Annotation of src/usr.bin/skeyaudit/skeyaudit.c, Revision 1.18
1.18 ! mpech 1: /* $OpenBSD: skeyaudit.c,v 1.17 2003/05/02 20:10:46 millert Exp $ */
1.2 millert 2:
3: /*
1.17 millert 4: * Copyright (c) 1997, 2000, 2003 Todd C. Miller <Todd.Miller@courtesan.com>
1.2 millert 5: * All rights reserved.
6: *
7: * Redistribution and use in source and binary forms, with or without
8: * modification, are permitted provided that the following conditions
9: * are met:
10: * 1. Redistributions of source code must retain the above copyright
11: * notice, this list of conditions and the following disclaimer.
12: * 2. Redistributions in binary form must reproduce the above copyright
13: * notice, this list of conditions and the following disclaimer in the
14: * documentation and/or other materials provided with the distribution.
1.8 millert 15: * 3. The name of the author may not be used to endorse or promote products
1.2 millert 16: * derived from this software without specific prior written permission.
17: *
18: * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
19: * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
20: * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
21: * THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
22: * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
23: * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
24: * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
25: * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
26: * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
27: * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
1.17 millert 28: *
29: * Sponsored in part by the Defense Advanced Research Projects
30: * Agency (DARPA) and Air Force Research Laboratory, Air Force
31: * Materiel Command, USAF, under agreement number F39502-99-1-0512.
1.2 millert 32: */
33:
1.9 millert 34: #include <sys/param.h>
35: #include <sys/wait.h>
36:
1.1 millert 37: #include <err.h>
38: #include <errno.h>
1.17 millert 39: #include <fcntl.h>
1.1 millert 40: #include <limits.h>
1.9 millert 41: #include <login_cap.h>
1.1 millert 42: #include <paths.h>
43: #include <pwd.h>
44: #include <stdio.h>
45: #include <stdlib.h>
46: #include <string.h>
47: #include <unistd.h>
48: #include <skey.h>
49:
1.12 millert 50: void notify(struct passwd *, int, int);
51: FILE *runsendmail(struct passwd *, int *);
1.14 millert 52: __dead void usage(void);
1.1 millert 53:
54: int
1.14 millert 55: main(int argc, char **argv)
1.1 millert 56: {
57: struct passwd *pw;
58: struct skey key;
1.6 millert 59: char *name;
1.14 millert 60: int ch, left, aflag, iflag, limit;
1.6 millert 61:
1.17 millert 62: aflag = iflag = 0;
1.14 millert 63: limit = 12;
1.6 millert 64: while ((ch = getopt(argc, argv, "ail:")) != -1)
1.1 millert 65: switch(ch) {
1.6 millert 66: case 'a':
67: if (getuid() != 0)
68: errx(1, "only root may use the -a flag");
1.14 millert 69: aflag = 1;
1.6 millert 70: break;
1.1 millert 71: case 'i':
72: iflag = 1;
73: break;
74: case 'l':
75: errno = 0;
76: if ((limit = (int)strtol(optarg, NULL, 10)) == 0)
77: errno = ERANGE;
78: if (errno) {
79: warn("key limit");
80: usage();
81: }
82: break;
83: default:
84: usage();
85: }
86:
1.17 millert 87: /*
88: * Make sure STDIN_FILENO, STDOUT_FILENO, and STDERR_FILENO are open.
89: * If not, open /dev/null in their place or bail.
90: * If we are in interactive mode, STDOUT_FILENO *must* be open.
91: */
92: for (ch = STDIN_FILENO; ch <= STDERR_FILENO; ch++) {
93: if (fcntl(ch, F_GETFL, &left) == -1 && errno == EBADF) {
94: if (ch == STDOUT_FILENO && iflag)
95: exit(1); /* need stdout for -i */
96: if (open(_PATH_DEVNULL, O_RDWR, 0644) == -1)
97: exit(1); /* just bail */
98: }
99: }
100:
1.1 millert 101: if (argc - optind > 0)
102: usage();
103:
1.6 millert 104: /* Need key.keyfile zero'd at the very least */
105: (void)memset(&key, 0, sizeof(key));
106:
1.17 millert 107: left = 0;
1.6 millert 108: if (aflag) {
109: while ((ch = skeygetnext(&key)) == 0) {
1.1 millert 110: left = key.n - 1;
1.6 millert 111: if ((pw = getpwnam(key.logname)) == NULL)
112: continue;
113: if (left >= limit)
114: continue;
1.17 millert 115: (void)fclose(key.keyfile);
116: key.keyfile = NULL;
1.9 millert 117: notify(pw, left, iflag);
1.6 millert 118: }
119: if (ch == -1)
1.13 millert 120: errx(-1, "cannot open %s", _PATH_SKEYDIR);
1.6 millert 121: } else {
122: if ((pw = getpwuid(getuid())) == NULL)
123: errx(1, "no passwd entry for uid %u", getuid());
124: if ((name = strdup(pw->pw_name)) == NULL)
125: err(1, "cannot allocate memory");
126: sevenbit(name);
127:
1.14 millert 128: switch (skeylookup(&key, name)) {
1.6 millert 129: case 0: /* Success! */
130: left = key.n - 1;
131: break;
132: case -1: /* File error */
1.14 millert 133: errx(1, "cannot open %s/%s", _PATH_SKEYDIR,
134: name);
1.6 millert 135: break;
136: case 1: /* Unknown user */
1.14 millert 137: errx(1, "user %s is not listed in %s", name,
1.13 millert 138: _PATH_SKEYDIR);
1.6 millert 139: }
140: (void)fclose(key.keyfile);
141:
1.14 millert 142: if (left < limit)
1.9 millert 143: notify(pw, left, iflag);
1.1 millert 144: }
1.6 millert 145:
1.14 millert 146: exit(0);
1.6 millert 147: }
1.1 millert 148:
1.6 millert 149: void
1.14 millert 150: notify(struct passwd *pw, int seq, int interactive)
1.6 millert 151: {
152: static char hostname[MAXHOSTNAMELEN];
1.14 millert 153: pid_t pid;
1.6 millert 154: FILE *out;
1.1 millert 155:
1.6 millert 156: /* Only set this once */
157: if (hostname[0] == '\0' && gethostname(hostname, sizeof(hostname)) == -1)
1.15 millert 158: strlcpy(hostname, "unknown", sizeof(hostname));
1.1 millert 159:
1.6 millert 160: if (interactive)
1.1 millert 161: out = stdout;
1.6 millert 162: else
1.9 millert 163: out = runsendmail(pw, &pid);
1.1 millert 164:
1.6 millert 165: if (!interactive)
1.1 millert 166: (void)fprintf(out,
1.9 millert 167: "To: %s\nSubject: IMPORTANT action required\n", pw->pw_name);
1.1 millert 168:
1.10 pjanzen 169: if (seq)
170: (void)fprintf(out,
1.1 millert 171: "\nYou are nearing the end of your current S/Key sequence for account\n\
172: %s on system %s.\n\n\
1.10 pjanzen 173: Your S/Key sequence number is now %d. When it reaches zero\n\
174: you will no longer be able to use S/Key to log into the system.\n\n",
1.9 millert 175: pw->pw_name, hostname, seq);
1.10 pjanzen 176: else
177: (void)fprintf(out,
178: "\nYou are at the end of your current S/Key sequence for account\n\
179: %s on system %s.\n\n\
180: At this point you can no longer use S/Key to log into the system.\n\n",
181: pw->pw_name, hostname);
182: (void)fprintf(out,
183: "Type \"skeyinit -s\" to reinitialize your sequence number.\n\n");
1.1 millert 184:
1.17 millert 185: if (!interactive) {
186: (void)fclose(out);
1.6 millert 187: (void)waitpid(pid, NULL, 0);
1.17 millert 188: }
1.1 millert 189: }
190:
1.6 millert 191: FILE *
1.14 millert 192: runsendmail(struct passwd *pw, pid_t *pidp)
1.6 millert 193: {
194: FILE *fp;
1.14 millert 195: int pfd[2];
196: pid_t pid;
1.6 millert 197:
198: if (pipe(pfd) < 0)
199: return(NULL);
200:
201: switch (pid = fork()) {
202: case -1: /* fork(2) failed */
203: (void)close(pfd[0]);
204: (void)close(pfd[1]);
205: return(NULL);
206: case 0: /* In child */
207: (void)close(pfd[1]);
208: (void)dup2(pfd[0], STDIN_FILENO);
209: (void)close(pfd[0]);
210:
211: /* Run sendmail as target user not root */
1.9 millert 212: if (setusercontext(NULL, pw, pw->pw_uid, LOGIN_SETALL) != 0) {
213: warn("cannot set user context");
214: _exit(127);
215: }
1.6 millert 216:
1.11 deraadt 217: execl(_PATH_SENDMAIL, "sendmail", "-t", (char *)NULL);
1.6 millert 218: warn("cannot run \"%s -t\"", _PATH_SENDMAIL);
219: _exit(127);
220: }
221:
222: /* In parent */
223: *pidp = pid;
224: fp = fdopen(pfd[1], "w");
225: (void)close(pfd[0]);
226:
227: return(fp);
228: }
1.14 millert 229:
230: __dead void
231: usage(void)
1.1 millert 232: {
1.14 millert 233: extern char *__progname;
234:
1.18 ! mpech 235: (void)fprintf(stderr, "Usage: %s [-a] [-i] [-l limit]\n",
1.1 millert 236: __progname);
237: exit(1);
238: }
![[BACK]](/icons/back.gif){kind=icon}
Return to skeyaudit.c CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / skeyaudit