2 * Copyright (c) 2016 Martijn van Duren <vias@imperialat.at>
3 * Copyright (c) 2015 Ted Unangst <tedu@openbsd.org>
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 #include <sys/types.h>
21 #include <sys/ioctl.h>
26 #include <login_cap.h>
28 #include <readpassphrase.h>
44 fprintf(stderr, "usage: vias [-a style] [-C config] "
45 "file [editor args]\n");
50 arraylen(const char **arr)
62 parseuid(const char *s, uid_t *uid)
67 if ((pw = getpwnam(s)) != NULL) {
71 *uid = strtonum(s, 0, UID_MAX, &errstr);
78 uidcheck(const char *s, uid_t desired)
82 if (parseuid(s, &uid) != 0)
90 parsegid(const char *s, gid_t *gid)
95 if ((gr = getgrnam(s)) != NULL) {
99 *gid = strtonum(s, 0, GID_MAX, &errstr);
106 open_nosym(const char *file)
114 (void) strlcpy(dir, dirname(file), sizeof(dir));
116 if (dir[1] == '\0') {
118 if ((pfd = open("/", O_CLOEXEC)) == -1)
121 pfd = open_nosym(dir);
129 fd = openat(pfd, basename(file),
130 O_NOFOLLOW | O_CLOEXEC);
132 fd = openat(pfd, basename(file),
133 O_RDWR | O_NOFOLLOW | O_CLOEXEC | O_CREAT, 0777);
135 } while (fd == -1 && errno == EINTR);
140 if (fstat(fd, &sb) == -1)
143 * This should already have been checked in parse.y.
144 * It's only here to test for race-conditions
146 if (S_ISLNK(sb.st_mode))
147 errx(1, "Symbolic links not allowed");
148 if (dep && !S_ISDIR(sb.st_mode))
149 errc(1, ENOTDIR, NULL);
150 if (!dep && !S_ISREG(sb.st_mode))
151 errx(1, "File is not a regular file");
157 match(uid_t uid, gid_t *groups, int ngroups, const char *file, struct rule *r)
162 if (r->ident[0] == ':') {
164 if (parsegid(r->ident + 1, &rgid) == -1)
166 for (i = 0; i < ngroups; i++) {
167 if (rgid == groups[i])
173 if (uidcheck(r->ident, uid) != 0)
176 if (r->files != NULL) {
177 for (i = 0; r->files[i] != NULL; i++) {
178 flen = strlen(r->files[i]);
179 /* Allow access to the entire directory tree */
180 if (r->files[i][flen-1] == '/') {
181 if (!strncmp(r->files[i], file, flen))
184 if (!strcmp(r->files[i], file))
188 if (r->files[i] == NULL)
195 permit(uid_t uid, gid_t *groups, int ngroups, struct rule **lastr,
199 int fd = -1, pfd = -1;
204 if ((rfile = realpath(file, NULL)) == NULL)
205 err(1, "Unable to open %s", file);
208 for (i = 0; i < nrules; i++) {
210 if (match(uid, groups, ngroups, rfile, r)) {
211 /* Try to open the file, so we know the rule is really permitted */
213 if (parseuid(r->target, &suid) == -1)
215 if (seteuid(suid) == -1)
218 if ((fd = open_nosym(rfile)) != -1) {
220 if (close(pfd) == -1)
224 } else if (errno != EPERM) {
225 err(1, "open %s", file);
227 if (r->target && seteuid(0))
231 if (*lastr == NULL || (*lastr)->action != PERMIT) {
240 parseconfig(const char *filename, int checkperms)
243 extern int yyparse(void);
246 yyfp = fopen(filename, "r");
248 err(1, checkperms ? "vias is not enabled, %s" :
249 "could not open config file %s", filename);
252 if (fstat(fileno(yyfp), &sb) != 0)
253 err(1, "fstat(\"%s\")", filename);
254 if ((sb.st_mode & (S_IWGRP|S_IWOTH)) != 0)
255 errx(1, "%s is writable by group or other", filename);
257 errx(1, "%s is not owned by root", filename);
267 checkconfig(const char *confpath, uid_t uid, gid_t *groups, int ngroups,
272 parseconfig(confpath, 0);
276 if (permit(uid, groups, ngroups, &rule, file) != -1) {
277 printf("permit%s\n", (rule->options & NOPASS) ? " nopass" : "");
285 authuser(char *myname, char *login_style, int persist)
287 char *challenge = NULL, *response, rbuf[1024], cbuf[128];
292 fd = open("/dev/tty", O_RDWR);
294 if (ioctl(fd, TIOCCHKVERAUTH) == 0)
298 if (!(as = auth_userchallenge(myname, login_style, "auth-doas",
300 errx(1, "Authorization failed");
302 char host[HOST_NAME_MAX + 1];
303 if (gethostname(host, sizeof(host)))
304 snprintf(host, sizeof(host), "?");
305 snprintf(cbuf, sizeof(cbuf),
306 "\rvias (%.32s@%.32s) password: ", myname, host);
309 response = readpassphrase(challenge, rbuf, sizeof(rbuf),
311 if (response == NULL && errno == ENOTTY) {
312 syslog(LOG_AUTHPRIV | LOG_NOTICE,
313 "tty required for %s", myname);
314 errx(1, "a tty is required");
316 if (!auth_userresponse(as, response, 0)) {
317 syslog(LOG_AUTHPRIV | LOG_NOTICE,
318 "failed auth for %s", myname);
319 errc(1, EPERM, NULL);
321 explicit_bzero(rbuf, sizeof(rbuf));
325 ioctl(fd, TIOCSETVERAUTH, &secs);
330 fcpy(int dfd, int sfd)
332 unsigned char buf[4096];
336 while ((r = read(sfd, buf, sizeof(buf))) > 0) {
337 if (write(dfd, buf, r) != r)
340 } while (r == -1 && errno == EINTR);
347 main(int argc, char **argv)
349 const char *confpath = NULL;
350 char tmpfile[] = "/tmp/vias.XXXXXX";
351 char myname[_PW_NAME_LEN + 1];
355 gid_t groups[NGROUPS_MAX + 1];
359 char cwdpath[PATH_MAX];
361 char *login_style = NULL;
369 closefrom(STDERR_FILENO + 1);
373 while ((ch = getopt(argc, argv, "a:C:")) != -1) {
376 login_style = optarg;
388 if (argc == 0 && confpath == NULL)
396 err(1, "getpwuid failed");
397 if (strlcpy(myname, pw->pw_name, sizeof(myname)) >= sizeof(myname))
398 errx(1, "pw_name too long");
399 ngroups = getgroups(NGROUPS_MAX, groups);
401 err(1, "can't get groups");
402 groups[ngroups++] = getgid();
405 checkconfig(confpath, uid, groups, ngroups, file);
408 errx(1, "not installed setuid");
410 parseconfig("/etc/vias.conf", 1);
414 if ((ofd = permit(uid, groups, ngroups, &rule, file)) == -1) {
415 syslog(LOG_AUTHPRIV | LOG_NOTICE,
416 "failed edit for %s: %s", myname, file);
420 if (setreuid(uid, 0) == -1)
421 err(1, "setreuid failed");
423 if (!(rule->options & NOPASS))
424 authuser(myname, login_style, rule->options & PERSIST);
426 if (pledge("stdio rpath wpath cpath exec proc id", NULL) == -1)
429 if ((setuid(uid)) == -1)
430 err(1, "setuid failed");
432 if (pledge("stdio rpath wpath cpath exec proc", NULL) == -1)
435 if ((tfd = mkstemp(tmpfile)) == -1)
436 err(1, "mkstemp failed");
438 if (pledge("stdio rpath cpath exec proc", NULL) == -1)
441 if (!fcpy(tfd, ofd)) {
443 err(1, "temp copy failed");
446 if (getcwd(cwdpath, sizeof(cwdpath)) == NULL)
451 if (pledge("stdio cpath exec proc", NULL) == -1)
454 syslog(LOG_AUTHPRIV | LOG_INFO, "%s edited %s as %s from %s",
455 myname, file, pw->pw_name, cwd);
457 if ((eargv = reallocarray(NULL, arraylen((const char **) argv) + 2,
458 sizeof(*eargv))) == NULL) {
462 eargv[0] = getenv("EDITOR");
463 if (eargv[0] == NULL || *(eargv[0]) == '\0')
466 switch ((vipid = fork())) {
469 err(1, "fork failed");
471 if (pledge("stdio exec", NULL) == -1)
474 for (i = 0; argv[i] != NULL; i++)
475 eargv[i+1] = argv[i];
476 eargv[i+1] = tmpfile;
478 execvp(eargv[0], eargv);
479 err(1, "execvp failed");
481 if (pledge("stdio cpath", NULL) == -1)
484 while ((ret = waitpid(vipid, &status, 0)) == -1 &&
488 err(1, "wait failed: Temporary file saved at %s",
492 if (WEXITSTATUS(status) != 0) {
493 errx(1, "%s exited with status %d: Temporary file saved at %s",
494 eargv[0], WEXITSTATUS(status), tmpfile);
497 (void) lseek(tfd, 0, SEEK_SET);
498 if (ftruncate(ofd, 0) == -1)
499 err(1, "ftruncate failed: Temporary file saved at %s", tmpfile);
500 (void) lseek(ofd, 0, SEEK_SET);
502 err(1, "restoring failed: Temporary file saved at %s", tmpfile);
503 if (unlink(tmpfile) == -1)
504 err(1, "unlink %s", tmpfile);
