[doas.git] / bsd-auth.c
1 /*
2 * Copyright (c) 2015 Ted Unangst <tedu@openbsd.org>
3 * Copyright (c) 2021-2022 Sergey Sushilin <sergeysushilin@protonmail.com>
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 #include <bsd_auth.h>
19 #include <readpassphrase.h>
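/*
 * Authenticate the invoking user through BSD Authentication before doas
 * runs the requested command.
 *
 * doas_prompt  prompt shown when the login style supplies no challenge
 * name         user to authenticate
 * login_style  authentication style handed to auth_userchallenge()
 * persist      when true, a still-valid verified-auth mark on the
 *              controlling tty (TIOCCHKVERAUTH) is accepted instead of a
 *              passphrase, and the mark is re-armed for five minutes
 *              once authentication has succeeded
 *
 * Returns only on success; every failure path exits through errx()/errc().
 */
void authuser(char const *doas_prompt, char const *restrict name, char const *restrict login_style, bool persist)
{
	char *challenge = NULL, *response, rbuf[1024];
	char const *prompt;
	auth_session_t *as;
	int fd = -1;

	if (persist)
		fd = open(_PATH_TTY, O_RDWR);

	/* A successful check on the controlling tty skips the prompt entirely. */
	if (fd >= 0 && ioctl(fd, TIOCCHKVERAUTH) == 0)
		goto good;

	if ((as = auth_userchallenge(name, login_style, "auth-doas", &challenge)) == NULL)
		errx(EXIT_FAILURE, "Authorization failed");

	/*
	 * Keep the fallback prompt in a const-qualified pointer instead of
	 * storing doas_prompt in the non-const challenge variable.
	 */
	prompt = challenge != NULL ? challenge : doas_prompt;

	response = readpassphrase(prompt, rbuf, sizeof(rbuf), RPP_REQUIRE_TTY);

	if (response == NULL && errno == ENOTTY) {
		syslog(LOG_AUTHPRIV | LOG_NOTICE, "tty required for %s", name);
		errx(EXIT_FAILURE, "a tty is required");
	}

	/*
	 * NOTE(review): any other readpassphrase() failure reaches
	 * auth_userresponse() with response == NULL; confirm that the
	 * library rejects it rather than treating it as an empty passphrase.
	 */
	if (!auth_userresponse(as, response, 0)) {
		/*
		 * Wipe the typed passphrase on the failure path as well, so it
		 * is not left in memory while the process logs and exits.
		 */
		explicit_bzero(rbuf, sizeof(rbuf));
		syslog(LOG_AUTHPRIV | LOG_NOTICE, "failed auth for %s", name);
		errc(EXIT_FAILURE, EPERM, "auth_userresponse");
	}

	explicit_bzero(rbuf, sizeof(rbuf));

good:
	if (fd >= 0) {
		int secs = 5 * 60;

		/* Best effort: a failed ioctl only means the next call prompts again. */
		ioctl(fd, TIOCSETVERAUTH, &secs);
		close(fd);
	}
}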