mir/sudo
2
0
Fork 0
mirror of https://github.com/sudo-project/sudo.git synced 2025-08-22 18:08:23 +00:00
Code Issues Releases Wiki Activity
sudo/plugins/sudoers/auth/sudo_auth.c

527 lines
14 KiB
C
Raw Normal View History

New authentication API and methods
1999-07-11 00:32:11 +00:00
/*
Add SPDX-License-Identifier to files.
2019-04-29 07:21:51 -06:00
* SPDX-License-Identifier: ISC
*
Add a force flag to sudo_auth_cleanup() to force immediate cleanup. This is used for PAM authentication to make sure pam_end() is called via sudo_auth_cleanup() when the user authenticates successfully but sudoers denies the command. Debian bug #669687
2020-04-01 14:41:38 -06:00
* Copyright (c) 1999-2005, 2008-2020 Todd C. Miller <Todd.Miller@sudo.ws>
New authentication API and methods
1999-07-11 00:32:11 +00:00
*
More to a less restrictive, ISC-style license.
2004-02-13 21:36:49 +00:00
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
add 4th term to license similar to term 5 in the apache license
1999-07-31 16:19:50 +00:00
*
More to a less restrictive, ISC-style license.
2004-02-13 21:36:49 +00:00
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
add DARPA credit on affected files
2003-04-16 00:42:10 +00:00
*
* Sponsored in part by the Defense Advanced Research Projects
* Agency (DARPA) and Air Force Research Laboratory, Air Force
* Materiel Command, USAF, under agreement number F39502-99-1-0512.
New authentication API and methods
1999-07-11 00:32:11 +00:00
*/
Convert PVS-Studio comment to ANSI C.
2018-10-26 08:39:09 -06:00
/*
* This is an open source non-commercial project. Dear PVS-Studio, please check it.
* PVS-Studio Static Code Analyzer for C, C++ and C#: http://www.viva64.com
*/
Add comments in .c files so PVS-Studio will check them.
2018-10-21 08:46:05 -06:00
Use: #include <config.h> Not: #include "config.h" That way we get the correct config.h when build dir != src dir
2004-11-19 18:39:14 +00:00
#include <config.h>
New authentication API and methods
1999-07-11 00:32:11 +00:00
Be carefule now that tgetpass() can return NULL (user hit ^C). PAM version needs testing. Set SIGTSTP to SIG_DFL during password entry so user can suspend us.
2001-12-09 05:17:00 +00:00
#include <sys/types.h>
New authentication API and methods
1999-07-11 00:32:11 +00:00
#include <stdio.h>
We require ANSI C so stop using the obsolete STDC_HEADERS.
2015-06-19 14:29:27 -06:00
#include <stdlib.h>
Use arc4random for mkstemp() and insults.
2018-05-24 21:04:23 -06:00
#if defined(HAVE_STDINT_H)
# include <stdint.h>
#elif defined(HAVE_INTTYPES_H)
# include <inttypes.h>
#endif
Include string.h unconditionally and only use strings.h for strn?casecmp() In the pre-POSIX days BSD had strings.h, not string.h. Now strings.h is only used for non-ANSI string functions.
2020-05-18 07:59:24 -06:00
#include <string.h>
There's no need to conditionalize the #include <unistd.h>, we require a POSIX system.
2015-07-02 09:08:28 -06:00
#include <unistd.h>
New authentication API and methods
1999-07-11 00:32:11 +00:00
#include <pwd.h>
o Digital UNIX needs to check for *snprintf() before -ldb is added to LIBS since -ldb includes a bogus snprintf(). o Add forward refs for struct mbuf and struct rtentry for Digital UNIX. o Reorder some functions in snprintf.c to fix -Wall o Add missing includes to fix more -Wall
1999-08-12 16:24:10 +00:00
#include <time.h>
Be carefule now that tgetpass() can return NULL (user hit ^C). PAM version needs testing. Set SIGTSTP to SIG_DFL during password entry so user can suspend us.
2001-12-09 05:17:00 +00:00
#include <signal.h>
New authentication API and methods
1999-07-11 00:32:11 +00:00
Initial bits of sudoers plugin; still needs work.
2010-03-14 19:58:47 -04:00
#include "sudoers.h"
New authentication API and methods
1999-07-11 00:32:11 +00:00
#include "sudo_auth.h"
#include "insults.h"
Rename check.h -> timestamp.h and add remaining timestamp.c prototypes.
2023-08-29 11:16:23 -06:00
#include "timestamp.h"
New authentication API and methods
1999-07-11 00:32:11 +00:00
Clean up the sudoers auth API a bit and update the docs.
2010-05-27 14:53:11 -04:00
static sudo_auth auth_switch[] = {
/* Standalone entries first */
On AIX use the value of auth_type in /etc/security/login.cfg to determine whether to use LAM or PAM unless the user specified the --with-pam or --with-aixauth configure flags.
2015-02-23 11:12:43 -07:00
#ifdef HAVE_AIXAUTH
Add an approval function to the sudo auth API which is run after the user's password has been verified. The approval function is run even if no password is required. This is currently only used for PAM (use pam_acct_mgmt) and BSD auth (auth_approval).
2018-01-16 10:27:58 -07:00
AUTH_ENTRY("aixauth", FLAG_STANDALONE, sudo_aix_init, NULL, sudo_aix_verify, NULL, sudo_aix_cleanup, NULL, NULL)
On AIX use the value of auth_type in /etc/security/login.cfg to determine whether to use LAM or PAM unless the user specified the --with-pam or --with-aixauth configure flags.
2015-02-23 11:12:43 -07:00
#endif
Clean up the sudoers auth API a bit and update the docs.
2010-05-27 14:53:11 -04:00
#ifdef HAVE_PAM
Add an approval function to the sudo auth API which is run after the user's password has been verified. The approval function is run even if no password is required. This is currently only used for PAM (use pam_acct_mgmt) and BSD auth (auth_approval).
2018-01-16 10:27:58 -07:00
AUTH_ENTRY("pam", FLAG_STANDALONE, sudo_pam_init, NULL, sudo_pam_verify, sudo_pam_approval, sudo_pam_cleanup, sudo_pam_begin_session, sudo_pam_end_session)
Clean up the sudoers auth API a bit and update the docs.
2010-05-27 14:53:11 -04:00
#endif
#ifdef HAVE_SECURID
Add an approval function to the sudo auth API which is run after the user's password has been verified. The approval function is run even if no password is required. This is currently only used for PAM (use pam_acct_mgmt) and BSD auth (auth_approval).
2018-01-16 10:27:58 -07:00
AUTH_ENTRY("SecurId", FLAG_STANDALONE, sudo_securid_init, sudo_securid_setup, sudo_securid_verify, NULL, NULL, NULL, NULL)
Clean up the sudoers auth API a bit and update the docs.
2010-05-27 14:53:11 -04:00
#endif
#ifdef HAVE_SIA_SES_INIT
Add an approval function to the sudo auth API which is run after the user's password has been verified. The approval function is run even if no password is required. This is currently only used for PAM (use pam_acct_mgmt) and BSD auth (auth_approval).
2018-01-16 10:27:58 -07:00
AUTH_ENTRY("sia", FLAG_STANDALONE, NULL, sudo_sia_setup, sudo_sia_verify, NULL, sudo_sia_cleanup, sudo_sia_begin_session, NULL)
Clean up the sudoers auth API a bit and update the docs.
2010-05-27 14:53:11 -04:00
#endif
#ifdef HAVE_FWTK
Add an approval function to the sudo auth API which is run after the user's password has been verified. The approval function is run even if no password is required. This is currently only used for PAM (use pam_acct_mgmt) and BSD auth (auth_approval).
2018-01-16 10:27:58 -07:00
AUTH_ENTRY("fwtk", FLAG_STANDALONE, sudo_fwtk_init, NULL, sudo_fwtk_verify, NULL, sudo_fwtk_cleanup, NULL, NULL)
Clean up the sudoers auth API a bit and update the docs.
2010-05-27 14:53:11 -04:00
#endif
#ifdef HAVE_BSD_AUTH_H
Add an approval function to the sudo auth API which is run after the user's password has been verified. The approval function is run even if no password is required. This is currently only used for PAM (use pam_acct_mgmt) and BSD auth (auth_approval).
2018-01-16 10:27:58 -07:00
AUTH_ENTRY("bsdauth", FLAG_STANDALONE, bsdauth_init, NULL, bsdauth_verify, bsdauth_approval, bsdauth_cleanup, NULL, NULL)
Clean up the sudoers auth API a bit and update the docs.
2010-05-27 14:53:11 -04:00
#endif
/* Non-standalone entries */
#ifndef WITHOUT_PASSWD
Add an approval function to the sudo auth API which is run after the user's password has been verified. The approval function is run even if no password is required. This is currently only used for PAM (use pam_acct_mgmt) and BSD auth (auth_approval).
2018-01-16 10:27:58 -07:00
AUTH_ENTRY("passwd", 0, sudo_passwd_init, NULL, sudo_passwd_verify, NULL, sudo_passwd_cleanup, NULL, NULL)
Clean up the sudoers auth API a bit and update the docs.
2010-05-27 14:53:11 -04:00
#endif
#if defined(HAVE_GETPRPWNAM) && !defined(WITHOUT_PASSWD)
Add an approval function to the sudo auth API which is run after the user's password has been verified. The approval function is run even if no password is required. This is currently only used for PAM (use pam_acct_mgmt) and BSD auth (auth_approval).
2018-01-16 10:27:58 -07:00
AUTH_ENTRY("secureware", 0, sudo_secureware_init, NULL, sudo_secureware_verify, NULL, sudo_secureware_cleanup, NULL, NULL)
Clean up the sudoers auth API a bit and update the docs.
2010-05-27 14:53:11 -04:00
#endif
#ifdef HAVE_AFS
Add an approval function to the sudo auth API which is run after the user's password has been verified. The approval function is run even if no password is required. This is currently only used for PAM (use pam_acct_mgmt) and BSD auth (auth_approval).
2018-01-16 10:27:58 -07:00
AUTH_ENTRY("afs", 0, NULL, NULL, sudo_afs_verify, NULL, NULL, NULL, NULL)
Clean up the sudoers auth API a bit and update the docs.
2010-05-27 14:53:11 -04:00
#endif
#ifdef HAVE_DCE
Add an approval function to the sudo auth API which is run after the user's password has been verified. The approval function is run even if no password is required. This is currently only used for PAM (use pam_acct_mgmt) and BSD auth (auth_approval).
2018-01-16 10:27:58 -07:00
AUTH_ENTRY("dce", 0, NULL, NULL, sudo_dce_verify, NULL, NULL, NULL, NULL)
Clean up the sudoers auth API a bit and update the docs.
2010-05-27 14:53:11 -04:00
#endif
#ifdef HAVE_KERB5
Add an approval function to the sudo auth API which is run after the user's password has been verified. The approval function is run even if no password is required. This is currently only used for PAM (use pam_acct_mgmt) and BSD auth (auth_approval).
2018-01-16 10:27:58 -07:00
AUTH_ENTRY("kerb5", 0, sudo_krb5_init, sudo_krb5_setup, sudo_krb5_verify, NULL, sudo_krb5_cleanup, NULL, NULL)
Clean up the sudoers auth API a bit and update the docs.
2010-05-27 14:53:11 -04:00
#endif
#ifdef HAVE_SKEY
Add an approval function to the sudo auth API which is run after the user's password has been verified. The approval function is run even if no password is required. This is currently only used for PAM (use pam_acct_mgmt) and BSD auth (auth_approval).
2018-01-16 10:27:58 -07:00
AUTH_ENTRY("S/Key", 0, NULL, sudo_rfc1938_setup, sudo_rfc1938_verify, NULL, NULL, NULL, NULL)
Clean up the sudoers auth API a bit and update the docs.
2010-05-27 14:53:11 -04:00
#endif
#ifdef HAVE_OPIE
Add an approval function to the sudo auth API which is run after the user's password has been verified. The approval function is run even if no password is required. This is currently only used for PAM (use pam_acct_mgmt) and BSD auth (auth_approval).
2018-01-16 10:27:58 -07:00
AUTH_ENTRY("OPIE", 0, NULL, sudo_rfc1938_setup, sudo_rfc1938_verify, NULL, NULL, NULL, NULL)
Clean up the sudoers auth API a bit and update the docs.
2010-05-27 14:53:11 -04:00
#endif
Add an approval function to the sudo auth API which is run after the user's password has been verified. The approval function is run even if no password is required. This is currently only used for PAM (use pam_acct_mgmt) and BSD auth (auth_approval).
2018-01-16 10:27:58 -07:00
AUTH_ENTRY(NULL, 0, NULL, NULL, NULL, NULL, NULL, NULL, NULL)
New authentication API and methods
1999-07-11 00:32:11 +00:00
};
Try to deconfuse static analyzers a bit.
2016-01-27 16:19:22 -07:00
static bool standalone;
Modify the authentication API such that the init and cleanup functions are always called, regardless of whether or not we are going to verify a password. This is needed for proper PAM session support.
2011-09-27 13:18:46 -04:00
Move log_denial() calls and logic to log_failure(). Move authentication failure logging to log_auth_failure(). Both of these call audit_failure() for us. This subtly changes logging for commands that are denied by sudoers but where the user failed to enter the correct password. Previously, these would be logged as "N incorrect password attempts" but now are logged as "command not allowed". Fixes bug #563
2012-07-10 12:42:33 -04:00
/*
* Initialize sudoers authentication method(s).
Make most sudo_auth functions return AUTH_{SUCCESS,FAILURE,FATAL}.
2023-09-09 14:07:07 -06:00
* Returns AUTH_SUCCESS on success and AUTH_ERROR on error.
Move log_denial() calls and logic to log_failure(). Move authentication failure logging to log_auth_failure(). Both of these call audit_failure() for us. This subtly changes logging for commands that are denied by sudoers but where the user failed to enter the correct password. Previously, these would be logged as "N incorrect password attempts" but now are logged as "command not allowed". Fixes bug #563
2012-07-10 12:42:33 -04:00
*/
Initial bits of sudoers plugin; still needs work.
2010-03-14 19:58:47 -04:00
int
Make struct sudoers_context private to sudoers.c. We now pass a pointer to the context where necessary. There are a few cases where we need to request the context from sudoers via sudoers_get_context() for the plugin API functions. If the plugin API was able to pass around a closure pointer this would not be necessary.
2023-08-21 09:21:49 -06:00
sudo_auth_init(const struct sudoers_context *ctx, struct passwd *pw,
unsigned int mode)
New authentication API and methods
1999-07-11 00:32:11 +00:00
{
sudo_auth *auth;
debug_decl and debug_decl_vars now require a semicolon at the end.
2019-12-22 08:48:16 -07:00
debug_decl(sudo_auth_init, SUDOERS_DEBUG_AUTH);
New authentication API and methods
1999-07-11 00:32:11 +00:00
Modify the authentication API such that the init and cleanup functions are always called, regardless of whether or not we are going to verify a password. This is needed for proper PAM session support.
2011-09-27 13:18:46 -04:00
if (auth_switch[0].name == NULL)
Make most sudo_auth functions return AUTH_{SUCCESS,FAILURE,FATAL}.
2023-09-09 14:07:07 -06:00
debug_return_int(AUTH_SUCCESS);
add check for case where there are no auth methods
1999-08-28 09:50:27 +00:00
auth API change. There is now an init method that gets run before the main loop. This allows auth routines to differentiate between initialization that happens once vs. setup that needs to run each time through the loop.
1999-07-22 19:48:27 +00:00
/* Initialize auth methods and unconfigure the method if necessary. */
for (auth = auth_switch; auth->name; auth++) {
Push non-interactive mode checking down into the auth methods. For "sudo -n" we only want to reject a command if user input is actually required. In the case of PAM at least, we may not need to interact with the user. Bug #956, GitHub issue #83
2022-01-04 18:57:36 -07:00
if (ISSET(mode, MODE_NONINTERACTIVE))
SET(auth->flags, FLAG_NONINTERACTIVE);
Clean up the sudoers auth API a bit and update the docs.
2010-05-27 14:53:11 -04:00
if (auth->init && !IS_DISABLED(auth)) {
Move log_denial() calls and logic to log_failure(). Move authentication failure logging to log_auth_failure(). Both of these call audit_failure() for us. This subtly changes logging for commands that are denied by sudoers but where the user failed to enter the correct password. Previously, these would be logged as "N incorrect password attempts" but now are logged as "command not allowed". Fixes bug #563
2012-07-10 12:42:33 -04:00
/* Disable if it failed to init unless there was a fatal error. */
Make most sudo_auth functions return AUTH_{SUCCESS,FAILURE,FATAL}.
2023-09-09 14:07:07 -06:00
switch ((auth->init)(ctx, pw, auth)) {
Try to make sudo less vulnerable to ROWHAMMER attacks. We now use ROWHAMMER-resistent values for ALLOW, DENY, AUTH_SUCCESS, AUTH_FAILURE, AUTH_ERROR and AUTH_NONINTERACTIVE. In addition, we explicitly test for expected values instead of using a negated test against an error value. In the parser match functions this means explicitly checking for ALLOW or DENY instead of accepting anything that is not set to UNSPEC. Thanks to Andrew J. Adiletta, M. Caner Tol, Yarkin Doroz, and Berk Sunar, all affiliated with the Vernam Applied Cryptography and Cybersecurity Lab at Worcester Polytechnic Institute, for the report. Paper preprint: https://arxiv.org/abs/2309.02545
2023-09-09 14:07:04 -06:00
case AUTH_SUCCESS:
break;
case AUTH_FAILURE:
Do not return without restoring permissions.
2011-09-27 15:22:08 -04:00
SET(auth->flags, FLAG_DISABLED);
Try to make sudo less vulnerable to ROWHAMMER attacks. We now use ROWHAMMER-resistent values for ALLOW, DENY, AUTH_SUCCESS, AUTH_FAILURE, AUTH_ERROR and AUTH_NONINTERACTIVE. In addition, we explicitly test for expected values instead of using a negated test against an error value. In the parser match functions this means explicitly checking for ALLOW or DENY instead of accepting anything that is not set to UNSPEC. Thanks to Andrew J. Adiletta, M. Caner Tol, Yarkin Doroz, and Berk Sunar, all affiliated with the Vernam Applied Cryptography and Cybersecurity Lab at Worcester Polytechnic Institute, for the report. Paper preprint: https://arxiv.org/abs/2309.02545
2023-09-09 14:07:04 -06:00
break;
default:
/* Assume error msg already printed. */
Make most sudo_auth functions return AUTH_{SUCCESS,FAILURE,FATAL}.
2023-09-09 14:07:07 -06:00
debug_return_int(AUTH_ERROR);
Try to make sudo less vulnerable to ROWHAMMER attacks. We now use ROWHAMMER-resistent values for ALLOW, DENY, AUTH_SUCCESS, AUTH_FAILURE, AUTH_ERROR and AUTH_NONINTERACTIVE. In addition, we explicitly test for expected values instead of using a negated test against an error value. In the parser match functions this means explicitly checking for ALLOW or DENY instead of accepting anything that is not set to UNSPEC. Thanks to Andrew J. Adiletta, M. Caner Tol, Yarkin Doroz, and Berk Sunar, all affiliated with the Vernam Applied Cryptography and Cybersecurity Lab at Worcester Polytechnic Institute, for the report. Paper preprint: https://arxiv.org/abs/2309.02545
2023-09-09 14:07:04 -06:00
}
Modify the authentication API such that the init and cleanup functions are always called, regardless of whether or not we are going to verify a password. This is needed for proper PAM session support.
2011-09-27 13:18:46 -04:00
}
}
On AIX use the value of auth_type in /etc/security/login.cfg to determine whether to use LAM or PAM unless the user specified the --with-pam or --with-aixauth configure flags.
2015-02-23 11:12:43 -07:00
/*
* Make sure we haven't mixed standalone and shared auth methods.
* If there are multiple standalone methods, only use the first one.
*/
if ((standalone = IS_STANDALONE(&auth_switch[0]))) {
bool found = false;
for (auth = auth_switch; auth->name; auth++) {
if (IS_DISABLED(auth))
continue;
if (!IS_STANDALONE(auth)) {
Move NewArgv, NewArgc and saved_argv into struct sudoers_context.
2023-08-21 09:22:24 -06:00
audit_failure(ctx, ctx->runas.argv,
Make struct sudoers_context private to sudoers.c. We now pass a pointer to the context where necessary. There are a few cases where we need to request the context from sudoers via sudoers_get_context() for the plugin API functions. If the plugin API was able to pass around a closure pointer this would not be necessary.
2023-08-21 09:21:49 -06:00
N_("invalid authentication methods"));
log_warningx(ctx, SLOG_SEND_MAIL,
On AIX use the value of auth_type in /etc/security/login.cfg to determine whether to use LAM or PAM unless the user specified the --with-pam or --with-aixauth configure flags.
2015-02-23 11:12:43 -07:00
N_("Invalid authentication methods compiled into sudo! "
"You may not mix standalone and non-standalone authentication."));
Make most sudo_auth functions return AUTH_{SUCCESS,FAILURE,FATAL}.
2023-09-09 14:07:07 -06:00
debug_return_int(AUTH_ERROR);
On AIX use the value of auth_type in /etc/security/login.cfg to determine whether to use LAM or PAM unless the user specified the --with-pam or --with-aixauth configure flags.
2015-02-23 11:12:43 -07:00
}
if (!found) {
/* Found first standalone method. */
found = true;
continue;
}
/* Disable other standalone methods. */
SET(auth->flags, FLAG_DISABLED);
}
}
/* Set FLAG_ONEANDONLY if there is only one auth method. */
for (auth = auth_switch; auth->name; auth++) {
/* Find first enabled auth method. */
if (!IS_DISABLED(auth)) {
sudo_auth *first = auth;
/* Check for others. */
for (; auth->name; auth++) {
if (!IS_DISABLED(auth))
break;
}
if (auth->name == NULL)
SET(first->flags, FLAG_ONEANDONLY);
break;
}
}
Make most sudo_auth functions return AUTH_{SUCCESS,FAILURE,FATAL}.
2023-09-09 14:07:07 -06:00
debug_return_int(AUTH_SUCCESS);
Modify the authentication API such that the init and cleanup functions are always called, regardless of whether or not we are going to verify a password. This is needed for proper PAM session support.
2011-09-27 13:18:46 -04:00
}
Add an approval function to the sudo auth API which is run after the user's password has been verified. The approval function is run even if no password is required. This is currently only used for PAM (use pam_acct_mgmt) and BSD auth (auth_approval).
2018-01-16 10:27:58 -07:00
/*
Make most sudo_auth functions return AUTH_{SUCCESS,FAILURE,FATAL}.
2023-09-09 14:07:07 -06:00
* Call all authentication approval methods, if any.
* Returns AUTH_SUCCESS, AUTH_FAILURE or AUTH_ERROR.
Add an approval function to the sudo auth API which is run after the user's password has been verified. The approval function is run even if no password is required. This is currently only used for PAM (use pam_acct_mgmt) and BSD auth (auth_approval).
2018-01-16 10:27:58 -07:00
*/
int
Make struct sudoers_context private to sudoers.c. We now pass a pointer to the context where necessary. There are a few cases where we need to request the context from sudoers via sudoers_get_context() for the plugin API functions. If the plugin API was able to pass around a closure pointer this would not be necessary.
2023-08-21 09:21:49 -06:00
sudo_auth_approval(const struct sudoers_context *ctx, struct passwd *pw,
unsigned int validated, bool exempt)
Add an approval function to the sudo auth API which is run after the user's password has been verified. The approval function is run even if no password is required. This is currently only used for PAM (use pam_acct_mgmt) and BSD auth (auth_approval).
2018-01-16 10:27:58 -07:00
{
Make most sudo_auth functions return AUTH_{SUCCESS,FAILURE,FATAL}.
2023-09-09 14:07:07 -06:00
int ret = AUTH_SUCCESS;
Add an approval function to the sudo auth API which is run after the user's password has been verified. The approval function is run even if no password is required. This is currently only used for PAM (use pam_acct_mgmt) and BSD auth (auth_approval).
2018-01-16 10:27:58 -07:00
sudo_auth *auth;
debug_decl and debug_decl_vars now require a semicolon at the end.
2019-12-22 08:48:16 -07:00
debug_decl(sudo_auth_approval, SUDOERS_DEBUG_AUTH);
Add an approval function to the sudo auth API which is run after the user's password has been verified. The approval function is run even if no password is required. This is currently only used for PAM (use pam_acct_mgmt) and BSD auth (auth_approval).
2018-01-16 10:27:58 -07:00
/* Call approval routines. */
for (auth = auth_switch; auth->name; auth++) {
if (auth->approval && !IS_DISABLED(auth)) {
Make most sudo_auth functions return AUTH_{SUCCESS,FAILURE,FATAL}.
2023-09-09 14:07:07 -06:00
ret = (auth->approval)(ctx, pw, auth, exempt);
if (ret != AUTH_SUCCESS) {
Add an approval function to the sudo auth API which is run after the user's password has been verified. The approval function is run even if no password is required. This is currently only used for PAM (use pam_acct_mgmt) and BSD auth (auth_approval).
2018-01-16 10:27:58 -07:00
/* Assume error msg already printed. */
Make struct sudoers_context private to sudoers.c. We now pass a pointer to the context where necessary. There are a few cases where we need to request the context from sudoers via sudoers_get_context() for the plugin API functions. If the plugin API was able to pass around a closure pointer this would not be necessary.
2023-08-21 09:21:49 -06:00
log_auth_failure(ctx, validated, 0);
Make most sudo_auth functions return AUTH_{SUCCESS,FAILURE,FATAL}.
2023-09-09 14:07:07 -06:00
break;
Add an approval function to the sudo auth API which is run after the user's password has been verified. The approval function is run even if no password is required. This is currently only used for PAM (use pam_acct_mgmt) and BSD auth (auth_approval).
2018-01-16 10:27:58 -07:00
}
}
}
Make most sudo_auth functions return AUTH_{SUCCESS,FAILURE,FATAL}.
2023-09-09 14:07:07 -06:00
debug_return_int(ret);
Add an approval function to the sudo auth API which is run after the user's password has been verified. The approval function is run even if no password is required. This is currently only used for PAM (use pam_acct_mgmt) and BSD auth (auth_approval).
2018-01-16 10:27:58 -07:00
}
Move log_denial() calls and logic to log_failure(). Move authentication failure logging to log_auth_failure(). Both of these call audit_failure() for us. This subtly changes logging for commands that are denied by sudoers but where the user failed to enter the correct password. Previously, these would be logged as "N incorrect password attempts" but now are logged as "command not allowed". Fixes bug #563
2012-07-10 12:42:33 -04:00
/*
* Cleanup all authentication methods.
Make most sudo_auth functions return AUTH_{SUCCESS,FAILURE,FATAL}.
2023-09-09 14:07:07 -06:00
* Returns AUTH_SUCCESS on success and AUTH_ERROR on error.
Move log_denial() calls and logic to log_failure(). Move authentication failure logging to log_auth_failure(). Both of these call audit_failure() for us. This subtly changes logging for commands that are denied by sudoers but where the user failed to enter the correct password. Previously, these would be logged as "N incorrect password attempts" but now are logged as "command not allowed". Fixes bug #563
2012-07-10 12:42:33 -04:00
*/
Modify the authentication API such that the init and cleanup functions are always called, regardless of whether or not we are going to verify a password. This is needed for proper PAM session support.
2011-09-27 13:18:46 -04:00
int
Make struct sudoers_context private to sudoers.c. We now pass a pointer to the context where necessary. There are a few cases where we need to request the context from sudoers via sudoers_get_context() for the plugin API functions. If the plugin API was able to pass around a closure pointer this would not be necessary.
2023-08-21 09:21:49 -06:00
sudo_auth_cleanup(const struct sudoers_context *ctx, struct passwd *pw,
bool force)
Modify the authentication API such that the init and cleanup functions are always called, regardless of whether or not we are going to verify a password. This is needed for proper PAM session support.
2011-09-27 13:18:46 -04:00
{
sudo_auth *auth;
debug_decl and debug_decl_vars now require a semicolon at the end.
2019-12-22 08:48:16 -07:00
debug_decl(sudo_auth_cleanup, SUDOERS_DEBUG_AUTH);
Modify the authentication API such that the init and cleanup functions are always called, regardless of whether or not we are going to verify a password. This is needed for proper PAM session support.
2011-09-27 13:18:46 -04:00
/* Call cleanup routines. */
for (auth = auth_switch; auth->name; auth++) {
if (auth->cleanup && !IS_DISABLED(auth)) {
Make struct sudoers_context private to sudoers.c. We now pass a pointer to the context where necessary. There are a few cases where we need to request the context from sudoers via sudoers_get_context() for the plugin API functions. If the plugin API was able to pass around a closure pointer this would not be necessary.
2023-08-21 09:21:49 -06:00
int status = (auth->cleanup)(ctx, pw, auth, force);
Try to make sudo less vulnerable to ROWHAMMER attacks. We now use ROWHAMMER-resistent values for ALLOW, DENY, AUTH_SUCCESS, AUTH_FAILURE, AUTH_ERROR and AUTH_NONINTERACTIVE. In addition, we explicitly test for expected values instead of using a negated test against an error value. In the parser match functions this means explicitly checking for ALLOW or DENY instead of accepting anything that is not set to UNSPEC. Thanks to Andrew J. Adiletta, M. Caner Tol, Yarkin Doroz, and Berk Sunar, all affiliated with the Vernam Applied Cryptography and Cybersecurity Lab at Worcester Polytechnic Institute, for the report. Paper preprint: https://arxiv.org/abs/2309.02545
2023-09-09 14:07:04 -06:00
if (status != AUTH_SUCCESS) {
Add an approval function to the sudo auth API which is run after the user's password has been verified. The approval function is run even if no password is required. This is currently only used for PAM (use pam_acct_mgmt) and BSD auth (auth_approval).
2018-01-16 10:27:58 -07:00
/* Assume error msg already printed. */
Make most sudo_auth functions return AUTH_{SUCCESS,FAILURE,FATAL}.
2023-09-09 14:07:07 -06:00
debug_return_int(AUTH_ERROR);
Add an approval function to the sudo auth API which is run after the user's password has been verified. The approval function is run even if no password is required. This is currently only used for PAM (use pam_acct_mgmt) and BSD auth (auth_approval).
2018-01-16 10:27:58 -07:00
}
auth API change. There is now an init method that gets run before the main loop. This allows auth routines to differentiate between initialization that happens once vs. setup that needs to run each time through the loop.
1999-07-22 19:48:27 +00:00
}
}
Make most sudo_auth functions return AUTH_{SUCCESS,FAILURE,FATAL}.
2023-09-09 14:07:07 -06:00
debug_return_int(AUTH_SUCCESS);
Modify the authentication API such that the init and cleanup functions are always called, regardless of whether or not we are going to verify a password. This is needed for proper PAM session support.
2011-09-27 13:18:46 -04:00
}
Move pass_warn() so that it is defined before it is called().
2014-09-26 20:39:40 -06:00
static void
pass_warn(void)
{
const char *warning = def_badpass_message;
debug_decl and debug_decl_vars now require a semicolon at the end.
2019-12-22 08:48:16 -07:00
debug_decl(pass_warn, SUDOERS_DEBUG_AUTH);
Move pass_warn() so that it is defined before it is called().
2014-09-26 20:39:40 -06:00
#ifdef INSULT
if (def_insults)
warning = INSULT;
#endif
Use the SUDO_CONV_PREFER_TTY flag during authentication. This prevents the password and PAM prompts from being redirected. Bug #895
2019-08-26 19:30:11 -06:00
sudo_printf(SUDO_CONV_ERROR_MSG|SUDO_CONV_PREFER_TTY, "%s\n", warning);
Move pass_warn() so that it is defined before it is called().
2014-09-26 20:39:40 -06:00
debug_return;
}
Block SIGINT and SIGQUIT while verifying passwords so that authentication modules that use sleep() are not interrupted. If the user interrupted authentication, exit the loop.
2014-09-27 10:16:31 -06:00
static bool
user_interrupted(void)
{
sigset_t mask;
return (sigpending(&mask) == 0 &&
(sigismember(&mask, SIGINT) || sigismember(&mask, SIGQUIT)));
}
Move log_denial() calls and logic to log_failure(). Move authentication failure logging to log_auth_failure(). Both of these call audit_failure() for us. This subtly changes logging for commands that are denied by sudoers but where the user failed to enter the correct password. Previously, these would be logged as "N incorrect password attempts" but now are logged as "command not allowed". Fixes bug #563
2012-07-10 12:42:33 -04:00
/*
* Verify the specified user.
Make most sudo_auth functions return AUTH_{SUCCESS,FAILURE,FATAL}.
2023-09-09 14:07:07 -06:00
* Returns AUTH_SUCCESS, AUTH_FAILURE or AUTH_ERROR.
Move log_denial() calls and logic to log_failure(). Move authentication failure logging to log_auth_failure(). Both of these call audit_failure() for us. This subtly changes logging for commands that are denied by sudoers but where the user failed to enter the correct password. Previously, these would be logged as "N incorrect password attempts" but now are logged as "command not allowed". Fixes bug #563
2012-07-10 12:42:33 -04:00
*/
Modify the authentication API such that the init and cleanup functions are always called, regardless of whether or not we are going to verify a password. This is needed for proper PAM session support.
2011-09-27 13:18:46 -04:00
int
Make struct sudoers_context private to sudoers.c. We now pass a pointer to the context where necessary. There are a few cases where we need to request the context from sudoers via sudoers_get_context() for the plugin API functions. If the plugin API was able to pass around a closure pointer this would not be necessary.
2023-08-21 09:21:49 -06:00
verify_user(const struct sudoers_context *ctx, struct passwd *pw, char *prompt,
unsigned int validated, struct sudo_conv_callback *callback)
Modify the authentication API such that the init and cleanup functions are always called, regardless of whether or not we are going to verify a password. This is needed for proper PAM session support.
2011-09-27 13:18:46 -04:00
{
Make most sudo_auth functions return AUTH_{SUCCESS,FAILURE,FATAL}.
2023-09-09 14:07:07 -06:00
struct sigaction sa, saved_sigtstp;
int ret = AUTH_FAILURE;
Simplify how we count the password tries
2014-09-27 10:17:21 -06:00
unsigned int ntries;
Block SIGINT and SIGQUIT while verifying passwords so that authentication modules that use sleep() are not interrupted. If the user interrupted authentication, exit the loop.
2014-09-27 10:16:31 -06:00
sigset_t mask, omask;
Make most sudo_auth functions return AUTH_{SUCCESS,FAILURE,FATAL}.
2023-09-09 14:07:07 -06:00
sudo_auth *auth;
debug_decl and debug_decl_vars now require a semicolon at the end.
2019-12-22 08:48:16 -07:00
debug_decl(verify_user, SUDOERS_DEBUG_AUTH);
Modify the authentication API such that the init and cleanup functions are always called, regardless of whether or not we are going to verify a password. This is needed for proper PAM session support.
2011-09-27 13:18:46 -04:00
/* Make sure we have at least one auth method. */
if (auth_switch[0].name == NULL) {
Move NewArgv, NewArgc and saved_argv into struct sudoers_context.
2023-08-21 09:22:24 -06:00
audit_failure(ctx, ctx->runas.argv, N_("no authentication methods"));
Make struct sudoers_context private to sudoers.c. We now pass a pointer to the context where necessary. There are a few cases where we need to request the context from sudoers via sudoers_get_context() for the plugin API functions. If the plugin API was able to pass around a closure pointer this would not be necessary.
2023-08-21 09:21:49 -06:00
log_warningx(ctx, SLOG_SEND_MAIL,
Call gettext inside log_error et al instead of having the caller do it. This way we can display any messages to the user in their own locale but log in the sudoers local.
2012-11-08 15:37:44 -05:00
N_("There are no authentication methods compiled into sudo! "
Modify the authentication API such that the init and cleanup functions are always called, regardless of whether or not we are going to verify a password. This is needed for proper PAM session support.
2011-09-27 13:18:46 -04:00
"If you want to turn off authentication, use the "
"--disable-authentication configure option."));
Make most sudo_auth functions return AUTH_{SUCCESS,FAILURE,FATAL}.
2023-09-09 14:07:07 -06:00
debug_return_int(AUTH_ERROR);
Modify the authentication API such that the init and cleanup functions are always called, regardless of whether or not we are going to verify a password. This is needed for proper PAM session support.
2011-09-27 13:18:46 -04:00
}
auth API change. There is now an init method that gets run before the main loop. This allows auth routines to differentiate between initialization that happens once vs. setup that needs to run each time through the loop.
1999-07-22 19:48:27 +00:00
Block SIGINT and SIGQUIT while verifying passwords so that authentication modules that use sleep() are not interrupted. If the user interrupted authentication, exit the loop.
2014-09-27 10:16:31 -06:00
/* Enable suspend during password entry. */
sigemptyset(&sa.sa_mask);
sa.sa_flags = SA_RESTART;
sa.sa_handler = SIG_DFL;
(void) sigaction(SIGTSTP, &sa, &saved_sigtstp);
/*
* We treat authentication as a critical section and block
* keyboard-generated signals such as SIGINT and SIGQUIT
* which might otherwise interrupt a sleep(3).
* They are temporarily unblocked by auth_getpass().
*/
sigemptyset(&mask);
sigaddset(&mask, SIGINT);
sigaddset(&mask, SIGQUIT);
(void) sigprocmask(SIG_BLOCK, &mask, &omask);
Simplify how we count the password tries
2014-09-27 10:17:21 -06:00
for (ntries = 0; ntries < def_passwd_tries; ntries++) {
If all authentication methods fail init/setup, fail with an error.
2014-09-26 20:55:19 -06:00
int num_methods = 0;
Try to deconfuse static analyzers a bit.
2016-01-27 16:19:22 -07:00
char *pass = NULL;
If all authentication methods fail init/setup, fail with an error.
2014-09-26 20:55:19 -06:00
Block SIGINT and SIGQUIT while verifying passwords so that authentication modules that use sleep() are not interrupted. If the user interrupted authentication, exit the loop.
2014-09-27 10:16:31 -06:00
/* If user attempted to interrupt password verify, quit now. */
if (user_interrupted())
goto done;
Simplify how we count the password tries
2014-09-27 10:17:21 -06:00
if (ntries != 0)
Block SIGINT and SIGQUIT while verifying passwords so that authentication modules that use sleep() are not interrupted. If the user interrupted authentication, exit the loop.
2014-09-27 10:16:31 -06:00
pass_warn();
New authentication API and methods
1999-07-11 00:32:11 +00:00
/* Do any per-method setup and unconfigure the method if needed */
for (auth = auth_switch; auth->name; auth++) {
If all authentication methods fail init/setup, fail with an error.
2014-09-26 20:55:19 -06:00
if (IS_DISABLED(auth))
continue;
num_methods++;
if (auth->setup != NULL) {
Make most sudo_auth functions return AUTH_{SUCCESS,FAILURE,FATAL}.
2023-09-09 14:07:07 -06:00
switch ((auth->setup)(ctx, pw, &prompt, auth)) {
case AUTH_SUCCESS:
if (user_interrupted())
goto done; /* assume error msg already printed */
break;
case AUTH_FAILURE:
Clean up the sudoers auth API a bit and update the docs.
2010-05-27 14:53:11 -04:00
SET(auth->flags, FLAG_DISABLED);
Make most sudo_auth functions return AUTH_{SUCCESS,FAILURE,FATAL}.
2023-09-09 14:07:07 -06:00
break;
case AUTH_NONINTERACTIVE:
/* Non-interactive mode, cannot prompt user. */
goto done;
default:
ret = AUTH_ERROR;
Push non-interactive mode checking down into the auth methods. For "sudo -n" we only want to reject a command if user input is actually required. In the case of PAM at least, we may not need to interact with the user. Bug #956, GitHub issue #83
2022-01-04 18:57:36 -07:00
goto done;
Make most sudo_auth functions return AUTH_{SUCCESS,FAILURE,FATAL}.
2023-09-09 14:07:07 -06:00
}
New authentication API and methods
1999-07-11 00:32:11 +00:00
}
}
If all authentication methods fail init/setup, fail with an error.
2014-09-26 20:55:19 -06:00
if (num_methods == 0) {
Move NewArgv, NewArgc and saved_argv into struct sudoers_context.
2023-08-21 09:22:24 -06:00
audit_failure(ctx, ctx->runas.argv,
N_("no authentication methods"));
Make struct sudoers_context private to sudoers.c. We now pass a pointer to the context where necessary. There are a few cases where we need to request the context from sudoers via sudoers_get_context() for the plugin API functions. If the plugin API was able to pass around a closure pointer this would not be necessary.
2023-08-21 09:21:49 -06:00
log_warningx(ctx, SLOG_SEND_MAIL,
If all authentication methods fail init/setup, fail with an error.
2014-09-26 20:55:19 -06:00
N_("Unable to initialize authentication methods."));
Make most sudo_auth functions return AUTH_{SUCCESS,FAILURE,FATAL}.
2023-09-09 14:07:07 -06:00
debug_return_int(AUTH_ERROR);
If all authentication methods fail init/setup, fail with an error.
2014-09-26 20:55:19 -06:00
}
New authentication API and methods
1999-07-11 00:32:11 +00:00
/* Get the password unless the auth function will do it for us */
Try to deconfuse static analyzers a bit.
2016-01-27 16:19:22 -07:00
if (!standalone) {
Quiet two PVS-studio warnings.
2022-01-05 11:04:18 -07:00
if (IS_NONINTERACTIVE(&auth_switch[0])) {
Make most sudo_auth functions return AUTH_{SUCCESS,FAILURE,FATAL}.
2023-09-09 14:07:07 -06:00
ret = AUTH_NONINTERACTIVE;
Push non-interactive mode checking down into the auth methods. For "sudo -n" we only want to reject a command if user input is actually required. In the case of PAM at least, we may not need to interact with the user. Bug #956, GitHub issue #83
2022-01-04 18:57:36 -07:00
goto done;
}
Store passwd_timeout and timestamp_timeout as a struct timespec instead of as a float. Remove timeout argument to auth_getpass() as it was never used.
2018-01-22 12:18:48 -07:00
pass = auth_getpass(prompt, SUDO_CONV_PROMPT_ECHO_OFF, callback);
Try to deconfuse static analyzers a bit.
2016-01-27 16:19:22 -07:00
if (pass == NULL)
For non-standalone auth methods, stop reading the password if the user enters ^C at the prompt.
2010-08-06 17:16:57 -04:00
break;
}
New authentication API and methods
1999-07-11 00:32:11 +00:00
/* Call authentication functions. */
For non-standalone auth methods, stop reading the password if the user enters ^C at the prompt.
2010-08-06 17:16:57 -04:00
for (auth = auth_switch; auth->name; auth++) {
Clean up the sudoers auth API a bit and update the docs.
2010-05-27 14:53:11 -04:00
if (IS_DISABLED(auth))
New authentication API and methods
1999-07-11 00:32:11 +00:00
continue;
Make most sudo_auth functions return AUTH_{SUCCESS,FAILURE,FATAL}.
2023-09-09 14:07:07 -06:00
ret = auth->status = (auth->verify)(ctx, pw,
Make struct sudoers_context private to sudoers.c. We now pass a pointer to the context where necessary. There are a few cases where we need to request the context from sudoers via sudoers_get_context() for the plugin API functions. If the plugin API was able to pass around a closure pointer this would not be necessary.
2023-08-21 09:21:49 -06:00
standalone ? prompt : pass, auth, callback);
Make most sudo_auth functions return AUTH_{SUCCESS,FAILURE,FATAL}.
2023-09-09 14:07:07 -06:00
if (ret != AUTH_FAILURE)
Block SIGINT and SIGQUIT while verifying passwords so that authentication modules that use sleep() are not interrupted. If the user interrupted authentication, exit the loop.
2014-09-27 10:16:31 -06:00
break;
New authentication API and methods
1999-07-11 00:32:11 +00:00
}
Use OpenBSD-compatible freezero() in place of explicit_bzero() + free()
2020-08-10 19:24:33 -06:00
if (pass != NULL)
freezero(pass, strlen(pass));
Block SIGINT and SIGQUIT while verifying passwords so that authentication modules that use sleep() are not interrupted. If the user interrupted authentication, exit the loop.
2014-09-27 10:16:31 -06:00
Make most sudo_auth functions return AUTH_{SUCCESS,FAILURE,FATAL}.
2023-09-09 14:07:07 -06:00
if (ret != AUTH_FAILURE)
Block SIGINT and SIGQUIT while verifying passwords so that authentication modules that use sleep() are not interrupted. If the user interrupted authentication, exit the loop.
2014-09-27 10:16:31 -06:00
goto done;
New authentication API and methods
1999-07-11 00:32:11 +00:00
}
Modify the authentication API such that the init and cleanup functions are always called, regardless of whether or not we are going to verify a password. This is needed for proper PAM session support.
2011-09-27 13:18:46 -04:00
done:
Block SIGINT and SIGQUIT while verifying passwords so that authentication modules that use sleep() are not interrupted. If the user interrupted authentication, exit the loop.
2014-09-27 10:16:31 -06:00
/* Restore signal handlers and signal mask. */
(void) sigaction(SIGTSTP, &saved_sigtstp, NULL);
(void) sigprocmask(SIG_SETMASK, &omask, NULL);
Make most sudo_auth functions return AUTH_{SUCCESS,FAILURE,FATAL}.
2023-09-09 14:07:07 -06:00
switch (ret) {
New authentication API and methods
1999-07-11 00:32:11 +00:00
case AUTH_SUCCESS:
Initial bits of sudoers plugin; still needs work.
2010-03-14 19:58:47 -04:00
break;
Restore AUTH_INTR support, it is still needed. We still need AUTH_INTR to know when to break out of the password prompt loop.
2023-08-29 10:02:09 -06:00
case AUTH_INTR:
Make most sudo_auth functions return AUTH_{SUCCESS,FAILURE,FATAL}.
2023-09-09 14:07:07 -06:00
ret = AUTH_FAILURE;
FALLTHROUGH;
New authentication API and methods
1999-07-11 00:32:11 +00:00
case AUTH_FAILURE:
Simplify how we count the password tries
2014-09-27 10:17:21 -06:00
if (ntries != 0)
Push non-interactive mode checking down into the auth methods. For "sudo -n" we only want to reject a command if user input is actually required. In the case of PAM at least, we may not need to interact with the user. Bug #956, GitHub issue #83
2022-01-04 18:57:36 -07:00
SET(validated, FLAG_BAD_PASSWORD);
Make struct sudoers_context private to sudoers.c. We now pass a pointer to the context where necessary. There are a few cases where we need to request the context from sudoers via sudoers_get_context() for the plugin API functions. If the plugin API was able to pass around a closure pointer this would not be necessary.
2023-08-21 09:21:49 -06:00
log_auth_failure(ctx, validated, ntries);
Initial bits of sudoers plugin; still needs work.
2010-03-14 19:58:47 -04:00
break;
Push non-interactive mode checking down into the auth methods. For "sudo -n" we only want to reject a command if user input is actually required. In the case of PAM at least, we may not need to interact with the user. Bug #956, GitHub issue #83
2022-01-04 18:57:36 -07:00
case AUTH_NONINTERACTIVE:
SET(validated, FLAG_NO_USER_INPUT);
FALLTHROUGH;
Initial bits of sudoers plugin; still needs work.
2010-03-14 19:58:47 -04:00
default:
Make struct sudoers_context private to sudoers.c. We now pass a pointer to the context where necessary. There are a few cases where we need to request the context from sudoers via sudoers_get_context() for the plugin API functions. If the plugin API was able to pass around a closure pointer this would not be necessary.
2023-08-21 09:21:49 -06:00
log_auth_failure(ctx, validated, 0);
Make most sudo_auth functions return AUTH_{SUCCESS,FAILURE,FATAL}.
2023-09-09 14:07:07 -06:00
ret = AUTH_ERROR;
Initial bits of sudoers plugin; still needs work.
2010-03-14 19:58:47 -04:00
break;
New authentication API and methods
1999-07-11 00:32:11 +00:00
}
Initial bits of sudoers plugin; still needs work.
2010-03-14 19:58:47 -04:00
Be consistent with the naming of the variable used to store the function return value. Previously, some code used "rval", some used "ret". This standardizes on "ret" and uses "rc" for temporary return codes.
2016-09-08 16:38:08 -06:00
debug_return_int(ret);
New authentication API and methods
1999-07-11 00:32:11 +00:00
}
Move log_denial() calls and logic to log_failure(). Move authentication failure logging to log_auth_failure(). Both of these call audit_failure() for us. This subtly changes logging for commands that are denied by sudoers but where the user failed to enter the correct password. Previously, these would be logged as "N incorrect password attempts" but now are logged as "command not allowed". Fixes bug #563
2012-07-10 12:42:33 -04:00
/*
* Call authentication method begin session hooks.
Try to make sudo less vulnerable to ROWHAMMER attacks. We now use ROWHAMMER-resistent values for ALLOW, DENY, AUTH_SUCCESS, AUTH_FAILURE, AUTH_ERROR and AUTH_NONINTERACTIVE. In addition, we explicitly test for expected values instead of using a negated test against an error value. In the parser match functions this means explicitly checking for ALLOW or DENY instead of accepting anything that is not set to UNSPEC. Thanks to Andrew J. Adiletta, M. Caner Tol, Yarkin Doroz, and Berk Sunar, all affiliated with the Vernam Applied Cryptography and Cybersecurity Lab at Worcester Polytechnic Institute, for the report. Paper preprint: https://arxiv.org/abs/2309.02545
2023-09-09 14:07:04 -06:00
* Returns true on success, false on failure and -1 on error.
Move log_denial() calls and logic to log_failure(). Move authentication failure logging to log_auth_failure(). Both of these call audit_failure() for us. This subtly changes logging for commands that are denied by sudoers but where the user failed to enter the correct password. Previously, these would be logged as "N incorrect password attempts" but now are logged as "command not allowed". Fixes bug #563
2012-07-10 12:42:33 -04:00
*/
Modify the authentication API such that the init and cleanup functions are always called, regardless of whether or not we are going to verify a password. This is needed for proper PAM session support.
2011-09-27 13:18:46 -04:00
int
Make struct sudoers_context private to sudoers.c. We now pass a pointer to the context where necessary. There are a few cases where we need to request the context from sudoers via sudoers_get_context() for the plugin API functions. If the plugin API was able to pass around a closure pointer this would not be necessary.
2023-08-21 09:21:49 -06:00
sudo_auth_begin_session(const struct sudoers_context *ctx, struct passwd *pw,
char **user_env[])
Add open/close session to sudo auth, only used by PAM. This allows us to open (and close) the PAM session from sudoers.
2010-05-26 17:57:47 -04:00
{
sudo_auth *auth;
Try to make sudo less vulnerable to ROWHAMMER attacks. We now use ROWHAMMER-resistent values for ALLOW, DENY, AUTH_SUCCESS, AUTH_FAILURE, AUTH_ERROR and AUTH_NONINTERACTIVE. In addition, we explicitly test for expected values instead of using a negated test against an error value. In the parser match functions this means explicitly checking for ALLOW or DENY instead of accepting anything that is not set to UNSPEC. Thanks to Andrew J. Adiletta, M. Caner Tol, Yarkin Doroz, and Berk Sunar, all affiliated with the Vernam Applied Cryptography and Cybersecurity Lab at Worcester Polytechnic Institute, for the report. Paper preprint: https://arxiv.org/abs/2309.02545
2023-09-09 14:07:04 -06:00
int ret = true;
debug_decl and debug_decl_vars now require a semicolon at the end.
2019-12-22 08:48:16 -07:00
debug_decl(sudo_auth_begin_session, SUDOERS_DEBUG_AUTH);
Add open/close session to sudo auth, only used by PAM. This allows us to open (and close) the PAM session from sudoers.
2010-05-26 17:57:47 -04:00
for (auth = auth_switch; auth->name; auth++) {
Clean up the sudoers auth API a bit and update the docs.
2010-05-27 14:53:11 -04:00
if (auth->begin_session && !IS_DISABLED(auth)) {
Make struct sudoers_context private to sudoers.c. We now pass a pointer to the context where necessary. There are a few cases where we need to request the context from sudoers via sudoers_get_context() for the plugin API functions. If the plugin API was able to pass around a closure pointer this would not be necessary.
2023-08-21 09:21:49 -06:00
int status = (auth->begin_session)(ctx, pw, user_env, auth);
Try to make sudo less vulnerable to ROWHAMMER attacks. We now use ROWHAMMER-resistent values for ALLOW, DENY, AUTH_SUCCESS, AUTH_FAILURE, AUTH_ERROR and AUTH_NONINTERACTIVE. In addition, we explicitly test for expected values instead of using a negated test against an error value. In the parser match functions this means explicitly checking for ALLOW or DENY instead of accepting anything that is not set to UNSPEC. Thanks to Andrew J. Adiletta, M. Caner Tol, Yarkin Doroz, and Berk Sunar, all affiliated with the Vernam Applied Cryptography and Cybersecurity Lab at Worcester Polytechnic Institute, for the report. Paper preprint: https://arxiv.org/abs/2309.02545
2023-09-09 14:07:04 -06:00
switch (status) {
case AUTH_SUCCESS:
break;
case AUTH_FAILURE:
ret = false;
break;
default:
Add an approval function to the sudo auth API which is run after the user's password has been verified. The approval function is run even if no password is required. This is currently only used for PAM (use pam_acct_mgmt) and BSD auth (auth_approval).
2018-01-16 10:27:58 -07:00
/* Assume error msg already printed. */
Try to make sudo less vulnerable to ROWHAMMER attacks. We now use ROWHAMMER-resistent values for ALLOW, DENY, AUTH_SUCCESS, AUTH_FAILURE, AUTH_ERROR and AUTH_NONINTERACTIVE. In addition, we explicitly test for expected values instead of using a negated test against an error value. In the parser match functions this means explicitly checking for ALLOW or DENY instead of accepting anything that is not set to UNSPEC. Thanks to Andrew J. Adiletta, M. Caner Tol, Yarkin Doroz, and Berk Sunar, all affiliated with the Vernam Applied Cryptography and Cybersecurity Lab at Worcester Polytechnic Institute, for the report. Paper preprint: https://arxiv.org/abs/2309.02545
2023-09-09 14:07:04 -06:00
ret = -1;
break;
Add an approval function to the sudo auth API which is run after the user's password has been verified. The approval function is run even if no password is required. This is currently only used for PAM (use pam_acct_mgmt) and BSD auth (auth_approval).
2018-01-16 10:27:58 -07:00
}
Add open/close session to sudo auth, only used by PAM. This allows us to open (and close) the PAM session from sudoers.
2010-05-26 17:57:47 -04:00
}
}
Try to make sudo less vulnerable to ROWHAMMER attacks. We now use ROWHAMMER-resistent values for ALLOW, DENY, AUTH_SUCCESS, AUTH_FAILURE, AUTH_ERROR and AUTH_NONINTERACTIVE. In addition, we explicitly test for expected values instead of using a negated test against an error value. In the parser match functions this means explicitly checking for ALLOW or DENY instead of accepting anything that is not set to UNSPEC. Thanks to Andrew J. Adiletta, M. Caner Tol, Yarkin Doroz, and Berk Sunar, all affiliated with the Vernam Applied Cryptography and Cybersecurity Lab at Worcester Polytechnic Institute, for the report. Paper preprint: https://arxiv.org/abs/2309.02545
2023-09-09 14:07:04 -06:00
debug_return_int(ret);
Add open/close session to sudo auth, only used by PAM. This allows us to open (and close) the PAM session from sudoers.
2010-05-26 17:57:47 -04:00
}
Dummy out close function if there is no end_session for the auth method and the front-end can handle a NULL close function. Avoids the extra sudo process when we don't actually need it.
2013-02-24 05:54:57 -05:00
bool
sudo_auth_needs_end_session(void)
{
sudo_auth *auth;
bool needed = false;
debug_decl and debug_decl_vars now require a semicolon at the end.
2019-12-22 08:48:16 -07:00
debug_decl(sudo_auth_needs_end_session, SUDOERS_DEBUG_AUTH);
Dummy out close function if there is no end_session for the auth method and the front-end can handle a NULL close function. Avoids the extra sudo process when we don't actually need it.
2013-02-24 05:54:57 -05:00
for (auth = auth_switch; auth->name; auth++) {
if (auth->end_session && !IS_DISABLED(auth)) {
needed = true;
break;
}
}
debug_return_bool(needed);
}
Move log_denial() calls and logic to log_failure(). Move authentication failure logging to log_auth_failure(). Both of these call audit_failure() for us. This subtly changes logging for commands that are denied by sudoers but where the user failed to enter the correct password. Previously, these would be logged as "N incorrect password attempts" but now are logged as "command not allowed". Fixes bug #563
2012-07-10 12:42:33 -04:00
/*
* Call authentication method end session hooks.
Try to make sudo less vulnerable to ROWHAMMER attacks. We now use ROWHAMMER-resistent values for ALLOW, DENY, AUTH_SUCCESS, AUTH_FAILURE, AUTH_ERROR and AUTH_NONINTERACTIVE. In addition, we explicitly test for expected values instead of using a negated test against an error value. In the parser match functions this means explicitly checking for ALLOW or DENY instead of accepting anything that is not set to UNSPEC. Thanks to Andrew J. Adiletta, M. Caner Tol, Yarkin Doroz, and Berk Sunar, all affiliated with the Vernam Applied Cryptography and Cybersecurity Lab at Worcester Polytechnic Institute, for the report. Paper preprint: https://arxiv.org/abs/2309.02545
2023-09-09 14:07:04 -06:00
* Returns true on success, false on failure and -1 on error.
Move log_denial() calls and logic to log_failure(). Move authentication failure logging to log_auth_failure(). Both of these call audit_failure() for us. This subtly changes logging for commands that are denied by sudoers but where the user failed to enter the correct password. Previously, these would be logged as "N incorrect password attempts" but now are logged as "command not allowed". Fixes bug #563
2012-07-10 12:42:33 -04:00
*/
Modify the authentication API such that the init and cleanup functions are always called, regardless of whether or not we are going to verify a password. This is needed for proper PAM session support.
2011-09-27 13:18:46 -04:00
int
Make struct sudoers_context private to sudoers.c. We now pass a pointer to the context where necessary. There are a few cases where we need to request the context from sudoers via sudoers_get_context() for the plugin API functions. If the plugin API was able to pass around a closure pointer this would not be necessary.
2023-08-21 09:21:49 -06:00
sudo_auth_end_session(void)
Add open/close session to sudo auth, only used by PAM. This allows us to open (and close) the PAM session from sudoers.
2010-05-26 17:57:47 -04:00
{
sudo_auth *auth;
Try to make sudo less vulnerable to ROWHAMMER attacks. We now use ROWHAMMER-resistent values for ALLOW, DENY, AUTH_SUCCESS, AUTH_FAILURE, AUTH_ERROR and AUTH_NONINTERACTIVE. In addition, we explicitly test for expected values instead of using a negated test against an error value. In the parser match functions this means explicitly checking for ALLOW or DENY instead of accepting anything that is not set to UNSPEC. Thanks to Andrew J. Adiletta, M. Caner Tol, Yarkin Doroz, and Berk Sunar, all affiliated with the Vernam Applied Cryptography and Cybersecurity Lab at Worcester Polytechnic Institute, for the report. Paper preprint: https://arxiv.org/abs/2309.02545
2023-09-09 14:07:04 -06:00
int ret = true;
Add an approval function to the sudo auth API which is run after the user's password has been verified. The approval function is run even if no password is required. This is currently only used for PAM (use pam_acct_mgmt) and BSD auth (auth_approval).
2018-01-16 10:27:58 -07:00
int status;
debug_decl and debug_decl_vars now require a semicolon at the end.
2019-12-22 08:48:16 -07:00
debug_decl(sudo_auth_end_session, SUDOERS_DEBUG_AUTH);
Add open/close session to sudo auth, only used by PAM. This allows us to open (and close) the PAM session from sudoers.
2010-05-26 17:57:47 -04:00
for (auth = auth_switch; auth->name; auth++) {
Clean up the sudoers auth API a bit and update the docs.
2010-05-27 14:53:11 -04:00
if (auth->end_session && !IS_DISABLED(auth)) {
Make struct sudoers_context private to sudoers.c. We now pass a pointer to the context where necessary. There are a few cases where we need to request the context from sudoers via sudoers_get_context() for the plugin API functions. If the plugin API was able to pass around a closure pointer this would not be necessary.
2023-08-21 09:21:49 -06:00
status = (auth->end_session)(auth);
Try to make sudo less vulnerable to ROWHAMMER attacks. We now use ROWHAMMER-resistent values for ALLOW, DENY, AUTH_SUCCESS, AUTH_FAILURE, AUTH_ERROR and AUTH_NONINTERACTIVE. In addition, we explicitly test for expected values instead of using a negated test against an error value. In the parser match functions this means explicitly checking for ALLOW or DENY instead of accepting anything that is not set to UNSPEC. Thanks to Andrew J. Adiletta, M. Caner Tol, Yarkin Doroz, and Berk Sunar, all affiliated with the Vernam Applied Cryptography and Cybersecurity Lab at Worcester Polytechnic Institute, for the report. Paper preprint: https://arxiv.org/abs/2309.02545
2023-09-09 14:07:04 -06:00
switch (status) {
case AUTH_SUCCESS:
break;
case AUTH_FAILURE:
ret = false;
break;
default:
Add an approval function to the sudo auth API which is run after the user's password has been verified. The approval function is run even if no password is required. This is currently only used for PAM (use pam_acct_mgmt) and BSD auth (auth_approval).
2018-01-16 10:27:58 -07:00
/* Assume error msg already printed. */
Try to make sudo less vulnerable to ROWHAMMER attacks. We now use ROWHAMMER-resistent values for ALLOW, DENY, AUTH_SUCCESS, AUTH_FAILURE, AUTH_ERROR and AUTH_NONINTERACTIVE. In addition, we explicitly test for expected values instead of using a negated test against an error value. In the parser match functions this means explicitly checking for ALLOW or DENY instead of accepting anything that is not set to UNSPEC. Thanks to Andrew J. Adiletta, M. Caner Tol, Yarkin Doroz, and Berk Sunar, all affiliated with the Vernam Applied Cryptography and Cybersecurity Lab at Worcester Polytechnic Institute, for the report. Paper preprint: https://arxiv.org/abs/2309.02545
2023-09-09 14:07:04 -06:00
ret = -1;
break;
Add an approval function to the sudo auth API which is run after the user's password has been verified. The approval function is run even if no password is required. This is currently only used for PAM (use pam_acct_mgmt) and BSD auth (auth_approval).
2018-01-16 10:27:58 -07:00
}
Add open/close session to sudo auth, only used by PAM. This allows us to open (and close) the PAM session from sudoers.
2010-05-26 17:57:47 -04:00
}
}
Try to make sudo less vulnerable to ROWHAMMER attacks. We now use ROWHAMMER-resistent values for ALLOW, DENY, AUTH_SUCCESS, AUTH_FAILURE, AUTH_ERROR and AUTH_NONINTERACTIVE. In addition, we explicitly test for expected values instead of using a negated test against an error value. In the parser match functions this means explicitly checking for ALLOW or DENY instead of accepting anything that is not set to UNSPEC. Thanks to Andrew J. Adiletta, M. Caner Tol, Yarkin Doroz, and Berk Sunar, all affiliated with the Vernam Applied Cryptography and Cybersecurity Lab at Worcester Polytechnic Institute, for the report. Paper preprint: https://arxiv.org/abs/2309.02545
2023-09-09 14:07:04 -06:00
debug_return_int(ret);
Add open/close session to sudo auth, only used by PAM. This allows us to open (and close) the PAM session from sudoers.
2010-05-26 17:57:47 -04:00
}
auth_getpass() returns a dynamically allocated copy of the plaintext password which needs to be freed after checking (and clearing) it.
2016-01-27 15:36:50 -07:00
/*
* Prompts the user for a password using the conversation function.
* Returns the plaintext password or NULL.
* The user is responsible for freeing the returned value.
*/
Initial bits of sudoers plugin; still needs work.
2010-03-14 19:58:47 -04:00
char *
Store passwd_timeout and timestamp_timeout as a struct timespec instead of as a float. Remove timeout argument to auth_getpass() as it was never used.
2018-01-22 12:18:48 -07:00
auth_getpass(const char *prompt, int type, struct sudo_conv_callback *callback)
Initial bits of sudoers plugin; still needs work.
2010-03-14 19:58:47 -04:00
{
struct sudo_conv_message msg;
struct sudo_conv_reply repl;
Block SIGINT and SIGQUIT while verifying passwords so that authentication modules that use sleep() are not interrupted. If the user interrupted authentication, exit the loop.
2014-09-27 10:16:31 -06:00
sigset_t mask, omask;
debug_decl and debug_decl_vars now require a semicolon at the end.
2019-12-22 08:48:16 -07:00
debug_decl(auth_getpass, SUDOERS_DEBUG_AUTH);
Initial bits of sudoers plugin; still needs work.
2010-03-14 19:58:47 -04:00
Display the lecture immediately before prompting for a password. This means we no longer display the lecture unless the user is going to enter a password. Authentication methods that don't interact with the user via the terminal don't trigger the lecture.
2022-02-21 19:34:06 -07:00
/* Display lecture if needed and we haven't already done so. */
display_lecture(callback);
Add SUDO_CONV_PROMPT_MASK define which corresponds to the "pwfeedback" sudoers option. Do not disable echo if TGP_ECHO is set.
2010-06-09 10:31:05 -04:00
/* Mask user input if pwfeedback set and echo is off. */
if (type == SUDO_CONV_PROMPT_ECHO_OFF && def_pwfeedback)
type = SUDO_CONV_PROMPT_MASK;
Fix visiblepw sudoers option; the plugin API portion still needs documenting
2010-06-10 15:02:32 -04:00
/* If visiblepw set, do not error out if there is no tty. */
if (def_visiblepw)
type |= SUDO_CONV_PROMPT_ECHO_OK;
Block SIGINT and SIGQUIT while verifying passwords so that authentication modules that use sleep() are not interrupted. If the user interrupted authentication, exit the loop.
2014-09-27 10:16:31 -06:00
/* Unblock SIGINT and SIGQUIT during password entry. */
/* XXX - do in tgetpass() itself instead? */
sigemptyset(&mask);
sigaddset(&mask, SIGINT);
sigaddset(&mask, SIGQUIT);
(void) sigprocmask(SIG_UNBLOCK, &mask, &omask);
/* Call conversation function. */
Initial bits of sudoers plugin; still needs work.
2010-03-14 19:58:47 -04:00
memset(&msg, 0, sizeof(msg));
Add SUDO_CONV_PROMPT_MASK define which corresponds to the "pwfeedback" sudoers option. Do not disable echo if TGP_ECHO is set.
2010-06-09 10:31:05 -04:00
msg.msg_type = type;
sudoers plugin: silence most -Wconversion warnings.
2023-07-07 15:07:04 -06:00
msg.timeout = (int)def_passwd_timeout.tv_sec;
Initial bits of sudoers plugin; still needs work.
2010-03-14 19:58:47 -04:00
msg.msg = prompt;
memset(&repl, 0, sizeof(repl));
Add a struct sudo_conv_callback that contains on_suspend and on_resume function pointer args plus a closure pointer and at it to the conversation function.
2015-09-07 06:06:08 -06:00
sudo_conv(1, &msg, &repl, callback);
Initial bits of sudoers plugin; still needs work.
2010-03-14 19:58:47 -04:00
/* XXX - check for ENOTTY? */
Block SIGINT and SIGQUIT while verifying passwords so that authentication modules that use sleep() are not interrupted. If the user interrupted authentication, exit the loop.
2014-09-27 10:16:31 -06:00
/* Restore previous signal mask. */
(void) sigprocmask(SIG_SETMASK, &omask, NULL);
Add debug_decl/debug_return (almost) everywhere. Remove old sudo_debug() and convert users to sudo_debug_printf().
2011-10-22 14:40:21 -04:00
debug_return_str_masked(repl.reply);
Initial bits of sudoers plugin; still needs work.
2010-03-14 19:58:47 -04:00
}
Add support for "Defaults" line in sudoers to make configuration variables changable at runtime (and on a global, per-host and per-user basis). Both the names and the internal representation are still subject to change. It was necessary to make sudo_user.runas but a char ** instead of a char * since this value can be changed by a Defaults line. There is a similar (but more complicated) issue with sudo_user.prompt but it is handled differently at the moment. Add a "-L" flag to list the name of options with their descriptions. This may only be temporary. Move some prototypes to parse.h Be much less restrictive on what is allowed for a username.
1999-09-08 08:06:28 +00:00
void
Initial bits of sudoers plugin; still needs work.
2010-03-14 19:58:47 -04:00
dump_auth_methods(void)
Add support for "Defaults" line in sudoers to make configuration variables changable at runtime (and on a global, per-host and per-user basis). Both the names and the internal representation are still subject to change. It was necessary to make sudo_user.runas but a char ** instead of a char * since this value can be changed by a Defaults line. There is a similar (but more complicated) issue with sudo_user.prompt but it is handled differently at the moment. Add a "-L" flag to list the name of options with their descriptions. This may only be temporary. Move some prototypes to parse.h Be much less restrictive on what is allowed for a username.
1999-09-08 08:06:28 +00:00
{
sudo_auth *auth;
debug_decl and debug_decl_vars now require a semicolon at the end.
2019-12-22 08:48:16 -07:00
debug_decl(dump_auth_methods, SUDOERS_DEBUG_AUTH);
Add support for "Defaults" line in sudoers to make configuration variables changable at runtime (and on a global, per-host and per-user basis). Both the names and the internal representation are still subject to change. It was necessary to make sudo_user.runas but a char ** instead of a char * since this value can be changed by a Defaults line. There is a similar (but more complicated) issue with sudo_user.prompt but it is handled differently at the moment. Add a "-L" flag to list the name of options with their descriptions. This may only be temporary. Move some prototypes to parse.h Be much less restrictive on what is allowed for a username.
1999-09-08 08:06:28 +00:00
Prepare sudoers module messages for translation.
2011-05-16 16:32:05 -04:00
sudo_printf(SUDO_CONV_INFO_MSG, _("Authentication methods:"));
Add support for "Defaults" line in sudoers to make configuration variables changable at runtime (and on a global, per-host and per-user basis). Both the names and the internal representation are still subject to change. It was necessary to make sudo_user.runas but a char ** instead of a char * since this value can be changed by a Defaults line. There is a similar (but more complicated) issue with sudo_user.prompt but it is handled differently at the moment. Add a "-L" flag to list the name of options with their descriptions. This may only be temporary. Move some prototypes to parse.h Be much less restrictive on what is allowed for a username.
1999-09-08 08:06:28 +00:00
for (auth = auth_switch; auth->name; auth++)
Use sudo_printf to display verbose version information.
2010-05-28 12:01:06 -04:00
sudo_printf(SUDO_CONV_INFO_MSG, " '%s'", auth->name);
sudo_printf(SUDO_CONV_INFO_MSG, "\n");
Add debug_decl/debug_return (almost) everywhere. Remove old sudo_debug() and convert users to sudo_debug_printf().
2011-10-22 14:40:21 -04:00
debug_return;
Add support for "Defaults" line in sudoers to make configuration variables changable at runtime (and on a global, per-host and per-user basis). Both the names and the internal representation are still subject to change. It was necessary to make sudo_user.runas but a char ** instead of a char * since this value can be changed by a Defaults line. There is a similar (but more complicated) issue with sudo_user.prompt but it is handled differently at the moment. Add a "-L" flag to list the name of options with their descriptions. This may only be temporary. Move some prototypes to parse.h Be much less restrictive on what is allowed for a username.
1999-09-08 08:06:28 +00:00
}
Reference in New Issue Copy Permalink