errc(1, EPERM, NULL);
}
+ pw = getpwuid(target);
+ if (!pw)
+ errx(1, "no passwd entry for target");
+
#ifdef HAVE_BSD_AUTH_H
if (!(rule->options & NOPASS)) {
if (nflag)
explicit_bzero(rbuf, sizeof(rbuf));
}
#elif HAVE_PAM_APPL_H
- if (!doas_pam(myname, !nflag, rule->options & NOPASS)) {
- syslog(LOG_AUTHPRIV | LOG_NOTICE,
- "failed auth for %s", myname);
+ if (!doas_pam(pw->pw_name, myname, !nflag, rule->options & NOPASS)) {
+ syslog(LOG_AUTHPRIV | LOG_NOTICE, "failed auth for %s", myname);
errc(1, EPERM, NULL);
}
#else
if (pledge("stdio rpath getpw exec id", NULL) == -1)
err(1, "pledge");
- pw = getpwuid(target);
- if (!pw)
- errx(1, "no passwd entry for target");
-
+#ifdef HAVE_BSD_AUTH_H
if (setusercontext(NULL, pw, target, LOGIN_SETGROUP |
LOGIN_SETPRIORITY | LOGIN_SETRESOURCES | LOGIN_SETUMASK |
LOGIN_SETUSER) != 0)
errx(1, "failed to set user context for target");
+#else
+ if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0)
+ errx(1, "setgid");
+ if (initgroups(pw->pw_name, pw->pw_gid) != 0)
+ errx(1, "initgroups");
+ if (setresuid(target, target, target) != 0)
+ errx(1, "setuid");
+#endif
if (pledge("stdio rpath exec", NULL) == -1)
err(1, "pledge");
static sig_atomic_t volatile caught_signal = 0;
static char doas_prompt[128];
+static void
+catchsig(int sig)
+{
+ caught_signal = sig;
+}
+
static char *
prompt(const char *msg, int echo_on, int *pam)
{
/* overwrite default prompt if it matches "Password:[ ]" */
if (strncmp(msg,"Password:", 9) == 0 &&
- (msg[9] == '\0' || (msg[9] == ' ' && msg[10] == '\0')))
+ (msg[9] == '\0' || (msg[9] == ' ' && msg[10] == '\0')))
prompt = doas_prompt;
else
prompt = msg;
case PAM_ERROR_MSG:
case PAM_TEXT_INFO:
if (fprintf(style == PAM_ERROR_MSG ? stderr : stdout,
- "%s\n", msgs[i]->msg) < 0)
+ "%s\n", msgs[i]->msg) < 0)
goto fail;
break;
return PAM_CONV_ERR;
}
-static void
-catchsig(int sig)
-{
- caught_signal = sig;
-}
-
int
-doas_pam(char *name, int interactive, int nopass)
+doas_pam(const char *user, const char* ruser, int interactive, int nopass)
{
static const struct pam_conv conv = {
.conv = doas_pam_conv,
pid_t child;
int ret;
- if (!name)
+ if (!user || !ruser)
return 0;
- ret = pam_start(PAM_SERVICE_NAME, name, &conv, &pamh);
- if (ret != PAM_SUCCESS)
- errx(1, "pam_start(\"%s\", \"%s\", ?, ?): failed\n",
- PAM_SERVICE_NAME, name);
+ /* pam needs the real root */
+ if(setuid(0))
+ errx(1, "setuid");
- ret = pam_set_item(pamh, PAM_USER, name);
+ ret = pam_start(PAM_SERVICE_NAME, ruser, &conv, &pamh);
if (ret != PAM_SUCCESS)
- errx(1, "pam_set_item(?, PAM_USER, \"%s\"): %s\n",
- name, pam_strerror(pamh, ret));
+ errx(1, "pam_start(\"%s\", \"%s\", ?, ?): failed\n",
+ PAM_SERVICE_NAME, ruser);
- ret = pam_set_item(pamh, PAM_RUSER, name);
+ ret = pam_set_item(pamh, PAM_RUSER, ruser);
if (ret != PAM_SUCCESS)
- errx(1, "pam_set_item(?, PAM_RUSER, \"%s\"): %s\n",
- name, pam_strerror(pamh, ret));
+ warn("pam_set_item(?, PAM_RUSER, \"%s\"): %s\n",
+ pam_strerror(pamh, ret), ruser);
if (isatty(0) && (ttydev = ttyname(0)) != NULL) {
if (strncmp(ttydev, "/dev/", 5))
ret = pam_set_item(pamh, PAM_TTY, tty);
if (ret != PAM_SUCCESS)
- errx(1, "pam_set_item(?, PAM_TTY, \"%s\"): %s\n",
- tty, pam_strerror(pamh, ret));
+ warn("pam_set_item(?, PAM_TTY, \"%s\"): %s\n",
+ tty, pam_strerror(pamh, ret));
}
if (!nopass) {
if (gethostname(host, sizeof(host)))
snprintf(host, sizeof(host), "?");
snprintf(doas_prompt, sizeof(doas_prompt),
- "\rdoas (%.32s@%.32s) password: ", name, host);
+ "\rdoas (%.32s@%.32s) password: ", ruser, host);
/* authenticate */
ret = pam_authenticate(pamh, 0);
if (ret != PAM_SUCCESS) {
- ret = pam_end(pamh, ret);
- if (ret != PAM_SUCCESS)
- errx(1, "pam_end(): %s\n", pam_strerror(pamh, ret));
+ pam_end(pamh, ret);
return 0;
}
}
if (ret != PAM_SUCCESS)
return 0;
+ ret = pam_set_item(pamh, PAM_USER, user);
+ if (ret != PAM_SUCCESS)
+ warn("pam_set_item(?, PAM_USER, \"%s\"): %s\n", user,
+ pam_strerror(pamh, ret));
+
ret = pam_setcred(pamh, PAM_ESTABLISH_CRED);
if (ret != PAM_SUCCESS)
- errx(1, "pam_setcred(?, PAM_ESTABLISH_CRED): %s\n",
- pam_strerror(pamh, ret));
+ warn("pam_setcred(?, PAM_ESTABLISH_CRED): %s\n", pam_strerror(pamh, ret));
/* open session */
ret = pam_open_session(pamh, 0);
/* unblock SIGTERM and SIGALRM to catch them */
sigemptyset(&sigs);
- if(sigaddset(&sigs, SIGTERM) ||
- sigaddset(&sigs, SIGALRM) ||
- sigaction(SIGTERM, &act, &oldact) ||
- sigprocmask(SIG_UNBLOCK, &sigs, NULL)) {
+ if (sigaddset(&sigs, SIGTERM) ||
+ sigaddset(&sigs, SIGALRM) ||
+ sigaction(SIGTERM, &act, &oldact) ||
+ sigprocmask(SIG_UNBLOCK, &sigs, NULL)) {
warn("failed to set signal handler");
caught_signal = 1;
}
if (waitpid(child, &status, 0) != -1) {
if (WIFSIGNALED(status)) {
fprintf(stderr, "%s%s\n", strsignal(WTERMSIG(status)),
- WCOREDUMP(status) ? " (core dumped)" : "");
+ WCOREDUMP(status) ? " (core dumped)" : "");
status = WTERMSIG(status) + 128;
} else {
status = WEXITSTATUS(status);
+++ /dev/null
-/*
- * Copyright (c) 2015 Nathan Holstein <nathan.holstein@gmail.com>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include <sys/resource.h>
-#include <sys/stat.h>
-#include <sys/types.h>
-#include <errno.h>
-#include <pwd.h>
-#include <stdlib.h>
-#include <unistd.h>
-#include <grp.h>
-
-#include "includes.h"
-
-int
-setusercontext(login_cap_t *lc, struct passwd *pw, uid_t uid, unsigned int flags)
-{
- int ret;
-
- if (lc != NULL || pw == NULL ||
- (flags & ~(LOGIN_SETGROUP | LOGIN_SETPRIORITY |
- LOGIN_SETRESOURCES | LOGIN_SETUMASK |
- LOGIN_SETUSER)) != 0) {
- errno = EINVAL;
- return -1;
- }
-
- if (flags & LOGIN_SETGROUP) {
- if ((ret = setgid(pw->pw_gid)) != 0)
- return ret;
- if ((ret = initgroups(pw->pw_name, pw->pw_gid)) != 0)
- return ret;
- }
-
- if (flags & LOGIN_SETPRIORITY) {
- if ((ret = setpriority(PRIO_PROCESS, getpid(), 0)) != 0)
- return ret;
- if ((ret = setpriority(PRIO_USER, uid, 0)) != 0)
- return ret;
- }
-
- if (flags & LOGIN_SETRESOURCES) {
- }
-
- if (flags & LOGIN_SETUMASK)
- umask(S_IWGRP | S_IWOTH);
-
- if (flags & LOGIN_SETUSER)
- return setuid(uid);
-
- return 0;
-}
-