diff --git a/plugins/sudoers/auth/API b/plugins/sudoers/auth/API index 4c2bb7d05..bcf1ed44f 100644 --- a/plugins/sudoers/auth/API +++ b/plugins/sudoers/auth/API @@ -57,11 +57,11 @@ The member functions can return the following values: ``setup'' routine, the auth method will be marked as !configured. - AUTH_FATAL A fatal error occurred. The routine should have + AUTH_ERROR A fatal error occurred. The routine should have written an error message to stderr and optionally - sent mail to the administrator. - When verify_user() gets AUTH_FATAL from an auth - function it does an exit(1). + sent mail to the administrator. When verify_user() + receives AUTH_ERROR from an auth function it stops + authenticating and returns an error. AUTH_NONINTERACTIVE Function failed because user interaction was required but sudo was run in non-interactive diff --git a/plugins/sudoers/auth/aix_auth.c b/plugins/sudoers/auth/aix_auth.c index b929ef68a..f0b7abaff 100644 --- a/plugins/sudoers/auth/aix_auth.c +++ b/plugins/sudoers/auth/aix_auth.c @@ -280,17 +280,17 @@ sudo_aix_verify(const struct sudoers_context *ctx, struct passwd *pw, /* password expired, user must change it */ if (!sudo_aix_change_password(ctx, pw->pw_name)) { sudo_warnx(U_("unable to change password for %s"), pw->pw_name); - ret = AUTH_FATAL; + ret = AUTH_ERROR; } break; case 2: /* password expired, only admin can change it */ - ret = AUTH_FATAL; + ret = AUTH_ERROR; break; default: /* error (-1) */ sudo_warn("passwdexpired"); - ret = AUTH_FATAL; + ret = AUTH_ERROR; break; } } diff --git a/plugins/sudoers/auth/bsdauth.c b/plugins/sudoers/auth/bsdauth.c index de254c49e..b79367638 100644 --- a/plugins/sudoers/auth/bsdauth.c +++ b/plugins/sudoers/auth/bsdauth.c @@ -103,7 +103,7 @@ bsdauth_init(const struct sudoers_context *ctx, struct passwd *pw, bad: auth_close(state.as); login_close(state.lc); - debug_return_int(AUTH_FATAL); + debug_return_int(AUTH_ERROR); } int 
@@ -152,7 +152,7 @@ bsdauth_verify(const struct sudoers_context *ctx, struct passwd *pw, len--; if (asprintf(&s, "%.*s [echo on]: ", (int)len, prompt) == -1) { log_warningx(ctx, 0, N_("unable to allocate memory")); - debug_return_int(AUTH_FATAL); + debug_return_int(AUTH_ERROR); } free(pass); pass = auth_getpass(s, SUDO_CONV_PROMPT_ECHO_ON, callback); diff --git a/plugins/sudoers/auth/fwtk.c b/plugins/sudoers/auth/fwtk.c index a17aa3843..126684bd6 100644 --- a/plugins/sudoers/auth/fwtk.c +++ b/plugins/sudoers/auth/fwtk.c @@ -60,22 +60,22 @@ sudo_fwtk_init(const struct sudoers_context *ctx, struct passwd *pw, if ((confp = cfg_read("sudo")) == (Cfg *)-1) { sudo_warnx("%s", U_("unable to read fwtk config")); - debug_return_int(AUTH_FATAL); + debug_return_int(AUTH_ERROR); } if (auth_open(confp)) { sudo_warnx("%s", U_("unable to connect to authentication server")); - debug_return_int(AUTH_FATAL); + debug_return_int(AUTH_ERROR); } /* Get welcome message from auth server */ if (auth_recv(resp, sizeof(resp))) { sudo_warnx("%s", U_("lost connection to authentication server")); - debug_return_int(AUTH_FATAL); + debug_return_int(AUTH_ERROR); } if (strncmp(resp, "Authsrv ready", 13) != 0) { sudo_warnx(U_("authentication server error:\n%s"), resp); - debug_return_int(AUTH_FATAL); + debug_return_int(AUTH_ERROR); } auth->data = (void *) confp; @@ -97,7 +97,7 @@ sudo_fwtk_verify(const struct sudoers_context *ctx, struct passwd *pw, restart: if (auth_send(buf) || auth_recv(resp, sizeof(resp))) { sudo_warnx("%s", U_("lost connection to authentication server")); - debug_return_int(AUTH_FATAL); + debug_return_int(AUTH_ERROR); } /* Get the password/response from the user. */ @@ -119,7 +119,7 @@ restart: goto restart; } else { sudo_warnx("%s", resp); - debug_return_int(AUTH_FATAL); + debug_return_int(AUTH_ERROR); } if (pass == NULL) { /* ^C or error */ debug_return_int(AUTH_FAILURE); 
@@ -129,7 +129,7 @@ restart: (void) snprintf(buf, sizeof(buf), "response '%s'", pass); if (auth_send(buf) || auth_recv(resp, sizeof(resp))) { sudo_warnx("%s", U_("lost connection to authentication server")); - error = AUTH_FATAL; + error = AUTH_ERROR; goto done; } diff --git a/plugins/sudoers/auth/kerb5.c b/plugins/sudoers/auth/kerb5.c index 47c7eb93c..b51c03bd1 100644 --- a/plugins/sudoers/auth/kerb5.c +++ b/plugins/sudoers/auth/kerb5.c @@ -121,7 +121,7 @@ sudo_krb5_setup(const struct sudoers_context *ctx, struct passwd *pw, if (asprintf(&krb5_prompt, "Password for %s: ", pname) == -1) { log_warningx(ctx, 0, N_("unable to allocate memory")); free(pname); - debug_return_int(AUTH_FATAL); + debug_return_int(AUTH_ERROR); } free(pname); } @@ -148,7 +148,7 @@ sudo_krb5_init(const struct sudoers_context *ctx, struct passwd *pw, sudo_krb5_instance[0] != '/' ? "/" : "", sudo_krb5_instance); if (len == -1) { log_warningx(ctx, 0, N_("unable to allocate memory")); - debug_return_int(AUTH_FATAL); + debug_return_int(AUTH_ERROR); } } diff --git a/plugins/sudoers/auth/pam.c b/plugins/sudoers/auth/pam.c index c80da610b..c38ee3ea7 100644 --- a/plugins/sudoers/auth/pam.c +++ b/plugins/sudoers/auth/pam.c @@ -231,7 +231,7 @@ sudo_pam_init2(const struct sudoers_context *ctx, struct passwd *pw, &pam_conv, &pamh, errstr); if (!quiet) log_warningx(ctx, 0, N_("unable to initialize PAM: %s"), errstr); - debug_return_int(AUTH_FATAL); + debug_return_int(AUTH_ERROR); } /* Initialize conversation function message filter. */ @@ -347,7 +347,7 @@ sudo_pam_verify(const struct sudoers_context *ctx, struct passwd *pw, default: s = sudo_pam_strerror(pamh, *pam_status); log_warningx(ctx, 0, N_("PAM authentication error: %s"), s); - debug_return_int(AUTH_FATAL); + debug_return_int(AUTH_ERROR); } } 
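Review bot: In plugins/sudoers/auth/fwtk.c, the hunk at line 129 (after the `restart:` label, presumably still sudo_fwtk_verify) keeps `(void) snprintf(buf, sizeof(buf), "response '%s'", pass);`, which discards the return value, so a response longer than buf is silently truncated and the cut-off command is still sent to the authentication server. Checking the length before auth_send() would fail cleanly instead, for example `n = snprintf(buf, sizeof(buf), "response '%s'", pass);` followed by `if (n < 0 || (size_t)n >= sizeof(buf)) { error = AUTH_FAILURE; goto done; }`, with an `int n` declared among the locals. The user-typed value is also placed between single quotes without escaping; how the server parses a quote inside the response is not visible here and is worth confirming. The function body starts and ends outside the hunk.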
@@ -368,7 +368,7 @@ sudo_pam_approval(const struct sudoers_context *ctx, struct passwd *pw, case PAM_AUTH_ERR: log_warningx(ctx, 0, N_("account validation failure, " "is your account locked?")); - status = AUTH_FATAL; + status = AUTH_ERROR; break; case PAM_NEW_AUTHTOK_REQD: /* Ignore if user is exempt from password restrictions. */ @@ -396,13 +396,13 @@ sudo_pam_approval(const struct sudoers_context *ctx, struct passwd *pw, /* Password expired, cannot be updated by user. */ log_warningx(ctx, 0, N_("Password expired, contact your system administrator")); - status = AUTH_FATAL; + status = AUTH_ERROR; break; case PAM_ACCT_EXPIRED: log_warningx(ctx, 0, N_("Account expired or PAM config lacks an \"account\" " "section for sudo, contact your system administrator")); - status = AUTH_FATAL; + status = AUTH_ERROR; break; case PAM_AUTHINFO_UNAVAIL: case PAM_MAXTRIES: @@ -414,7 +414,7 @@ sudo_pam_approval(const struct sudoers_context *ctx, struct passwd *pw, default: s = sudo_pam_strerror(pamh, rc); log_warningx(ctx, 0, N_("PAM account management error: %s"), s); - status = AUTH_FATAL; + status = AUTH_ERROR; break; } *pam_status = rc; @@ -523,7 +523,7 @@ sudo_pam_begin_session(const struct sudoers_context *ctx, struct passwd *pw, "pam_end: %s", errstr); } pamh = NULL; - status = AUTH_FATAL; + status = AUTH_ERROR; goto done; } } @@ -539,7 +539,7 @@ sudo_pam_begin_session(const struct sudoers_context *ctx, struct passwd *pw, if (pam_envp != NULL) { /* Merge pam env with user env. */ if (!env_init(*user_envp) || !env_merge(ctx, pam_envp)) - status = AUTH_FATAL; + status = AUTH_ERROR; *user_envp = env_get(); free(pam_envp); /* XXX - we leak any duplicates that were in pam_envp */ @@ -580,7 +580,7 @@ sudo_pam_end_session(sudo_auth *auth) errstr = sudo_pam_strerror(pamh, rc); sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, "pam_end: %s", errstr); - status = AUTH_FATAL; + status = AUTH_ERROR; } pamh = NULL; } 
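Review bot: In plugins/sudoers/auth/pam.c, the hunk at line 539 (sudo_pam_begin_session) has an unbraced `if (!env_init(*user_envp) || !env_merge(ctx, pam_envp))` that covers only `status = AUTH_ERROR;`, so `*user_envp = env_get();` and `free(pam_envp);` also run on the failure path. That may be intentional, but it is easy to misread, and after a failed merge the environment handed back is whatever state env_init()/env_merge() left behind. I would brace the branch and add a comment along the lines of `/* assigned on failure too; on AUTH_ERROR the merged env may be incomplete */`, after confirming that callers discard `*user_envp` when AUTH_ERROR comes back. The function continues outside the hunk.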
diff --git a/plugins/sudoers/auth/passwd.c b/plugins/sudoers/auth/passwd.c index f197559c7..17c96d4a0 100644 --- a/plugins/sudoers/auth/passwd.c +++ b/plugins/sudoers/auth/passwd.c @@ -57,7 +57,7 @@ sudo_passwd_init(const struct sudoers_context *ctx, struct passwd *pw, sudo_setspent(); auth->data = sudo_getepw(pw); sudo_endspent(); - debug_return_int(auth->data ? AUTH_SUCCESS : AUTH_FATAL); + debug_return_int(auth->data ? AUTH_SUCCESS : AUTH_ERROR); } #ifdef HAVE_CRYPT diff --git a/plugins/sudoers/auth/rfc1938.c b/plugins/sudoers/auth/rfc1938.c index 9215a8986..15219a775 100644 --- a/plugins/sudoers/auth/rfc1938.c +++ b/plugins/sudoers/auth/rfc1938.c @@ -98,7 +98,7 @@ sudo_rfc1938_setup(const struct sudoers_context *ctx, struct passwd *pw, if (rfc1938challenge(&rfc1938, pw->pw_name, challenge, sizeof(challenge))) { if (IS_ONEANDONLY(auth)) { sudo_warnx(U_("you do not exist in the %s database"), auth->name); - debug_return_int(AUTH_FATAL); + debug_return_int(AUTH_ERROR); } else { debug_return_int(AUTH_FAILURE); } @@ -110,7 +110,7 @@ sudo_rfc1938_setup(const struct sudoers_context *ctx, struct passwd *pw, char *p = realloc(new_prompt, op_len + challenge_len + 7); if (p == NULL) { sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory")); - debug_return_int(AUTH_FATAL); + debug_return_int(AUTH_ERROR); } np_size = op_len + challenge_len + 7; new_prompt = p; diff --git a/plugins/sudoers/auth/secureware.c b/plugins/sudoers/auth/secureware.c index 3d84e1efa..88aedd9bc 100644 --- a/plugins/sudoers/auth/secureware.c +++ b/plugins/sudoers/auth/secureware.c @@ -68,7 +68,7 @@ sudo_secureware_init(const struct sudoers_context *ctx, struct passwd *pw, sudo_setspent(); auth->data = sudo_getepw(pw); sudo_endspent(); - debug_return_int(auth->data ? AUTH_SUCCESS : AUTH_FATAL); + debug_return_int(auth->data ? AUTH_SUCCESS : AUTH_ERROR); } int diff --git a/plugins/sudoers/auth/securid5.c b/plugins/sudoers/auth/securid5.c index 971f69dd6..38e5ffe0b 100644 
--- a/plugins/sudoers/auth/securid5.c +++ b/plugins/sudoers/auth/securid5.c @@ -74,7 +74,7 @@ sudo_securid_init(const struct sudoers_context *ctx, struct passwd *pw, /* Start communications */ if (AceInitialize() == SD_FALSE) { sudo_warnx("%s", U_("failed to initialise the ACE API library")); - debug_return_int(AUTH_FATAL); + debug_return_int(AUTH_ERROR); } auth->data = (void *) &sd_dat; /* For method-specific data */ @@ -106,7 +106,7 @@ sudo_securid_setup(const struct sudoers_context *ctx, struct passwd *pw, /* Re-initialize SecurID every time. */ if (SD_Init(sd) != ACM_OK) { sudo_warnx("%s", U_("unable to contact the SecurID server")); - debug_return_int(AUTH_FATAL); + debug_return_int(AUTH_ERROR); } /* Lock new PIN code */ @@ -119,19 +119,19 @@ sudo_securid_setup(const struct sudoers_context *ctx, struct passwd *pw, case ACE_UNDEFINED_USERNAME: sudo_warnx("%s", U_("invalid username length for SecurID")); - debug_return_int(AUTH_FATAL); + debug_return_int(AUTH_ERROR); case ACE_ERR_INVALID_HANDLE: sudo_warnx("%s", U_("invalid Authentication Handle for SecurID")); - debug_return_int(AUTH_FATAL); + debug_return_int(AUTH_ERROR); case ACM_ACCESS_DENIED: sudo_warnx("%s", U_("SecurID communication failed")); - debug_return_int(AUTH_FATAL); + debug_return_int(AUTH_ERROR); default: sudo_warnx("%s", U_("unknown SecurID error")); - debug_return_int(AUTH_FATAL); + debug_return_int(AUTH_ERROR); } } @@ -167,17 +167,17 @@ sudo_securid_verify(const struct sudoers_context *ctx, struct passwd *pw, case ACE_UNDEFINED_PASSCODE: sudo_warnx("%s", U_("invalid passcode length for SecurID")); - ret = AUTH_FATAL; + ret = AUTH_ERROR; break; case ACE_UNDEFINED_USERNAME: sudo_warnx("%s", U_("invalid username length for SecurID")); - ret = AUTH_FATAL; + ret = AUTH_ERROR; break; case ACE_ERR_INVALID_HANDLE: sudo_warnx("%s", U_("invalid Authentication Handle for SecurID")); - ret = AUTH_FATAL; + ret = AUTH_ERROR; break; case ACM_ACCESS_DENIED: 
@@ -215,12 +215,12 @@ then enter the new token code.\n", \ "Your SecurID access has not yet been set up.\n"); sudo_printf(SUDO_CONV_ERROR_MSG|SUDO_CONV_PREFER_TTY, "Please set up a PIN before you try to authenticate.\n"); - ret = AUTH_FATAL; + ret = AUTH_ERROR; break; default: sudo_warnx("%s", U_("unknown SecurID error")); - ret = AUTH_FATAL; + ret = AUTH_ERROR; break; } diff --git a/plugins/sudoers/auth/sia.c b/plugins/sudoers/auth/sia.c index 2188b8ed1..4347c0e7b 100644 --- a/plugins/sudoers/auth/sia.c +++ b/plugins/sudoers/auth/sia.c @@ -59,7 +59,7 @@ sudo_sia_setup(const struct sudoers_context *ctx, struct passwd *pw, sudo_argv = reallocarray(NULL, sudo_argc + 1, sizeof(char *)); if (sudo_argv == NULL) { log_warningx(ctx, 0, N_("unable to allocate memory")); - debug_return_int(AUTH_FATAL); + debug_return_int(AUTH_ERROR); } sudo_argv[0] = "sudo"; for (i = 0; i < ctx->runas.argc; i++) @@ -70,7 +70,7 @@ sudo_sia_setup(const struct sudoers_context *ctx, struct passwd *pw, sudo_tty = ctx->user.ttypath; if (sia_ses_init(&siah, sudo_argc, sudo_argv, NULL, pw->pw_name, sudo_tty, 0, NULL) != SIASUCCESS) { log_warning(ctx, 0, N_("unable to initialize SIA session")); - debug_return_int(AUTH_FATAL); + debug_return_int(AUTH_ERROR); } auth->data = siah; @@ -101,7 +101,7 @@ sudo_sia_verify(const struct sudoers_context *ctx, struct passwd *pw, if (rc == SIASUCCESS) debug_return_int(AUTH_SUCCESS); if (ISSET(rc, SIASTOP)) - debug_return_int(AUTH_FATAL); + debug_return_int(AUTH_ERROR); debug_return_int(AUTH_FAILURE); } @@ -122,7 +122,7 @@ int sudo_sia_begin_session(struct passwd *pw, char **user_envp[], sudo_auth *auth) { SIAENTITY *siah; - int status = AUTH_FATAL; + int status = AUTH_ERROR; debug_decl(sudo_sia_begin_session, SUDOERS_DEBUG_AUTH); /* Re-init sia for the target user's session. */ diff --git a/plugins/sudoers/auth/sudo_auth.c b/plugins/sudoers/auth/sudo_auth.c index d5135ecf6..3aa288123 100644 --- a/plugins/sudoers/auth/sudo_auth.c 
+++ b/plugins/sudoers/auth/sudo_auth.c @@ -118,7 +118,7 @@ sudo_auth_init(const struct sudoers_context *ctx, struct passwd *pw, status = (auth->init)(ctx, pw, auth); if (status == AUTH_FAILURE) SET(auth->flags, FLAG_DISABLED); - else if (status == AUTH_FATAL) + else if (status == AUTH_ERROR) break; /* assume error msg already printed */ } } @@ -166,7 +166,7 @@ sudo_auth_init(const struct sudoers_context *ctx, struct passwd *pw, } } - debug_return_int(status == AUTH_FATAL ? -1 : 0); + debug_return_int(status == AUTH_ERROR ? -1 : 0); } /* @@ -209,7 +209,7 @@ sudo_auth_cleanup(const struct sudoers_context *ctx, struct passwd *pw, for (auth = auth_switch; auth->name; auth++) { if (auth->cleanup && !IS_DISABLED(auth)) { int status = (auth->cleanup)(ctx, pw, auth, force); - if (status == AUTH_FATAL) { + if (status == AUTH_ERROR) { /* Assume error msg already printed. */ debug_return_int(-1); } @@ -306,7 +306,7 @@ verify_user(const struct sudoers_context *ctx, struct passwd *pw, char *prompt, SET(auth->flags, FLAG_DISABLED); else if (status == AUTH_NONINTERACTIVE) goto done; - else if (status == AUTH_FATAL || user_interrupted()) + else if (status == AUTH_ERROR || user_interrupted()) goto done; /* assume error msg already printed */ } } @@ -364,7 +364,7 @@ done: case AUTH_NONINTERACTIVE: SET(validated, FLAG_NO_USER_INPUT); FALLTHROUGH; - case AUTH_FATAL: + case AUTH_ERROR: default: log_auth_failure(ctx, validated, 0); ret = -1; @@ -427,7 +427,7 @@ sudo_auth_end_session(void) for (auth = auth_switch; auth->name; auth++) { if (auth->end_session && !IS_DISABLED(auth)) { status = (auth->end_session)(auth); - if (status == AUTH_FATAL) { + if (status == AUTH_ERROR) { /* Assume error msg already printed. */ debug_return_int(-1); } diff --git a/plugins/sudoers/auth/sudo_auth.h b/plugins/sudoers/auth/sudo_auth.h index 50f30220b..172c6df62 100644 --- a/plugins/sudoers/auth/sudo_auth.h +++ b/plugins/sudoers/auth/sudo_auth.h 
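Review bot: In plugins/sudoers/auth/sudo_auth.c, sudo_auth_cleanup (hunk at line 209) returns -1 from inside the loop on the first AUTH_ERROR, so the cleanup functions of the remaining enabled methods are never called; sudo_auth_end_session (hunk at line 427) has the same shape for `end_session`. The API text changed in this commit describes verify_user() as returning an error on AUTH_ERROR rather than calling exit(1), so the process may keep running with whatever state the skipped methods still hold. Consider recording the failure and finishing the loop, e.g. `if (status == AUTH_ERROR) ret = -1;` inside the loop and `debug_return_int(ret);` after it, with a local such as `ret` initialised to 0. Both function bodies extend beyond the hunks, so check that nothing after the loop relies on the early return.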
@@ -22,7 +22,7 @@ /* Auth function return values. */ #define AUTH_SUCCESS 0 #define AUTH_FAILURE 1 -#define AUTH_FATAL 2 +#define AUTH_ERROR 2 #define AUTH_NONINTERACTIVE 3 typedef struct sudo_auth {
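Review bot: The comment `/* Auth function return values. */` above these defines in sudo_auth.h does not say what separates AUTH_ERROR from AUTH_FAILURE, and the new name no longer signals that authentication must stop. The sudo_auth.c hunks in this commit show AUTH_ERROR ending the method loop and verify_user() returning -1, so a per-value comment such as `#define AUTH_ERROR 2 /* method could not complete; stop authenticating and deny */` would tell authors of auth methods which code to return. The numeric value 2 is unchanged, so only the documentation is affected.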