2 * Copyright (c) 2016 Martijn van Duren <martijn@openbsd.org>
3 * Copyright (c) 2015 Ted Unangst <tedu@openbsd.org>
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 #include <sys/types.h>
21 #include <sys/ioctl.h>
26 #include <login_cap.h>
28 #include <readpassphrase.h>
45 fprintf(stderr, "usage: vias [-a style] [-C config] "
46 "file [editor args]\n");
51 arraylen(const char * const*arr)
63 parseuid(const char *s, uid_t *uid)
68 if ((pw = getpwnam(s)) != NULL) {
72 *uid = strtonum(s, 0, UID_MAX, &errstr);
79 uidcheck(const char *s, uid_t desired)
83 if (parseuid(s, &uid) != 0)
91 parsegid(const char *s, gid_t *gid)
96 if ((gr = getgrnam(s)) != NULL) {
100 *gid = strtonum(s, 0, GID_MAX, &errstr);
107 open_nosym(const char *file)
115 strlcpy(path, file, sizeof(path));
116 (void) strlcpy(path, dirname(path), sizeof(path));
118 if (path[1] == '\0') {
120 if ((pfd = open("/", O_CLOEXEC)) == -1)
123 pfd = open_nosym(path);
130 strlcpy(path, file, sizeof(path));
132 fd = openat(pfd, basename(path),
133 O_NOFOLLOW | O_CLOEXEC);
135 fd = openat(pfd, basename(path),
136 O_RDWR | O_NOFOLLOW | O_CLOEXEC | O_CREAT, 0777);
138 } while (fd == -1 && errno == EINTR);
143 if (fstat(fd, &sb) == -1)
146 * This should already have been checked in parse.y.
147 * It's only here to test for race-conditions
149 if (S_ISLNK(sb.st_mode))
150 errx(1, "Symbolic links not allowed");
151 if (dep && !S_ISDIR(sb.st_mode))
152 errc(1, ENOTDIR, NULL);
153 if (!dep && !S_ISREG(sb.st_mode))
154 errx(1, "File is not a regular file");
160 match(uid_t uid, gid_t *groups, int ngroups, const char *file, struct rule *r)
165 if (r->ident[0] == ':') {
167 if (parsegid(r->ident + 1, &rgid) == -1)
169 for (i = 0; i < ngroups; i++) {
170 if (rgid == groups[i])
176 if (uidcheck(r->ident, uid) != 0)
179 if (r->files != NULL) {
180 for (i = 0; r->files[i] != NULL; i++) {
181 flen = strlen(r->files[i]);
182 /* Allow access to the entire directory tree */
183 if (r->files[i][flen-1] == '/') {
184 if (!strncmp(r->files[i], file, flen))
187 if (!strcmp(r->files[i], file))
191 if (r->files[i] == NULL)
198 permit(uid_t uid, gid_t *groups, int ngroups, struct rule **lastr,
202 int fd = -1, pfd = -1;
207 if ((rfile = realpath(file, NULL)) == NULL)
208 err(1, "Unable to open %s", file);
211 for (i = 0; i < nrules; i++) {
213 if (match(uid, groups, ngroups, rfile, r)) {
214 /* Try to open the file, so we know the rule is really permitted */
216 if (parseuid(r->target, &suid) == -1)
218 if (seteuid(suid) == -1)
221 if ((fd = open_nosym(rfile)) != -1) {
223 if (close(pfd) == -1)
227 } else if (errno != EPERM) {
228 err(1, "open %s", file);
230 if (r->target && seteuid(0))
234 if (*lastr == NULL || (*lastr)->action != PERMIT) {
235 if (fd != -1 && close(fd) == -1)
244 parseconfig(const char *filename, int checkperms)
247 extern int yyparse(void);
250 yyfp = fopen(filename, "r");
252 err(1, checkperms ? "vias is not enabled, %s" :
253 "could not open config file %s", filename);
256 if (fstat(fileno(yyfp), &sb) != 0)
257 err(1, "fstat(\"%s\")", filename);
258 if ((sb.st_mode & (S_IWGRP|S_IWOTH)) != 0)
259 errx(1, "%s is writable by group or other", filename);
261 errx(1, "%s is not owned by root", filename);
271 checkconfig(const char *confpath, uid_t uid, gid_t *groups, int ngroups,
276 parseconfig(confpath, 0);
280 if (permit(uid, groups, ngroups, &rule, file) != -1) {
281 printf("permit%s\n", (rule->options & NOPASS) ? " nopass" : "");
289 authuser(char *myname, char *login_style, int persist)
291 char *challenge = NULL, *response, rbuf[1024], cbuf[128];
296 fd = open("/dev/tty", O_RDWR);
298 if (ioctl(fd, TIOCCHKVERAUTH) == 0)
302 if (!(as = auth_userchallenge(myname, login_style, "auth-doas",
304 errx(1, "Authorization failed");
306 char host[HOST_NAME_MAX + 1];
307 if (gethostname(host, sizeof(host)))
308 snprintf(host, sizeof(host), "?");
309 snprintf(cbuf, sizeof(cbuf),
310 "\rvias (%.32s@%.32s) password: ", myname, host);
313 response = readpassphrase(challenge, rbuf, sizeof(rbuf),
315 if (response == NULL && errno == ENOTTY) {
316 syslog(LOG_AUTHPRIV | LOG_NOTICE,
317 "tty required for %s", myname);
318 errx(1, "a tty is required");
320 if (!auth_userresponse(as, response, 0)) {
321 explicit_bzero(rbuf, sizeof(rbuf));
322 syslog(LOG_AUTHPRIV | LOG_NOTICE,
323 "failed auth for %s", myname);
324 errc(1, EPERM, NULL);
326 explicit_bzero(rbuf, sizeof(rbuf));
330 ioctl(fd, TIOCSETVERAUTH, &secs);
335 fcpy(int dfd, int sfd)
337 unsigned char buf[4096];
341 while ((r = read(sfd, buf, sizeof(buf))) > 0) {
342 if (write(dfd, buf, r) != r)
345 } while (r == -1 && errno == EINTR);
352 main(int argc, char **argv)
354 const char *confpath = NULL;
355 char tmpfile[] = "/tmp/vias.XXXXXX";
356 char myname[_PW_NAME_LEN + 1];
360 gid_t groups[NGROUPS_MAX + 1];
364 char cwdpath[PATH_MAX];
366 char *login_style = NULL;
374 closefrom(STDERR_FILENO + 1);
378 while ((ch = getopt(argc, argv, "a:C:")) != -1) {
381 login_style = optarg;
393 if (argc == 0 && confpath == NULL)
401 err(1, "getpwuid failed");
402 if (strlcpy(myname, pw->pw_name, sizeof(myname)) >= sizeof(myname))
403 errx(1, "pw_name too long");
404 ngroups = getgroups(NGROUPS_MAX, groups);
406 err(1, "can't get groups");
407 groups[ngroups++] = getgid();
410 checkconfig(confpath, uid, groups, ngroups, file);
413 errx(1, "not installed setuid");
415 parseconfig("/etc/vias.conf", 1);
419 if ((ofd = permit(uid, groups, ngroups, &rule, file)) == -1) {
420 syslog(LOG_AUTHPRIV | LOG_NOTICE,
421 "failed edit for %s: %s", myname, file);
422 errc(1, EPERM, "%s", file);
425 if (setreuid(uid, 0) == -1)
426 err(1, "setreuid failed");
428 if (!(rule->options & NOPASS))
429 authuser(myname, login_style, rule->options & PERSIST);
431 if (pledge("stdio rpath wpath cpath exec proc id tty", NULL) == -1)
434 if ((setuid(uid)) == -1)
435 err(1, "setuid failed");
437 if (pledge("stdio rpath wpath cpath exec proc tty", NULL) == -1)
440 if ((tfd = mkstemp(tmpfile)) == -1)
441 err(1, "mkstemp failed");
443 if (pledge("stdio rpath cpath exec proc tty", NULL) == -1)
446 if (!fcpy(tfd, ofd)) {
448 err(1, "temp copy failed");
451 if (getcwd(cwdpath, sizeof(cwdpath)) == NULL)
456 if (pledge("stdio cpath exec proc tty", NULL) == -1)
459 syslog(LOG_AUTHPRIV | LOG_INFO, "%s edited %s from %s",
462 if ((eargv = reallocarray(NULL, arraylen((const char * const*)argv) + 2,
463 sizeof(*eargv))) == NULL) {
467 eargv[0] = getenv("EDITOR");
468 if (eargv[0] == NULL || *(eargv[0]) == '\0')
471 switch ((vipid = fork())) {
474 err(1, "fork failed");
476 if (pledge("stdio exec", NULL) == -1)
479 for (i = 0; argv[i] != NULL; i++)
480 eargv[i+1] = argv[i];
481 eargv[i+1] = tmpfile;
483 execvp(eargv[0], eargv);
484 err(1, "execvp failed");
486 if (pledge("stdio cpath proc tty", NULL) == -1)
489 (void)setpgid(vipid, 0);
490 ttyfd = open("/dev/tty", O_RDWR);
492 (void)tcsetpgrp(ttyfd, vipid);
493 while ((ret = waitpid(vipid, &status, 0)) == -1 &&
497 err(1, "wait failed: Temporary file saved at %s",
501 if (WEXITSTATUS(status) != 0) {
502 errx(1, "%s exited with status %d: Temporary file saved at %s",
503 eargv[0], WEXITSTATUS(status), tmpfile);
506 (void) lseek(tfd, 0, SEEK_SET);
507 if (ftruncate(ofd, 0) == -1)
508 err(1, "ftruncate failed: Temporary file saved at %s", tmpfile);
509 (void) lseek(ofd, 0, SEEK_SET);
511 err(1, "restoring failed: Temporary file saved at %s", tmpfile);
512 if (unlink(tmpfile) == -1)
513 err(1, "unlink %s", tmpfile);
