/* login.c - Start a session on the system.
 *
 * Copyright 2012 Elie De Brauwer <eliedebrauwer@gmail.com>
 *
 * No support for PAM/securetty/selinux/login script/issue/utmp
 * Relies on libcrypt for hash calculation.

USE_LOGIN(NEWTOY(login, ">1fph:", TOYFLAG_BIN))

config LOGIN
  bool "login"
  default y
  help
    usage: login [-p] [-h host] [[-f] username]

    Establish a new session with the system.
    -p	Preserve environment
    -h	The name of the remote host for this login
    -f	Do not perform authentication
*/

#define FOR_login
#include "toys.h"

#define LOGIN_TIMEOUT 60
#define LOGIN_FAIL_TIMEOUT 3
#define USER_NAME_MAX_SIZE 32
#define HOSTNAME_SIZE 32

GLOBALS(
  char *hostname;
)

static void login_timeout_handler(int sig __attribute__((unused)))
{
  printf("\nLogin timed out after %d seconds.\n", LOGIN_TIMEOUT);
  exit(0);
}

static char *forbid[] = {
  "BASH_ENV", "ENV", "HOME", "IFS", "LD_LIBRARY_PATH", "LD_PRELOAD",
  "LD_TRACE_LOADED_OBJECTS", "LD_BIND_NOW", "LD_AOUT_LIBRARY_PATH",
  "LD_AOUT_PRELOAD", "LD_NOWARN", "LD_KEEPDIR", "SHELL", NULL
};

int verify_password(char * pwd)
{
  char *pass;

  if (read_password(toybuf, sizeof(toybuf), "Password: ")) return 1;
  if (!pwd) return 1;
  if (pwd[0] == '!' || pwd[0] == '*') return 1;

  pass = crypt(toybuf, pwd);
  if (pass && !strcmp(pass, pwd)) return 0;

  return 1;
}

void read_user(char * buff, int size)
{
  char hostname[HOSTNAME_SIZE+1];
  int i = 0;
  hostname[HOSTNAME_SIZE] = 0;
  if(!gethostname(hostname, HOSTNAME_SIZE)) fputs(hostname, stdout);

  fputs(" login: ", stdout);
  fflush(stdout);

  do {
    int c = getchar();
    if (c == EOF) exit(EXIT_FAILURE);
    buff[0] = c;
  } while (isblank(buff[0]));

  if (buff[0] != '\n') if(!fgets(&buff[1], HOSTNAME_SIZE-1, stdin)) _exit(1);

  while(i<HOSTNAME_SIZE-1 && isgraph(buff[i])) i++;
  buff[i] = 0;
}

void handle_nologin(void)
{
  int fd = open("/etc/nologin", O_RDONLY);
  int size;
  if (fd == -1) return;

  size = readall(fd, toybuf,sizeof(toybuf)-1);
  toybuf[size] = 0;
  if (!size) puts("System closed for routine maintenance\n");
  else puts(toybuf);

  close(fd);
  fflush(stdout);
  exit(EXIT_FAILURE);
}

void handle_motd(void)
{
  int fd = open("/etc/motd", O_RDONLY);
  int size;
  if (fd == -1) return;

  size = readall(fd, toybuf,sizeof(toybuf)-1);
  toybuf[size] = 0;
  puts(toybuf);

  close(fd);
  fflush(stdout);
}

int change_identity(const struct passwd *pwd)
{
  if (initgroups(pwd->pw_name,pwd->pw_gid)) return 1;
  if (setgid(pwd->pw_uid)) return 1;
  if (setuid(pwd->pw_uid)) return 1;

  return 0;
}

void spawn_shell(const char *shell)
{
  const char * exec_name = strrchr(shell,'/');
  if (exec_name) exec_name++;
  else exec_name = shell;

  snprintf(toybuf,sizeof(toybuf)-1, "-%s", shell);
  execl(shell, toybuf, NULL);
  error_exit("Failed to spawn shell");
}

void setup_environment(const struct passwd *pwd, int clear_env)
{
  if (chdir(pwd->pw_dir)) printf("bad home dir: %s\n", pwd->pw_dir);

  if (clear_env) {
    const char * term = getenv("TERM");
    clearenv();
    if (term) setenv("TERM", term, 1);
  }

  setenv("USER", pwd->pw_name, 1);
  setenv("LOGNAME", pwd->pw_name, 1);
  setenv("HOME", pwd->pw_dir, 1);
  setenv("SHELL", pwd->pw_shell, 1);
}

void login_main(void)
{
  int f_flag = toys.optflags & FLAG_f;
  int h_flag = toys.optflags & FLAG_h;
  char username[USER_NAME_MAX_SIZE+1], *pass = NULL, **ss;
  struct passwd * pwd = NULL;
  struct spwd * spwd = NULL;
  int auth_fail_cnt = 0;

  if (f_flag && toys.optc != 1) error_exit("-f requires username");

  if (geteuid()) error_exit("not root");

  if (!isatty(0) || !isatty(1) || !isatty(2)) error_exit("no tty");

  openlog("login", LOG_PID | LOG_CONS, LOG_AUTH);
  signal(SIGALRM, login_timeout_handler);
  alarm(LOGIN_TIMEOUT);

  for (ss = forbid; *ss; ss++) unsetenv(*ss);

  while (1) {
    tcflush(0, TCIFLUSH);

    username[USER_NAME_MAX_SIZE] = 0;
    if (toys.optargs[0]) strncpy(username, toys.optargs[0], USER_NAME_MAX_SIZE);
    else {
      read_user(username, USER_NAME_MAX_SIZE+1);
      if (username[0] == 0) continue;
    }

    pwd = getpwnam(username);
    if (!pwd) goto query_pass; // Non-existing user

    if (pwd->pw_passwd[0] == '!' || pwd->pw_passwd[0] == '*')
      goto query_pass;  // Locked account

    if (f_flag) break; // Pre-authenticated

    if (!pwd->pw_passwd[0]) break; // Password-less account

    pass = pwd->pw_passwd;
    if (pwd->pw_passwd[0] == 'x') {
      spwd = getspnam (username);
      if (spwd) pass = spwd->sp_pwdp;
    }

query_pass:
    if (!verify_password(pass)) break;

    f_flag = 0;
    syslog(LOG_WARNING, "invalid password for '%s' on %s %s %s", username,
      ttyname(0), h_flag?"from":"", h_flag?TT.hostname:"");

    sleep(LOGIN_FAIL_TIMEOUT);
    puts("Login incorrect");

    if (++auth_fail_cnt == 3)
      error_exit("Maximum number of tries exceeded (%d)\n", auth_fail_cnt);

    username[0] = 0;
    pwd = NULL;
    spwd = NULL;
  }

  alarm(0);

  if (pwd->pw_uid) handle_nologin();

  if (change_identity(pwd)) error_exit("Failed to change identity");

  setup_environment(pwd, !(toys.optflags & FLAG_p));

  handle_motd();

  syslog(LOG_INFO, "%s logged in on %s %s %s", pwd->pw_name,
    ttyname(0), h_flag?"from":"", h_flag?TT.hostname:"");

  spawn_shell(pwd->pw_shell);
}