|
version 1.1.1.2, 2012/05/29 12:26:49
|
version 1.1.1.5, 2013/10/14 07:56:35
|
|
Line 1
|
Line 1
|
| /* |
/* |
| * Copyright (c) 1999-2005, 2008-2010 Todd C. Miller <Todd.Miller@courtesan.com> | * Copyright (c) 1999-2005, 2008-2013 Todd C. Miller <Todd.Miller@courtesan.com> |
| * |
* |
| * Permission to use, copy, modify, and distribute this software for any |
* Permission to use, copy, modify, and distribute this software for any |
| * purpose with or without fee is hereby granted, provided that the above |
* purpose with or without fee is hereby granted, provided that the above |
|
Line 21
|
Line 21
|
| #include <config.h> |
#include <config.h> |
| |
|
| #include <sys/types.h> |
#include <sys/types.h> |
| #include <sys/param.h> |
|
| #include <stdio.h> |
#include <stdio.h> |
| #ifdef STDC_HEADERS |
#ifdef STDC_HEADERS |
| # include <stdlib.h> |
# include <stdlib.h> |
|
Line 100 extern char **NewArgv; /* XXX - for auditing */
|
Line 99 extern char **NewArgv; /* XXX - for auditing */
|
| |
|
| static void pass_warn(void); |
static void pass_warn(void); |
| |
|
| |
/* |
| |
* Initialize sudoers authentication method(s). |
| |
* Returns 0 on success and -1 on error. |
| |
*/ |
| int |
int |
| sudo_auth_init(struct passwd *pw) |
sudo_auth_init(struct passwd *pw) |
| { |
{ |
|
Line 108 sudo_auth_init(struct passwd *pw)
|
Line 111 sudo_auth_init(struct passwd *pw)
|
| debug_decl(sudo_auth_init, SUDO_DEBUG_AUTH) |
debug_decl(sudo_auth_init, SUDO_DEBUG_AUTH) |
| |
|
| if (auth_switch[0].name == NULL) |
if (auth_switch[0].name == NULL) |
| debug_return_int(true); | debug_return_int(0); |
| |
|
| /* Make sure we haven't mixed standalone and shared auth methods. */ |
/* Make sure we haven't mixed standalone and shared auth methods. */ |
| standalone = IS_STANDALONE(&auth_switch[0]); |
standalone = IS_STANDALONE(&auth_switch[0]); |
| if (standalone && auth_switch[1].name != NULL) { |
if (standalone && auth_switch[1].name != NULL) { |
| audit_failure(NewArgv, "invalid authentication methods"); | audit_failure(NewArgv, N_("invalid authentication methods")); |
| log_fatal(0, _("Invalid authentication methods compiled into sudo! " | log_fatal(0, N_("Invalid authentication methods compiled into sudo! " |
| "You may mix standalone and non-standalone authentication.")); | "You may not mix standalone and non-standalone authentication.")); |
| debug_return_int(-1); |
debug_return_int(-1); |
| } |
} |
| |
|
|
Line 134 sudo_auth_init(struct passwd *pw)
|
Line 137 sudo_auth_init(struct passwd *pw)
|
| if (NEEDS_USER(auth)) |
if (NEEDS_USER(auth)) |
| restore_perms(); |
restore_perms(); |
| |
|
| |
/* Disable if it failed to init unless there was a fatal error. */ |
| if (status == AUTH_FAILURE) |
if (status == AUTH_FAILURE) |
| SET(auth->flags, FLAG_DISABLED); |
SET(auth->flags, FLAG_DISABLED); |
| else if (status == AUTH_FATAL) { | else if (status == AUTH_FATAL) |
| /* XXX log */ | |
| audit_failure(NewArgv, "authentication failure"); | |
| break; /* assume error msg already printed */ |
break; /* assume error msg already printed */ |
| } |
|
| } |
} |
| } |
} |
| debug_return_int(status == AUTH_FATAL ? -1 : true); | debug_return_int(status == AUTH_FATAL ? -1 : 0); |
| } |
} |
| |
|
| |
/* |
| |
* Cleanup all authentication methods. |
| |
* Returns 0 on success and -1 on error. |
| |
*/ |
| int |
int |
| sudo_auth_cleanup(struct passwd *pw) |
sudo_auth_cleanup(struct passwd *pw) |
| { |
{ |
|
Line 164 sudo_auth_cleanup(struct passwd *pw)
|
Line 169 sudo_auth_cleanup(struct passwd *pw)
|
| if (NEEDS_USER(auth)) |
if (NEEDS_USER(auth)) |
| restore_perms(); |
restore_perms(); |
| |
|
| if (status == AUTH_FATAL) { | if (status == AUTH_FATAL) |
| /* XXX log */ | |
| audit_failure(NewArgv, "authentication failure"); | |
| break; /* assume error msg already printed */ |
break; /* assume error msg already printed */ |
| } |
|
| } |
} |
| } |
} |
| debug_return_int(status == AUTH_FATAL ? -1 : true); | debug_return_int(status == AUTH_FATAL ? -1 : 0); |
| } |
} |
| |
|
| |
/* |
| |
* Verify the specified user. |
| |
* Returns true if verified, false if not or -1 on error. |
| |
*/ |
| int |
int |
| verify_user(struct passwd *pw, char *prompt) | verify_user(struct passwd *pw, char *prompt, int validated) |
| { |
{ |
| int counter = def_passwd_tries + 1; |
int counter = def_passwd_tries + 1; |
| int success = AUTH_FAILURE; |
int success = AUTH_FAILURE; |
| int flags, status, rval; | int status, rval; |
| char *p; |
char *p; |
| sudo_auth *auth; |
sudo_auth *auth; |
| sigaction_t sa, osa; |
sigaction_t sa, osa; |
|
Line 194 verify_user(struct passwd *pw, char *prompt)
|
Line 200 verify_user(struct passwd *pw, char *prompt)
|
| /* Make sure we have at least one auth method. */ |
/* Make sure we have at least one auth method. */ |
| /* XXX - check FLAG_DISABLED too */ |
/* XXX - check FLAG_DISABLED too */ |
| if (auth_switch[0].name == NULL) { |
if (auth_switch[0].name == NULL) { |
| audit_failure(NewArgv, "no authentication methods"); | audit_failure(NewArgv, N_("no authentication methods")); |
| log_fatal(0, | log_warning(0, |
| _("There are no authentication methods compiled into sudo! " | N_("There are no authentication methods compiled into sudo! " |
| "If you want to turn off authentication, use the " |
"If you want to turn off authentication, use the " |
| "--disable-authentication configure option.")); |
"--disable-authentication configure option.")); |
| debug_return_int(-1); |
debug_return_int(-1); |
|
Line 216 verify_user(struct passwd *pw, char *prompt)
|
Line 222 verify_user(struct passwd *pw, char *prompt)
|
| |
|
| if (status == AUTH_FAILURE) |
if (status == AUTH_FAILURE) |
| SET(auth->flags, FLAG_DISABLED); |
SET(auth->flags, FLAG_DISABLED); |
| else if (status == AUTH_FATAL) { | else if (status == AUTH_FATAL) |
| /* XXX log */ | goto done; /* assume error msg already printed */ |
| audit_failure(NewArgv, "authentication failure"); | |
| debug_return_int(-1);/* assume error msg already printed */ | |
| } | |
| } |
} |
| } |
} |
| |
|
|
Line 251 verify_user(struct passwd *pw, char *prompt)
|
Line 254 verify_user(struct passwd *pw, char *prompt)
|
| goto done; |
goto done; |
| } |
} |
| if (!standalone) |
if (!standalone) |
| zero_bytes(p, strlen(p)); | memset_s(p, SUDO_CONV_REPL_MAX, 0, strlen(p)); |
| pass_warn(); |
pass_warn(); |
| } |
} |
| |
|
|
Line 263 done:
|
Line 266 done:
|
| break; |
break; |
| case AUTH_INTR: |
case AUTH_INTR: |
| case AUTH_FAILURE: |
case AUTH_FAILURE: |
| if (counter != def_passwd_tries) { | if (counter != def_passwd_tries) |
| if (def_mail_badpass || def_mail_always) | validated |= FLAG_BAD_PASSWORD; |
| flags = 0; | log_auth_failure(validated, def_passwd_tries - counter); |
| else | |
| flags = NO_MAIL; | |
| log_fatal(flags, ngettext("%d incorrect password attempt", | |
| "%d incorrect password attempts", | |
| def_passwd_tries - counter), def_passwd_tries - counter); | |
| } | |
| audit_failure(NewArgv, "authentication failure"); | |
| rval = false; |
rval = false; |
| break; |
break; |
| case AUTH_FATAL: |
case AUTH_FATAL: |
| default: |
default: |
| audit_failure(NewArgv, "authentication failure"); | log_auth_failure(validated | FLAG_AUTH_ERROR, 0); |
| rval = -1; |
rval = -1; |
| break; |
break; |
| } |
} |
|
Line 285 done:
|
Line 281 done:
|
| debug_return_int(rval); |
debug_return_int(rval); |
| } |
} |
| |
|
| |
/* |
| |
* Call authentication method begin session hooks. |
| |
* Returns 1 on success and -1 on error. |
| |
*/ |
| int |
int |
| sudo_auth_begin_session(struct passwd *pw, char **user_env[]) |
sudo_auth_begin_session(struct passwd *pw, char **user_env[]) |
| { |
{ |
| sudo_auth *auth; |
sudo_auth *auth; |
| int status; | int status = AUTH_SUCCESS; |
| debug_decl(auth_begin_session, SUDO_DEBUG_AUTH) | debug_decl(sudo_auth_begin_session, SUDO_DEBUG_AUTH) |
| |
|
| for (auth = auth_switch; auth->name; auth++) { |
for (auth = auth_switch; auth->name; auth++) { |
| if (auth->begin_session && !IS_DISABLED(auth)) { |
if (auth->begin_session && !IS_DISABLED(auth)) { |
| status = (auth->begin_session)(pw, user_env, auth); |
status = (auth->begin_session)(pw, user_env, auth); |
| if (status == AUTH_FATAL) { | if (status == AUTH_FATAL) |
| /* XXX log */ | break; /* assume error msg already printed */ |
| audit_failure(NewArgv, "authentication failure"); | |
| debug_return_bool(-1); /* assume error msg already printed */ | |
| } | |
| } |
} |
| } |
} |
| debug_return_bool(true); | debug_return_int(status == AUTH_FATAL ? -1 : 1); |
| } |
} |
| |
|
| |
bool |
| |
sudo_auth_needs_end_session(void) |
| |
{ |
| |
sudo_auth *auth; |
| |
bool needed = false; |
| |
debug_decl(sudo_auth_needs_end_session, SUDO_DEBUG_AUTH) |
| |
|
| |
for (auth = auth_switch; auth->name; auth++) { |
| |
if (auth->end_session && !IS_DISABLED(auth)) { |
| |
needed = true; |
| |
break; |
| |
} |
| |
} |
| |
debug_return_bool(needed); |
| |
} |
| |
|
| |
/* |
| |
* Call authentication method end session hooks. |
| |
* Returns 1 on success and -1 on error. |
| |
*/ |
| int |
int |
| sudo_auth_end_session(struct passwd *pw) |
sudo_auth_end_session(struct passwd *pw) |
| { |
{ |
| sudo_auth *auth; |
sudo_auth *auth; |
| int status; | int status = AUTH_SUCCESS; |
| debug_decl(auth_end_session, SUDO_DEBUG_AUTH) | debug_decl(sudo_auth_end_session, SUDO_DEBUG_AUTH) |
| |
|
| for (auth = auth_switch; auth->name; auth++) { |
for (auth = auth_switch; auth->name; auth++) { |
| if (auth->end_session && !IS_DISABLED(auth)) { |
if (auth->end_session && !IS_DISABLED(auth)) { |
| status = (auth->end_session)(pw, auth); |
status = (auth->end_session)(pw, auth); |
| if (status == AUTH_FATAL) { | if (status == AUTH_FATAL) |
| /* XXX log */ | break; /* assume error msg already printed */ |
| debug_return_bool(-1); /* assume error msg already printed */ | |
| } | |
| } |
} |
| } |
} |
| debug_return_bool(true); | debug_return_int(status == AUTH_FATAL ? -1 : 1); |
| } |
} |
| |
|
| static void |
static void |
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to sudo_auth.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / sudo / plugins / sudoers / auth