author | Todd C. Miller <Todd.Miller@sudo.ws> | 2023-05-04 13:06:09 -0600 |
---|---|---|
committer | Todd C. Miller <Todd.Miller@sudo.ws> | 2023-05-04 13:06:09 -0600 |
commit | eb96cfe459a08537811631911688148915b61fff (patch) | |
tree | 57e51fb4b2f979d3331d5f990f822df776939929 | |
parent | edde95eb4272efa35f20389442342255a4823296 (diff) | |
Make login_style private to bsdauth.c
Add a setter for policy.c to handle auth_type from the front-end.
-rw-r--r-- | plugins/sudoers/auth/bsdauth.c | 48 | ||||
-rw-r--r-- | plugins/sudoers/auth/sudo_auth.h | 1 | ||||
-rw-r--r-- | plugins/sudoers/policy.c | 8 | ||||
-rw-r--r-- | plugins/sudoers/regress/fuzz/fuzz_policy.c | 9 | ||||
-rw-r--r-- | plugins/sudoers/sudoers.h | 1 |
5 files changed, 41 insertions, 26 deletions
diff --git a/plugins/sudoers/auth/bsdauth.c b/plugins/sudoers/auth/bsdauth.c
index 2d972887d..f887a07d0 100644
--- a/plugins/sudoers/auth/bsdauth.c
+++ b/plugins/sudoers/auth/bsdauth.c
@@ -54,6 +54,8 @@ struct bsdauth_state {
     login_cap_t *lc;
 };
 
+static char *login_style; /* user may set style via -a option */
+
 int
 bsdauth_init(struct passwd *pw, sudo_auth *auth)
 {
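Review bot: The comment on the new `static char *login_style` (`user may set style via -a option`) only names where the value originates; in this file the variable is written from outside through bsdauth_set_style() and then overwritten in bsdauth_init() with the pointer returned by login_getstyle(), which is also what validates the user-supplied value (a NULL result is reported as `invalid authentication type`). A comment stating both roles saves the next reader from tracing that flow, e.g. `/* requested style, set via bsdauth_set_style() (-a / bsdauth_type=); replaced in bsdauth_init() by the style resolved through login_getstyle() */`. The struct definition the hunk context shows starts outside the hunk.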
@@ -65,42 +67,42 @@ bsdauth_init(struct passwd *pw, sudo_auth *auth)
         debug_return_int(AUTH_SUCCESS);
 
     /* Get login class based on auth user, which may not be invoking user. */
-    if (pw->pw_class && *pw->pw_class)
+    if (pw->pw_class && *pw->pw_class) {
         state.lc = login_getclass(pw->pw_class);
-    else
-        state.lc = login_getclass(pw->pw_uid ? (char *)LOGIN_DEFCLASS : (char *)LOGIN_DEFROOTCLASS);
-    if (state.lc == NULL) {
-        log_warning(0,
-            N_("unable to get login class for user %s"), pw->pw_name);
-        debug_return_int(AUTH_FATAL);
+    } else {
+        state.lc = login_getclass(
+            pw->pw_uid ? (char *)LOGIN_DEFCLASS : (char *)LOGIN_DEFROOTCLASS);
     }
-
-    if ((state.as = auth_open()) == NULL) {
-        log_warning(0, N_("unable to begin bsd authentication"));
-        login_close(state.lc);
-        debug_return_int(AUTH_FATAL);
+    if (state.lc == NULL) {
+        log_warning(0, N_("unable to get login class for user %s"),
+            pw->pw_name);
+        goto bad;
     }
 
-    /* XXX - maybe check the auth style earlier? */
     login_style = login_getstyle(state.lc, login_style, (char *)"auth-sudo");
     if (login_style == NULL) {
         log_warningx(0, N_("invalid authentication type"));
-        auth_close(state.as);
-        login_close(state.lc);
-        debug_return_int(AUTH_FATAL);
+        goto bad;
     }
 
-    if (auth_setitem(state.as, AUTHV_STYLE, login_style) < 0 ||
+    if ((state.as = auth_open()) == NULL) {
+        log_warning(0, N_("unable to begin BSD authentication"));
+        goto bad;
+    }
+
+    if (auth_setitem(state.as, AUTHV_STYLE, login_style) < 0 ||
         auth_setitem(state.as, AUTHV_NAME, pw->pw_name) < 0 ||
         auth_setitem(state.as, AUTHV_CLASS, login_class) < 0) {
         log_warningx(0, N_("unable to initialize BSD authentication"));
-        auth_close(state.as);
-        login_close(state.lc);
-        debug_return_int(AUTH_FATAL);
+        goto bad;
     }
 
     auth->data = (void *) &state;
     debug_return_int(AUTH_SUCCESS);
+bad:
+    auth_close(state.as);
+    login_close(state.lc);
+    debug_return_int(AUTH_FATAL);
 }
 
 int
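Review bot: The new `bad:` label calls `auth_close(state.as)` on every failure path, including the two that jump there before `auth_open()` is reached (the login-class and login-style checks), so at that point `state.as` is either still NULL on a first call or, if `state` is the file-scope object that `auth->data = (void *) &state` suggests, a pointer left over from an earlier session. Whether `auth_close()` and `login_close()` tolerate a NULL argument is not visible here, and a stale pointer would mean closing a session twice, so guarding both calls and clearing the fields keeps the cleanup independent of how far initialisation got. The old code only closed what had actually been opened on each path. The start of bsdauth_init() is outside the hunk.
```c
bad:
    if (state.as != NULL) {
        auth_close(state.as);
        state.as = NULL;
    }
    if (state.lc != NULL) {
        login_close(state.lc);
        state.lc = NULL;
    }
    debug_return_int(AUTH_FATAL);
```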
@@ -209,4 +211,10 @@ bsdauth_cleanup(struct passwd *pw, sudo_auth *auth, bool force)
     debug_return_int(AUTH_SUCCESS);
 }
 
+void
+bsdauth_set_style(const char *style)
+{
+    login_style = (char *)style;
+}
+
 #endif /* HAVE_BSD_AUTH_H */
diff --git a/plugins/sudoers/auth/sudo_auth.h b/plugins/sudoers/auth/sudo_auth.h
index 031810466..70979b4b9 100644
--- a/plugins/sudoers/auth/sudo_auth.h
+++ b/plugins/sudoers/auth/sudo_auth.h
@@ -63,6 +63,7 @@ int bsdauth_init(struct passwd *pw, sudo_auth *auth);
 int bsdauth_verify(struct passwd *pw, const char *prompt, sudo_auth *auth, struct sudo_conv_callback *callback);
 int bsdauth_approval(struct passwd *pw, sudo_auth *auth, bool exempt);
 int bsdauth_cleanup(struct passwd *pw, sudo_auth *auth, bool force);
+void bsdauth_set_style(const char *style);
 int sudo_aix_init(struct passwd *pw, sudo_auth *auth);
 int sudo_aix_verify(struct passwd *pw, const char *pass, sudo_auth *auth, struct sudo_conv_callback *callback);
 int sudo_aix_cleanup(struct passwd *pw, sudo_auth *auth, bool force);
diff --git a/plugins/sudoers/policy.c b/plugins/sudoers/policy.c
index 34fa0e306..1487118b9 100644
--- a/plugins/sudoers/policy.c
+++ b/plugins/sudoers/policy.c
@@ -37,6 +37,7 @@
 #include "sudoers.h"
 #include "sudoers_version.h"
 #include "interfaces.h"
+#include "auth/sudo_auth.h"
 
 static char **command_info;
 
@@ -62,10 +63,6 @@ int sudoedit_nfiles;
 
 extern sudo_dso_public struct policy_plugin sudoers_policy;
 
-#ifdef HAVE_BSD_AUTH_H
-char *login_style;
-#endif /* HAVE_BSD_AUTH_H */
-
 static int
 parse_bool(const char *line, int varlen, int *flags, int fval)
 {
@@ -349,7 +346,8 @@ sudoers_policy_deserialize_info(void *v, struct defaults_list *defaults)
 #ifdef HAVE_BSD_AUTH_H
     if (MATCHES(*cur, "bsdauth_type=")) {
         CHECK(*cur, "bsdauth_type=");
-        login_style = *cur + sizeof("bsdauth_type=") - 1;
+        p = *cur + sizeof("bsdauth_type=") - 1;
+        bsdauth_set_style(p);
         continue;
     }
 #endif /* HAVE_BSD_AUTH_H */
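Review bot: bsdauth_set_style() keeps the caller's pointer as-is (`login_style = (char *)style;`) rather than copying the string, so the `bsdauth_type=` value that policy.c hands over in sudoers_policy_deserialize_info() must remain valid until bsdauth_init() has passed it to login_getstyle(); neither the definition nor the new prototype in sudo_auth.h records that contract. Suggest on the declaration: `/* Record the requested login style; the pointer is retained, not copied, and must outlive bsdauth_init(). */`. The cast discards the const the prototype promises, presumably because login_getstyle() takes a `char *` (the `(char *)"auth-sudo"` cast in bsdauth_init() points the same way); a one-line comment saying so would stop it being read as an oversight.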
diff --git a/plugins/sudoers/regress/fuzz/fuzz_policy.c b/plugins/sudoers/regress/fuzz/fuzz_policy.c
index 05cbd54e5..02cb59f29 100644
--- a/plugins/sudoers/regress/fuzz/fuzz_policy.c
+++ b/plugins/sudoers/regress/fuzz/fuzz_policy.c
@@ -42,6 +42,7 @@
 #include "sudo_iolog.h"
 #include "interfaces.h"
 #include "check.h"
+#include "auth/sudo_auth.h"
 
 extern char **environ;
 extern sudo_dso_public struct policy_plugin sudoers_policy;
@@ -889,3 +890,11 @@ cb_group_plugin(const char *file, int line, int column,
 {
     return true;
 }
+
+/* STUB */
+void
+bsdauth_set_style(const char *style)
+{
+    return;
+}
+
diff --git a/plugins/sudoers/sudoers.h b/plugins/sudoers/sudoers.h
index 392efb248..02168367d 100644
--- a/plugins/sudoers/sudoers.h
+++ b/plugins/sudoers/sudoers.h
@@ -324,7 +324,6 @@ int pam_prep_user(struct passwd *);
 
 /* gram.y */
 int sudoersparse(void);
-extern char *login_style;
 extern bool parse_error;
 extern bool sudoers_recovery;
 extern bool sudoers_strict;
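Review bot: The stub `bsdauth_set_style()` added to fuzz_policy.c has a bare `return;` as its only statement and never references `style`, which will trip -Wunused-parameter if the fuzz build enables it. Replacing the `return;` with `(void)style;` silences that and documents that the parameter is deliberately ignored; the `/* STUB */` marker can stay.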