mirror of
https://github.com/slicer69/doas
synced 2024-10-04 15:10:15 +00:00
This is the initial port of doas to FreeBSD. It compiles, installs and works.
Could probably use a clean-up, but this code is functional on FreeBSD 10.3.
This commit is contained in:
parent
cb8d475985
commit
d55af6cdf4
36
Makefile
Normal file
36
Makefile
Normal file
|
@ -0,0 +1,36 @@
|
|||
CC?=clang
|
||||
YC?=yacc
|
||||
BIN=doas
|
||||
PREFIX?=/usr/local
|
||||
OBJECTS=doas.o env.o execvpe.o reallocarr.o y.tab.o
|
||||
CFLAG+= -DUSE_PAM
|
||||
LFLAG+= -lpam
|
||||
|
||||
all: $(OBJECTS)
|
||||
$(CC) -o $(BIN) $(LFLAG) $(OBJECTS)
|
||||
|
||||
env.o: doas.h env.c
|
||||
$(CC) -c env.c
|
||||
|
||||
execvpe.o: doas.h execvpe.c
|
||||
$(CC) -c execvpe.c
|
||||
|
||||
doas.o: doas.h doas.c parse.y
|
||||
$(CC) $(CFLAG) -c doas.c
|
||||
|
||||
reallocarr.o: reallocarr.c doas.h
|
||||
$(CC) -c reallocarr.c
|
||||
|
||||
y.tab.o: parse.y
|
||||
$(YC) parse.y
|
||||
$(CC) -c y.tab.c
|
||||
|
||||
install: all
|
||||
cp $(BIN) $(PREFIX)/bin/
|
||||
chmod 4755 $(PREFIX)/bin/$(BIN)
|
||||
cp doas.1 $(PREFIX)/man/man1/
|
||||
cp doas.conf.5 $(PREFIX)/man/man5/
|
||||
|
||||
clean:
|
||||
rm -f $(BIN) $(OBJECTS) y.tab.c
|
||||
|
111
doas.c
111
doas.c
|
@ -18,9 +18,15 @@
|
|||
#include <sys/types.h>
|
||||
#include <sys/stat.h>
|
||||
|
||||
#if defined(HAVE_INTTYPES_H)
|
||||
#include <inttypes.h>
|
||||
#endif
|
||||
|
||||
#include <limits.h>
|
||||
/*
|
||||
#include <login_cap.h>
|
||||
#include <bsd_auth.h>
|
||||
*/
|
||||
#include <readpassphrase.h>
|
||||
#include <string.h>
|
||||
#include <stdio.h>
|
||||
|
@ -32,9 +38,24 @@
|
|||
#include <syslog.h>
|
||||
#include <errno.h>
|
||||
|
||||
#if defined(HAVE_LOGIN_CAP_H)
|
||||
#include <login_cap.h>
|
||||
#endif
|
||||
|
||||
#if defined(USE_BSD_AUTH)
|
||||
#include <bsd_auth.h>
|
||||
#endif
|
||||
|
||||
#if defined(USE_PAM)
|
||||
#include <security/pam_appl.h>
|
||||
#include <security/openpam.h>
|
||||
|
||||
static struct pam_conv pamc = { openpam_ttyconv, NULL };
|
||||
#endif
|
||||
|
||||
#include "doas.h"
|
||||
|
||||
static void __dead
|
||||
static void
|
||||
usage(void)
|
||||
{
|
||||
fprintf(stderr, "usage: doas [-ns] [-a style] [-C config] [-u user]"
|
||||
|
@ -182,7 +203,7 @@ parseconfig(const char *filename, int checkperms)
|
|||
exit(1);
|
||||
}
|
||||
|
||||
static void __dead
|
||||
static void
|
||||
checkconfig(const char *confpath, int argc, char **argv,
|
||||
uid_t uid, gid_t *groups, int ngroups, uid_t target)
|
||||
{
|
||||
|
@ -230,8 +251,10 @@ main(int argc, char **argv)
|
|||
|
||||
setprogname("doas");
|
||||
|
||||
/*
|
||||
if (pledge("stdio rpath getpw tty proc exec id", NULL) == -1)
|
||||
err(1, "pledge");
|
||||
*/
|
||||
|
||||
closefrom(STDERR_FILENO + 1);
|
||||
|
||||
|
@ -295,7 +318,13 @@ main(int argc, char **argv)
|
|||
exit(1); /* fail safe */
|
||||
}
|
||||
|
||||
parseconfig("/etc/doas.conf", 1);
|
||||
#if defined(USE_PAM)
|
||||
pam_handle_t *pamh = NULL;
|
||||
int pam_err;
|
||||
int pam_silent = PAM_SILENT;
|
||||
#endif
|
||||
|
||||
parseconfig("/usr/local/etc/doas.conf", 1);
|
||||
|
||||
/* cmdline is used only for logging, no need to abort on truncate */
|
||||
(void) strlcpy(cmdline, argv[0], sizeof(cmdline));
|
||||
|
@ -315,6 +344,7 @@ main(int argc, char **argv)
|
|||
}
|
||||
|
||||
if (!(rule->options & NOPASS)) {
|
||||
#if defined(USE_BSD_AUTH)
|
||||
char *challenge = NULL, *response, rbuf[1024], cbuf[128];
|
||||
auth_session_t *as;
|
||||
|
||||
|
@ -325,7 +355,7 @@ main(int argc, char **argv)
|
|||
&challenge)))
|
||||
errx(1, "Authorization failed");
|
||||
if (!challenge) {
|
||||
char host[HOST_NAME_MAX + 1];
|
||||
char host[MAXHOSTNAME + 1];
|
||||
if (gethostname(host, sizeof(host)))
|
||||
snprintf(host, sizeof(host), "?");
|
||||
snprintf(cbuf, sizeof(cbuf),
|
||||
|
@ -345,30 +375,95 @@ main(int argc, char **argv)
|
|||
errc(1, EPERM, NULL);
|
||||
}
|
||||
explicit_bzero(rbuf, sizeof(rbuf));
|
||||
#elif defined(USE_PAM)
|
||||
#define PAM_END(msg) do { \
|
||||
syslog(LOG_ERR, "%s: %s", msg, pam_strerror(pamh, pam_err)); \
|
||||
warnx("%s: %s", msg, pam_strerror(pamh, pam_err)); \
|
||||
pam_end(pamh, pam_err); \
|
||||
exit(EXIT_FAILURE); \
|
||||
} while (/*CONSTCOND*/0)
|
||||
|
||||
pam_err = pam_start("doas", myname, &pamc, &pamh);
|
||||
if (pam_err != PAM_SUCCESS) {
|
||||
if (pamh != NULL)
|
||||
PAM_END("pam_start");
|
||||
syslog(LOG_ERR, "pam_start failed: %s",
|
||||
pam_strerror(pamh, pam_err));
|
||||
errx(EXIT_FAILURE, "pam_start failed");
|
||||
}
|
||||
|
||||
switch (pam_err = pam_authenticate(pamh, pam_silent)) {
|
||||
case PAM_SUCCESS:
|
||||
switch (pam_err = pam_acct_mgmt(pamh, pam_silent)) {
|
||||
case PAM_SUCCESS:
|
||||
break;
|
||||
|
||||
case PAM_NEW_AUTHTOK_REQD:
|
||||
pam_err = pam_chauthtok(pamh,
|
||||
pam_silent|PAM_CHANGE_EXPIRED_AUTHTOK);
|
||||
if (pam_err != PAM_SUCCESS)
|
||||
PAM_END("pam_chauthtok");
|
||||
break;
|
||||
|
||||
case PAM_AUTH_ERR:
|
||||
case PAM_USER_UNKNOWN:
|
||||
case PAM_MAXTRIES:
|
||||
syslog(LOG_AUTHPRIV | LOG_NOTICE,
|
||||
"failed auth for %s", myname);
|
||||
break;
|
||||
|
||||
default:
|
||||
PAM_END("pam_acct_mgmt");
|
||||
break;
|
||||
}
|
||||
break;
|
||||
|
||||
case PAM_AUTH_ERR:
|
||||
case PAM_USER_UNKNOWN:
|
||||
case PAM_MAXTRIES:
|
||||
syslog(LOG_AUTHPRIV | LOG_NOTICE,
|
||||
"failed auth for %s", myname);
|
||||
break;
|
||||
|
||||
default:
|
||||
PAM_END("pam_authenticate");
|
||||
break;
|
||||
}
|
||||
pam_end(pamh, pam_err);
|
||||
#else
|
||||
#error No auth module!
|
||||
#endif
|
||||
|
||||
}
|
||||
|
||||
/*
|
||||
if (pledge("stdio rpath getpw exec id", NULL) == -1)
|
||||
err(1, "pledge");
|
||||
|
||||
*/
|
||||
pw = getpwuid(target);
|
||||
if (!pw)
|
||||
errx(1, "no passwd entry for target");
|
||||
|
||||
#if defined(HAVE_LOGIN_CAP_H)
|
||||
if (setusercontext(NULL, pw, target, LOGIN_SETGROUP |
|
||||
LOGIN_SETPRIORITY | LOGIN_SETRESOURCES | LOGIN_SETUMASK |
|
||||
LOGIN_SETUSER) != 0)
|
||||
errx(1, "failed to set user context for target");
|
||||
|
||||
#endif
|
||||
/*
|
||||
if (pledge("stdio rpath exec", NULL) == -1)
|
||||
err(1, "pledge");
|
||||
*/
|
||||
|
||||
if (getcwd(cwdpath, sizeof(cwdpath)) == NULL)
|
||||
cwd = "(failed)";
|
||||
else
|
||||
cwd = cwdpath;
|
||||
|
||||
if (pledge("stdio exec", NULL) == -1)
|
||||
/*
|
||||
if (pledge("stdio exec", NULL) == -1)
|
||||
err(1, "pledge");
|
||||
*/
|
||||
|
||||
syslog(LOG_AUTHPRIV | LOG_INFO, "%s ran command %s as %s from %s",
|
||||
myname, cmdline, pw->pw_name, cwd);
|
||||
|
@ -383,4 +478,4 @@ main(int argc, char **argv)
|
|||
if (errno == ENOENT)
|
||||
errx(1, "%s: command not found", cmd);
|
||||
err(1, "%s", cmd);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -20,7 +20,7 @@
|
|||
.Nm doas.conf
|
||||
.Nd doas configuration file
|
||||
.Sh SYNOPSIS
|
||||
.Nm /etc/doas.conf
|
||||
.Nm /usr/local/etc/doas.conf
|
||||
.Sh DESCRIPTION
|
||||
The
|
||||
.Xr doas 1
|
||||
|
@ -139,4 +139,4 @@ The
|
|||
configuration file first appeared in
|
||||
.Ox 5.8 .
|
||||
.Sh AUTHORS
|
||||
.An Ted Unangst Aq Mt tedu@openbsd.org
|
||||
.An Ted Unangst Aq Mt tedu@openbsd.org
|
||||
|
|
17
doas.h
17
doas.h
|
@ -21,4 +21,19 @@ char **prepenv(struct rule *);
|
|||
#define DENY 2
|
||||
|
||||
#define NOPASS 0x1
|
||||
#define KEEPENV 0x2
|
||||
#define KEEPENV 0x2
|
||||
|
||||
#ifndef _PW_NAME_LEN
|
||||
#define _PW_NAME_LEN 32
|
||||
#endif
|
||||
|
||||
#if !defined(HAVE_REALLOCARRAY) && !defined(HAVE_REALLOCARR)
|
||||
int reallocarr(void *ptr, size_t num, size_t size);
|
||||
#endif /* !HAVE_REALLOCARRAY && !HAVE_REALLOCARR */
|
||||
|
||||
|
||||
|
||||
#if !defined(HAVE_EXECVPE)
|
||||
int execvpe(const char *file, char * const *argv, char * const *envp);
|
||||
#endif /* !HAVE_EXECVPE */
|
||||
|
||||
|
|
5
env.c
5
env.c
|
@ -95,7 +95,8 @@ flattenenv(struct env *env)
|
|||
struct envnode *node;
|
||||
u_int i;
|
||||
|
||||
envp = reallocarray(NULL, env->count + 1, sizeof(char *));
|
||||
// envp = reallocarray(NULL, env->count + 1, sizeof(char *));
|
||||
envp = realloc(NULL, (env->count + 1) * sizeof(char *));
|
||||
if (!envp)
|
||||
err(1, NULL);
|
||||
i = 0;
|
||||
|
@ -177,4 +178,4 @@ prepenv(struct rule *rule)
|
|||
env = createenv(environ);
|
||||
env = filterenv(env, rule);
|
||||
return flattenenv(env);
|
||||
}
|
||||
}
|
||||
|
|
46
execvpe.c
Normal file
46
execvpe.c
Normal file
|
@ -0,0 +1,46 @@
|
|||
/*-
|
||||
* Copyright (C) 2015 NONAKA Kimihiro <nonakap@gmail.com>
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
||||
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
||||
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
||||
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
||||
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
||||
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#include <unistd.h>
|
||||
|
||||
#include "doas.h"
|
||||
|
||||
#if !defined(HAVE_EXECVPE)
|
||||
|
||||
extern char **environ;
|
||||
|
||||
int
|
||||
execvpe(const char *file, char * const *argv, char * const *envp)
|
||||
{
|
||||
char **oldenvp = environ;
|
||||
int error;
|
||||
|
||||
environ = (char **)(long)envp; /* XXX */
|
||||
error = execvp(file, argv);
|
||||
environ = oldenvp;
|
||||
return error;
|
||||
}
|
||||
|
||||
#endif /* !HAVE_EXECVPE */
|
14
parse.y
14
parse.y
|
@ -84,8 +84,10 @@ rule: action ident target cmd {
|
|||
maxrules = 63;
|
||||
else
|
||||
maxrules *= 2;
|
||||
if (!(rules = reallocarray(rules, maxrules,
|
||||
/* if (!(rules = reallocarray(rules, maxrules,
|
||||
sizeof(*rules))))
|
||||
*/
|
||||
if (!(rules = realloc(rules, maxrules * sizeof(*rules))))
|
||||
errx(1, "can't allocate rules");
|
||||
}
|
||||
rules[nrules++] = r;
|
||||
|
@ -125,8 +127,10 @@ envlist: /* empty */ {
|
|||
errx(1, "can't allocate envlist");
|
||||
} | envlist TSTRING {
|
||||
int nenv = arraylen($1.envlist);
|
||||
if (!($$.envlist = reallocarray($1.envlist, nenv + 2,
|
||||
/* if (!($$.envlist = reallocarray($1.envlist, nenv + 2,
|
||||
sizeof(char *))))
|
||||
*/
|
||||
if (!($$.envlist = realloc($1.envlist, (nenv + 2) + sizeof(char*))))
|
||||
errx(1, "can't allocate envlist");
|
||||
$$.envlist[nenv] = $2.str;
|
||||
$$.envlist[nenv + 1] = NULL;
|
||||
|
@ -162,8 +166,10 @@ argslist: /* empty */ {
|
|||
errx(1, "can't allocate args");
|
||||
} | argslist TSTRING {
|
||||
int nargs = arraylen($1.cmdargs);
|
||||
if (!($$.cmdargs = reallocarray($1.cmdargs, nargs + 2,
|
||||
/* if (!($$.cmdargs = reallocarray($1.cmdargs, nargs + 2,
|
||||
sizeof(char *))))
|
||||
*/
|
||||
if (!($$.cmdargs = realloc($1.cmdargs, (nargs + 2) * sizeof(char *))))
|
||||
errx(1, "can't allocate args");
|
||||
$$.cmdargs[nargs] = $2.str;
|
||||
$$.cmdargs[nargs + 1] = NULL;
|
||||
|
@ -322,4 +328,4 @@ eof:
|
|||
if (ferror(yyfp))
|
||||
yyerror("input error reading config");
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
|
72
reallocarr.c
Normal file
72
reallocarr.c
Normal file
|
@ -0,0 +1,72 @@
|
|||
/* NetBSD: reallocarr.c,v 1.2 2015/07/16 00:03:59 kamil Exp */
|
||||
|
||||
/*-
|
||||
* Copyright (c) 2015 Joerg Sonnenberger <joerg@NetBSD.org>.
|
||||
* All rights reserved.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
*
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in
|
||||
* the documentation and/or other materials provided with the
|
||||
* distribution.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
|
||||
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
|
||||
* COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
|
||||
* INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING,
|
||||
* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
||||
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
|
||||
* AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
|
||||
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
|
||||
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#include <errno.h>
|
||||
/* Old POSIX has SIZE_MAX in limits.h */
|
||||
#include <limits.h>
|
||||
#include <stdint.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
|
||||
#include "doas.h"
|
||||
|
||||
#if !defined(HAVE_REALLOCARR) && !defined(HAVE_REALLOCARRAY)
|
||||
|
||||
int
|
||||
reallocarr(void *ptr, size_t num, size_t size)
|
||||
{
|
||||
int saved_errno, result;
|
||||
void *optr;
|
||||
void *nptr;
|
||||
|
||||
saved_errno = errno;
|
||||
memcpy(&optr, ptr, sizeof(ptr));
|
||||
if (num == 0 || size == 0) {
|
||||
free(optr);
|
||||
nptr = NULL;
|
||||
memcpy(ptr, &nptr, sizeof(ptr));
|
||||
errno = saved_errno;
|
||||
return 0;
|
||||
}
|
||||
if ((num >= 65535 || size >= 65535) && num > SIZE_MAX / size)
|
||||
return EOVERFLOW;
|
||||
nptr = realloc(optr, num * size);
|
||||
if (nptr == NULL) {
|
||||
result = errno;
|
||||
} else {
|
||||
result = 0;
|
||||
memcpy(ptr, &nptr, sizeof(ptr));
|
||||
}
|
||||
errno = saved_errno;
|
||||
return result;
|
||||
}
|
||||
|
||||
#endif
|
Loading…
Reference in a new issue