2 * Copyright (c) 2015 Nathan Holstein <nathan.holstein@gmail.com>
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 #include <sys/types.h>
28 #include <security/pam_appl.h>
33 #define PAM_SERVICE_NAME "doas"
35 static pam_handle_t *pamh = NULL;
36 static sig_atomic_t volatile caught_signal = 0;
39 prompt(const char *msg, int echo_on, int *pam)
41 char buf[PAM_MAX_RESP_SIZE];
42 int flags = RPP_REQUIRE_TTY | (echo_on ? RPP_ECHO_ON : RPP_ECHO_OFF);
43 char *ret = readpassphrase(msg, buf, sizeof(buf), flags);
46 else if (!(ret = strdup(ret)))
48 explicit_bzero(buf, sizeof(buf));
53 doas_pam_conv(int nmsgs, const struct pam_message **msgs,
54 struct pam_response **rsps, __UNUSED void *ptr)
56 struct pam_response *rsp;
58 int ret = PAM_SUCCESS;
60 if (!(rsp = calloc(nmsgs, sizeof(struct pam_response))))
61 errx(1, "couldn't malloc pam_response");
63 for (i = 0; i < nmsgs; i++) {
64 switch (style = msgs[i]->msg_style) {
65 case PAM_PROMPT_ECHO_OFF:
66 case PAM_PROMPT_ECHO_ON:
67 rsp[i].resp = prompt(msgs[i]->msg, style == PAM_PROMPT_ECHO_ON, &ret);
68 if (ret != PAM_SUCCESS)
74 if (fprintf(style == PAM_ERROR_MSG ? stderr : stdout,
75 "%s\n", msgs[i]->msg) < 0)
80 errx(1, "invalid PAM msg_style %d", style);
90 /* overwrite and free response buffers */
91 for (i = 0; i < nmsgs; i++) {
92 if (rsp[i].resp == NULL)
94 switch (style = msgs[i]->msg_style) {
95 case PAM_PROMPT_ECHO_OFF:
96 case PAM_PROMPT_ECHO_ON:
97 explicit_bzero(rsp[i].resp, strlen(rsp[i].resp));
113 doas_pam(char *name, int interactive, int nopass)
115 static const struct pam_conv conv = {
116 .conv = doas_pam_conv,
119 const char *ttydev, *tty;
126 ret = pam_start(PAM_SERVICE_NAME, name, &conv, &pamh);
127 if (ret != PAM_SUCCESS)
128 errx(1, "pam_start(\"%s\", \"%s\", ?, ?): failed\n",
129 PAM_SERVICE_NAME, name);
131 ret = pam_set_item(pamh, PAM_USER, name);
132 if (ret != PAM_SUCCESS)
133 errx(1, "pam_set_item(?, PAM_USER, \"%s\"): %s\n",
134 name, pam_strerror(pamh, ret));
136 ret = pam_set_item(pamh, PAM_RUSER, name);
137 if (ret != PAM_SUCCESS)
138 errx(1, "pam_set_item(?, PAM_RUSER, \"%s\"): %s\n",
139 name, pam_strerror(pamh, ret));
141 if (isatty(0) && (ttydev = ttyname(0)) != NULL) {
142 if (strncmp(ttydev, "/dev/", 5))
147 ret = pam_set_item(pamh, PAM_TTY, tty);
148 if (ret != PAM_SUCCESS)
149 errx(1, "pam_set_item(?, PAM_TTY, \"%s\"): %s\n",
150 tty, pam_strerror(pamh, ret));
155 errx(1, "Authorization required");
157 ret = pam_authenticate(pamh, 0);
158 if (ret != PAM_SUCCESS) {
159 ret = pam_end(pamh, ret);
160 if (ret != PAM_SUCCESS)
161 errx(1, "pam_end(): %s\n", pam_strerror(pamh, ret));
166 ret = pam_setcred(pamh, PAM_ESTABLISH_CRED);
167 if (ret != PAM_SUCCESS)
168 errx(1, "pam_setcred(?, PAM_ESTABLISH_CRED): %s\n",
169 pam_strerror(pamh, ret));
171 ret = pam_acct_mgmt(pamh, 0);
172 if (ret != PAM_SUCCESS)
173 errx(1, "pam_setcred(): %s\n", pam_strerror(pamh, ret));
176 ret = pam_open_session(pamh, 0);
177 if (ret != PAM_SUCCESS)
178 errx(1, "pam_open_session(): %s\n", pam_strerror(pamh, ret));
180 if ((child = fork()) == -1) {
181 ret = pam_close_session(pamh, 0);
182 if (ret != PAM_SUCCESS)
183 errx(1, "pam_close_session(): %s\n", pam_strerror(pamh, ret));
185 ret = pam_end(pamh, PAM_ABORT);
186 if (ret != PAM_SUCCESS)
187 errx(1, "pam_end(): %s\n", pam_strerror(pamh, ret));
192 /* return as child */
197 /* parent watches for signals and closes session */
199 struct sigaction act, oldact;
204 if (sigprocmask(SIG_BLOCK, &sigs, NULL)) {
205 errx(1, "sigprocmask()");
208 /* setup signal handler */
209 act.sa_handler = catchsig;
210 sigemptyset(&act.sa_mask);
214 /* unblock SIGTERM and SIGALRM to catch them */
215 if(sigaddset(&sigs, SIGTERM) ||
216 sigaddset(&sigs, SIGALRM) ||
217 sigaction(SIGTERM, &act, &oldact) ||
218 sigprocmask(SIG_UNBLOCK, &sigs, NULL)) {
219 errx(1, "failed to set signal handler");
222 /* wait for child to be terminated */
223 if (waitpid(child, &status, 0) != -1) {
224 if (WIFSIGNALED(status)) {
225 fprintf(stderr, "%s%s\n", strsignal(WTERMSIG(status)),
226 WCOREDUMP(status) ? " (core dumped)" : "");
227 status = WTERMSIG(status) + 128;
229 status = WEXITSTATUS(status);
232 else if (caught_signal)
233 status = caught_signal + 128;
238 fprintf(stderr, "\nSession terminated, killing shell\n");
239 kill(child, SIGTERM);
243 ret = pam_close_session(pamh, 0);
244 if (ret != PAM_SUCCESS)
245 errx(1, "pam_close_session(): %s\n", pam_strerror(pamh, ret));
247 ret = pam_end(pamh, PAM_SUCCESS);
248 if (ret != PAM_SUCCESS)
249 errx(1, "pam_end(): %s\n", pam_strerror(pamh, ret));
254 kill(child, SIGKILL);
255 fprintf(stderr, " ...killed.\n");
257 /* unblock cached signal and resend */
258 sigaction(SIGTERM, &oldact, NULL);
259 if (caught_signal != SIGTERM)
260 caught_signal = SIGKILL;
261 kill(getpid(), caught_signal);