Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
sudo-project
GitHub Repository: sudo-project/sudo
 Path: blob/main/plugins/sudoers/auth/bsdauth.c
1532 views
1
/*

2
 * SPDX-License-Identifier: ISC

3
 *

4
 * Copyright (c) 2000-2005, 2007-2008, 2010-2015

5
 *	Todd C. Miller <[email protected]>

6
 *

7
 * Permission to use, copy, modify, and distribute this software for any

8
 * purpose with or without fee is hereby granted, provided that the above

9
 * copyright notice and this permission notice appear in all copies.

10
 *

11
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

12
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

13
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR

14
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

15
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN

16
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF

17
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

18
 *

19
 * Sponsored in part by the Defense Advanced Research Projects

20
 * Agency (DARPA) and Air Force Research Laboratory, Air Force

21
 * Materiel Command, USAF, under agreement number F39502-99-1-0512.

22
 */

23


24
#include <config.h>

25


26
#ifdef HAVE_BSD_AUTH_H

27


28
#include <sys/types.h>

29
#include <stdio.h>

30
#include <stdlib.h>

31
#include <string.h>

32
#include <unistd.h>

33
#include <ctype.h>

34
#include <pwd.h>

35
#include <signal.h>

36


37
#include <login_cap.h>

38
#include <bsd_auth.h>

39


40
#include <sudoers.h>

41
#include "sudo_auth.h"

42


43
# ifndef LOGIN_DEFROOTCLASS

44
#  define LOGIN_DEFROOTCLASS	"daemon"

45
# endif

46


47
struct bsdauth_state {

48
    auth_session_t *as;

49
    login_cap_t *lc;

50
};

51


52
static char *login_style;	/* user may set style via -a option */

53


54
int

55
bsdauth_init(const struct sudoers_context *ctx, struct passwd *pw,

56
    sudo_auth *auth)

57
{

58
    static struct bsdauth_state state;

59
    debug_decl(bsdauth_init, SUDOERS_DEBUG_AUTH);

60


61
    /* Only initialize once. */

62
    if (auth->data != NULL)

63
	debug_return_int(AUTH_SUCCESS);

64


65
    /* Get login class based on auth user, which may not be invoking user. */

66
    if (pw->pw_class && *pw->pw_class) {

67
	state.lc = login_getclass(pw->pw_class);

68
    } else {

69
	state.lc = login_getclass(

70
	    pw->pw_uid ? (char *)LOGIN_DEFCLASS : (char *)LOGIN_DEFROOTCLASS);

71
    }

72
    if (state.lc == NULL) {

73
	log_warning(ctx, 0, N_("unable to get login class for user %s"),

74
	    pw->pw_name);

75
	goto bad;

76
    }

77


78
    login_style = login_getstyle(state.lc, login_style, (char *)"auth-sudo");

79
    if (login_style == NULL) {

80
	log_warningx(ctx, 0, N_("invalid authentication type"));

81
	goto bad;

82
    }

83


84
    if ((state.as = auth_open()) == NULL) {

85
	log_warning(ctx, 0, N_("unable to begin BSD authentication"));

86
	goto bad;

87
    }

88


89
    if (auth_setitem(state.as, AUTHV_STYLE, login_style) < 0 ||

90
	auth_setitem(state.as, AUTHV_NAME, pw->pw_name) < 0 ||

91
	auth_setitem(state.as, AUTHV_CLASS, ctx->runas.class) < 0) {

92
	log_warningx(ctx, 0, N_("unable to initialize BSD authentication"));

93
	goto bad;

94
    }

95


96
    auth->data = (void *) &state;

97
    debug_return_int(AUTH_SUCCESS);

98
bad:

99
    auth_close(state.as);

100
    login_close(state.lc);

101
    debug_return_int(AUTH_ERROR);

102
}

103


104
int

105
bsdauth_verify(const struct sudoers_context *ctx, struct passwd *pw,

106
    const char *prompt, sudo_auth *auth, struct sudo_conv_callback *callback)

107
{

108
    char *pass;

109
    char *s;

110
    size_t len;

111
    int authok = 0;

112
    struct sigaction sa, osa;

113
    auth_session_t *as = ((struct bsdauth_state *) auth->data)->as;

114
    debug_decl(bsdauth_verify, SUDOERS_DEBUG_AUTH);

115


116
    if (IS_NONINTERACTIVE(auth))

117
        debug_return_int(AUTH_NONINTERACTIVE);

118


119
    /* save old signal handler */

120
    sigemptyset(&sa.sa_mask);

121
    sa.sa_flags = SA_RESTART;

122
    sa.sa_handler = SIG_DFL;

123
    (void) sigaction(SIGCHLD, &sa, &osa);

124


125
    /*

126
     * If there is a challenge then print that instead of the normal

127
     * prompt.  If the user just hits return we prompt again with echo

128
     * turned on, which is useful for challenge/response things like

129
     * S/Key.

130
     */

131
    if ((s = auth_challenge(as)) == NULL) {

132
	pass = auth_getpass(prompt, SUDO_CONV_PROMPT_ECHO_OFF, callback);

133
    } else {

134
	pass = auth_getpass(s, SUDO_CONV_PROMPT_ECHO_OFF, callback);

135
	if (pass != NULL && *pass == '\0') {

136
	    if ((prompt = strrchr(s, '\n')))

137
		prompt++;

138
	    else

139
		prompt = s;

140


141
	    /*

142
	     * Append '[echo on]' to the last line of the challenge and

143
	     * re-prompt with echo turned on.

144
	     */

145
	    len = strlen(prompt);

146
	    while (len > 0 && (isspace((unsigned char)prompt[len - 1]) || prompt[len - 1] == ':'))

147
		len--;

148
	    if (asprintf(&s, "%.*s [echo on]: ", (int)len, prompt) == -1) {

149
		log_warningx(ctx, 0, N_("unable to allocate memory"));

150
		debug_return_int(AUTH_ERROR);

151
	    }

152
	    free(pass);

153
	    pass = auth_getpass(s, SUDO_CONV_PROMPT_ECHO_ON, callback);

154
	    free(s);

155
	}

156
    }

157


158
    if (pass != NULL) {

159
	authok = auth_userresponse(as, pass, 1);

160
	freezero(pass, strlen(pass));

161
    }

162


163
    /* restore old signal handler */

164
    (void) sigaction(SIGCHLD, &osa, NULL);

165


166
    if (authok)

167
	debug_return_int(AUTH_SUCCESS);

168


169
    if (pass == NULL)

170
	debug_return_int(AUTH_INTR);

171


172
    if ((s = auth_getvalue(as, (char *)"errormsg")) != NULL)

173
	log_warningx(ctx, 0, "%s", s);

174
    debug_return_int(AUTH_FAILURE);

175
}

176


177
int

178
bsdauth_approval(const struct sudoers_context *ctx, struct passwd *pw,

179
    sudo_auth *auth, bool exempt)

180
{

181
    struct bsdauth_state *state = auth->data;

182
    debug_decl(bsdauth_approval, SUDOERS_DEBUG_AUTH);

183


184
    if (auth_approval(state->as, state->lc, pw->pw_name, (char *)"auth-sudo") == 0) {

185
	if (auth_getstate(state->as) & AUTH_EXPIRED)

186
	    log_warningx(ctx, 0, "%s", N_("your account has expired"));

187
	else

188
	    log_warningx(ctx, 0, "%s", N_("approval failed"));

189
	debug_return_int(AUTH_FAILURE);

190
    }

191
    debug_return_int(AUTH_SUCCESS);

192
}

193


194
int

195
bsdauth_cleanup(const struct sudoers_context *ctx, struct passwd *pw,

196
    sudo_auth *auth, bool force)

197
{

198
    struct bsdauth_state *state = auth->data;

199
    debug_decl(bsdauth_cleanup, SUDOERS_DEBUG_AUTH);

200


201
    if (state != NULL) {

202
	auth_close(state->as);

203
	state->as = NULL;

204
	login_close(state->lc);

205
	state->lc = NULL;

206
	auth->data = NULL;

207
    }

208
    login_style = NULL;

209


210
    debug_return_int(AUTH_SUCCESS);

211
}

212


213
void

214
bsdauth_set_style(const char *style)

215
{

216
    login_style = (char *)style;

217
}

218


219
#endif /* HAVE_BSD_AUTH_H */

220


221