authorMarc Espie <espie@cvs.openbsd.org>2015-07-26 20:47:02 +0000
committerMarc Espie <espie@cvs.openbsd.org>2015-07-26 20:47:02 +0000
commit20b546560f1bfc67eab6928e82dad17a7be33f45 (patch)
tree9271d278e6dc8cb3ea208f9f53a70f8a4042fef0
parentbe1eec7c05a713e8087af283dd477b976596afc9 (diff)
nflag (as in sudo, force non-interactive mode)
as discussed with ted@
-rw-r--r--usr.bin/doas/doas.18
-rw-r--r--usr.bin/doas/doas.c11
2 files changed, 15 insertions, 4 deletions
diff --git a/usr.bin/doas/doas.1 b/usr.bin/doas/doas.1
index 90f71b853ab..bce860d8bd7 100644
--- a/usr.bin/doas/doas.1
+++ b/usr.bin/doas/doas.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: doas.1,v 1.11 2015/07/26 17:24:02 zhuk Exp $
+.\" $OpenBSD: doas.1,v 1.12 2015/07/26 20:47:01 espie Exp $
.\"
.\"Copyright (c) 2015 Ted Unangst <tedu@openbsd.org>
.\"
@@ -21,7 +21,7 @@
.Nd execute commands as another user
.Sh SYNOPSIS
.Nm doas
-.Op Fl s
+.Op Fl ns
.Op Fl C Ar config
.Op Fl u Ar user
.Ar command
@@ -58,6 +58,10 @@ or
will be printed on standard output, depending on command
matching results.
No command is executed.
+.It Fl n
+Non interactive mode, fail if
+.Nm
+would prompt for password.
.It Fl s
Execute the shell from
.Ev SHELL
diff --git a/usr.bin/doas/doas.c b/usr.bin/doas/doas.c
index 44ccd6a67e3..53f71cd92ab 100644
--- a/usr.bin/doas/doas.c
+++ b/usr.bin/doas/doas.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: doas.c,v 1.25 2015/07/26 19:49:11 zhuk Exp $ */
+/* $OpenBSD: doas.c,v 1.26 2015/07/26 20:47:01 espie Exp $ */
/*
* Copyright (c) 2015 Ted Unangst <tedu@openbsd.org>
*
@@ -322,8 +322,10 @@ main(int argc, char **argv, char **envp)
int ngroups;
int i, ch;
int sflag = 0;
+ int nflag = 0;
- while ((ch = getopt(argc, argv, "C:su:")) != -1) {
+ uid = getuid();
+ while ((ch = getopt(argc, argv, "C:nsu:")) != -1) {
switch (ch) {
case 'C':
confpath = optarg;
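Review bot: The added `uid = getuid();` ahead of the getopt loop is not explained by the commit message, which only covers the -n flag, and nothing visible in this hunk reads `uid` during option parsing. In a setuid program the point where the invoking user's real uid is captured is worth stating, so I would add a comment such as `/* record the invoking (real) uid before any option handling */` or split the move into its own commit. If a later `uid = getuid();` assignment still exists further down main() it is now redundant; that part of the function is outside the hunk. The usage text presumably also needs `-n` added, since the option string now accepts it and no hunk in this commit touches it.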
@@ -332,6 +334,9 @@ main(int argc, char **argv, char **envp)
if (parseuid(optarg, &target) != 0)
errx(1, "unknown user");
break;
+ case 'n':
+ nflag = 1;
+ break;
case 's':
sflag = 1;
break;
@@ -396,6 +401,8 @@ main(int argc, char **argv, char **envp)
}
if (!(rule->options & NOPASS)) {
+ if (nflag)
+ errx(1, "Authorization required");
if (!auth_userokay(myname, NULL, NULL, NULL)) {
syslog(LOG_AUTHPRIV | LOG_NOTICE,
"failed password for %s", myname);
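Review bot: The new `-n` refusal exits through `errx(1, "Authorization required")` without writing to syslog, whereas the failed-password path directly below it logs at `LOG_AUTHPRIV | LOG_NOTICE`. For auditing, a non-interactive attempt that needed a password is still a denied privilege request and should leave a record, e.g. `syslog(LOG_AUTHPRIV | LOG_NOTICE, "non-interactive auth required for %s", myname);` before the `errx()`, with braces around the two statements. The message is also capitalised, unlike `"unknown user"` in the option-parsing hunk above. The `if (!(rule->options & NOPASS))` block continues past the end of the hunk.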