Fix root, runas, and target authentication for non-passwd file auth
methods.
@@ -95,7 +95,8 @@ sudo_auth auth_switch[] = {
|
||||
int nil_pw; /* I hate resorting to globals like this... */
|
||||
|
||||
void
|
||||
verify_user(prompt)
|
||||
verify_user(pw, prompt)
|
||||
struct passwd *pw;
|
||||
char *prompt;
|
||||
{
|
||||
short counter = def_ival(I_PW_TRIES) + 1;
|
||||
@@ -121,7 +122,7 @@ verify_user(prompt)
|
||||
if (NEEDS_USER(auth))
|
||||
set_perms(PERM_USER, 0);
|
||||
|
||||
status = (auth->init)(sudo_user.pw, &prompt, auth);
|
||||
status = (auth->init)(pw, &prompt, auth);
|
||||
if (status == AUTH_FAILURE)
|
||||
auth->flags &= ~FLAG_CONFIGURED;
|
||||
else if (status == AUTH_FATAL) /* XXX log */
|
||||
@@ -139,7 +140,7 @@ verify_user(prompt)
|
||||
if (NEEDS_USER(auth))
|
||||
set_perms(PERM_USER, 0);
|
||||
|
||||
status = (auth->setup)(sudo_user.pw, &prompt, auth);
|
||||
status = (auth->setup)(pw, &prompt, auth);
|
||||
if (status == AUTH_FAILURE)
|
||||
auth->flags &= ~FLAG_CONFIGURED;
|
||||
else if (status == AUTH_FATAL) /* XXX log */
|
||||
@@ -169,7 +170,7 @@ verify_user(prompt)
|
||||
if (NEEDS_USER(auth))
|
||||
set_perms(PERM_USER, 0);
|
||||
|
||||
success = auth->status = (auth->verify)(sudo_user.pw, p, auth);
|
||||
success = auth->status = (auth->verify)(pw, p, auth);
|
||||
|
||||
if (NEEDS_USER(auth))
|
||||
set_perms(PERM_ROOT, 0);
|
||||
@@ -199,7 +200,7 @@ cleanup:
|
||||
if (NEEDS_USER(auth))
|
||||
set_perms(PERM_USER, 0);
|
||||
|
||||
status = (auth->cleanup)(sudo_user.pw, auth);
|
||||
status = (auth->cleanup)(pw, auth);
|
||||
if (status == AUTH_FATAL) /* XXX log */
|
||||
exit(1); /* assume error msg already printed */
|
||||
|
||||
|
2
check.c
2
check.c
@@ -102,7 +102,7 @@ check_user()
|
||||
prompt = expand_prompt(user_prompt ? user_prompt : def_str(I_PASSPROMPT),
|
||||
user_name, user_shost);
|
||||
|
||||
verify_user(prompt);
|
||||
verify_user(auth_pw, prompt);
|
||||
}
|
||||
if (status != TS_ERROR)
|
||||
update_timestamp(timestampdir, timestampfile);
|
||||
|
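Review bot: check_user() now depends on the global auth_pw being filled in before it runs, and nothing at the call site records that precondition; from the sudo.c hunk it appears main() assigns it from get_authpw() shortly before the password check, but if check_user() were ever reached earlier, verify_user() would hand a NULL pw to every auth method's init/setup/verify hook. Suggest a comment above the call, `/* auth_pw was set by main() via get_authpw() before check_user() was called. */`, so the ordering is visible where it is relied on. The enclosing check_user() starts and ends outside the hunk.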
44
getspwuid.c
44
getspwuid.c
@@ -94,6 +94,7 @@ int crypt_type = INT_MAX;
|
||||
* Local functions not visible outside getspwuid.c
|
||||
*/
|
||||
static char *sudo_getshell __P((struct passwd *));
|
||||
static struct passwd *sudo_pwdup __P((struct passwd *));
|
||||
|
||||
|
||||
/*
|
||||
@@ -191,14 +192,11 @@ sudo_getepw(pw)
|
||||
* Dynamically allocate space for a struct password and the constituent parts
|
||||
* that we care about. Fills in pw_passwd from shadow file if necessary.
|
||||
*/
|
||||
struct passwd *
|
||||
sudo_getpwuid(uid)
|
||||
uid_t uid;
|
||||
static struct passwd *
|
||||
sudo_pwdup(pw)
|
||||
struct passwd *pw;
|
||||
{
|
||||
struct passwd *pw, *local_pw;
|
||||
|
||||
if ((pw = getpwuid(uid)) == NULL)
|
||||
return(NULL);
|
||||
struct passwd *local_pw;
|
||||
|
||||
/* Allocate space for a local copy of pw. */
|
||||
local_pw = (struct passwd *) emalloc(sizeof(struct passwd));
|
||||
@@ -218,3 +216,35 @@ sudo_getpwuid(uid)
|
||||
|
||||
return(local_pw);
|
||||
}
|
||||
|
||||
/*
|
||||
* Get a password entry by uid and allocate space for it.
|
||||
* Fills in pw_passwd from shadow file if necessary.
|
||||
*/
|
||||
struct passwd *
|
||||
sudo_getpwuid(uid)
|
||||
uid_t uid;
|
||||
{
|
||||
struct passwd *pw;
|
||||
|
||||
if ((pw = getpwuid(uid)) == NULL)
|
||||
return(NULL);
|
||||
else
|
||||
return(sudo_pwdup(pw));
|
||||
}
|
||||
|
||||
/*
|
||||
* Get a password entry by name and allocate space for it.
|
||||
* Fills in pw_passwd from shadow file if necessary.
|
||||
*/
|
||||
struct passwd *
|
||||
sudo_getpwnam(name)
|
||||
const char *name;
|
||||
{
|
||||
struct passwd *pw;
|
||||
|
||||
if ((pw = getpwnam(name)) == NULL)
|
||||
return(NULL);
|
||||
else
|
||||
return(sudo_pwdup(pw));
|
||||
}
|
||||
|
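Review bot: The header comments on the new sudo_getpwuid() and sudo_getpwnam() do not mention the property that separates them from getpwuid()/getpwnam(): the result is a private copy built by sudo_pwdup() with emalloc(), whereas the libc result is static storage that the next lookup overwrites, and nothing visible here frees the copy. Suggest adding to both comments a line such as `* Returns a heap-allocated copy that survives later getpw*() calls; nothing frees it.` (adjust if a caller does release it), and on sudo_pwdup() a note that only the fields sudo uses are copied, since the old sudo_getpwuid() comment already says so. As a point of style, the `else` after `return(NULL);` in both new functions is redundant; `return(sudo_pwdup(pw));` on its own reads cleaner and matches the early-return shape used elsewhere in the file. sudo_pwdup()'s body begins in the earlier hunk and its middle is not shown, so the copied field set is inferred from the old function.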
36
sudo.c
36
sudo.c
@@ -115,8 +115,9 @@ static int set_loginclass __P((struct passwd *));
|
||||
static void add_env __P((int));
|
||||
static void clean_env __P((char **, struct env_table *));
|
||||
static void initial_setup __P((void));
|
||||
static void update_epasswd __P((void));
|
||||
static struct passwd *get_authpw __P((void));
|
||||
extern struct passwd *sudo_getpwuid __P((uid_t));
|
||||
extern struct passwd *sudo_getpwnam __P((const char *));
|
||||
extern void list_matches __P((void));
|
||||
|
||||
/*
|
||||
@@ -127,6 +128,7 @@ char **Argv;
|
||||
int NewArgc = 0;
|
||||
char **NewArgv = NULL;
|
||||
struct sudo_user sudo_user;
|
||||
struct passwd *auth_pw;
|
||||
FILE *sudoers_fp = NULL;
|
||||
struct interface *interfaces;
|
||||
int num_interfaces;
|
||||
@@ -316,8 +318,8 @@ main(argc, argv)
|
||||
(void) close(fd);
|
||||
}
|
||||
|
||||
/* Update encrypted password in user_password if sudoers said to. */
|
||||
update_epasswd();
|
||||
/* Fill in passwd struct based on user we are authenticating as. */
|
||||
auth_pw = get_authpw();
|
||||
|
||||
/* Require a password unless the NOPASS tag was set. */
|
||||
if (!(validated & FLAG_NOPASS))
|
||||
@@ -1164,39 +1166,35 @@ set_fqdn()
|
||||
}
|
||||
|
||||
/*
|
||||
* If the sudoers file says to prompt for a different user's password,
|
||||
* update the encrypted password in user_passwd accordingly.
|
||||
* Get passwd entry for the user we are going to authenticate as.
|
||||
* By default, this is the user invoking sudo...
|
||||
*/
|
||||
static void
|
||||
update_epasswd()
|
||||
static struct passwd *
|
||||
get_authpw()
|
||||
{
|
||||
struct passwd *pw;
|
||||
|
||||
/* We may be configured to prompt for a password other than the user's */
|
||||
if (def_ival(I_ROOTPW)) {
|
||||
if ((pw = getpwuid(0)) == NULL)
|
||||
if ((pw = sudo_getpwuid(0)) == NULL)
|
||||
log_error(0, "uid 0 does not exist in the passwd file!");
|
||||
free(user_passwd);
|
||||
user_passwd = estrdup(sudo_getepw(pw));
|
||||
} else if (def_ival(I_RUNASPW)) {
|
||||
if ((pw = getpwnam(def_str(I_RUNAS_DEF))) == NULL)
|
||||
if ((pw = sudo_getpwnam(def_str(I_RUNAS_DEF))) == NULL)
|
||||
log_error(0, "user %s does not exist in the passwd file!",
|
||||
def_str(I_RUNAS_DEF));
|
||||
free(user_passwd);
|
||||
user_passwd = estrdup(sudo_getepw(pw));
|
||||
} else if (def_ival(I_TARGETPW)) {
|
||||
if (**user_runas == '#') {
|
||||
if ((pw = getpwuid(atoi(*user_runas + 1))) == NULL)
|
||||
if ((pw = sudo_getpwuid(atoi(*user_runas + 1))) == NULL)
|
||||
log_error(0, "uid %s does not exist in the passwd file!",
|
||||
user_runas);
|
||||
} else {
|
||||
if ((pw = getpwnam(*user_runas)) == NULL)
|
||||
if ((pw = sudo_getpwnam(*user_runas)) == NULL)
|
||||
log_error(0, "user %s does not exist in the passwd file!",
|
||||
user_runas);
|
||||
}
|
||||
free(user_passwd);
|
||||
user_passwd = estrdup(sudo_getepw(pw));
|
||||
}
|
||||
} else
|
||||
pw = sudo_user.pw;
|
||||
|
||||
return(pw);
|
||||
}
|
||||
|
||||
/*
|
||||
|
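Review bot: In the I_TARGETPW branch of get_authpw() the two error calls pass `user_runas` to a `%s` conversion, but the surrounding code (`**user_runas == '#'`, `*user_runas + 1`) shows user_runas is a pointer to the string, so log_error() receives a `char **` where it expects a `char *`; the fix is `user_runas);` → `*user_runas);` on both the uid and the name branches. These are context lines carried over from update_epasswd(), but get_authpw() now decides which passwd entry the session authenticates against, so its error path deserves to work. Secondly, `sudo_getpwuid(atoi(*user_runas + 1))` keeps atoi(), which yields 0 for a `#` spec with no leading digits and ignores trailing text, so a malformed spec resolves to uid 0's entry instead of being rejected; unless the -u argument is already validated before main() reaches this point, parse it with strtol() and check the end pointer and errno (sudo.c's includes are outside the hunk; this needs <errno.h> if it is not already there). Rewritten uid branch below; the rest of the function is unchanged.
```c
	} else if (def_ival(I_TARGETPW)) {
	    if (**user_runas == '#') {
		char *ep;
		long luid;

		errno = 0;
		luid = strtol(*user_runas + 1, &ep, 10);
		if (ep == *user_runas + 1 || *ep != '\0' || errno == ERANGE)
		    log_error(0, "uid %s is not a valid uid!", *user_runas);
		if ((pw = sudo_getpwuid((uid_t)luid)) == NULL)
		    log_error(0, "uid %s does not exist in the passwd file!",
			*user_runas);
	    } else {
		if ((pw = sudo_getpwnam(*user_runas)) == NULL)
		    log_error(0, "user %s does not exist in the passwd file!",
			*user_runas);
	    }
	/* ... unchanged: default branch and return(pw) ... */
```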
3
sudo.h
3
sudo.h
@@ -196,7 +196,7 @@ int sudo_setenv __P((char *, char *));
|
||||
char *tgetpass __P((const char *, int, int));
|
||||
int find_path __P((char *, char **));
|
||||
void check_user __P((void));
|
||||
void verify_user __P((char *));
|
||||
void verify_user __P((struct passwd *, char *));
|
||||
int sudoers_lookup __P((int));
|
||||
void set_perms __P((int, int));
|
||||
void remove_timestamp __P((int));
|
||||
@@ -222,6 +222,7 @@ YY_DECL;
|
||||
/* Only provide extern declarations outside of sudo.c. */
|
||||
#ifndef _SUDO_SUDO_C
|
||||
extern struct sudo_user sudo_user;
|
||||
extern struct passwd *auth_pw;
|
||||
|
||||
extern int Argc;
|
||||
extern char **Argv;
|
||||
|