#include <config.h>
#include <sys/types.h>
#include <stdio.h>
#include <stdlib.h>
#ifdef HAVE_STRING_H
# include <string.h>
#endif
#ifdef HAVE_STRINGS_H
# include <strings.h>
#endif
#include <unistd.h>
#include <time.h>
#include <errno.h>
#include <fcntl.h>
#include <pwd.h>
#include <grp.h>
#include "sudoers.h"
#include "check.h"
static bool display_lecture(int);
static struct passwd *get_authpw(int);
struct getpass_closure {
void *cookie;
struct passwd *auth_pw;
};
static int
getpass_suspend(int signo, void *vclosure)
{
struct getpass_closure *closure = vclosure;
timestamp_close(closure->cookie);
closure->cookie = NULL;
return 0;
}
static int
getpass_resume(int signo, void *vclosure)
{
struct getpass_closure *closure = vclosure;
closure->cookie = timestamp_open(user_name, user_sid);
if (closure->cookie == NULL)
return -1;
if (!timestamp_lock(closure->cookie, closure->auth_pw))
return -1;
return 0;
}
static int
check_user_interactive(int validated, int mode, struct passwd *auth_pw)
{
struct sudo_conv_callback cb, *callback = NULL;
struct getpass_closure closure;
int status = TS_ERROR;
int ret = -1;
char *prompt;
bool lectured;
debug_decl(check_user_interactive, SUDOERS_DEBUG_AUTH)
closure.auth_pw = auth_pw;
closure.cookie = NULL;
sudo_pw_addref(closure.auth_pw);
if (!ISSET(mode, MODE_IGNORE_TICKET)) {
closure.cookie = timestamp_open(user_name, user_sid);
if (timestamp_lock(closure.cookie, closure.auth_pw))
status = timestamp_status(closure.cookie, closure.auth_pw);
memset(&cb, 0, sizeof(cb));
cb.version = SUDO_CONV_CALLBACK_VERSION;
cb.closure = &closure;
cb.on_suspend = getpass_suspend;
cb.on_resume = getpass_resume;
callback = &cb;
}
switch (status) {
case TS_FATAL:
goto done;
case TS_CURRENT:
if (!ISSET(validated, FLAG_CHECK_USER)) {
ret = true;
break;
}
sudo_debug_printf(SUDO_DEBUG_INFO,
"%s: check user flag overrides time stamp", __func__);
default:
if (ISSET(mode, MODE_NONINTERACTIVE)) {
validated |= FLAG_NON_INTERACTIVE;
log_auth_failure(validated, 0);
goto done;
}
lectured = display_lecture(status);
prompt = expand_prompt(user_prompt ? user_prompt : def_passprompt,
closure.auth_pw->pw_name);
if (prompt == NULL)
goto done;
ret = verify_user(closure.auth_pw, prompt, validated, callback);
if (ret == true && lectured)
(void)set_lectured();
free(prompt);
break;
}
if (ret == true && ISSET(validated, VALIDATE_SUCCESS) && status != TS_ERROR)
(void)timestamp_update(closure.cookie, closure.auth_pw);
done:
if (closure.cookie != NULL)
timestamp_close(closure.cookie);
sudo_pw_delref(closure.auth_pw);
debug_return_int(ret);
}
int
check_user(int validated, int mode)
{
struct passwd *auth_pw;
int ret = -1;
bool exempt = false;
debug_decl(check_user, SUDOERS_DEBUG_AUTH)
if ((auth_pw = get_authpw(mode)) == NULL)
goto done;
if (sudo_auth_init(auth_pw) == -1)
goto done;
if (!def_authenticate || user_is_exempt()) {
sudo_debug_printf(SUDO_DEBUG_INFO, "%s: %s", __func__,
!def_authenticate ? "authentication disabled" :
"user exempt from authentication");
exempt = true;
ret = true;
goto done;
}
if (user_uid == 0 || (user_uid == runas_pw->pw_uid &&
(!runas_gr || user_in_group(sudo_user.pw, runas_gr->gr_name)))) {
#ifdef HAVE_SELINUX
if (user_role == NULL && user_type == NULL)
#endif
#ifdef HAVE_PRIV_SET
if (runas_privs == NULL && runas_limitprivs == NULL)
#endif
{
sudo_debug_printf(SUDO_DEBUG_INFO,
"%s: user running command as self", __func__);
ret = true;
goto done;
}
}
ret = check_user_interactive(validated, mode, auth_pw);
done:
if (ret == true) {
ret = sudo_auth_approval(auth_pw, validated, exempt);
}
sudo_auth_cleanup(auth_pw);
sudo_pw_delref(auth_pw);
debug_return_int(ret);
}
static bool
display_lecture(int status)
{
FILE *fp;
char buf[BUFSIZ];
ssize_t nread;
struct sudo_conv_message msg;
struct sudo_conv_reply repl;
debug_decl(lecture, SUDOERS_DEBUG_AUTH)
if (def_lecture == never ||
(def_lecture == once && already_lectured(status)))
debug_return_bool(false);
memset(&msg, 0, sizeof(msg));
memset(&repl, 0, sizeof(repl));
if (def_lecture_file && (fp = fopen(def_lecture_file, "r")) != NULL) {
while ((nread = fread(buf, sizeof(char), sizeof(buf) - 1, fp)) != 0) {
buf[nread] = '\0';
msg.msg_type = SUDO_CONV_ERROR_MSG|SUDO_CONV_PREFER_TTY;
msg.msg = buf;
sudo_conv(1, &msg, &repl, NULL);
}
fclose(fp);
} else {
msg.msg_type = SUDO_CONV_ERROR_MSG|SUDO_CONV_PREFER_TTY;
msg.msg = _("\n"
"We trust you have received the usual lecture from the local System\n"
"Administrator. It usually boils down to these three things:\n\n"
" #1) Respect the privacy of others.\n"
" #2) Think before you type.\n"
" #3) With great power comes great responsibility.\n\n");
sudo_conv(1, &msg, &repl, NULL);
}
debug_return_bool(true);
}
bool
user_is_exempt(void)
{
bool ret = false;
debug_decl(user_is_exempt, SUDOERS_DEBUG_AUTH)
if (def_exempt_group)
ret = user_in_group(sudo_user.pw, def_exempt_group);
debug_return_bool(ret);
}
static struct passwd *
get_authpw(int mode)
{
struct passwd *pw = NULL;
debug_decl(get_authpw, SUDOERS_DEBUG_AUTH)
if (ISSET(mode, (MODE_CHECK|MODE_LIST))) {
sudo_pw_addref(sudo_user.pw);
pw = sudo_user.pw;
} else {
if (def_rootpw) {
if ((pw = sudo_getpwuid(ROOT_UID)) == NULL) {
log_warningx(SLOG_SEND_MAIL, N_("unknown uid: %u"), ROOT_UID);
}
} else if (def_runaspw) {
if ((pw = sudo_getpwnam(def_runas_default)) == NULL) {
log_warningx(SLOG_SEND_MAIL,
N_("unknown user: %s"), def_runas_default);
}
} else if (def_targetpw) {
if (runas_pw->pw_name == NULL) {
log_warningx(SLOG_RAW_MSG, N_("unknown uid: %u"),
(unsigned int) runas_pw->pw_uid);
} else {
sudo_pw_addref(runas_pw);
pw = runas_pw;
}
} else {
sudo_pw_addref(sudo_user.pw);
pw = sudo_user.pw;
}
}
debug_return_ptr(pw);
}