isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Avoid touching the time stamp directory for "sudo -k command"

Browse Source
This commit is contained in:
Todd C. Miller
2015-09-07 06:06:08 -06:00
parent 69050f9345
commit 9dedc65a7f
1 changed files with 27 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

52
plugins/sudoers/check.c
View File

@@ -87,23 +87,34 @@ getpass_resume(int signo, void *vclosure)
static int static int
check_user_interactive(int validated, int mode, struct passwd *auth_pw) check_user_interactive(int validated, int mode, struct passwd *auth_pw)
{ {
struct sudo_conv_callback callback; struct sudo_conv_callback cb, *callback = NULL;
struct getpass_closure closure; struct getpass_closure closure;
void *cookie = NULL;
int status = TS_ERROR; int status = TS_ERROR;
int rval = -1; int rval = -1;
char *prompt; char *prompt;
bool lectured; bool lectured;
debug_decl(check_user_interactive, SUDOERS_DEBUG_AUTH) debug_decl(check_user_interactive, SUDOERS_DEBUG_AUTH)
/* Always need a password when -k was specified with the command. */ /* Open, lock and read time stamp file if we are using it. */
if (ISSET(mode, MODE_IGNORE_TICKET)) if (!ISSET(mode, MODE_IGNORE_TICKET)) {
SET(validated, FLAG_CHECK_USER); /* Open time stamp file and check its status. */
cookie = timestamp_open(user_name, user_sid);
if (timestamp_lock(cookie, auth_pw))
status = timestamp_status(cookie, auth_pw);
/* Open timestamp file and check its status. */ /* Construct callback for getpass function. */
closure.auth_pw = auth_pw; memset(&cb, 0, sizeof(cb));
closure.cookie = timestamp_open(user_name, user_sid); cb.version = SUDO_CONV_CALLBACK_VERSION;
if (timestamp_lock(closure.cookie, auth_pw)) cb.closure = &closure;
status = timestamp_status(closure.cookie, auth_pw); cb.on_suspend = getpass_suspend;
cb.on_resume = getpass_resume;
callback = &cb;
/* Closure for getpass_{suspend,resume} */
closure.auth_pw = auth_pw;
closure.cookie = cookie;
}
switch (status) { switch (status) {
case TS_FATAL: case TS_FATAL:
@@ -135,14 +146,7 @@ check_user_interactive(int validated, int mode, struct passwd *auth_pw)
if (prompt == NULL) if (prompt == NULL)
goto done; goto done;
/* Construct callback for getpass function. */ rval = verify_user(auth_pw, prompt, validated, callback);
memset(&callback, 0, sizeof(callback));
callback.version = SUDO_CONV_CALLBACK_VERSION;
callback.closure = &closure;
callback.on_suspend = getpass_suspend;
callback.on_resume = getpass_resume;
rval = verify_user(auth_pw, prompt, validated, &callback);
if (rval == true && lectured) if (rval == true && lectured)
(void)set_lectured(); /* lecture error not fatal */ (void)set_lectured(); /* lecture error not fatal */
free(prompt); free(prompt);
@@ -150,16 +154,14 @@ check_user_interactive(int validated, int mode, struct passwd *auth_pw)
} }
/* /*
* Only update timestamp if user was validated. * Only update time stamp if user was validated.
* Failure to update the timestamp is not a fatal error. * Failure to update the time stamp is not a fatal error.
*/ */
if (rval == true && ISSET(validated, VALIDATE_SUCCESS) && if (rval == true && ISSET(validated, VALIDATE_SUCCESS) && status != TS_ERROR)
!ISSET(mode, MODE_IGNORE_TICKET) && status != TS_ERROR) { (void)timestamp_update(cookie, auth_pw);
(void)timestamp_update(closure.cookie, auth_pw);
}
done: done:
if (closure.cookie != NULL) if (cookie != NULL)
timestamp_close(closure.cookie); timestamp_close(cookie);
debug_return_int(rval); debug_return_int(rval);
} }