|
|
|
|
@ -41,6 +41,7 @@ |
|
|
|
|
#include <signal.h> |
|
|
|
|
#include <time.h> |
|
|
|
|
#include <fcntl.h> |
|
|
|
|
#include <syslog.h> |
|
|
|
|
|
|
|
|
|
#if !defined(_XOPEN_CRYPT) || _XOPEN_CRYPT == -1 |
|
|
|
|
#include <crypt.h> |
|
|
|
|
@ -51,6 +52,7 @@ |
|
|
|
|
#endif |
|
|
|
|
|
|
|
|
|
#define MAX_HASH 1024 |
|
|
|
|
#define PASS_MAX 1024 |
|
|
|
|
#define CONF_LINE_MAX 1024 |
|
|
|
|
#define GROUPS_MAX 256 |
|
|
|
|
#define STR_MAX 1024 |
|
|
|
|
@ -85,7 +87,7 @@ struct user_info { |
|
|
|
|
static void *emalloc(size_t); |
|
|
|
|
static char *estrdup(const char *); |
|
|
|
|
void *erealloc(void *, size_t); |
|
|
|
|
static void usage(void); |
|
|
|
|
static void usage(int); |
|
|
|
|
static void die(const char *, ...); |
|
|
|
|
static int perm_set(struct passwd *, struct group *); |
|
|
|
|
static int authenticate(uid_t, int, int); |
|
|
|
|
@ -104,7 +106,7 @@ int main(int argc, char *argv[]) |
|
|
|
|
struct user_info t_gr_info = {0}, t_pw_info = {0}; |
|
|
|
|
int opt, err; |
|
|
|
|
int shellflag = 0, envflag = 0, askpass = 0; |
|
|
|
|
while ((opt = getopt(argc, argv, "Au:g:C:se")) != -1) { |
|
|
|
|
while ((opt = getopt(argc, argv, "Au:g:C:seh")) != -1) { |
|
|
|
|
switch (opt) { |
|
|
|
|
case 'A': |
|
|
|
|
askpass = 1; |
|
|
|
|
@ -124,8 +126,12 @@ int main(int argc, char *argv[]) |
|
|
|
|
case 'e': |
|
|
|
|
envflag = 1; |
|
|
|
|
break; |
|
|
|
|
case 'h': |
|
|
|
|
usage(1); |
|
|
|
|
exit(EXIT_SUCCESS); |
|
|
|
|
break; |
|
|
|
|
case '?': |
|
|
|
|
usage(); |
|
|
|
|
usage(0); |
|
|
|
|
exit(EINVAL); |
|
|
|
|
break; |
|
|
|
|
} |
|
|
|
|
@ -242,8 +248,18 @@ int main(int argc, char *argv[]) |
|
|
|
|
|
|
|
|
|
/* Authenticate, we will be root from now on */ |
|
|
|
|
if (!(conf_flags & FLAG_NOPASS)) |
|
|
|
|
if (authenticate(my_pw->pw_uid, askpass, conf_flags & FLAG_PERSIST)) |
|
|
|
|
if (authenticate(my_pw->pw_uid, askpass, conf_flags & FLAG_PERSIST)) { |
|
|
|
|
if (!(conf_flags & FLAG_NOLOG)) |
|
|
|
|
exit(EXIT_FAILURE); |
|
|
|
|
char cmd[1024] = {0}; |
|
|
|
|
for (int i = optind, x = 0; argv[i] && x < 1024; i++) |
|
|
|
|
x += snprintf(cmd, 1024-x, "%s ", argv[i]); |
|
|
|
|
openlog("us", LOG_NOWAIT, LOG_AUTH); |
|
|
|
|
syslog(LOG_NOTICE, "user %s tried to run %s as %s" |
|
|
|
|
"but failed", my_name, cmd, t_pw->pw_name); |
|
|
|
|
closelog(); |
|
|
|
|
exit(EXIT_FAILURE); |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
/* Get target user's shell */ |
|
|
|
|
if (!shellflag) |
|
|
|
|
@ -333,6 +349,15 @@ int main(int argc, char *argv[]) |
|
|
|
|
goto fail_end; |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
if (!(conf_flags & FLAG_NOLOG)) { |
|
|
|
|
char cmd[1024] = {0}; |
|
|
|
|
for (int i = 0, x = 0; c_argv[i] && x < 1024; i++) |
|
|
|
|
x += snprintf(cmd, 1024-x, "%s ", c_argv[i]); |
|
|
|
|
openlog("us", LOG_NOWAIT, LOG_AUTH); |
|
|
|
|
syslog(LOG_INFO, "user %s ran %s as %s", my_name, cmd, t_pw->pw_name); |
|
|
|
|
closelog(); |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
/* Execute the command */ |
|
|
|
|
err = execvp(c_argv[0], c_argv); |
|
|
|
|
if (err == -1) |
|
|
|
|
@ -347,17 +372,18 @@ int main(int argc, char *argv[]) |
|
|
|
|
return errno; |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
static inline void usage(void) |
|
|
|
|
static inline void usage(int complete) |
|
|
|
|
{ |
|
|
|
|
// TODO: planned options
|
|
|
|
|
// -a [program]: like sudo's askpass
|
|
|
|
|
// -u [user]: change the default user from root to user
|
|
|
|
|
// -g [group]: change the primary group to [gorup]
|
|
|
|
|
// both -a and -g will accept numbers with #[num] like sudo
|
|
|
|
|
// -c [file]: manually select config file
|
|
|
|
|
// something about environment
|
|
|
|
|
// something about non interactiveness
|
|
|
|
|
printf("usage: us [-seA] [-u user] [-g group] [-C config] command [args]\n"); |
|
|
|
|
printf("usage: us [-hseA] [-u user] [-g group] [-C config] command [args]\n"); |
|
|
|
|
if (!complete) |
|
|
|
|
return; |
|
|
|
|
printf("-h print this message\n" |
|
|
|
|
"-s use the user's shell instead of /bin/sh\n" |
|
|
|
|
"-e keep the user's entire environment\n" |
|
|
|
|
"-A use the command in US_ASKPASS as askpass helper\n" |
|
|
|
|
"-u user set new user to 'user' instead of root\n" |
|
|
|
|
"-s group set new group to 'group'\n" |
|
|
|
|
"-C config use specifi config file\n"); |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
static int perm_set(struct passwd *pw, struct group *gr) |
|
|
|
|
@ -486,7 +512,7 @@ static int authenticate(uid_t uid, int ask, int persist) |
|
|
|
|
|
|
|
|
|
int fd = STDIN_FILENO; |
|
|
|
|
char *askpass = getenv("US_ASKPASS"); |
|
|
|
|
char pass[1024] = {0}; |
|
|
|
|
char pass[PASS_MAX] = {0}; |
|
|
|
|
struct termios tio_before, tio_pass; |
|
|
|
|
if (ask && askpass) { |
|
|
|
|
pid_t pid, parent = getpid(); |
|
|
|
|
@ -532,7 +558,7 @@ static int authenticate(uid_t uid, int ask, int persist) |
|
|
|
|
if (tcsetattr(tty_fd, TCSANOW, &tio_pass) == -1) |
|
|
|
|
die("tcsetattr:"); |
|
|
|
|
} |
|
|
|
|
int r = read(fd, pass, 1023); |
|
|
|
|
int r = read(fd, pass, PASS_MAX-1); |
|
|
|
|
if (!r || r == -1) { |
|
|
|
|
if (errno) |
|
|
|
|
fprintf(stderr, "read: %s\n", strerror(errno)); |
|
|
|
|
@ -543,7 +569,7 @@ static int authenticate(uid_t uid, int ask, int persist) |
|
|
|
|
waitpid(-1, NULL, 0); |
|
|
|
|
exit(EXIT_FAILURE); |
|
|
|
|
} |
|
|
|
|
pass[1023] = '\0'; |
|
|
|
|
pass[PASS_MAX-1] = '\0'; |
|
|
|
|
/* Remove the terminating (if there is) \n in password */ |
|
|
|
|
int l = strlen(pass); |
|
|
|
|
if (pass[l-1] == '\n') |
|
|
|
|
@ -558,8 +584,8 @@ static int authenticate(uid_t uid, int ask, int persist) |
|
|
|
|
|
|
|
|
|
char *enc = crypt(pass, hash); |
|
|
|
|
/* Remove password from memory, just to be sure */ |
|
|
|
|
memset(pass, 0, 1024); |
|
|
|
|
if (strncmp(hash, enc, 1024)) { |
|
|
|
|
memset(pass, 0, PASS_MAX); |
|
|
|
|
if (strncmp(hash, enc, PASS_MAX)) { |
|
|
|
|
printf("Authentication failure\n"); |
|
|
|
|
setuid(uid); |
|
|
|
|
return -1; |
|
|
|
|
|
Alessandro Mauri