2 * Copyright (c) 2015 Nathan Holstein <nathan.holstein@gmail.com>
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 #include <sys/types.h>
31 #include <security/pam_appl.h>
36 #define PAM_SERVICE_NAME "doas"
38 static pam_handle_t *pamh = NULL;
39 static sig_atomic_t volatile caught_signal = 0;
40 static char doas_prompt[128];
49 prompt(const char *msg, int echo_on, int *pam)
52 char *ret, buf[PAM_MAX_RESP_SIZE];
53 int flags = RPP_REQUIRE_TTY | (echo_on ? RPP_ECHO_ON : RPP_ECHO_OFF);
55 /* overwrite default prompt if it matches "Password:[ ]" */
56 if (strncmp(msg,"Password:", 9) == 0 &&
57 (msg[9] == '\0' || (msg[9] == ' ' && msg[10] == '\0')))
62 ret = readpassphrase(prompt, buf, sizeof(buf), flags);
65 else if (!(ret = strdup(ret)))
68 explicit_bzero(buf, sizeof(buf));
73 doas_pam_conv(int nmsgs, const struct pam_message **msgs,
74 struct pam_response **rsps, __UNUSED void *ptr)
76 struct pam_response *rsp;
78 int ret = PAM_SUCCESS;
80 if (!(rsp = calloc(nmsgs, sizeof(struct pam_response))))
81 errx(1, "couldn't malloc pam_response");
83 for (i = 0; i < nmsgs; i++) {
84 switch (style = msgs[i]->msg_style) {
85 case PAM_PROMPT_ECHO_OFF:
86 case PAM_PROMPT_ECHO_ON:
87 rsp[i].resp = prompt(msgs[i]->msg, style == PAM_PROMPT_ECHO_ON, &ret);
88 if (ret != PAM_SUCCESS)
94 if (fprintf(style == PAM_ERROR_MSG ? stderr : stdout,
95 "%s\n", msgs[i]->msg) < 0)
100 errx(1, "invalid PAM msg_style %d", style);
110 /* overwrite and free response buffers */
111 for (i = 0; i < nmsgs; i++) {
112 if (rsp[i].resp == NULL)
114 switch (style = msgs[i]->msg_style) {
115 case PAM_PROMPT_ECHO_OFF:
116 case PAM_PROMPT_ECHO_ON:
117 explicit_bzero(rsp[i].resp, strlen(rsp[i].resp));
127 doas_pam(const char *user, const char* ruser, int interactive, int nopass)
129 static const struct pam_conv conv = {
130 .conv = doas_pam_conv,
133 const char *ttydev, *tty;
140 /* pam needs the real root */
144 ret = pam_start(PAM_SERVICE_NAME, ruser, &conv, &pamh);
145 if (ret != PAM_SUCCESS)
146 errx(1, "pam_start(\"%s\", \"%s\", ?, ?): failed\n",
147 PAM_SERVICE_NAME, ruser);
149 ret = pam_set_item(pamh, PAM_RUSER, ruser);
150 if (ret != PAM_SUCCESS)
151 warn("pam_set_item(?, PAM_RUSER, \"%s\"): %s\n",
152 pam_strerror(pamh, ret), ruser);
154 if (isatty(0) && (ttydev = ttyname(0)) != NULL) {
155 if (strncmp(ttydev, "/dev/", 5))
160 ret = pam_set_item(pamh, PAM_TTY, tty);
161 if (ret != PAM_SUCCESS)
162 warn("pam_set_item(?, PAM_TTY, \"%s\"): %s\n",
163 tty, pam_strerror(pamh, ret));
168 errx(1, "Authorization required");
170 /* doas style prompt for pam */
171 char host[HOST_NAME_MAX + 1];
172 if (gethostname(host, sizeof(host)))
173 snprintf(host, sizeof(host), "?");
174 snprintf(doas_prompt, sizeof(doas_prompt),
175 "\rdoas (%.32s@%.32s) password: ", ruser, host);
178 ret = pam_authenticate(pamh, 0);
179 if (ret != PAM_SUCCESS) {
185 ret = pam_acct_mgmt(pamh, 0);
186 if (ret == PAM_NEW_AUTHTOK_REQD)
187 ret = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
189 /* account not vaild or changing the auth token failed */
190 if (ret != PAM_SUCCESS)
193 ret = pam_set_item(pamh, PAM_USER, user);
194 if (ret != PAM_SUCCESS)
195 warn("pam_set_item(?, PAM_USER, \"%s\"): %s\n", user,
196 pam_strerror(pamh, ret));
198 ret = pam_setcred(pamh, PAM_ESTABLISH_CRED);
199 if (ret != PAM_SUCCESS)
200 warn("pam_setcred(?, PAM_ESTABLISH_CRED): %s\n", pam_strerror(pamh, ret));
203 ret = pam_open_session(pamh, 0);
204 if (ret != PAM_SUCCESS)
205 errx(1, "pam_open_session(): %s\n", pam_strerror(pamh, ret));
207 if ((child = fork()) == -1) {
208 pam_close_session(pamh, 0);
209 pam_end(pamh, PAM_ABORT);
213 /* return as child */
218 /* parent watches for signals and closes session */
220 struct sigaction act, oldact;
225 if (sigprocmask(SIG_BLOCK, &sigs, NULL)) {
226 warn("failed to block signals");
230 /* setup signal handler */
231 act.sa_handler = catchsig;
232 sigemptyset(&act.sa_mask);
235 /* unblock SIGTERM and SIGALRM to catch them */
237 if (sigaddset(&sigs, SIGTERM) ||
238 sigaddset(&sigs, SIGALRM) ||
239 sigaction(SIGTERM, &act, &oldact) ||
240 sigprocmask(SIG_UNBLOCK, &sigs, NULL)) {
241 warn("failed to set signal handler");
245 if (!caught_signal) {
246 /* wait for child to be terminated */
247 if (waitpid(child, &status, 0) != -1) {
248 if (WIFSIGNALED(status)) {
249 fprintf(stderr, "%s%s\n", strsignal(WTERMSIG(status)),
250 WCOREDUMP(status) ? " (core dumped)" : "");
251 status = WTERMSIG(status) + 128;
253 status = WEXITSTATUS(status);
256 else if (caught_signal)
257 status = caught_signal + 128;
263 fprintf(stderr, "\nSession terminated, killing shell\n");
264 kill(child, SIGTERM);
268 ret = pam_close_session(pamh, 0);
269 if (ret != PAM_SUCCESS)
270 errx(1, "pam_close_session(): %s\n", pam_strerror(pamh, ret));
272 pam_end(pamh, PAM_SUCCESS);
277 kill(child, SIGKILL);
278 fprintf(stderr, " ...killed.\n");
280 /* unblock cached signal and resend */
281 sigaction(SIGTERM, &oldact, NULL);
282 if (caught_signal != SIGTERM)
283 caught_signal = SIGKILL;
284 kill(getpid(), caught_signal);