isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Use the auth_getpass (and the plugin conversation fuction) for Tru64

Browse Source 
SIA.  This prevents sudo from sleeping while holding the tty ticket
lock.
This commit is contained in:
Todd C. Miller
2015-10-06 10:25:53 -06:00
parent 588460405f
commit 2ecda6d65c
3 changed files with 64 additions and 64 deletions
Download Patch File Download Diff File Expand all files Collapse all files

125
plugins/sudoers/auth/sia.c
View File

@@ -42,64 +42,13 @@
#include "sudoers.h" #include "sudoers.h"
#include "sudo_auth.h" #include "sudo_auth.h"
static int sudo_collect(int, int, uchar_t *, int, prompt_t *);
static char *def_prompt;
static char **sudo_argv; static char **sudo_argv;
static int sudo_argc; static int sudo_argc;
#define PROMPT_IS_PASSWORD(_p) \
(strncmp((_p), "Password:", 9) == 0 && \
((_p)[9] == '\0' || ((_p)[9] == ' ' && (_p)[10] == '\0')))
/*
* Collection routine (callback) for limiting the timeouts in SIA
* prompts and (possibly) setting a custom prompt.
*/
static int
sudo_collect(int timeout, int rendition, uchar_t *title, int nprompts,
prompt_t *prompts)
{
int rval;
sigset_t mask, omask;
debug_decl(sudo_collect, SUDOERS_DEBUG_AUTH)
switch (rendition) {
case SIAFORM:
case SIAONELINER:
if (timeout <= 0 || timeout > def_passwd_timeout * 60)
timeout = def_passwd_timeout * 60;
/*
* Substitute custom prompt if a) the sudo prompt is not "Password:"
* and b) the SIA prompt is "Password:" (so we know it is safe).
* This keeps us from overwriting things like S/Key challenges.
*/
if (!PROMPT_IS_PASSWORD(def_prompt) &&
PROMPT_IS_PASSWORD((char *)prompts[0].prompt))
prompts[0].prompt = (unsigned char *)def_prompt;
break;
default:
break;
}
/* Unblock SIGINT and SIGQUIT during password entry. */
sigemptyset(&mask);
sigaddset(&mask, SIGINT);
sigaddset(&mask, SIGQUIT);
sigprocmask(SIG_UNBLOCK, &mask, &omask);
rval = sia_collect_trm(timeout, rendition, title, nprompts, prompts);
/* Restore previous signal mask. */
sigprocmask(SIG_SETMASK, &omask, NULL);
debug_return_int(rval);
}
int int
sudo_sia_setup(struct passwd *pw, char **promptp, sudo_auth *auth) sudo_sia_setup(struct passwd *pw, char **promptp, sudo_auth *auth)
{ {
SIAENTITY *siah = NULL; SIAENTITY *siah;
int i; int i;
debug_decl(sudo_sia_setup, SUDOERS_DEBUG_AUTH) debug_decl(sudo_sia_setup, SUDOERS_DEBUG_AUTH)
@@ -115,40 +64,90 @@ sudo_sia_setup(struct passwd *pw, char **promptp, sudo_auth *auth)
sudo_argv[i + 1] = NewArgv[i]; sudo_argv[i + 1] = NewArgv[i];
sudo_argv[sudo_argc] = NULL; sudo_argv[sudo_argc] = NULL;
if (sia_ses_init(&siah, sudo_argc, sudo_argv, NULL, pw->pw_name, user_ttypath, 1, NULL) != SIASUCCESS) { /* We don't let SIA prompt the user for input. */
if (sia_ses_init(&siah, sudo_argc, sudo_argv, NULL, pw->pw_name, user_ttypath, 0, NULL) != SIASUCCESS) {
log_warning(0, N_("unable to initialize SIA session")); log_warning(0, N_("unable to initialize SIA session"));
debug_return_int(AUTH_FATAL); debug_return_int(AUTH_FATAL);
} }
auth->data = (void *) siah; auth->data = siah;
debug_return_int(AUTH_SUCCESS); debug_return_int(AUTH_SUCCESS);
} }
int int
sudo_sia_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_conv_callback *callback) sudo_sia_verify(struct passwd *pw, char *prompt, sudo_auth *auth,
struct sudo_conv_callback *callback)
{ {
SIAENTITY *siah = (SIAENTITY *) auth->data; SIAENTITY *siah = auth->data;
char *pass;
int rc;
debug_decl(sudo_sia_verify, SUDOERS_DEBUG_AUTH) debug_decl(sudo_sia_verify, SUDOERS_DEBUG_AUTH)
def_prompt = prompt; /* for sudo_collect */ /* Get password, return AUTH_INTR if we got ^C */
pass = auth_getpass(prompt, def_passwd_timeout * 60,
SUDO_CONV_PROMPT_ECHO_OFF, callback);
if (pass == NULL)
debug_return_int(AUTH_INTR);
/* XXX - need a way to detect user hitting ^C or EOF at prompt */ /* Check password and zero out plaintext copy. */
if (sia_ses_reauthent(sudo_collect, siah) == SIASUCCESS) rc = sia_ses_authent(NULL, pass, siah);
memset_s(pass, SUDO_CONV_REPL_MAX, 0, strlen(pass));
if (rc == SIASUCCESS)
debug_return_int(AUTH_SUCCESS); debug_return_int(AUTH_SUCCESS);
else if (ISSET(rc, SIASTOP))
debug_return_int(AUTH_FAILURE); debug_return_int(AUTH_FATAL);
debug_return_int(AUTH_FAILURE);
} }
int int
sudo_sia_cleanup(struct passwd *pw, sudo_auth *auth) sudo_sia_cleanup(struct passwd *pw, sudo_auth *auth)
{ {
SIAENTITY *siah = (SIAENTITY *) auth->data; SIAENTITY *siah = auth->data;
debug_decl(sudo_sia_cleanup, SUDOERS_DEBUG_AUTH) debug_decl(sudo_sia_cleanup, SUDOERS_DEBUG_AUTH)
(void) sia_ses_release(&siah); (void) sia_ses_release(&siah);
auth->data = NULL;
free(sudo_argv); free(sudo_argv);
debug_return_int(AUTH_SUCCESS); debug_return_int(AUTH_SUCCESS);
} }
int
sudo_sia_begin_session(struct passwd *pw, char **user_envp[], sudo_auth *auth)
{
SIAENTITY *siah;
int status = AUTH_FATAL;
debug_decl(sudo_sia_begin_session, SUDOERS_DEBUG_AUTH)
/* Re-init sia for the target user's session. */
if (sia_ses_init(&siah, NewArgc, NewArgv, NULL, pw->pw_name, user_ttypath, 0, NULL) != SIASUCCESS) {
log_warning(0, N_("unable to initialize SIA session"));
goto done;
}
if (sia_make_entity_pwd(pw, siah) != SIASUCCESS) {
sudo_warn("sia_make_entity_pwd");
goto done;
}
status = AUTH_FAILURE; /* no more fatal errors. */
siah->authtype = SIA_A_NONE;
if (sia_ses_estab(sia_collect_trm, siah) != SIASUCCESS) {
sudo_warn("sia_ses_estab");
goto done;
}
if (sia_ses_launch(sia_collect_trm, siah) != SIASUCCESS) {
sudo_warn("sia_ses_launch");
goto done;
}
status = AUTH_SUCCESS;
done:
(void) sia_ses_release(&siah);
debug_return_int(status);
}
#endif /* HAVE_SIA_SES_INIT */ #endif /* HAVE_SIA_SES_INIT */

2
plugins/sudoers/auth/sudo_auth.c
View File

@@ -50,7 +50,7 @@ static sudo_auth auth_switch[] = {
AUTH_ENTRY("SecurId", FLAG_STANDALONE, sudo_securid_init, sudo_securid_setup, sudo_securid_verify, NULL, NULL, NULL) AUTH_ENTRY("SecurId", FLAG_STANDALONE, sudo_securid_init, sudo_securid_setup, sudo_securid_verify, NULL, NULL, NULL)
#endif #endif
#ifdef HAVE_SIA_SES_INIT #ifdef HAVE_SIA_SES_INIT
AUTH_ENTRY("sia", FLAG_STANDALONE, NULL, sudo_sia_setup, sudo_sia_verify, sudo_sia_cleanup, NULL, NULL) AUTH_ENTRY("sia", FLAG_STANDALONE, NULL, sudo_sia_setup, sudo_sia_verify, sudo_sia_cleanup, sudo_sia_begin_session, NULL)
#endif #endif
#ifdef HAVE_FWTK #ifdef HAVE_FWTK
AUTH_ENTRY("fwtk", FLAG_STANDALONE, sudo_fwtk_init, NULL, sudo_fwtk_verify, sudo_fwtk_cleanup, NULL, NULL) AUTH_ENTRY("fwtk", FLAG_STANDALONE, sudo_fwtk_init, NULL, sudo_fwtk_verify, sudo_fwtk_cleanup, NULL, NULL)

1
plugins/sudoers/auth/sudo_auth.h
View File

@@ -74,6 +74,7 @@ int sudo_securid_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct s
int sudo_sia_setup(struct passwd *pw, char **prompt, sudo_auth *auth); int sudo_sia_setup(struct passwd *pw, char **prompt, sudo_auth *auth);
int sudo_sia_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_conv_callback *callback); int sudo_sia_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_conv_callback *callback);
int sudo_sia_cleanup(struct passwd *pw, sudo_auth *auth); int sudo_sia_cleanup(struct passwd *pw, sudo_auth *auth);
int sudo_sia_begin_session(struct passwd *pw, char **user_env[], sudo_auth *auth);
/* Prototypes for normal methods */ /* Prototypes for normal methods */
int sudo_afs_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_conv_callback *callback); int sudo_afs_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_conv_callback *callback);