From 02d38d33976eea6ac765d2ff701fc98770a26e2f Mon Sep 17 00:00:00 2001
From: Theodore Tso <tytso@mit.edu>
Date: Fri, 10 Jun 1994 22:28:32 +0000
Subject: [PATCH] Add support for the -F flag --- allow logins by anyone,
 including root

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@3734 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/appl/bsd/login.c | 31 ++++++++++++++++++++++++-------
 1 file changed, 24 insertions(+), 7 deletions(-)

diff --git a/src/appl/bsd/login.c b/src/appl/bsd/login.c
index e09a80f33..4b58b72c8 100644
--- a/src/appl/bsd/login.c
+++ b/src/appl/bsd/login.c
@@ -40,6 +40,8 @@ static char sccsid[] = "@(#)login.c	5.25 (Berkeley) 1/6/89";
  * login -r hostname	(for rlogind)
  * login -h hostname	(for telnetd, etc.)
  * login -f name	(for pre-authenticated login: datakit, xterm, etc.)
+ * login -F name	(for pre-authenticated login: datakit, xterm, etc.,
+ *			 allows preauthenticated login as root)
  * login -e name	(for pre-authenticated encrypted, must do term
  *			 negotiation)
  * ifdef KRB4
@@ -47,7 +49,7 @@ static char sccsid[] = "@(#)login.c	5.25 (Berkeley) 1/6/89";
  * login -K hostname (for Kerberos V4 rlogind with restricted access)
  * endif KRB4 
  *
- * only one of: -r -f -e -k -K
+ * only one of: -r -f -e -k -K -F
  * only one of: -r -h -k -K
  */
 
@@ -193,9 +195,9 @@ typedef void sigtype;
 typedef int sigtype;
 #endif /* POSIX */
 
-#define EXCL_AUTH_TEST if (rflag || kflag || Kflag || eflag) { \
+#define EXCL_AUTH_TEST if (rflag || kflag || Kflag || eflag || fflag || Fflag ) { \
 				fprintf(stderr, \
-				    "login: only one of -r, -k, -K, -e, and -f allowed.\n"); \
+				    "login: only one of -r, -k, -K, -e, -F, and -f allowed.\n"); \
 				exit(1);\
 			}
 
@@ -214,7 +216,7 @@ main(argc, argv)
 	struct group *gr;
 	register int ch, i;
 	register char *p;
-	int fflag, hflag, pflag, rflag, cnt;
+	int fflag, hflag, pflag, rflag, Fflag, cnt;
 	int kflag, Kflag, eflag;
 	int quietlog, passwd_req, ioctlval;
 	sigtype timedout();
@@ -240,6 +242,7 @@ main(argc, argv)
 	 * -p is used by getty to tell login not to destroy the environment
 	 * -r is used by rlogind to cause the autologin protocol;
  	 * -f is used to skip a second login authentication 
+ 	 * -F is used to skip a second login authentication, allows login as root 
 	 * -e is used to skip a second login authentication, but allows
 	 * 	login as root.
 	 * -h is used by other servers to pass the name of the
@@ -251,14 +254,18 @@ main(argc, argv)
 	(void)gethostname(tbuf, sizeof(tbuf));
 	domain = strchr(tbuf, '.');
 
-	fflag = hflag = pflag = rflag = kflag = Kflag = eflag = 0;
+	Fflag = fflag = hflag = pflag = rflag = kflag = Kflag = eflag = 0;
 	passwd_req = 1;
-	while ((ch = getopt(argc, argv, "feh:pr:k:K:")) != EOF)
+	while ((ch = getopt(argc, argv, "Ffeh:pr:k:K:")) != EOF)
 		switch (ch) {
 		case 'f':
 			EXCL_AUTH_TEST;
 			fflag = 1;
 			break;
+		case 'F':
+			EXCL_AUTH_TEST;
+			Fflag = 1;
+			break;
 		case 'h':
 			EXCL_HOST_TEST;
 			if (getuid()) {
@@ -450,7 +457,7 @@ main(argc, argv)
 #endif
 
 		if (username == NULL) {
-			fflag = 0;
+			fflag = Fflag = 0;
 			getloginname();
 		}
 
@@ -474,6 +481,16 @@ main(argc, argv)
 			    (uid && uid != pwd->pw_uid);
 		}
 
+		/*
+		 * Allows automatic login by root.
+		 * If not invoked by root, disallow if the uid's differ.
+		 */
+
+		if (Fflag && pwd) {
+			int uid = (int) getuid();
+			passwd_req = uid && uid != pwd->pw_uid;
+		}
+
 		/*
 		 * If no remote login authentication and a password exists
 		 * for this user, prompt for one and verify it.
-- 
2.26.2