version 1.62, 2016/09/01 17:30:52 |
version 1.63, 2016/09/02 18:12:30 |
|
|
|
|
#include <sys/types.h> |
#include <sys/types.h> |
#include <sys/stat.h> |
#include <sys/stat.h> |
|
#include <sys/ioctl.h> |
|
|
#include <limits.h> |
#include <limits.h> |
#include <login_cap.h> |
#include <login_cap.h> |
|
|
#include <grp.h> |
#include <grp.h> |
#include <syslog.h> |
#include <syslog.h> |
#include <errno.h> |
#include <errno.h> |
|
#include <fcntl.h> |
|
|
#include "doas.h" |
#include "doas.h" |
|
|
static void __dead |
static void __dead |
usage(void) |
usage(void) |
{ |
{ |
fprintf(stderr, "usage: doas [-ns] [-a style] [-C config] [-u user]" |
fprintf(stderr, "usage: doas [-Lns] [-a style] [-C config] [-u user]" |
" command [args]\n"); |
" command [args]\n"); |
exit(1); |
exit(1); |
} |
} |
|
|
} |
} |
|
|
static void |
static void |
authuser(char *myname, char *login_style) |
authuser(char *myname, char *login_style, int persist) |
{ |
{ |
char *challenge = NULL, *response, rbuf[1024], cbuf[128]; |
char *challenge = NULL, *response, rbuf[1024], cbuf[128]; |
auth_session_t *as; |
auth_session_t *as; |
|
int fd = -1; |
|
|
|
if (persist) |
|
fd = open("/dev/tty", O_RDWR); |
|
if (fd != -1) { |
|
if (ioctl(fd, TIOCCHKVERAUTH) == 0) |
|
goto good; |
|
} |
|
|
if (!(as = auth_userchallenge(myname, login_style, "auth-doas", |
if (!(as = auth_userchallenge(myname, login_style, "auth-doas", |
&challenge))) |
&challenge))) |
errx(1, "Authorization failed"); |
errx(1, "Authorization failed"); |
|
|
errc(1, EPERM, NULL); |
errc(1, EPERM, NULL); |
} |
} |
explicit_bzero(rbuf, sizeof(rbuf)); |
explicit_bzero(rbuf, sizeof(rbuf)); |
|
good: |
|
if (fd != -1) { |
|
int secs = 10 * 60; |
|
ioctl(fd, TIOCSETVERAUTH, &secs); |
|
close(fd); |
|
} |
} |
} |
|
|
int |
int |
|
|
|
|
setprogname("doas"); |
setprogname("doas"); |
|
|
if (pledge("stdio rpath getpw tty recvfd proc exec id", NULL) == -1) |
|
err(1, "pledge"); |
|
|
|
closefrom(STDERR_FILENO + 1); |
closefrom(STDERR_FILENO + 1); |
|
|
uid = getuid(); |
uid = getuid(); |
|
|
while ((ch = getopt(argc, argv, "a:C:nsu:")) != -1) { |
while ((ch = getopt(argc, argv, "a:C:Lnsu:")) != -1) { |
switch (ch) { |
switch (ch) { |
case 'a': |
case 'a': |
login_style = optarg; |
login_style = optarg; |
|
|
case 'C': |
case 'C': |
confpath = optarg; |
confpath = optarg; |
break; |
break; |
|
case 'L': |
|
i = open("/dev/tty", O_RDWR); |
|
if (i != -1) |
|
ioctl(i, TIOCCLRVERAUTH); |
|
exit(i != -1); |
case 'u': |
case 'u': |
if (parseuid(optarg, &target) != 0) |
if (parseuid(optarg, &target) != 0) |
errx(1, "unknown user"); |
errx(1, "unknown user"); |
|
|
if (nflag) |
if (nflag) |
errx(1, "Authorization required"); |
errx(1, "Authorization required"); |
|
|
authuser(myname, login_style); |
authuser(myname, login_style, rule->options & PERSIST); |
} |
} |
|
|
if (pledge("stdio rpath getpw exec id", NULL) == -1) |
if (pledge("stdio rpath getpw exec id", NULL) == -1) |