#include <grp.h>
#include <syslog.h>
#include <errno.h>
+#if HAVE_SHADOW_H
+#include <shadow.h>
+#endif
#include "includes.h"
}
int
-main(int argc, char **argv, char **envp)
+main(int argc, char **argv)
{
const char *safepath = "/bin:/sbin:/usr/bin:/usr/sbin:"
"/usr/local/bin:/usr/local/sbin";
char *shargv[] = { NULL, NULL };
char *sh;
const char *cmd;
- struct env *env;
char cmdline[LINE_MAX];
char myname[_PW_NAME_LEN + 1];
struct passwd *pw;
int vflag = 0;
char cwdpath[PATH_MAX];
const char *cwd;
+ char **envp;
#ifdef HAVE_BSD_AUTH_H
char *login_style = NULL;
#endif
errc(1, EPERM, NULL);
}
- pw = getpwuid(target);
- if (!pw)
- errx(1, "no passwd entry for target");
-
#ifdef HAVE_BSD_AUTH_H
if (!(rule->options & NOPASS)) {
if (nflag)
explicit_bzero(rbuf, sizeof(rbuf));
}
#elif HAVE_PAM_APPL_H
- if (!doas_pam(pw->pw_name, myname, !nflag, rule->options & NOPASS)) {
+ pw = getpwuid(target);
+ if (!pw)
+ errx(1, "no passwd entry for target");
+
+ if (!pamauth(pw->pw_name, myname, !nflag, rule->options & NOPASS)) {
syslog(LOG_AUTHPRIV | LOG_NOTICE, "failed auth for %s", myname);
errc(1, EPERM, NULL);
}
-#else
+#elif HAVE_SHADOW_H
+ const char *pass;
+
if (!(rule->options & NOPASS)) {
+ if (nflag)
errx(1, "Authorization required");
+
+ pass = pw->pw_passwd;
+ if (pass[0] == 'x' && pass[1] == '\0') {
+ struct spwd *sp;
+ if (!(sp = getspnam(myname)))
+ errx(1, "Authorization failed");
+ pass = sp->sp_pwdp;
+ }
+
+ char *challenge, *response, rbuf[1024], cbuf[128], host[HOST_NAME_MAX + 1];
+ if (gethostname(host, sizeof(host)))
+ snprintf(host, sizeof(host), "?");
+ snprintf(cbuf, sizeof(cbuf),
+ "\rdoas (%.32s@%.32s) password: ", myname, host);
+ challenge = cbuf;
+
+ response = readpassphrase(challenge, rbuf, sizeof(rbuf), RPP_REQUIRE_TTY);
+ if (response == NULL && errno == ENOTTY) {
+ syslog(LOG_AUTHPRIV | LOG_NOTICE,
+ "tty required for %s", myname);
+ errx(1, "a tty is required");
+ }
+ if (strcmp(crypt(response, pass), pass) != 0) {
+ syslog(LOG_AUTHPRIV | LOG_NOTICE, "failed auth for %s", myname);
+ errc(1, EPERM, NULL);
+ }
+ explicit_bzero(rbuf, sizeof(rbuf));
+ }
+#else
+ if (!(rule->options & NOPASS))
+ errx(1, "Authorization required");
#endif /* HAVE_BSD_AUTH_H */
if (pledge("stdio rpath getpw exec id", NULL) == -1)
err(1, "pledge");
+ pw = getpwuid(target);
+ if (!pw)
+ errx(1, "no passwd entry for target");
+
#ifdef HAVE_BSD_AUTH_H
if (setusercontext(NULL, pw, target, LOGIN_SETGROUP |
LOGIN_SETPRIORITY | LOGIN_SETRESOURCES | LOGIN_SETUMASK |
errx(1, "failed to set user context for target");
#else
if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0)
- errx(1, "setgid");
+ errx(1, "setresgid");
if (initgroups(pw->pw_name, pw->pw_gid) != 0)
errx(1, "initgroups");
if (setresuid(target, target, target) != 0)
- errx(1, "setuid");
+ errx(1, "setresuid");
#endif
if (pledge("stdio rpath exec", NULL) == -1)
syslog(LOG_AUTHPRIV | LOG_INFO, "%s ran command %s as %s from %s",
myname, cmdline, pw->pw_name, cwd);
- env = createenv(envp);
- env = filterenv(env, rule);
- envp = flattenenv(env);
+ envp = prepenv(rule);
if (rule->cmd) {
if (setenv("PATH", safepath, 1) == -1)