Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
sudo-project
GitHub Repository: sudo-project/sudo
 Path: blob/main/plugins/sudoers/check.c
1532 views
1
/*

2
 * SPDX-License-Identifier: ISC

3
 *

4
 * Copyright (c) 1993-1996,1998-2005, 2007-2024

5
 *	Todd C. Miller <[email protected]>

6
 *

7
 * Permission to use, copy, modify, and distribute this software for any

8
 * purpose with or without fee is hereby granted, provided that the above

9
 * copyright notice and this permission notice appear in all copies.

10
 *

11
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

12
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

13
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR

14
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

15
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN

16
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF

17
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

18
 *

19
 * Sponsored in part by the Defense Advanced Research Projects

20
 * Agency (DARPA) and Air Force Research Laboratory, Air Force

21
 * Materiel Command, USAF, under agreement number F39502-99-1-0512.

22
 */

23


24
#include <config.h>

25


26
#include <sys/types.h>			/* for ssize_t */

27
#include <stdio.h>

28
#include <stdlib.h>

29
#include <string.h>

30
#include <unistd.h>

31
#include <fcntl.h>

32
#include <time.h>

33
#include <errno.h>

34
#include <pwd.h>

35
#include <grp.h>

36


37
#include <sudoers.h>

38
#include <timestamp.h>

39


40
/*

41
 * Get passwd entry for the user we are going to authenticate as.

42
 * By default, this is the user invoking sudo.  In the most common

43
 * case, this matches ctx->user.pw or ctx->runas.pw.

44
 */

45
static struct passwd *

46
get_authpw(struct sudoers_context *ctx, unsigned int mode)

47
{

48
    struct passwd *pw = NULL;

49
    debug_decl(get_authpw, SUDOERS_DEBUG_AUTH);

50


51
    if (ISSET(mode, (MODE_CHECK|MODE_LIST))) {

52
	/* In list mode we always prompt for the user's password. */

53
	sudo_pw_addref(ctx->user.pw);

54
	pw = ctx->user.pw;

55
    } else {

56
	if (def_rootpw) {

57
	    if ((pw = sudo_getpwuid(ROOT_UID)) == NULL) {

58
		log_warningx(ctx, SLOG_SEND_MAIL, N_("unknown uid %u"),

59
		    ROOT_UID);

60
	    }

61
	} else if (def_runaspw) {

62
	    if ((pw = sudo_getpwnam(def_runas_default)) == NULL) {

63
		log_warningx(ctx, SLOG_SEND_MAIL,

64
		    N_("unknown user %s"), def_runas_default);

65
	    }

66
	} else if (def_targetpw) {

67
	    if (ctx->runas.pw->pw_name == NULL) {

68
		/* This should never be NULL as we fake up the passwd struct */

69
		log_warningx(ctx, SLOG_RAW_MSG, N_("unknown uid %u"),

70
		    (unsigned int) ctx->runas.pw->pw_uid);

71
	    } else {

72
		sudo_pw_addref(ctx->runas.pw);

73
		pw = ctx->runas.pw;

74
	    }

75
	} else {

76
	    sudo_pw_addref(ctx->user.pw);

77
	    pw = ctx->user.pw;

78
	}

79
    }

80


81
    debug_return_ptr(pw);

82
}

83


84
/*

85
 * Returns true if the user is running the command as themselves

86
 * and no SELinux type/role, AppArmor profile or Solaris privilege

87
 * was specified.

88
 */

89
static bool

90
running_as_user(struct sudoers_context *ctx)

91
{

92
    return ctx->user.uid == ctx->runas.pw->pw_uid && (ctx->runas.gr == NULL ||

93
	user_in_group(ctx->user.pw, ctx->runas.gr->gr_name)) &&

94
	ctx->runas.role == NULL && ctx->runas.type == NULL &&

95
	ctx->runas.apparmor_profile == NULL &&

96
	ctx->runas.privs == NULL && ctx->runas.limitprivs == NULL;

97
}

98


99
/*

100
 * Returns AUTH_SUCCESS if the user successfully authenticates,

101
 * AUTH_FAILURE if not or AUTH_ERROR on error.

102
 */

103
int

104
check_user(struct sudoers_context *ctx, unsigned int validated,

105
    unsigned int mode)

106
{

107
    struct getpass_closure closure = { 0 };

108
    struct sudo_conv_callback callback;

109
    int status = TS_ERROR;

110
    int ret = AUTH_ERROR;

111
    bool exempt = false;

112
    char *prompt;

113
    debug_decl(check_user, SUDOERS_DEBUG_AUTH);

114


115
    /*

116
     * In intercept mode, only check the user if configured to do so.

117
     * We already have a session so no need to init the auth subsystem.

118
     */

119
    if (ISSET(ctx->mode, MODE_POLICY_INTERCEPTED)) {

120
	if (!def_intercept_authenticate) {

121
	    debug_return_int(AUTH_SUCCESS);

122
	}

123
    }

124


125
    /*

126
     * Init authentication system regardless of whether we need a password.

127
     * Required for proper PAM session support.

128
     */

129
    if ((closure.auth_pw = get_authpw(ctx, mode)) == NULL)

130
	debug_return_int(AUTH_ERROR);

131
    if (sudo_auth_init(ctx, closure.auth_pw, mode) != AUTH_SUCCESS) {

132
	sudo_pw_delref(closure.auth_pw);

133
	debug_return_int(AUTH_ERROR);

134
    }

135
    closure.ctx = ctx;

136


137
    if (!def_authenticate || user_is_exempt(ctx)) {

138
	sudo_debug_printf(SUDO_DEBUG_INFO, "%s: %s", __func__,

139
	    !def_authenticate ? "authentication disabled" :

140
	    "user exempt from authentication");

141
	exempt = true;

142
	goto success;

143
    }

144
    if (ctx->user.uid == ROOT_UID) {

145
	/* Do not prompt for the root password. */

146
	goto success;

147
    }

148
    if ((ISSET(mode, MODE_RUN|MODE_EDIT) && running_as_user(ctx))) {

149
	/* If the user is not changing uid/gid, no need for a password. */

150
	sudo_debug_printf(SUDO_DEBUG_INFO,

151
	    "%s: user running command as self", __func__);

152
	goto success;

153
    }

154


155
    /* Construct callback for getpass function. */

156
    memset(&callback, 0, sizeof(callback));

157
    callback.version = SUDO_CONV_CALLBACK_VERSION;

158
    callback.closure = &closure;

159


160
    /* Open, lock and read time stamp file if we are using it. */

161
    if (!ISSET(mode, MODE_IGNORE_TICKET)) {

162
	/* Open time stamp file and check its status. */

163
	closure.cookie = timestamp_open(ctx);

164
	if (closure.cookie != NULL) {

165
	    if (timestamp_lock(closure.cookie, closure.auth_pw)) {

166
		status = timestamp_status(closure.cookie, closure.auth_pw);

167
	    }

168
	}

169
    }

170


171
    switch (status) {

172
    case TS_FATAL:

173
	/* Fatal error (usually setuid failure), unsafe to proceed. */

174
	goto done;

175


176
    case TS_CURRENT:

177
	/* Time stamp file is valid and current. */

178
	if (!ISSET(validated, FLAG_CHECK_USER)) {

179
	    ret = AUTH_SUCCESS;

180
	    break;

181
	}

182
	sudo_debug_printf(SUDO_DEBUG_INFO,

183
	    "%s: check user flag overrides time stamp", __func__);

184
	FALLTHROUGH;

185


186
    default:

187
	if (ISSET(mode, MODE_NONINTERACTIVE) && !def_noninteractive_auth) {

188
	    validated |= FLAG_NO_USER_INPUT;

189
	    log_auth_failure(ctx, validated, 0);

190
	    goto done;

191
	}

192


193
	/* Expand any escapes in the prompt. */

194
	prompt = expand_prompt(ctx,

195
	    ctx->user.prompt ? ctx->user.prompt : def_passprompt,

196
	    closure.auth_pw->pw_name);

197
	if (prompt == NULL)

198
	    goto done;

199


200
	ret = verify_user(ctx, closure.auth_pw, prompt, validated, &callback);

201
	if (ret == AUTH_SUCCESS && closure.lectured)

202
	    (void)set_lectured(ctx);	/* lecture error not fatal */

203
	free(prompt);

204
	break;

205
    }

206


207
    if (ret == AUTH_SUCCESS) {

208
success:

209
	/* The approval function may disallow a user post-authentication. */

210
	ret = sudo_auth_approval(ctx, closure.auth_pw, validated, exempt);

211


212
	/*

213
	 * Only update time stamp if user validated and was approved.

214
	 * Failure to update the time stamp is not a fatal error.

215
	 */

216
	if (ret == AUTH_SUCCESS && ISSET(validated, VALIDATE_SUCCESS)) {

217
	    if (ISSET(mode, MODE_UPDATE_TICKET) && status != TS_ERROR)

218
		(void)timestamp_update(closure.cookie, closure.auth_pw);

219
	}

220
    }

221
done:

222
    timestamp_close(closure.cookie);

223
    sudo_auth_cleanup(ctx, closure.auth_pw, !ISSET(validated, VALIDATE_SUCCESS));

224
    sudo_pw_delref(closure.auth_pw);

225


226
    debug_return_int(ret);

227
}

228


229
/*

230
 * Display sudo lecture (standard or custom).

231
 * Returns true if the user was lectured, else false.

232
 */

233
void

234
display_lecture(struct sudo_conv_callback *callback)

235
{

236
    struct getpass_closure *closure;

237
    struct sudo_conv_message msg[2];

238
    struct sudo_conv_reply repl[2];

239
    char buf[BUFSIZ];

240
    struct stat sb;

241
    ssize_t nread;

242
    int fd, msgcount = 1;

243
    debug_decl(lecture, SUDOERS_DEBUG_AUTH);

244


245
    if (callback == NULL || (closure = callback->closure) == NULL)

246
	debug_return;

247


248
    if (closure->lectured)

249
	debug_return;

250


251
    if (def_lecture == never ||

252
	    (def_lecture == once && already_lectured(closure->ctx)))

253
	debug_return;

254


255
    memset(&msg, 0, sizeof(msg));

256
    memset(&repl, 0, sizeof(repl));

257


258
    if (def_lecture_file) {

259
	fd = open(def_lecture_file, O_RDONLY|O_NONBLOCK);

260
	if (fd != -1 && fstat(fd, &sb) == 0) {

261
	    if (S_ISREG(sb.st_mode)) {

262
		(void) fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK);

263
		while ((nread = read(fd, buf, sizeof(buf) - 1)) > 0) {

264
		    buf[nread] = '\0';

265
		    msg[0].msg_type = SUDO_CONV_ERROR_MSG|SUDO_CONV_PREFER_TTY;

266
		    msg[0].msg = buf;

267
		    sudo_conv(1, msg, repl, NULL);

268
		}

269
		if (nread == 0) {

270
		    close(fd);

271
		    goto done;

272
		}

273
		log_warning(closure->ctx, SLOG_RAW_MSG,

274
		    N_("error reading lecture file %s"), def_lecture_file);

275
	    } else {

276
		log_warningx(closure->ctx, SLOG_RAW_MSG,

277
		    N_("ignoring lecture file %s: not a regular file"),

278
		    def_lecture_file);

279
	    }

280
	} else {

281
	    log_warning(closure->ctx, SLOG_RAW_MSG|SLOG_NO_STDERR,

282
		N_("unable to open %s"), def_lecture_file);

283
	}

284
	if (fd != -1)

285
	    close(fd);

286
    }

287


288
    /* Default sudo lecture. */

289
    msg[0].msg_type = SUDO_CONV_ERROR_MSG|SUDO_CONV_PREFER_TTY;

290
    msg[0].msg = _("\n"

291
	"We trust you have received the usual lecture from the local System\n"

292
	"Administrator. It usually boils down to these three things:\n\n"

293
	"    #1) Respect the privacy of others.\n"

294
	"    #2) Think before you type.\n"

295
	"    #3) With great power comes great responsibility.\n\n");

296
    if (!def_pwfeedback) {

297
	msg[1].msg_type = SUDO_CONV_ERROR_MSG|SUDO_CONV_PREFER_TTY;

298
	msg[1].msg = _("For security reasons, the password you type will not be visible.\n\n");

299
	msgcount++;

300
    }

301
    sudo_conv(msgcount, msg, repl, NULL);

302


303
done:

304
    closure->lectured = true;

305
    debug_return;

306
}

307


308
/*

309
 * Checks if the user is exempt from supplying a password.

310
 */

311
bool

312
user_is_exempt(const struct sudoers_context *ctx)

313
{

314
    bool ret = false;

315
    debug_decl(user_is_exempt, SUDOERS_DEBUG_AUTH);

316


317
    if (def_exempt_group) {

318
	if (user_in_group(ctx->user.pw, def_exempt_group))

319
	    ret = true;

320
    }

321
    debug_return_bool(ret);

322
}

323


324