2 * Copyright (c) 1993-1996,1998-2005, 2007-2011
3 * Todd C. Miller <Todd.Miller@courtesan.com>
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 * Sponsored in part by the Defense Advanced Research Projects
18 * Agency (DARPA) and Air Force Research Laboratory, Air Force
19 * Materiel Command, USAF, under agreement number F39502-99-1-0512.
24 #include <sys/types.h>
25 #include <sys/param.h>
31 #if defined(__sun) && defined(__SVR4)
32 # include <sys/statvfs.h>
35 # include <sys/file.h>
45 #endif /* STDC_HEADERS */
48 #endif /* HAVE_STRING_H */
51 #endif /* HAVE_STRINGS_H */
54 #endif /* HAVE_UNISTD_H */
55 #if TIME_WITH_SYS_TIME
66 /* Status codes for timestamp_status() */
73 /* Flags for timestamp_status() */
74 #define TS_MAKE_DIRS 1
78 * Info stored in tty ticket from stat(2) to help with tty matching.
80 static struct tty_info {
81 dev_t dev; /* ID of device tty resides on */
82 dev_t rdev; /* tty device ID */
83 ino_t ino; /* tty inode number */
84 struct timeval ctime; /* tty inode change time */
85 pid_t sid; /* ID of session with controlling tty */
88 static int build_timestamp(char **, char **);
89 static int timestamp_status(char *, char *, char *, int);
90 static char *expand_prompt(char *, char *, char *);
91 static void lecture(int);
92 static void update_timestamp(char *, char *);
93 static bool tty_is_devpts(const char *);
94 static struct passwd *get_authpw(void);
97 * Returns true if the user successfully authenticates, false if not
101 check_user(int validated, int mode)
103 struct passwd *auth_pw;
104 char *timestampdir = NULL;
105 char *timestampfile = NULL;
108 int status, rval = true;
109 debug_decl(check_user, SUDO_DEBUG_AUTH)
112 * Init authentication system regardless of whether we need a password.
113 * Required for proper PAM session support.
115 auth_pw = get_authpw();
116 if (sudo_auth_init(auth_pw) == -1) {
122 * Don't prompt for the root passwd or if the user is exempt.
123 * If the user is not changing uid/gid, no need for a password.
125 if (!def_authenticate || user_uid == 0 || user_is_exempt())
127 if (user_uid == runas_pw->pw_uid &&
128 (!runas_gr || user_in_group(sudo_user.pw, runas_gr->gr_name))) {
130 if (user_role == NULL && user_type == NULL)
133 if (runas_privs == NULL && runas_limitprivs == NULL)
138 /* Always need a password when -k was specified with the command. */
139 if (ISSET(mode, MODE_IGNORE_TICKET))
140 SET(validated, FLAG_CHECK_USER);
142 /* Stash the tty's device, session ID and ctime for ticket comparison. */
143 if (def_tty_tickets && user_ttypath && stat(user_ttypath, &sb) == 0) {
144 tty_info.dev = sb.st_dev;
145 tty_info.ino = sb.st_ino;
146 tty_info.rdev = sb.st_rdev;
147 if (tty_is_devpts(user_ttypath))
148 ctim_get(&sb, &tty_info.ctime);
149 tty_info.sid = user_sid;
152 if (build_timestamp(×tampdir, ×tampfile) == -1) {
157 status = timestamp_status(timestampdir, timestampfile, user_name,
160 if (status != TS_CURRENT || ISSET(validated, FLAG_CHECK_USER)) {
161 /* Bail out if we are non-interactive and a password is required */
162 if (ISSET(mode, MODE_NONINTERACTIVE)) {
163 validated |= FLAG_NON_INTERACTIVE;
164 log_auth_failure(validated, 0);
169 /* XXX - should not lecture if askpass helper is being used. */
172 /* Expand any escapes in the prompt. */
173 prompt = expand_prompt(user_prompt ? user_prompt : def_passprompt,
174 user_name, user_shost);
176 rval = verify_user(auth_pw, prompt, validated);
178 /* Only update timestamp if user was validated. */
179 if (rval == true && ISSET(validated, VALIDATE_OK) &&
180 !ISSET(mode, MODE_IGNORE_TICKET) && status != TS_ERROR)
181 update_timestamp(timestampdir, timestampfile);
183 efree(timestampfile);
186 sudo_auth_cleanup(auth_pw);
187 sudo_pw_delref(auth_pw);
189 debug_return_bool(rval);
192 #define DEFAULT_LECTURE "\n" \
193 "We trust you have received the usual lecture from the local System\n" \
194 "Administrator. It usually boils down to these three things:\n\n" \
195 " #1) Respect the privacy of others.\n" \
196 " #2) Think before you type.\n" \
197 " #3) With great power comes great responsibility.\n\n"
200 * Standard sudo lecture.
208 struct sudo_conv_message msg;
209 struct sudo_conv_reply repl;
210 debug_decl(lecture, SUDO_DEBUG_AUTH)
212 if (def_lecture == never ||
213 (def_lecture == once && status != TS_MISSING && status != TS_ERROR))
216 memset(&msg, 0, sizeof(msg));
217 memset(&repl, 0, sizeof(repl));
219 if (def_lecture_file && (fp = fopen(def_lecture_file, "r")) != NULL) {
220 while ((nread = fread(buf, sizeof(char), sizeof(buf) - 1, fp)) != 0) {
222 msg.msg_type = SUDO_CONV_ERROR_MSG;
224 sudo_conv(1, &msg, &repl);
228 msg.msg_type = SUDO_CONV_ERROR_MSG;
229 msg.msg = _(DEFAULT_LECTURE);
230 sudo_conv(1, &msg, &repl);
236 * Update the time on the timestamp file/dir or create it if necessary.
239 update_timestamp(char *timestampdir, char *timestampfile)
241 debug_decl(update_timestamp, SUDO_DEBUG_AUTH)
243 /* If using tty timestamps but we have no tty there is nothing to do. */
244 if (def_tty_tickets && !user_ttypath)
247 if (timestamp_uid != 0)
248 set_perms(PERM_TIMESTAMP);
251 * Store tty info in timestamp file
253 int fd = open(timestampfile, O_WRONLY|O_CREAT, 0600);
255 log_error(USE_ERRNO, _("unable to open %s"), timestampfile);
257 lock_file(fd, SUDO_LOCK);
258 if (write(fd, &tty_info, sizeof(tty_info)) != sizeof(tty_info)) {
259 log_error(USE_ERRNO, _("unable to write to %s"),
265 if (touch(-1, timestampdir, NULL) == -1) {
266 if (mkdir(timestampdir, 0700) == -1) {
267 log_error(USE_ERRNO, _("unable to mkdir %s"),
272 if (timestamp_uid != 0)
278 * Expand %h and %u escapes in the prompt and pass back the dynamically
279 * allocated result. Returns the same string if there are no escapes.
282 expand_prompt(char *old_prompt, char *user, char *host)
286 char *p, *np, *new_prompt, *endp;
287 debug_decl(expand_prompt, SUDO_DEBUG_AUTH)
289 /* How much space do we need to malloc for the prompt? */
291 for (p = old_prompt, len = strlen(old_prompt); *p; p++) {
296 len += strlen(user_shost) - 2;
301 len += strlen(user_host) - 2;
308 else if (def_targetpw || def_runaspw)
309 len += strlen(runas_pw->pw_name) - 2;
311 len += strlen(user_name) - 2;
316 len += strlen(user_name) - 2;
321 len += strlen(runas_pw->pw_name) - 2;
336 new_prompt = emalloc(++len);
337 endp = new_prompt + len;
338 for (p = old_prompt, np = new_prompt; *p; p++) {
343 n = strlcpy(np, user_shost, np - endp);
350 n = strlcpy(np, user_host, np - endp);
358 n = strlcpy(np, "root", np - endp);
359 else if (def_targetpw || def_runaspw)
360 n = strlcpy(np, runas_pw->pw_name, np - endp);
362 n = strlcpy(np, user_name, np - endp);
369 n = strlcpy(np, user_name, np - endp);
376 n = strlcpy(np, runas_pw->pw_name, np - endp);
382 /* convert %% -> % */
396 new_prompt = old_prompt;
398 debug_return_str(new_prompt);
401 /* We pre-allocate enough space, so this should never happen. */
402 errorx(1, _("internal error, %s overflow"), "expand_prompt()");
406 * Checks if the user is exempt from supplying a password.
412 debug_decl(user_is_exempt, SUDO_DEBUG_AUTH)
414 if (def_exempt_group)
415 rval = user_in_group(sudo_user.pw, def_exempt_group);
416 debug_return_bool(rval);
420 * Fills in timestampdir as well as timestampfile if using tty tickets.
423 build_timestamp(char **timestampdir, char **timestampfile)
427 debug_decl(build_timestamp, SUDO_DEBUG_AUTH)
429 dirparent = def_timestampdir;
430 *timestampfile = NULL;
431 len = easprintf(timestampdir, "%s/%s", dirparent, user_name);
436 * Timestamp file may be a file in the directory or NUL to use
437 * the directory as the timestamp.
439 if (def_tty_tickets) {
442 if ((p = strrchr(user_tty, '/')))
447 len = easprintf(timestampfile, "%s/%s/%s:%s", dirparent, user_name,
448 p, runas_pw->pw_name);
450 len = easprintf(timestampfile, "%s/%s/%s", dirparent, user_name, p);
453 } else if (def_targetpw) {
454 len = easprintf(timestampfile, "%s/%s/%s", dirparent, user_name,
459 *timestampfile = NULL;
461 debug_return_int(len);
463 log_fatal(0, _("timestamp path too long: %s"),
464 *timestampfile ? *timestampfile : *timestampdir);
466 debug_return_int(-1);
470 * Check the timestamp file and directory and return their status.
473 timestamp_status(char *timestampdir, char *timestampfile, char *user, int flags)
476 struct timeval boottime, mtime;
478 char *dirparent = def_timestampdir;
479 int status = TS_ERROR; /* assume the worst */
480 debug_decl(timestamp_status, SUDO_DEBUG_AUTH)
482 if (timestamp_uid != 0)
483 set_perms(PERM_TIMESTAMP);
486 * Sanity check dirparent and make it if it doesn't already exist.
487 * We start out assuming the worst (that the dir is not sane) and
488 * if it is ok upgrade the status to ``no timestamp file''.
489 * Note that we don't check the parent(s) of dirparent for
490 * sanity since the sudo dir is often just located in /tmp.
492 if (lstat(dirparent, &sb) == 0) {
493 if (!S_ISDIR(sb.st_mode))
494 log_error(0, _("%s exists but is not a directory (0%o)"),
495 dirparent, (unsigned int) sb.st_mode);
496 else if (sb.st_uid != timestamp_uid)
497 log_error(0, _("%s owned by uid %u, should be uid %u"),
498 dirparent, (unsigned int) sb.st_uid,
499 (unsigned int) timestamp_uid);
500 else if ((sb.st_mode & 0000022))
502 _("%s writable by non-owner (0%o), should be mode 0700"),
503 dirparent, (unsigned int) sb.st_mode);
505 if ((sb.st_mode & 0000777) != 0700)
506 (void) chmod(dirparent, 0700);
509 } else if (errno != ENOENT) {
510 log_error(USE_ERRNO, _("unable to stat %s"), dirparent);
512 /* No dirparent, try to make one. */
513 if (ISSET(flags, TS_MAKE_DIRS)) {
514 if (mkdir(dirparent, S_IRWXU))
515 log_error(USE_ERRNO, _("unable to mkdir %s"),
521 if (status == TS_ERROR)
525 * Sanity check the user's ticket dir. We start by downgrading
526 * the status to TS_ERROR. If the ticket dir exists and is sane
527 * this will be upgraded to TS_OLD. If the dir does not exist,
528 * it will be upgraded to TS_MISSING.
530 status = TS_ERROR; /* downgrade status again */
531 if (lstat(timestampdir, &sb) == 0) {
532 if (!S_ISDIR(sb.st_mode)) {
533 if (S_ISREG(sb.st_mode)) {
534 /* convert from old style */
535 if (unlink(timestampdir) == 0)
538 log_error(0, _("%s exists but is not a directory (0%o)"),
539 timestampdir, (unsigned int) sb.st_mode);
540 } else if (sb.st_uid != timestamp_uid)
541 log_error(0, _("%s owned by uid %u, should be uid %u"),
542 timestampdir, (unsigned int) sb.st_uid,
543 (unsigned int) timestamp_uid);
544 else if ((sb.st_mode & 0000022))
546 _("%s writable by non-owner (0%o), should be mode 0700"),
547 timestampdir, (unsigned int) sb.st_mode);
549 if ((sb.st_mode & 0000777) != 0700)
550 (void) chmod(timestampdir, 0700);
551 status = TS_OLD; /* do date check later */
553 } else if (errno != ENOENT) {
554 log_error(USE_ERRNO, _("unable to stat %s"), timestampdir);
559 * If there is no user ticket dir, AND we are in tty ticket mode,
560 * AND the TS_MAKE_DIRS flag is set, create the user ticket dir.
562 if (status == TS_MISSING && timestampfile && ISSET(flags, TS_MAKE_DIRS)) {
563 if (mkdir(timestampdir, S_IRWXU) == -1) {
565 log_error(USE_ERRNO, _("unable to mkdir %s"), timestampdir);
570 * Sanity check the tty ticket file if it exists.
572 if (timestampfile && status != TS_ERROR) {
573 if (status != TS_MISSING)
574 status = TS_NOFILE; /* dir there, file missing */
575 if (def_tty_tickets && !user_ttypath)
576 goto done; /* no tty, always prompt */
577 if (lstat(timestampfile, &sb) == 0) {
578 if (!S_ISREG(sb.st_mode)) {
580 log_error(0, _("%s exists but is not a regular file (0%o)"),
581 timestampfile, (unsigned int) sb.st_mode);
583 /* If bad uid or file mode, complain and kill the bogus file. */
584 if (sb.st_uid != timestamp_uid) {
586 _("%s owned by uid %u, should be uid %u"),
587 timestampfile, (unsigned int) sb.st_uid,
588 (unsigned int) timestamp_uid);
589 (void) unlink(timestampfile);
590 } else if ((sb.st_mode & 0000022)) {
592 _("%s writable by non-owner (0%o), should be mode 0600"),
593 timestampfile, (unsigned int) sb.st_mode);
594 (void) unlink(timestampfile);
596 /* If not mode 0600, fix it. */
597 if ((sb.st_mode & 0000777) != 0600)
598 (void) chmod(timestampfile, 0600);
601 * Check for stored tty info. If the file is zero-sized
602 * it is an old-style timestamp with no tty info in it.
603 * If removing, we don't care about the contents.
604 * The actual mtime check is done later.
606 if (ISSET(flags, TS_REMOVE)) {
608 } else if (sb.st_size != 0) {
609 struct tty_info info;
610 int fd = open(timestampfile, O_RDONLY, 0644);
612 if (read(fd, &info, sizeof(info)) == sizeof(info) &&
613 memcmp(&info, &tty_info, sizeof(info)) == 0) {
621 } else if (errno != ENOENT) {
622 log_error(USE_ERRNO, _("unable to stat %s"), timestampfile);
628 * If the file/dir exists and we are not removing it, check its mtime.
630 if (status == TS_OLD && !ISSET(flags, TS_REMOVE)) {
631 mtim_get(&sb, &mtime);
632 if (timevalisset(&mtime)) {
633 /* Negative timeouts only expire manually (sudo -k). */
634 if (def_timestamp_timeout < 0) {
638 if (def_timestamp_timeout &&
639 now - mtime.tv_sec < 60 * def_timestamp_timeout) {
641 * Check for bogus time on the stampfile. The clock may
642 * have been set back or user could be trying to spoof us.
644 if (mtime.tv_sec > now + 60 * def_timestamp_timeout * 2) {
645 time_t tv_sec = (time_t)mtime.tv_sec;
647 _("timestamp too far in the future: %20.20s"),
650 (void) unlink(timestampfile);
652 (void) rmdir(timestampdir);
654 } else if (get_boottime(&boottime) &&
655 timevalcmp(&mtime, &boottime, <)) {
666 if (timestamp_uid != 0)
668 debug_return_int(status);
672 * Remove the timestamp ticket file/dir.
675 remove_timestamp(bool remove)
678 char *timestampdir, *timestampfile, *path;
680 debug_decl(remove_timestamp, SUDO_DEBUG_AUTH)
682 if (build_timestamp(×tampdir, ×tampfile) == -1)
685 status = timestamp_status(timestampdir, timestampfile, user_name,
687 if (status != TS_MISSING && status != TS_ERROR) {
688 path = timestampfile ? timestampfile : timestampdir;
691 status = unlink(timestampfile);
693 status = rmdir(timestampdir);
694 if (status == -1 && errno != ENOENT) {
696 _("unable to remove %s (%s), will reset to the epoch"),
697 path, strerror(errno));
703 if (touch(-1, path, &tv) == -1 && errno != ENOENT)
704 error(1, _("unable to reset %s to the epoch"), path);
708 efree(timestampfile);
714 * Returns true if tty lives on a devpts, /dev or /devices filesystem, else
715 * false. Unlike most filesystems, the ctime of devpts nodes is not updated
716 * when the device node is written to, only when the inode's status changes,
717 * typically via the chmod, chown, link, rename, or utimes system calls.
718 * Since the ctime is "stable" in this case, we can stash it the tty ticket
719 * file and use it to determine whether the tty ticket file is stale.
722 tty_is_devpts(const char *tty)
727 debug_decl(tty_is_devpts, SUDO_DEBUG_PTY)
729 #ifndef DEVPTS_SUPER_MAGIC
730 # define DEVPTS_SUPER_MAGIC 0x1cd1
733 if (statfs(tty, &sfs) == 0) {
734 if (sfs.f_type == DEVPTS_SUPER_MAGIC)
737 #elif defined(__sun) && defined(__SVR4)
739 debug_decl(tty_is_devpts, SUDO_DEBUG_PTY)
741 if (statvfs(tty, &sfs) == 0) {
742 if (strcmp(sfs.f_fstr, "dev") == 0 || strcmp(sfs.f_fstr, "devices") == 0)
746 debug_decl(tty_is_devpts, SUDO_DEBUG_PTY)
747 #endif /* __linux__ */
748 debug_return_bool(retval);
752 * Get passwd entry for the user we are going to authenticate as.
753 * By default, this is the user invoking sudo. In the most common
754 * case, this matches sudo_user.pw or runas_pw.
756 static struct passwd *
760 debug_decl(get_authpw, SUDO_DEBUG_AUTH)
763 if ((pw = sudo_getpwuid(ROOT_UID)) == NULL)
764 log_fatal(0, _("unknown uid: %u"), ROOT_UID);
765 } else if (def_runaspw) {
766 if ((pw = sudo_getpwnam(def_runas_default)) == NULL)
767 log_fatal(0, _("unknown user: %s"), def_runas_default);
768 } else if (def_targetpw) {
769 if (runas_pw->pw_name == NULL)
770 log_fatal(NO_MAIL|MSG_ONLY, _("unknown uid: %u"),
771 (unsigned int) runas_pw->pw_uid);
772 sudo_pw_addref(runas_pw);
775 sudo_pw_addref(sudo_user.pw);
779 debug_return_ptr(pw);