Head

GCC Code Coverage Report

Directory:	./		Exec	Total	Coverage
File:	usr.bin/doas/doas.c	Lines:	0	185	0.0 %
Date:	2016-12-06	Branches:	0	150	0.0 %


/* $OpenBSD: doas.c,v 1.60 2016/07/18 16:46:30 zhuk Exp $ */
/*
 * Copyright (c) 2015 Ted Unangst <tedu@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#include <sys/types.h>
#include <sys/stat.h>

#include <limits.h>
#include <login_cap.h>
#include <bsd_auth.h>
#include <readpassphrase.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <err.h>
#include <unistd.h>
#include <pwd.h>
#include <grp.h>
#include <syslog.h>
#include <errno.h>

#include "doas.h"

static void __dead
usage(void)
{
	fprintf(stderr, "usage: doas [-ns] [-a style] [-C config] [-u user]"
	    " command [args]\n");
	exit(1);
}

size_t
arraylen(const char **arr)
{
	size_t cnt = 0;

	while (*arr) {
		cnt++;
		arr++;
	}
	return cnt;
}

static int
parseuid(const char *s, uid_t *uid)
{
	struct passwd *pw;
	const char *errstr;

	if ((pw = getpwnam(s)) != NULL) {
		*uid = pw->pw_uid;
		return 0;
	}
	*uid = strtonum(s, 0, UID_MAX, &errstr);
	if (errstr)
		return -1;
	return 0;
}

static int
uidcheck(const char *s, uid_t desired)
{
	uid_t uid;

	if (parseuid(s, &uid) != 0)
		return -1;
	if (uid != desired)
		return -1;
	return 0;
}

static int
parsegid(const char *s, gid_t *gid)
{
	struct group *gr;
	const char *errstr;

	if ((gr = getgrnam(s)) != NULL) {
		*gid = gr->gr_gid;
		return 0;
	}
	*gid = strtonum(s, 0, GID_MAX, &errstr);
	if (errstr)
		return -1;
	return 0;
}

static int
match(uid_t uid, gid_t *groups, int ngroups, uid_t target, const char *cmd,
    const char **cmdargs, struct rule *r)
{
	int i;

	if (r->ident[0] == ':') {
		gid_t rgid;
		if (parsegid(r->ident + 1, &rgid) == -1)
			return 0;
		for (i = 0; i < ngroups; i++) {
			if (rgid == groups[i])
				break;
		}
		if (i == ngroups)
			return 0;
	} else {
		if (uidcheck(r->ident, uid) != 0)
			return 0;
	}
	if (r->target && uidcheck(r->target, target) != 0)
		return 0;
	if (r->cmd) {
		if (strcmp(r->cmd, cmd))
			return 0;
		if (r->cmdargs) {
			/* if arguments were given, they should match explicitly */
			for (i = 0; r->cmdargs[i]; i++) {
				if (!cmdargs[i])
					return 0;
				if (strcmp(r->cmdargs[i], cmdargs[i]))
					return 0;
			}
			if (cmdargs[i])
				return 0;
		}
	}
	return 1;
}

static int
permit(uid_t uid, gid_t *groups, int ngroups, struct rule **lastr,
    uid_t target, const char *cmd, const char **cmdargs)
{
	int i;

	*lastr = NULL;
	for (i = 0; i < nrules; i++) {
		if (match(uid, groups, ngroups, target, cmd,
		    cmdargs, rules[i]))
			*lastr = rules[i];
	}
	if (!*lastr)
		return 0;
	return (*lastr)->action == PERMIT;
}

static void
parseconfig(const char *filename, int checkperms)
{
	extern FILE *yyfp;
	extern int yyparse(void);
	struct stat sb;

	yyfp = fopen(filename, "r");
	if (!yyfp)
		err(1, checkperms ? "doas is not enabled, %s" :
		    "could not open config file %s", filename);

	if (checkperms) {
		if (fstat(fileno(yyfp), &sb) != 0)
			err(1, "fstat(\"%s\")", filename);
		if ((sb.st_mode & (S_IWGRP|S_IWOTH)) != 0)
			errx(1, "%s is writable by group or other", filename);
		if (sb.st_uid != 0)
			errx(1, "%s is not owned by root", filename);
	}

	yyparse();
	fclose(yyfp);
	if (parse_errors)
		exit(1);
}

static void __dead
checkconfig(const char *confpath, int argc, char **argv,
    uid_t uid, gid_t *groups, int ngroups, uid_t target)
{
	struct rule *rule;

	setresuid(uid, uid, uid);
	parseconfig(confpath, 0);
	if (!argc)
		exit(0);

	if (permit(uid, groups, ngroups, &rule, target, argv[0],
	    (const char **)argv + 1)) {
		printf("permit%s\n", (rule->options & NOPASS) ? " nopass" : "");
		exit(0);
	} else {
		printf("deny\n");
		exit(1);
	}
}

int
main(int argc, char **argv)
{
	const char *safepath = "/bin:/sbin:/usr/bin:/usr/sbin:"
	    "/usr/local/bin:/usr/local/sbin";
	const char *confpath = NULL;
	char *shargv[] = { NULL, NULL };
	char *sh;
	const char *cmd;
	char cmdline[LINE_MAX];
	char myname[_PW_NAME_LEN + 1];
	struct passwd *pw;
	struct rule *rule;
	uid_t uid;
	uid_t target = 0;
	gid_t groups[NGROUPS_MAX + 1];
	int ngroups;
	int i, ch;
	int sflag = 0;
	int nflag = 0;
	char cwdpath[PATH_MAX];
	const char *cwd;
	char *login_style = NULL;
	char **envp;

	setprogname("doas");

	if (pledge("stdio rpath getpw tty recvfd proc exec id wpath cpath", NULL) == -1)
		err(1, "pledge");

	closefrom(STDERR_FILENO + 1);

	uid = getuid();

	while ((ch = getopt(argc, argv, "a:C:nsu:")) != -1) {
		switch (ch) {
		case 'a':
			login_style = optarg;
			break;
		case 'C':
			confpath = optarg;
			break;
		case 'u':
			if (parseuid(optarg, &target) != 0)
				errx(1, "unknown user");
			break;
		case 'n':
			nflag = 1;
			break;
		case 's':
			sflag = 1;
			break;
		default:
			usage();
			break;
		}
	}
	argv += optind;
	argc -= optind;

	if (confpath) {
		if (sflag)
			usage();
	} else if ((!sflag && !argc) || (sflag && argc))
		usage();

	pw = getpwuid(uid);
	if (!pw)
		err(1, "getpwuid failed");
	if (strlcpy(myname, pw->pw_name, sizeof(myname)) >= sizeof(myname))
		errx(1, "pw_name too long");
	ngroups = getgroups(NGROUPS_MAX, groups);
	if (ngroups == -1)
		err(1, "can't get groups");
	groups[ngroups++] = getgid();

	if (sflag) {
		sh = getenv("SHELL");
		if (sh == NULL || *sh == '\0') {
			shargv[0] = strdup(pw->pw_shell);
			if (shargv[0] == NULL)
				err(1, NULL);
		} else
			shargv[0] = sh;
		argv = shargv;
		argc = 1;
	}

	if (confpath) {
		checkconfig(confpath, argc, argv, uid, groups, ngroups,
		    target);
		exit(1);	/* fail safe */
	}

	parseconfig("/etc/doas.conf", 1);

	/* cmdline is used only for logging, no need to abort on truncate */
	(void)strlcpy(cmdline, argv[0], sizeof(cmdline));
	for (i = 1; i < argc; i++) {
		if (strlcat(cmdline, " ", sizeof(cmdline)) >= sizeof(cmdline))
			break;
		if (strlcat(cmdline, argv[i], sizeof(cmdline)) >= sizeof(cmdline))
			break;
	}

	cmd = argv[0];
	if (!permit(uid, groups, ngroups, &rule, target, cmd,
	    (const char **)argv + 1)) {
		syslog(LOG_AUTHPRIV | LOG_NOTICE,
		    "failed command for %s: %s", myname, cmdline);
		errc(1, EPERM, NULL);
	}

	if (!(rule->options & NOPASS)) {
		char *challenge = NULL, *response, rbuf[1024], cbuf[128];
		auth_session_t *as;

		if (nflag)
			errx(1, "Authorization required");

		if (!(as = auth_userchallenge(myname, login_style, "auth-doas",
		    &challenge)))
			errx(1, "Authorization failed");
		if (!challenge) {
			char host[HOST_NAME_MAX + 1];
			if (gethostname(host, sizeof(host)))
				snprintf(host, sizeof(host), "?");
			snprintf(cbuf, sizeof(cbuf),
			    "\rdoas (%.32s@%.32s) password: ", myname, host);
			challenge = cbuf;
		}
		response = readpassphrase(challenge, rbuf, sizeof(rbuf),
		    RPP_REQUIRE_TTY);
		if (response == NULL && errno == ENOTTY) {
			syslog(LOG_AUTHPRIV | LOG_NOTICE,
			    "tty required for %s", myname);
			errx(1, "a tty is required");
		}
		if (!auth_userresponse(as, response, 0)) {
			syslog(LOG_AUTHPRIV | LOG_NOTICE,
			    "failed auth for %s", myname);
			errc(1, EPERM, NULL);
		}
		explicit_bzero(rbuf, sizeof(rbuf));
	}

	if (pledge("stdio rpath getpw exec id wpath cpath", NULL) == -1)
		err(1, "pledge");

	pw = getpwuid(target);
	if (!pw)
		errx(1, "no passwd entry for target");

	if (setusercontext(NULL, pw, target, LOGIN_SETGROUP |
	    LOGIN_SETPRIORITY | LOGIN_SETRESOURCES | LOGIN_SETUMASK |
	    LOGIN_SETUSER) != 0)
		errx(1, "failed to set user context for target");

	if (pledge("stdio rpath exec wpath cpath", NULL) == -1)
		err(1, "pledge");

	if (getcwd(cwdpath, sizeof(cwdpath)) == NULL)
		cwd = "(failed)";
	else
		cwd = cwdpath;

	if (pledge("stdio exec wpath cpath rpath", NULL) == -1)
		err(1, "pledge");

	syslog(LOG_AUTHPRIV | LOG_INFO, "%s ran command %s as %s from %s",
	    myname, cmdline, pw->pw_name, cwd);

	envp = prepenv(rule);

	if (rule->cmd) {
		if (setenv("PATH", safepath, 1) == -1)
			err(1, "failed to set PATH '%s'", safepath);
	}
	execvpe(cmd, argv, envp);
	if (errno == ENOENT)
		errx(1, "%s: command not found", cmd);
	err(1, "%s", cmd);
}


Generated by: GCOVR (Version 3.3)

Line	Branch	Exec	Source
1			/* $OpenBSD: doas.c,v 1.60 2016/07/18 16:46:30 zhuk Exp $ */
2			/*
3			* Copyright (c) 2015 Ted Unangst <tedu@openbsd.org>
4			*
5			* Permission to use, copy, modify, and distribute this software for any
6			* purpose with or without fee is hereby granted, provided that the above
7			* copyright notice and this permission notice appear in all copies.
8			*
9			* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10			* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11			* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12			* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13			* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14			* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15			* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16			*/
17
18			#include <sys/types.h>
19			#include <sys/stat.h>
20
21			#include <limits.h>
22			#include <login_cap.h>
23			#include <bsd_auth.h>
24			#include <readpassphrase.h>
25			#include <string.h>
26			#include <stdio.h>
27			#include <stdlib.h>
28			#include <err.h>
29			#include <unistd.h>
30			#include <pwd.h>
31			#include <grp.h>
32			#include <syslog.h>
33			#include <errno.h>
34
35			#include "doas.h"
36
37			static void __dead
38			usage(void)
39			{
40			fprintf(stderr, "usage: doas [-ns] [-a style] [-C config] [-u user]"
41			" command [args]\n");
42			exit(1);
43			}
44
45			size_t
46			arraylen(const char **arr)
47			{
48			size_t cnt = 0;
49
50			while (*arr) {
51			cnt++;
52			arr++;
53			}
54			return cnt;
55			}
56
57			static int
58			parseuid(const char s, uid_t uid)
59			{
60			struct passwd *pw;
61			const char *errstr;
62
63			if ((pw = getpwnam(s)) != NULL) {
64			*uid = pw->pw_uid;
65			return 0;
66			}
67			*uid = strtonum(s, 0, UID_MAX, &errstr);
68			if (errstr)
69			return -1;
70			return 0;
71			}
72
73			static int
74			uidcheck(const char *s, uid_t desired)
75			{
76			uid_t uid;
77
78			if (parseuid(s, &uid) != 0)
79			return -1;
80			if (uid != desired)
81			return -1;
82			return 0;
83			}
84
85			static int
86			parsegid(const char s, gid_t gid)
87			{
88			struct group *gr;
89			const char *errstr;
90
91			if ((gr = getgrnam(s)) != NULL) {
92			*gid = gr->gr_gid;
93			return 0;
94			}
95			*gid = strtonum(s, 0, GID_MAX, &errstr);
96			if (errstr)
97			return -1;
98			return 0;
99			}
100
101			static int
102			match(uid_t uid, gid_t groups, int ngroups, uid_t target, const char cmd,
103			const char *cmdargs, struct rule r)
104			{
105			int i;
106
107			if (r->ident[0] == ':') {
108			gid_t rgid;
109			if (parsegid(r->ident + 1, &rgid) == -1)
110			return 0;
111			for (i = 0; i < ngroups; i++) {
112			if (rgid == groups[i])
113			break;
114			}
115			if (i == ngroups)
116			return 0;
117			} else {
118			if (uidcheck(r->ident, uid) != 0)
119			return 0;
120			}
121			if (r->target && uidcheck(r->target, target) != 0)
122			return 0;
123			if (r->cmd) {
124			if (strcmp(r->cmd, cmd))
125			return 0;
126			if (r->cmdargs) {
127			/* if arguments were given, they should match explicitly */
128			for (i = 0; r->cmdargs[i]; i++) {
129			if (!cmdargs[i])
130			return 0;
131			if (strcmp(r->cmdargs[i], cmdargs[i]))
132			return 0;
133			}
134			if (cmdargs[i])
135			return 0;
136			}
137			}
138			return 1;
139			}
140
141			static int
142			permit(uid_t uid, gid_t groups, int ngroups, struct rule *lastr,
143			uid_t target, const char cmd, const char *cmdargs)
144			{
145			int i;
146
147			*lastr = NULL;
148			for (i = 0; i < nrules; i++) {
149			if (match(uid, groups, ngroups, target, cmd,
150			cmdargs, rules[i]))
151			*lastr = rules[i];
152			}
153			if (!*lastr)
154			return 0;
155			return (*lastr)->action == PERMIT;
156			}
157
158			static void
159			parseconfig(const char *filename, int checkperms)
160			{
161			extern FILE *yyfp;
162			extern int yyparse(void);
163			struct stat sb;
164
165			yyfp = fopen(filename, "r");
166			if (!yyfp)
167			err(1, checkperms ? "doas is not enabled, %s" :
168			"could not open config file %s", filename);
169
170			if (checkperms) {
171			if (fstat(fileno(yyfp), &sb) != 0)
172			err(1, "fstat(\"%s\")", filename);
173			if ((sb.st_mode & (S_IWGRP\|S_IWOTH)) != 0)
174			errx(1, "%s is writable by group or other", filename);
175			if (sb.st_uid != 0)
176			errx(1, "%s is not owned by root", filename);
177			}
178
179			yyparse();
180			fclose(yyfp);
181			if (parse_errors)
182			exit(1);
183			}
184
185			static void __dead
186			checkconfig(const char confpath, int argc, char *argv,
187			uid_t uid, gid_t *groups, int ngroups, uid_t target)
188			{
189			struct rule *rule;
190
191			setresuid(uid, uid, uid);
192			parseconfig(confpath, 0);
193			if (!argc)
194			exit(0);
195
196			if (permit(uid, groups, ngroups, &rule, target, argv[0],
197			(const char **)argv + 1)) {
198			printf("permit%s\n", (rule->options & NOPASS) ? " nopass" : "");
199			exit(0);
200			} else {
201			printf("deny\n");
202			exit(1);
203			}
204			}
205
206			int
207			main(int argc, char **argv)
208			{
209			const char *safepath = "/bin:/sbin:/usr/bin:/usr/sbin:"
210			"/usr/local/bin:/usr/local/sbin";
211			const char *confpath = NULL;
212			char *shargv[] = { NULL, NULL };
213			char *sh;
214			const char *cmd;
215			char cmdline[LINE_MAX];
216			char myname[_PW_NAME_LEN + 1];
217			struct passwd *pw;
218			struct rule *rule;
219			uid_t uid;
220			uid_t target = 0;
221			gid_t groups[NGROUPS_MAX + 1];
222			int ngroups;
223			int i, ch;
224			int sflag = 0;
225			int nflag = 0;
226			char cwdpath[PATH_MAX];
227			const char *cwd;
228			char *login_style = NULL;
229			char **envp;
230
231			setprogname("doas");
232
233			if (pledge("stdio rpath getpw tty recvfd proc exec id wpath cpath", NULL) == -1)
234			err(1, "pledge");
235
236			closefrom(STDERR_FILENO + 1);
237
238			uid = getuid();
239
240			while ((ch = getopt(argc, argv, "a:C:nsu:")) != -1) {
241			switch (ch) {
242			case 'a':
243			login_style = optarg;
244			break;
245			case 'C':
246			confpath = optarg;
247			break;
248			case 'u':
249			if (parseuid(optarg, &target) != 0)
250			errx(1, "unknown user");
251			break;
252			case 'n':
253			nflag = 1;
254			break;
255			case 's':
256			sflag = 1;
257			break;
258			default:
259			usage();
260			break;
261			}
262			}
263			argv += optind;
264			argc -= optind;
265
266			if (confpath) {
267			if (sflag)
268			usage();
269			} else if ((!sflag && !argc) \|\| (sflag && argc))
270			usage();
271
272			pw = getpwuid(uid);
273			if (!pw)
274			err(1, "getpwuid failed");
275			if (strlcpy(myname, pw->pw_name, sizeof(myname)) >= sizeof(myname))
276			errx(1, "pw_name too long");
277			ngroups = getgroups(NGROUPS_MAX, groups);
278			if (ngroups == -1)
279			err(1, "can't get groups");
280			groups[ngroups++] = getgid();
281
282			if (sflag) {
283			sh = getenv("SHELL");
284			if (sh == NULL \|\| *sh == '\0') {
285			shargv[0] = strdup(pw->pw_shell);
286			if (shargv[0] == NULL)
287			err(1, NULL);
288			} else
289			shargv[0] = sh;
290			argv = shargv;
291			argc = 1;
292			}
293
294			if (confpath) {
295			checkconfig(confpath, argc, argv, uid, groups, ngroups,
296			target);
297			exit(1); /* fail safe */
298			}
299
300			parseconfig("/etc/doas.conf", 1);
301
302			/* cmdline is used only for logging, no need to abort on truncate */
303			(void)strlcpy(cmdline, argv[0], sizeof(cmdline));
304			for (i = 1; i < argc; i++) {
305			if (strlcat(cmdline, " ", sizeof(cmdline)) >= sizeof(cmdline))
306			break;
307			if (strlcat(cmdline, argv[i], sizeof(cmdline)) >= sizeof(cmdline))
308			break;
309			}
310
311			cmd = argv[0];
312			if (!permit(uid, groups, ngroups, &rule, target, cmd,
313			(const char **)argv + 1)) {
314			syslog(LOG_AUTHPRIV \| LOG_NOTICE,
315			"failed command for %s: %s", myname, cmdline);
316			errc(1, EPERM, NULL);
317			}
318
319			if (!(rule->options & NOPASS)) {
320			char challenge = NULL, response, rbuf[1024], cbuf[128];
321			auth_session_t *as;
322
323			if (nflag)
324			errx(1, "Authorization required");
325
326			if (!(as = auth_userchallenge(myname, login_style, "auth-doas",
327			&challenge)))
328			errx(1, "Authorization failed");
329			if (!challenge) {
330			char host[HOST_NAME_MAX + 1];
331			if (gethostname(host, sizeof(host)))
332			snprintf(host, sizeof(host), "?");
333			snprintf(cbuf, sizeof(cbuf),
334			"\rdoas (%.32s@%.32s) password: ", myname, host);
335			challenge = cbuf;
336			}
337			response = readpassphrase(challenge, rbuf, sizeof(rbuf),
338			RPP_REQUIRE_TTY);
339			if (response == NULL && errno == ENOTTY) {
340			syslog(LOG_AUTHPRIV \| LOG_NOTICE,
341			"tty required for %s", myname);
342			errx(1, "a tty is required");
343			}
344			if (!auth_userresponse(as, response, 0)) {
345			syslog(LOG_AUTHPRIV \| LOG_NOTICE,
346			"failed auth for %s", myname);
347			errc(1, EPERM, NULL);
348			}
349			explicit_bzero(rbuf, sizeof(rbuf));
350			}
351
352			if (pledge("stdio rpath getpw exec id wpath cpath", NULL) == -1)
353			err(1, "pledge");
354
355			pw = getpwuid(target);
356			if (!pw)
357			errx(1, "no passwd entry for target");
358
359			if (setusercontext(NULL, pw, target, LOGIN_SETGROUP \|
360			LOGIN_SETPRIORITY \| LOGIN_SETRESOURCES \| LOGIN_SETUMASK \|
361			LOGIN_SETUSER) != 0)
362			errx(1, "failed to set user context for target");
363
364			if (pledge("stdio rpath exec wpath cpath", NULL) == -1)
365			err(1, "pledge");
366
367			if (getcwd(cwdpath, sizeof(cwdpath)) == NULL)
368			cwd = "(failed)";
369			else
370			cwd = cwdpath;
371
372			if (pledge("stdio exec wpath cpath rpath", NULL) == -1)
373			err(1, "pledge");
374
375			syslog(LOG_AUTHPRIV \| LOG_INFO, "%s ran command %s as %s from %s",
376			myname, cmdline, pw->pw_name, cwd);
377
378			envp = prepenv(rule);
379
380			if (rule->cmd) {
381			if (setenv("PATH", safepath, 1) == -1)
382			err(1, "failed to set PATH '%s'", safepath);
383			}
384			execvpe(cmd, argv, envp);
385			if (errno == ENOENT)
386			errx(1, "%s: command not found", cmd);
387			err(1, "%s", cmd);
388			}