Add proper pam session handling

[opendoas.git] / doas.c

diff --git a/doas.c b/doas.c
index 8094aad4efd7cd0826b68929456f06a4a4d078ef..cceeac17d07317224bb396a420e2204ee168cb13 100644 (file)
--- a/doas.c
+++ b/doas.c
@@ -438,11 +438,11 @@ main(int argc, char **argv, char **envp)
                errc(1, EPERM, NULL);
        }
 
+#ifdef HAVE_BSD_AUTH_H
        if (!(rule->options & NOPASS)) {
                if (nflag)
                        errx(1, "Authorization required");
 
-#ifdef HAVE_BSD_AUTH_H
                char *challenge = NULL, *response, rbuf[1024], cbuf[128];
                auth_session_t *as;
 
@@ -470,14 +470,17 @@ main(int argc, char **argv, char **envp)
                        errc(1, EPERM, NULL);
                }
                explicit_bzero(rbuf, sizeof(rbuf));
+       }
+#elif HAVE_PAM_APPL_H
+       if (!doas_pam(myname, !nflag, rule->options & NOPASS)) {
+               syslog(LOG_AUTHPRIV | LOG_NOTICE,
+                               "failed auth for %s", myname);
+               errc(1, EPERM, NULL);
+       }
 #else
-               if (!auth_userokay(myname, NULL, NULL, NULL)) {
-                       syslog(LOG_AUTHPRIV | LOG_NOTICE,
-                           "failed auth for %s", myname);
-                       errc(1, EPERM, NULL);
-               }
+       if (!(rule->options & NOPASS)) {
+                       errx(1, "Authorization required");
 #endif /* HAVE_BSD_AUTH_H */
-       }
 
        if (pledge("stdio rpath getpw exec id", NULL) == -1)
                err(1, "pledge");