another login is talking
11217c478bd9Sstevel@tonic-gate  *				to the line we've got open as a login port
11227c478bd9Sstevel@tonic-gate  *				Exits if we're talking to another unix system
11237c478bd9Sstevel@tonic-gate  */
11247c478bd9Sstevel@tonic-gate 
11257c478bd9Sstevel@tonic-gate static void
check_for_dueling_unix(char * inputline)11267c478bd9Sstevel@tonic-gate check_for_dueling_unix(char *inputline)
11277c478bd9Sstevel@tonic-gate {
11287c478bd9Sstevel@tonic-gate 	if (EQN(loginmsg, inputline) || EQN(passwdmsg, inputline) ||
11297c478bd9Sstevel@tonic-gate 	    EQN(incorrectmsg, inputline)) {
11307c478bd9Sstevel@tonic-gate 		(void) printf("Looking at a login line.\n");
11317c478bd9Sstevel@tonic-gate 		login_exit(8);
11327c478bd9Sstevel@tonic-gate 	}
11337c478bd9Sstevel@tonic-gate }
11347c478bd9Sstevel@tonic-gate 
11357c478bd9Sstevel@tonic-gate /*
1136723f377cSToomas Soome  * logins_disabled -	if the file /etc/nologin exists and the user is not
11377c478bd9Sstevel@tonic-gate  *			root then do not permit them to login
11387c478bd9Sstevel@tonic-gate  */
11397c478bd9Sstevel@tonic-gate static int
logins_disabled(char * user_name)11407c478bd9Sstevel@tonic-gate logins_disabled(char *user_name)
11417c478bd9Sstevel@tonic-gate {
11427c478bd9Sstevel@tonic-gate 	FILE	*nlfd;
11437c478bd9Sstevel@tonic-gate 	int	c;
11447c478bd9Sstevel@tonic-gate 	if (!EQN("root", user_name) &&
11452a0352b4Sgww 	    ((nlfd = fopen(NOLOGIN, "r")) != (FILE *)NULL)) {
11467c478bd9Sstevel@tonic-gate 		while ((c = getc(nlfd)) != EOF)
11477c478bd9Sstevel@tonic-gate 			(void) putchar(c);
11487c478bd9Sstevel@tonic-gate 		(void) fflush(stdout);
11497c478bd9Sstevel@tonic-gate 		(void) sleep(5);
11507c478bd9Sstevel@tonic-gate 		return (TRUE);
11517c478bd9Sstevel@tonic-gate 	}
11527c478bd9Sstevel@tonic-gate 	return (FALSE);
11537c478bd9Sstevel@tonic-gate }
11547c478bd9Sstevel@tonic-gate 
1155aecfc01dSrui zang - Sun Microsystems - Beijing China #define	DEFAULT_CONSOLE	"/dev/console"
1156aecfc01dSrui zang - Sun Microsystems - Beijing China 
11577c478bd9Sstevel@tonic-gate /*
11587c478bd9Sstevel@tonic-gate  * check_for_console -  Checks if we're getting a root login on the
1159aecfc01dSrui zang - Sun Microsystems - Beijing China  *			console, or a login from the global zone. Exits if not.
11607c478bd9Sstevel@tonic-gate  *
1161aecfc01dSrui zang - Sun Microsystems - Beijing China  * If CONSOLE is set to /dev/console in /etc/default/login, then root logins
1162aecfc01dSrui zang - Sun Microsystems - Beijing China  * on /dev/vt/# are permitted as well. /dev/vt/# does not exist in non-global
1163aecfc01dSrui zang - Sun Microsystems - Beijing China  * zones, but checking them does no harm.
11647c478bd9Sstevel@tonic-gate  */
11657c478bd9Sstevel@tonic-gate static void
check_for_console(void)11667c478bd9Sstevel@tonic-gate check_for_console(void)
11677c478bd9Sstevel@tonic-gate {
1168aecfc01dSrui zang - Sun Microsystems - Beijing China 	const char *consoles[] = { "/dev/console", "/dev/vt/", NULL };
1169aecfc01dSrui zang - Sun Microsystems - Beijing China 	int i;
1170aecfc01dSrui zang - Sun Microsystems - Beijing China 
1171aecfc01dSrui zang - Sun Microsystems - Beijing China 	if (pwd == NULL || pwd->pw_uid != 0 || zflag != B_FALSE ||
1172aecfc01dSrui zang - Sun Microsystems - Beijing China 	    Console == NULL)
1173aecfc01dSrui zang - Sun Microsystems - Beijing China 		return;
11747c478bd9Sstevel@tonic-gate 
1175aecfc01dSrui zang - Sun Microsystems - Beijing China 	if (strcmp(Console, DEFAULT_CONSOLE) == 0) {
1176aecfc01dSrui zang - Sun Microsystems - Beijing China 		for (i = 0; consoles[i] != NULL; i ++) {
1177aecfc01dSrui zang - Sun Microsystems - Beijing China 			if (strncmp(ttyn, consoles[i],
1178aecfc01dSrui zang - Sun Microsystems - Beijing China 			    strlen(consoles[i])) == 0)
1179aecfc01dSrui zang - Sun Microsystems - Beijing China 				return;
11807c478bd9Sstevel@tonic-gate 		}
1181aecfc01dSrui zang - Sun Microsystems - Beijing China 	} else {
1182aecfc01dSrui zang - Sun Microsystems - Beijing China 		if (strcmp(ttyn, Console) == 0)
1183aecfc01dSrui zang - Sun Microsystems - Beijing China 			return;
11847c478bd9Sstevel@tonic-gate 	}
1185aecfc01dSrui zang - Sun Microsystems - Beijing China 
1186aecfc01dSrui zang - Sun Microsystems - Beijing China 	(void) printf("Not on system console\n");
1187aecfc01dSrui zang - Sun Microsystems - Beijing China 
1188aecfc01dSrui zang - Sun Microsystems - Beijing China 	audit_error = ADT_FAIL_VALUE_CONSOLE;
1189aecfc01dSrui zang - Sun Microsystems - Beijing China 	login_exit(10);
1190aecfc01dSrui zang - Sun Microsystems - Beijing China 
11917c478bd9Sstevel@tonic-gate }
11927c478bd9Sstevel@tonic-gate 
11937c478bd9Sstevel@tonic-gate /*
11947c478bd9Sstevel@tonic-gate  * List of environment variables or environment variable prefixes that should
11957c478bd9Sstevel@tonic-gate  * not be propagated across logins, such as when the login -p option is used.
11967c478bd9Sstevel@tonic-gate  */
11977c478bd9Sstevel@tonic-gate static const char *const illegal[] = {
11987c478bd9Sstevel@tonic-gate 	"SHELL=",
11997c478bd9Sstevel@tonic-gate 	"HOME=",
12007c478bd9Sstevel@tonic-gate 	"LOGNAME=",
12017c478bd9Sstevel@tonic-gate #ifndef	NO_MAIL
12027c478bd9Sstevel@tonic-gate 	"MAIL=",
12037c478bd9Sstevel@tonic-gate #endif
12047c478bd9Sstevel@tonic-gate 	"CDPATH=",
12057c478bd9Sstevel@tonic-gate 	"IFS=",
12067c478bd9Sstevel@tonic-gate 	"PATH=",
12077c478bd9Sstevel@tonic-gate 	"LD_",
12087c478bd9Sstevel@tonic-gate 	"SMF_",
12097c478bd9Sstevel@tonic-gate 	NULL
12107c478bd9Sstevel@tonic-gate };
12117c478bd9Sstevel@tonic-gate 
12127c478bd9Sstevel@tonic-gate /*
12137c478bd9Sstevel@tonic-gate  * legalenvvar		- Is it legal to insert this environmental variable?
12147c478bd9Sstevel@tonic-gate  */
12157c478bd9Sstevel@tonic-gate 
12167c478bd9Sstevel@tonic-gate static int
legalenvvar(char * s)12177c478bd9Sstevel@tonic-gate legalenvvar(char *s)
12187c478bd9Sstevel@tonic-gate {
12197c478bd9Sstevel@tonic-gate 	const char *const *p;
12207c478bd9Sstevel@tonic-gate 
12217c478bd9Sstevel@tonic-gate 	for (p = &illegal[0]; *p; p++) {
12227c478bd9Sstevel@tonic-gate 		if (strncmp(s, *p, strlen(*p)) == 0)
12237c478bd9Sstevel@tonic-gate 			return (0);
12247c478bd9Sstevel@tonic-gate 	}
12257c478bd9Sstevel@tonic-gate 
12267c478bd9Sstevel@tonic-gate 	return (1);
12277c478bd9Sstevel@tonic-gate }
12287c478bd9Sstevel@tonic-gate 
12297c478bd9Sstevel@tonic-gate 
12307c478bd9Sstevel@tonic-gate /*
12317c478bd9Sstevel@tonic-gate  * getstr		- Get a string from standard input
12327c478bd9Sstevel@tonic-gate  *			  Calls exit if read(2) fails.
12337c478bd9S