You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

393 lines
10 KiB

#include "e_util_suid.h"
#include "config.h"
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#ifdef HAVE_ALLOCA_H
# include <alloca.h>
#endif
#include <Eina.h>
#include <Ecore.h>
#include <Eldbus.h>
static uid_t uid = -1; // uid of person running me
static gid_t gid = -1; // gid of person running me
static char *user_name = NULL;
static char *group_name = NULL;
#if defined(__OpenBSD__)
static int
_check_auth(uid_t id, const char *guess)
{
struct passwd *pwent;
pwent = getpwuid_shadow(id);
if (!pwent) return -1;
if (!pwent->pw_passwd) return -1;
return crypt_checkpass(guess, pwent->pw_passwd);
}
#elif defined(__FreeBSD__)
#include <security/pam_constants.h>
static int
_check_auth(uid_t id, const char *pw)
{
struct passwd *pwent = getpwuid(id);
if (!pwent) return -1;
if (!pwent->pw_passwd) return -1;
if (!strcmp(crypt(pw, pwent->pw_passwd), pwent->pw_passwd)) return 0;
return -1;
}
#elif defined(HAVE_PAM)
# include <security/pam_appl.h>
typedef struct
{
const char *user;
const char *pw;
} Authinfo;
static int
_conv_cb(int num, const struct pam_message **msg, struct pam_response **resp, void *data)
{
Authinfo *ai = data;
int replies;
struct pam_response *reply = NULL;
reply = malloc(sizeof(struct pam_response) * num);
if (!reply) return PAM_CONV_ERR;
for (replies = 0; replies < num; replies++)
{
switch (msg[replies]->msg_style)
{
case PAM_PROMPT_ECHO_ON:
reply[replies].resp_retcode = PAM_SUCCESS;
reply[replies].resp = strdup(ai->user);
break;
case PAM_PROMPT_ECHO_OFF:
reply[replies].resp_retcode = PAM_SUCCESS;
reply[replies].resp = strdup(ai->pw);
break;
case PAM_ERROR_MSG:
case PAM_TEXT_INFO:
reply[replies].resp_retcode = PAM_SUCCESS;
reply[replies].resp = NULL;
break;
default:
free(reply);
return PAM_CONV_ERR;
}
}
*resp = reply;
return PAM_SUCCESS;
}
static int
_check_auth(uid_t id, const char *pw)
{
Authinfo ai;
struct passwd *pwent;
const char *user;
const char *prof;
const char *host;
struct stat st;
pam_handle_t *handle;
int pamerr;
struct pam_conv conv;
pwent = getpwuid(id);
if (!pwent) return -1;
user = pwent->pw_name;
if (!user) return -1;
host = "localhost";
prof = "login";
if (!stat("/etc/pam.d/enlightenment", &st)) prof = "enlightenment";
else if (!stat("/etc/pam.d/xscreensaver", &st)) prof = "xscreensaver";
else if (!stat("/etc/pam.d/kscreensaver", &st)) prof = "kscreensaver";
else if (!stat("/etc/pam.d/system-auth", &st)) prof = "system-auth";
else if (!stat("/etc/pam.d/system", &st)) prof = "system";
else if (!stat("/etc/pam.d/xdm", &st)) prof = "xdm";
else if (!stat("/etc/pam.d/gdm", &st)) prof = "gdm";
else if (!stat("/etc/pam.d/kdm", &st)) prof = "kdm";
ai.user = user;
ai.pw = pw;
conv.conv = _conv_cb;
conv.appdata_ptr = &ai;
if (pam_start(prof, user, &conv, &handle) != PAM_SUCCESS) return -1;
if (pam_set_item(handle, PAM_USER, user) != PAM_SUCCESS) return -1;
if (pam_set_item(handle, PAM_RHOST, host) != PAM_SUCCESS) return -1;
pamerr = pam_authenticate(handle, 0);
pam_end(handle, pamerr);
if (pamerr != PAM_SUCCESS) return -1;
return 0;
}
#else
static int
_check_auth(uid_t id, const char *pw)
{
return -1;
}
#endif
static int polkit_auth_ok = -1;
static void
polkit_agent_response(void *data EINA_UNUSED, const Eldbus_Message *msg,
Eldbus_Pending *pending EINA_UNUSED)
{
const char *name, *text;
ecore_main_loop_quit();
if (eldbus_message_error_get(msg, &name, &text))
{
fprintf(stderr, "AUTH: Could not respond to auth.\n %s:\n %s\n", name, text);
return;
}
polkit_auth_ok = 0;
fprintf(stderr, "AUTH: OK\n");
}
int
polkit_auth(const char *cookie, unsigned int auth_uid)
{
Eldbus_Connection *c;
Eldbus_Object *obj;
Eldbus_Proxy *proxy;
Eldbus_Message *m;
Eldbus_Message_Iter *iter, *subj, *array, *dict, *vari;
eina_init();
ecore_init();
eldbus_init();
c = eldbus_connection_get(ELDBUS_CONNECTION_TYPE_SYSTEM);
#define BARF(str) do { \
fprintf(stderr, "AUTH: POLKIT: %s\n", str); \
return -1; \
} while (0)
if (!c) BARF("Cannot get session dbus");
obj = eldbus_object_get(c, "org.freedesktop.PolicyKit1",
"/org/freedesktop/PolicyKit1/Authority");
if (!obj) BARF("Cannot get obj: org.freedesktop.PolicyKit1 /org/freedesktop/PolicyKit1/Authority");
proxy = eldbus_proxy_get(obj, "org.freedesktop.PolicyKit1.Authority");
if (!proxy) BARF("Cannot proxy: org.freedesktop.PolicyKit1.Authority");
m = eldbus_proxy_method_call_new(proxy, "AuthenticationAgentResponse2");
if (!m) BARF("Cannot get method call: AuthenticationAgentResponse2");
iter = eldbus_message_iter_get(m);
if (!iter) BARF("Cannot set iter on proxy");
if (!eldbus_message_iter_arguments_append(iter, "us", uid, cookie))
BARF("Cannot append 'us' args");
if (!eldbus_message_iter_arguments_append(iter, "(sa{sv})", &subj))
BARF("Cannot append '(sa{sv})' args");
if (!eldbus_message_iter_basic_append(subj, 's', "unix-user"))
BARF("Cannot append 's' arg for unix-user");
if (!eldbus_message_iter_arguments_append(subj, "a{sv}", &array))
BARF("Cannot append 'a{sv}' args");
if (!eldbus_message_iter_arguments_append(array, "{sv}", &dict))
BARF("Cannot append '{sv}' args");
if (!eldbus_message_iter_basic_append(dict, 's', "uid"))
BARF("Cannot append 's' arg for uid");
vari = eldbus_message_iter_container_new(dict, 'v', "u");
if (!vari)
BARF("Cannot create new iter container");
if (!eldbus_message_iter_basic_append(vari, 'u', auth_uid))
BARF("Cannot append 'u' arg for auth_uid");
eldbus_message_iter_container_close(dict, vari);
eldbus_message_iter_container_close(array, dict);
eldbus_message_iter_container_close(subj, array);
eldbus_message_iter_container_close(iter, subj);
eldbus_proxy_send(proxy, m, polkit_agent_response, NULL, -1);
ecore_main_loop_begin();
eldbus_connection_unref(c);
eldbus_shutdown();
ecore_shutdown();
eina_shutdown();
return polkit_auth_ok;
}
int
main(int argc, char **argv)
{
ssize_t rd;
char pw[4096], *p;
int polkit_mode = 0;
char polkit_cookie[4096];
unsigned int polkit_uid = 0;
if (argc < 2)
{
fprintf(stderr, "This is an internal tool for Enlightenment\n");
fprintf(stderr, "Options: pw | pk\n");
goto err;
}
if (!strcmp(argv[1], "pw")) polkit_mode = 0;
else if (!strcmp(argv[1], "pk")) polkit_mode = 1;
// read passwd from stdin
if (polkit_mode == 0)
{
rd = read(0, pw, 3);
if (rd != 3)
{
fprintf(stderr, "AUTH: Error. Can't read passwd preable\n");
goto err;
}
if (!((pw[0] == 'p') && (pw[1] == 'w') && (pw[2] == ' ')))
{
fprintf(stderr, "AUTH: Error. Preable is wrong\n");
goto err;
}
rd = read(0, pw, sizeof(pw) - 1);
if (rd < 0)
{
fprintf(stderr, "AUTH: Error. Can't read passwd on stdin\n");
goto err;
}
pw[rd] = 0;
for (p = pw; *p; p++)
{
if ((*p == '\r') || (*p == '\n'))
{
*p = 0;
break;
}
}
}
else if (polkit_mode == 1)
{
unsigned int pos = 0;
// read "cookie-string uid-string password...[\r|\n|EOF]"
for (;;) // cookie
{
rd = read(0, pw + pos, 1);
if (rd < 0)
{
fprintf(stderr, "AUTH: POLKIT: Error. Can't read polkit cookie on stdin\n");
goto err;
}
if (pw[pos] == ' ')
{
memcpy(polkit_cookie, pw, pos);
polkit_cookie[pos] = 0;
fprintf(stderr, "AUTH: POLKIT: [%s]\n", polkit_cookie);
pos = 0;
break;
}
else
{
pos++;
if (pos > 4000)
{
fprintf(stderr, "AUTH: POLKIT: Error. Polkit cookie too long\n");
return -10;
}
}
}
for (;;) // uid
{
rd = read(0, pw + pos, 1);
if (rd < 0)
{
fprintf(stderr, "AUTH: Error. Can't read polkit uid on stdin\n");
goto err;
}
if (pw[pos] == ' ')
{
pw[pos] = 0;
polkit_uid = atoi(pw);
fprintf(stderr, "AUTH: UID: [%u]\n", polkit_uid);
break;
}
else
{
pos++;
if (pos > 4000)
{
fprintf(stderr, "AUTH: Error. Polkit uid too long\n");
return -11;
}
}
}
// password
fprintf(stderr, "AUTH: readpass...\n");
rd = read(0, pw, sizeof(pw) - 1);
if (rd < 0)
{
fprintf(stderr, "AUTH: Error. Can't read passwd on stdin\n");
goto err;
}
pw[rd] = 0;
for (p = pw; *p; p++)
{
if ((*p == '\r') || (*p == '\n'))
{
*p = 0;
break;
}
}
}
// ok to fail - auth will just possibly fail then
e_setuid_setup(&uid, &gid, &user_name, &group_name);
if (_check_auth(polkit_mode ? polkit_uid : uid, pw) == 0)
{
fprintf(stderr, "AUTH: Password OK\n");
if (polkit_mode == 1)
{
if (polkit_auth(polkit_cookie, polkit_uid) == 0)
{
fprintf(stderr, "AUTH: Polkit AuthenticationAgentResponse2 success\n");
return 0;
}
fprintf(stderr, "AUTH: Polkit AuthenticationAgentResponse2 failure\n");
return -2;
}
return 0;
}
err:
fprintf(stderr, "AUTH: Password auth fail\n");
return -1;
}