opendoas.git
6 months ago Handle empty argv (master)
Armaan Bhojwani [Thu, 3 Feb 2022 18:36:28 +0000 (13:36 -0500)]
Handle empty argv

15 months ago Add -std=c99 to Makefile
Armaan Bhojwani [Thu, 6 May 2021 23:17:37 +0000 (19:17 -0400)]
Add -std=c99 to Makefile

15 months ago Remove unused include
Armaan Bhojwani [Mon, 3 May 2021 23:49:38 +0000 (19:49 -0400)]
Remove unused include

15 months ago Fix compatibility with GNU make
Armaan Bhojwani [Mon, 3 May 2021 23:40:18 +0000 (19:40 -0400)]
Fix compatibility with GNU make

In my attempts to make it compatible with bmake, I made it
incompatible with gmake.

15 months ago Convert Makefile to being POSIX compatible
Armaan Bhojwani [Mon, 3 May 2021 22:34:58 +0000 (18:34 -0400)]
Convert Makefile to being POSIX compatible

15 months ago Cleanup comment in insults.c
Armaan Bhojwani [Mon, 3 May 2021 18:27:42 +0000 (14:27 -0400)]
Cleanup comment in insults.c

15 months ago Cleanup configure script
Armaan Bhojwani [Mon, 3 May 2021 18:25:25 +0000 (14:25 -0400)]
Cleanup configure script

15 months ago Update README
Armaan Bhojwani [Mon, 3 May 2021 18:22:57 +0000 (14:22 -0400)]
Update README

15 months ago Remove PAM authentication option
Armaan Bhojwani [Mon, 3 May 2021 15:26:18 +0000 (11:26 -0400)]
Remove PAM authentication option

I don't use it and don't want the potential security risk of having it
there

16 months ago Add insult option to doas.conf (v6.9)
Armaan Bhojwani [Sun, 4 Apr 2021 16:27:50 +0000 (12:27 -0400)]
Add insult option to doas.conf

16 months ago Change the way insults are enabled
Armaan Bhojwani [Sun, 4 Apr 2021 14:57:02 +0000 (10:57 -0400)]
Change the way insults are enabled

Now they are configured entirely with the configure script.

Will be working on a config file option as well.

16 months ago Fix configuration
Armaan Bhojwani [Sun, 4 Apr 2021 01:43:28 +0000 (21:43 -0400)]
Fix configuration

16 months ago Remove extra include
Armaan Bhojwani [Sun, 4 Apr 2021 01:43:20 +0000 (21:43 -0400)]
Remove extra include

16 months ago Update LICENSE and README
Armaan Bhojwani [Sun, 4 Apr 2021 01:25:28 +0000 (21:25 -0400)]
Update LICENSE and README

16 months ago Add basic insult capability
Armaan Bhojwani [Sun, 4 Apr 2021 01:20:55 +0000 (21:20 -0400)]
Add basic insult capability

18 months ago fix some wording in README.md
Duncan Overbruck [Wed, 3 Feb 2021 19:55:44 +0000 (20:55 +0100)]
fix some wording in README.md

18 months ago fixed typo in README.md
Lukas Hannen [Wed, 3 Feb 2021 00:49:20 +0000 (01:49 +0100)]
fixed typo in README.md

Closes: #54 [via git-merge-pr]

18 months ago Replace build/installation instructions with discouragements
Duncan Overbruck [Thu, 28 Jan 2021 23:28:46 +0000 (00:28 +0100)]
Replace build/installation instructions with discouragements

18 months ago remove pam.d configuration files
Duncan Overbruck [Thu, 28 Jan 2021 23:00:23 +0000 (00:00 +0100)]
remove pam.d configuration files

pam configuration files are not portable, it's the job of the
package maintainer or user who builds opendoas themselves to
configure pam in a safe and usable way.

18 months ago apply missing man page changes (v6.8.1)
Duncan Overbruck [Thu, 28 Jan 2021 19:12:48 +0000 (20:12 +0100)]
apply missing man page changes

18 months ago espie reminds me that EOF can happen for errors as well, so check for that
tedu [Fri, 4 Dec 2015 09:41:49 +0000 (09:41 +0000)]
espie reminds me that EOF can happen for errors as well, so check for that
happening and print a message.

18 months ago Promote nrules/maxrules to size_t and make sure they can't overflow. reallocarray...
millert [Wed, 27 Jan 2021 17:02:50 +0000 (17:02 +0000)]
Promote nrules/maxrules to size_t and make sure they can't overflow. reallocarray(3) will fail if nmemb * size would overflow. OK tb@ martijn@

18 months ago s/authorization/authentication/g
martijn [Sat, 16 Jan 2021 09:18:41 +0000 (09:18 +0000)]
s/authorization/authentication/g

OK kn@ tedu@

18 months ago Be more explicit by stating that the -n flag is linked to the nopass option in doas...
martijn [Fri, 15 Jan 2021 08:32:55 +0000 (08:32 +0000)]
Be more explicit by stating that the -n flag is linked to the nopass option in doas.conf instead of a generic "would prompt for password", which could lead people into believing that persist could work with this option.

OK tedu@
Feedback and OK kn@

18 months ago correctly reset path for rules without specific command
Duncan Overbruck [Thu, 28 Jan 2021 16:58:34 +0000 (17:58 +0100)]
correctly reset path for rules without specific command

This is a fixup for commit 01c658f8c45cb92a343be5f32aa6da70b2032168
where the behaviour was changed to not inherit the PATH variable
by default.

18 months ago after reading a too long line, restart at the beginning of the buffer so
tedu [Fri, 27 Nov 2015 21:10:17 +0000 (21:10 +0000)]
after reading a too long line, restart at the beginning of the buffer so
we don't keep writing past the end. (the perils of trying to recover from
parse errors.)
noticed by Jan Schreiber

18 months ago increment the line number after the line continuation; ok tedu
mikeb [Tue, 1 Sep 2015 16:20:55 +0000 (16:20 +0000)]
increment the line number after the line continuation; ok tedu

20 months ago remove unused pam.d file (v6.8)
Duncan Overbruck [Sat, 14 Nov 2020 15:30:28 +0000 (16:30 +0100)]
remove unused pam.d file

20 months ago pam: use PAM_REINITIALIZE_CRED
Duncan Overbruck [Sat, 14 Nov 2020 15:28:27 +0000 (16:28 +0100)]
pam: use PAM_REINITIALIZE_CRED

Both work fine, PAM_REINITIALIZE_CRED is the more correct
choice and is required on Solaris, see sudo bug #642;

https://bugzilla.sudo.ws/show_bug.cgi?id=642

20 months ago configure: respect environment and make CFLAGS
Duncan Overbruck [Sat, 14 Nov 2020 15:27:07 +0000 (16:27 +0100)]
configure: respect environment and make CFLAGS

20 months ago pam.d: include system-auth for auth, account and session
Duncan Overbruck [Sat, 14 Nov 2020 15:19:31 +0000 (16:19 +0100)]
pam.d: include system-auth for auth, account and session

20 months ago configure: use LDLIBS instead of setting LDFLAGS
Duncan Overbruck [Sat, 14 Nov 2020 15:13:16 +0000 (16:13 +0100)]
configure: use LDLIBS instead of setting LDFLAGS

20 months ago configure: fix verrc check
Duncan Overbruck [Sat, 14 Nov 2020 15:02:10 +0000 (16:02 +0100)]
configure: fix verrc check

21 months ago configure: add setresgid, setreuid and setregid checks
Duncan Overbruck [Thu, 12 Nov 2020 20:26:04 +0000 (21:26 +0100)]
configure: add setresgid, setreuid and setregid checks

21 months ago configure: add freebsd support
Duncan Overbruck [Thu, 12 Nov 2020 20:19:55 +0000 (21:19 +0100)]
configure: add freebsd support

21 months ago add pam.d file for MacOSX
Duncan Overbruck [Thu, 12 Nov 2020 17:29:08 +0000 (18:29 +0100)]
add pam.d file for MacOSX

21 months ago use wheel group on MacOSX
Duncan Overbruck [Thu, 12 Nov 2020 17:20:34 +0000 (18:20 +0100)]
use wheel group on MacOSX

21 months ago configure: don't set --no-as-needed on MacOSX while running checks
Duncan Overbruck [Thu, 12 Nov 2020 17:02:11 +0000 (18:02 +0100)]
configure: don't set --no-as-needed on MacOSX while running checks

21 months ago libopenbsd/closefrom.h: include path.h for _PATH_DEV on MacOSX
Duncan Overbruck [Thu, 12 Nov 2020 17:01:09 +0000 (18:01 +0100)]
libopenbsd/closefrom.h: include path.h for _PATH_DEV on MacOSX

21 months ago add back execvpe fallback
Duncan Overbruck [Thu, 12 Nov 2020 16:48:28 +0000 (17:48 +0100)]
add back execvpe fallback

21 months ago simplify makefile
Duncan Overbruck [Thu, 12 Nov 2020 16:22:54 +0000 (17:22 +0100)]
simplify makefile

21 months ago configure: define CURDIR for all targets
Duncan Overbruck [Thu, 12 Nov 2020 16:11:09 +0000 (17:11 +0100)]
configure: define CURDIR for all targets

21 months ago fix portability issues with configure script
Duncan Overbruck [Thu, 12 Nov 2020 16:02:05 +0000 (17:02 +0100)]
fix portability issues with configure script

21 months ago link libutil for setusercontext on NetBSD
Duncan Overbruck [Thu, 12 Nov 2020 15:55:16 +0000 (16:55 +0100)]
link libutil for setusercontext on NetBSD

21 months ago set _OPENBSD_SOURCE on NetBSD
Duncan Overbruck [Thu, 12 Nov 2020 15:49:13 +0000 (16:49 +0100)]
set _OPENBSD_SOURCE on NetBSD

21 months ago pam.c: free rsp in case of failure
Duncan Overbruck [Thu, 12 Nov 2020 15:22:16 +0000 (16:22 +0100)]
pam.c: free rsp in case of failure

21 months ago pam.c: remove dead assignment
Duncan Overbruck [Thu, 12 Nov 2020 15:21:04 +0000 (16:21 +0100)]
pam.c: remove dead assignment

21 months ago remove includes.h and move the prototypes to doas.h
Duncan Overbruck [Thu, 12 Nov 2020 15:17:42 +0000 (16:17 +0100)]
remove includes.h and move the prototypes to doas.h

21 months ago libopenbsd: clean up readpassphrase compat and fix ifdefs
Duncan Overbruck [Thu, 12 Nov 2020 15:15:04 +0000 (16:15 +0100)]
libopenbsd: clean up readpassphrase compat and fix ifdefs

21 months ago use config.h and link objects instead of libopenbsd.a
Duncan Overbruck [Thu, 12 Nov 2020 15:11:40 +0000 (16:11 +0100)]
use config.h and link objects instead of libopenbsd.a

21 months ago opendoas: Fallback for setresuid(2).
Sunil Nimmagadda [Thu, 12 Nov 2020 12:32:47 +0000 (18:02 +0530)]
opendoas: Fallback for setresuid(2).

This approach borrows from openssh-portable. The bsd-setres_id.c
is adapted with openssh-portable specific bits (log.h inclusion
and error() function) removed.

Closes: #40 [via git-merge-pr]

21 months ago move HOST_NAME_MAX to the top and add it to shadow.c
Duncan Overbruck [Thu, 12 Nov 2020 13:11:05 +0000 (14:11 +0100)]
move HOST_NAME_MAX to the top and add it to shadow.c

21 months ago check for login_cap.h and use setusercontext if available
Duncan Overbruck [Thu, 5 Nov 2020 20:00:16 +0000 (21:00 +0100)]
check for login_cap.h and use setusercontext if available

21 months ago fix SEE ALSO;
jmc [Fri, 9 Oct 2020 10:24:33 +0000 (10:24 +0000)]
fix SEE ALSO;

21 months ago Add nolog option to avoid syslog(3)
kn [Fri, 9 Oct 2020 07:43:38 +0000 (07:43 +0000)]
Add nolog option to avoid syslog(3)

doas(1) unconditionally logs all executions but syslog.conf(5) provides no
means to filter messages by user, target or command.

Add the "nolog" option to doas.conf(5) such that syslog becomes an opt-out
feature;  this keeps configuration simple enough yet powerful since rule
definition is the best place to decide whether to log commands or not on a
per rule basis - this also avoids duplicating information or logic in any
other log processing tool.

OK tedu martijn

21 months ago Improve error message on missing permission
kn [Fri, 9 Oct 2020 00:04:05 +0000 (00:04 +0000)]
Improve error message on missing permission

In case "cmd" (and "args") in doas.conf(5) mismatch, the log syslog(3)
message might be read as if the command was executed but failed, i.e.
returned non-zero.

Be unambiguous and help admins spot execution *attempts* as such:

-Oct  9 01:05:20 eru doas: failed command for kn: echo bar
+Oct  9 01:05:20 eru doas: command not permitted for kn: echo bar

OK tedu deraadt

21 months ago list example files in FILES with a short description: generally, "Example configurati...
jmc [Sat, 16 May 2020 16:58:11 +0000 (16:58 +0000)]
list example files in FILES with a short description: generally, "Example configuration file.", but occasionally something else fit better; at the same time, try to make the format for FILES more consistent;

original diff from clematis

21 months ago briefly mention /etc/examples/ in the FILES section of all the manual pages that...
schwarze [Mon, 10 Feb 2020 13:18:20 +0000 (13:18 +0000)]
briefly mention /etc/examples/ in the FILES section of all the manual pages that document the corresponding configuration files; OK jmc@, and general direction discussed with many

21 months ago Fallback definition for HOST_NAME_MAX.
Sunil Nimmagadda [Thu, 5 Nov 2020 07:03:09 +0000 (12:33 +0530)]
Fallback definition for HOST_NAME_MAX.

On some platforms (NetBSD) where HOST_NAME_MAX is not defined,
provide a fallback definition to _POSIX_HOST_NAME_MAX.

21 months ago Honor --sysconfdir option for doas.conf path.
Sunil Nimmagadda [Mon, 2 Nov 2020 06:24:29 +0000 (11:54 +0530)]
Honor --sysconfdir option for doas.conf path.

Some distributions may choose to place configuration files in a different
directory than /etc. The configure script provides --sysconfdir
option already, use it to find doas.conf path instead of hardcoding
'/etc/doas.conf'.

2 years ago timestamp.c: remove warning for normal case (v6.6.1)
Duncan Overbruck [Mon, 3 Feb 2020 21:26:55 +0000 (22:26 +0100)]
timestamp.c: remove warning for normal case

2 years ago timestamp.c: check fstat(2) instead of separate stat(2)
Duncan Overbruck [Mon, 3 Feb 2020 21:19:45 +0000 (22:19 +0100)]
timestamp.c: check fstat(2) instead of separate stat(2)

2 years ago timestamp.c: correctly NUL terminate buffer read from /proc/pid/stat
Duncan Overbruck [Mon, 3 Feb 2020 21:17:43 +0000 (22:17 +0100)]
timestamp.c: correctly NUL terminate buffer read from /proc/pid/stat

This solves bug #28.

2 years ago timestamp.c: add some more error/warning messages
Duncan Overbruck [Mon, 3 Feb 2020 21:11:34 +0000 (22:11 +0100)]
timestamp.c: add some more error/warning messages

This might help to identify bugs/misbehaving systems
or attempts to mess with timestamp files.

2 years ago timestamp.c: already return on 22nd field of /proc/ppid/stat
Duncan Overbruck [Fri, 6 Dec 2019 01:45:22 +0000 (02:45 +0100)]
timestamp.c: already return on 22nd field of /proc/ppid/stat

this is the last field we are interested in and if we didn't reach it,
return an error.

2 years ago doas.c: initialize mygetpwuid_r result
Duncan Overbruck [Fri, 6 Dec 2019 01:44:46 +0000 (02:44 +0100)]
doas.c: initialize mygetpwuid_r result

This can't really happen, but makes scan-build happy.

2 years ago libopenbsd: define __dead as noreturn
Duncan Overbruck [Fri, 6 Dec 2019 01:43:57 +0000 (02:43 +0100)]
libopenbsd: define __dead as noreturn

2 years ago Change binary permissions to 4755. Closes #26
Ivy Foster [Wed, 8 Jan 2020 17:33:51 +0000 (11:33 -0600)]
Change binary permissions to 4755. Closes #26

The owner can be trusted to read and write their own files, and
there's no reason not to let others read the file.

2 years ago configure: remove version (v6.6)
Duncan Overbruck [Sat, 23 Nov 2019 15:21:04 +0000 (16:21 +0100)]
configure: remove version

2 years ago doas.c: remove dead ifdefs to unclutter code
Duncan Overbruck [Sat, 23 Nov 2019 14:18:44 +0000 (15:18 +0100)]
doas.c: remove dead ifdefs to unclutter code

2 years ago timestamp: simplify
Duncan Overbruck [Thu, 21 Nov 2019 17:01:36 +0000 (18:01 +0100)]
timestamp: simplify

2 years ago configure: make {UID,GID}_MAX configurable
Duncan Overbruck [Thu, 21 Nov 2019 16:14:43 +0000 (17:14 +0100)]
configure: make {UID,GID}_MAX configurable

2 years ago add some checks to avoid UID_MAX (-1) here. this is not problematic with the current...
tedu [Fri, 18 Oct 2019 17:15:45 +0000 (17:15 +0000)]
add some checks to avoid UID_MAX (-1) here. this is not problematic with the current code, but it's probably safer this way. ok deraadt

2 years ago correct some unveil(2) violations due to "login.conf.db" access (the .db version...
semarie [Sat, 14 Sep 2019 17:47:00 +0000 (17:47 +0000)]
correct some unveil(2) violations due to "login.conf.db" access (the .db version of "login.conf"), and stat(2) on _PATH_MASTERPASSWD_LOCK (via pw_mkdb(3)).

problem initially noted by myself for passwd(1)
millert@ reported similar problem on chpass(1), su(1), doas(1) and encrypt(1)
mestre@ noted chpass(1) too

ok mestre@ millert@

2 years ago fixup unveil
Duncan Overbruck [Sat, 19 Oct 2019 13:02:58 +0000 (15:02 +0200)]
fixup unveil

2 years ago fix one last edge case regarding PATH, allows simpler config.
tedu [Sun, 7 Jul 2019 19:21:28 +0000 (19:21 +0000)]
fix one last edge case regarding PATH, allows simpler config.

2 years ago note that authentication is required, unless otherwise configured. ok sthen
tedu [Thu, 4 Jul 2019 19:04:17 +0000 (19:04 +0000)]
note that authentication is required, unless otherwise configured. ok sthen

2 years ago snprintf/vsnprintf return < 0 on error, rather than -1.
deraadt [Wed, 3 Jul 2019 03:24:02 +0000 (03:24 +0000)]
snprintf/vsnprintf return < 0 on error, rather than -1.

2 years ago fix some more fallout from setting path in setusercontext. restore previous behavior...
tedu [Sat, 29 Jun 2019 22:35:37 +0000 (22:35 +0000)]
fix some more fallout from setting path in setusercontext. restore previous behavior of using user PATH if no cmd restriction in the rule. run into by espie

2 years ago add an example hint that shows how original path can be retained
tedu [Mon, 24 Jun 2019 14:45:52 +0000 (14:45 +0000)]
add an example hint that shows how original path can be retained

2 years ago tweak wording a bit. always talk about creating a new environment. also document...
tedu [Fri, 21 Jun 2019 17:02:27 +0000 (17:02 +0000)]
tweak wording a bit. always talk about creating a new environment. also document DOAS_USER. ok deraadt jmc

2 years ago more precisely describe what happens to the environment without keepenv; OK tedu@
schwarze [Wed, 19 Jun 2019 09:55:55 +0000 (09:55 +0000)]
more precisely describe what happens to the environment without keepenv; OK tedu@

2 years ago mention that doas(1) resets the umask(2); OK tedu@
schwarze [Wed, 19 Jun 2019 09:50:13 +0000 (09:50 +0000)]
mention that doas(1) resets the umask(2); OK tedu@

2 years ago setusercontext resets PATH (which we want). but then it becomes impossible to access...
tedu [Mon, 17 Jun 2019 19:51:23 +0000 (19:51 +0000)]
setusercontext resets PATH (which we want). but then it becomes impossible to access the old PATH. save a copy in case we need it later. bug report from espie.

2 years ago mention environment resetting here as well. ok millert
tedu [Mon, 17 Jun 2019 18:44:44 +0000 (18:44 +0000)]
mention environment resetting here as well. ok millert

2 years ago always reset the "su" variables, which is more consistent and predictable. ok martijn...
tedu [Mon, 17 Jun 2019 16:01:26 +0000 (16:01 +0000)]
always reset the "su" variables, which is more consistent and predictable. ok martijn millert

2 years ago redo the environment inheritance to not inherit. it was intended to make life easier...
tedu [Sun, 16 Jun 2019 18:16:34 +0000 (18:16 +0000)]
redo the environment inheritance to not inherit. it was intended to make life easier, but it can be surprising or even unsafe. instead, reset just about everything to the target user's values. ok deraadt martijn Thanks to Sander Bos in particular for pointing out some nasty edge cases.

2 years ago a few cleanups and simplifications possible now that static pw is gone. noted by...
tedu [Wed, 12 Jun 2019 02:50:29 +0000 (02:50 +0000)]
a few cleanups and simplifications possible now that static pw is gone. noted by martijn. ok martijn.

2 years ago use getpwuid_r to avoid problems with hidden static storage. ok deraadt lteo martijn
tedu [Mon, 10 Jun 2019 18:11:27 +0000 (18:11 +0000)]
use getpwuid_r to avoid problems with hidden static storage. ok deraadt lteo martijn

3 years ago libopenbsd/closefrom.c: remove config.h include
Duncan Overbruck [Fri, 26 Jul 2019 15:46:17 +0000 (17:46 +0200)]
libopenbsd/closefrom.c: remove config.h include

3 years ago README.md: update the readme to match the current state
Duncan Overbruck [Fri, 26 Jul 2019 15:39:27 +0000 (17:39 +0200)]
README.md: update the readme to match the current state

3 years ago libopenbsd: remove MacOSX compat functions, it's not supported anyways
Duncan Overbruck [Fri, 26 Jul 2019 15:13:55 +0000 (17:13 +0200)]
libopenbsd: remove MacOSX compat functions, it's not supported anyways

3 years ago libopenbsd/closefrom.c: sync with sudo
Duncan Overbruck [Fri, 26 Jul 2019 15:01:54 +0000 (17:01 +0200)]
libopenbsd/closefrom.c: sync with sudo

3 years ago timestamp: error out if fstat and lstat st_ino and st_dev are not the same
Duncan Overbruck [Fri, 26 Jul 2019 14:39:36 +0000 (16:39 +0200)]
timestamp: error out if fstat and lstat st_ino and st_dev are not the same

3 years ago pam: close timestamp fd in both processes
Duncaen [Wed, 30 Jan 2019 22:43:12 +0000 (23:43 +0100)]
pam: close timestamp fd in both processes

3 years ago shadow: clear passphrase earlier
Duncaen [Wed, 30 Jan 2019 22:35:25 +0000 (23:35 +0100)]
shadow: clear passphrase earlier

3 years ago Add generated file parse.c to .gitignore and 'make clean'
Ivy Foster [Wed, 30 Jan 2019 19:39:50 +0000 (13:39 -0600)]
Add generated file parse.c to .gitignore and 'make clean'

Closes: #24 [via git-merge-pr]

3 years ago configure: list --with-timestamp in help, since without is default
Ivy Foster [Wed, 30 Jan 2019 19:35:14 +0000 (13:35 -0600)]
configure: list --with-timestamp in help, since without is default

3 years ago shadow: clear the password even after a mismatch
Duncaen [Wed, 30 Jan 2019 22:17:49 +0000 (23:17 +0100)]
shadow: clear the password even after a mismatch

3 years ago clear the password even after a mismatch
tedu [Thu, 17 Jan 2019 05:35:35 +0000 (05:35 +0000)]
clear the password even after a mismatch