Add support for the -F flag --- allow logins by anyone, including root

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@3734 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/appl/bsd/login.c b/src/appl/bsd/login.c
index e09a80f33a1991ff0d89975ff58857cd08bd83a3..4b58b72c8d9f765b8d1601f922ad88ba1e892b4a 100644 (file)
--- a/src/appl/bsd/login.c
+++ b/src/appl/bsd/login.c
@@ -40,6 +40,8 @@ static char sccsid[] = "@(#)login.c   5.25 (Berkeley) 1/6/89";
  * login -r hostname   (for rlogind)
  * login -h hostname   (for telnetd, etc.)
  * login -f name       (for pre-authenticated login: datakit, xterm, etc.)
+ * login -F name       (for pre-authenticated login: datakit, xterm, etc.,
+ *                      allows preauthenticated login as root)
  * login -e name       (for pre-authenticated encrypted, must do term
  *                      negotiation)
  * ifdef KRB4
@@ -47,7 +49,7 @@ static char sccsid[] = "@(#)login.c   5.25 (Berkeley) 1/6/89";
  * login -K hostname (for Kerberos V4 rlogind with restricted access)
  * endif KRB4 
  *
- * only one of: -r -f -e -k -K
+ * only one of: -r -f -e -k -K -F
  * only one of: -r -h -k -K
  */
 
@@ -193,9 +195,9 @@ typedef void sigtype;
 typedef int sigtype;
 #endif /* POSIX */
 
-#define EXCL_AUTH_TEST if (rflag || kflag || Kflag || eflag) { \
+#define EXCL_AUTH_TEST if (rflag || kflag || Kflag || eflag || fflag || Fflag ) { \
                                fprintf(stderr, \
-                                   "login: only one of -r, -k, -K, -e, and -f allowed.\n"); \
+                                   "login: only one of -r, -k, -K, -e, -F, and -f allowed.\n"); \
                                exit(1);\
                        }
 
@@ -214,7 +216,7 @@ main(argc, argv)
        struct group *gr;
        register int ch, i;
        register char *p;
-       int fflag, hflag, pflag, rflag, cnt;
+       int fflag, hflag, pflag, rflag, Fflag, cnt;
        int kflag, Kflag, eflag;
        int quietlog, passwd_req, ioctlval;
        sigtype timedout();
@@ -240,6 +242,7 @@ main(argc, argv)
         * -p is used by getty to tell login not to destroy the environment
         * -r is used by rlogind to cause the autologin protocol;
         * -f is used to skip a second login authentication 
+        * -F is used to skip a second login authentication, allows login as root 
         * -e is used to skip a second login authentication, but allows
         *      login as root.
         * -h is used by other servers to pass the name of the
@@ -251,14 +254,18 @@ main(argc, argv)
        (void)gethostname(tbuf, sizeof(tbuf));
        domain = strchr(tbuf, '.');
 
-       fflag = hflag = pflag = rflag = kflag = Kflag = eflag = 0;
+       Fflag = fflag = hflag = pflag = rflag = kflag = Kflag = eflag = 0;
        passwd_req = 1;
-       while ((ch = getopt(argc, argv, "feh:pr:k:K:")) != EOF)
+       while ((ch = getopt(argc, argv, "Ffeh:pr:k:K:")) != EOF)
                switch (ch) {
                case 'f':
                        EXCL_AUTH_TEST;
                        fflag = 1;
                        break;
+               case 'F':
+                       EXCL_AUTH_TEST;
+                       Fflag = 1;
+                       break;
                case 'h':
                        EXCL_HOST_TEST;
                        if (getuid()) {
@@ -450,7 +457,7 @@ main(argc, argv)
 #endif
 
                if (username == NULL) {
-                       fflag = 0;
+                       fflag = Fflag = 0;
                        getloginname();
                }
 
@@ -474,6 +481,16 @@ main(argc, argv)
                            (uid && uid != pwd->pw_uid);
                }
 
+               /*
+                * Allows automatic login by root.
+                * If not invoked by root, disallow if the uid's differ.
+                */
+
+               if (Fflag && pwd) {
+                       int uid = (int) getuid();
+                       passwd_req = uid && uid != pwd->pw_uid;
+               }
+
                /*
                 * If no remote login authentication and a password exists
                 * for this user, prompt for one and verify it.