/*
- * Copyright (c) 1999-2005 Todd C. Miller <Todd.Miller@courtesan.com>
+ * Copyright (c) 1999-2005, 2008-2010 Todd C. Miller <Todd.Miller@courtesan.com>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
# endif
#endif /* STDC_HEADERS */
#ifdef HAVE_STRING_H
-# if defined(HAVE_MEMORY_H) && !defined(STDC_HEADERS)
-# include <memory.h>
-# endif
# include <string.h>
-#else
-# ifdef HAVE_STRINGS_H
-# include <strings.h>
-# endif
#endif /* HAVE_STRING_H */
+#ifdef HAVE_STRINGS_H
+# include <strings.h>
+#endif /* HAVE_STRINGS_H */
#ifdef HAVE_UNISTD_H
# include <unistd.h>
#endif /* HAVE_UNISTD_H */
#include "sudo_auth.h"
#include "insults.h"
-#ifndef lint
-__unused static const char rcsid[] = "$Sudo: sudo_auth.c,v 1.33.2.2 2007/06/12 01:28:42 millert Exp $";
-#endif /* lint */
-
sudo_auth auth_switch[] = {
#ifdef AUTH_STANDALONE
AUTH_STANDALONE
AUTH_ENTRY(0, NULL, NULL, NULL, NULL, NULL)
};
-int nil_pw; /* I hate resorting to globals like this... */
-
void
verify_user(pw, prompt)
struct passwd *pw;
char *p;
sudo_auth *auth;
sigaction_t sa, osa;
+#ifdef HAVE_BSM_AUDIT
+ extern char **NewArgv;
+#endif
/* Enable suspend during password entry. */
sigemptyset(&sa.sa_mask);
(void) sigaction(SIGTSTP, &sa, &osa);
/* Make sure we have at least one auth method. */
- if (auth_switch[0].name == NULL)
+ if (auth_switch[0].name == NULL) {
+#ifdef HAVE_BSM_AUDIT
+ audit_failure(NewArgv, "no authentication methods");
+#endif
log_error(0, "%s %s %s",
"There are no authentication methods compiled into sudo!",
"If you want to turn off authentication, use the",
"--disable-authentication configure option.");
+ }
/* Set FLAG_ONEANDONLY if there is only one auth method. */
if (auth_switch[1].name == NULL)
status = (auth->init)(pw, &prompt, auth);
if (status == AUTH_FAILURE)
CLR(auth->flags, FLAG_CONFIGURED);
- else if (status == AUTH_FATAL) /* XXX log */
+ else if (status == AUTH_FATAL) { /* XXX log */
+#ifdef HAVE_BSM_AUDIT
+ audit_failure(NewArgv, "authentication failure");
+#endif
exit(1); /* assume error msg already printed */
+ }
if (NEEDS_USER(auth))
set_perms(PERM_ROOT);
status = (auth->setup)(pw, &prompt, auth);
if (status == AUTH_FAILURE)
CLR(auth->flags, FLAG_CONFIGURED);
- else if (status == AUTH_FATAL) /* XXX log */
+ else if (status == AUTH_FATAL) {/* XXX log */
+#ifdef HAVE_BSM_AUDIT
+ audit_failure(NewArgv, "authentication failure");
+#endif
exit(1); /* assume error msg already printed */
+ }
if (NEEDS_USER(auth))
set_perms(PERM_ROOT);
}
/* Get the password unless the auth function will do it for us */
- nil_pw = 0;
#ifdef AUTH_STANDALONE
p = prompt;
#else
p = (char *) tgetpass(prompt, def_passwd_timeout * 60,
tgetpass_flags);
- if (!p || *p == '\0')
- nil_pw = 1;
#endif /* AUTH_STANDALONE */
/* Call authentication functions. */
goto cleanup;
}
#ifndef AUTH_STANDALONE
- if (p)
- zero_bytes(p, strlen(p));
+ if (p == NULL)
+ break;
+ zero_bytes(p, strlen(p));
#endif
-
- /* Exit loop on nil password, but give it a chance to match first. */
- if (nil_pw) {
- if (counter == def_passwd_tries)
- exit(1);
- else
- break;
- }
-
- pass_warn(stderr);
+ if (!ISSET(tgetpass_flags, TGP_ASKPASS))
+ pass_warn(stderr);
}
cleanup:
set_perms(PERM_USER);
status = (auth->cleanup)(pw, auth);
- if (status == AUTH_FATAL) /* XXX log */
+ if (status == AUTH_FATAL) { /* XXX log */
+#ifdef HAVE_BSM_AUDIT
+ audit_failure(NewArgv, "authentication failure");
+#endif
exit(1); /* assume error msg already printed */
+ }
if (NEEDS_USER(auth))
set_perms(PERM_ROOT);
case AUTH_SUCCESS:
(void) sigaction(SIGTSTP, &osa, NULL);
return;
+ case AUTH_INTR:
case AUTH_FAILURE:
- if (def_mail_badpass || def_mail_always)
- flags = 0;
- else
- flags = NO_MAIL;
- log_error(flags, "%d incorrect password attempt%s",
- def_passwd_tries - counter,
- (def_passwd_tries - counter == 1) ? "" : "s");
+ if (counter != def_passwd_tries) {
+ if (def_mail_badpass || def_mail_always)
+ flags = 0;
+ else
+ flags = NO_MAIL;
+#ifdef HAVE_BSM_AUDIT
+ audit_failure(NewArgv, "authentication failure");
+#endif
+ log_error(flags, "%d incorrect password attempt%s",
+ def_passwd_tries - counter,
+ (def_passwd_tries - counter == 1) ? "" : "s");
+ }
+ /* FALLTHROUGH */
case AUTH_FATAL:
+#ifdef HAVE_BSM_AUDIT
+ audit_failure(NewArgv, "authentication failure");
+#endif
exit(1);
}
/* NOTREACHED */