diff --git a/plugins/sudoers/auth/API b/plugins/sudoers/auth/API index bcf1ed44f..b38a1c4ef 100644 --- a/plugins/sudoers/auth/API +++ b/plugins/sudoers/auth/API @@ -63,6 +63,10 @@ The member functions can return the following values: receives AUTH_ERROR from an auth function it stops authenticating and returns an error. + AUTH_INTR An attempt to read the password read was interrupted. + Usually this means the user entered ^C at the + password prompt. + AUTH_NONINTERACTIVE Function failed because user interaction was required but sudo was run in non-interactive mode. diff --git a/plugins/sudoers/auth/aix_auth.c b/plugins/sudoers/auth/aix_auth.c index f0b7abaff..37ab3291a 100644 --- a/plugins/sudoers/auth/aix_auth.c +++ b/plugins/sudoers/auth/aix_auth.c @@ -257,7 +257,7 @@ sudo_aix_verify(const struct sudoers_context *ctx, struct passwd *pw, if (sudo_aix_valid_message(message)) sudo_printf(SUDO_CONV_ERROR_MSG|SUDO_CONV_PREFER_TTY, "%s", message); - ret = AUTH_FAILURE; + ret = pass ? AUTH_FAILURE : AUTH_INTR; } free(message); message = NULL; diff --git a/plugins/sudoers/auth/bsdauth.c b/plugins/sudoers/auth/bsdauth.c index b79367638..a4c18204f 100644 --- a/plugins/sudoers/auth/bsdauth.c +++ b/plugins/sudoers/auth/bsdauth.c @@ -171,10 +171,11 @@ bsdauth_verify(const struct sudoers_context *ctx, struct passwd *pw, if (authok) debug_return_int(AUTH_SUCCESS); - if (pass != NULL) { - if ((s = auth_getvalue(as, (char *)"errormsg")) != NULL) - log_warningx(ctx, 0, "%s", s); - } + if (pass == NULL) + debug_return_int(AUTH_INTR); + + if ((s = auth_getvalue(as, (char *)"errormsg")) != NULL) + log_warningx(ctx, 0, "%s", s); debug_return_int(AUTH_FAILURE); } diff --git a/plugins/sudoers/auth/fwtk.c b/plugins/sudoers/auth/fwtk.c index 126684bd6..466810f97 100644 --- a/plugins/sudoers/auth/fwtk.c +++ b/plugins/sudoers/auth/fwtk.c 
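Review bot: The new `ret = pass ? AUTH_FAILURE : AUTH_INTR;` in sudo_aix_verify separates a rejected password from an interrupted prompt only by whether `pass` is NULL at this point, and the hunk does not show where `pass` is assigned or released. If the pointer can still be non-NULL after its buffer has been freed, or NULL for a reason other than an interrupted read, the result is misclassified, so this is worth confirming against the part of the function outside the hunk. I would add a comment above the line, `/* pass is NULL only when the password read was interrupted */`, and write the test as `pass != NULL ? AUTH_FAILURE : AUTH_INTR` to match the explicit comparison used in bsdauth.c.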
@@ -121,8 +121,8 @@ restart: sudo_warnx("%s", resp); debug_return_int(AUTH_ERROR); } - if (pass == NULL) { /* ^C or error */ - debug_return_int(AUTH_FAILURE); + if (pass == NULL) { /* ^C or error */ + debug_return_int(AUTH_INTR); } /* Send the user's response to the server */ diff --git a/plugins/sudoers/auth/pam.c b/plugins/sudoers/auth/pam.c index c38ee3ea7..8a17f0d30 100644 --- a/plugins/sudoers/auth/pam.c +++ b/plugins/sudoers/auth/pam.c @@ -1,7 +1,7 @@ /* * SPDX-License-Identifier: ISC * - * Copyright (c) 1999-2005, 2007-2023 Todd C. Miller + * Copyright (c) 1999-2005, 2007-2020 Todd C. Miller * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -332,7 +332,7 @@ sudo_pam_verify(const struct sudoers_context *ctx, struct passwd *pw, if (getpass_error) { /* error or ^C from tgetpass() or running non-interactive */ - debug_return_int(noninteractive ? AUTH_NONINTERACTIVE : AUTH_FAILURE); + debug_return_int(noninteractive ? AUTH_NONINTERACTIVE : AUTH_INTR); } switch (*pam_status) { case PAM_SUCCESS: diff --git a/plugins/sudoers/auth/sia.c b/plugins/sudoers/auth/sia.c index 4347c0e7b..575198acb 100644 --- a/plugins/sudoers/auth/sia.c +++ b/plugins/sudoers/auth/sia.c @@ -89,10 +89,10 @@ sudo_sia_verify(const struct sudoers_context *ctx, struct passwd *pw, if (IS_NONINTERACTIVE(auth)) debug_return_int(AUTH_NONINTERACTIVE); - /* Get password, return AUTH_FAILURE if we got ^C */ + /* Get password, return AUTH_INTR if we got ^C */ pass = auth_getpass(prompt, SUDO_CONV_PROMPT_ECHO_OFF, callback); if (pass == NULL) - debug_return_int(AUTH_FAILURE); + debug_return_int(AUTH_INTR); /* Check password and zero out plaintext copy. */ rc = sia_ses_authent(NULL, pass, siah); diff --git a/plugins/sudoers/auth/sudo_auth.c b/plugins/sudoers/auth/sudo_auth.c index 3aa288123..0fc62ee65 100644 --- a/plugins/sudoers/auth/sudo_auth.c +++ b/plugins/sudoers/auth/sudo_auth.c 
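Review bot: The fwtk.c branch `if (pass == NULL) { /* ^C or error */` now returns AUTH_INTR for both causes its own comment lists, so a failed password read is reported to the caller as a user interrupt. The `getpass_error` branch in sudo_pam_verify has the same shape, since its comment reads `error or ^C from tgetpass()`, and the `pass == NULL` returns in sia.c, bsdauth.c and aix_auth.c may share it. If the read path cannot tell the two cases apart, the comments and the API text should say that AUTH_INTR also covers read errors, for example `/* ^C or read error; both are reported as AUTH_INTR */`. If it can, the error case fits AUTH_ERROR better, so that logs and audit records do not attribute an I/O failure to the user.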
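Review bot: The copyright line in the pam.c header changes from `2007-2023` to `2007-2020`, which moves the range backwards and is unrelated to the AUTH_INTR change. This looks like an accidental edit; the line should probably stay `Copyright (c) 1999-2005, 2007-2023 Todd C. Miller`.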
@@ -355,6 +355,7 @@ done: case AUTH_SUCCESS: ret = true; break; + case AUTH_INTR: case AUTH_FAILURE: if (ntries != 0) SET(validated, FLAG_BAD_PASSWORD); diff --git a/plugins/sudoers/auth/sudo_auth.h b/plugins/sudoers/auth/sudo_auth.h index 172c6df62..89e6b8422 100644 --- a/plugins/sudoers/auth/sudo_auth.h +++ b/plugins/sudoers/auth/sudo_auth.h @@ -22,8 +22,9 @@ /* Auth function return values. */ #define AUTH_SUCCESS 0 #define AUTH_FAILURE 1 -#define AUTH_ERROR 2 -#define AUTH_NONINTERACTIVE 3 +#define AUTH_INTR 2 +#define AUTH_ERROR 3 +#define AUTH_NONINTERACTIVE 4 typedef struct sudo_auth { unsigned int flags; /* various flags, see below */
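Review bot: The added `case AUTH_INTR:` shares the AUTH_FAILURE branch, so an interrupted prompt also sets FLAG_BAD_PASSWORD whenever `ntries` is non-zero; a short comment such as `/* an interrupted prompt is treated as a failed attempt */` would record that this is deliberate. This label is the only change to sudo_auth.c on the page, so any other test against AUTH_FAILURE in the file (outside the hunk) now sees an interrupt as a different value. Each of those sites, and the rest of this switch, should still deny access for AUTH_INTR rather than fall into a path written for success or for values the code did not expect.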
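Review bot: Placing `#define AUTH_INTR 2` in the middle renumbers AUTH_ERROR from 2 to 3 and AUTH_NONINTERACTIVE from 3 to 4, so anything that relies on the old numbers, such as a literal comparison, a stored status, or an object built against the previous header, would silently read an error as an interrupt. Unless the ordering itself matters, appending the new value as `#define AUTH_INTR 4` and leaving the existing two lines unchanged avoids that. If the new order is intentional, a comment on the block saying that the values are internal and may be renumbered would help.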