summaryrefslogtreecommitdiff
path: root/loginutils
diff options
context:
space:
mode:
authorDenys Vlasenko2016-11-03 22:13:08 +0100
committerDenys Vlasenko2016-11-03 22:13:08 +0100
commit79e2598c48ad7e41d523f62368454c7d74f48268 (patch)
treeb061ea33e433dcd509a99dc9726251f2e0f785e5 /loginutils
parent2b288236e80938d29324072a823f46861bd07cd3 (diff)
downloadbusybox-79e2598c48ad7e41d523f62368454c7d74f48268.zip
busybox-79e2598c48ad7e41d523f62368454c7d74f48268.tar.gz
su: expand help; simplify passing of -c CMD to run_shell()
Also, added a comment about bug 9401 (TIOCSTI input injection). function old new delta packed_usage 30909 30932 +23 su_main 470 487 +17 sulogin_main 260 258 -2 run_applet_and_exit 681 678 -3 run_shell 166 126 -40 Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Diffstat (limited to 'loginutils')
-rw-r--r--loginutils/login.c2
-rw-r--r--loginutils/su.c33
-rw-r--r--loginutils/sulogin.c2
3 files changed, 31 insertions, 6 deletions
diff --git a/loginutils/login.c b/loginutils/login.c
index 94b6c45..52abc18 100644
--- a/loginutils/login.c
+++ b/loginutils/login.c
@@ -618,7 +618,7 @@ int login_main(int argc UNUSED_PARAM, char **argv)
signal(SIGINT, SIG_DFL);
/* Exec login shell with no additional parameters */
- run_shell(pw->pw_shell, 1, NULL, NULL);
+ run_shell(pw->pw_shell, 1, NULL);
/* return EXIT_FAILURE; - not reached */
}
diff --git a/loginutils/su.c b/loginutils/su.c
index 3c0e8c1..24ffbde 100644
--- a/loginutils/su.c
+++ b/loginutils/su.c
@@ -31,10 +31,10 @@
//kbuild:lib-$(CONFIG_SU) += su.o
//usage:#define su_trivial_usage
-//usage: "[OPTIONS] [-] [USER]"
+//usage: "[-lmp] [-] [-s SH] [USER [SCRIPT ARGS / -c 'CMD' ARG0 ARGS]]"
//usage:#define su_full_usage "\n\n"
//usage: "Run shell under USER (by default, root)\n"
-//usage: "\n -,-l Clear environment, run shell as login shell"
+//usage: "\n -,-l Clear environment, go to home dir, run shell as login shell"
//usage: "\n -p,-m Do not set new $HOME, $SHELL, $USER, $LOGNAME"
//usage: "\n -c CMD Command to pass to 'sh -c'"
//usage: "\n -s SH Shell to use instead of user's default"
@@ -81,8 +81,12 @@ int su_main(int argc UNUSED_PARAM, char **argv)
#endif
const char *old_user;
+ /* Note: we don't use "'+': stop at first non-option" idiom here.
+ * For su, "SCRIPT ARGS" or "-c CMD ARGS" do not stop option parsing:
+ * ARGS starting with dash will be treated as su options,
+ * not passed to shell. (Tested on util-linux 2.28).
+ */
flags = getopt32(argv, "mplc:s:", &opt_command, &opt_shell);
- //argc -= optind;
argv += optind;
if (argv[0] && LONE_DASH(argv[0])) {
@@ -162,8 +166,29 @@ int su_main(int argc UNUSED_PARAM, char **argv)
pw);
IF_SELINUX(set_current_security_context(NULL);)
+ if (opt_command) {
+ *--argv = opt_command;
+ *--argv = (char*)"-c";
+ }
+
+ /* A nasty ioctl exists which can stuff data into input queue:
+ * #include <sys/ioctl.h>
+ * int main() {
+ * const char *msg = "echo $UID\n";
+ * while (*msg) ioctl(0, TIOCSTI, *msg++);
+ * return 0;
+ * }
+ * With "su USER -c EXPLOIT" run by root, exploit can make root shell
+ * read as input and execute arbitrary command.
+ * It's debatable whether we need to protect against this
+ * (root may hesitate to run unknown scripts interactively).
+ *
+ * Some versions of su run -c CMD in a different session:
+ * ioctl(TIOCSTI) works only on the controlling tty.
+ */
+
/* Never returns */
- run_shell(opt_shell, flags & SU_OPT_l, opt_command, (const char**)argv);
+ run_shell(opt_shell, flags & SU_OPT_l, (const char**)argv);
/* return EXIT_FAILURE; - not reached */
}
diff --git a/loginutils/sulogin.c b/loginutils/sulogin.c
index 6befea9..2e32e2b 100644
--- a/loginutils/sulogin.c
+++ b/loginutils/sulogin.c
@@ -89,5 +89,5 @@ int sulogin_main(int argc UNUSED_PARAM, char **argv)
shell = pwd->pw_shell;
/* Exec login shell with no additional parameters. Never returns. */
- run_shell(shell, 1, NULL, NULL);
+ run_shell(shell, 1, NULL);
}