From acf9a8dd54d1b1cb01e361784146a062a29e1487 Mon Sep 17 00:00:00 2001 From: Sebastian Huber Date: Fri, 14 Nov 2014 14:31:54 +0100 Subject: shell: Use crypt_r() in rtems_shell_login_check() Use '*" to disable shell login instead of '!' according to the Linux man page. Use getpwnam_r() instead of getpwnam(). Do not access the user environment directly. Update the user environment only after a successful login check. --- cpukit/libmisc/shell/login_check.c | 55 +++++++----- testsuites/libtests/Makefile.am | 1 + testsuites/libtests/configure.ac | 1 + testsuites/libtests/shell01/Makefile.am | 19 +++++ testsuites/libtests/shell01/init.c | 145 ++++++++++++++++++++++++++++++++ testsuites/libtests/shell01/shell01.doc | 11 +++ testsuites/libtests/shell01/shell01.scn | 2 + testsuites/samples/fileio/init.c | 13 ++- 8 files changed, 224 insertions(+), 23 deletions(-) create mode 100644 testsuites/libtests/shell01/Makefile.am create mode 100644 testsuites/libtests/shell01/init.c create mode 100644 testsuites/libtests/shell01/shell01.doc create mode 100644 testsuites/libtests/shell01/shell01.scn diff --git a/cpukit/libmisc/shell/login_check.c b/cpukit/libmisc/shell/login_check.c index 8be5be2c1a..372d059631 100644 --- a/cpukit/libmisc/shell/login_check.c +++ b/cpukit/libmisc/shell/login_check.c @@ -5,10 +5,10 @@ */ /* - * Copyright (c) 2009 embedded brains GmbH and others. + * Copyright (c) 2009-2014 embedded brains GmbH and others. * * embedded brains GmbH - * Obere Lagerstr. 30 + * Dornierstr. 4 * D-82178 Puchheim * Germany * @@ -30,36 +30,53 @@ #include #include #include +#include #include -#include bool rtems_shell_login_check( const char *user, const char *passphrase ) { - struct passwd *pw = getpwnam( user); + char buf[256]; + struct passwd *pw_res; + struct passwd pw; + int eno; + bool ok; + + eno = getpwnam_r(user, &pw, &buf[0], sizeof(buf), &pw_res); /* Valid user? */ - if (pw != NULL && strcmp( pw->pw_passwd, "!") != 0) { - rtems_shell_env_t *env = rtems_shell_get_current_env(); - setuid( pw->pw_uid); - setgid( pw->pw_gid); - rtems_current_user_env->euid = 0; - rtems_current_user_env->egid = 0; - if (env) - chown( env->devname, pw->pw_uid, 0); - rtems_current_user_env->euid = pw->pw_uid; - rtems_current_user_env->egid = pw->pw_gid; - if (strcmp( pw->pw_passwd, "*") == 0) { + if (eno == 0 && strcmp(pw.pw_passwd, "*") != 0) { + if (strcmp(pw.pw_passwd, "") == 0) { + ok = true; + } else if (strcmp(pw.pw_passwd, "x") == 0) { /* TODO: /etc/shadow */ - return true; + ok = false; } else { - /* TODO: crypt() */ - return true; + struct crypt_data data; + char *s; + + s = crypt_r(passphrase, pw.pw_passwd, &data); + ok = strcmp(s, pw.pw_passwd) == 0; } + } else { + ok = false; + } + + if (ok) { + rtems_shell_env_t *env = rtems_shell_get_current_env(); + + if (env != NULL) { + chown(env->devname, pw.pw_uid, 0); + } + + setuid(pw.pw_uid); + setgid(pw.pw_gid); + seteuid(pw.pw_uid); + setegid(pw.pw_gid); } - return false; + return ok; } diff --git a/testsuites/libtests/Makefile.am b/testsuites/libtests/Makefile.am index b04535c927..a5261a484b 100644 --- a/testsuites/libtests/Makefile.am +++ b/testsuites/libtests/Makefile.am @@ -1,6 +1,7 @@ ACLOCAL_AMFLAGS = -I ../aclocal _SUBDIRS = POSIX +_SUBDIRS += shell01 _SUBDIRS += pwdgrp01 _SUBDIRS += crypt01 _SUBDIRS += sha diff --git a/testsuites/libtests/configure.ac b/testsuites/libtests/configure.ac index b1a7277948..80245f9c64 100644 --- a/testsuites/libtests/configure.ac +++ b/testsuites/libtests/configure.ac @@ -66,6 +66,7 @@ AS_IF([test x"$HAVE_LIBDL" = x"yes"],[ # Explicitly list all Makefiles here AC_CONFIG_FILES([Makefile +shell01/Makefile pwdgrp01/Makefile crypt01/Makefile sha/Makefile diff --git a/testsuites/libtests/shell01/Makefile.am b/testsuites/libtests/shell01/Makefile.am new file mode 100644 index 0000000000..c44ba8fda0 --- /dev/null +++ b/testsuites/libtests/shell01/Makefile.am @@ -0,0 +1,19 @@ +rtems_tests_PROGRAMS = shell01 +shell01_SOURCES = init.c + +dist_rtems_tests_DATA = shell01.scn shell01.doc + +include $(RTEMS_ROOT)/make/custom/@RTEMS_BSP@.cfg +include $(top_srcdir)/../automake/compile.am +include $(top_srcdir)/../automake/leaf.am + +AM_CPPFLAGS += -I$(top_srcdir)/../support/include + +LINK_OBJS = $(shell01_OBJECTS) +LINK_LIBS = $(shell01_LDLIBS) + +shell01$(EXEEXT): $(shell01_OBJECTS) $(shell01_DEPENDENCIES) + @rm -f shell01$(EXEEXT) + $(make-exe) + +include $(top_srcdir)/../automake/local.am diff --git a/testsuites/libtests/shell01/init.c b/testsuites/libtests/shell01/init.c new file mode 100644 index 0000000000..413ce6ebb6 --- /dev/null +++ b/testsuites/libtests/shell01/init.c @@ -0,0 +1,145 @@ +/* + * Copyright (c) 2014 embedded brains GmbH. All rights reserved. + * + * embedded brains GmbH + * Dornierstr. 4 + * 82178 Puchheim + * Germany + * + * + * The license and distribution terms for this file may be + * found in the file LICENSE in this distribution or at + * http://www.rtems.org/license/LICENSE. + */ + +#ifdef HAVE_CONFIG_H + #include "config.h" +#endif + +#include +#include +#include +#include +#include +#include +#include + +#include + +#include "tmacros.h" + +const char rtems_test_name[] = "SHELL 1"; + +static void create_file(const char *name, const char *content) +{ + FILE *fp; + int rv; + + fp = fopen(name, "wx"); + rtems_test_assert(fp != NULL); + + rv = fputs(content, fp); + rtems_test_assert(rv == 0); + + rv = fclose(fp); + rtems_test_assert(rv == 0); +} + +static void test(void) +{ + bool ok; + int rv; + + rv = mkdir("/etc", S_IRWXU | S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH); + rtems_test_assert(rv == 0); + + create_file( + "/etc/passwd", + "moop:foo:1:3:blob:a::c\n" + "no:*:2:4::::\n" + "zero::3:5::::\n" + "shadow:x:4:6::::\n" + ); + + create_file( + "/etc/group", + "A::1:moop,u,v,w,zero\n" + "B::2:moop\n" + "blub:bar:3:moop\n" + "C::4:l,m,n,moop\n" + "D::5:moop,moop\n" + "E::6:x\n" + "E::7:y,z\n" + "F::8:s,moop,t\n" + ); + + rv = setuid(0); + rtems_test_assert(rv == 0); + + rv = seteuid(0); + rtems_test_assert(rv == 0); + + ok = rtems_shell_login_check("inv", NULL); + rtems_test_assert(!ok); + + ok = rtems_shell_login_check("no", NULL); + rtems_test_assert(!ok); + + ok = rtems_shell_login_check("shadow", NULL); + rtems_test_assert(!ok); + + ok = rtems_shell_login_check("moop", "false"); + rtems_test_assert(!ok); + + rtems_test_assert(getuid() == 0); + rtems_test_assert(geteuid() == 0); + rtems_test_assert(getgid() == 0); + rtems_test_assert(getegid() == 0); + + ok = rtems_shell_login_check("zero", NULL); + rtems_test_assert(ok); + rtems_test_assert(getuid() == 3); + rtems_test_assert(geteuid() == 3); + rtems_test_assert(getgid() == 5); + rtems_test_assert(getegid() == 5); + + ok = rtems_shell_login_check("moop", "foo"); + rtems_test_assert(ok); + rtems_test_assert(getuid() == 1); + rtems_test_assert(geteuid() == 1); + rtems_test_assert(getgid() == 3); + rtems_test_assert(getegid() == 3); +} + +static void Init(rtems_task_argument arg) +{ + TEST_BEGIN(); + + test(); + + TEST_END(); + rtems_test_exit(0); +} + +#define CONFIGURE_APPLICATION_DOES_NOT_NEED_CLOCK_DRIVER +#define CONFIGURE_APPLICATION_NEEDS_CONSOLE_DRIVER + +#define CONFIGURE_USE_IMFS_AS_BASE_FILESYSTEM + +#define CONFIGURE_LIBIO_MAXIMUM_FILE_DESCRIPTORS 4 + +#define CONFIGURE_MAXIMUM_TASKS 1 +#define CONFIGURE_MAXIMUM_POSIX_KEYS 1 +#define CONFIGURE_MAXIMUM_POSIX_KEY_VALUE_PAIRS 1 + +#define CONFIGURE_INITIAL_EXTENSIONS RTEMS_TEST_INITIAL_EXTENSION + +#define CONFIGURE_RTEMS_INIT_TASKS_TABLE + +#define CONFIGURE_INIT + +#include + +#define CONFIGURE_SHELL_COMMANDS_INIT + +#include diff --git a/testsuites/libtests/shell01/shell01.doc b/testsuites/libtests/shell01/shell01.doc new file mode 100644 index 0000000000..e3b004478b --- /dev/null +++ b/testsuites/libtests/shell01/shell01.doc @@ -0,0 +1,11 @@ +This file describes the directives and concepts tested by this test set. + +test set name: shell01 + +directives: + + - rtems_shell_login_check + +concepts: + + - Ensure that rtems_shell_login_check() works as expected. diff --git a/testsuites/libtests/shell01/shell01.scn b/testsuites/libtests/shell01/shell01.scn new file mode 100644 index 0000000000..cf6082fbf8 --- /dev/null +++ b/testsuites/libtests/shell01/shell01.scn @@ -0,0 +1,2 @@ +*** BEGIN OF TEST SHELL 1 *** +*** END OF TEST SHELL 1 *** diff --git a/testsuites/samples/fileio/init.c b/testsuites/samples/fileio/init.c index 2b60922b1c..735b5883bc 100644 --- a/testsuites/samples/fileio/init.c +++ b/testsuites/samples/fileio/init.c @@ -13,6 +13,7 @@ #define CONFIGURE_INIT #include "system.h" +#include #include #include #include @@ -641,10 +642,11 @@ static void fileio_start_shell(void) writeFile( "/etc/passwd", 0644, - "root:7QR4o148UPtb.:0:0:root::/:/bin/sh\n" - "rtems:*:1:1:RTEMS Application::/:/bin/sh\n" - "test:8Yy.AaxynxbLI:2:2:test account::/:/bin/sh\n" - "tty:!:3:3:tty owner::/:/bin/false\n" + "root:$6$$FuPOhnllx6lhW2qqlnmWvZQLJ8Thr/09I7ESTdb9VbnTOn5.65" + "/Vh2Mqa6FoKXwT0nHS/O7F0KfrDc6Svb/sH.:0:0:root::/:/bin/sh\n" + "rtems::1:1:RTEMS Application::/:/bin/sh\n" + "test:$1$$oPu1Xt2Pw0ngIc7LyDHqu1:2:2:test account::/:/bin/sh\n" + "tty:*:3:3:tty owner::/:/bin/false\n" ); writeFile( "/etc/group", @@ -1225,6 +1227,9 @@ Init (rtems_task_argument ignored) TEST_BEGIN(); + crypt_add_format(&crypt_md5_format); + crypt_add_format(&crypt_sha512_format); + status = rtems_shell_wait_for_input( STDIN_FILENO, 20, -- cgit v1.2.3