2 * Copyright (c) 2016 Martijn van Duren <vias@imperialat.at>
3 * Copyright (c) 2015 Ted Unangst <tedu@openbsd.org>
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 #include <sys/types.h>
21 #include <sys/ioctl.h>
26 #include <login_cap.h>
28 #include <readpassphrase.h>
44 fprintf(stderr, "usage: vias [-a style] [-C config] "
45 "file [editor args]\n");
50 arraylen(const char **arr)
62 parseuid(const char *s, uid_t *uid)
67 if ((pw = getpwnam(s)) != NULL) {
71 *uid = strtonum(s, 0, UID_MAX, &errstr);
78 uidcheck(const char *s, uid_t desired)
82 if (parseuid(s, &uid) != 0)
90 parsegid(const char *s, gid_t *gid)
95 if ((gr = getgrnam(s)) != NULL) {
99 *gid = strtonum(s, 0, GID_MAX, &errstr);
106 open_nosym(const char *file)
114 (void) strlcpy(dir, dirname(file), sizeof(dir));
116 if (dir[1] == '\0') {
118 if ((pfd = open("/", O_CLOEXEC)) == -1)
121 pfd = open_nosym(dir);
129 fd = openat(pfd, basename(file),
130 O_NOFOLLOW | O_CLOEXEC);
132 fd = openat(pfd, basename(file),
133 O_RDWR | O_NOFOLLOW | O_CLOEXEC | O_CREAT, 0777);
135 } while (fd == -1 && errno == EINTR);
140 if (fstat(fd, &sb) == -1)
143 * This should already have been checked in parse.y.
144 * It's only here to test for race-conditions
146 if (S_ISLNK(sb.st_mode))
147 errx(1, "Symbolic links not allowed");
148 if (dep && !S_ISDIR(sb.st_mode))
149 errc(1, ENOTDIR, NULL);
150 if (!dep && !S_ISREG(sb.st_mode))
151 errx(1, "File is not a regular file");
157 match(uid_t uid, gid_t *groups, int ngroups, const char *file, struct rule *r)
162 if (r->ident[0] == ':') {
164 if (parsegid(r->ident + 1, &rgid) == -1)
166 for (i = 0; i < ngroups; i++) {
167 if (rgid == groups[i])
173 if (uidcheck(r->ident, uid) != 0)
176 if (r->files != NULL) {
177 for (i = 0; r->files[i] != NULL; i++) {
178 flen = strlen(r->files[i]);
179 /* Allow access to the entire directory tree */
180 if (r->files[i][flen-1] == '/') {
181 if (!strncmp(r->files[i], file, flen))
184 if (!strcmp(r->files[i], file))
188 if (r->files[i] == NULL)
195 permit(uid_t uid, gid_t *groups, int ngroups, struct rule **lastr,
199 int fd = -1, pfd = -1;
204 if ((rfile = realpath(file, NULL)) == NULL)
205 err(1, "Unable to open %s", file);
208 for (i = 0; i < nrules; i++) {
210 if (match(uid, groups, ngroups, rfile, r)) {
211 /* Try to open the file, so we know the rule is really permitted */
213 if (parseuid(r->target, &suid) == -1)
215 if (seteuid(suid) == -1)
218 if ((fd = open_nosym(rfile)) != -1) {
220 if (close(pfd) == -1)
224 } else if (errno != EPERM) {
225 err(1, "open %s", file);
227 if (r->target && seteuid(0))
231 if (*lastr == NULL || (*lastr)->action != PERMIT) {
232 if (fd != -1 && close(fd) == -1)
241 parseconfig(const char *filename, int checkperms)
244 extern int yyparse(void);
247 yyfp = fopen(filename, "r");
249 err(1, checkperms ? "vias is not enabled, %s" :
250 "could not open config file %s", filename);
253 if (fstat(fileno(yyfp), &sb) != 0)
254 err(1, "fstat(\"%s\")", filename);
255 if ((sb.st_mode & (S_IWGRP|S_IWOTH)) != 0)
256 errx(1, "%s is writable by group or other", filename);
258 errx(1, "%s is not owned by root", filename);
268 checkconfig(const char *confpath, uid_t uid, gid_t *groups, int ngroups,
273 parseconfig(confpath, 0);
277 if (permit(uid, groups, ngroups, &rule, file) != -1) {
278 printf("permit%s\n", (rule->options & NOPASS) ? " nopass" : "");
286 authuser(char *myname, char *login_style, int persist)
288 char *challenge = NULL, *response, rbuf[1024], cbuf[128];
293 fd = open("/dev/tty", O_RDWR);
295 if (ioctl(fd, TIOCCHKVERAUTH) == 0)
299 if (!(as = auth_userchallenge(myname, login_style, "auth-doas",
301 errx(1, "Authorization failed");
303 char host[HOST_NAME_MAX + 1];
304 if (gethostname(host, sizeof(host)))
305 snprintf(host, sizeof(host), "?");
306 snprintf(cbuf, sizeof(cbuf),
307 "\rvias (%.32s@%.32s) password: ", myname, host);
310 response = readpassphrase(challenge, rbuf, sizeof(rbuf),
312 if (response == NULL && errno == ENOTTY) {
313 syslog(LOG_AUTHPRIV | LOG_NOTICE,
314 "tty required for %s", myname);
315 errx(1, "a tty is required");
317 if (!auth_userresponse(as, response, 0)) {
318 syslog(LOG_AUTHPRIV | LOG_NOTICE,
319 "failed auth for %s", myname);
320 errc(1, EPERM, NULL);
322 explicit_bzero(rbuf, sizeof(rbuf));
326 ioctl(fd, TIOCSETVERAUTH, &secs);
331 fcpy(int dfd, int sfd)
333 unsigned char buf[4096];
337 while ((r = read(sfd, buf, sizeof(buf))) > 0) {
338 if (write(dfd, buf, r) != r)
341 } while (r == -1 && errno == EINTR);
348 main(int argc, char **argv)
350 const char *confpath = NULL;
351 char tmpfile[] = "/tmp/vias.XXXXXX";
352 char myname[_PW_NAME_LEN + 1];
356 gid_t groups[NGROUPS_MAX + 1];
360 char cwdpath[PATH_MAX];
362 char *login_style = NULL;
370 closefrom(STDERR_FILENO + 1);
374 while ((ch = getopt(argc, argv, "a:C:")) != -1) {
377 login_style = optarg;
389 if (argc == 0 && confpath == NULL)
397 err(1, "getpwuid failed");
398 if (strlcpy(myname, pw->pw_name, sizeof(myname)) >= sizeof(myname))
399 errx(1, "pw_name too long");
400 ngroups = getgroups(NGROUPS_MAX, groups);
402 err(1, "can't get groups");
403 groups[ngroups++] = getgid();
406 checkconfig(confpath, uid, groups, ngroups, file);
409 errx(1, "not installed setuid");
411 parseconfig("/etc/vias.conf", 1);
415 if ((ofd = permit(uid, groups, ngroups, &rule, file)) == -1) {
416 syslog(LOG_AUTHPRIV | LOG_NOTICE,
417 "failed edit for %s: %s", myname, file);
418 errc(1, EPERM, "%s", file);
421 if (setreuid(uid, 0) == -1)
422 err(1, "setreuid failed");
424 if (!(rule->options & NOPASS))
425 authuser(myname, login_style, rule->options & PERSIST);
427 if (pledge("stdio rpath wpath cpath exec proc id", NULL) == -1)
430 if ((setuid(uid)) == -1)
431 err(1, "setuid failed");
433 if (pledge("stdio rpath wpath cpath exec proc", NULL) == -1)
436 if ((tfd = mkstemp(tmpfile)) == -1)
437 err(1, "mkstemp failed");
439 if (pledge("stdio rpath cpath exec proc", NULL) == -1)
442 if (!fcpy(tfd, ofd)) {
444 err(1, "temp copy failed");
447 if (getcwd(cwdpath, sizeof(cwdpath)) == NULL)
452 if (pledge("stdio cpath exec proc", NULL) == -1)
455 syslog(LOG_AUTHPRIV | LOG_INFO, "%s edited %s as %s from %s",
456 myname, file, pw->pw_name, cwd);
458 if ((eargv = reallocarray(NULL, arraylen((const char **) argv) + 2,
459 sizeof(*eargv))) == NULL) {
463 eargv[0] = getenv("EDITOR");
464 if (eargv[0] == NULL || *(eargv[0]) == '\0')
467 switch ((vipid = fork())) {
470 err(1, "fork failed");
472 if (pledge("stdio exec", NULL) == -1)
475 for (i = 0; argv[i] != NULL; i++)
476 eargv[i+1] = argv[i];
477 eargv[i+1] = tmpfile;
479 execvp(eargv[0], eargv);
480 err(1, "execvp failed");
482 if (pledge("stdio cpath", NULL) == -1)
485 while ((ret = waitpid(vipid, &status, 0)) == -1 &&
489 err(1, "wait failed: Temporary file saved at %s",
493 if (WEXITSTATUS(status) != 0) {
494 errx(1, "%s exited with status %d: Temporary file saved at %s",
495 eargv[0], WEXITSTATUS(status), tmpfile);
498 (void) lseek(tfd, 0, SEEK_SET);
499 if (ftruncate(ofd, 0) == -1)
500 err(1, "ftruncate failed: Temporary file saved at %s", tmpfile);
501 (void) lseek(ofd, 0, SEEK_SET);
503 err(1, "restoring failed: Temporary file saved at %s", tmpfile);
504 if (unlink(tmpfile) == -1)
505 err(1, "unlink %s", tmpfile);
