login: make /etc/nologin support configurable. -240 bytes if not selected.

include/libbb.h

@@ -943,12 +943,10 @@ extern const char bb_str_default[];
 extern const char bb_hexdigits_upcase[];
 
 extern const char bb_path_mtab_file[];
-extern const char bb_path_nologin_file[];
 extern const char bb_path_passwd_file[];
 extern const char bb_path_shadow_file[];
 extern const char bb_path_gshadow_file[];
 extern const char bb_path_group_file[];
-extern const char bb_path_securetty_file[];
 extern const char bb_path_motd_file[];
 extern const char bb_path_wtmp_file[];
 extern const char bb_dev_null[];

libbb/messages.c

@@ -34,8 +34,6 @@ const char bb_path_passwd_file[] = "/etc/passwd";
 const char bb_path_shadow_file[] = "/etc/shadow";
 const char bb_path_group_file[] = "/etc/group";
 const char bb_path_gshadow_file[] = "/etc/gshadow";
-const char bb_path_nologin_file[] = "/etc/nologin";
-const char bb_path_securetty_file[] = "/etc/securetty";
 const char bb_path_motd_file[] = "/etc/motd";
 const char bb_dev_null[] = "/dev/null";
 const char bb_busybox_exec_path[] = CONFIG_BUSYBOX_EXEC_PATH;

loginutils/Config.in

@@ -136,12 +136,20 @@ config LOGIN_SCRIPTS
 	  Enable this if you want login to execute $LOGIN_PRE_SUID_SCRIPT
 	  just prior to switching from root to logged-in user.
 
+config FEATURE_NOLOGIN
+	bool "Support for /etc/nologin"
+	default y
+	depends on LOGIN
+	help
+	  The file /etc/nologin is used by (some versions of) login(1).
+	  If it exists, non-root logins are prohibited.
+
 config FEATURE_SECURETTY
 	bool "Support for /etc/securetty"
 	default y
 	depends on LOGIN
 	help
-	  The file  /etc/securetty  is used by (some versions of) login(1).
+	  The file /etc/securetty is used by (some versions of) login(1).
 	  The file contains the device names of tty lines (one per line,
 	  without leading /dev/) on which root is allowed to login.
 

loginutils/login.c

@@ -100,15 +100,16 @@ static void write_utent(struct utmp *utptr, const char *username)
 #define write_utent(utptr, username) ((void)0)
 #endif /* !ENABLE_FEATURE_UTMP */
 
+#if ENABLE_FEATURE_NOLOGIN
 static void die_if_nologin_and_non_root(int amroot)
 {
 	FILE *fp;
 	int c;
 
-	if (access(bb_path_nologin_file, F_OK))
+	if (access("/etc/nologin", F_OK))
 		return;
 
-	fp = fopen(bb_path_nologin_file, "r");
+	fp = fopen("/etc/nologin", "r");
 	if (fp) {
 		while ((c = getc(fp)) != EOF)
 			putchar((c=='\n') ? '\r' : c);
@@ -118,28 +119,31 @@ static void die_if_nologin_and_non_root(int amroot)
 		puts("\r\nSystem closed for routine maintenance\r");
 	if (!amroot)
 		exit(1);
-	puts("\r\n[Disconnect bypassed -- root login allowed.]\r");
+	puts("\r\n[Disconnect bypassed -- root login allowed]\r");
 }
+#else
+static ALWAYS_INLINE void die_if_nologin_and_non_root(int amroot) {}
+#endif
 
 #if ENABLE_FEATURE_SECURETTY
 static int check_securetty(void)
 {
 	FILE *fp;
 	int i;
-	char buf[BUFSIZ];
+	char buf[256];
 
-	fp = fopen(bb_path_securetty_file, "r");
+	fp = fopen("/etc/securetty", "r");
 	if (!fp) {
 		/* A missing securetty file is not an error. */
 		return 1;
 	}
 	while (fgets(buf, sizeof(buf)-1, fp)) {
-		for (i = strlen(buf)-1; i>=0; --i) {
+		for (i = strlen(buf)-1; i >= 0; --i) {
 			if (!isspace(buf[i]))
 				break;
 		}
 		buf[++i] = '\0';
-		if ((buf[0]=='\0') || (buf[0]=='#'))
+		if (!buf[0] || (buf[0] == '#'))
 			continue;
 		if (strcmp(buf, short_tty) == 0) {
 			fclose(fp);
@@ -150,7 +154,7 @@ static int check_securetty(void)
 	return 0;
 }
 #else
-static inline int check_securetty(void) { return 1; }
+static ALWAYS_INLINE int check_securetty(void) { return 1; }
 #endif
 
 static void get_username_or_die(char *buf, int size_buf)
@@ -313,7 +317,7 @@ int login_main(int argc, char **argv)
 
 	write_utent(&utent, username);
 
-#ifdef CONFIG_SELINUX
+#if ENABLE_SELINUX
 	if (is_selinux_enabled()) {
 		security_context_t old_tty_sid, new_tty_sid;
 
@@ -368,7 +372,7 @@ int login_main(int argc, char **argv)
 
 	if (pw->pw_uid == 0)
 		syslog(LOG_INFO, "root login%s", fromhost);
-#ifdef CONFIG_SELINUX
+#if ENABLE_SELINUX
 	/* well, a simple setexeccon() here would do the job as well,
 	 * but let's play the game for now */
 	set_current_security_context(user_sid);