authortedu <tedu@openbsd.org>2016-09-02 18:12:30 +0000
committertedu <tedu@openbsd.org>2016-09-02 18:12:30 +0000
commit0a39d05f91f952d2642cc6dd87f7a7f4e37bf39c (patch)
tree07bba9d9393f61ec34a942328881b3e9bda88f79
parentadd a concept of 'verified auth' to sessions. When set via ioctl, (diff)
add support for the verified auth ioctls using 'persist' rules.
ok deraadt henning
-rw-r--r--usr.bin/doas/doas.18
-rw-r--r--usr.bin/doas/doas.c34
-rw-r--r--usr.bin/doas/doas.conf.57
-rw-r--r--usr.bin/doas/doas.h3
-rw-r--r--usr.bin/doas/parse.y8
5 files changed, 44 insertions, 16 deletions
diff --git a/usr.bin/doas/doas.1 b/usr.bin/doas/doas.1
index c5b8e00f32c..bbbb901b8d5 100644
--- a/usr.bin/doas/doas.1
+++ b/usr.bin/doas/doas.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: doas.1,v 1.16 2016/06/11 04:38:21 tedu Exp $
+.\" $OpenBSD: doas.1,v 1.17 2016/09/02 18:12:30 tedu Exp $
.\"
.\"Copyright (c) 2015 Ted Unangst <tedu@openbsd.org>
.\"
@@ -13,7 +13,7 @@
.\"WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\"ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\"OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.Dd $Mdocdate: June 11 2016 $
+.Dd $Mdocdate: September 2 2016 $
.Dt DOAS 1
.Os
.Sh NAME
@@ -21,7 +21,7 @@
.Nd execute commands as another user
.Sh SYNOPSIS
.Nm doas
-.Op Fl ns
+.Op Fl Lns
.Op Fl a Ar style
.Op Fl C Ar config
.Op Fl u Ar user
@@ -67,6 +67,8 @@ or
will be printed on standard output, depending on command
matching results.
No command is executed.
+.It Fl L
+Clear any persisted authorizations from previous invocations.
.It Fl n
Non interactive mode, fail if
.Nm
diff --git a/usr.bin/doas/doas.c b/usr.bin/doas/doas.c
index dba81727543..d65beb3e70a 100644
--- a/usr.bin/doas/doas.c
+++ b/usr.bin/doas/doas.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: doas.c,v 1.62 2016/09/01 17:30:52 tedu Exp $ */
+/* $OpenBSD: doas.c,v 1.63 2016/09/02 18:12:30 tedu Exp $ */
/*
* Copyright (c) 2015 Ted Unangst <tedu@openbsd.org>
*
@@ -17,6 +17,7 @@
#include <sys/types.h>
#include <sys/stat.h>
+#include <sys/ioctl.h>
#include <limits.h>
#include <login_cap.h>
@@ -31,13 +32,14 @@
#include <grp.h>
#include <syslog.h>
#include <errno.h>
+#include <fcntl.h>
#include "doas.h"
static void __dead
usage(void)
{
- fprintf(stderr, "usage: doas [-ns] [-a style] [-C config] [-u user]"
+ fprintf(stderr, "usage: doas [-Lns] [-a style] [-C config] [-u user]"
" command [args]\n");
exit(1);
}
@@ -204,10 +206,18 @@ checkconfig(const char *confpath, int argc, char **argv,
}
static void
-authuser(char *myname, char *login_style)
+authuser(char *myname, char *login_style, int persist)
{
char *challenge = NULL, *response, rbuf[1024], cbuf[128];
auth_session_t *as;
+ int fd = -1;
+
+ if (persist)
+ fd = open("/dev/tty", O_RDWR);
+ if (fd != -1) {
+ if (ioctl(fd, TIOCCHKVERAUTH) == 0)
+ goto good;
+ }
if (!(as = auth_userchallenge(myname, login_style, "auth-doas",
&challenge)))
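Review bot: The new persist short-circuit at the top of authuser has no comment saying that a successful `TIOCCHKVERAUTH` skips the whole challenge, which is the security-relevant step of this function; a reader has to follow the `goto good` to discover that authentication is being bypassed on the strength of the tty's earlier verified authorization. I would add above the `if (fd != -1)` block: `/* persist: if this tty already holds a verified authorization, skip the challenge */`. It is also worth stating that `open("/dev/tty", O_RDWR)` is only attempted when `persist` is set, so a rule without persist never touches the tty and `fd` stays -1 for the rest of the function. authuser's challenge handling continues outside the hunk.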
@@ -233,6 +243,12 @@ authuser(char *myname, char *login_style)
errc(1, EPERM, NULL);
}
explicit_bzero(rbuf, sizeof(rbuf));
+good:
+ if (fd != -1) {
+ int secs = 10 * 60;
+ ioctl(fd, TIOCSETVERAUTH, &secs);
+ close(fd);
+ }
}
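Review bot: The `TIOCSETVERAUTH` result is discarded at the `good:` label, so a failed attempt to persist the authorization is silent, and the window is the bare literal `10 * 60`; I would check the call and name the constant, e.g. `if (ioctl(fd, TIOCSETVERAUTH, &secs) == -1) warn("TIOCSETVERAUTH");` with `secs` initialised from something like `PERSIST_SECS`. Because the `TIOCCHKVERAUTH` success path in the earlier hunk jumps to this same label, the timer is re-armed on every successful check, so the window is a sliding 10 minutes since last use rather than a fixed 10 minutes after the password was entered; if that is intended, a one-line comment here, `/* refresh the window on every use, not just on a fresh password */`, would keep the man page's "for some time" from being read either way. The `close(fd)` result is unchecked, which is harmless for a read-only use of the descriptor.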
int
@@ -262,14 +278,11 @@ main(int argc, char **argv)
setprogname("doas");
- if (pledge("stdio rpath getpw tty recvfd proc exec id", NULL) == -1)
- err(1, "pledge");
-
closefrom(STDERR_FILENO + 1);
uid = getuid();
- while ((ch = getopt(argc, argv, "a:C:nsu:")) != -1) {
+ while ((ch = getopt(argc, argv, "a:C:Lnsu:")) != -1) {
switch (ch) {
case 'a':
login_style = optarg;
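Review bot: The early `pledge("stdio rpath getpw tty recvfd proc exec id", NULL)` is removed with nothing in its place, so main now runs unpledged from startup until the later `pledge("stdio rpath getpw exec id", NULL)` visible in the last hunk, and the hunk gives no reason for widening that window. Presumably the `O_RDWR` open of /dev/tty and the TIOC*VERAUTH ioctls added elsewhere in this commit are not permitted under the "tty" promise; if that is the reason, I would leave a comment at the removal point, `/* no early pledge: the verified-auth tty ioctls are not covered by the tty promise */`, so the next reader does not reinstate it or tighten it without knowing why. main begins and continues outside the hunk.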
@@ -277,6 +290,11 @@ main(int argc, char **argv)
case 'C':
confpath = optarg;
break;
+ case 'L':
+ i = open("/dev/tty", O_RDWR);
+ if (i != -1)
+ ioctl(i, TIOCCLRVERAUTH);
+ exit(i != -1);
case 'u':
if (parseuid(optarg, &target) != 0)
errx(1, "unknown user");
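Review bot: The exit status of the new `-L` case is inverted: `exit(i != -1)` exits 1 when `/dev/tty` was opened and the clear was attempted, and 0 when the open failed, so a caller checking the result sees the opposite of what happened. The minimal fix is `exit(i == -1);`; since the `TIOCCLRVERAUTH` return value is also discarded, a failed clear would still report success, so I would rather write `if (i == -1 || ioctl(i, TIOCCLRVERAUTH) == -1) err(1, "TIOCCLRVERAUTH");` followed by `exit(0);`. `i` is presumably declared earlier in main, outside the hunk, and the option loop continues past the hunk as well.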
@@ -352,7 +370,7 @@ main(int argc, char **argv)
if (nflag)
errx(1, "Authorization required");
- authuser(myname, login_style);
+ authuser(myname, login_style, rule->options & PERSIST);
}
if (pledge("stdio rpath getpw exec id", NULL) == -1)
diff --git a/usr.bin/doas/doas.conf.5 b/usr.bin/doas/doas.conf.5
index 864c37ec510..317ee0028c4 100644
--- a/usr.bin/doas/doas.conf.5
+++ b/usr.bin/doas/doas.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: doas.conf.5,v 1.29 2016/06/27 17:36:33 jmc Exp $
+.\" $OpenBSD: doas.conf.5,v 1.30 2016/09/02 18:12:30 tedu Exp $
.\"
.\"Copyright (c) 2015 Ted Unangst <tedu@openbsd.org>
.\"
@@ -13,7 +13,7 @@
.\"WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\"ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\"OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.Dd $Mdocdate: June 27 2016 $
+.Dd $Mdocdate: September 2 2016 $
.Dt DOAS.CONF 5
.Os
.Sh NAME
@@ -47,6 +47,9 @@ Options are:
.Bl -tag -width keepenv
.It Ic nopass
The user is not required to enter a password.
+.It Ic persist
+After the user successfully authenticates, do not ask for a password
+again for some time.
.It Ic keepenv
The user's environment is maintained.
The default is to reset the environment, except for the variables
diff --git a/usr.bin/doas/doas.h b/usr.bin/doas/doas.h
index 067483ee3c0..93b68fadc32 100644
--- a/usr.bin/doas/doas.h
+++ b/usr.bin/doas/doas.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: doas.h,v 1.8 2016/06/19 19:29:43 martijn Exp $ */
+/* $OpenBSD: doas.h,v 1.9 2016/09/02 18:12:30 tedu Exp $ */
struct rule {
int action;
int options;
@@ -22,3 +22,4 @@ char **prepenv(struct rule *);
#define NOPASS 0x1
#define KEEPENV 0x2
+#define PERSIST 0x4
diff --git a/usr.bin/doas/parse.y b/usr.bin/doas/parse.y
index 7e68cb7c5b3..900f7970b05 100644
--- a/usr.bin/doas/parse.y
+++ b/usr.bin/doas/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.19 2016/06/27 15:41:17 tedu Exp $ */
+/* $OpenBSD: parse.y,v 1.20 2016/09/02 18:12:30 tedu Exp $ */
/*
* Copyright (c) 2015 Ted Unangst <tedu@openbsd.org>
*
@@ -57,7 +57,7 @@ int yyparse(void);
%}
%token TPERMIT TDENY TAS TCMD TARGS
-%token TNOPASS TKEEPENV TSETENV
+%token TNOPASS TPERSIST TKEEPENV TSETENV
%token TSTRING
%%
@@ -119,6 +119,9 @@ options: /* none */ {
option: TNOPASS {
$$.options = NOPASS;
$$.envlist = NULL;
+ } | TPERSIST {
+ $$.options = PERSIST;
+ $$.envlist = NULL;
} | TKEEPENV {
$$.options = KEEPENV;
$$.envlist = NULL;
@@ -208,6 +211,7 @@ struct keyword {
{ "cmd", TCMD },
{ "args", TARGS },
{ "nopass", TNOPASS },
+ { "persist", TPERSIST },
{ "keepenv", TKEEPENV },
{ "setenv", TSETENV },
};