/**
* cerberus – Minimal login program
*
* Copyright © 2013 Mattias Andrée (maandree@member.fsf.org)
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see .
*/
#include
#include
#include
#include
#include
#include
#include
#if defined(OWN_VCSA) || defined(OWN_VCS)
#include
#include
#endif
#include "config.h"
#include "security.h"
static inline void fail(char* str)
{
perror(str);
sleep(FAILURE_SLEEP);
_exit(1);
}
/**
* Secure the TTY from spying
*
* @param group The group, -1 for unchanged
*/
void secure_tty(gid_t group)
{
struct termios tty;
struct termios saved_tty;
char* tty_device;
int fd, i;
/* Set ownership of this TTY to root:root */
chown_tty(0, group, 1);
/* Get TTY name for last part of this functions */
tty_device = ttyname(STDIN_FILENO);
/* Kill other processes on this TTY */
tcgetattr(STDIN_FILENO, &tty);
saved_tty = tty;
tty.c_cflag &= ~HUPCL;
tcsetattr(0, TCSANOW, &tty);
close(STDIN_FILENO);
close(STDOUT_FILENO);
close(STDERR_FILENO);
signal(SIGHUP, SIG_IGN);
vhangup();
signal(SIGHUP, SIG_DFL);
/* Restore terminal and TTY modes */
fd = open(tty_device, O_RDWR | O_NONBLOCK);
if (fd == -1)
fail("open");
fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) & ~O_NONBLOCK);
for (i = 0; i < fd; i++)
close(i);
for (i = 0; i < 3; i++)
if (i != fd)
dup2(fd, i);
if (fd > 2)
close(fd);
tcgetattr(STDIN_FILENO, &saved_tty);
}
/**
* Set ownership and mode of the TTY
*
* @param owner The owner, -1 for unchanged
* @param group The group, -1 for unchanged
* @param with_fail Abort on failure
*/
void chown_tty(uid_t owner, gid_t group, char with_fail)
{
#if defined(OWN_VCSA) || defined(OWN_VCS)
struct vt_stat vtstat;
#endif
/* Set ownership of this TTY */
if (fchown(STDIN_FILENO, owner, group) && with_fail)
fail("fchown");
/* Restrict others from using this TTY */
if (fchmod(STDIN_FILENO, TTY_PERM) && with_fail)
fail("fchmod");
/* Also do the above for /dev/vcs[a][0-9]+ */
#if defined(OWN_VCSA) || defined(OWN_VCS)
if (ioctl(STDIN_FILENO, VT_GETSTATE, &vtstat) == 0)
{
int n = vtstat.v_active;
char _vcs[VCS_LEN + 6];
char _vcsa[VCSA_LEN + 6];
char* vcs = _vcs;
char* vcsa = _vcsa;
vcs += VCS_LEN + 6;
vcsa += VCSA_LEN + 6;
if (n)
{
*--vcs = *--vcsa = 0;
while (n)
{
*--vcs = *--vcsa = (n % 10) + '0';
n /= 10;
}
vcs -= VCS_LEN;
vcsa -= VCSA_LEN;
strcpy(vcs, VCS);
strcpy(vcsa, VCSA);
#ifdef OWN_VCS
if (chown(vcs, owner, group) && with_fail) fail("chown");
if (chmod(vcs, TTY_PERM) && with_fail) fail("chmod");
#endif
#ifdef OWN_VCSA
if (chown(vcsa, owner, group) && with_fail) fail("chown");
if (chmod(vcsa, TTY_PERM) && with_fail) fail("chmod");
#endif
}
}
#endif
}