1
/*
2
 * SPDX-License-Identifier: ISC
3
 *
4
 * Copyright (c) 1999-2005, 2007-2018 Todd C. Miller <[email protected]>
5
 *
6
 * Permission to use, copy, modify, and distribute this software for any
7
 * purpose with or without fee is hereby granted, provided that the above
8
 * copyright notice and this permission notice appear in all copies.
9
 *
10
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17
 *
18
 * Sponsored in part by the Defense Advanced Research Projects
19
 * Agency (DARPA) and Air Force Research Laboratory, Air Force
20
 * Materiel Command, USAF, under agreement number F39502-99-1-0512.
21
 */
22

23
#include <config.h>
24

25
#ifdef HAVE_AIXAUTH
26

27
#include <sys/types.h>
28
#include <sys/wait.h>
29
#include <stdio.h>
30
#include <stdlib.h>
31
#include <string.h>
32
#include <unistd.h>
33
#include <ctype.h>
34
#include <errno.h>
35
#include <pwd.h>
36
#include <signal.h>
37
#include <usersec.h>
38

39
#include <sudoers.h>
40
#include "sudo_auth.h"
41

42
/*
43
 * For a description of the AIX authentication API, see
44
 * http://publib16.boulder.ibm.com/doc_link/en_US/a_doc_lib/libs/basetrf1/authenticate.htm
45
 */
46

47
/* AIX usersec.h is missing the passwdexpiredx() prototype. */
48
#if defined(HAVE_DECL_PASSWDEXPIREDX) && !HAVE_DECL_PASSWDEXPIREDX
49
int passwdexpiredx(char *, char **, void **);
50
#endif
51

52
#ifdef HAVE_PAM
53
# define AIX_AUTH_UNKNOWN	0
54
# define AIX_AUTH_STD		1
55
# define AIX_AUTH_PAM		2
56

57
static int
58
sudo_aix_authtype(void)
59
{
60
    size_t linesize = 0;
61
    ssize_t len;
62
    char *cp, *line = NULL;
63
    bool in_stanza = false;
64
    int authtype = AIX_AUTH_UNKNOWN;
65
    FILE *fp;
66
    debug_decl(sudo_aix_authtype, SUDOERS_DEBUG_AUTH);
67

68
    if ((fp = fopen("/etc/security/login.cfg", "r")) == NULL)
69
	debug_return_int(AIX_AUTH_UNKNOWN);
70

71
    while ((len = getdelim(&line, &linesize, '\n', fp)) != -1) {
72
	/* First remove comments. */
73
	if ((cp = strchr(line, '#')) != NULL) {
74
	    *cp = '\0';
75
	    len = (ssize_t)(cp - line);
76
	}
77

78
	/* Next remove trailing newlines and whitespace. */
79
	while (len > 0 && isspace((unsigned char)line[len - 1]))
80
	    line[--len] = '\0';
81

82
	/* Skip blank lines. */
83
	if (len == 0)
84
	    continue;
85

86
	/* Match start of the usw stanza. */
87
	if (!in_stanza) {
88
	    if (strncmp(line, "usw:", 4) == 0)
89
		in_stanza = true;
90
	    continue;
91
	}
92

93
	/* Check for end of the usw stanza. */
94
	if (!isblank((unsigned char)line[0])) {
95
	    in_stanza = false;
96
	    break;
97
	}
98

99
	/* Skip leading blanks. */
100
	cp = line;
101
	do {
102
	    cp++;
103
	} while (isblank((unsigned char)*cp));
104

105
	/* Match "auth_type = (PAM_AUTH|STD_AUTH)". */
106
	if (strncmp(cp, "auth_type", 9) != 0)
107
	    continue;
108
	cp += 9;
109
	while (isblank((unsigned char)*cp))
110
	    cp++;
111
	if (*cp++ != '=')
112
	    continue;
113
	while (isblank((unsigned char)*cp))
114
	    cp++;
115
	if (strcmp(cp, "PAM_AUTH") == 0) {
116
	    authtype = AIX_AUTH_PAM;
117
	    break;
118
	}
119
	if (strcmp(cp, "STD_AUTH") == 0) {
120
	    authtype = AIX_AUTH_STD;
121
	    break;
122
	}
123
    }
124
    free(line);
125
    fclose(fp);
126

127
    debug_return_int(authtype);
128
}
129
#endif /* HAVE_PAM */
130

131
int
132
sudo_aix_init(const struct sudoers_context *ctx, struct passwd *pw,
133
    sudo_auth *auth)
134
{
135
    debug_decl(sudo_aix_init, SUDOERS_DEBUG_AUTH);
136

137
#ifdef HAVE_PAM
138
    /* Check auth_type in /etc/security/login.cfg. */
139
    if (sudo_aix_authtype() == AIX_AUTH_PAM) {
140
	if (sudo_pam_init_quiet(ctx, pw, auth) == AUTH_SUCCESS) {
141
	    /* Fail AIX authentication so we can use PAM instead. */
142
	    debug_return_int(AUTH_FAILURE);
143
	}
144
    }
145
#endif
146
    debug_return_int(AUTH_SUCCESS);
147
}
148

149
/* Ignore AIX password incorrect message */
150
static bool
151
sudo_aix_valid_message(const char *message)
152
{
153
    const char *cp;
154
    const char badpass_msgid[] = "3004-300";
155
    debug_decl(sudo_aix_valid_message, SUDOERS_DEBUG_AUTH);
156

157
    if (message == NULL || message[0] == '\0')
158
	debug_return_bool(false);
159

160
    /* Match "3004-300: You entered an invalid login name or password" */
161
    for (cp = message; *cp != '\0'; cp++) {
162
	if (isdigit((unsigned char)*cp)) {
163
	    if (strncmp(cp, badpass_msgid, strlen(badpass_msgid)) == 0)
164
		debug_return_bool(false);
165
	    break;
166
	}
167
    }
168
    debug_return_bool(true);
169
}
170

171
/*
172
 * Change the user's password.  If root changes the user's password
173
 * the ADMCHG flag is set on the account (and the user must change
174
 * it again) so we run passwd(1) as the user.  This does mean that
175
 * the user will need to re-enter their original password again,
176
 * unlike with su(1).  We may consider using pwdadm(1) as root to
177
 * change the password and then clear the flag in the future.
178
 * TODO: investigate using chpassx(3) instead.
179
 */
180
static bool
181
sudo_aix_change_password(const struct sudoers_context *ctx, const char *user)
182
{
183
    struct sigaction sa, savechld;
184
    pid_t child, pid;
185
    bool ret = false;
186
    sigset_t mask;
187
    int status;
188
    debug_decl(sudo_aix_change_password, SUDOERS_DEBUG_AUTH);
189

190
    /* Set SIGCHLD handler to default since we call waitpid() below. */
191
    memset(&sa, 0, sizeof(sa));
192
    sigemptyset(&sa.sa_mask);
193
    sa.sa_flags = SA_RESTART;
194
    sa.sa_handler = SIG_DFL;
195
    (void) sigaction(SIGCHLD, &sa, &savechld);
196

197
    switch (child = sudo_debug_fork()) {
198
    case -1:
199
	/* error */
200
	sudo_warn("%s", U_("unable to fork"));
201
	break;
202
    case 0:
203
	/* child, run passwd(1) */
204
	sigemptyset(&mask);
205
	sigaddset(&mask, SIGINT);
206
	sigaddset(&mask, SIGQUIT);
207
	(void) sigprocmask(SIG_UNBLOCK, &mask, NULL);
208
	set_perms(ctx, PERM_USER);
209
	execl("/usr/bin/passwd", "passwd", user, (char *)NULL);
210
	sudo_warn("passwd");
211
	_exit(127);
212
	/* NOTREACHED */
213
    default:
214
	/* parent */
215
	break;
216
    }
217

218
    /* Wait for passwd(1) to complete. */
219
    do {
220
	pid = waitpid(child, &status, 0);
221
    } while (pid == -1 && errno == EINTR);
222
    sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
223
	"child (%d) exit value %d", (int)child, status);
224
    if (pid != -1 && WIFEXITED(status) && WEXITSTATUS(status) == 0)
225
	ret = true;
226

227
    /* Restore saved SIGCHLD handler. */
228
    (void) sigaction(SIGCHLD, &savechld, NULL);
229

230
    debug_return_bool(ret);
231
}
232

233
int
234
sudo_aix_verify(const struct sudoers_context *ctx, struct passwd *pw,
235
    const char *prompt, sudo_auth *auth, struct sudo_conv_callback *callback)
236
{
237
    char *pass, *message = NULL;
238
    int result, reenter = 0;
239
    int ret = AUTH_SUCCESS;
240
    void *state = NULL;
241
    debug_decl(sudo_aix_verify, SUDOERS_DEBUG_AUTH);
242

243
    if (IS_NONINTERACTIVE(auth))
244
	debug_return_int(AUTH_NONINTERACTIVE);
245

246
    /* Use newer APIs to propagate the state information. */
247
    result = loginrestrictionsx(pw->pw_name, 0, NULL, &message, &state);
248
    if (result != 0) {
249
	if (message != NULL && message[0] != '\0') {
250
	    sudo_printf(SUDO_CONV_ERROR_MSG|SUDO_CONV_PREFER_TTY,
251
		"%s", message);
252
	} else {
253
	    sudo_warn("loginrestrictionsx");
254
	}
255
	free(message);
256
	free(state);
257
	debug_return_int(AUTH_ERROR);
258
    }
259

260
    do {
261
	pass = auth_getpass(prompt, SUDO_CONV_PROMPT_ECHO_OFF, callback);
262
	if (pass == NULL) {
263
	    result = -1;
264
	    break;
265
	}
266
	free(message);
267
	message = NULL;
268
	result = authenticatex(pw->pw_name, pass, &reenter, &message, &state);
269
	freezero(pass, strlen(pass));
270
	prompt = message;
271
    } while (reenter);
272

273
    if (result != 0) {
274
	if (pass == NULL) {
275
	    /* User interrupted password prompt with ^C. */
276
	    ret = AUTH_INTR;
277
	} else {
278
	    /* Display error message, if any. */
279
	    if (sudo_aix_valid_message(message)) {
280
		sudo_printf(SUDO_CONV_ERROR_MSG|SUDO_CONV_PREFER_TTY,
281
		    "%s", message);
282
	    }
283
	    ret = AUTH_FAILURE;
284
	}
285
    }
286

287
    /* Check if password expired and allow user to change it if possible. */
288
    if (ret == AUTH_SUCCESS) {
289
	free(message);
290
	message = NULL;
291
	result = passwdexpiredx(pw->pw_name, &message, &state);
292
	if (message != NULL && message[0] != '\0') {
293
	    int msg_type = SUDO_CONV_PREFER_TTY;
294
	    msg_type |= result ? SUDO_CONV_ERROR_MSG : SUDO_CONV_INFO_MSG,
295
	    sudo_printf(msg_type, "%s", message);
296
	}
297
	switch (result) {
298
	case 0:
299
	    /* password not expired */
300
	    break;
301
	case 1:
302
	    /* password expired, user must change it */
303
	    if (!sudo_aix_change_password(ctx, pw->pw_name)) {
304
		sudo_warnx(U_("unable to change password for %s"), pw->pw_name);
305
		ret = AUTH_ERROR;
306
	    }
307
	    break;
308
	case 2:
309
	case 3:
310
	    /* password expired, cannot be updated by user */
311
	    if (message == NULL) {
312
		sudo_warnx(
313
		    U_("Password expired, contact your system administrator"));
314
	    }
315
	    ret = AUTH_ERROR;
316
	    break;
317
	default:
318
	    /* error (-1) */
319
	    sudo_warn("passwdexpiredx");
320
	    ret = AUTH_ERROR;
321
	    break;
322
	}
323
    }
324
    free(message);
325
    free(state);
326

327
    debug_return_int(ret);
328
}
329

330
int
331
sudo_aix_cleanup(const struct sudoers_context *ctx, struct passwd *pw,
332
    sudo_auth *auth, bool force)
333
{
334
    debug_decl(sudo_aix_cleanup, SUDOERS_DEBUG_AUTH);
335

336
    /* Unset AUTHSTATE as it may not be correct for the runas user. */
337
    if (sudo_unsetenv("AUTHSTATE") == -1)
338
	debug_return_int(AUTH_FAILURE);
339

340
    debug_return_int(AUTH_SUCCESS);
341
}
342

343
#endif /* HAVE_AIXAUTH */
344

345