Add proper pam session handling

[opendoas.git] / doas.c

diff --git a/doas.c b/doas.c
index 643d3d809235d8dead863739fcf4b6e17fdd4dff..cceeac17d07317224bb396a420e2204ee168cb13 100644 (file)
--- a/doas.c
+++ b/doas.c
@@ -334,7 +334,9 @@ main(int argc, char **argv, char **envp)
        int vflag = 0;
        char cwdpath[PATH_MAX];
        const char *cwd;
+#ifdef HAVE_BSD_AUTH_H
        char *login_style = NULL;
+#endif
 
        setprogname("doas");
 
@@ -345,11 +347,19 @@ main(int argc, char **argv, char **envp)
 
        uid = getuid();
 
-       while ((ch = getopt(argc, argv, "a:C:nsu:v")) != -1) {
+#ifdef HAVE_BSD_AUTH_H
+# define OPTSTRING "a:C:nsu:v"
+#else
+# define OPTSTRING "C:nsu:v"
+#endif
+
+       while ((ch = getopt(argc, argv, OPTSTRING)) != -1) {
                switch (ch) {
+#ifdef HAVE_BSD_AUTH_H
                case 'a':
                        login_style = optarg;
                        break;
+#endif
                case 'C':
                        confpath = optarg;
                        break;
@@ -428,11 +438,11 @@ main(int argc, char **argv, char **envp)
                errc(1, EPERM, NULL);
        }
 
+#ifdef HAVE_BSD_AUTH_H
        if (!(rule->options & NOPASS)) {
                if (nflag)
                        errx(1, "Authorization required");
 
-#ifdef HAVE_BSD_AUTH_H
                char *challenge = NULL, *response, rbuf[1024], cbuf[128];
                auth_session_t *as;
 
@@ -460,14 +470,17 @@ main(int argc, char **argv, char **envp)
                        errc(1, EPERM, NULL);
                }
                explicit_bzero(rbuf, sizeof(rbuf));
+       }
+#elif HAVE_PAM_APPL_H
+       if (!doas_pam(myname, !nflag, rule->options & NOPASS)) {
+               syslog(LOG_AUTHPRIV | LOG_NOTICE,
+                               "failed auth for %s", myname);
+               errc(1, EPERM, NULL);
+       }
 #else
-               if (!auth_userokay(myname, NULL, NULL, NULL)) {
-                       syslog(LOG_AUTHPRIV | LOG_NOTICE,
-                           "failed auth for %s", myname);
-                       errc(1, EPERM, NULL);
-               }
+       if (!(rule->options & NOPASS)) {
+                       errx(1, "Authorization required");
 #endif /* HAVE_BSD_AUTH_H */
-       }
 
        if (pledge("stdio rpath getpw exec id", NULL) == -1)
                err(1, "pledge");