2 * Copyright (c) 2015 Nathan Holstein <nathan.holstein@gmail.com>
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 #include <sys/types.h>
24 #ifdef HAVE_READPASSPHRASE_H
25 # include <readpassphrase.h>
27 # include "readpassphrase.h"
36 #include <security/pam_appl.h>
41 #define HOST_NAME_MAX _POSIX_HOST_NAME_MAX
44 #define PAM_SERVICE_NAME "doas"
46 static pam_handle_t *pamh = NULL;
47 static char doas_prompt[128];
48 static sig_atomic_t volatile caught_signal = 0;
57 pamprompt(const char *msg, int echo_on, int *ret)
60 char *pass, buf[PAM_MAX_RESP_SIZE];
61 int flags = RPP_REQUIRE_TTY | (echo_on ? RPP_ECHO_ON : RPP_ECHO_OFF);
63 /* overwrite default prompt if it matches "Password:[ ]" */
64 if (strncmp(msg,"Password:", 9) == 0 &&
65 (msg[9] == '\0' || (msg[9] == ' ' && msg[10] == '\0')))
70 pass = readpassphrase(prompt, buf, sizeof(buf), flags);
73 else if (!(pass = strdup(pass)))
78 explicit_bzero(buf, sizeof(buf));
83 pamconv(int nmsgs, const struct pam_message **msgs,
84 struct pam_response **rsps, __UNUSED void *ptr)
86 struct pam_response *rsp;
90 if (!(rsp = calloc(nmsgs, sizeof(struct pam_response))))
91 err(1, "could not allocate pam_response");
93 for (i = 0; i < nmsgs; i++) {
94 switch (style = msgs[i]->msg_style) {
95 case PAM_PROMPT_ECHO_OFF:
96 case PAM_PROMPT_ECHO_ON:
97 rsp[i].resp = pamprompt(msgs[i]->msg, style == PAM_PROMPT_ECHO_ON, &ret);
98 if (ret != PAM_SUCCESS)
104 if (fprintf(style == PAM_ERROR_MSG ? stderr : stdout,
105 "%s\n", msgs[i]->msg) < 0)
110 errx(1, "invalid PAM msg_style %d", style);
120 /* overwrite and free response buffers */
121 for (i = 0; i < nmsgs; i++) {
122 if (rsp[i].resp == NULL)
124 switch (style = msgs[i]->msg_style) {
125 case PAM_PROMPT_ECHO_OFF:
126 case PAM_PROMPT_ECHO_ON:
127 explicit_bzero(rsp[i].resp, strlen(rsp[i].resp));
137 pamcleanup(int ret, int sess, int cred)
140 ret = pam_close_session(pamh, 0);
141 if (ret != PAM_SUCCESS)
142 errx(1, "pam_close_session: %s", pam_strerror(pamh, ret));
145 ret = pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT);
146 if (ret != PAM_SUCCESS)
147 warn("pam_setcred(?, PAM_DELETE_CRED | PAM_SILENT): %s",
148 pam_strerror(pamh, ret));
154 watchsession(pid_t child, int sess, int cred)
157 struct sigaction act, oldact;
162 if (sigprocmask(SIG_BLOCK, &sigs, NULL)) {
163 warn("failed to block signals");
168 /* setup signal handler */
169 act.sa_handler = catchsig;
170 sigemptyset(&act.sa_mask);
173 /* unblock SIGTERM and SIGALRM to catch them */
175 if (sigaddset(&sigs, SIGTERM) ||
176 sigaddset(&sigs, SIGALRM) ||
177 sigaddset(&sigs, SIGTSTP) ||
178 sigaction(SIGTERM, &act, &oldact) ||
179 sigprocmask(SIG_UNBLOCK, &sigs, NULL)) {
180 warn("failed to set signal handler");
185 /* wait for child to be terminated */
186 if (waitpid(child, &status, 0) != -1) {
187 if (WIFSIGNALED(status)) {
188 fprintf(stderr, "%s%s\n", strsignal(WTERMSIG(status)),
189 WCOREDUMP(status) ? " (core dumped)" : "");
190 status = WTERMSIG(status) + 128;
192 status = WEXITSTATUS(status);
194 else if (caught_signal)
195 status = caught_signal + 128;
200 if (caught_signal && child != (pid_t)-1) {
201 fprintf(stderr, "\nSession terminated, killing shell\n");
202 kill(child, SIGTERM);
205 pamcleanup(PAM_SUCCESS, sess, cred);
208 if (child != (pid_t)-1) {
211 kill(child, SIGKILL);
212 fprintf(stderr, " ...killed.\n");
215 /* unblock cached signal and resend */
216 sigaction(SIGTERM, &oldact, NULL);
217 if (caught_signal != SIGTERM)
218 caught_signal = SIGKILL;
219 kill(getpid(), caught_signal);
226 pamauth(const char *user, const char *myname, int interactive, int nopass, int persist)
228 static const struct pam_conv conv = {
234 int ret, sess = 0, cred = 0;
243 if (!user || !myname)
244 errx(1, "Authorization failed");
246 ret = pam_start(PAM_SERVICE_NAME, myname, &conv, &pamh);
247 if (ret != PAM_SUCCESS)
248 errx(1, "pam_start(\"%s\", \"%s\", ?, ?): failed",
249 PAM_SERVICE_NAME, myname);
251 ret = pam_set_item(pamh, PAM_RUSER, myname);
252 if (ret != PAM_SUCCESS)
253 warn("pam_set_item(?, PAM_RUSER, \"%s\"): %s",
254 pam_strerror(pamh, ret), myname);
256 if (isatty(0) && (ttydev = ttyname(0)) != NULL) {
257 if (strncmp(ttydev, "/dev/", 5) == 0)
260 ret = pam_set_item(pamh, PAM_TTY, ttydev);
261 if (ret != PAM_SUCCESS)
262 warn("pam_set_item(?, PAM_TTY, \"%s\"): %s",
263 ttydev, pam_strerror(pamh, ret));
269 fd = timestamp_open(&valid, 5 * 60);
270 if (fd != -1 && valid == 1)
276 errx(1, "Authorization required");
278 /* doas style prompt for pam */
279 char host[HOST_NAME_MAX + 1];
280 if (gethostname(host, sizeof(host)))
281 snprintf(host, sizeof(host), "?");
282 snprintf(doas_prompt, sizeof(doas_prompt),
283 "\rdoas (%.32s@%.32s) password: ", myname, host);
286 ret = pam_authenticate(pamh, 0);
287 if (ret != PAM_SUCCESS) {
288 pamcleanup(ret, sess, cred);
289 syslog(LOG_AUTHPRIV | LOG_NOTICE, "failed auth for %s", myname);
290 errx(1, "Authorization failed");
295 ret = pam_acct_mgmt(pamh, 0);
296 if (ret == PAM_NEW_AUTHTOK_REQD)
297 ret = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
299 /* account not vaild or changing the auth token failed */
300 if (ret != PAM_SUCCESS) {
301 pamcleanup(ret, sess, cred);
302 syslog(LOG_AUTHPRIV | LOG_NOTICE, "failed auth for %s", myname);
303 errx(1, "Authorization failed");
306 /* set PAM_USER to the user we want to be */
307 ret = pam_set_item(pamh, PAM_USER, user);
308 if (ret != PAM_SUCCESS)
309 warn("pam_set_item(?, PAM_USER, \"%s\"): %s", user,
310 pam_strerror(pamh, ret));
312 ret = pam_setcred(pamh, PAM_ESTABLISH_CRED);
313 if (ret != PAM_SUCCESS)
314 warn("pam_setcred(?, PAM_ESTABLISH_CRED): %s", pam_strerror(pamh, ret));
319 ret = pam_open_session(pamh, 0);
320 if (ret != PAM_SUCCESS)
321 errx(1, "pam_open_session: %s", pam_strerror(pamh, ret));
324 if ((child = fork()) == -1) {
325 pamcleanup(PAM_ABORT, sess, cred);
329 /* return as child */
340 timestamp_set(fd, 5 * 60);
344 watchsession(child, sess, cred);