Use the SUDO_CONV_PREFER_TTY flag during authentication.

This keeps the password prompt and PAM messages on the user's terminal (/dev/tty) rather than letting them follow stdout/stderr when those are redirected.
Bug #895
This commit is contained in:
Todd C. Miller
2019-08-26 19:30:11 -06:00
parent 5a22865131
commit 972670bfca
9 changed files with 51 additions and 29 deletions


@@ -256,7 +256,8 @@ sudo_aix_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_co
if (result != 0) { if (result != 0) {
/* Display error message, if any. */ /* Display error message, if any. */
if (sudo_aix_valid_message(message)) if (sudo_aix_valid_message(message))
sudo_printf(SUDO_CONV_ERROR_MSG, "%s", message); sudo_printf(SUDO_CONV_ERROR_MSG|SUDO_CONV_PREFER_TTY,
"%s", message);
ret = pass ? AUTH_FAILURE : AUTH_INTR; ret = pass ? AUTH_FAILURE : AUTH_INTR;
} }
free(message); free(message);
@@ -266,8 +267,9 @@ sudo_aix_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_co
if (ret == AUTH_SUCCESS) { if (ret == AUTH_SUCCESS) {
result = passwdexpired(pw->pw_name, &message); result = passwdexpired(pw->pw_name, &message);
if (message != NULL && message[0] != '\0') { if (message != NULL && message[0] != '\0') {
sudo_printf(result ? SUDO_CONV_ERROR_MSG : SUDO_CONV_INFO_MSG, int msg_type = SUDO_CONV_PREFER_TTY;
"%s", message); msg_type |= result ? SUDO_CONV_ERROR_MSG : SUDO_CONV_INFO_MSG,
sudo_printf(msg_type, "%s", message);
free(message); free(message);
message = NULL; message = NULL;
} }
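Review bot: The new assignment `msg_type |= result ? SUDO_CONV_ERROR_MSG : SUDO_CONV_INFO_MSG,` ends in a comma rather than a semicolon, so it and the following `sudo_printf(msg_type, "%s", message);` form a single comma expression. That still evaluates in the intended order (the `|=` is sequenced before the call), but it reads as a typo and will trip the next maintainer or a lint pass; change the trailing `,` to `;`. The enclosing sudo_aix_verify() starts and ends outside the hunk.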


@@ -103,7 +103,7 @@ sudo_dce_verify(struct passwd *pw, char *plain_pw, sudo_auth *auth, struct sudo_
* sure that we didn't get spoofed by another DCE server. * sure that we didn't get spoofed by another DCE server.
*/ */
if (!sec_login_certify_identity(login_context, &status)) { if (!sec_login_certify_identity(login_context, &status)) {
sudo_printf(SUDO_CONV_ERROR_MSG, sudo_printf(SUDO_CONV_ERROR_MSG|SUDO_CONV_PREFER_TTY,
"Whoa! Bogus authentication server!\n"); "Whoa! Bogus authentication server!\n");
(void) check_dce_status(status,"sec_login_certify_identity(1):"); (void) check_dce_status(status,"sec_login_certify_identity(1):");
debug_return_int(AUTH_FAILURE); debug_return_int(AUTH_FAILURE);
@@ -125,13 +125,13 @@ sudo_dce_verify(struct passwd *pw, char *plain_pw, sudo_auth *auth, struct sudo_
* DCE client and DCE security server... * DCE client and DCE security server...
*/ */
if (auth_src != sec_login_auth_src_network) { if (auth_src != sec_login_auth_src_network) {
sudo_printf(SUDO_CONV_ERROR_MSG, sudo_printf(SUDO_CONV_ERROR_MSG|SUDO_CONV_PREFER_TTY,
"You have no network credentials.\n"); "You have no network credentials.\n");
debug_return_int(AUTH_FAILURE); debug_return_int(AUTH_FAILURE);
} }
/* Check if the password has aged and is thus no good */ /* Check if the password has aged and is thus no good */
if (reset_passwd) { if (reset_passwd) {
sudo_printf(SUDO_CONV_ERROR_MSG, sudo_printf(SUDO_CONV_ERROR_MSG|SUDO_CONV_PREFER_TTY,
"Your DCE password needs resetting.\n"); "Your DCE password needs resetting.\n");
debug_return_int(AUTH_FAILURE); debug_return_int(AUTH_FAILURE);
} }
@@ -191,7 +191,8 @@ check_dce_status(error_status_t input_status, char *comment)
if (input_status == rpc_s_ok) if (input_status == rpc_s_ok)
debug_return_int(0); debug_return_int(0);
dce_error_inq_text(input_status, error_string, &error_stat); dce_error_inq_text(input_status, error_string, &error_stat);
sudo_printf(SUDO_CONV_ERROR_MSG, "%s %s\n", comment, error_string); sudo_printf(SUDO_CONV_ERROR_MSG|SUDO_CONV_PREFER_TTY,
"%s %s\n", comment, error_string);
debug_return_int(1); debug_return_int(1);
} }


@@ -109,7 +109,7 @@ restart:
} else if (strncmp(resp, "password", 8) == 0) { } else if (strncmp(resp, "password", 8) == 0) {
pass = auth_getpass(prompt, SUDO_CONV_PROMPT_ECHO_OFF, callback); pass = auth_getpass(prompt, SUDO_CONV_PROMPT_ECHO_OFF, callback);
} else if (strncmp(resp, "display ", 8) == 0) { } else if (strncmp(resp, "display ", 8) == 0) {
sudo_printf(SUDO_CONV_INFO_MSG, "%s\n", &resp[8]); sudo_printf(SUDO_CONV_INFO_MSG|SUDO_CONV_PREFER_TTY, "%s\n", &resp[8]);
strlcpy(buf, "response dummy", sizeof(buf)); strlcpy(buf, "response dummy", sizeof(buf));
goto restart; goto restart;
} else { } else {
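Review bot: The password prompt on the unchanged line above, `auth_getpass(prompt, SUDO_CONV_PROMPT_ECHO_OFF, callback)`, does not carry SUDO_CONV_PREFER_TTY while the server's `display` text just below it now does; unless auth_getpass() ORs the flag in itself (it is not part of this diff), the prompt could still follow a redirected stream while its explanatory text goes to the tty, the reverse of what the commit message promises. If the prompt is already pinned to the terminal elsewhere, a one-line comment here would save the next reader the same question: `/* the prompt itself is sent to the tty by auth_getpass() */`. The restart loop this sits in begins and ends outside the hunk.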


@@ -696,11 +696,13 @@ converse(int num_msg, PAM_CONST struct pam_message **msg,
break; break;
case PAM_TEXT_INFO: case PAM_TEXT_INFO:
if (pm->msg != NULL && !is_filtered(pm->msg)) if (pm->msg != NULL && !is_filtered(pm->msg))
sudo_printf(SUDO_CONV_INFO_MSG, "%s\n", pm->msg); sudo_printf(SUDO_CONV_INFO_MSG|SUDO_CONV_PREFER_TTY,
"%s\n", pm->msg);
break; break;
case PAM_ERROR_MSG: case PAM_ERROR_MSG:
if (pm->msg != NULL) if (pm->msg != NULL)
sudo_printf(SUDO_CONV_ERROR_MSG, "%s\n", pm->msg); sudo_printf(SUDO_CONV_ERROR_MSG|SUDO_CONV_PREFER_TTY,
"%s\n", pm->msg);
break; break;
default: default:
sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
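Review bot: Only the PAM_TEXT_INFO and PAM_ERROR_MSG arms of converse() gain SUDO_CONV_PREFER_TTY here; the PAM_PROMPT_ECHO_ON/PAM_PROMPT_ECHO_OFF arms, which carry the password prompt the commit message says it protects, sit above the hunk and are not visible, so it is worth confirming they pass the flag as well. Separately, is_filtered() is applied to PAM_TEXT_INFO but not to PAM_ERROR_MSG, so a module's error text always reaches the terminal unfiltered; if that asymmetry is deliberate, a comment on the PAM_ERROR_MSG arm such as `/* error messages are never filtered */` would make it clear. converse() begins and ends outside the hunk.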


@@ -206,9 +206,9 @@ then enter the new token code.\n", \
*/ */
/* XXX - Is setting up a new PIN within sudo's scope? */ /* XXX - Is setting up a new PIN within sudo's scope? */
SD_Pin(*sd, ""); SD_Pin(*sd, "");
sudo_printf(SUDO_CONV_ERROR_MSG, sudo_printf(SUDO_CONV_ERROR_MSG|SUDO_CONV_PREFER_TTY,
"Your SecurID access has not yet been set up.\n"); "Your SecurID access has not yet been set up.\n");
sudo_printf(SUDO_CONV_ERROR_MSG, sudo_printf(SUDO_CONV_ERROR_MSG|SUDO_CONV_PREFER_TTY,
"Please set up a PIN before you try to authenticate.\n"); "Please set up a PIN before you try to authenticate.\n");
ret = AUTH_FATAL; ret = AUTH_FATAL;
break; break;
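Review bot: With SUDO_CONV_PREFER_TTY set, both sudo_printf implementations in this commit open and close /dev/tty on every call, so the two back-to-back calls here now do two open/close cycles for what is one two-line message. Fold them into a single call: `sudo_printf(SUDO_CONV_ERROR_MSG|SUDO_CONV_PREFER_TTY, "Your SecurID access has not yet been set up.\nPlease set up a PIN before you try to authenticate.\n");`. The enclosing switch and function start and end outside the hunk.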


@@ -227,7 +227,7 @@ pass_warn(void)
if (def_insults) if (def_insults)
warning = INSULT; warning = INSULT;
#endif #endif
sudo_printf(SUDO_CONV_ERROR_MSG, "%s\n", warning); sudo_printf(SUDO_CONV_ERROR_MSG|SUDO_CONV_PREFER_TTY, "%s\n", warning);
debug_return; debug_return;
} }


@@ -259,13 +259,13 @@ display_lecture(int status)
if (def_lecture_file && (fp = fopen(def_lecture_file, "r")) != NULL) { if (def_lecture_file && (fp = fopen(def_lecture_file, "r")) != NULL) {
while ((nread = fread(buf, sizeof(char), sizeof(buf) - 1, fp)) != 0) { while ((nread = fread(buf, sizeof(char), sizeof(buf) - 1, fp)) != 0) {
buf[nread] = '\0'; buf[nread] = '\0';
msg.msg_type = SUDO_CONV_ERROR_MSG; msg.msg_type = SUDO_CONV_ERROR_MSG|SUDO_CONV_PREFER_TTY;
msg.msg = buf; msg.msg = buf;
sudo_conv(1, &msg, &repl, NULL); sudo_conv(1, &msg, &repl, NULL);
} }
fclose(fp); fclose(fp);
} else { } else {
msg.msg_type = SUDO_CONV_ERROR_MSG; msg.msg_type = SUDO_CONV_ERROR_MSG|SUDO_CONV_PREFER_TTY;
msg.msg = _("\n" msg.msg = _("\n"
"We trust you have received the usual lecture from the local System\n" "We trust you have received the usual lecture from the local System\n"
"Administrator. It usually boils down to these three things:\n\n" "Administrator. It usually boils down to these three things:\n\n"


@@ -32,22 +32,28 @@
#include "sudo_compat.h" #include "sudo_compat.h"
#include "sudo_plugin.h" #include "sudo_plugin.h"
#include "sudo_debug.h" #include "sudo_debug.h"
#include "pathnames.h"
static int static int
sudo_printf_int(int msg_type, const char *fmt, ...) sudo_printf_int(int msg_type, const char *fmt, ...)
{ {
FILE *fp = stdout;
FILE *ttyfp = NULL;
va_list ap; va_list ap;
int len; int len;
switch (msg_type) { if (ISSET(msg_type, SUDO_CONV_PREFER_TTY)) {
/* Try writing to /dev/tty first. */
ttyfp = fopen(_PATH_TTY, "w");
}
switch (msg_type & 0xff) {
case SUDO_CONV_ERROR_MSG:
fp = stderr;
/* FALLTHROUGH */
case SUDO_CONV_INFO_MSG: case SUDO_CONV_INFO_MSG:
va_start(ap, fmt); va_start(ap, fmt);
len = vfprintf(stdout, fmt, ap); len = vfprintf(ttyfp ? ttyfp : fp, fmt, ap);
va_end(ap);
break;
case SUDO_CONV_ERROR_MSG:
va_start(ap, fmt);
len = vfprintf(stderr, fmt, ap);
va_end(ap); va_end(ap);
break; break;
default: default:
@@ -56,6 +62,9 @@ sudo_printf_int(int msg_type, const char *fmt, ...)
break; break;
} }
if (ttyfp != NULL)
fclose(ttyfp);
return len; return len;
} }
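Review bot: Once /dev/tty opens, the write to it is never verified: `len = vfprintf(ttyfp ? ttyfp : fp, fmt, ap)` returns the byte count while the data may still sit in the stdio buffer, and the `fclose(ttyfp)` at the end discards the flush status, so a failed write to a hung-up or revoked terminal is reported to the caller as success and is not retried on stdout/stderr. Since the whole point of the flag is that these messages must reach the user, propagate the failure, `if (ttyfp != NULL && fclose(ttyfp) != 0) len = -1;`, or fall back to `fp` when the tty write fails. A short comment on `switch (msg_type & 0xff)` saying it deliberately strips SUDO_CONV_PREFER_TTY and any other flag bits before dispatching would also help, since the old code switched on the raw value. sudo_printf_int() is shown in full here.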


@@ -140,21 +140,26 @@ sudo_conversation_1_7(int num_msgs, const struct sudo_conv_message msgs[],
int int
sudo_conversation_printf(int msg_type, const char *fmt, ...) sudo_conversation_printf(int msg_type, const char *fmt, ...)
{ {
FILE *fp = stdout;
FILE *ttyfp = NULL;
va_list ap; va_list ap;
int len; int len;
const int conv_debug_instance = sudo_debug_get_active_instance(); const int conv_debug_instance = sudo_debug_get_active_instance();
sudo_debug_set_active_instance(sudo_debug_instance); sudo_debug_set_active_instance(sudo_debug_instance);
switch (msg_type) { if (ISSET(msg_type, SUDO_CONV_PREFER_TTY)) {
/* Try writing to /dev/tty first. */
ttyfp = fopen(_PATH_TTY, "w");
}
switch (msg_type & 0xff) {
case SUDO_CONV_ERROR_MSG:
fp = stderr;
/* FALLTHROUGH */
case SUDO_CONV_INFO_MSG: case SUDO_CONV_INFO_MSG:
va_start(ap, fmt); va_start(ap, fmt);
len = vfprintf(stdout, fmt, ap); len = vfprintf(ttyfp ? ttyfp : fp, fmt, ap);
va_end(ap);
break;
case SUDO_CONV_ERROR_MSG:
va_start(ap, fmt);
len = vfprintf(stderr, fmt, ap);
va_end(ap); va_end(ap);
break; break;
default: default:
@@ -163,6 +168,9 @@ sudo_conversation_printf(int msg_type, const char *fmt, ...)
break; break;
} }
if (ttyfp != NULL)
fclose(ttyfp);
sudo_debug_set_active_instance(conv_debug_instance); sudo_debug_set_active_instance(conv_debug_instance);
return len; return len;
} }
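Review bot: `ttyfp = fopen(_PATH_TTY, "w")` runs before msg_type is validated, so a caller passing an unrecognized type with SUDO_CONV_PREFER_TTY set still opens and closes the terminal only to land in `default:`; open the tty inside the two handled cases, or after checking that `(msg_type & 0xff)` is SUDO_CONV_ERROR_MSG or SUDO_CONV_INFO_MSG, so a bad plugin call costs nothing. The `fclose(ttyfp)` status is also dropped, so a flush error on the tty is returned as a successful len; `if (ttyfp != NULL && fclose(ttyfp) != 0) len = -1;` keeps the caller informed. This function and the sudoers-side sudo_printf_int() in the same commit now carry the identical tty-selection logic line for line; a shared helper would keep the two from drifting apart. sudo_conversation_printf() is shown in full here.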