Annotation of src/usr.bin/lock/lock.c, Revision 1.32
1.32 ! tedu 1: /* $OpenBSD: lock.c,v 1.31 2015/10/10 20:35:01 deraadt Exp $ */
1.2 deraadt 2: /* $NetBSD: lock.c,v 1.8 1996/05/07 18:32:31 jtc Exp $ */
1.1 deraadt 3:
4: /*
5: * Copyright (c) 1980, 1987, 1993
6: * The Regents of the University of California. All rights reserved.
7: *
8: * This code is derived from software contributed to Berkeley by
9: * Bob Toxen.
10: *
11: * Redistribution and use in source and binary forms, with or without
12: * modification, are permitted provided that the following conditions
13: * are met:
14: * 1. Redistributions of source code must retain the above copyright
15: * notice, this list of conditions and the following disclaimer.
16: * 2. Redistributions in binary form must reproduce the above copyright
17: * notice, this list of conditions and the following disclaimer in the
18: * documentation and/or other materials provided with the distribution.
1.20 millert 19: * 3. Neither the name of the University nor the names of its contributors
1.1 deraadt 20: * may be used to endorse or promote products derived from this software
21: * without specific prior written permission.
22: *
23: * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
24: * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25: * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26: * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
27: * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28: * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29: * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30: * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31: * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32: * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33: * SUCH DAMAGE.
34: */
35:
36: /*
37: * Lock a terminal up until the given key is entered, until the root
38: * password is entered, or the given interval times out.
39: *
40: * Timeout interval is by default TIMEOUT, it can be changed with
41: * an argument of the form -time where time is in minutes
42: */
43:
44: #include <sys/stat.h>
45: #include <sys/time.h>
46: #include <signal.h>
47:
48: #include <ctype.h>
49: #include <err.h>
50: #include <pwd.h>
1.13 millert 51: #include <readpassphrase.h>
1.1 deraadt 52: #include <stdio.h>
1.2 deraadt 53: #include <stdlib.h>
1.1 deraadt 54: #include <string.h>
55: #include <termios.h>
1.2 deraadt 56: #include <unistd.h>
1.28 deraadt 57: #include <limits.h>
1.1 deraadt 58:
1.13 millert 59: #include <login_cap.h>
60: #include <bsd_auth.h>
1.7 millert 61:
1.1 deraadt 62: #define TIMEOUT 15
63:
1.15 millert 64: void bye(int);
65: void hi(int);
1.1 deraadt 66:
67: struct timeval timeout;
68: struct timeval zerotime;
1.13 millert 69: time_t nexttime; /* keep the timeout time */
1.9 millert 70: int no_timeout; /* lock terminal forever */
1.1 deraadt 71:
1.13 millert 72: extern char *__progname;
73:
1.1 deraadt 74: /*ARGSUSED*/
1.9 millert 75: int
1.18 deraadt 76: main(int argc, char *argv[])
1.1 deraadt 77: {
1.28 deraadt 78: char hostname[HOST_NAME_MAX+1], s[BUFSIZ], s1[BUFSIZ], date[256];
1.18 deraadt 79: char *p, *style, *nstyle, *ttynam;
80: struct itimerval ntimer, otimer;
1.24 martynas 81: int ch, sectimeout, usemine, cnt, tries = 10, backoff = 3;
1.22 deraadt 82: const char *errstr;
1.1 deraadt 83: struct passwd *pw;
84: struct tm *timp;
85: time_t curtime;
1.13 millert 86: login_cap_t *lc;
1.1 deraadt 87:
88: sectimeout = TIMEOUT;
1.13 millert 89: style = NULL;
1.1 deraadt 90: usemine = 0;
1.6 downsj 91: no_timeout = 0;
1.29 deraadt 92:
1.32 ! tedu 93: if (pledge("stdio rpath wpath getpw tty proc exec", NULL) == -1)
1.30 deraadt 94: err(1, "pledge");
1.1 deraadt 95:
96: if (!(pw = getpwuid(getuid())))
1.17 deraadt 97: errx(1, "unknown uid %u.", getuid());
1.13 millert 98:
99: lc = login_getclass(pw->pw_class);
1.24 martynas 100: if (lc != NULL) {
101: /*
102: * We allow "login-tries" attempts to login but start
103: * slowing down after "login-backoff" attempts.
104: */
105: tries = (int)login_getcapnum(lc, "login-tries", 10, 10);
106: backoff = (int)login_getcapnum(lc, "login-backoff", 3, 3);
107: }
108:
1.13 millert 109: while ((ch = getopt(argc, argv, "a:npt:")) != -1)
1.19 deraadt 110: switch (ch) {
1.13 millert 111: case 'a':
112: if (lc) {
113: style = login_getstyle(lc, optarg, "auth-lock");
114: if (style == NULL)
115: errx(1,
116: "invalid authentication style: %s",
117: optarg);
118: }
119: usemine = 1;
120: break;
1.1 deraadt 121: case 't':
1.23 deraadt 122: sectimeout = (int)strtonum(optarg, 1, INT_MAX, &errstr);
1.22 deraadt 123: if (errstr)
124: errx(1, "timeout %s: %s", errstr, optarg);
1.1 deraadt 125: break;
126: case 'p':
127: usemine = 1;
128: break;
1.6 downsj 129: case 'n':
130: no_timeout = 1;
131: break;
1.1 deraadt 132: default:
1.10 millert 133: (void)fprintf(stderr,
1.21 jmc 134: "usage: %s [-np] [-a style] [-t timeout]\n",
1.13 millert 135: __progname);
1.1 deraadt 136: exit(1);
137: }
138: timeout.tv_sec = sectimeout * 60;
139:
140: gethostname(hostname, sizeof(hostname));
1.26 tobias 141: if (usemine && lc == NULL)
142: errx(1, "login class not found");
1.13 millert 143: if (!(ttynam = ttyname(STDIN_FILENO)))
1.1 deraadt 144: errx(1, "not a terminal?");
1.13 millert 145: curtime = time(NULL);
146: nexttime = curtime + (sectimeout * 60);
1.1 deraadt 147: timp = localtime(&curtime);
1.13 millert 148: strftime(date, sizeof(date), "%c", timp);
1.1 deraadt 149:
1.13 millert 150: if (!usemine) {
1.1 deraadt 151: /* get key and check again */
1.13 millert 152: if (!readpassphrase("Key: ", s, sizeof(s), RPP_ECHO_OFF) ||
153: *s == '\0')
154: exit(0);
1.1 deraadt 155: /*
156: * Don't need EOF test here, if we get EOF, then s1 != s
157: * and the right things will happen.
158: */
1.13 millert 159: (void)readpassphrase("Again: ", s1, sizeof(s1), RPP_ECHO_OFF);
1.1 deraadt 160: if (strcmp(s1, s)) {
1.13 millert 161: warnx("\apasswords didn't match.");
1.1 deraadt 162: exit(1);
163: }
1.5 deraadt 164: s[0] = '\0';
1.1 deraadt 165: }
166:
167: /* set signal handlers */
168: (void)signal(SIGINT, hi);
169: (void)signal(SIGQUIT, hi);
170: (void)signal(SIGTSTP, hi);
171: (void)signal(SIGALRM, bye);
172:
173: ntimer.it_interval = zerotime;
174: ntimer.it_value = timeout;
1.6 downsj 175: if (!no_timeout)
176: setitimer(ITIMER_REAL, &ntimer, &otimer);
1.1 deraadt 177:
178: /* header info */
1.6 downsj 179: if (no_timeout) {
1.13 millert 180: (void)fprintf(stderr,
181: "%s: %s on %s. no timeout\ntime now is %s\n",
182: __progname, ttynam, hostname, date);
1.6 downsj 183: } else {
1.13 millert 184: (void)fprintf(stderr,
185: "%s: %s on %s. timeout in %d minutes\ntime now is %s\n",
186: __progname, ttynam, hostname, sectimeout, date);
1.6 downsj 187: }
1.1 deraadt 188:
1.24 martynas 189: for (cnt = 0;;) {
1.13 millert 190: if (!readpassphrase("Key: ", s, sizeof(s), RPP_ECHO_OFF) ||
191: *s == '\0') {
1.9 millert 192: hi(0);
1.1 deraadt 193: continue;
194: }
195: if (usemine) {
1.13 millert 196: /*
197: * If user entered 's/key' or the style specified via
198: * the '-a' argument, auth_userokay() will prompt
199: * for a new password. Otherwise, use what we have.
200: */
201: if ((strcmp(s, "s/key") == 0 &&
202: (nstyle = login_getstyle(lc, "skey", "auth-lock")))
203: || ((nstyle = style) && strcmp(s, nstyle) == 0))
204: p = NULL;
205: else
206: p = s;
207: if (auth_userokay(pw->pw_name, nstyle, "auth-lock", p))
1.1 deraadt 208: break;
1.13 millert 209: } else if (strcmp(s, s1) == 0)
1.1 deraadt 210: break;
1.13 millert 211: (void)putc('\a', stderr);
1.24 martynas 212: cnt %= tries;
213: if (++cnt > backoff) {
214: sigset_t set, oset;
215: sigfillset(&set);
216: sigprocmask(SIG_BLOCK, &set, &oset);
217: sleep((u_int)((cnt - backoff) * tries / 2));
218: sigprocmask(SIG_SETMASK, &oset, NULL);
219: }
1.1 deraadt 220: }
1.9 millert 221:
1.13 millert 222: exit(0);
1.1 deraadt 223: }
224:
1.23 deraadt 225: /*ARGSUSED*/
1.1 deraadt 226: void
1.23 deraadt 227: hi(int signo)
1.1 deraadt 228: {
1.14 deraadt 229: char buf[1024], buf2[1024];
1.27 guenther 230: time_t left;
1.1 deraadt 231:
1.14 deraadt 232: if (no_timeout)
233: buf2[0] = '\0';
234: else {
1.27 guenther 235: left = nexttime - time(NULL);
236: (void)snprintf(buf2, sizeof buf2, " timeout in %lld:%d minutes",
237: (long long)(left / 60), (int)(left % 60));
1.6 downsj 238: }
1.23 deraadt 239: (void)snprintf(buf, sizeof buf, "%s: type in the unlock key.%s\n",
1.14 deraadt 240: __progname, buf2);
241: (void) write(STDERR_FILENO, buf, strlen(buf));
1.1 deraadt 242: }
243:
1.23 deraadt 244: /*ARGSUSED*/
1.1 deraadt 245: void
1.23 deraadt 246: bye(int signo)
1.1 deraadt 247: {
248:
1.13 millert 249: if (!no_timeout)
1.16 millert 250: warnx("timeout");
251: _exit(1);
1.1 deraadt 252: }