version 1.1.1.1, 2012/02/21 16:23:02
|
version 1.1.1.5, 2014/06/15 16:12:54
|
Line 1
|
Line 1
|
/* |
/* |
* Copyright (c) 2000-2005, 2007-2008, 2010-2011 | * Copyright (c) 2000-2005, 2007-2008, 2010-2013 |
* Todd C. Miller <Todd.Miller@courtesan.com> |
* Todd C. Miller <Todd.Miller@courtesan.com> |
* |
* |
* Permission to use, copy, modify, and distribute this software for any |
* Permission to use, copy, modify, and distribute this software for any |
Line 22
|
Line 22
|
#include <config.h> |
#include <config.h> |
|
|
#include <sys/types.h> |
#include <sys/types.h> |
#include <sys/param.h> |
|
#include <stdio.h> |
#include <stdio.h> |
#ifdef STDC_HEADERS |
#ifdef STDC_HEADERS |
# include <stdlib.h> |
# include <stdlib.h> |
Line 51
|
Line 50
|
#include "sudoers.h" |
#include "sudoers.h" |
#include "sudo_auth.h" |
#include "sudo_auth.h" |
|
|
extern char *login_style; /* from sudo.c */ | # ifndef LOGIN_DEFROOTCLASS |
| # define LOGIN_DEFROOTCLASS "daemon" |
| # endif |
|
|
|
struct bsdauth_state { |
|
auth_session_t *as; |
|
login_cap_t *lc; |
|
}; |
|
|
int |
int |
bsdauth_init(struct passwd *pw, sudo_auth *auth) |
bsdauth_init(struct passwd *pw, sudo_auth *auth) |
{ |
{ |
static auth_session_t *as; | static struct bsdauth_state state; |
extern login_cap_t *lc; /* from sudo.c */ | debug_decl(bsdauth_init, SUDO_DEBUG_AUTH) |
|
|
if ((as = auth_open()) == NULL) { | /* Get login class based on auth user, which may not be invoking user. */ |
log_error(USE_ERRNO|NO_EXIT|NO_MAIL, | if (pw->pw_class && *pw->pw_class) |
_("unable to begin bsd authentication")); | state.lc = login_getclass(pw->pw_class); |
return AUTH_FATAL; | else |
| state.lc = login_getclass(pw->pw_uid ? LOGIN_DEFCLASS : LOGIN_DEFROOTCLASS); |
| if (state.lc == NULL) { |
| log_warning(USE_ERRNO|NO_MAIL, |
| N_("unable to get login class for user %s"), pw->pw_name); |
| debug_return_int(AUTH_FATAL); |
} |
} |
|
|
|
if ((state.as = auth_open()) == NULL) { |
|
log_warning(USE_ERRNO|NO_MAIL, |
|
N_("unable to begin bsd authentication")); |
|
login_close(state.lc); |
|
debug_return_int(AUTH_FATAL); |
|
} |
|
|
/* XXX - maybe sanity check the auth style earlier? */ |
/* XXX - maybe sanity check the auth style earlier? */ |
login_style = login_getstyle(lc, login_style, "auth-sudo"); | login_style = login_getstyle(state.lc, login_style, "auth-sudo"); |
if (login_style == NULL) { |
if (login_style == NULL) { |
log_error(NO_EXIT|NO_MAIL, _("invalid authentication type")); | log_warning(NO_MAIL, N_("invalid authentication type")); |
auth_close(as); | auth_close(state.as); |
return AUTH_FATAL; | login_close(state.lc); |
| debug_return_int(AUTH_FATAL); |
} |
} |
|
|
if (auth_setitem(as, AUTHV_STYLE, login_style) < 0 || | if (auth_setitem(state.as, AUTHV_STYLE, login_style) < 0 || |
auth_setitem(as, AUTHV_NAME, pw->pw_name) < 0 || | auth_setitem(state.as, AUTHV_NAME, pw->pw_name) < 0 || |
auth_setitem(as, AUTHV_CLASS, login_class) < 0) { | auth_setitem(state.as, AUTHV_CLASS, login_class) < 0) { |
log_error(NO_EXIT|NO_MAIL, _("unable to setup authentication")); | log_warning(NO_MAIL, N_("unable to initialize BSD authentication")); |
auth_close(as); | auth_close(state.as); |
return AUTH_FATAL; | login_close(state.lc); |
| debug_return_int(AUTH_FATAL); |
} |
} |
|
|
auth->data = (void *) as; | auth->data = (void *) &state; |
return AUTH_SUCCESS; | debug_return_int(AUTH_SUCCESS); |
} |
} |
|
|
int |
int |
Line 93 bsdauth_verify(struct passwd *pw, char *prompt, sudo_a
|
Line 113 bsdauth_verify(struct passwd *pw, char *prompt, sudo_a
|
size_t len; |
size_t len; |
int authok = 0; |
int authok = 0; |
sigaction_t sa, osa; |
sigaction_t sa, osa; |
auth_session_t *as = (auth_session_t *) auth->data; | auth_session_t *as = ((struct bsdauth_state *) auth->data)->as; |
| debug_decl(bsdauth_verify, SUDO_DEBUG_AUTH) |
|
|
/* save old signal handler */ |
/* save old signal handler */ |
sigemptyset(&sa.sa_mask); |
sigemptyset(&sa.sa_mask); |
Line 133 bsdauth_verify(struct passwd *pw, char *prompt, sudo_a
|
Line 154 bsdauth_verify(struct passwd *pw, char *prompt, sudo_a
|
|
|
if (pass) { |
if (pass) { |
authok = auth_userresponse(as, pass, 1); |
authok = auth_userresponse(as, pass, 1); |
zero_bytes(pass, strlen(pass)); | memset_s(pass, SUDO_CONV_REPL_MAX, 0, strlen(pass)); |
} |
} |
|
|
/* restore old signal handler */ |
/* restore old signal handler */ |
(void) sigaction(SIGCHLD, &osa, NULL); |
(void) sigaction(SIGCHLD, &osa, NULL); |
|
|
if (authok) |
if (authok) |
return AUTH_SUCCESS; | debug_return_int(AUTH_SUCCESS); |
|
|
if (!pass) |
if (!pass) |
return AUTH_INTR; | debug_return_int(AUTH_INTR); |
|
|
if ((s = auth_getvalue(as, "errormsg")) != NULL) |
if ((s = auth_getvalue(as, "errormsg")) != NULL) |
log_error(NO_EXIT|NO_MAIL, "%s", s); | log_warning(NO_MAIL, "%s", s); |
return AUTH_FAILURE; | debug_return_int(AUTH_FAILURE); |
} |
} |
|
|
int |
int |
bsdauth_cleanup(struct passwd *pw, sudo_auth *auth) |
bsdauth_cleanup(struct passwd *pw, sudo_auth *auth) |
{ |
{ |
auth_session_t *as = (auth_session_t *) auth->data; | struct bsdauth_state *state = auth->data; |
| debug_decl(bsdauth_cleanup, SUDO_DEBUG_AUTH) |
|
|
auth_close(as); | if (state != NULL) { |
| auth_close(state->as); |
| login_close(state->lc); |
| } |
|
|
return AUTH_SUCCESS; | debug_return_int(AUTH_SUCCESS); |
} |
} |
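Review bot: The three failure paths in bsdauth_init close state.as and state.lc but leave the closed handles stored in the file-lifetime static `state`, and bsdauth_verify now dereferences `auth->data` unconditionally while bsdauth_cleanup guards it with `if (state != NULL)`; whether verify can run after a failed init depends on the caller, which is outside this diff. Resetting the fields on each early return keeps the static from holding freed sessions if init is ever retried, e.g. `login_close(state.lc); state.lc = NULL;` and `auth_close(state.as); state.as = NULL;`, and a single cleanup label closing whichever handle is non-NULL would remove the repetition across the three branches. In bsdauth_verify the return value of `memset_s(pass, SUDO_CONV_REPL_MAX, 0, strlen(pass))` is discarded, so if the reply were ever longer than SUDO_CONV_REPL_MAX only the first SUDO_CONV_REPL_MAX bytes would be cleared without any indication; if that bound is guaranteed by the conversation function a comment saying so (`/* pass is at most SUDO_CONV_REPL_MAX bytes */`) would make the choice of destmax explicit.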