/*
- * Copyright (c) 1999-2005, 2008 Todd C. Miller <Todd.Miller@courtesan.com>
+ * Copyright (c) 1999-2005, 2008-2010 Todd C. Miller <Todd.Miller@courtesan.com>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
# endif
#endif /* STDC_HEADERS */
#ifdef HAVE_STRING_H
-# if defined(HAVE_MEMORY_H) && !defined(STDC_HEADERS)
-# include <memory.h>
-# endif
# include <string.h>
-#else
-# ifdef HAVE_STRINGS_H
-# include <strings.h>
-# endif
#endif /* HAVE_STRING_H */
+#ifdef HAVE_STRINGS_H
+# include <strings.h>
+#endif /* HAVE_STRINGS_H */
#ifdef HAVE_UNISTD_H
# include <unistd.h>
#endif /* HAVE_UNISTD_H */
#include "sudo_auth.h"
#include "insults.h"
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: sudo_auth.c,v 1.38 2008/11/07 17:45:52 millert Exp $";
-#endif /* lint */
-
sudo_auth auth_switch[] = {
#ifdef AUTH_STANDALONE
AUTH_STANDALONE
char *p;
sudo_auth *auth;
sigaction_t sa, osa;
+#ifdef HAVE_BSM_AUDIT
+ extern char **NewArgv;
+#endif
/* Enable suspend during password entry. */
sigemptyset(&sa.sa_mask);
(void) sigaction(SIGTSTP, &sa, &osa);
/* Make sure we have at least one auth method. */
- if (auth_switch[0].name == NULL)
+ if (auth_switch[0].name == NULL) {
+#ifdef HAVE_BSM_AUDIT
+ audit_failure(NewArgv, "no authentication methods");
+#endif
log_error(0, "%s %s %s",
"There are no authentication methods compiled into sudo!",
"If you want to turn off authentication, use the",
"--disable-authentication configure option.");
+ }
/* Set FLAG_ONEANDONLY if there is only one auth method. */
if (auth_switch[1].name == NULL)
status = (auth->init)(pw, &prompt, auth);
if (status == AUTH_FAILURE)
CLR(auth->flags, FLAG_CONFIGURED);
- else if (status == AUTH_FATAL) /* XXX log */
+ else if (status == AUTH_FATAL) { /* XXX log */
+#ifdef HAVE_BSM_AUDIT
+ audit_failure(NewArgv, "authentication failure");
+#endif
exit(1); /* assume error msg already printed */
+ }
if (NEEDS_USER(auth))
set_perms(PERM_ROOT);
status = (auth->setup)(pw, &prompt, auth);
if (status == AUTH_FAILURE)
CLR(auth->flags, FLAG_CONFIGURED);
- else if (status == AUTH_FATAL) /* XXX log */
+ else if (status == AUTH_FATAL) {/* XXX log */
+#ifdef HAVE_BSM_AUDIT
+ audit_failure(NewArgv, "authentication failure");
+#endif
exit(1); /* assume error msg already printed */
+ }
if (NEEDS_USER(auth))
set_perms(PERM_ROOT);
goto cleanup;
}
#ifndef AUTH_STANDALONE
- if (p)
- zero_bytes(p, strlen(p));
+ if (p == NULL)
+ break;
+ zero_bytes(p, strlen(p));
#endif
if (!ISSET(tgetpass_flags, TGP_ASKPASS))
pass_warn(stderr);
set_perms(PERM_USER);
status = (auth->cleanup)(pw, auth);
- if (status == AUTH_FATAL) /* XXX log */
+ if (status == AUTH_FATAL) { /* XXX log */
+#ifdef HAVE_BSM_AUDIT
+ audit_failure(NewArgv, "authentication failure");
+#endif
exit(1); /* assume error msg already printed */
+ }
if (NEEDS_USER(auth))
set_perms(PERM_ROOT);
flags = 0;
else
flags = NO_MAIL;
+#ifdef HAVE_BSM_AUDIT
+ audit_failure(NewArgv, "authentication failure");
+#endif
log_error(flags, "%d incorrect password attempt%s",
def_passwd_tries - counter,
(def_passwd_tries - counter == 1) ? "" : "s");
}
/* FALLTHROUGH */
case AUTH_FATAL:
+#ifdef HAVE_BSM_AUDIT
+ audit_failure(NewArgv, "authentication failure");
+#endif
exit(1);
}
/* NOTREACHED */
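Review bot: The new `audit_failure()` calls in the init, setup and cleanup `AUTH_FATAL` branches record the same reason string, "authentication failure", as the bad-password path in the final `switch`, so the BSM trail cannot separate a failing auth backend from a wrong password. A distinct reason per site would keep those apart when triaging the audit log, for example `audit_failure(NewArgv, "authentication method init failed");` in the init branch (wording constructed here). The unchanged `/* XXX log */` markers suggest these fatal paths still write no log entry of their own. In the `AUTH_FAILURE` case the record is written before `log_error()` and again after the `/* FALLTHROUGH */` into `case AUTH_FATAL:`, so if `log_error()` can return with these flags one failed attempt yields two records; it is worth confirming that it always exits there. The enclosing function begins and ends outside the visible hunks, and `extern char **NewArgv;` would be better taken from a shared header than redeclared inside the function body.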