Annotation of embedaddon/sudo/plugins/sudoers/auth/sudo_auth.c, revision 1.1.1.3
1.1 misho 1: /*
2: * Copyright (c) 1999-2005, 2008-2010 Todd C. Miller <Todd.Miller@courtesan.com>
3: *
4: * Permission to use, copy, modify, and distribute this software for any
5: * purpose with or without fee is hereby granted, provided that the above
6: * copyright notice and this permission notice appear in all copies.
7: *
8: * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9: * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10: * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11: * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12: * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13: * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14: * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15: *
16: * Sponsored in part by the Defense Advanced Research Projects
17: * Agency (DARPA) and Air Force Research Laboratory, Air Force
18: * Materiel Command, USAF, under agreement number F39502-99-1-0512.
19: */
20:
21: #include <config.h>
22:
23: #include <sys/types.h>
24: #include <sys/param.h>
25: #include <stdio.h>
26: #ifdef STDC_HEADERS
27: # include <stdlib.h>
28: # include <stddef.h>
29: #else
30: # ifdef HAVE_STDLIB_H
31: # include <stdlib.h>
32: # endif
33: #endif /* STDC_HEADERS */
34: #ifdef HAVE_STRING_H
35: # include <string.h>
36: #endif /* HAVE_STRING_H */
37: #ifdef HAVE_STRINGS_H
38: # include <strings.h>
39: #endif /* HAVE_STRINGS_H */
40: #ifdef HAVE_UNISTD_H
41: # include <unistd.h>
42: #endif /* HAVE_UNISTD_H */
43: #include <pwd.h>
44: #include <time.h>
45: #include <signal.h>
46:
47: #include "sudoers.h"
48: #include "sudo_auth.h"
49: #include "insults.h"
50:
51: static sudo_auth auth_switch[] = {
52: /* Standalone entries first */
53: #ifdef HAVE_PAM
1.1.1.2 misho 54: AUTH_ENTRY("pam", FLAG_STANDALONE, sudo_pam_init, NULL, sudo_pam_verify, sudo_pam_cleanup, sudo_pam_begin_session, sudo_pam_end_session)
1.1 misho 55: #endif
56: #ifdef HAVE_SECURID
1.1.1.2 misho 57: AUTH_ENTRY("SecurId", FLAG_STANDALONE, sudo_securid_init, sudo_securid_setup, sudo_securid_verify, NULL, NULL, NULL)
1.1 misho 58: #endif
59: #ifdef HAVE_SIA_SES_INIT
1.1.1.2 misho 60: AUTH_ENTRY("sia", FLAG_STANDALONE, NULL, sudo_sia_setup, sudo_sia_verify, sudo_sia_cleanup, NULL, NULL)
1.1 misho 61: #endif
62: #ifdef HAVE_AIXAUTH
1.1.1.2 misho 63: AUTH_ENTRY("aixauth", FLAG_STANDALONE, NULL, NULL, sudo_aix_verify, sudo_aix_cleanup, NULL, NULL)
1.1 misho 64: #endif
65: #ifdef HAVE_FWTK
1.1.1.2 misho 66: AUTH_ENTRY("fwtk", FLAG_STANDALONE, sudo_fwtk_init, NULL, sudo_fwtk_verify, sudo_fwtk_cleanup, NULL, NULL)
1.1 misho 67: #endif
68: #ifdef HAVE_BSD_AUTH_H
69: AUTH_ENTRY("bsdauth", FLAG_STANDALONE, bsdauth_init, NULL, bsdauth_verify, bsdauth_cleanup, NULL, NULL)
70: #endif
71:
72: /* Non-standalone entries */
73: #ifndef WITHOUT_PASSWD
1.1.1.2 misho 74: AUTH_ENTRY("passwd", 0, sudo_passwd_init, NULL, sudo_passwd_verify, sudo_passwd_cleanup, NULL, NULL)
1.1 misho 75: #endif
76: #if defined(HAVE_GETPRPWNAM) && !defined(WITHOUT_PASSWD)
1.1.1.2 misho 77: AUTH_ENTRY("secureware", 0, sudo_secureware_init, NULL, sudo_secureware_verify, sudo_secureware_cleanup, NULL, NULL)
1.1 misho 78: #endif
79: #ifdef HAVE_AFS
1.1.1.2 misho 80: AUTH_ENTRY("afs", 0, NULL, NULL, sudo_afs_verify, NULL, NULL, NULL)
1.1 misho 81: #endif
82: #ifdef HAVE_DCE
1.1.1.2 misho 83: AUTH_ENTRY("dce", 0, NULL, NULL, sudo_dce_verify, NULL, NULL, NULL)
1.1 misho 84: #endif
85: #ifdef HAVE_KERB5
1.1.1.2 misho 86: AUTH_ENTRY("kerb5", 0, sudo_krb5_init, sudo_krb5_setup, sudo_krb5_verify, sudo_krb5_cleanup, NULL, NULL)
1.1 misho 87: #endif
88: #ifdef HAVE_SKEY
1.1.1.2 misho 89: AUTH_ENTRY("S/Key", 0, NULL, sudo_rfc1938_setup, sudo_rfc1938_verify, NULL, NULL, NULL)
1.1 misho 90: #endif
91: #ifdef HAVE_OPIE
1.1.1.2 misho 92: AUTH_ENTRY("OPIE", 0, NULL, sudo_rfc1938_setup, sudo_rfc1938_verify, NULL, NULL, NULL)
1.1 misho 93: #endif
94: AUTH_ENTRY(NULL, 0, NULL, NULL, NULL, NULL, NULL, NULL)
95: };
96:
97: static int standalone;
98:
99: extern char **NewArgv; /* XXX - for auditing */
100:
101: static void pass_warn(void);
102:
1.1.1.3 ! misho 103: /*
! 104: * Initialize sudoers authentication method(s).
! 105: * Returns 0 on success and -1 on error.
! 106: */
1.1 misho 107: int
108: sudo_auth_init(struct passwd *pw)
109: {
110: sudo_auth *auth;
111: int status = AUTH_SUCCESS;
1.1.1.2 misho 112: debug_decl(sudo_auth_init, SUDO_DEBUG_AUTH)
1.1 misho 113:
114: if (auth_switch[0].name == NULL)
1.1.1.3 ! misho 115: debug_return_int(0);
1.1 misho 116:
117: /* Make sure we haven't mixed standalone and shared auth methods. */
118: standalone = IS_STANDALONE(&auth_switch[0]);
119: if (standalone && auth_switch[1].name != NULL) {
120: audit_failure(NewArgv, "invalid authentication methods");
1.1.1.2 misho 121: log_fatal(0, _("Invalid authentication methods compiled into sudo! "
1.1 misho 122: "You may mix standalone and non-standalone authentication."));
1.1.1.2 misho 123: debug_return_int(-1);
1.1 misho 124: }
125:
126: /* Set FLAG_ONEANDONLY if there is only one auth method. */
127: if (auth_switch[1].name == NULL)
128: SET(auth_switch[0].flags, FLAG_ONEANDONLY);
129:
130: /* Initialize auth methods and unconfigure the method if necessary. */
131: for (auth = auth_switch; auth->name; auth++) {
132: if (auth->init && !IS_DISABLED(auth)) {
133: if (NEEDS_USER(auth))
134: set_perms(PERM_USER);
135:
136: status = (auth->init)(pw, auth);
137:
138: if (NEEDS_USER(auth))
139: restore_perms();
140:
1.1.1.3 ! misho 141: /* Disable if it failed to init unless there was a fatal error. */
1.1 misho 142: if (status == AUTH_FAILURE)
143: SET(auth->flags, FLAG_DISABLED);
1.1.1.3 ! misho 144: else if (status == AUTH_FATAL)
1.1 misho 145: break; /* assume error msg already printed */
146: }
147: }
1.1.1.3 ! misho 148: debug_return_int(status == AUTH_FATAL ? -1 : 0);
1.1 misho 149: }
150:
1.1.1.3 ! misho 151: /*
! 152: * Cleanup all authentication methods.
! 153: * Returns 0 on success and -1 on error.
! 154: */
1.1 misho 155: int
156: sudo_auth_cleanup(struct passwd *pw)
157: {
158: sudo_auth *auth;
159: int status = AUTH_SUCCESS;
1.1.1.2 misho 160: debug_decl(sudo_auth_cleanup, SUDO_DEBUG_AUTH)
1.1 misho 161:
162: /* Call cleanup routines. */
163: for (auth = auth_switch; auth->name; auth++) {
164: if (auth->cleanup && !IS_DISABLED(auth)) {
165: if (NEEDS_USER(auth))
166: set_perms(PERM_USER);
167:
168: status = (auth->cleanup)(pw, auth);
169:
170: if (NEEDS_USER(auth))
171: restore_perms();
172:
1.1.1.3 ! misho 173: if (status == AUTH_FATAL)
1.1 misho 174: break; /* assume error msg already printed */
175: }
176: }
1.1.1.3 ! misho 177: debug_return_int(status == AUTH_FATAL ? -1 : 0);
1.1 misho 178: }
179:
1.1.1.3 ! misho 180: /*
! 181: * Verify the specified user.
! 182: * Returns true if verified, false if not or -1 on error.
! 183: */
1.1 misho 184: int
1.1.1.3 ! misho 185: verify_user(struct passwd *pw, char *prompt, int validated)
1.1 misho 186: {
187: int counter = def_passwd_tries + 1;
188: int success = AUTH_FAILURE;
1.1.1.3 ! misho 189: int status, rval;
1.1 misho 190: char *p;
191: sudo_auth *auth;
192: sigaction_t sa, osa;
1.1.1.2 misho 193: debug_decl(verify_user, SUDO_DEBUG_AUTH)
1.1 misho 194:
195: /* Enable suspend during password entry. */
196: sigemptyset(&sa.sa_mask);
197: sa.sa_flags = SA_RESTART;
198: sa.sa_handler = SIG_DFL;
199: (void) sigaction(SIGTSTP, &sa, &osa);
200:
201: /* Make sure we have at least one auth method. */
202: /* XXX - check FLAG_DISABLED too */
203: if (auth_switch[0].name == NULL) {
204: audit_failure(NewArgv, "no authentication methods");
1.1.1.3 ! misho 205: log_error(0,
1.1 misho 206: _("There are no authentication methods compiled into sudo! "
207: "If you want to turn off authentication, use the "
208: "--disable-authentication configure option."));
1.1.1.2 misho 209: debug_return_int(-1);
1.1 misho 210: }
211:
212: while (--counter) {
213: /* Do any per-method setup and unconfigure the method if needed */
214: for (auth = auth_switch; auth->name; auth++) {
215: if (auth->setup && !IS_DISABLED(auth)) {
216: if (NEEDS_USER(auth))
217: set_perms(PERM_USER);
218:
219: status = (auth->setup)(pw, &prompt, auth);
220:
221: if (NEEDS_USER(auth))
222: restore_perms();
223:
224: if (status == AUTH_FAILURE)
225: SET(auth->flags, FLAG_DISABLED);
1.1.1.3 ! misho 226: else if (status == AUTH_FATAL)
! 227: goto done; /* assume error msg already printed */
1.1 misho 228: }
229: }
230:
231: /* Get the password unless the auth function will do it for us */
232: if (standalone) {
233: p = prompt;
234: } else {
235: p = auth_getpass(prompt, def_passwd_timeout * 60,
236: SUDO_CONV_PROMPT_ECHO_OFF);
237: if (p == NULL)
238: break;
239: }
240:
241: /* Call authentication functions. */
242: for (auth = auth_switch; auth->name; auth++) {
243: if (IS_DISABLED(auth))
244: continue;
245:
246: if (NEEDS_USER(auth))
247: set_perms(PERM_USER);
248:
249: success = auth->status = (auth->verify)(pw, p, auth);
250:
251: if (NEEDS_USER(auth))
252: restore_perms();
253:
254: if (auth->status != AUTH_FAILURE)
255: goto done;
256: }
257: if (!standalone)
258: zero_bytes(p, strlen(p));
259: pass_warn();
260: }
261:
262: done:
263: switch (success) {
264: case AUTH_SUCCESS:
265: (void) sigaction(SIGTSTP, &osa, NULL);
1.1.1.2 misho 266: rval = true;
1.1 misho 267: break;
268: case AUTH_INTR:
269: case AUTH_FAILURE:
1.1.1.3 ! misho 270: if (counter != def_passwd_tries)
! 271: validated |= FLAG_BAD_PASSWORD;
! 272: log_auth_failure(validated, def_passwd_tries - counter);
1.1.1.2 misho 273: rval = false;
1.1 misho 274: break;
275: case AUTH_FATAL:
276: default:
1.1.1.3 ! misho 277: log_auth_failure(validated | FLAG_AUTH_ERROR, 0);
1.1 misho 278: rval = -1;
279: break;
280: }
281:
1.1.1.2 misho 282: debug_return_int(rval);
1.1 misho 283: }
284:
1.1.1.3 ! misho 285: /*
! 286: * Call authentication method begin session hooks.
! 287: * Returns 1 on success and -1 on error.
! 288: */
1.1 misho 289: int
1.1.1.2 misho 290: sudo_auth_begin_session(struct passwd *pw, char **user_env[])
1.1 misho 291: {
292: sudo_auth *auth;
1.1.1.3 ! misho 293: int status = AUTH_SUCCESS;
1.1.1.2 misho 294: debug_decl(auth_begin_session, SUDO_DEBUG_AUTH)
1.1 misho 295:
296: for (auth = auth_switch; auth->name; auth++) {
297: if (auth->begin_session && !IS_DISABLED(auth)) {
1.1.1.2 misho 298: status = (auth->begin_session)(pw, user_env, auth);
1.1.1.3 ! misho 299: if (status == AUTH_FATAL)
! 300: break; /* assume error msg already printed */
1.1 misho 301: }
302: }
1.1.1.3 ! misho 303: debug_return_int(status == AUTH_FATAL ? -1 : 1);
1.1 misho 304: }
305:
1.1.1.3 ! misho 306: /*
! 307: * Call authentication method end session hooks.
! 308: * Returns 1 on success and -1 on error.
! 309: */
1.1 misho 310: int
311: sudo_auth_end_session(struct passwd *pw)
312: {
313: sudo_auth *auth;
1.1.1.3 ! misho 314: int status = AUTH_SUCCESS;
1.1.1.2 misho 315: debug_decl(auth_end_session, SUDO_DEBUG_AUTH)
1.1 misho 316:
317: for (auth = auth_switch; auth->name; auth++) {
318: if (auth->end_session && !IS_DISABLED(auth)) {
319: status = (auth->end_session)(pw, auth);
1.1.1.3 ! misho 320: if (status == AUTH_FATAL)
! 321: break; /* assume error msg already printed */
1.1 misho 322: }
323: }
1.1.1.3 ! misho 324: debug_return_int(status == AUTH_FATAL ? -1 : 1);
1.1 misho 325: }
326:
327: static void
328: pass_warn(void)
329: {
330: const char *warning = def_badpass_message;
1.1.1.2 misho 331: debug_decl(pass_warn, SUDO_DEBUG_AUTH)
1.1 misho 332:
333: #ifdef INSULT
334: if (def_insults)
335: warning = INSULT;
336: #endif
337: sudo_printf(SUDO_CONV_ERROR_MSG, "%s\n", warning);
1.1.1.2 misho 338:
339: debug_return;
1.1 misho 340: }
341:
342: char *
343: auth_getpass(const char *prompt, int timeout, int type)
344: {
345: struct sudo_conv_message msg;
346: struct sudo_conv_reply repl;
1.1.1.2 misho 347: debug_decl(auth_getpass, SUDO_DEBUG_AUTH)
1.1 misho 348:
349: /* Mask user input if pwfeedback set and echo is off. */
350: if (type == SUDO_CONV_PROMPT_ECHO_OFF && def_pwfeedback)
351: type = SUDO_CONV_PROMPT_MASK;
352:
353: /* If visiblepw set, do not error out if there is no tty. */
354: if (def_visiblepw)
355: type |= SUDO_CONV_PROMPT_ECHO_OK;
356:
357: /* Call conversation function */
358: memset(&msg, 0, sizeof(msg));
359: msg.msg_type = type;
360: msg.timeout = def_passwd_timeout * 60;
361: msg.msg = prompt;
362: memset(&repl, 0, sizeof(repl));
363: sudo_conv(1, &msg, &repl);
364: /* XXX - check for ENOTTY? */
1.1.1.2 misho 365: debug_return_str_masked(repl.reply);
1.1 misho 366: }
367:
368: void
369: dump_auth_methods(void)
370: {
371: sudo_auth *auth;
1.1.1.2 misho 372: debug_decl(dump_auth_methods, SUDO_DEBUG_AUTH)
1.1 misho 373:
374: sudo_printf(SUDO_CONV_INFO_MSG, _("Authentication methods:"));
375: for (auth = auth_switch; auth->name; auth++)
376: sudo_printf(SUDO_CONV_INFO_MSG, " '%s'", auth->name);
377: sudo_printf(SUDO_CONV_INFO_MSG, "\n");
1.1.1.2 misho 378:
379: debug_return;
1.1 misho 380: }
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>