Annotation of embedaddon/sudo/plugins/sudoers/auth/sudo_auth.c, revision 1.1.1.6
1.1 misho 1: /*
1.1.1.4 misho 2: * Copyright (c) 1999-2005, 2008-2013 Todd C. Miller <Todd.Miller@courtesan.com>
1.1 misho 3: *
4: * Permission to use, copy, modify, and distribute this software for any
5: * purpose with or without fee is hereby granted, provided that the above
6: * copyright notice and this permission notice appear in all copies.
7: *
8: * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9: * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10: * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11: * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12: * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13: * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14: * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15: *
16: * Sponsored in part by the Defense Advanced Research Projects
17: * Agency (DARPA) and Air Force Research Laboratory, Air Force
18: * Materiel Command, USAF, under agreement number F39502-99-1-0512.
19: */
20:
21: #include <config.h>
22:
23: #include <sys/types.h>
24: #include <stdio.h>
25: #ifdef STDC_HEADERS
26: # include <stdlib.h>
27: # include <stddef.h>
28: #else
29: # ifdef HAVE_STDLIB_H
30: # include <stdlib.h>
31: # endif
32: #endif /* STDC_HEADERS */
33: #ifdef HAVE_STRING_H
34: # include <string.h>
35: #endif /* HAVE_STRING_H */
36: #ifdef HAVE_STRINGS_H
37: # include <strings.h>
38: #endif /* HAVE_STRINGS_H */
39: #ifdef HAVE_UNISTD_H
40: # include <unistd.h>
41: #endif /* HAVE_UNISTD_H */
42: #include <pwd.h>
43: #include <time.h>
44: #include <signal.h>
45:
46: #include "sudoers.h"
47: #include "sudo_auth.h"
48: #include "insults.h"
49:
50: static sudo_auth auth_switch[] = {
51: /* Standalone entries first */
52: #ifdef HAVE_PAM
1.1.1.2 misho 53: AUTH_ENTRY("pam", FLAG_STANDALONE, sudo_pam_init, NULL, sudo_pam_verify, sudo_pam_cleanup, sudo_pam_begin_session, sudo_pam_end_session)
1.1 misho 54: #endif
55: #ifdef HAVE_SECURID
1.1.1.2 misho 56: AUTH_ENTRY("SecurId", FLAG_STANDALONE, sudo_securid_init, sudo_securid_setup, sudo_securid_verify, NULL, NULL, NULL)
1.1 misho 57: #endif
58: #ifdef HAVE_SIA_SES_INIT
1.1.1.2 misho 59: AUTH_ENTRY("sia", FLAG_STANDALONE, NULL, sudo_sia_setup, sudo_sia_verify, sudo_sia_cleanup, NULL, NULL)
1.1 misho 60: #endif
61: #ifdef HAVE_AIXAUTH
1.1.1.2 misho 62: AUTH_ENTRY("aixauth", FLAG_STANDALONE, NULL, NULL, sudo_aix_verify, sudo_aix_cleanup, NULL, NULL)
1.1 misho 63: #endif
64: #ifdef HAVE_FWTK
1.1.1.2 misho 65: AUTH_ENTRY("fwtk", FLAG_STANDALONE, sudo_fwtk_init, NULL, sudo_fwtk_verify, sudo_fwtk_cleanup, NULL, NULL)
1.1 misho 66: #endif
67: #ifdef HAVE_BSD_AUTH_H
68: AUTH_ENTRY("bsdauth", FLAG_STANDALONE, bsdauth_init, NULL, bsdauth_verify, bsdauth_cleanup, NULL, NULL)
69: #endif
70:
71: /* Non-standalone entries */
72: #ifndef WITHOUT_PASSWD
1.1.1.2 misho 73: AUTH_ENTRY("passwd", 0, sudo_passwd_init, NULL, sudo_passwd_verify, sudo_passwd_cleanup, NULL, NULL)
1.1 misho 74: #endif
75: #if defined(HAVE_GETPRPWNAM) && !defined(WITHOUT_PASSWD)
1.1.1.2 misho 76: AUTH_ENTRY("secureware", 0, sudo_secureware_init, NULL, sudo_secureware_verify, sudo_secureware_cleanup, NULL, NULL)
1.1 misho 77: #endif
78: #ifdef HAVE_AFS
1.1.1.2 misho 79: AUTH_ENTRY("afs", 0, NULL, NULL, sudo_afs_verify, NULL, NULL, NULL)
1.1 misho 80: #endif
81: #ifdef HAVE_DCE
1.1.1.2 misho 82: AUTH_ENTRY("dce", 0, NULL, NULL, sudo_dce_verify, NULL, NULL, NULL)
1.1 misho 83: #endif
84: #ifdef HAVE_KERB5
1.1.1.2 misho 85: AUTH_ENTRY("kerb5", 0, sudo_krb5_init, sudo_krb5_setup, sudo_krb5_verify, sudo_krb5_cleanup, NULL, NULL)
1.1 misho 86: #endif
87: #ifdef HAVE_SKEY
1.1.1.2 misho 88: AUTH_ENTRY("S/Key", 0, NULL, sudo_rfc1938_setup, sudo_rfc1938_verify, NULL, NULL, NULL)
1.1 misho 89: #endif
90: #ifdef HAVE_OPIE
1.1.1.2 misho 91: AUTH_ENTRY("OPIE", 0, NULL, sudo_rfc1938_setup, sudo_rfc1938_verify, NULL, NULL, NULL)
1.1 misho 92: #endif
93: AUTH_ENTRY(NULL, 0, NULL, NULL, NULL, NULL, NULL, NULL)
94: };
95:
96: static int standalone;
97:
98: extern char **NewArgv; /* XXX - for auditing */
99:
100: static void pass_warn(void);
101:
1.1.1.3 misho 102: /*
103: * Initialize sudoers authentication method(s).
104: * Returns 0 on success and -1 on error.
105: */
1.1 misho 106: int
107: sudo_auth_init(struct passwd *pw)
108: {
109: sudo_auth *auth;
110: int status = AUTH_SUCCESS;
1.1.1.2 misho 111: debug_decl(sudo_auth_init, SUDO_DEBUG_AUTH)
1.1 misho 112:
113: if (auth_switch[0].name == NULL)
1.1.1.3 misho 114: debug_return_int(0);
1.1 misho 115:
116: /* Make sure we haven't mixed standalone and shared auth methods. */
117: standalone = IS_STANDALONE(&auth_switch[0]);
118: if (standalone && auth_switch[1].name != NULL) {
1.1.1.4 misho 119: audit_failure(NewArgv, N_("invalid authentication methods"));
120: log_fatal(0, N_("Invalid authentication methods compiled into sudo! "
121: "You may not mix standalone and non-standalone authentication."));
1.1.1.2 misho 122: debug_return_int(-1);
1.1 misho 123: }
124:
125: /* Set FLAG_ONEANDONLY if there is only one auth method. */
126: if (auth_switch[1].name == NULL)
127: SET(auth_switch[0].flags, FLAG_ONEANDONLY);
128:
129: /* Initialize auth methods and unconfigure the method if necessary. */
130: for (auth = auth_switch; auth->name; auth++) {
131: if (auth->init && !IS_DISABLED(auth)) {
132: if (NEEDS_USER(auth))
133: set_perms(PERM_USER);
134:
135: status = (auth->init)(pw, auth);
136:
137: if (NEEDS_USER(auth))
138: restore_perms();
139:
1.1.1.3 misho 140: /* Disable if it failed to init unless there was a fatal error. */
1.1 misho 141: if (status == AUTH_FAILURE)
142: SET(auth->flags, FLAG_DISABLED);
1.1.1.3 misho 143: else if (status == AUTH_FATAL)
1.1 misho 144: break; /* assume error msg already printed */
145: }
146: }
1.1.1.3 misho 147: debug_return_int(status == AUTH_FATAL ? -1 : 0);
1.1 misho 148: }
149:
1.1.1.3 misho 150: /*
151: * Cleanup all authentication methods.
152: * Returns 0 on success and -1 on error.
153: */
1.1 misho 154: int
155: sudo_auth_cleanup(struct passwd *pw)
156: {
157: sudo_auth *auth;
158: int status = AUTH_SUCCESS;
1.1.1.2 misho 159: debug_decl(sudo_auth_cleanup, SUDO_DEBUG_AUTH)
1.1 misho 160:
161: /* Call cleanup routines. */
162: for (auth = auth_switch; auth->name; auth++) {
163: if (auth->cleanup && !IS_DISABLED(auth)) {
164: if (NEEDS_USER(auth))
165: set_perms(PERM_USER);
166:
167: status = (auth->cleanup)(pw, auth);
168:
169: if (NEEDS_USER(auth))
170: restore_perms();
171:
1.1.1.3 misho 172: if (status == AUTH_FATAL)
1.1 misho 173: break; /* assume error msg already printed */
174: }
175: }
1.1.1.3 misho 176: debug_return_int(status == AUTH_FATAL ? -1 : 0);
1.1 misho 177: }
178:
1.1.1.3 misho 179: /*
180: * Verify the specified user.
181: * Returns true if verified, false if not or -1 on error.
182: */
1.1 misho 183: int
1.1.1.3 misho 184: verify_user(struct passwd *pw, char *prompt, int validated)
1.1 misho 185: {
1.1.1.6 ! misho 186: unsigned int counter = def_passwd_tries + 1;
1.1 misho 187: int success = AUTH_FAILURE;
1.1.1.3 misho 188: int status, rval;
1.1 misho 189: char *p;
190: sudo_auth *auth;
191: sigaction_t sa, osa;
1.1.1.2 misho 192: debug_decl(verify_user, SUDO_DEBUG_AUTH)
1.1 misho 193:
194: /* Enable suspend during password entry. */
195: sigemptyset(&sa.sa_mask);
196: sa.sa_flags = SA_RESTART;
197: sa.sa_handler = SIG_DFL;
198: (void) sigaction(SIGTSTP, &sa, &osa);
199:
200: /* Make sure we have at least one auth method. */
201: /* XXX - check FLAG_DISABLED too */
202: if (auth_switch[0].name == NULL) {
1.1.1.4 misho 203: audit_failure(NewArgv, N_("no authentication methods"));
204: log_warning(0,
205: N_("There are no authentication methods compiled into sudo! "
1.1 misho 206: "If you want to turn off authentication, use the "
207: "--disable-authentication configure option."));
1.1.1.2 misho 208: debug_return_int(-1);
1.1 misho 209: }
210:
211: while (--counter) {
212: /* Do any per-method setup and unconfigure the method if needed */
213: for (auth = auth_switch; auth->name; auth++) {
214: if (auth->setup && !IS_DISABLED(auth)) {
215: if (NEEDS_USER(auth))
216: set_perms(PERM_USER);
217:
218: status = (auth->setup)(pw, &prompt, auth);
219:
220: if (NEEDS_USER(auth))
221: restore_perms();
222:
223: if (status == AUTH_FAILURE)
224: SET(auth->flags, FLAG_DISABLED);
1.1.1.3 misho 225: else if (status == AUTH_FATAL)
226: goto done; /* assume error msg already printed */
1.1 misho 227: }
228: }
229:
230: /* Get the password unless the auth function will do it for us */
231: if (standalone) {
232: p = prompt;
233: } else {
234: p = auth_getpass(prompt, def_passwd_timeout * 60,
235: SUDO_CONV_PROMPT_ECHO_OFF);
236: if (p == NULL)
237: break;
238: }
239:
240: /* Call authentication functions. */
241: for (auth = auth_switch; auth->name; auth++) {
242: if (IS_DISABLED(auth))
243: continue;
244:
245: if (NEEDS_USER(auth))
246: set_perms(PERM_USER);
247:
248: success = auth->status = (auth->verify)(pw, p, auth);
249:
250: if (NEEDS_USER(auth))
251: restore_perms();
252:
253: if (auth->status != AUTH_FAILURE)
254: goto done;
255: }
256: if (!standalone)
1.1.1.5 misho 257: memset_s(p, SUDO_CONV_REPL_MAX, 0, strlen(p));
1.1 misho 258: pass_warn();
259: }
260:
261: done:
262: switch (success) {
263: case AUTH_SUCCESS:
264: (void) sigaction(SIGTSTP, &osa, NULL);
1.1.1.2 misho 265: rval = true;
1.1 misho 266: break;
267: case AUTH_INTR:
268: case AUTH_FAILURE:
1.1.1.3 misho 269: if (counter != def_passwd_tries)
270: validated |= FLAG_BAD_PASSWORD;
271: log_auth_failure(validated, def_passwd_tries - counter);
1.1.1.2 misho 272: rval = false;
1.1 misho 273: break;
274: case AUTH_FATAL:
275: default:
1.1.1.3 misho 276: log_auth_failure(validated | FLAG_AUTH_ERROR, 0);
1.1 misho 277: rval = -1;
278: break;
279: }
280:
1.1.1.2 misho 281: debug_return_int(rval);
1.1 misho 282: }
283:
1.1.1.3 misho 284: /*
285: * Call authentication method begin session hooks.
286: * Returns 1 on success and -1 on error.
287: */
1.1 misho 288: int
1.1.1.2 misho 289: sudo_auth_begin_session(struct passwd *pw, char **user_env[])
1.1 misho 290: {
291: sudo_auth *auth;
1.1.1.3 misho 292: int status = AUTH_SUCCESS;
1.1.1.4 misho 293: debug_decl(sudo_auth_begin_session, SUDO_DEBUG_AUTH)
1.1 misho 294:
295: for (auth = auth_switch; auth->name; auth++) {
296: if (auth->begin_session && !IS_DISABLED(auth)) {
1.1.1.2 misho 297: status = (auth->begin_session)(pw, user_env, auth);
1.1.1.3 misho 298: if (status == AUTH_FATAL)
299: break; /* assume error msg already printed */
1.1 misho 300: }
301: }
1.1.1.3 misho 302: debug_return_int(status == AUTH_FATAL ? -1 : 1);
1.1 misho 303: }
304:
1.1.1.4 misho 305: bool
306: sudo_auth_needs_end_session(void)
307: {
308: sudo_auth *auth;
309: bool needed = false;
310: debug_decl(sudo_auth_needs_end_session, SUDO_DEBUG_AUTH)
311:
312: for (auth = auth_switch; auth->name; auth++) {
313: if (auth->end_session && !IS_DISABLED(auth)) {
314: needed = true;
315: break;
316: }
317: }
318: debug_return_bool(needed);
319: }
320:
1.1.1.3 misho 321: /*
322: * Call authentication method end session hooks.
323: * Returns 1 on success and -1 on error.
324: */
1.1 misho 325: int
326: sudo_auth_end_session(struct passwd *pw)
327: {
328: sudo_auth *auth;
1.1.1.3 misho 329: int status = AUTH_SUCCESS;
1.1.1.4 misho 330: debug_decl(sudo_auth_end_session, SUDO_DEBUG_AUTH)
1.1 misho 331:
332: for (auth = auth_switch; auth->name; auth++) {
333: if (auth->end_session && !IS_DISABLED(auth)) {
334: status = (auth->end_session)(pw, auth);
1.1.1.3 misho 335: if (status == AUTH_FATAL)
336: break; /* assume error msg already printed */
1.1 misho 337: }
338: }
1.1.1.3 misho 339: debug_return_int(status == AUTH_FATAL ? -1 : 1);
1.1 misho 340: }
341:
342: static void
343: pass_warn(void)
344: {
345: const char *warning = def_badpass_message;
1.1.1.2 misho 346: debug_decl(pass_warn, SUDO_DEBUG_AUTH)
1.1 misho 347:
348: #ifdef INSULT
349: if (def_insults)
350: warning = INSULT;
351: #endif
352: sudo_printf(SUDO_CONV_ERROR_MSG, "%s\n", warning);
1.1.1.2 misho 353:
354: debug_return;
1.1 misho 355: }
356:
357: char *
358: auth_getpass(const char *prompt, int timeout, int type)
359: {
360: struct sudo_conv_message msg;
361: struct sudo_conv_reply repl;
1.1.1.2 misho 362: debug_decl(auth_getpass, SUDO_DEBUG_AUTH)
1.1 misho 363:
364: /* Mask user input if pwfeedback set and echo is off. */
365: if (type == SUDO_CONV_PROMPT_ECHO_OFF && def_pwfeedback)
366: type = SUDO_CONV_PROMPT_MASK;
367:
368: /* If visiblepw set, do not error out if there is no tty. */
369: if (def_visiblepw)
370: type |= SUDO_CONV_PROMPT_ECHO_OK;
371:
372: /* Call conversation function */
373: memset(&msg, 0, sizeof(msg));
374: msg.msg_type = type;
375: msg.timeout = def_passwd_timeout * 60;
376: msg.msg = prompt;
377: memset(&repl, 0, sizeof(repl));
378: sudo_conv(1, &msg, &repl);
379: /* XXX - check for ENOTTY? */
1.1.1.2 misho 380: debug_return_str_masked(repl.reply);
1.1 misho 381: }
382:
383: void
384: dump_auth_methods(void)
385: {
386: sudo_auth *auth;
1.1.1.2 misho 387: debug_decl(dump_auth_methods, SUDO_DEBUG_AUTH)
1.1 misho 388:
389: sudo_printf(SUDO_CONV_INFO_MSG, _("Authentication methods:"));
390: for (auth = auth_switch; auth->name; auth++)
391: sudo_printf(SUDO_CONV_INFO_MSG, " '%s'", auth->name);
392: sudo_printf(SUDO_CONV_INFO_MSG, "\n");
1.1.1.2 misho 393:
394: debug_return;
1.1 misho 395: }
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>