diff options
Diffstat (limited to 'usr.bin/sudo/auth')
| -rw-r--r-- | usr.bin/sudo/auth/afs.c | 5 | ||||
| -rw-r--r-- | usr.bin/sudo/auth/aix_auth.c | 15 | ||||
| -rw-r--r-- | usr.bin/sudo/auth/bsdauth.c | 11 | ||||
| -rw-r--r-- | usr.bin/sudo/auth/fwtk.c | 11 | ||||
| -rw-r--r-- | usr.bin/sudo/auth/kerb4.c | 4 | ||||
| -rw-r--r-- | usr.bin/sudo/auth/kerb5.c | 28 | ||||
| -rw-r--r-- | usr.bin/sudo/auth/pam.c | 17 | ||||
| -rw-r--r-- | usr.bin/sudo/auth/securid.c | 4 | ||||
| -rw-r--r-- | usr.bin/sudo/auth/securid5.c | 4 | ||||
| -rw-r--r-- | usr.bin/sudo/auth/sia.c | 4 | ||||
| -rw-r--r-- | usr.bin/sudo/auth/sudo_auth.c | 34 | ||||
| -rw-r--r-- | usr.bin/sudo/auth/sudo_auth.h | 10 |
12 files changed, 83 insertions, 64 deletions
diff --git a/usr.bin/sudo/auth/afs.c b/usr.bin/sudo/auth/afs.c index 46951d68d23..fed48ba0673 100644 --- a/usr.bin/sudo/auth/afs.c +++ b/usr.bin/sudo/auth/afs.c @@ -1,5 +1,6 @@ /* - * Copyright (c) 1999, 2001-2005 Todd C. Miller <Todd.Miller@courtesan.com> + * Copyright (c) 1999, 2001-2005, 2007 + * Todd C. Miller <Todd.Miller@courtesan.com> * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -50,7 +51,7 @@ #include <afs/kautils.h> #ifndef lint -__unused static const char rcsid[] = "$Sudo: afs.c,v 1.14 2007/08/31 23:30:07 millert Exp $"; +__unused static const char rcsid[] = "$Sudo: afs.c,v 1.15 2008/11/09 14:13:13 millert Exp $"; #endif /* lint */ int diff --git a/usr.bin/sudo/auth/aix_auth.c b/usr.bin/sudo/auth/aix_auth.c index 7b7eaedc5a1..14343efb014 100644 --- a/usr.bin/sudo/auth/aix_auth.c +++ b/usr.bin/sudo/auth/aix_auth.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999-2005 Todd C. Miller <Todd.Miller@courtesan.com> + * Copyright (c) 1999-2005, 2007-2008 Todd C. Miller <Todd.Miller@courtesan.com> * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -47,7 +47,7 @@ #include "sudo_auth.h" #ifndef lint -__unused static const char rcsid[] = "$Sudo: aix_auth.c,v 1.22 2007/06/21 22:28:40 millert Exp $"; +__unused static const char rcsid[] = "$Sudo: aix_auth.c,v 1.25 2008/11/09 14:13:13 millert Exp $"; #endif /* lint */ /* @@ -75,3 +75,14 @@ aixauth_verify(pw, prompt, auth) } return(rval); } + +int +aixauth_cleanup(pw, auth) + struct passwd *pw; + sudo_auth *auth; +{ + /* Unset AUTHSTATE as it may not be correct for the runas user. */ + sudo_unsetenv("AUTHSTATE"); + + return(AUTH_SUCCESS); +} diff --git a/usr.bin/sudo/auth/bsdauth.c b/usr.bin/sudo/auth/bsdauth.c index e093e82ee81..aae7fd68991 100644 --- a/usr.bin/sudo/auth/bsdauth.c +++ b/usr.bin/sudo/auth/bsdauth.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000-2005 Todd C. Miller <Todd.Miller@courtesan.com> + * Copyright (c) 2000-2005, 2007-2008 Todd C. Miller <Todd.Miller@courtesan.com> * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -52,7 +52,7 @@ #include "sudo_auth.h" #ifndef lint -__unused static const char rcsid[] = "$Sudo: bsdauth.c,v 1.21 2008/03/30 21:36:51 millert Exp $"; +__unused static const char rcsid[] = "$Sudo: bsdauth.c,v 1.23 2008/11/09 14:13:13 millert Exp $"; #endif /* lint */ extern char *login_style; /* from sudo.c */ @@ -104,7 +104,6 @@ bsdauth_verify(pw, prompt, auth) int authok = 0; sigaction_t sa, osa; auth_session_t *as = (auth_session_t *) auth->data; - extern int nil_pw; /* save old signal handler */ sigemptyset(&sa.sa_mask); @@ -142,9 +141,6 @@ bsdauth_verify(pw, prompt, auth) } } - if (!pass || *pass == '\0') /* ^C or empty password */ - nil_pw = 1; - if (pass) { authok = auth_userresponse(as, pass, 1); zero_bytes(pass, strlen(pass)); @@ -156,6 +152,9 @@ bsdauth_verify(pw, prompt, auth) if (authok) return(AUTH_SUCCESS); + if (!pass) + return(AUTH_INTR); + if ((s = auth_getvalue(as, "errormsg")) != NULL) log_error(NO_EXIT|NO_MAIL, "%s", s); return(AUTH_FAILURE); diff --git a/usr.bin/sudo/auth/fwtk.c b/usr.bin/sudo/auth/fwtk.c index 8bbf5a3d9dc..d09b132d7fa 100644 --- a/usr.bin/sudo/auth/fwtk.c +++ b/usr.bin/sudo/auth/fwtk.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999-2005 Todd C. Miller <Todd.Miller@courtesan.com> + * Copyright (c) 1999-2005, 2008 Todd C. Miller <Todd.Miller@courtesan.com> * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -50,7 +50,7 @@ #include "sudo_auth.h" #ifndef lint -__unused static const char rcsid[] = "$Sudo: fwtk.c,v 1.27 2005/02/12 22:56:07 millert Exp $"; +__unused static const char rcsid[] = "$Sudo: fwtk.c,v 1.29 2008/11/09 14:13:13 millert Exp $"; #endif /* lint */ int @@ -95,7 +95,6 @@ fwtk_verify(pw, prompt, auth) char buf[SUDO_PASS_MAX + 12]; /* General prupose buffer */ char resp[128]; /* Response from the server */ int error; - extern int nil_pw; /* Send username to authentication server. */ (void) snprintf(buf, sizeof(buf), "authorize %s 'sudo'", pw->pw_name); @@ -127,10 +126,8 @@ restart: return(AUTH_FATAL); } if (!pass) { /* ^C or error */ - nil_pw = 1; - return(AUTH_FAILURE); - } else if (*pass == '\0') /* empty password */ - nil_pw = 1; + return(AUTH_INTR); + } /* Send the user's response to the server */ (void) snprintf(buf, sizeof(buf), "response '%s'", pass); diff --git a/usr.bin/sudo/auth/kerb4.c b/usr.bin/sudo/auth/kerb4.c index 9179ee33137..2f6c1099c9c 100644 --- a/usr.bin/sudo/auth/kerb4.c +++ b/usr.bin/sudo/auth/kerb4.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999-2005 Todd C. Miller <Todd.Miller@courtesan.com> + * Copyright (c) 1999-2005, 2007 Todd C. Miller <Todd.Miller@courtesan.com> * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -48,7 +48,7 @@ #include "sudo_auth.h" #ifndef lint -__unused static const char rcsid[] = "$Sudo: kerb4.c,v 1.15 2007/08/31 23:30:07 millert Exp $"; +__unused static const char rcsid[] = "$Sudo: kerb4.c,v 1.16 2008/11/09 14:13:13 millert Exp $"; #endif /* lint */ int diff --git a/usr.bin/sudo/auth/kerb5.c b/usr.bin/sudo/auth/kerb5.c index 72693a88df8..5e17685bc06 100644 --- a/usr.bin/sudo/auth/kerb5.c +++ b/usr.bin/sudo/auth/kerb5.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999-2005 Todd C. Miller <Todd.Miller@courtesan.com> + * Copyright (c) 1999-2005, 2007-2008 Todd C. Miller <Todd.Miller@courtesan.com> * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -54,7 +54,7 @@ #include "sudo_auth.h" #ifndef lint -__unused static const char rcsid[] = "$Sudo: kerb5.c,v 1.34 2008/02/13 22:17:14 millert Exp $"; +__unused static const char rcsid[] = "$Sudo: kerb5.c,v 1.36 2008/11/09 14:13:13 millert Exp $"; #endif /* lint */ #ifdef HAVE_HEIMDAL @@ -74,6 +74,24 @@ static struct _sudo_krb5_data { } sudo_krb5_data = { NULL, NULL, NULL }; typedef struct _sudo_krb5_data *sudo_krb5_datap; +#ifndef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC +static krb5_error_code +krb5_get_init_creds_opt_alloc(context, opts) + krb5_context context; + krb5_get_init_creds_opt **opts; +{ + *opts = emalloc(sizeof(krb5_get_init_creds_opt)); + return 0; +} + +static void +krb5_get_init_creds_opt_free(opts) + krb5_get_init_creds_opt *opts; +{ + free(opts); +} +#endif + int kerb5_init(pw, promptp, auth) struct passwd *pw; @@ -220,10 +238,10 @@ kerb5_verify(pw, pass, auth) done: if (opts) { -#ifdef HAVE_HEIMDAL - krb5_get_init_creds_opt_free(opts); -#else +#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_FREE_TWO_ARGS krb5_get_init_creds_opt_free(sudo_context, opts); +#else + krb5_get_init_creds_opt_free(opts); #endif } if (creds) diff --git a/usr.bin/sudo/auth/pam.c b/usr.bin/sudo/auth/pam.c index e0dd059b011..af448de7071 100644 --- a/usr.bin/sudo/auth/pam.c +++ b/usr.bin/sudo/auth/pam.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999-2005 Todd C. Miller <Todd.Miller@courtesan.com> + * Copyright (c) 1999-2005, 2007-2008 Todd C. Miller <Todd.Miller@courtesan.com> * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -72,12 +72,13 @@ #endif #ifndef lint -__unused static const char rcsid[] = "$Sudo: pam.c,v 1.62 2008/02/22 20:19:34 millert Exp $"; +__unused static const char rcsid[] = "$Sudo: pam.c,v 1.64 2008/11/09 14:13:13 millert Exp $"; #endif /* lint */ static int sudo_conv __P((int, PAM_CONST struct pam_message **, struct pam_response **, void *)); static char *def_prompt; +static int gotintr; #ifndef PAM_DATA_SILENT #define PAM_DATA_SILENT 0 @@ -162,6 +163,10 @@ pam_verify(pw, prompt, auth) } /* FALLTHROUGH */ case PAM_AUTH_ERR: + if (gotintr) { + /* error or ^C from tgetpass() */ + return(AUTH_INTR); + } case PAM_MAXTRIES: case PAM_PERM_DENIED: return(AUTH_FAILURE); @@ -251,7 +256,6 @@ sudo_conv(num_msg, msg, response, appdata_ptr) const char *prompt; char *pass; int n, flags, std_prompt; - extern int nil_pw; if ((*response = malloc(num_msg * sizeof(struct pam_response))) == NULL) return(PAM_CONV_ERR); @@ -286,14 +290,11 @@ sudo_conv(num_msg, msg, response, appdata_ptr) pass = tgetpass(prompt, def_passwd_timeout * 60, flags); if (pass == NULL) { /* We got ^C instead of a password; abort quickly. */ - nil_pw = 1; + gotintr = 1; goto err; } pr->resp = estrdup(pass); - if (*pr->resp == '\0') - nil_pw = 1; /* empty password */ - else - zero_bytes(pass, strlen(pass)); + zero_bytes(pass, strlen(pass)); break; case PAM_TEXT_INFO: if (pm->msg) diff --git a/usr.bin/sudo/auth/securid.c b/usr.bin/sudo/auth/securid.c index f70142b0a58..8ec7bbeff7c 100644 --- a/usr.bin/sudo/auth/securid.c +++ b/usr.bin/sudo/auth/securid.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999-2005 Todd C. Miller <Todd.Miller@courtesan.com> + * Copyright (c) 1999-2005, 2007 Todd C. Miller <Todd.Miller@courtesan.com> * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -54,7 +54,7 @@ #include "sudo_auth.h" #ifndef lint -__unused static const char rcsid[] = "$Sudo: securid.c,v 1.17 2007/08/31 23:30:07 millert Exp $"; +__unused static const char rcsid[] = "$Sudo: securid.c,v 1.18 2008/11/09 14:13:13 millert Exp $"; #endif /* lint */ union config_record configure; diff --git a/usr.bin/sudo/auth/securid5.c b/usr.bin/sudo/auth/securid5.c index 254211460d3..db254c2f51a 100644 --- a/usr.bin/sudo/auth/securid5.c +++ b/usr.bin/sudo/auth/securid5.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999-2005 Todd C. Miller <Todd.Miller@courtesan.com> + * Copyright (c) 1999-2005, 2007 Todd C. Miller <Todd.Miller@courtesan.com> * Copyright (c) 2002 Michael Stroucken <michael@stroucken.org> * * Permission to use, copy, modify, and distribute this software for any @@ -56,7 +56,7 @@ #include "sudo_auth.h" #ifndef lint -__unused static const char rcsid[] = "$Sudo: securid5.c,v 1.12 2007/08/31 23:30:07 millert Exp $"; +__unused static const char rcsid[] = "$Sudo: securid5.c,v 1.13 2008/11/09 14:13:13 millert Exp $"; #endif /* lint */ /* diff --git a/usr.bin/sudo/auth/sia.c b/usr.bin/sudo/auth/sia.c index af379cac208..852e8c77dc5 100644 --- a/usr.bin/sudo/auth/sia.c +++ b/usr.bin/sudo/auth/sia.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999-2005 Todd C. Miller <Todd.Miller@courtesan.com> + * Copyright (c) 1999-2005, 2007 Todd C. Miller <Todd.Miller@courtesan.com> * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -50,7 +50,7 @@ #include "sudo_auth.h" #ifndef lint -__unused static const char rcsid[] = "$Sudo: sia.c,v 1.18 2007/08/31 23:30:07 millert Exp $"; +__unused static const char rcsid[] = "$Sudo: sia.c,v 1.19 2008/11/09 14:13:13 millert Exp $"; #endif /* lint */ static int sudo_collect __P((int, int, uchar_t *, int, prompt_t *)); diff --git a/usr.bin/sudo/auth/sudo_auth.c b/usr.bin/sudo/auth/sudo_auth.c index eb0b04a8030..509f26ff5b0 100644 --- a/usr.bin/sudo/auth/sudo_auth.c +++ b/usr.bin/sudo/auth/sudo_auth.c @@ -53,7 +53,7 @@ #include "insults.h" #ifndef lint -__unused static const char rcsid[] = "$Sudo: sudo_auth.c,v 1.37 2008/03/02 14:31:57 millert Exp $"; +__unused static const char rcsid[] = "$Sudo: sudo_auth.c,v 1.38 2008/11/07 17:45:52 millert Exp $"; #endif /* lint */ sudo_auth auth_switch[] = { @@ -88,8 +88,6 @@ sudo_auth auth_switch[] = { AUTH_ENTRY(0, NULL, NULL, NULL, NULL, NULL) }; -int nil_pw; /* I hate resorting to globals like this... */ - void verify_user(pw, prompt) struct passwd *pw; @@ -156,14 +154,11 @@ verify_user(pw, prompt) } /* Get the password unless the auth function will do it for us */ - nil_pw = 0; #ifdef AUTH_STANDALONE p = prompt; #else p = (char *) tgetpass(prompt, def_passwd_timeout * 60, tgetpass_flags); - if (!p || *p == '\0') - nil_pw = 1; #endif /* AUTH_STANDALONE */ /* Call authentication functions. */ @@ -186,15 +181,6 @@ verify_user(pw, prompt) if (p) zero_bytes(p, strlen(p)); #endif - - /* Exit loop on nil password, but give it a chance to match first. */ - if (nil_pw) { - if (counter == def_passwd_tries) - exit(1); - else - break; - } - if (!ISSET(tgetpass_flags, TGP_ASKPASS)) pass_warn(stderr); } @@ -219,14 +205,18 @@ cleanup: case AUTH_SUCCESS: (void) sigaction(SIGTSTP, &osa, NULL); return; + case AUTH_INTR: case AUTH_FAILURE: - if (def_mail_badpass || def_mail_always) - flags = 0; - else - flags = NO_MAIL; - log_error(flags, "%d incorrect password attempt%s", - def_passwd_tries - counter, - (def_passwd_tries - counter == 1) ? "" : "s"); + if (counter != def_passwd_tries) { + if (def_mail_badpass || def_mail_always) + flags = 0; + else + flags = NO_MAIL; + log_error(flags, "%d incorrect password attempt%s", + def_passwd_tries - counter, + (def_passwd_tries - counter == 1) ? "" : "s"); + } + /* FALLTHROUGH */ case AUTH_FATAL: exit(1); } diff --git a/usr.bin/sudo/auth/sudo_auth.h b/usr.bin/sudo/auth/sudo_auth.h index 74b82f4a9f5..5214fb1a57d 100644 --- a/usr.bin/sudo/auth/sudo_auth.h +++ b/usr.bin/sudo/auth/sudo_auth.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999-2005 Todd C. Miller <Todd.Miller@courtesan.com> + * Copyright (c) 1999-2005, 2007-2008 Todd C. Miller <Todd.Miller@courtesan.com> * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -13,7 +13,7 @@ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. * - * $Sudo: sudo_auth.h,v 1.23 2007/08/31 23:30:07 millert Exp $ + * $Sudo: sudo_auth.h,v 1.27 2008/11/18 12:54:51 millert Exp $ */ #ifndef SUDO_AUTH_H @@ -22,7 +22,8 @@ /* Auth function return values. */ #define AUTH_SUCCESS 0 #define AUTH_FAILURE 1 -#define AUTH_FATAL 2 +#define AUTH_INTR 2 +#define AUTH_FATAL 3 typedef struct sudo_auth { short flags; /* various flags, see below */ @@ -57,6 +58,7 @@ int sia_setup __P((struct passwd *pw, char **prompt, sudo_auth *auth)); int sia_verify __P((struct passwd *pw, char *prompt, sudo_auth *auth)); int sia_cleanup __P((struct passwd *pw, sudo_auth *auth)); int aixauth_verify __P((struct passwd *pw, char *pass, sudo_auth *auth)); +int aixauth_cleanup __P((struct passwd *pw, sudo_auth *auth)); int bsdauth_init __P((struct passwd *pw, char **prompt, sudo_auth *auth)); int bsdauth_verify __P((struct passwd *pw, char *prompt, sudo_auth *auth)); int bsdauth_cleanup __P((struct passwd *pw, sudo_auth *auth)); @@ -99,7 +101,7 @@ int securid_verify __P((struct passwd *pw, char *pass, sudo_auth *auth)); #elif defined(HAVE_AIXAUTH) # define AUTH_STANDALONE \ AUTH_ENTRY(0, "aixauth", \ - NULL, NULL, aixauth_verify, NULL) + NULL, NULL, aixauth_verify, aixauth_cleanup) #elif defined(HAVE_FWTK) # define AUTH_STANDALONE \ AUTH_ENTRY(0, "fwtk", \ |