diff options
Diffstat (limited to 'plugins/sudoers/auth/aix_auth.c')
-rw-r--r-- | plugins/sudoers/auth/aix_auth.c | 314 |
1 files changed, 314 insertions, 0 deletions
diff --git a/plugins/sudoers/auth/aix_auth.c b/plugins/sudoers/auth/aix_auth.c new file mode 100644 index 0000000..74a3bc9 --- /dev/null +++ b/plugins/sudoers/auth/aix_auth.c @@ -0,0 +1,314 @@ +/* + * SPDX-License-Identifier: ISC + * + * Copyright (c) 1999-2005, 2007-2018 Todd C. Miller <Todd.Miller@sudo.ws> + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + * + * Sponsored in part by the Defense Advanced Research Projects + * Agency (DARPA) and Air Force Research Laboratory, Air Force + * Materiel Command, USAF, under agreement number F39502-99-1-0512. + */ + +/* + * This is an open source non-commercial project. Dear PVS-Studio, please check it. + * PVS-Studio Static Code Analyzer for C, C++ and C#: http://www.viva64.com + */ + +#include <config.h> + +#ifdef HAVE_AIXAUTH + +#include <sys/types.h> +#include <sys/wait.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <unistd.h> +#include <ctype.h> +#include <errno.h> +#include <pwd.h> +#include <signal.h> +#include <usersec.h> + +#include <sudoers.h> +#include "sudo_auth.h" + +/* + * For a description of the AIX authentication API, see + * http://publib16.boulder.ibm.com/doc_link/en_US/a_doc_lib/libs/basetrf1/authenticate.htm + */ + +#ifdef HAVE_PAM +# define AIX_AUTH_UNKNOWN 0 +# define AIX_AUTH_STD 1 +# define AIX_AUTH_PAM 2 + +static int +sudo_aix_authtype(void) +{ + size_t linesize = 0; + ssize_t len; + char *cp, *line = NULL; + bool in_stanza = false; + int authtype = AIX_AUTH_UNKNOWN; + FILE *fp; + debug_decl(sudo_aix_authtype, SUDOERS_DEBUG_AUTH); + + if ((fp = fopen("/etc/security/login.cfg", "r")) == NULL) + debug_return_int(AIX_AUTH_UNKNOWN); + + while ((len = getdelim(&line, &linesize, '\n', fp)) != -1) { + /* First remove comments. */ + if ((cp = strchr(line, '#')) != NULL) { + *cp = '\0'; + len = (ssize_t)(cp - line); + } + + /* Next remove trailing newlines and whitespace. */ + while (len > 0 && isspace((unsigned char)line[len - 1])) + line[--len] = '\0'; + + /* Skip blank lines. */ + if (len == 0) + continue; + + /* Match start of the usw stanza. */ + if (!in_stanza) { + if (strncmp(line, "usw:", 4) == 0) + in_stanza = true; + continue; + } + + /* Check for end of the usw stanza. */ + if (!isblank((unsigned char)line[0])) { + in_stanza = false; + break; + } + + /* Skip leading blanks. */ + cp = line; + do { + cp++; + } while (isblank((unsigned char)*cp)); + + /* Match "auth_type = (PAM_AUTH|STD_AUTH)". */ + if (strncmp(cp, "auth_type", 9) != 0) + continue; + cp += 9; + while (isblank((unsigned char)*cp)) + cp++; + if (*cp++ != '=') + continue; + while (isblank((unsigned char)*cp)) + cp++; + if (strcmp(cp, "PAM_AUTH") == 0) { + authtype = AIX_AUTH_PAM; + break; + } + if (strcmp(cp, "STD_AUTH") == 0) { + authtype = AIX_AUTH_STD; + break; + } + } + free(line); + fclose(fp); + + debug_return_int(authtype); +} +#endif /* HAVE_PAM */ + +int +sudo_aix_init(const struct sudoers_context *ctx, struct passwd *pw, + sudo_auth *auth) +{ + debug_decl(sudo_aix_init, SUDOERS_DEBUG_AUTH); + +#ifdef HAVE_PAM + /* Check auth_type in /etc/security/login.cfg. */ + if (sudo_aix_authtype() == AIX_AUTH_PAM) { + if (sudo_pam_init_quiet(ctx, pw, auth) == AUTH_SUCCESS) { + /* Fail AIX authentication so we can use PAM instead. */ + debug_return_int(AUTH_FAILURE); + } + } +#endif + debug_return_int(AUTH_SUCCESS); +} + +/* Ignore AIX password incorrect message */ +static bool +sudo_aix_valid_message(const char *message) +{ + const char *cp; + const char badpass_msgid[] = "3004-300"; + debug_decl(sudo_aix_valid_message, SUDOERS_DEBUG_AUTH); + + if (message == NULL || message[0] == '\0') + debug_return_bool(false); + + /* Match "3004-300: You entered an invalid login name or password" */ + for (cp = message; *cp != '\0'; cp++) { + if (isdigit((unsigned char)*cp)) { + if (strncmp(cp, badpass_msgid, strlen(badpass_msgid)) == 0) + debug_return_bool(false); + break; + } + } + debug_return_bool(true); +} + +/* + * Change the user's password. If root changes the user's password + * the ADMCHG flag is set on the account (and the user must change + * it again) so we run passwd(1) as the user. This does mean that + * the user will need to re-enter their original password again, + * unlike with su(1). We may consider using pwdadm(1) as root to + * change the password and then clear the flag in the future. + */ +static bool +sudo_aix_change_password(const struct sudoers_context *ctx, const char *user) +{ + struct sigaction sa, savechld; + pid_t child, pid; + bool ret = false; + sigset_t mask; + int status; + debug_decl(sudo_aix_change_password, SUDOERS_DEBUG_AUTH); + + /* Set SIGCHLD handler to default since we call waitpid() below. */ + memset(&sa, 0, sizeof(sa)); + sigemptyset(&sa.sa_mask); + sa.sa_flags = SA_RESTART; + sa.sa_handler = SIG_DFL; + (void) sigaction(SIGCHLD, &sa, &savechld); + + switch (child = sudo_debug_fork()) { + case -1: + /* error */ + sudo_warn("%s", U_("unable to fork")); + break; + case 0: + /* child, run passwd(1) */ + sigemptyset(&mask); + sigaddset(&mask, SIGINT); + sigaddset(&mask, SIGQUIT); + (void) sigprocmask(SIG_UNBLOCK, &mask, NULL); + set_perms(ctx, PERM_USER); + execl("/usr/bin/passwd", "passwd", user, (char *)NULL); + sudo_warn("passwd"); + _exit(127); + /* NOTREACHED */ + default: + /* parent */ + break; + } + + /* Wait for passwd(1) to complete. */ + do { + pid = waitpid(child, &status, 0); + } while (pid == -1 && errno == EINTR); + sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO, + "child (%d) exit value %d", (int)child, status); + if (pid != -1 && WIFEXITED(status) && WEXITSTATUS(status) == 0) + ret = true; + + /* Restore saved SIGCHLD handler. */ + (void) sigaction(SIGCHLD, &savechld, NULL); + + debug_return_bool(ret); +} + +int +sudo_aix_verify(const struct sudoers_context *ctx, struct passwd *pw, + const char *prompt, sudo_auth *auth, struct sudo_conv_callback *callback) +{ + char *pass, *message = NULL; + int result = 1, reenter = 0; + int ret = AUTH_SUCCESS; + debug_decl(sudo_aix_verify, SUDOERS_DEBUG_AUTH); + + if (IS_NONINTERACTIVE(auth)) + debug_return_int(AUTH_NONINTERACTIVE); + + do { + pass = auth_getpass(prompt, SUDO_CONV_PROMPT_ECHO_OFF, callback); + if (pass == NULL) + break; + free(message); + message = NULL; + result = authenticate(pw->pw_name, pass, &reenter, &message); + freezero(pass, strlen(pass)); + prompt = message; + } while (reenter); + + if (result != 0) { + /* Display error message, if any. */ + if (sudo_aix_valid_message(message)) + sudo_printf(SUDO_CONV_ERROR_MSG|SUDO_CONV_PREFER_TTY, + "%s", message); + ret = pass ? AUTH_FAILURE : AUTH_INTR; + } + free(message); + message = NULL; + + /* Check if password expired and allow user to change it if possible. */ + if (ret == AUTH_SUCCESS) { + result = passwdexpired(pw->pw_name, &message); + if (message != NULL && message[0] != '\0') { + int msg_type = SUDO_CONV_PREFER_TTY; + msg_type |= result ? SUDO_CONV_ERROR_MSG : SUDO_CONV_INFO_MSG, + sudo_printf(msg_type, "%s", message); + free(message); + message = NULL; + } + switch (result) { + case 0: + /* password not expired. */ + break; + case 1: + /* password expired, user must change it */ + if (!sudo_aix_change_password(ctx, pw->pw_name)) { + sudo_warnx(U_("unable to change password for %s"), pw->pw_name); + ret = AUTH_ERROR; + } + break; + case 2: + /* password expired, only admin can change it */ + ret = AUTH_ERROR; + break; + default: + /* error (-1) */ + sudo_warn("passwdexpired"); + ret = AUTH_ERROR; + break; + } + } + + debug_return_int(ret); +} + +int +sudo_aix_cleanup(const struct sudoers_context *ctx, struct passwd *pw, + sudo_auth *auth, bool force) +{ + debug_decl(sudo_aix_cleanup, SUDOERS_DEBUG_AUTH); + + /* Unset AUTHSTATE as it may not be correct for the runas user. */ + if (sudo_unsetenv("AUTHSTATE") == -1) + debug_return_int(AUTH_FAILURE); + + debug_return_int(AUTH_SUCCESS); +} + +#endif /* HAVE_AIXAUTH */ |