#include <grp.h>
#include <syslog.h>
#include <errno.h>
+#if HAVE_SHADOW_H
+#include <shadow.h>
+#endif
#include "includes.h"
parseconfig("/etc/doas.conf", 1);
/* cmdline is used only for logging, no need to abort on truncate */
- (void) strlcpy(cmdline, argv[0], sizeof(cmdline));
+ (void)strlcpy(cmdline, argv[0], sizeof(cmdline));
for (i = 1; i < argc; i++) {
if (strlcat(cmdline, " ", sizeof(cmdline)) >= sizeof(cmdline))
break;
cmd = argv[0];
if (!permit(uid, groups, ngroups, &rule, target, cmd,
- (const char**)argv + 1)) {
+ (const char **)argv + 1)) {
syslog(LOG_AUTHPRIV | LOG_NOTICE,
"failed command for %s: %s", myname, cmdline);
errc(1, EPERM, NULL);
}
- pw = getpwuid(target);
- if (!pw)
- errx(1, "no passwd entry for target");
-
#ifdef HAVE_BSD_AUTH_H
if (!(rule->options & NOPASS)) {
if (nflag)
explicit_bzero(rbuf, sizeof(rbuf));
}
#elif HAVE_PAM_APPL_H
+ pw = getpwuid(target);
+ if (!pw)
+ errx(1, "no passwd entry for target");
+
if (!pamauth(pw->pw_name, myname, !nflag, rule->options & NOPASS)) {
syslog(LOG_AUTHPRIV | LOG_NOTICE, "failed auth for %s", myname);
errc(1, EPERM, NULL);
}
-#else
+#elif HAVE_SHADOW_H
+ const char *pass;
+
if (!(rule->options & NOPASS)) {
+ if (nflag)
errx(1, "Authorization required");
+
+ pass = pw->pw_passwd;
+ if (pass[0] == 'x' && pass[1] == '\0') {
+ struct spwd *sp;
+ if (!(sp = getspnam(myname)))
+ errx(1, "Authorization failed");
+ pass = sp->sp_pwdp;
+ }
+
+ char *challenge, *response, rbuf[1024], cbuf[128], host[HOST_NAME_MAX + 1];
+ if (gethostname(host, sizeof(host)))
+ snprintf(host, sizeof(host), "?");
+ snprintf(cbuf, sizeof(cbuf),
+ "\rdoas (%.32s@%.32s) password: ", myname, host);
+ challenge = cbuf;
+
+ response = readpassphrase(challenge, rbuf, sizeof(rbuf), RPP_REQUIRE_TTY);
+ if (response == NULL && errno == ENOTTY) {
+ syslog(LOG_AUTHPRIV | LOG_NOTICE,
+ "tty required for %s", myname);
+ errx(1, "a tty is required");
+ }
+ if (strcmp(crypt(response, pass), pass) != 0) {
+ syslog(LOG_AUTHPRIV | LOG_NOTICE, "failed auth for %s", myname);
+ errc(1, EPERM, NULL);
+ }
+ explicit_bzero(rbuf, sizeof(rbuf));
+ }
+#else
+ if (!(rule->options & NOPASS))
+ errx(1, "Authorization required");
#endif /* HAVE_BSD_AUTH_H */
if (pledge("stdio rpath getpw exec id", NULL) == -1)
err(1, "pledge");
+ pw = getpwuid(target);
+ if (!pw)
+ errx(1, "no passwd entry for target");
+
#ifdef HAVE_BSD_AUTH_H
if (setusercontext(NULL, pw, target, LOGIN_SETGROUP |
LOGIN_SETPRIORITY | LOGIN_SETRESOURCES | LOGIN_SETUMASK |
errx(1, "failed to set user context for target");
#else
if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0)
- errx(1, "setgid");
+ errx(1, "setresgid");
if (initgroups(pw->pw_name, pw->pw_gid) != 0)
errx(1, "initgroups");
if (setresuid(target, target, target) != 0)
- errx(1, "setuid");
+ errx(1, "setresuid");
#endif
if (pledge("stdio rpath exec", NULL) == -1)