author | cheloha <cheloha@cvs.openbsd.org> | 2019-07-19 18:32:20 +0000 |
---|---|---|
committer | cheloha <cheloha@cvs.openbsd.org> | 2019-07-19 18:32:20 +0000 |
commit | 7c42da4a798e40848f036283d6092643361713e8 (patch) | |
tree | 1112667b0429726554a054e0e3d4723cb2544339 /usr.bin | |
parent | 6c458a4a0e04b74ff9c7949cbe22437633a60a0a (diff) |
lock(1): remove default timeout
It makes little sense from a security standpoint to unlock the terminal
and expose the user's session after fifteen minutes by default.
Default behavior is now to reserve the terminal forever. Add instructions
to the manpage to help the user employ the -t timeout option more safely.
Manpage greatly improved by jmc@; bug(s) caught by millert@; with input
from claudio@.
ok millert@
Diffstat (limited to 'usr.bin')
-rw-r--r-- | usr.bin/lock/lock.1 | 26 | ||||
-rw-r--r-- | usr.bin/lock/lock.c | 34 |
2 files changed, 20 insertions, 40 deletions
diff --git a/usr.bin/lock/lock.1 b/usr.bin/lock/lock.1 index 7aacc64c9f1..46e3c431b9b 100644 --- a/usr.bin/lock/lock.1 +++ b/usr.bin/lock/lock.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: lock.1,v 1.18 2019/07/05 14:11:26 cheloha Exp $ +.\" $OpenBSD: lock.1,v 1.19 2019/07/19 18:32:19 cheloha Exp $ .\" .\" Copyright (c) 1987, 1990, 1993 .\" The Regents of the University of California. All rights reserved. @@ -29,7 +29,7 @@ .\" .\" @(#)lock.1 8.1 (Berkeley) 6/6/93 .\" -.Dd $Mdocdate: July 5 2019 $ +.Dd $Mdocdate: July 19 2019 $ .Dt LOCK 1 .Os .Sh NAME @@ -37,7 +37,7 @@ .Nd reserve a terminal .Sh SYNOPSIS .Nm lock -.Op Fl np +.Op Fl p .Op Fl a Ar style .Op Fl t Ar timeout .Sh DESCRIPTION @@ -45,9 +45,6 @@ requests a password from the user, reads it again for verification and then will normally not relinquish the terminal until the password is repeated. -There are two other conditions under which it will terminate: it -will timeout after some interval of time and it may be killed by someone -with the appropriate privileges. .Pp The options are as follows: .Bl -tag -width Ds @@ -66,12 +63,6 @@ user may enter the name of the .Ar style to get the standard prompt for that .Ar style . -.It Fl n -Don't use a timeout value. -Terminal will be locked forever. -This option is incompatible with the -.Fl t -option. .It Fl p A password is not requested, instead the user's current login password is used. @@ -85,12 +76,15 @@ The user will then be issued an S/Key challenge to which they may respond with a six-word S/Key one-time password. .It Fl t Ar timeout -The time limit (default 15 minutes) is changed to +Unlock the terminal after .Ar timeout minutes. -This option is incompatible with the -.Fl n -option. +When used in this manner +.Nm +should be invoked so that the user is safely logged out +if the timeout elapses: +.Pp +.Dl $ lock -t 15 || exit .El .Sh SEE ALSO .Xr skey 1 , diff --git a/usr.bin/lock/lock.c b/usr.bin/lock/lock.c index 449a94f2426..ae6eff4c36d 100644 --- a/usr.bin/lock/lock.c 
+++ b/usr.bin/lock/lock.c @@ -1,4 +1,4 @@ -/* $OpenBSD: lock.c,v 1.42 2019/07/05 14:11:26 cheloha Exp $ */ +/* $OpenBSD: lock.c,v 1.43 2019/07/19 18:32:19 cheloha Exp $ */ /* $NetBSD: lock.c,v 1.8 1996/05/07 18:32:31 jtc Exp $ */ /* @@ -36,9 +36,6 @@ /* * Lock a terminal up until the given key is entered, until the root * password is entered, or the given interval times out. - * - * Timeout interval is by default TIMEOUT, it can be changed with - * an argument of the form -time where time is in minutes */ #include <sys/stat.h> @@ -59,14 +56,11 @@ #include <login_cap.h> #include <bsd_auth.h> -#define TIMEOUT 15 - void bye(int); void hi(int); void usage(void); -int custom_timeout; -int no_timeout; /* lock terminal forever */ +int no_timeout = 1; /* lock terminal forever */ int main(int argc, char *argv[]) @@ -83,10 +77,8 @@ main(int argc, char *argv[]) time_t curtime; login_cap_t *lc; - sectimeout = TIMEOUT; style = NULL; usemine = 0; - custom_timeout = no_timeout = 0; memset(&timeout, 0, sizeof(timeout)); if (pledge("stdio rpath wpath getpw tty proc exec", NULL) == -1) @@ -105,7 +97,7 @@ main(int argc, char *argv[]) backoff = login_getcapnum(lc, "login-backoff", 3, 3); } - while ((ch = getopt(argc, argv, "a:npt:")) != -1) { + while ((ch = getopt(argc, argv, "a:pt:")) != -1) { switch (ch) { case 'a': if (lc) { @@ -118,26 +110,18 @@ main(int argc, char *argv[]) usemine = 1; break; case 't': - if (no_timeout) - usage(); sectimeout = strtonum(optarg, 1, INT_MAX, &errstr); if (errstr) errx(1, "timeout %s: %s", errstr, optarg); - custom_timeout = 1; + no_timeout = 0; break; case 'p': usemine = 1; break; - case 'n': - if (custom_timeout) - usage(); - no_timeout = 1; - break; default: usage(); } } - timeout.tv_sec = sectimeout * 60; gethostname(hostname, sizeof(hostname)); if (usemine && lc == NULL) 
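Review bot: Removing `sectimeout = TIMEOUT;` in the `@@ -83,10` hunk leaves `sectimeout` with an indeterminate value whenever `-t` is not given. The only thing keeping that safe is that every later read is guarded by `no_timeout`. The read visible in this commit (the `timeout.tv_sec` assignment in the `@@ -173,10` hunk) is guarded, but main continues outside these hunks and any other use cannot be checked from here. I would either keep the variable defined with `sectimeout = 0;` next to `style = NULL;`, or document the coupling where the flag is declared: `int no_timeout = 1; /* lock forever; cleared by -t, sectimeout valid only when 0 */`.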
@@ -173,10 +157,12 @@ main(int argc, char *argv[]) signal(SIGTSTP, hi); signal(SIGALRM, bye); - memset(&ntimer, 0, sizeof(ntimer)); - ntimer.it_value = timeout; - if (!no_timeout) + if (!no_timeout) { + timeout.tv_sec = (time_t)sectimeout * 60; + memset(&ntimer, 0, sizeof(ntimer)); + ntimer.it_value = timeout; setitimer(ITIMER_REAL, &ntimer, &otimer); + } /* header info */ if (no_timeout) { @@ -260,7 +246,7 @@ bye(int signo) void usage(void) { - fprintf(stderr, "usage: %s [-np] [-a style] [-t timeout]\n", + fprintf(stderr, "usage: %s [-p] [-a style] [-t timeout]\n", getprogname()); exit(1); } |
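Review bot: The return value of `setitimer()` inside the new `if (!no_timeout)` block is ignored, so a failed call leaves no timer armed while the rest of main still acts as if a timeout were set. `-t` accepts up to `INT_MAX` minutes, and `(time_t)sectimeout * 60` may exceed what the kernel accepts for an interval timer (the limit is not visible here, so this is an assumption to confirm). The failure direction is the safe one, since the terminal simply stays locked, but it is silent and contradicts what the user asked for. `if (setitimer(ITIMER_REAL, &ntimer, &otimer) == -1) err(1, "setitimer");` would surface it, or the `strtonum()` upper bound could be tightened to a value the timer is known to accept. main's body starts and ends outside this hunk.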