Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
sudo-project
GitHub Repository: sudo-project/sudo
 Path: blob/main/plugins/sudoers/auth/aix_auth.c
1532 views
1
/*

2
 * SPDX-License-Identifier: ISC

3
 *

4
 * Copyright (c) 1999-2005, 2007-2018 Todd C. Miller <[email protected]>

5
 *

6
 * Permission to use, copy, modify, and distribute this software for any

7
 * purpose with or without fee is hereby granted, provided that the above

8
 * copyright notice and this permission notice appear in all copies.

9
 *

10
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

11
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

12
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR

13
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

14
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN

15
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF

16
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

17
 *

18
 * Sponsored in part by the Defense Advanced Research Projects

19
 * Agency (DARPA) and Air Force Research Laboratory, Air Force

20
 * Materiel Command, USAF, under agreement number F39502-99-1-0512.

21
 */

22


23
#include <config.h>

24


25
#ifdef HAVE_AIXAUTH

26


27
#include <sys/types.h>

28
#include <sys/wait.h>

29
#include <stdio.h>

30
#include <stdlib.h>

31
#include <string.h>

32
#include <unistd.h>

33
#include <ctype.h>

34
#include <errno.h>

35
#include <pwd.h>

36
#include <signal.h>

37
#include <usersec.h>

38


39
#include <sudoers.h>

40
#include "sudo_auth.h"

41


42
/*

43
 * For a description of the AIX authentication API, see

44
 * http://publib16.boulder.ibm.com/doc_link/en_US/a_doc_lib/libs/basetrf1/authenticate.htm

45
 */

46


47
#ifdef HAVE_PAM

48
# define AIX_AUTH_UNKNOWN	0

49
# define AIX_AUTH_STD		1

50
# define AIX_AUTH_PAM		2

51


52
static int

53
sudo_aix_authtype(void)

54
{

55
    size_t linesize = 0;

56
    ssize_t len;

57
    char *cp, *line = NULL;

58
    bool in_stanza = false;

59
    int authtype = AIX_AUTH_UNKNOWN;

60
    FILE *fp;

61
    debug_decl(sudo_aix_authtype, SUDOERS_DEBUG_AUTH);

62


63
    if ((fp = fopen("/etc/security/login.cfg", "r")) == NULL)

64
	debug_return_int(AIX_AUTH_UNKNOWN);

65


66
    while ((len = getdelim(&line, &linesize, '\n', fp)) != -1) {

67
	/* First remove comments. */

68
	if ((cp = strchr(line, '#')) != NULL) {

69
	    *cp = '\0';

70
	    len = (ssize_t)(cp - line);

71
	}

72


73
	/* Next remove trailing newlines and whitespace. */

74
	while (len > 0 && isspace((unsigned char)line[len - 1]))

75
	    line[--len] = '\0';

76


77
	/* Skip blank lines. */

78
	if (len == 0)

79
	    continue;

80


81
	/* Match start of the usw stanza. */

82
	if (!in_stanza) {

83
	    if (strncmp(line, "usw:", 4) == 0)

84
		in_stanza = true;

85
	    continue;

86
	}

87


88
	/* Check for end of the usw stanza. */

89
	if (!isblank((unsigned char)line[0])) {

90
	    in_stanza = false;

91
	    break;

92
	}

93


94
	/* Skip leading blanks. */

95
	cp = line;

96
	do {

97
	    cp++;

98
	} while (isblank((unsigned char)*cp));

99


100
	/* Match "auth_type = (PAM_AUTH|STD_AUTH)". */

101
	if (strncmp(cp, "auth_type", 9) != 0)

102
	    continue;

103
	cp += 9;

104
	while (isblank((unsigned char)*cp))

105
	    cp++;

106
	if (*cp++ != '=')

107
	    continue;

108
	while (isblank((unsigned char)*cp))

109
	    cp++;

110
	if (strcmp(cp, "PAM_AUTH") == 0) {

111
	    authtype = AIX_AUTH_PAM;

112
	    break;

113
	}

114
	if (strcmp(cp, "STD_AUTH") == 0) {

115
	    authtype = AIX_AUTH_STD;

116
	    break;

117
	}

118
    }

119
    free(line);

120
    fclose(fp);

121


122
    debug_return_int(authtype);

123
}

124
#endif /* HAVE_PAM */

125


126
int

127
sudo_aix_init(const struct sudoers_context *ctx, struct passwd *pw,

128
    sudo_auth *auth)

129
{

130
    debug_decl(sudo_aix_init, SUDOERS_DEBUG_AUTH);

131


132
#ifdef HAVE_PAM

133
    /* Check auth_type in /etc/security/login.cfg. */

134
    if (sudo_aix_authtype() == AIX_AUTH_PAM) {

135
	if (sudo_pam_init_quiet(ctx, pw, auth) == AUTH_SUCCESS) {

136
	    /* Fail AIX authentication so we can use PAM instead. */

137
	    debug_return_int(AUTH_FAILURE);

138
	}

139
    }

140
#endif

141
    debug_return_int(AUTH_SUCCESS);

142
}

143


144
/* Ignore AIX password incorrect message */

145
static bool

146
sudo_aix_valid_message(const char *message)

147
{

148
    const char *cp;

149
    const char badpass_msgid[] = "3004-300";

150
    debug_decl(sudo_aix_valid_message, SUDOERS_DEBUG_AUTH);

151


152
    if (message == NULL || message[0] == '\0')

153
	debug_return_bool(false);

154


155
    /* Match "3004-300: You entered an invalid login name or password" */

156
    for (cp = message; *cp != '\0'; cp++) {

157
	if (isdigit((unsigned char)*cp)) {

158
	    if (strncmp(cp, badpass_msgid, strlen(badpass_msgid)) == 0)

159
		debug_return_bool(false);

160
	    break;

161
	}

162
    }

163
    debug_return_bool(true);

164
}

165


166
/* 

167
 * Change the user's password.  If root changes the user's password

168
 * the ADMCHG flag is set on the account (and the user must change

169
 * it again) so we run passwd(1) as the user.  This does mean that

170
 * the user will need to re-enter their original password again,

171
 * unlike with su(1).  We may consider using pwdadm(1) as root to

172
 * change the password and then clear the flag in the future.

173
 */

174
static bool

175
sudo_aix_change_password(const struct sudoers_context *ctx, const char *user)

176
{

177
    struct sigaction sa, savechld;

178
    pid_t child, pid;

179
    bool ret = false;

180
    sigset_t mask;

181
    int status;

182
    debug_decl(sudo_aix_change_password, SUDOERS_DEBUG_AUTH);

183


184
    /* Set SIGCHLD handler to default since we call waitpid() below. */

185
    memset(&sa, 0, sizeof(sa));                

186
    sigemptyset(&sa.sa_mask);

187
    sa.sa_flags = SA_RESTART;     

188
    sa.sa_handler = SIG_DFL;

189
    (void) sigaction(SIGCHLD, &sa, &savechld);

190


191
    switch (child = sudo_debug_fork()) {

192
    case -1:

193
	/* error */

194
	sudo_warn("%s", U_("unable to fork"));

195
	break;

196
    case 0:

197
	/* child, run passwd(1) */

198
	sigemptyset(&mask);

199
	sigaddset(&mask, SIGINT);

200
	sigaddset(&mask, SIGQUIT);

201
	(void) sigprocmask(SIG_UNBLOCK, &mask, NULL);

202
	set_perms(ctx, PERM_USER);

203
	execl("/usr/bin/passwd", "passwd", user, (char *)NULL);

204
	sudo_warn("passwd");

205
	_exit(127);

206
	/* NOTREACHED */

207
    default:

208
	/* parent */

209
	break;

210
    }

211


212
    /* Wait for passwd(1) to complete. */

213
    do {

214
	pid = waitpid(child, &status, 0);

215
    } while (pid == -1 && errno == EINTR);

216
    sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,

217
	"child (%d) exit value %d", (int)child, status);

218
    if (pid != -1 && WIFEXITED(status) && WEXITSTATUS(status) == 0)

219
	ret = true;

220


221
    /* Restore saved SIGCHLD handler. */

222
    (void) sigaction(SIGCHLD, &savechld, NULL);

223


224
    debug_return_bool(ret);

225
}

226


227
int

228
sudo_aix_verify(const struct sudoers_context *ctx, struct passwd *pw,

229
    const char *prompt, sudo_auth *auth, struct sudo_conv_callback *callback)

230
{

231
    char *pass, *message = NULL;

232
    int result = 1, reenter = 0;

233
    int ret = AUTH_SUCCESS;

234
    debug_decl(sudo_aix_verify, SUDOERS_DEBUG_AUTH);

235


236
    if (IS_NONINTERACTIVE(auth))

237
        debug_return_int(AUTH_NONINTERACTIVE);

238


239
    do {

240
	pass = auth_getpass(prompt, SUDO_CONV_PROMPT_ECHO_OFF, callback);

241
	if (pass == NULL)

242
	    break;

243
	free(message);

244
	message = NULL;

245
	result = authenticate(pw->pw_name, pass, &reenter, &message);

246
	freezero(pass, strlen(pass));

247
	prompt = message;

248
    } while (reenter);

249


250
    if (result != 0) {

251
	/* Display error message, if any. */

252
	if (sudo_aix_valid_message(message))

253
	    sudo_printf(SUDO_CONV_ERROR_MSG|SUDO_CONV_PREFER_TTY,

254
		"%s", message);

255
	ret = pass ? AUTH_FAILURE : AUTH_INTR;

256
    }

257
    free(message);

258
    message = NULL;

259


260
    /* Check if password expired and allow user to change it if possible. */

261
    if (ret == AUTH_SUCCESS) {

262
	result = passwdexpired(pw->pw_name, &message);

263
	if (message != NULL && message[0] != '\0') {

264
	    int msg_type = SUDO_CONV_PREFER_TTY;

265
	    msg_type |= result ? SUDO_CONV_ERROR_MSG : SUDO_CONV_INFO_MSG,

266
	    sudo_printf(msg_type, "%s", message);

267
	    free(message);

268
	    message = NULL;

269
	}

270
	switch (result) {

271
	case 0:

272
	    /* password not expired. */

273
	    break;

274
	case 1:

275
	    /* password expired, user must change it */

276
	    if (!sudo_aix_change_password(ctx, pw->pw_name)) {

277
		sudo_warnx(U_("unable to change password for %s"), pw->pw_name);

278
		ret = AUTH_ERROR;

279
	    }

280
	    break;

281
	case 2:

282
	    /* password expired, only admin can change it */

283
	    ret = AUTH_ERROR;

284
	    break;

285
	default:

286
	    /* error (-1) */

287
	    sudo_warn("passwdexpired");

288
	    ret = AUTH_ERROR;

289
	    break;

290
	}

291
    }

292


293
    debug_return_int(ret);

294
}

295


296
int

297
sudo_aix_cleanup(const struct sudoers_context *ctx, struct passwd *pw,

298
    sudo_auth *auth, bool force)

299
{

300
    debug_decl(sudo_aix_cleanup, SUDOERS_DEBUG_AUTH);

301


302
    /* Unset AUTHSTATE as it may not be correct for the runas user. */

303
    if (sudo_unsetenv("AUTHSTATE") == -1)

304
	debug_return_int(AUTH_FAILURE);

305


306
    debug_return_int(AUTH_SUCCESS);

307
}

308


309
#endif /* HAVE_AIXAUTH */

310


311