Restore AUTH_INTR support, it is still needed.

We still need AUTH_INTR to know when to break out of the password
prompt loop.
Todd C. Miller
2023-08-29 10:02:09 -06:00
parent 3c05e748a4
commit 8cd0d74fbb
8 changed files with 20 additions and 13 deletions


@@ -63,6 +63,10 @@ The member functions can return the following values:
receives AUTH_ERROR from an auth function it stops receives AUTH_ERROR from an auth function it stops
authenticating and returns an error. authenticating and returns an error.
AUTH_INTR An attempt to read the password read was interrupted.
Usually this means the user entered ^C at the
password prompt.
AUTH_NONINTERACTIVE Function failed because user interaction was AUTH_NONINTERACTIVE Function failed because user interaction was
required but sudo was run in non-interactive required but sudo was run in non-interactive
mode. mode.


@@ -257,7 +257,7 @@ sudo_aix_verify(const struct sudoers_context *ctx, struct passwd *pw,
if (sudo_aix_valid_message(message)) if (sudo_aix_valid_message(message))
sudo_printf(SUDO_CONV_ERROR_MSG|SUDO_CONV_PREFER_TTY, sudo_printf(SUDO_CONV_ERROR_MSG|SUDO_CONV_PREFER_TTY,
"%s", message); "%s", message);
ret = AUTH_FAILURE; ret = pass ? AUTH_FAILURE : AUTH_INTR;
} }
free(message); free(message);
message = NULL; message = NULL;


@@ -171,10 +171,11 @@ bsdauth_verify(const struct sudoers_context *ctx, struct passwd *pw,
if (authok) if (authok)
debug_return_int(AUTH_SUCCESS); debug_return_int(AUTH_SUCCESS);
if (pass != NULL) { if (pass == NULL)
if ((s = auth_getvalue(as, (char *)"errormsg")) != NULL) debug_return_int(AUTH_INTR);
log_warningx(ctx, 0, "%s", s);
} if ((s = auth_getvalue(as, (char *)"errormsg")) != NULL)
log_warningx(ctx, 0, "%s", s);
debug_return_int(AUTH_FAILURE); debug_return_int(AUTH_FAILURE);
} }


@@ -121,8 +121,8 @@ restart:
sudo_warnx("%s", resp); sudo_warnx("%s", resp);
debug_return_int(AUTH_ERROR); debug_return_int(AUTH_ERROR);
} }
if (pass == NULL) { /* ^C or error */ if (pass == NULL) { /* ^C or error */
debug_return_int(AUTH_FAILURE); debug_return_int(AUTH_INTR);
} }
/* Send the user's response to the server */ /* Send the user's response to the server */
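Review bot: The `pass == NULL` branch is commented `/* ^C or error */` but now returns `AUTH_INTR` for both cases, so a failure to read the password is reported to the caller as a user interrupt. If the caller uses `AUTH_INTR` only to stop re-prompting, that is harmless, but the comment at the return should say so, e.g. `/* ^C or read error: stop prompting */`. The PAM hunk has the same shape: `noninteractive ? AUTH_NONINTERACTIVE : AUTH_INTR` sits under a comment that also lists "error". The enclosing function starts and ends outside this hunk, so how `pass` is obtained is not visible here.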


@@ -1,7 +1,7 @@
/* /*
* SPDX-License-Identifier: ISC * SPDX-License-Identifier: ISC
* *
* Copyright (c) 1999-2005, 2007-2023 Todd C. Miller <Todd.Miller@sudo.ws> * Copyright (c) 1999-2005, 2007-2020 Todd C. Miller <Todd.Miller@sudo.ws>
* *
* Permission to use, copy, modify, and distribute this software for any * Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above * purpose with or without fee is hereby granted, provided that the above
@@ -332,7 +332,7 @@ sudo_pam_verify(const struct sudoers_context *ctx, struct passwd *pw,
if (getpass_error) { if (getpass_error) {
/* error or ^C from tgetpass() or running non-interactive */ /* error or ^C from tgetpass() or running non-interactive */
debug_return_int(noninteractive ? AUTH_NONINTERACTIVE : AUTH_FAILURE); debug_return_int(noninteractive ? AUTH_NONINTERACTIVE : AUTH_INTR);
} }
switch (*pam_status) { switch (*pam_status) {
case PAM_SUCCESS: case PAM_SUCCESS:
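Review bot: The copyright range in the file header appears to move backwards, from `2007-2023` to `2007-2020`. That looks like a side effect of restoring older code rather than an intended change. I would keep the `2007-2023` range and drop the header hunk from this commit, so that only the `AUTH_INTR` return in `sudo_pam_verify` changes in this file.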


@@ -89,10 +89,10 @@ sudo_sia_verify(const struct sudoers_context *ctx, struct passwd *pw,
if (IS_NONINTERACTIVE(auth)) if (IS_NONINTERACTIVE(auth))
debug_return_int(AUTH_NONINTERACTIVE); debug_return_int(AUTH_NONINTERACTIVE);
/* Get password, return AUTH_FAILURE if we got ^C */ /* Get password, return AUTH_INTR if we got ^C */
pass = auth_getpass(prompt, SUDO_CONV_PROMPT_ECHO_OFF, callback); pass = auth_getpass(prompt, SUDO_CONV_PROMPT_ECHO_OFF, callback);
if (pass == NULL) if (pass == NULL)
debug_return_int(AUTH_FAILURE); debug_return_int(AUTH_INTR);
/* Check password and zero out plaintext copy. */ /* Check password and zero out plaintext copy. */
rc = sia_ses_authent(NULL, pass, siah); rc = sia_ses_authent(NULL, pass, siah);


@@ -355,6 +355,7 @@ done:
case AUTH_SUCCESS: case AUTH_SUCCESS:
ret = true; ret = true;
break; break;
case AUTH_INTR:
case AUTH_FAILURE: case AUTH_FAILURE:
if (ntries != 0) if (ntries != 0)
SET(validated, FLAG_BAD_PASSWORD); SET(validated, FLAG_BAD_PASSWORD);
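Review bot: `case AUTH_INTR:` is stacked on `case AUTH_FAILURE:` with no comment, so it is not obvious that an interrupted prompt is meant to take the same path, including `SET(validated, FLAG_BAD_PASSWORD)` when `ntries != 0`. A short comment above the label would record the intent, for example `/* Interrupted prompt is handled like a failed attempt; it must never validate. */`. The switch begins and ends outside this hunk. Because this commit also renumbers the return values in the header, it is worth confirming that any value not listed ends in a denying arm.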


@@ -22,8 +22,9 @@
/* Auth function return values. */ /* Auth function return values. */
#define AUTH_SUCCESS 0 #define AUTH_SUCCESS 0
#define AUTH_FAILURE 1 #define AUTH_FAILURE 1
#define AUTH_ERROR 2 #define AUTH_INTR 2
#define AUTH_NONINTERACTIVE 3 #define AUTH_ERROR 3
#define AUTH_NONINTERACTIVE 4
typedef struct sudo_auth { typedef struct sudo_auth {
unsigned int flags; /* various flags, see below */ unsigned int flags; /* various flags, see below */
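Review bot: Inserting `AUTH_INTR` as 2 renumbers `AUTH_ERROR` (2 to 3) and `AUTH_NONINTERACTIVE` (3 to 4). Any code that returns or compares these results as literal integers, or any object built against the old header, would silently have an error read as an interrupt. If nothing depends on the ordering, giving the restored constant the next free value keeps the existing values stable: `#define AUTH_INTR 4`. Otherwise, a one-line comment above the block stating that the values are internal and may be renumbered would help. The `sudo_auth` struct that follows continues outside this hunk.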