In struct sudo_auth, turn need_root and configured into flags and

add a flag to specify an auth method is running alone (the only one). Pass auth methods their sudo_auth pointer, not the data pointer. This allows us to get at the flags and tell if we are the only auth method. That, in turn, allows the method to be able to decide what should/should not be a fatal error. Currently only rfc1938 uses it this way, which allows us to kill the OTP_ONLY define and te hackery that went with it. With access to the sudo_auth struct, methods can also get at a string holding their cannonical name (useful in error messages).
2025-09-02 07:15:27 +00:00 · 1999-08-14 15:36:47 +00:00
parent 3a8b0be635
commit d40947c0b0
15 changed files with 215 additions and 185 deletions
--- a/auth/sudo_auth.h
+++ b/auth/sudo_auth.h
@@ -37,76 +37,90 @@
 #ifndef SUDO_AUTH_H
 #define SUDO_AUTH_H

+/* Auth function return values.  */
 #define AUTH_SUCCESS	0
 #define AUTH_FAILURE	1
 #define AUTH_FATAL	2

 typedef struct sudo_auth {
-    int need_root;		/* must run as root? */
-    int configured;		/* auth type configured on this host? */
-    int status;			/* status from verify routine */
-    char *name;
-    void *data;			/* method-specific data pointer */
-    int (*init) __P((struct passwd *pw, char **prompt, void **data));
-    int (*setup) __P((struct passwd *pw, char **prompt, void **data));
-    int (*verify) __P((struct passwd *pw, char *p, void **data));
-    int (*cleanup) __P((struct passwd *pw, int status, void **data));
+    short flags;		/* various flags, see below */
+    short status;		/* status from verify routine */
+    char *name;			/* name of the method as a string */
+    VOID *data;			/* method-specific data pointer */
+    int (*init) __P((struct passwd *pw, char **prompt, struct sudo_auth *auth));
+    int (*setup) __P((struct passwd *pw, char **prompt, struct sudo_auth *auth));
+    int (*verify) __P((struct passwd *pw, char *p, struct sudo_auth *auth));
+    int (*cleanup) __P((struct passwd *pw, struct sudo_auth *auth));
 } sudo_auth;

+/* Values for sudo_auth.flags.  */
+/* XXX - these names are too long for my liking */
+#define FLAG_ROOT	0x01	/* functions must run as root */
+#define FLAG_CONFIGURED	0x02	/* method configured ok */
+#define FLAG_ONEANDONLY	0x04	/* one and only auth method */
+
+/* Shortcuts for using the flags above. */
+#define NEEDS_ROOT(x)		((x)->flags & FLAG_ROOT)
+#define IS_CONFIGURED(x)	((x)->flags & FLAG_CONFIGURED)
+#define IS_ONEANDONLY(x)	((x)->flags & FLAG_ONEANDONLY)
+
 /* Prototypes for standalone methods */
-int fwtk_init __P((struct passwd *pw, char **prompt, void **data));
-int fwtk_verify __P((struct passwd *pw, char *prompt, void **data));
-int fwtk_cleanup __P((struct passwd *pw, int status, void **data));
-int pam_init __P((struct passwd *pw, char **prompt, void **data));
-int pam_verify __P((struct passwd *pw, char *prompt, void **data));
-int pam_cleanup __P((struct passwd *pw, int status, void **data));
-int sia_setup __P((struct passwd *pw, char **prompt, void **data));
-int sia_verify __P((struct passwd *pw, char *prompt, void **data));
-int sia_cleanup __P((struct passwd *pw, int status, void **data));
-int aixauth_verify __P((struct passwd *pw, char *pass, void **data));
-int dce_verify __P((struct passwd *pw, char *pass, void **data));
+int fwtk_init __P((struct passwd *pw, char **prompt, sudo_auth *auth));
+int fwtk_verify __P((struct passwd *pw, char *prompt, sudo_auth *auth));
+int fwtk_cleanup __P((struct passwd *pw, sudo_auth *auth));
+int pam_init __P((struct passwd *pw, char **prompt, sudo_auth *auth));
+int pam_verify __P((struct passwd *pw, char *prompt, sudo_auth *auth));
+int pam_cleanup __P((struct passwd *pw, sudo_auth *auth));
+int sia_setup __P((struct passwd *pw, char **prompt, sudo_auth *auth));
+int sia_verify __P((struct passwd *pw, char *prompt, sudo_auth *auth));
+int sia_cleanup __P((struct passwd *pw, sudo_auth *auth));
+int aixauth_verify __P((struct passwd *pw, char *pass, sudo_auth *auth));
+int dce_verify __P((struct passwd *pw, char *pass, sudo_auth *auth));

 /* Prototypes for normal methods */
-int passwd_verify __P((struct passwd *pw, char *pass, void **data));
-int secureware_init __P((struct passwd *pw, char **prompt, void **data));
-int secureware_verify __P((struct passwd *pw, char *pass, void **data));
-int rfc1938_setup __P((struct passwd *pw, char **prompt, void **data));
-int rfc1938_verify __P((struct passwd *pw, char *pass, void **data));
-int afs_verify __P((struct passwd *pw, char *pass, void **data));
-int kerb4_init __P((struct passwd *pw, char **prompt, void **data));
-int kerb4_verify __P((struct passwd *pw, char *pass, void **data));
-int kerb5_init __P((struct passwd *pw, char **prompt, void **data));
-int kerb5_verify __P((struct passwd *pw, char *pass, void **data));
-int securid_init __P((struct passwd *pw, char **prompt, void **data));
-int securid_setup __P((struct passwd *pw, char **prompt, void **data));
-int securid_verify __P((struct passwd *pw, char *pass, void **data));
+int passwd_verify __P((struct passwd *pw, char *pass, sudo_auth *auth));
+int secureware_init __P((struct passwd *pw, char **prompt, sudo_auth *auth));
+int secureware_verify __P((struct passwd *pw, char *pass, sudo_auth *auth));
+int rfc1938_setup __P((struct passwd *pw, char **prompt, sudo_auth *auth));
+int rfc1938_verify __P((struct passwd *pw, char *pass, sudo_auth *auth));
+int afs_verify __P((struct passwd *pw, char *pass, sudo_auth *auth));
+int kerb4_init __P((struct passwd *pw, char **prompt, sudo_auth *auth));
+int kerb4_verify __P((struct passwd *pw, char *pass, sudo_auth *auth));
+int kerb5_init __P((struct passwd *pw, char **prompt, sudo_auth *auth));
+int kerb5_verify __P((struct passwd *pw, char *pass, sudo_auth *auth));
+int securid_init __P((struct passwd *pw, char **prompt, sudo_auth *auth));
+int securid_setup __P((struct passwd *pw, char **prompt, sudo_auth *auth));
+int securid_verify __P((struct passwd *pw, char *pass, sudo_auth *auth));

 /* Fields: need_root, name, init, setup, verify, cleanup */
-#define AUTH_ENTRY(r, n, i, s, v, c) { r, 1, AUTH_FAILURE, n, NULL, i, s, v, c },
+#define AUTH_ENTRY(r, n, i, s, v, c) \
+	{ (r|FLAG_CONFIGURED), AUTH_FAILURE, n, NULL, i, s, v, c },

 /* Some methods cannots (or should not) interoperate with any others */
 #if defined(HAVE_PAM)
 #  define AUTH_STANDALONE \
-	AUTH_ENTRY(1, "pam", pam_init, NULL, pam_verify, pam_cleanup)
+	AUTH_ENTRY(FLAG_ROOT, "pam", \
+	    pam_init, NULL, pam_verify, pam_cleanup)
 #elif defined(HAVE_SECURID)
 #  define AUTH_STANDALONE \
-	AUTH_ENTRY(1, "SecurId", securid_init, securid_setup, securid_verify, NULL)
+	AUTH_ENTRY(FLAG_ROOT, "SecurId", \
+	    securid_init, securid_setup, securid_verify, NULL)
 #elif defined(HAVE_SIA)
 #  define AUTH_STANDALONE \
-	AUTH_ENTRY(1, "sia", NULL, sia_setup, sia_verify, sia_cleanup)
+	AUTH_ENTRY(FLAG_ROOT, "sia", \
+	    NULL, sia_setup, sia_verify, sia_cleanup)
 #elif defined(HAVE_DCE)
 #  define AUTH_STANDALONE \
-	AUTH_ENTRY(1, "dce", NULL, NULL, dce_verify, NULL)
+	AUTH_ENTRY(FLAG_ROOT, "dce", \
+	    NULL, NULL, dce_verify, NULL)
 #elif defined(HAVE_AUTHENTICATE)
 #  define AUTH_STANDALONE \
-	AUTH_ENTRY(1, "aixauth", NULL, NULL, aixauth_verify, NULL)
+	AUTH_ENTRY(FLAG_ROOT, "aixauth", \
+	    NULL, NULL, aixauth_verify, NULL)
 #elif defined(HAVE_FWTK)
 #  define AUTH_STANDALONE \
-	AUTH_ENTRY(1, "fwtk", fwtk_init, NULL, fwtk_verify, fwtk_cleanup)
-#elif defined(OTP_ONLY) && (defined(HAVE_SKEY) || defined(HAVE_OPIE))
-#  define AUTH_STANDALONE \
-	AUTH_ENTRY(1, "rfc1938", NULL, rfc1938_setup, rfc1938_verify, NULL)
-#  define AUTH_STANDALONE_GETPASS
+	AUTH_ENTRY(FLAG_ROOT, "fwtk", fwtk_init, \
+	    NULL, fwtk_verify, fwtk_cleanup)
 #endif

 #endif /* SUDO_AUTH_H */