su: move restricted_shell into su.c (the only user)

function old new delta su_main 448 468 +20 buffer_fill_and_print 179 196 +17 scriptreplay_main 205 208 +3 localcmd 275 277 +2 hash_find 233 234 +1 devmem_main 469 463 -6 install_main 724 716 -8 setusershell 11 - -11 find_pair 187 169 -18 restricted_shell 49 - -49 ------------------------------------------------------------------------------ (add/remove: 0/3 grow/shrink: 5/3 up/down: 43/-92) Total: -49 bytes Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
author: Denys Vlasenko <vda.linux@googlemail.com> 2010-02-26 10:01:18 +0100
committer: Denys Vlasenko <vda.linux@googlemail.com> 2010-02-26 10:01:18 +0100
commit: 26ffe81188a5555824bc86b1953517f7ba4524a9 (patch)
tree: 79b05ca36349747f5bf5eee0cfcf87a29db5f233
parent: fd686a262fa34b71900b010b4b31d7e2e3f3385c (diff)
download: busybox-w32-26ffe81188a5555824bc86b1953517f7ba4524a9.tar.gz
busybox-w32-26ffe81188a5555824bc86b1953517f7ba4524a9.tar.bz2
busybox-w32-26ffe81188a5555824bc86b1953517f7ba4524a9.zip
4 files changed, 18 insertions, 49 deletions
diff --git a/include/libbb.h b/include/libbb.h
index 98080e841..515e995d0 100644
--- a/include/libbb.h
+++ b/include/libbb.h
@@ -1139,7 +1139,6 @@ extern void selinux_preserve_fcontext(int fdesc) FAST_FUNC;
 #define selinux_preserve_fcontext(fdesc) ((void)0)
 #endif
 extern void selinux_or_die(void) FAST_FUNC;
-extern int restricted_shell(const char *shell) FAST_FUNC;
 /* setup_environment:
 * if chdir pw->pw_dir: ok: else if to_tmp == 1: goto /tmp else: goto / or die
diff --git a/libbb/Kbuild b/libbb/Kbuild
index c205ceb4c..49cf4b8ad 100644
--- a/libbb/Kbuild
+++ b/libbb/Kbuild
@@ -84,7 +84,6 @@ lib-y += read.o
 lib-y += read_key.o
 lib-y += recursive_action.o
 lib-y += remove_file.o
-lib-y += restricted_shell.o
 lib-y += run_shell.o
 lib-y += safe_gethostname.o
 lib-y += safe_poll.o
diff --git a/libbb/restricted_shell.c b/libbb/restricted_shell.c
deleted file mode 100644
index 2a5073f03..000000000
--- a/libbb/restricted_shell.c
+++ /dev/null
@@ -1,46 +0,0 @@
-/* vi: set sw=4 ts=4: */
-/*
- * Copyright 1989 - 1991, Julianne Frances Haugh <jockgrrl@austin.rr.com>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. Neither the name of Julianne F. Haugh nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY JULIE HAUGH AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL JULIE HAUGH OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-#include "libbb.h"
-/* Return 1 if SHELL is a restricted shell (one not returned by
-   getusershell), else 0, meaning it is a standard shell.  */
-int FAST_FUNC restricted_shell(const char *shell)
-{
-        char *line;
-        setusershell();
-        while ((line = getusershell())) {
-                if (*line != '#' && strcmp(line, shell) == 0)
-                        return 0;
-        }
-        endusershell();
-        return 1;
-}
diff --git a/loginutils/su.c b/loginutils/su.c
index 6356631b8..af25655fd 100644
--- a/loginutils/su.c
+++ b/loginutils/su.c
@@ -8,6 +8,23 @@
 #include "libbb.h"
 #include <syslog.h>
+#if ENABLE_FEATURE_SU_CHECKS_SHELLS
+/* Return 1 if SHELL is a restricted shell (one not returned by
+   getusershell), else 0, meaning it is a standard shell.  */
+static int restricted_shell(const char *shell)
+{
+        char *line;
+        /*setusershell(); - getusershell does it itself*/
+        while ((line = getusershell()) != NULL) {
+                if (/* *line != '#' && */ strcmp(line, shell) == 0)
+                        return 0;
+        }
+        endusershell();
+        return 1;
+}
+#endif
 #define SU_OPT_mp (3)
 #define SU_OPT_l (4)
@@ -89,7 +106,7 @@ int su_main(int argc UNUSED_PARAM, char **argv)
                opt_shell = getenv("SHELL");
 #if ENABLE_FEATURE_SU_CHECKS_SHELLS
-        if (opt_shell && cur_uid && restricted_shell(pw->pw_shell)) {
+        if (opt_shell && cur_uid != 0 && restricted_shell(pw->pw_shell)) {
                /* The user being su'd to has a nonstandard shell, and so is
                   probably a uucp account or has restricted access.  Don't
                   compromise the account by allowing access with a standard
author	Denys Vlasenko <vda.linux@googlemail.com>	2010-02-26 10:01:18 +0100
committer	Denys Vlasenko <vda.linux@googlemail.com>	2010-02-26 10:01:18 +0100
commit	26ffe81188a5555824bc86b1953517f7ba4524a9 (patch)
tree	79b05ca36349747f5bf5eee0cfcf87a29db5f233
parent	fd686a262fa34b71900b010b4b31d7e2e3f3385c (diff)
download	busybox-w32-26ffe81188a5555824bc86b1953517f7ba4524a9.tar.gz busybox-w32-26ffe81188a5555824bc86b1953517f7ba4524a9.tar.bz2 busybox-w32-26ffe81188a5555824bc86b1953517f7ba4524a9.zip

diff --git a/include/libbb.h b/include/libbb.h index 98080e841..515e995d0 100644 --- a/include/libbb.h +++ b/include/libbb.h
@@ -1139,7 +1139,6 @@ extern void selinux_preserve_fcontext(int fdesc) FAST_FUNC;
1139	#define selinux_preserve_fcontext(fdesc) ((void)0)	1139	#define selinux_preserve_fcontext(fdesc) ((void)0)
1140	#endif	1140	#endif
1141	extern void selinux_or_die(void) FAST_FUNC;	1141	extern void selinux_or_die(void) FAST_FUNC;
1142	extern int restricted_shell(const char *shell) FAST_FUNC;
1143		1142
1144	/* setup_environment:	1143	/* setup_environment:
1145	* if chdir pw->pw_dir: ok: else if to_tmp == 1: goto /tmp else: goto / or die	1144	* if chdir pw->pw_dir: ok: else if to_tmp == 1: goto /tmp else: goto / or die


diff --git a/libbb/Kbuild b/libbb/Kbuild index c205ceb4c..49cf4b8ad 100644 --- a/libbb/Kbuild +++ b/libbb/Kbuild
@@ -84,7 +84,6 @@ lib-y += read.o
84	lib-y += read_key.o	84	lib-y += read_key.o
85	lib-y += recursive_action.o	85	lib-y += recursive_action.o
86	lib-y += remove_file.o	86	lib-y += remove_file.o
87	lib-y += restricted_shell.o
88	lib-y += run_shell.o	87	lib-y += run_shell.o
89	lib-y += safe_gethostname.o	88	lib-y += safe_gethostname.o
90	lib-y += safe_poll.o	89	lib-y += safe_poll.o


diff --git a/libbb/restricted_shell.c b/libbb/restricted_shell.c deleted file mode 100644 index 2a5073f03..000000000 --- a/libbb/restricted_shell.c +++ /dev/null
@@ -1,46 +0,0 @@
1	/* vi: set sw=4 ts=4: */
2	/*
3	* Copyright 1989 - 1991, Julianne Frances Haugh <jockgrrl@austin.rr.com>
4	* All rights reserved.
5	*
6	* Redistribution and use in source and binary forms, with or without
7	* modification, are permitted provided that the following conditions
8	* are met:
9	* 1. Redistributions of source code must retain the above copyright
10	* notice, this list of conditions and the following disclaimer.
11	* 2. Redistributions in binary form must reproduce the above copyright
12	* notice, this list of conditions and the following disclaimer in the
13	* documentation and/or other materials provided with the distribution.
14	* 3. Neither the name of Julianne F. Haugh nor the names of its contributors
15	* may be used to endorse or promote products derived from this software
16	* without specific prior written permission.
17	*
18	* THIS SOFTWARE IS PROVIDED BY JULIE HAUGH AND CONTRIBUTORS ``AS IS'' AND
19	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
21	* ARE DISCLAIMED. IN NO EVENT SHALL JULIE HAUGH OR CONTRIBUTORS BE LIABLE
22	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
24	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
27	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
28	* SUCH DAMAGE.
29	*/
30
31	#include "libbb.h"
32
33	/* Return 1 if SHELL is a restricted shell (one not returned by
34	getusershell), else 0, meaning it is a standard shell. */
35	int FAST_FUNC restricted_shell(const char *shell)
36	{
37	char *line;
38
39	setusershell();
40	while ((line = getusershell())) {
41	if (*line != '#' && strcmp(line, shell) == 0)
42	return 0;
43	}
44	endusershell();
45	return 1;
46	}


diff --git a/loginutils/su.c b/loginutils/su.c index 6356631b8..af25655fd 100644 --- a/loginutils/su.c +++ b/loginutils/su.c
@@ -8,6 +8,23 @@
8	#include "libbb.h"	8	#include "libbb.h"
9	#include <syslog.h>	9	#include <syslog.h>
10		10
		11	#if ENABLE_FEATURE_SU_CHECKS_SHELLS
		12	/* Return 1 if SHELL is a restricted shell (one not returned by
		13	getusershell), else 0, meaning it is a standard shell. */
		14	static int restricted_shell(const char *shell)
		15	{
		16	char *line;
		17
		18	/setusershell(); - getusershell does it itself/
		19	while ((line = getusershell()) != NULL) {
		20	if (/* line != '#' && / strcmp(line, shell) == 0)
		21	return 0;
		22	}
		23	endusershell();
		24	return 1;
		25	}
		26	#endif
		27
11	#define SU_OPT_mp (3)	28	#define SU_OPT_mp (3)
12	#define SU_OPT_l (4)	29	#define SU_OPT_l (4)
13		30
@@ -89,7 +106,7 @@ int su_main(int argc UNUSED_PARAM, char **argv)
89	opt_shell = getenv("SHELL");	106	opt_shell = getenv("SHELL");
90		107
91	#if ENABLE_FEATURE_SU_CHECKS_SHELLS	108	#if ENABLE_FEATURE_SU_CHECKS_SHELLS
92	if (opt_shell && cur_uid && restricted_shell(pw->pw_shell)) {	109	if (opt_shell && cur_uid != 0 && restricted_shell(pw->pw_shell)) {
93	/* The user being su'd to has a nonstandard shell, and so is	110	/* The user being su'd to has a nonstandard shell, and so is
94	probably a uucp account or has restricted access. Don't	111	probably a uucp account or has restricted access. Don't
95	compromise the account by allowing access with a standard	112	compromise the account by allowing access with a standard