1999-07-11 00:32:11 +00:00
|
|
|
/*
|
2018-01-16 10:27:58 -07:00
|
|
|
* Copyright (c) 1999-2005, 2007-2018 Todd C. Miller <Todd.Miller@sudo.ws>
|
1999-07-11 00:32:11 +00:00
|
|
|
*
|
2004-02-13 21:36:47 +00:00
|
|
|
* Permission to use, copy, modify, and distribute this software for any
|
|
|
|
|
* purpose with or without fee is hereby granted, provided that the above
|
|
|
|
|
* copyright notice and this permission notice appear in all copies.
|
1999-07-31 16:19:50 +00:00
|
|
|
*
|
2004-02-13 21:36:47 +00:00
|
|
|
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
|
|
|
|
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
|
|
|
|
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
|
|
|
|
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
|
|
|
|
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
|
|
|
|
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
|
|
|
|
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
2003-04-16 00:42:10 +00:00
|
|
|
*
|
|
|
|
|
* Sponsored in part by the Defense Advanced Research Projects
|
|
|
|
|
* Agency (DARPA) and Air Force Research Laboratory, Air Force
|
|
|
|
|
* Materiel Command, USAF, under agreement number F39502-99-1-0512.
|
1999-07-11 00:32:11 +00:00
|
|
|
*/
|
|
|
|
|
|
2018-10-26 08:39:09 -06:00
|
|
|
/*
|
|
|
|
|
* This is an open source non-commercial project. Dear PVS-Studio, please check it.
|
|
|
|
|
* PVS-Studio Static Code Analyzer for C, C++ and C#: http://www.viva64.com
|
|
|
|
|
*/
|
2018-10-21 08:46:05 -06:00
|
|
|
|
2004-11-19 18:39:14 +00:00
|
|
|
#include <config.h>
|
1999-07-11 00:32:11 +00:00
|
|
|
|
2015-05-21 11:07:13 -06:00
|
|
|
#ifdef HAVE_PAM
|
|
|
|
|
|
2001-12-14 19:52:54 +00:00
|
|
|
#include <sys/types.h>
|
1999-07-11 00:32:11 +00:00
|
|
|
#include <stdio.h>
|
2015-06-19 14:29:27 -06:00
|
|
|
#include <stdlib.h>
|
1999-07-11 00:32:11 +00:00
|
|
|
#ifdef HAVE_STRING_H
|
2001-12-14 19:52:54 +00:00
|
|
|
# include <string.h>
|
1999-07-11 00:32:11 +00:00
|
|
|
#endif /* HAVE_STRING_H */
|
2010-06-29 13:08:05 -04:00
|
|
|
#ifdef HAVE_STRINGS_H
|
|
|
|
|
# include <strings.h>
|
|
|
|
|
#endif /* HAVE_STRINGS_H */
|
2015-07-02 09:08:28 -06:00
|
|
|
#include <unistd.h>
|
1999-07-11 00:32:11 +00:00
|
|
|
#include <pwd.h>
|
2008-11-22 18:17:44 +00:00
|
|
|
#include <errno.h>
|
1999-07-11 00:32:11 +00:00
|
|
|
|
2004-01-09 19:35:54 +00:00
|
|
|
#ifdef HAVE_PAM_PAM_APPL_H
|
|
|
|
|
# include <pam/pam_appl.h>
|
|
|
|
|
#else
|
|
|
|
|
# include <security/pam_appl.h>
|
|
|
|
|
#endif
|
1999-07-11 00:32:11 +00:00
|
|
|
|
2011-05-04 15:26:31 -04:00
|
|
|
#ifdef HAVE_LIBINTL_H
|
2007-12-01 16:22:25 +00:00
|
|
|
# if defined(__LINUX_PAM__)
|
|
|
|
|
# define PAM_TEXT_DOMAIN "Linux-PAM"
|
|
|
|
|
# elif defined(__sun__)
|
|
|
|
|
# define PAM_TEXT_DOMAIN "SUNW_OST_SYSOSPAM"
|
|
|
|
|
# endif
|
|
|
|
|
#endif
|
|
|
|
|
|
2013-04-09 09:40:36 -04:00
|
|
|
/* We don't want to translate the strings in the calls to dgt(). */
|
|
|
|
|
#ifdef PAM_TEXT_DOMAIN
|
|
|
|
|
# define dgt(d, t) dgettext(d, t)
|
|
|
|
|
#endif
|
|
|
|
|
|
2010-03-14 19:58:47 -04:00
|
|
|
#include "sudoers.h"
|
1999-07-11 00:32:11 +00:00
|
|
|
#include "sudo_auth.h"
|
|
|
|
|
|
2004-01-09 19:39:00 +00:00
|
|
|
/* Only OpenPAM and Linux PAM use const qualifiers. */
|
2016-03-09 09:39:46 -07:00
|
|
|
#ifdef PAM_SUN_CODEBASE
|
|
|
|
|
# define PAM_CONST
|
|
|
|
|
#else
|
2004-01-09 19:39:00 +00:00
|
|
|
# define PAM_CONST const
|
2016-03-09 09:39:46 -07:00
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
/* Ambiguity in spec: is it an array of pointers or a pointer to an array? */
|
|
|
|
|
#ifdef PAM_SUN_CODEBASE
|
|
|
|
|
# define PAM_MSG_GET(msg, n) (*(msg) + (n))
|
2004-01-09 19:39:00 +00:00
|
|
|
#else
|
2016-03-09 09:39:46 -07:00
|
|
|
# define PAM_MSG_GET(msg, n) ((msg)[(n)])
|
2004-01-09 19:39:00 +00:00
|
|
|
#endif
|
|
|
|
|
|
2001-12-31 17:18:12 +00:00
|
|
|
#ifndef PAM_DATA_SILENT
|
|
|
|
|
#define PAM_DATA_SILENT 0
|
|
|
|
|
#endif
|
|
|
|
|
|
2013-03-07 16:17:44 -05:00
|
|
|
static int converse(int, PAM_CONST struct pam_message **,
|
|
|
|
|
struct pam_response **, void *);
|
2015-09-07 06:06:08 -06:00
|
|
|
static struct sudo_conv_callback *conv_callback;
|
|
|
|
|
static struct pam_conv pam_conv = { converse, &conv_callback };
|
2014-09-27 10:24:19 -06:00
|
|
|
static char *def_prompt = PASSPROMPT;
|
2015-02-23 11:12:45 -07:00
|
|
|
static bool getpass_error;
|
2010-05-26 17:57:47 -04:00
|
|
|
static pam_handle_t *pamh;
|
2003-06-29 01:31:55 +00:00
|
|
|
|
2016-03-22 16:31:28 -06:00
|
|
|
static int
|
|
|
|
|
sudo_pam_init2(struct passwd *pw, sudo_auth *auth, bool quiet)
|
1999-07-11 00:32:11 +00:00
|
|
|
{
|
2016-03-22 16:31:28 -06:00
|
|
|
static int pam_status = PAM_SUCCESS;
|
2019-04-08 08:50:03 -06:00
|
|
|
const char *tty = user_ttypath;
|
2015-08-10 10:56:47 -06:00
|
|
|
int rc;
|
2015-02-01 08:24:49 -07:00
|
|
|
debug_decl(sudo_pam_init, SUDOERS_DEBUG_AUTH)
|
1999-07-11 00:32:11 +00:00
|
|
|
|
2016-03-22 16:31:28 -06:00
|
|
|
/* Stash pointer to last pam status. */
|
|
|
|
|
auth->data = &pam_status;
|
|
|
|
|
|
|
|
|
|
#ifdef _AIX
|
|
|
|
|
if (pamh != NULL) {
|
|
|
|
|
/* Already initialized (may happen with AIX). */
|
|
|
|
|
debug_return_int(AUTH_SUCCESS);
|
|
|
|
|
}
|
|
|
|
|
#endif /* _AIX */
|
|
|
|
|
|
1999-07-11 00:32:11 +00:00
|
|
|
/* Initial PAM setup */
|
2013-08-06 11:01:36 -06:00
|
|
|
pam_status = pam_start(ISSET(sudo_mode, MODE_LOGIN_SHELL) ?
|
|
|
|
|
def_pam_login_service : def_pam_service, pw->pw_name, &pam_conv, &pamh);
|
2003-06-29 01:31:55 +00:00
|
|
|
if (pam_status != PAM_SUCCESS) {
|
2016-03-22 16:31:28 -06:00
|
|
|
if (!quiet)
|
|
|
|
|
log_warning(0, N_("unable to initialize PAM"));
|
2011-10-22 14:40:21 -04:00
|
|
|
debug_return_int(AUTH_FATAL);
|
1999-07-11 00:32:11 +00:00
|
|
|
}
|
2009-08-07 14:21:51 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Set PAM_RUSER to the invoking user (the "from" user).
|
|
|
|
|
* We set PAM_RHOST to avoid a bug in Solaris 7 and below.
|
|
|
|
|
*/
|
2015-08-10 10:56:47 -06:00
|
|
|
rc = pam_set_item(pamh, PAM_RUSER, user_name);
|
|
|
|
|
if (rc != PAM_SUCCESS) {
|
|
|
|
|
const char *errstr = pam_strerror(pamh, rc);
|
|
|
|
|
sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
|
|
|
|
|
"pam_set_item(pamh, PAM_RUSER, %s): %s", user_name,
|
|
|
|
|
errstr ? errstr : "unknown error");
|
|
|
|
|
}
|
2010-07-13 08:56:31 -04:00
|
|
|
#ifdef __sun__
|
2015-08-10 10:56:47 -06:00
|
|
|
rc = pam_set_item(pamh, PAM_RHOST, user_host);
|
|
|
|
|
if (rc != PAM_SUCCESS) {
|
|
|
|
|
const char *errstr = pam_strerror(pamh, rc);
|
|
|
|
|
sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
|
|
|
|
|
"pam_set_item(pamh, PAM_RHOST, %s): %s", user_host,
|
|
|
|
|
errstr ? errstr : "unknown error");
|
|
|
|
|
}
|
2010-07-13 08:56:31 -04:00
|
|
|
#endif
|
2009-08-07 14:21:51 +00:00
|
|
|
|
2019-04-08 08:50:03 -06:00
|
|
|
#if defined(__LINUX_PAM__) || defined(__sun__)
|
2007-07-22 12:13:07 +00:00
|
|
|
/*
|
2019-04-08 08:50:03 -06:00
|
|
|
* Some PAM modules assume PAM_TTY is set and will misbehave (or crash)
|
|
|
|
|
* if it is not. Known offenders include pam_lastlog and pam_time.
|
2007-07-22 12:13:07 +00:00
|
|
|
*/
|
2019-04-08 08:50:03 -06:00
|
|
|
if (tty == NULL)
|
|
|
|
|
tty = "";
|
|
|
|
|
#endif
|
|
|
|
|
if (tty != NULL) {
|
|
|
|
|
rc = pam_set_item(pamh, PAM_TTY, tty);
|
|
|
|
|
if (rc != PAM_SUCCESS) {
|
|
|
|
|
const char *errstr = pam_strerror(pamh, rc);
|
|
|
|
|
sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
|
|
|
|
|
"pam_set_item(pamh, PAM_TTY, %s): %s", tty,
|
|
|
|
|
errstr ? errstr : "unknown error");
|
|
|
|
|
}
|
2015-08-10 10:56:47 -06:00
|
|
|
}
|
2000-05-09 15:52:31 +00:00
|
|
|
|
2013-08-06 14:44:21 -06:00
|
|
|
/*
|
|
|
|
|
* If PAM session and setcred support is disabled we don't
|
|
|
|
|
* need to keep a sudo process around to close the session.
|
|
|
|
|
*/
|
|
|
|
|
if (!def_pam_session && !def_pam_setcred)
|
|
|
|
|
auth->end_session = NULL;
|
|
|
|
|
|
2011-10-22 14:40:21 -04:00
|
|
|
debug_return_int(AUTH_SUCCESS);
|
1999-07-11 00:32:11 +00:00
|
|
|
}
|
|
|
|
|
|
2016-03-22 16:31:28 -06:00
|
|
|
int
|
|
|
|
|
sudo_pam_init(struct passwd *pw, sudo_auth *auth)
|
|
|
|
|
{
|
|
|
|
|
return sudo_pam_init2(pw, auth, false);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#ifdef _AIX
|
|
|
|
|
int
|
|
|
|
|
sudo_pam_init_quiet(struct passwd *pw, sudo_auth *auth)
|
|
|
|
|
{
|
|
|
|
|
return sudo_pam_init2(pw, auth, true);
|
|
|
|
|
}
|
|
|
|
|
#endif /* _AIX */
|
|
|
|
|
|
1999-07-11 00:32:11 +00:00
|
|
|
int
|
2015-09-07 06:06:08 -06:00
|
|
|
sudo_pam_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_conv_callback *callback)
|
1999-07-11 00:32:11 +00:00
|
|
|
{
|
1999-11-23 18:06:45 +00:00
|
|
|
const char *s;
|
2003-06-29 01:31:55 +00:00
|
|
|
int *pam_status = (int *) auth->data;
|
2015-02-01 08:24:49 -07:00
|
|
|
debug_decl(sudo_pam_verify, SUDOERS_DEBUG_AUTH)
|
1999-07-11 00:32:11 +00:00
|
|
|
|
2010-03-14 20:47:56 -04:00
|
|
|
def_prompt = prompt; /* for converse */
|
2015-02-23 11:12:45 -07:00
|
|
|
getpass_error = false; /* set by converse if user presses ^C */
|
2015-09-07 06:06:08 -06:00
|
|
|
conv_callback = callback; /* passed to conversation function */
|
1999-07-11 09:33:01 +00:00
|
|
|
|
2001-12-31 17:18:12 +00:00
|
|
|
/* PAM_SILENT prevents the authentication service from generating output. */
|
2003-06-29 01:31:55 +00:00
|
|
|
*pam_status = pam_authenticate(pamh, PAM_SILENT);
|
2015-02-23 11:12:45 -07:00
|
|
|
if (getpass_error) {
|
|
|
|
|
/* error or ^C from tgetpass() */
|
|
|
|
|
debug_return_int(AUTH_INTR);
|
|
|
|
|
}
|
2003-06-29 01:31:55 +00:00
|
|
|
switch (*pam_status) {
|
2001-12-31 17:18:12 +00:00
|
|
|
case PAM_SUCCESS:
|
2018-01-16 10:27:58 -07:00
|
|
|
debug_return_int(AUTH_SUCCESS);
|
2001-12-31 17:18:12 +00:00
|
|
|
case PAM_AUTH_ERR:
|
2012-04-11 19:51:56 -04:00
|
|
|
case PAM_AUTHINFO_UNAVAIL:
|
2001-12-31 17:18:12 +00:00
|
|
|
case PAM_MAXTRIES:
|
2005-02-05 15:22:46 +00:00
|
|
|
case PAM_PERM_DENIED:
|
2015-08-10 10:56:47 -06:00
|
|
|
sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO,
|
2018-01-16 10:27:58 -07:00
|
|
|
"pam_authenticate: %d", *pam_status);
|
2011-10-22 14:40:21 -04:00
|
|
|
debug_return_int(AUTH_FAILURE);
|
2001-12-31 17:18:12 +00:00
|
|
|
default:
|
2013-04-11 09:09:53 -04:00
|
|
|
if ((s = pam_strerror(pamh, *pam_status)) != NULL)
|
2014-05-02 20:54:01 -06:00
|
|
|
log_warningx(0, N_("PAM authentication error: %s"), s);
|
2011-10-22 14:40:21 -04:00
|
|
|
debug_return_int(AUTH_FATAL);
|
1999-11-23 18:06:45 +00:00
|
|
|
}
|
1999-07-11 00:32:11 +00:00
|
|
|
}
|
|
|
|
|
|
2018-01-16 10:27:58 -07:00
|
|
|
int
|
2018-07-26 12:31:29 -06:00
|
|
|
sudo_pam_approval(struct passwd *pw, sudo_auth *auth, bool exempt)
|
2018-01-16 10:27:58 -07:00
|
|
|
{
|
|
|
|
|
const char *s;
|
2018-12-07 09:51:34 -07:00
|
|
|
int rc, status = AUTH_SUCCESS;
|
2018-01-16 10:27:58 -07:00
|
|
|
int *pam_status = (int *) auth->data;
|
|
|
|
|
debug_decl(sudo_pam_approval, SUDOERS_DEBUG_AUTH)
|
|
|
|
|
|
2018-12-07 09:51:34 -07:00
|
|
|
rc = pam_acct_mgmt(pamh, PAM_SILENT);
|
|
|
|
|
switch (rc) {
|
2018-01-16 10:27:58 -07:00
|
|
|
case PAM_SUCCESS:
|
2018-12-07 09:51:34 -07:00
|
|
|
break;
|
2018-01-16 10:27:58 -07:00
|
|
|
case PAM_AUTH_ERR:
|
|
|
|
|
log_warningx(0, N_("account validation failure, "
|
|
|
|
|
"is your account locked?"));
|
2018-12-07 09:51:34 -07:00
|
|
|
status = AUTH_FATAL;
|
|
|
|
|
break;
|
2018-01-16 10:27:58 -07:00
|
|
|
case PAM_NEW_AUTHTOK_REQD:
|
2018-07-26 12:31:29 -06:00
|
|
|
/* Ignore if user is exempt from password restrictions. */
|
2018-12-08 08:10:04 -07:00
|
|
|
if (exempt) {
|
|
|
|
|
rc = *pam_status;
|
2018-12-07 09:51:34 -07:00
|
|
|
break;
|
2018-12-08 08:10:04 -07:00
|
|
|
}
|
2018-07-26 12:31:29 -06:00
|
|
|
/* New password required, try to change it. */
|
2018-01-16 10:27:58 -07:00
|
|
|
log_warningx(0, N_("Account or password is "
|
|
|
|
|
"expired, reset your password and try again"));
|
2018-12-07 09:51:34 -07:00
|
|
|
rc = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
|
|
|
|
|
if (rc == PAM_SUCCESS)
|
|
|
|
|
break;
|
|
|
|
|
if ((s = pam_strerror(pamh, rc)) == NULL)
|
2018-01-16 10:27:58 -07:00
|
|
|
s = "unknown error";
|
|
|
|
|
log_warningx(0,
|
|
|
|
|
N_("unable to change expired password: %s"), s);
|
2018-12-07 09:51:34 -07:00
|
|
|
status = AUTH_FAILURE;
|
|
|
|
|
break;
|
2018-01-16 10:27:58 -07:00
|
|
|
case PAM_AUTHTOK_EXPIRED:
|
2018-07-26 12:31:29 -06:00
|
|
|
/* Ignore if user is exempt from password restrictions. */
|
2018-12-08 08:10:04 -07:00
|
|
|
if (exempt) {
|
|
|
|
|
rc = *pam_status;
|
2018-12-07 09:51:34 -07:00
|
|
|
break;
|
2018-12-08 08:10:04 -07:00
|
|
|
}
|
2018-07-26 12:31:29 -06:00
|
|
|
/* Password expired, cannot be updated by user. */
|
2018-01-16 10:27:58 -07:00
|
|
|
log_warningx(0,
|
|
|
|
|
N_("Password expired, contact your system administrator"));
|
2018-12-07 09:51:34 -07:00
|
|
|
status = AUTH_FATAL;
|
|
|
|
|
break;
|
2018-01-16 10:27:58 -07:00
|
|
|
case PAM_ACCT_EXPIRED:
|
|
|
|
|
log_warningx(0,
|
|
|
|
|
N_("Account expired or PAM config lacks an \"account\" "
|
|
|
|
|
"section for sudo, contact your system administrator"));
|
2018-12-07 09:51:34 -07:00
|
|
|
status = AUTH_FATAL;
|
|
|
|
|
break;
|
2018-01-16 10:27:58 -07:00
|
|
|
case PAM_AUTHINFO_UNAVAIL:
|
|
|
|
|
case PAM_MAXTRIES:
|
|
|
|
|
case PAM_PERM_DENIED:
|
2018-12-07 09:51:34 -07:00
|
|
|
s = pam_strerror(pamh, rc);
|
2018-01-16 10:27:58 -07:00
|
|
|
log_warningx(0, N_("PAM account management error: %s"),
|
|
|
|
|
s ? s : "unknown error");
|
2018-12-07 09:51:34 -07:00
|
|
|
status = AUTH_FAILURE;
|
|
|
|
|
break;
|
2018-01-16 10:27:58 -07:00
|
|
|
default:
|
2018-12-07 09:51:34 -07:00
|
|
|
s = pam_strerror(pamh, rc);
|
2018-01-16 10:27:58 -07:00
|
|
|
log_warningx(0, N_("PAM account management error: %s"),
|
|
|
|
|
s ? s : "unknown error");
|
2018-12-07 09:51:34 -07:00
|
|
|
status = AUTH_FATAL;
|
|
|
|
|
break;
|
2018-01-16 10:27:58 -07:00
|
|
|
}
|
2018-12-08 08:10:04 -07:00
|
|
|
*pam_status = rc;
|
2018-12-07 09:51:34 -07:00
|
|
|
debug_return_int(status);
|
2018-01-16 10:27:58 -07:00
|
|
|
}
|
|
|
|
|
|
1999-07-11 00:32:11 +00:00
|
|
|
int
|
2011-11-13 11:46:39 -05:00
|
|
|
sudo_pam_cleanup(struct passwd *pw, sudo_auth *auth)
|
1999-07-11 00:32:11 +00:00
|
|
|
{
|
2003-06-29 01:31:55 +00:00
|
|
|
int *pam_status = (int *) auth->data;
|
2015-02-01 08:24:49 -07:00
|
|
|
debug_decl(sudo_pam_cleanup, SUDOERS_DEBUG_AUTH)
|
1999-07-11 00:32:11 +00:00
|
|
|
|
2013-08-06 14:44:21 -06:00
|
|
|
/* If successful, we can't close the session until sudo_pam_end_session() */
|
|
|
|
|
if (*pam_status != PAM_SUCCESS || auth->end_session == NULL) {
|
2013-07-11 17:50:03 -04:00
|
|
|
*pam_status = pam_end(pamh, *pam_status | PAM_DATA_SILENT);
|
|
|
|
|
pamh = NULL;
|
|
|
|
|
}
|
2011-11-29 14:41:00 -05:00
|
|
|
debug_return_int(*pam_status == PAM_SUCCESS ? AUTH_SUCCESS : AUTH_FAILURE);
|
1999-07-11 00:32:11 +00:00
|
|
|
}
|
|
|
|
|
|
2001-12-31 17:18:12 +00:00
|
|
|
int
|
2012-03-15 09:18:36 -04:00
|
|
|
sudo_pam_begin_session(struct passwd *pw, char **user_envp[], sudo_auth *auth)
|
2001-12-31 17:18:12 +00:00
|
|
|
{
|
2015-08-10 10:56:47 -06:00
|
|
|
int rc, status = AUTH_SUCCESS;
|
2013-07-11 17:50:03 -04:00
|
|
|
int *pam_status = (int *) auth->data;
|
2016-05-25 08:33:57 -06:00
|
|
|
const char *errstr;
|
2015-02-01 08:24:49 -07:00
|
|
|
debug_decl(sudo_pam_begin_session, SUDOERS_DEBUG_AUTH)
|
2005-06-25 18:29:17 +00:00
|
|
|
|
2010-05-27 14:46:39 -04:00
|
|
|
/*
|
|
|
|
|
* If there is no valid user we cannot open a PAM session.
|
|
|
|
|
* This is not an error as sudo can run commands with arbitrary
|
|
|
|
|
* uids, it just means we are done from a session management standpoint.
|
|
|
|
|
*/
|
|
|
|
|
if (pw == NULL) {
|
|
|
|
|
if (pamh != NULL) {
|
2015-08-10 10:56:47 -06:00
|
|
|
rc = pam_end(pamh, PAM_SUCCESS | PAM_DATA_SILENT);
|
|
|
|
|
if (rc != PAM_SUCCESS) {
|
2016-05-25 08:33:57 -06:00
|
|
|
errstr = pam_strerror(pamh, rc);
|
2015-08-10 10:56:47 -06:00
|
|
|
sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
|
|
|
|
|
"pam_end: %s", errstr ? errstr : "unknown error");
|
|
|
|
|
}
|
2010-05-27 14:46:39 -04:00
|
|
|
pamh = NULL;
|
|
|
|
|
}
|
|
|
|
|
goto done;
|
|
|
|
|
}
|
|
|
|
|
|
2003-06-29 01:31:55 +00:00
|
|
|
/*
|
2009-08-07 14:21:51 +00:00
|
|
|
* Update PAM_USER to reference the user we are running the command
|
|
|
|
|
* as, as opposed to the user we authenticated as.
|
2003-06-29 01:31:55 +00:00
|
|
|
*/
|
2015-08-10 10:56:47 -06:00
|
|
|
rc = pam_set_item(pamh, PAM_USER, pw->pw_name);
|
|
|
|
|
if (rc != PAM_SUCCESS) {
|
2016-05-25 08:33:57 -06:00
|
|
|
errstr = pam_strerror(pamh, rc);
|
2015-08-10 10:56:47 -06:00
|
|
|
sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
|
|
|
|
|
"pam_set_item(pamh, PAM_USER, %s): %s", pw->pw_name,
|
|
|
|
|
errstr ? errstr : "unknown error");
|
|
|
|
|
}
|
2001-12-31 17:18:12 +00:00
|
|
|
|
2002-01-20 00:46:44 +00:00
|
|
|
/*
|
2014-04-15 07:16:57 -06:00
|
|
|
* Reinitialize credentials when changing the user.
|
2013-07-11 17:50:03 -04:00
|
|
|
* We don't worry about a failure from pam_setcred() since with
|
|
|
|
|
* stacked PAM auth modules a failure from one module may override
|
|
|
|
|
* PAM_SUCCESS from another. For example, given a non-local user,
|
|
|
|
|
* pam_unix will fail but pam_ldap or pam_sss may succeed, but if
|
|
|
|
|
* pam_unix is first in the stack, pam_setcred() will fail.
|
2002-01-20 00:46:44 +00:00
|
|
|
*/
|
2015-08-10 10:56:47 -06:00
|
|
|
if (def_pam_setcred) {
|
|
|
|
|
rc = pam_setcred(pamh, PAM_REINITIALIZE_CRED);
|
|
|
|
|
if (rc != PAM_SUCCESS) {
|
2016-05-25 08:33:57 -06:00
|
|
|
errstr = pam_strerror(pamh, rc);
|
2015-08-10 10:56:47 -06:00
|
|
|
sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
|
|
|
|
|
"pam_setcred: %s", errstr ? errstr : "unknown error");
|
|
|
|
|
}
|
|
|
|
|
}
|
2002-01-20 00:46:44 +00:00
|
|
|
|
2013-08-17 06:22:46 -06:00
|
|
|
if (def_pam_session) {
|
2019-01-07 09:50:40 -07:00
|
|
|
/*
|
|
|
|
|
* We use PAM_SILENT to prevent pam_lastlog from printing last login
|
|
|
|
|
* information except when explicitly running a shell.
|
|
|
|
|
*/
|
|
|
|
|
const bool silent = !ISSET(sudo_mode, MODE_SHELL|MODE_LOGIN_SHELL);
|
|
|
|
|
rc = pam_open_session(pamh, silent ? PAM_SILENT : 0);
|
2016-05-25 08:33:57 -06:00
|
|
|
switch (rc) {
|
|
|
|
|
case PAM_SUCCESS:
|
|
|
|
|
break;
|
|
|
|
|
case PAM_SESSION_ERR:
|
|
|
|
|
/* Treat PAM_SESSION_ERR as a non-fatal error. */
|
|
|
|
|
errstr = pam_strerror(pamh, rc);
|
|
|
|
|
sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
|
|
|
|
|
"pam_open_session: %s", errstr ? errstr : "unknown error");
|
|
|
|
|
/* Avoid closing session that was not opened. */
|
|
|
|
|
def_pam_session = false;
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
/* Unexpected session failure, treat as fatal error. */
|
|
|
|
|
*pam_status = rc;
|
|
|
|
|
errstr = pam_strerror(pamh, *pam_status);
|
2016-05-12 10:33:32 -06:00
|
|
|
log_warningx(0, N_("%s: %s"), "pam_open_session",
|
2016-05-11 15:01:45 -06:00
|
|
|
errstr ? errstr : "unknown error");
|
2015-08-10 10:56:47 -06:00
|
|
|
rc = pam_end(pamh, *pam_status | PAM_DATA_SILENT);
|
|
|
|
|
if (rc != PAM_SUCCESS) {
|
2016-05-11 15:01:45 -06:00
|
|
|
errstr = pam_strerror(pamh, rc);
|
2015-08-10 10:56:47 -06:00
|
|
|
sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
|
|
|
|
|
"pam_end: %s", errstr ? errstr : "unknown error");
|
|
|
|
|
}
|
2013-08-17 06:22:46 -06:00
|
|
|
pamh = NULL;
|
2015-08-10 20:17:02 -06:00
|
|
|
status = AUTH_FATAL;
|
2013-10-22 14:47:51 -06:00
|
|
|
goto done;
|
2013-08-17 06:22:46 -06:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2012-03-15 09:18:36 -04:00
|
|
|
#ifdef HAVE_PAM_GETENVLIST
|
|
|
|
|
/*
|
|
|
|
|
* Update environment based on what is stored in pamh.
|
|
|
|
|
* If no authentication is done we will only have environment
|
|
|
|
|
* variables if pam_env is called via session.
|
|
|
|
|
*/
|
|
|
|
|
if (user_envp != NULL) {
|
|
|
|
|
char **pam_envp = pam_getenvlist(pamh);
|
|
|
|
|
if (pam_envp != NULL) {
|
2013-08-19 09:19:24 -06:00
|
|
|
/* Merge pam env with user env. */
|
2015-06-17 06:49:59 -06:00
|
|
|
if (!env_init(*user_envp) || !env_merge(pam_envp))
|
2015-08-10 20:17:02 -06:00
|
|
|
status = AUTH_FATAL;
|
2012-03-15 09:18:36 -04:00
|
|
|
*user_envp = env_get();
|
2015-06-17 06:49:59 -06:00
|
|
|
(void)env_init(NULL);
|
|
|
|
|
free(pam_envp);
|
2012-03-15 09:18:36 -04:00
|
|
|
/* XXX - we leak any duplicates that were in pam_envp */
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
#endif /* HAVE_PAM_GETENVLIST */
|
|
|
|
|
|
2010-05-27 14:46:39 -04:00
|
|
|
done:
|
2013-07-11 17:50:03 -04:00
|
|
|
debug_return_int(status);
|
2010-05-26 17:57:47 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int
|
2011-11-13 11:46:39 -05:00
|
|
|
sudo_pam_end_session(struct passwd *pw, sudo_auth *auth)
|
2010-05-26 17:57:47 -04:00
|
|
|
{
|
2015-08-10 10:56:47 -06:00
|
|
|
int rc, status = AUTH_SUCCESS;
|
2015-02-01 08:24:49 -07:00
|
|
|
debug_decl(sudo_pam_end_session, SUDOERS_DEBUG_AUTH)
|
2010-05-26 17:57:47 -04:00
|
|
|
|
2011-09-27 13:18:46 -04:00
|
|
|
if (pamh != NULL) {
|
|
|
|
|
/*
|
|
|
|
|
* Update PAM_USER to reference the user we are running the command
|
2012-04-23 16:11:49 -04:00
|
|
|
* as, as opposed to the user we authenticated as.
|
2012-04-23 16:38:16 -04:00
|
|
|
* XXX - still needed now that session init is in parent?
|
2011-09-27 13:18:46 -04:00
|
|
|
*/
|
2015-08-10 10:56:47 -06:00
|
|
|
rc = pam_set_item(pamh, PAM_USER, pw->pw_name);
|
|
|
|
|
if (rc != PAM_SUCCESS) {
|
|
|
|
|
const char *errstr = pam_strerror(pamh, rc);
|
|
|
|
|
sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
|
|
|
|
|
"pam_set_item(pamh, PAM_USER, %s): %s", pw->pw_name,
|
|
|
|
|
errstr ? errstr : "unknown error");
|
|
|
|
|
}
|
|
|
|
|
if (def_pam_session) {
|
|
|
|
|
rc = pam_close_session(pamh, PAM_SILENT);
|
|
|
|
|
if (rc != PAM_SUCCESS) {
|
|
|
|
|
const char *errstr = pam_strerror(pamh, rc);
|
|
|
|
|
sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
|
|
|
|
|
"pam_close_session: %s", errstr ? errstr : "unknown error");
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if (def_pam_setcred) {
|
|
|
|
|
rc = pam_setcred(pamh, PAM_DELETE_CRED | PAM_SILENT);
|
|
|
|
|
if (rc != PAM_SUCCESS) {
|
|
|
|
|
const char *errstr = pam_strerror(pamh, rc);
|
|
|
|
|
sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
|
|
|
|
|
"pam_setcred: %s", errstr ? errstr : "unknown error");
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
rc = pam_end(pamh, PAM_SUCCESS | PAM_DATA_SILENT);
|
|
|
|
|
if (rc != PAM_SUCCESS) {
|
|
|
|
|
const char *errstr = pam_strerror(pamh, rc);
|
|
|
|
|
sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
|
|
|
|
|
"pam_end: %s", errstr ? errstr : "unknown error");
|
2015-08-10 20:17:02 -06:00
|
|
|
status = AUTH_FATAL;
|
2015-08-10 10:56:47 -06:00
|
|
|
}
|
2011-09-27 13:18:46 -04:00
|
|
|
pamh = NULL;
|
|
|
|
|
}
|
|
|
|
|
|
2013-07-11 17:50:03 -04:00
|
|
|
debug_return_int(status);
|
2001-12-31 17:18:12 +00:00
|
|
|
}
|
|
|
|
|
|
2014-09-27 10:24:19 -06:00
|
|
|
#define PROMPT_IS_PASSWORD(_p) \
|
|
|
|
|
(strncmp((_p), "Password:", 9) == 0 && \
|
|
|
|
|
((_p)[9] == '\0' || ((_p)[9] == ' ' && (_p)[10] == '\0')))
|
|
|
|
|
|
|
|
|
|
#ifdef PAM_TEXT_DOMAIN
|
|
|
|
|
# define PAM_PROMPT_IS_PASSWORD(_p) \
|
2015-06-25 09:12:15 -06:00
|
|
|
(strcmp((_p), dgt(PAM_TEXT_DOMAIN, "Password:")) == 0 || \
|
|
|
|
|
strcmp((_p), dgt(PAM_TEXT_DOMAIN, "Password: ")) == 0 || \
|
|
|
|
|
PROMPT_IS_PASSWORD(_p))
|
2014-09-27 10:24:19 -06:00
|
|
|
#else
|
|
|
|
|
# define PAM_PROMPT_IS_PASSWORD(_p) PROMPT_IS_PASSWORD(_p)
|
|
|
|
|
#endif /* PAM_TEXT_DOMAIN */
|
|
|
|
|
|
2017-07-20 16:06:47 -06:00
|
|
|
/*
|
|
|
|
|
* We use the PAM prompt in preference to sudo's as long
|
|
|
|
|
* as passprompt_override is not set and:
|
|
|
|
|
* a) the (translated) sudo prompt matches /^Password: ?/
|
|
|
|
|
* or:
|
|
|
|
|
* b) the PAM prompt itself *doesn't* match /^Password: ?/
|
|
|
|
|
* or /^username's Password: ?/
|
|
|
|
|
*
|
|
|
|
|
* The intent is to use the PAM prompt for things like
|
|
|
|
|
* challenge-response, otherwise use sudo's prompt.
|
|
|
|
|
* There may also be cases where a localized translation
|
|
|
|
|
* of "Password: " exists for PAM but not for sudo.
|
|
|
|
|
*/
|
|
|
|
|
static bool
|
|
|
|
|
use_pam_prompt(const char *pam_prompt)
|
|
|
|
|
{
|
|
|
|
|
size_t user_len;
|
|
|
|
|
debug_decl(use_pam_prompt, SUDOERS_DEBUG_AUTH)
|
|
|
|
|
|
2017-09-05 09:30:19 -06:00
|
|
|
/* Always use sudo prompt if passprompt_override is set. */
|
|
|
|
|
if (def_passprompt_override)
|
|
|
|
|
debug_return_bool(false);
|
2017-07-20 16:06:47 -06:00
|
|
|
|
2017-09-05 09:30:19 -06:00
|
|
|
/* If sudo prompt matches "^Password: ?$", use PAM prompt. */
|
|
|
|
|
if (PROMPT_IS_PASSWORD(def_prompt))
|
|
|
|
|
debug_return_bool(true);
|
2017-07-20 16:06:47 -06:00
|
|
|
|
2017-09-05 09:30:19 -06:00
|
|
|
/* If PAM prompt matches "^Password: ?$", use sudo prompt. */
|
|
|
|
|
if (PAM_PROMPT_IS_PASSWORD(pam_prompt))
|
|
|
|
|
debug_return_bool(false);
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Some PAM modules use "^username's Password: ?$" instead of
|
|
|
|
|
* "^Password: ?" so check for that too.
|
|
|
|
|
*/
|
|
|
|
|
user_len = strlen(user_name);
|
|
|
|
|
if (strncmp(pam_prompt, user_name, user_len) == 0) {
|
|
|
|
|
const char *cp = pam_prompt + user_len;
|
|
|
|
|
if (strncmp(cp, "'s Password:", 12) == 0 &&
|
|
|
|
|
(cp[12] == '\0' || (cp[12] == ' ' && cp[13] == '\0')))
|
|
|
|
|
debug_return_bool(false);
|
2017-07-20 16:06:47 -06:00
|
|
|
}
|
2017-09-05 09:30:19 -06:00
|
|
|
|
|
|
|
|
/* Otherwise, use the PAM prompt. */
|
|
|
|
|
debug_return_bool(true);
|
2017-07-20 16:06:47 -06:00
|
|
|
}
|
|
|
|
|
|
1999-07-11 00:32:11 +00:00
|
|
|
/*
|
2016-02-26 09:30:31 -07:00
|
|
|
* ``Conversation function'' for PAM <-> human interaction.
|
1999-07-11 00:32:11 +00:00
|
|
|
*/
|
|
|
|
|
static int
|
2010-06-14 12:30:21 -04:00
|
|
|
converse(int num_msg, PAM_CONST struct pam_message **msg,
|
2016-03-09 09:39:46 -07:00
|
|
|
struct pam_response **reply_out, void *vcallback)
|
1999-07-11 00:32:11 +00:00
|
|
|
{
|
2015-09-24 13:43:17 -06:00
|
|
|
struct sudo_conv_callback *callback = NULL;
|
2016-03-09 09:39:46 -07:00
|
|
|
struct pam_response *reply;
|
2007-12-01 16:22:25 +00:00
|
|
|
const char *prompt;
|
2003-12-31 22:46:10 +00:00
|
|
|
char *pass;
|
2014-09-27 10:24:19 -06:00
|
|
|
int n, type;
|
2015-02-23 11:12:45 -07:00
|
|
|
int ret = PAM_SUCCESS;
|
2015-02-01 08:24:49 -07:00
|
|
|
debug_decl(converse, SUDOERS_DEBUG_AUTH)
|
1999-07-11 00:32:11 +00:00
|
|
|
|
2015-07-14 14:00:18 -06:00
|
|
|
if (num_msg <= 0 || num_msg > PAM_MAX_NUM_MSG) {
|
|
|
|
|
sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
|
|
|
|
|
"invalid number of PAM messages: %d", num_msg);
|
2015-02-23 11:12:45 -07:00
|
|
|
debug_return_int(PAM_CONV_ERR);
|
2015-07-14 14:00:18 -06:00
|
|
|
}
|
2016-02-26 09:30:31 -07:00
|
|
|
sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_LINENO,
|
|
|
|
|
"number of PAM messages: %d", num_msg);
|
2015-02-23 11:12:45 -07:00
|
|
|
|
2016-03-09 09:39:46 -07:00
|
|
|
if ((reply = calloc(num_msg, sizeof(struct pam_response))) == NULL) {
|
2015-07-14 14:00:18 -06:00
|
|
|
sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
|
2015-02-23 11:12:45 -07:00
|
|
|
debug_return_int(PAM_BUF_ERR);
|
2015-07-14 14:00:18 -06:00
|
|
|
}
|
2016-03-09 09:39:46 -07:00
|
|
|
*reply_out = reply;
|
1999-07-11 00:32:11 +00:00
|
|
|
|
2015-09-24 13:43:17 -06:00
|
|
|
if (vcallback != NULL)
|
|
|
|
|
callback = *((struct sudo_conv_callback **)vcallback);
|
|
|
|
|
|
2016-03-09 09:39:46 -07:00
|
|
|
for (n = 0; n < num_msg; n++) {
|
|
|
|
|
PAM_CONST struct pam_message *pm = PAM_MSG_GET(msg, n);
|
|
|
|
|
|
2010-03-14 19:58:47 -04:00
|
|
|
type = SUDO_CONV_PROMPT_ECHO_OFF;
|
1999-07-11 00:32:11 +00:00
|
|
|
switch (pm->msg_style) {
|
|
|
|
|
case PAM_PROMPT_ECHO_ON:
|
2010-03-14 19:58:47 -04:00
|
|
|
type = SUDO_CONV_PROMPT_ECHO_ON;
|
2012-04-11 19:51:56 -04:00
|
|
|
/* FALLTHROUGH */
|
1999-07-11 00:32:11 +00:00
|
|
|
case PAM_PROMPT_ECHO_OFF:
|
2010-08-14 10:18:49 -04:00
|
|
|
/* Error out if the last password read was interrupted. */
|
2012-04-11 19:51:56 -04:00
|
|
|
if (getpass_error)
|
|
|
|
|
goto done;
|
2010-08-14 10:18:49 -04:00
|
|
|
|
2017-07-20 16:06:47 -06:00
|
|
|
/* Choose either the sudo prompt or the PAM one. */
|
|
|
|
|
prompt = use_pam_prompt(pm->msg) ? pm->msg : def_prompt;
|
|
|
|
|
|
2008-11-22 18:17:44 +00:00
|
|
|
/* Read the password unless interrupted. */
|
2018-01-22 12:18:48 -07:00
|
|
|
pass = auth_getpass(prompt, type, callback);
|
2006-09-29 14:53:42 +00:00
|
|
|
if (pass == NULL) {
|
2012-04-11 19:51:56 -04:00
|
|
|
/* Error (or ^C) reading password, don't try again. */
|
2015-02-23 11:12:45 -07:00
|
|
|
getpass_error = true;
|
2016-06-01 14:48:31 -06:00
|
|
|
ret = PAM_CONV_ERR;
|
2015-02-23 11:12:45 -07:00
|
|
|
goto done;
|
|
|
|
|
}
|
|
|
|
|
if (strlen(pass) >= PAM_MAX_RESP_SIZE) {
|
2015-07-14 14:00:18 -06:00
|
|
|
sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
|
|
|
|
|
"password longer than %d", PAM_MAX_RESP_SIZE);
|
2015-02-23 11:12:45 -07:00
|
|
|
ret = PAM_CONV_ERR;
|
2016-01-27 15:36:50 -07:00
|
|
|
memset_s(pass, SUDO_CONV_REPL_MAX, 0, strlen(pass));
|
2012-04-11 19:51:56 -04:00
|
|
|
goto done;
|
2006-09-29 14:53:42 +00:00
|
|
|
}
|
2016-03-09 09:39:46 -07:00
|
|
|
reply[n].resp = pass; /* auth_getpass() malloc's a copy */
|
1999-07-11 00:32:11 +00:00
|
|
|
break;
|
|
|
|
|
case PAM_TEXT_INFO:
|
2016-05-14 19:33:28 -06:00
|
|
|
if (pm->msg != NULL)
|
|
|
|
|
sudo_printf(SUDO_CONV_INFO_MSG, "%s\n", pm->msg);
|
1999-07-11 00:32:11 +00:00
|
|
|
break;
|
|
|
|
|
case PAM_ERROR_MSG:
|
2016-05-14 19:33:28 -06:00
|
|
|
if (pm->msg != NULL)
|
|
|
|
|
sudo_printf(SUDO_CONV_ERROR_MSG, "%s\n", pm->msg);
|
1999-07-11 00:32:11 +00:00
|
|
|
break;
|
|
|
|
|
default:
|
2015-08-10 10:56:47 -06:00
|
|
|
sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
|
|
|
|
|
"unsupported message style: %d", pm->msg_style);
|
2012-04-11 19:51:56 -04:00
|
|
|
ret = PAM_CONV_ERR;
|
|
|
|
|
goto done;
|
1999-07-11 00:32:11 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2012-04-11 19:51:56 -04:00
|
|
|
done:
|
|
|
|
|
if (ret != PAM_SUCCESS) {
|
|
|
|
|
/* Zero and free allocated memory and return an error. */
|
2016-03-09 09:39:46 -07:00
|
|
|
for (n = 0; n < num_msg; n++) {
|
|
|
|
|
struct pam_response *pr = &reply[n];
|
|
|
|
|
|
2012-04-11 19:51:56 -04:00
|
|
|
if (pr->resp != NULL) {
|
2013-08-03 08:30:06 -06:00
|
|
|
memset_s(pr->resp, SUDO_CONV_REPL_MAX, 0, strlen(pr->resp));
|
2012-04-11 19:51:56 -04:00
|
|
|
free(pr->resp);
|
|
|
|
|
pr->resp = NULL;
|
|
|
|
|
}
|
2007-07-22 12:14:18 +00:00
|
|
|
}
|
2016-03-09 09:39:46 -07:00
|
|
|
free(reply);
|
|
|
|
|
*reply_out = NULL;
|
2007-07-22 12:14:18 +00:00
|
|
|
}
|
2012-04-11 19:51:56 -04:00
|
|
|
debug_return_int(ret);
|
1999-07-11 00:32:11 +00:00
|
|
|
}
|
2015-05-21 11:07:13 -06:00
|
|
|
|
|
|
|
|
#endif /* HAVE_PAM */
|
