2 * Copyright (c) 1993-1996,1998-2005, 2007-2008
3 * Todd C. Miller <Todd.Miller@courtesan.com>
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 * Sponsored in part by the Defense Advanced Research Projects
18 * Agency (DARPA) and Air Force Research Laboratory, Air Force
19 * Materiel Command, USAF, under agreement number F39502-99-1-0512.
24 #include <sys/types.h>
25 #include <sys/param.h>
28 # include <sys/file.h>
38 #endif /* STDC_HEADERS */
42 # ifdef HAVE_STRINGS_H
45 #endif /* HAVE_STRING_H */
48 #endif /* HAVE_UNISTD_H */
56 # include <emul/timespec.h>
62 __unused static const char rcsid[] = "$Sudo: check.c,v 1.245 2008/11/25 17:01:34 millert Exp $";
65 /* Status codes for timestamp_status() */
72 /* Flags for timestamp_status() */
73 #define TS_MAKE_DIRS 1
76 static void build_timestamp __P((char **, char **));
77 static int timestamp_status __P((char *, char *, char *, int));
78 static char *expand_prompt __P((char *, char *, char *));
79 static void lecture __P((int));
80 static void update_timestamp __P((char *, char *));
83 * This function only returns if the user can successfully
84 * verify who he/she is.
87 check_user(validated, interactive)
91 char *timestampdir = NULL;
92 char *timestampfile = NULL;
96 if (user_uid == 0 || user_uid == runas_pw->pw_uid || user_is_exempt())
99 build_timestamp(×tampdir, ×tampfile);
100 status = timestamp_status(timestampdir, timestampfile, user_name,
102 if (status != TS_CURRENT || ISSET(validated, FLAG_CHECK_USER)) {
103 /* Bail out if we are non-interactive and a password is required */
105 errorx(1, "sorry, a password is required to run %s", getprogname());
107 /* If user specified -A, make sure we have an askpass helper. */
108 if (ISSET(tgetpass_flags, TGP_ASKPASS)) {
109 if (user_askpass == NULL)
111 "no askpass program specified, try setting SUDO_ASKPASS");
112 } else if (!ISSET(tgetpass_flags, TGP_STDIN)) {
113 /* If no tty but DISPLAY is set, use askpass if we have it. */
114 if (!user_ttypath && !tty_present()) {
115 if (user_askpass && user_display && *user_display != '\0') {
116 SET(tgetpass_flags, TGP_ASKPASS);
117 } else if (!def_visiblepw) {
119 "no tty present and no askpass program specified");
124 if (!ISSET(tgetpass_flags, TGP_ASKPASS))
127 /* Expand any escapes in the prompt. */
128 prompt = expand_prompt(user_prompt ? user_prompt : def_passprompt,
129 user_name, user_shost);
131 verify_user(auth_pw, prompt);
133 /* Only update timestamp if user was validated. */
134 if (status != TS_ERROR && ISSET(validated, VALIDATE_OK))
135 update_timestamp(timestampdir, timestampfile);
137 efree(timestampfile);
141 * Standard sudo lecture.
142 * TODO: allow the user to specify a file name instead.
152 if (def_lecture == never ||
153 (def_lecture == once && status != TS_MISSING && status != TS_ERROR))
156 if (def_lecture_file && (fp = fopen(def_lecture_file, "r")) != NULL) {
157 while ((nread = fread(buf, sizeof(char), sizeof(buf), fp)) != 0)
158 fwrite(buf, nread, 1, stderr);
162 We trust you have received the usual lecture from the local System\n\
163 Administrator. It usually boils down to these three things:\n\
165 #1) Respect the privacy of others.\n\
166 #2) Think before you type.\n\
167 #3) With great power comes great responsibility.\n\n",
173 * Update the time on the timestamp file/dir or create it if necessary.
176 update_timestamp(timestampdir, timestampfile)
180 if (timestamp_uid != 0)
181 set_perms(PERM_TIMESTAMP);
182 if (touch(-1, timestampfile ? timestampfile : timestampdir, NULL) == -1) {
184 int fd = open(timestampfile, O_WRONLY|O_CREAT|O_TRUNC, 0600);
187 log_error(NO_EXIT|USE_ERRNO, "Can't open %s", timestampfile);
191 if (mkdir(timestampdir, 0700) == -1)
192 log_error(NO_EXIT|USE_ERRNO, "Can't mkdir %s", timestampdir);
195 if (timestamp_uid != 0)
196 set_perms(PERM_ROOT);
200 * Expand %h and %u escapes in the prompt and pass back the dynamically
201 * allocated result. Returns the same string if there are no escapes.
204 expand_prompt(old_prompt, user, host)
211 char *p, *np, *new_prompt, *endp;
213 /* How much space do we need to malloc for the prompt? */
215 for (p = old_prompt, len = strlen(old_prompt); *p; p++) {
220 len += strlen(user_shost) - 2;
225 len += strlen(user_host) - 2;
232 else if (def_targetpw || def_runaspw)
233 len += strlen(runas_pw->pw_name) - 2;
235 len += strlen(user_name) - 2;
240 len += strlen(user_name) - 2;
245 len += strlen(runas_pw->pw_name) - 2;
260 new_prompt = (char *) emalloc(++len);
261 endp = new_prompt + len;
262 for (p = old_prompt, np = new_prompt; *p; p++) {
267 n = strlcpy(np, user_shost, np - endp);
274 n = strlcpy(np, user_host, np - endp);
282 n = strlcpy(np, "root", np - endp);
283 else if (def_targetpw || def_runaspw)
284 n = strlcpy(np, runas_pw->pw_name, np - endp);
286 n = strlcpy(np, user_name, np - endp);
293 n = strlcpy(np, user_name, np - endp);
300 n = strlcpy(np, runas_pw->pw_name, np - endp);
306 /* convert %% -> % */
320 new_prompt = old_prompt;
325 /* We pre-allocate enough space, so this should never happen. */
326 errorx(1, "internal error, expand_prompt() overflow");
330 * Checks if the user is exempt from supplying a password.
338 if (!def_exempt_group)
341 if (!(grp = sudo_getgrnam(def_exempt_group)))
344 if (user_gid == grp->gr_gid)
347 for (gr_mem = grp->gr_mem; *gr_mem; gr_mem++) {
348 if (strcmp(user_name, *gr_mem) == 0)
356 * Fills in timestampdir as well as timestampfile if using tty tickets.
359 build_timestamp(timestampdir, timestampfile)
361 char **timestampfile;
366 dirparent = def_timestampdir;
367 len = easprintf(timestampdir, "%s/%s", dirparent, user_name);
369 log_error(0, "timestamp path too long: %s", *timestampdir);
372 * Timestamp file may be a file in the directory or NUL to use
373 * the directory as the timestamp.
375 if (def_tty_tickets) {
378 if ((p = strrchr(user_tty, '/')))
383 len = easprintf(timestampfile, "%s/%s/%s:%s", dirparent, user_name,
384 p, runas_pw->pw_name);
386 len = easprintf(timestampfile, "%s/%s/%s", dirparent, user_name, p);
388 log_error(0, "timestamp path too long: %s", *timestampfile);
389 } else if (def_targetpw) {
390 len = easprintf(timestampfile, "%s/%s/%s", dirparent, user_name,
393 log_error(0, "timestamp path too long: %s", *timestampfile);
395 *timestampfile = NULL;
399 * Check the timestamp file and directory and return their status.
402 timestamp_status(timestampdir, timestampfile, user, flags)
410 char *dirparent = def_timestampdir;
411 int status = TS_ERROR; /* assume the worst */
413 if (timestamp_uid != 0)
414 set_perms(PERM_TIMESTAMP);
417 * Sanity check dirparent and make it if it doesn't already exist.
418 * We start out assuming the worst (that the dir is not sane) and
419 * if it is ok upgrade the status to ``no timestamp file''.
420 * Note that we don't check the parent(s) of dirparent for
421 * sanity since the sudo dir is often just located in /tmp.
423 if (lstat(dirparent, &sb) == 0) {
424 if (!S_ISDIR(sb.st_mode))
425 log_error(NO_EXIT, "%s exists but is not a directory (0%o)",
426 dirparent, (unsigned int) sb.st_mode);
427 else if (sb.st_uid != timestamp_uid)
428 log_error(NO_EXIT, "%s owned by uid %lu, should be uid %lu",
429 dirparent, (unsigned long) sb.st_uid,
430 (unsigned long) timestamp_uid);
431 else if ((sb.st_mode & 0000022))
433 "%s writable by non-owner (0%o), should be mode 0700",
434 dirparent, (unsigned int) sb.st_mode);
436 if ((sb.st_mode & 0000777) != 0700)
437 (void) chmod(dirparent, 0700);
440 } else if (errno != ENOENT) {
441 log_error(NO_EXIT|USE_ERRNO, "can't stat %s", dirparent);
443 /* No dirparent, try to make one. */
444 if (ISSET(flags, TS_MAKE_DIRS)) {
445 if (mkdir(dirparent, S_IRWXU))
446 log_error(NO_EXIT|USE_ERRNO, "can't mkdir %s",
452 if (status == TS_ERROR) {
453 if (timestamp_uid != 0)
454 set_perms(PERM_ROOT);
459 * Sanity check the user's ticket dir. We start by downgrading
460 * the status to TS_ERROR. If the ticket dir exists and is sane
461 * this will be upgraded to TS_OLD. If the dir does not exist,
462 * it will be upgraded to TS_MISSING.
464 status = TS_ERROR; /* downgrade status again */
465 if (lstat(timestampdir, &sb) == 0) {
466 if (!S_ISDIR(sb.st_mode)) {
467 if (S_ISREG(sb.st_mode)) {
468 /* convert from old style */
469 if (unlink(timestampdir) == 0)
472 log_error(NO_EXIT, "%s exists but is not a directory (0%o)",
473 timestampdir, (unsigned int) sb.st_mode);
474 } else if (sb.st_uid != timestamp_uid)
475 log_error(NO_EXIT, "%s owned by uid %lu, should be uid %lu",
476 timestampdir, (unsigned long) sb.st_uid,
477 (unsigned long) timestamp_uid);
478 else if ((sb.st_mode & 0000022))
480 "%s writable by non-owner (0%o), should be mode 0700",
481 timestampdir, (unsigned int) sb.st_mode);
483 if ((sb.st_mode & 0000777) != 0700)
484 (void) chmod(timestampdir, 0700);
485 status = TS_OLD; /* do date check later */
487 } else if (errno != ENOENT) {
488 log_error(NO_EXIT|USE_ERRNO, "can't stat %s", timestampdir);
493 * If there is no user ticket dir, AND we are in tty ticket mode,
494 * AND the TS_MAKE_DIRS flag is set, create the user ticket dir.
496 if (status == TS_MISSING && timestampfile && ISSET(flags, TS_MAKE_DIRS)) {
497 if (mkdir(timestampdir, S_IRWXU) == -1) {
499 log_error(NO_EXIT|USE_ERRNO, "can't mkdir %s", timestampdir);
504 * Sanity check the tty ticket file if it exists.
506 if (timestampfile && status != TS_ERROR) {
507 if (status != TS_MISSING)
508 status = TS_NOFILE; /* dir there, file missing */
509 if (lstat(timestampfile, &sb) == 0) {
510 if (!S_ISREG(sb.st_mode)) {
512 log_error(NO_EXIT, "%s exists but is not a regular file (0%o)",
513 timestampfile, (unsigned int) sb.st_mode);
515 /* If bad uid or file mode, complain and kill the bogus file. */
516 if (sb.st_uid != timestamp_uid) {
518 "%s owned by uid %lu, should be uid %lu",
519 timestampfile, (unsigned long) sb.st_uid,
520 (unsigned long) timestamp_uid);
521 (void) unlink(timestampfile);
522 } else if ((sb.st_mode & 0000022)) {
524 "%s writable by non-owner (0%o), should be mode 0600",
525 timestampfile, (unsigned int) sb.st_mode);
526 (void) unlink(timestampfile);
528 /* If not mode 0600, fix it. */
529 if ((sb.st_mode & 0000777) != 0600)
530 (void) chmod(timestampfile, 0600);
532 status = TS_OLD; /* actually check mtime below */
535 } else if (errno != ENOENT) {
536 log_error(NO_EXIT|USE_ERRNO, "can't stat %s", timestampfile);
542 * If the file/dir exists and we are not removing it, check its mtime.
544 if (status == TS_OLD && !ISSET(flags, TS_REMOVE)) {
545 /* Negative timeouts only expire manually (sudo -k). */
546 if (def_timestamp_timeout < 0 && sb.st_mtime != 0)
549 /* XXX - should use timespec here */
551 if (def_timestamp_timeout &&
552 now - sb.st_mtime < 60 * def_timestamp_timeout) {
554 * Check for bogus time on the stampfile. The clock may
555 * have been set back or someone could be trying to spoof us.
557 if (sb.st_mtime > now + 60 * def_timestamp_timeout * 2) {
559 "timestamp too far in the future: %20.20s",
560 4 + ctime(&sb.st_mtime));
562 (void) unlink(timestampfile);
564 (void) rmdir(timestampdir);
572 if (timestamp_uid != 0)
573 set_perms(PERM_ROOT);
578 * Remove the timestamp ticket file/dir.
581 remove_timestamp(remove)
585 char *timestampdir, *timestampfile, *path;
588 build_timestamp(×tampdir, ×tampfile);
589 status = timestamp_status(timestampdir, timestampfile, user_name,
591 if (status == TS_OLD || status == TS_CURRENT) {
592 path = timestampfile ? timestampfile : timestampdir;
595 status = unlink(timestampfile);
597 status = rmdir(timestampdir);
598 if (status == -1 && errno != ENOENT) {
599 log_error(NO_EXIT, "can't remove %s (%s), will reset to Epoch",
600 path, strerror(errno));
605 if (touch(-1, path, &ts) == -1)
606 error(1, "can't reset %s to Epoch", path);
611 efree(timestampfile);