diff --git a/auth/fwtk.c b/auth/fwtk.c index 5f3693c13..9c8486d39 100644 --- a/auth/fwtk.c +++ b/auth/fwtk.c @@ -54,7 +54,7 @@ static const char rcsid[] = "$Sudo$"; #endif /* lint */ int -fwtk_setup(pw, promptp, data) +fwtk_init(pw, promptp, data) struct passwd *pw; char **promptp; void **data; @@ -62,9 +62,6 @@ fwtk_setup(pw, promptp, data) static Cfg *confp; /* Configuration entry struct */ char resp[128]; /* Response from the server */ - if (confp) - return(AUTH_SUCCESS); /* Already initialized */ - if ((confp = cfg_read("sudo")) == (Cfg *)-1) { (void) fprintf(stderr, "%s: cannot read fwtk config.\n", Argv[0]); return(AUTH_FATAL); diff --git a/auth/kerb4.c b/auth/kerb4.c index 4a4313a10..7d7b2864b 100644 --- a/auth/kerb4.c +++ b/auth/kerb4.c @@ -53,16 +53,13 @@ static const char rcsid[] = "$Sudo$"; #endif /* lint */ int -kerb4_setup(pw, promptp, data) +kerb4_init(pw, promptp, data) struct passwd *pw; char **promptp; void **data; { static char realm[REALM_SZ]; - if (*data) - return(AUTH_SUCCESS); /* Already initialized */ - /* Don't try to verify root */ if (pw->pw_uid == 0) return(AUTH_FAILURE); diff --git a/auth/kerb5.c b/auth/kerb5.c index 6dc788226..d89e7a859 100644 --- a/auth/kerb5.c +++ b/auth/kerb5.c @@ -62,7 +62,7 @@ static krb5_context sudo_context = NULL; static int verify_krb_v5_tgt __P((krb5_ccache)); int -kerb5_setup(pw, promptp, data) +kerb5_init(pw, promptp, data) struct passwd *pw; char **promptp; void **data; @@ -71,9 +71,6 @@ kerb5_setup(pw, promptp, data) krb5_error_code retval; extern int arg_prompt; - if (*data) - return(AUTH_SUCCESS); /* Already initialized */ - /* XXX - make these errors non-fatal for better fallback? */ if (retval = krb5_init_context(&sudo_context)) { /* XXX - how to map retval to error string? */ diff --git a/auth/pam.c b/auth/pam.c index e10f25c74..de695ec43 100644 --- a/auth/pam.c +++ b/auth/pam.c 
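Review bot: The `krb5_init_context` failure branch in kerb5_init still carries the `XXX - make these errors non-fatal for better fallback?` question, and this change makes the answer matter more: kerb5_init now runs once from the new init loop in verify_user, where an AUTH_FATAL return ends the process while an AUTH_FAILURE only drops kerb5 from the method table and lets the remaining configured methods authenticate. Whichever return value that branch uses (its body lies outside the hunk), the choice is a fail-closed-versus-fallback decision and should be stated next to it, e.g. `/* Fatal on purpose: a broken krb5 setup must not silently degrade to the other methods */` or the opposite. The condition `if (retval = krb5_init_context(&sudo_context))` would also read better as `if ((retval = krb5_init_context(&sudo_context)) != 0)`, which makes the intended assignment explicit. kerb5_init's body continues outside the hunk.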
@@ -58,7 +58,7 @@ static int sudo_conv __P((int, PAM_CONST struct pam_message **, static char *def_prompt; int -pam_setup(pw, promptp, data) +pam_init(pw, promptp, data) struct passwd *pw; char **promptp; void **data; @@ -66,9 +66,6 @@ pam_setup(pw, promptp, data) static struct pam_conv pam_conv; pam_handle_t *pamh; - if (*data) - return(AUTH_SUCCESS); /* Already initialized */ - /* Initial PAM setup */ pam_conv.conv = sudo_conv; if (pam_start("sudo", pw->pw_name, &pam_conv, &pamh) != PAM_SUCCESS) { diff --git a/auth/rfc1938.c b/auth/rfc1938.c index 8c71ca580..03e8b81b2 100644 --- a/auth/rfc1938.c +++ b/auth/rfc1938.c @@ -106,7 +106,7 @@ rfc1938_setup(pw, promptp, data) #endif /* OTP_ONLY */ } - /* Get space for new prompt with embedded S/Key challenge */ + /* Get space for new prompt with embedded challenge */ if (np_size < op_len + strlen(challenge) + 7) { np_size = op_len + strlen(challenge) + 7; new_prompt = (char *) erealloc(new_prompt, np_size); diff --git a/auth/secureware.c b/auth/secureware.c index 35d82e369..c414c1e58 100644 --- a/auth/secureware.c +++ b/auth/secureware.c @@ -58,7 +58,7 @@ static const char rcsid[] = "$Sudo$"; #endif /* lint */ int -secureware_setup(pw, promptp, data) +secureware_init(pw, promptp, data) struct passwd *pw; char **promptp; void **data; diff --git a/auth/securid.c b/auth/securid.c index 7400b9399..ba408b81d 100644 --- a/auth/securid.c +++ b/auth/securid.c @@ -60,6 +60,17 @@ static const char rcsid[] = "$Sudo$"; union config_record configure; +int +securid_init(pw, promptp, data) + struct passwd *pw; + char **promptp; + void **data; +{ + + creadcfg(); /* Only read config file once */ + return(AUTH_SUCCESS); +} + int securid_setup(pw, promptp, data) struct passwd *pw; 
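Review bot: securid_init returns AUTH_SUCCESS unconditionally after `creadcfg()`, so a missing or unreadable SecurID configuration is never reported from the init hook; if creadcfg exposes any failure indication (not visible in this hunk), it should map to AUTH_FATAL so verify_user stops instead of continuing into securid_setup. The function also ignores all three parameters and, per the AUTH_STANDALONE entry in sudo_auth.h with need_root set, is invoked as root, both of which are worth stating: `/* Runs once as root (need_root) before the prompt loop; pw/promptp/data are unused. */`. Note that the old `if (!*data) creadcfg();` guard depended on *data being NULL on the first call, whereas the new hook is called exactly once by the caller, so "Only read config file once" now describes the caller's contract rather than a local check.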
@@ -68,10 +79,7 @@ securid_setup(pw, promptp, data) { static SD_CLIENT sd_dat; /* SecurID data block */ - if (!*data) - creadcfg(); /* Only read config file once */ - - /* Initialize SecurID every time. */ + /* Re-initialize SecurID every time. */ *data = &sd_dat; if (sd_init(sd) == 0) return(AUTH_SUCCESS); diff --git a/auth/sudo_auth.c b/auth/sudo_auth.c index 3f854bac5..9e325ac7d 100644 --- a/auth/sudo_auth.c +++ b/auth/sudo_auth.c @@ -59,25 +59,25 @@ sudo_auth auth_switch[] = { AUTH_STANDALONE #else # ifndef WITHOUT_PASSWD - AUTH_ENTRY(0, "passwd", NULL, passwd_verify, NULL) + AUTH_ENTRY(0, "passwd", NULL, NULL, passwd_verify, NULL) # endif # if defined(HAVE_SECUREWARE) && !defined(WITHOUT_PASSWD) - AUTH_ENTRY(0, "secureware", secureware_setup, secureware_verify, NULL) + AUTH_ENTRY(0, "secureware", secureware_init, NULL, secureware_verify, NULL) # endif # ifdef HAVE_AFS - AUTH_ENTRY(1, "afs", NULL, afs_verify, NULL) + AUTH_ENTRY(1, "afs", NULL, NULL, afs_verify, NULL) # endif # ifdef HAVE_KERB4 - AUTH_ENTRY(1, "kerb4", kerb4_setup, kerb4_verify, NULL) + AUTH_ENTRY(1, "kerb4", kerb4_init, NULL, kerb4_verify, NULL) # endif # ifdef HAVE_KERB5 - AUTH_ENTRY(1, "kerb5", kerb5_setup, kerb5_verify, NULL) + AUTH_ENTRY(1, "kerb5", kerb5_init, NULL, kerb5_verify, NULL) # endif # if defined(HAVE_SKEY) || defined(HAVE_OPIE) - AUTH_ENTRY(1, "skey", rfc1938_setup, rfc1938_verify, NULL) + AUTH_ENTRY(1, "rfc1938", NULL, rfc1938_setup, rfc1938_verify, NULL) # endif #endif /* AUTH_STANDALONE */ - AUTH_ENTRY(0, NULL, NULL, NULL, NULL) + AUTH_ENTRY(0, NULL, NULL, NULL, NULL, NULL) }; int nil_pw; /* I hate resorting to globals like this... */ 
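Review bot: The non-standalone S/Key/OPIE entry in auth_switch changes its `name` from "skey" to "rfc1938", which is the string any caller of `auth->name` exposes; if that name reaches error or log output elsewhere in sudo_auth.c (not visible here), monitoring or log rules keyed on "skey" stop matching. The rename itself is sensible since the implementation lives in rfc1938.c and the OTP_ONLY standalone entry already uses "rfc1938", but it deserves a note in the commit message or a comment on the entry, e.g. `/* formerly "skey"; renamed to match rfc1938.c and the OTP_ONLY entry */`.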
@@ -90,6 +90,23 @@ verify_user() char *p; sudo_auth *auth; + /* Initialize auth methods and unconfigure the method if necessary. */ + for (auth = auth_switch; auth->name; auth++) { + if (auth->init && auth->configured) { + if (auth->need_root) + set_perms(PERM_ROOT, 0); + + status = (auth->init)(sudo_user.pw, &user_prompt, &auth->data); + if (status == AUTH_FAILURE) + auth->configured = 0; + else if (status == AUTH_FATAL) /* XXX log */ + exit(1); /* assume error msg already printed */ + + if (auth->need_root) + set_perms(PERM_USER, 0); + } + } + while (--counter) { /* Do any per-method setup and unconfigure the method if needed */ for (auth = auth_switch; auth->name; auth++) { diff --git a/auth/sudo_auth.h b/auth/sudo_auth.h index 42a7e4269..3c949d696 100644 --- a/auth/sudo_auth.h +++ b/auth/sudo_auth.h @@ -40,16 +40,17 @@ typedef struct sudo_auth { int status; /* status from verify routine */ char *name; void *data; /* method-specific data pointer */ + int (*init) __P((struct passwd *pw, char **prompt, void **data)); int (*setup) __P((struct passwd *pw, char **prompt, void **data)); int (*verify) __P((struct passwd *pw, char *p, void **data)); int (*cleanup) __P((struct passwd *pw, int status, void **data)); } sudo_auth; /* Prototypes for standalone methods */ -int fwtk_setup __P((struct passwd *pw, char **prompt, void **data)); +int fwtk_init __P((struct passwd *pw, char **prompt, void **data)); int fwtk_verify __P((struct passwd *pw, char *prompt, void **data)); int fwtk_cleanup __P((struct passwd *pw, int status, void **data)); -int pam_setup __P((struct passwd *pw, char **prompt, void **data)); +int pam_init __P((struct passwd *pw, char **prompt, void **data)); int pam_verify __P((struct passwd *pw, char *prompt, void **data)); int pam_cleanup __P((struct passwd *pw, int status, void **data)); int sia_setup __P((struct passwd *pw, char **prompt, void **data)); 
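Review bot: The `AUTH_FATAL` branch of the new init loop exits through `exit(1)` with only a `/* XXX log */` placeholder, so a broken backend (fwtk_init returns AUTH_FATAL when its config cannot be read) terminates sudo with no record beyond whatever the method itself printed to stderr; the exit should go through the logging path verify_user uses elsewhere (outside the hunk) so the failure is visible to operators, not just to the invoking user. The silent `auth->configured = 0` on AUTH_FAILURE also deserves a comment stating the fail-closed expectation, e.g. `/* A method that cannot initialize is dropped; if no method remains, the later check must refuse rather than fall through */`, since whether such a check exists is not visible in this hunk. `status` is assigned here but not declared in the visible context (`char *p; sudo_auth *auth;`), so it is presumably declared further up in verify_user, which begins outside the hunk and continues past it.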
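Review bot: The new `init` member of struct sudo_auth is undocumented, and its contract differs from `setup` in a way every method author must know: per verify_user in sudo_auth.c, `init` runs once before the password-prompt loop while `setup` runs on each iteration, and an AUTH_FAILURE from `init` permanently unconfigures the method whereas AUTH_FATAL exits the program. Suggest field comments: `int (*init) ...;  /* once per run, before the prompt loop; AUTH_FAILURE disables the method, AUTH_FATAL exits */` and `int (*setup) ...;  /* once per prompt attempt */`.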
@@ -60,41 +61,44 @@ int dce_verify __P((struct passwd *pw, char *pass, void **data)); /* Prototypes for normal methods */ int passwd_verify __P((struct passwd *pw, char *pass, void **data)); -int secureware_setup __P((struct passwd *pw, char **prompt, void **data)); +int secureware_init __P((struct passwd *pw, char **prompt, void **data)); int secureware_verify __P((struct passwd *pw, char *pass, void **data)); int rfc1938_setup __P((struct passwd *pw, char **prompt, void **data)); int rfc1938_verify __P((struct passwd *pw, char *pass, void **data)); int afs_verify __P((struct passwd *pw, char *pass, void **data)); -int kerb4_setup __P((struct passwd *pw, char **prompt, void **data)); +int kerb4_init __P((struct passwd *pw, char **prompt, void **data)); int kerb4_verify __P((struct passwd *pw, char *pass, void **data)); -int kerb5_setup __P((struct passwd *pw, char **prompt, void **data)); +int kerb5_init __P((struct passwd *pw, char **prompt, void **data)); int kerb5_verify __P((struct passwd *pw, char *pass, void **data)); +int securid_init __P((struct passwd *pw, char **prompt, void **data)); +int securid_setup __P((struct passwd *pw, char **prompt, void **data)); +int securid_verify __P((struct passwd *pw, char *pass, void **data)); -/* Fields: need_root, name, setup, verify, cleanup */ -#define AUTH_ENTRY(r, n, s, v, c) { r, 1, AUTH_FAILURE, n, NULL, s, v, c }, +/* Fields: need_root, name, init, setup, verify, cleanup */ +#define AUTH_ENTRY(r, n, i, s, v, c) { r, 1, AUTH_FAILURE, n, NULL, i, s, v, c }, /* Some methods cannots (or should not) interoperate with any others */ #if defined(HAVE_PAM) # define AUTH_STANDALONE \ - AUTH_ENTRY(1, "pam", pam_setup, pam_verify, pam_cleanup) + AUTH_ENTRY(1, "pam", pam_init, NULL, pam_verify, pam_cleanup) #elif defined(HAVE_SECURID) # define AUTH_STANDALONE \ - AUTH_ENTRY(1, "SecurId", securid_setup, securid_verify, NULL) + AUTH_ENTRY(1, "SecurId", securid_init, securid_setup, securid_verify, NULL) #elif defined(HAVE_SIA) # 
define AUTH_STANDALONE \ - AUTH_ENTRY(1, "sia", sia_setup, sia_verify, sia_cleanup) + AUTH_ENTRY(1, "sia", NULL, sia_setup, sia_verify, sia_cleanup) #elif defined(HAVE_DCE) # define AUTH_STANDALONE \ - AUTH_ENTRY(1, "dce", NULL, dce_verify, NULL) + AUTH_ENTRY(1, "dce", NULL, NULL, dce_verify, NULL) #elif defined(HAVE_AUTHENTICATE) # define AUTH_STANDALONE \ - AUTH_ENTRY(1, "aixauth", NULL, aixauth_verify, NULL) + AUTH_ENTRY(1, "aixauth", NULL, NULL, aixauth_verify, NULL) #elif defined(HAVE_FWTK) # define AUTH_STANDALONE \ - AUTH_ENTRY(1, "fwtk", fwtk_setup, fwtk_verify, fwtk_cleanup) + AUTH_ENTRY(1, "fwtk", fwtk_init, NULL, fwtk_verify, fwtk_cleanup) #elif defined(OTP_ONLY) && (defined(HAVE_SKEY) || defined(HAVE_OPIE)) # define AUTH_STANDALONE \ - AUTH_ENTRY(1, "rfc1938", rfc1938_setup, rfc1938_verify, NULL) + AUTH_ENTRY(1, "rfc1938", NULL, rfc1938_setup, rfc1938_verify, NULL) # define AUTH_STANDALONE_GETPASS #endif