commit 27235dd398ab05cf7f992efe2027efc70fa0da0c
parent 3d4da2df4672135c3fe89bb7083f07a3a1849452
Author: tedu <tedu>
Date: Fri, 2 Sep 2016 18:12:30 +0000
add support for the verified auth ioctls using 'persist' rules. ok deraadt henning
Diffstat:
5 files changed, 41 insertions(+), 12 deletions(-)
diff --git a/doas.1 b/doas.1
@@ -21,7 +21,7 @@
.Nd execute commands as another user
.Sh SYNOPSIS
.Nm doas
-.Op Fl ns
+.Op Fl Lns
.Op Fl C Ar config
.Op Fl u Ar user
.Ar command
@@ -57,7 +57,9 @@ or
.Sq deny
will be printed on standard output, depending on command
matching results.
-In either case, no command is executed.
+No command is executed.
+.It Fl L
+Clear any persisted authorizations from previous invocations.
.It Fl n
Non interactive mode, fail if
.Nm
diff --git a/doas.c b/doas.c
@@ -17,6 +17,7 @@
#include <sys/types.h>
#include <sys/stat.h>
+#include <sys/ioctl.h>
#include <limits.h>
#include <string.h>
@@ -46,7 +47,7 @@ version(void)
static void __dead
usage(void)
{
- fprintf(stderr, "usage: doas [-nsv] "
+ fprintf(stderr, "usage: doas [-Lnsv] "
#ifdef HAVE_BSD_AUTH_H
"[-a style] "
#endif
@@ -221,10 +222,18 @@ checkconfig(const char *confpath, int argc, char **argv,
#ifdef HAVE_BSD_AUTH_H
static void
-authuser(char *myname, char *login_style)
+authuser(char *myname, char *login_style, int persist)
{
char *challenge = NULL, *response, rbuf[1024], cbuf[128];
auth_session_t *as;
+ int fd = -1;
+
+ if (persist)
+ fd = open("/dev/tty", O_RDWR);
+ if (fd != -1) {
+ if (ioctl(fd, TIOCCHKVERAUTH) == 0)
+ goto good;
+ }
if (!(as = auth_userchallenge(myname, login_style, "auth-doas",
&challenge)))
@@ -250,10 +259,16 @@ authuser(char *myname, char *login_style)
errc(1, EPERM, NULL);
}
explicit_bzero(rbuf, sizeof(rbuf));
+good:
+ if (fd != -1) {
+ int secs = 10 * 60;
+ ioctl(fd, TIOCSETVERAUTH, &secs);
+ close(fd);
+ }
}
#elif HAVE_SHADOW_H
static void
-authuser(const char *myname, const char *login_style)
+authuser(const char *myname, const char *login_style, int persist)
{
const char *hash;
char *encrypted;
@@ -326,17 +341,14 @@ main(int argc, char **argv)
setprogname("doas");
- if (pledge("stdio rpath getpw tty recvfd proc exec id", NULL) == -1)
- err(1, "pledge");
-
closefrom(STDERR_FILENO + 1);
uid = getuid();
#ifdef HAVE_BSD_AUTH_H
-# define OPTSTRING "a:C:nsu:v"
+# define OPTSTRING "a:C:Lnsu:v"
#else
-# define OPTSTRING "+C:nsu:v"
+# define OPTSTRING "+C:Lnsu:v"
#endif
while ((ch = getopt(argc, argv, OPTSTRING)) != -1) {
@@ -349,6 +361,13 @@ main(int argc, char **argv)
case 'C':
confpath = optarg;
break;
+ case 'L':
+#ifdef TIOCCLRVERAUTH
+ i = open("/dev/tty", O_RDWR);
+ if (i != -1)
+ ioctl(i, TIOCCLRVERAUTH);
+ exit(i == -1);
+#endif
case 'u':
if (parseuid(optarg, &target) != 0)
errx(1, "unknown user");
@@ -431,7 +450,7 @@ main(int argc, char **argv)
if (nflag)
errx(1, "Authorization required");
- authuser(myname, login_style);
+ authuser(myname, login_style, rule->options & PERSIST);
}
#elif HAVE_PAM_APPL_H
pw = getpwuid(target);
diff --git a/doas.conf.5 b/doas.conf.5
@@ -45,6 +45,9 @@ Options are:
.Bl -tag -width keepenv
.It Ic nopass
The user is not required to enter a password.
+.It Ic persist
+After the user successfully authenticates, do not ask for a password
+again for some time.
.It Ic keepenv
The user's environment is maintained.
The default is to reset the environment, except for the variables
diff --git a/doas.h b/doas.h
@@ -22,3 +22,4 @@ char **prepenv(struct rule *);
#define NOPASS 0x1
#define KEEPENV 0x2
+#define PERSIST 0x4
diff --git a/parse.y b/parse.y
@@ -60,7 +60,7 @@ int yyparse(void);
%}
%token TPERMIT TDENY TAS TCMD TARGS
-%token TNOPASS TKEEPENV TSETENV
+%token TNOPASS TPERSIST TKEEPENV TSETENV
%token TSTRING
%%
@@ -122,6 +122,9 @@ options: /* none */ {
option: TNOPASS {
$$.options = NOPASS;
$$.envlist = NULL;
+ } | TPERSIST {
+ $$.options = PERSIST;
+ $$.envlist = NULL;
} | TKEEPENV {
$$.options = KEEPENV;
$$.envlist = NULL;
@@ -208,6 +211,7 @@ struct keyword {
{ "cmd", TCMD },
{ "args", TARGS },
{ "nopass", TNOPASS },
+ { "persist", TPERSIST },
{ "keepenv", TKEEPENV },
{ "setenv", TSETENV },
};
