auth API change. There is now an init method that gets run before

the main loop.  This allows auth routines to differentiate between
initialization that happens once vs. setup that needs to run each time
through the loop.

diff --git a/auth/fwtk.c b/auth/fwtk.c
index 5f3693c135845a57f42b638424a064871e68c5f0..9c8486d3916cb17fd0f86eac2ace9193affa71c7 100644 (file)
--- a/auth/fwtk.c
+++ b/auth/fwtk.c
@@ -54,7 +54,7 @@ static const char rcsid[] = "$Sudo$";
 #endif /* lint */
 
 int
-fwtk_setup(pw, promptp, data)
+fwtk_init(pw, promptp, data)
     struct passwd *pw;
     char **promptp;
     void **data;
@@ -62,9 +62,6 @@ fwtk_setup(pw, promptp, data)
     static Cfg *confp;                 /* Configuration entry struct */
     char resp[128];                    /* Response from the server */
 
-    if (confp)
-       return(AUTH_SUCCESS);           /* Already initialized */
-
     if ((confp = cfg_read("sudo")) == (Cfg *)-1) {
        (void) fprintf(stderr, "%s: cannot read fwtk config.\n", Argv[0]);
        return(AUTH_FATAL);

diff --git a/auth/kerb4.c b/auth/kerb4.c
index 4a4313a1042581f32d98e5fc64f8d4930042c281..7d7b2864b1b8d630b563ba957e53b5b6499a6ab1 100644 (file)
--- a/auth/kerb4.c
+++ b/auth/kerb4.c
@@ -53,16 +53,13 @@ static const char rcsid[] = "$Sudo$";
 #endif /* lint */
 
 int
-kerb4_setup(pw, promptp, data)
+kerb4_init(pw, promptp, data)
     struct passwd *pw;
     char **promptp;
     void **data;
 {
     static char realm[REALM_SZ];
 
-    if (*data)
-       return(AUTH_SUCCESS);           /* Already initialized */
-
     /* Don't try to verify root */
     if (pw->pw_uid == 0)
        return(AUTH_FAILURE);

diff --git a/auth/kerb5.c b/auth/kerb5.c
index 6dc7882263ec3f06dc50afc84b3f0a85a3c496b5..d89e7a85906ee1dcc3caf919c6f69786700d44bc 100644 (file)
--- a/auth/kerb5.c
+++ b/auth/kerb5.c
@@ -62,7 +62,7 @@ static krb5_context sudo_context = NULL;
 static int verify_krb_v5_tgt __P((krb5_ccache));
 
 int
-kerb5_setup(pw, promptp, data)
+kerb5_init(pw, promptp, data)
     struct passwd *pw;
     char **promptp;
     void **data;
@@ -71,9 +71,6 @@ kerb5_setup(pw, promptp, data)
     krb5_error_code retval;
     extern int arg_prompt;
 
-    if (*data)
-       return(AUTH_SUCCESS);           /* Already initialized */
-
     /* XXX - make these errors non-fatal for better fallback? */
     if (retval = krb5_init_context(&sudo_context)) {
        /* XXX - how to map retval to error string? */

diff --git a/auth/pam.c b/auth/pam.c
index e10f25c74ee1385d554cd7f5724d9ece7e226801..de695ec439a1f4d9b7692c6e7a27b9811e2693d3 100644 (file)
--- a/auth/pam.c
+++ b/auth/pam.c
@@ -58,7 +58,7 @@ static int sudo_conv __P((int, PAM_CONST struct pam_message **,
 static char *def_prompt;
 
 int
-pam_setup(pw, promptp, data)
+pam_init(pw, promptp, data)
     struct passwd *pw;
     char **promptp;
     void **data;
@@ -66,9 +66,6 @@ pam_setup(pw, promptp, data)
     static struct pam_conv pam_conv;
     pam_handle_t *pamh;
 
-    if (*data)
-       return(AUTH_SUCCESS);           /* Already initialized */
-
     /* Initial PAM setup */
     pam_conv.conv = sudo_conv;
     if (pam_start("sudo", pw->pw_name, &pam_conv, &pamh) != PAM_SUCCESS) {

diff --git a/auth/rfc1938.c b/auth/rfc1938.c
index 8c71ca5807cf7720c598958ee8fda197f736b837..03e8b81b25f535d9f5321c8bcdfef2e4f4308fbe 100644 (file)
--- a/auth/rfc1938.c
+++ b/auth/rfc1938.c
@@ -106,7 +106,7 @@ rfc1938_setup(pw, promptp, data)
 #endif /* OTP_ONLY */
     }
 
-    /* Get space for new prompt with embedded S/Key challenge */
+    /* Get space for new prompt with embedded challenge */
     if (np_size < op_len + strlen(challenge) + 7) {
        np_size = op_len + strlen(challenge) + 7;
        new_prompt = (char *) erealloc(new_prompt, np_size);

diff --git a/auth/secureware.c b/auth/secureware.c
index 35d82e3696b196974cc978d2a7121c596b927010..c414c1e58836090defd62249405a1e4fc59d6126 100644 (file)
--- a/auth/secureware.c
+++ b/auth/secureware.c
@@ -58,7 +58,7 @@ static const char rcsid[] = "$Sudo$";
 #endif /* lint */
 
 int
-secureware_setup(pw, promptp, data)
+secureware_init(pw, promptp, data)
     struct passwd *pw;
     char **promptp;
     void **data;

diff --git a/auth/securid.c b/auth/securid.c
index 7400b93993092b4be865b9b0828a95038e786532..ba408b81dacd978083e8be7e28566a190ba5676d 100644 (file)
--- a/auth/securid.c
+++ b/auth/securid.c
@@ -60,6 +60,17 @@ static const char rcsid[] = "$Sudo$";
 
 union config_record configure;
 
+int
+securid_init(pw, promptp, data)
+    struct passwd *pw;
+    char **promptp;
+    void **data;
+{
+
+    creadcfg();                                        /* Only read config file once */
+    return(AUTH_SUCCESS);
+}
+
 int
 securid_setup(pw, promptp, data)
     struct passwd *pw;
@@ -68,10 +79,7 @@ securid_setup(pw, promptp, data)
 {
     static SD_CLIENT sd_dat;                   /* SecurID data block */
 
-    if (!*data)
-       creadcfg();                             /* Only read config file once */
-
-    /* Initialize SecurID every time. */
+    /* Re-initialize SecurID every time. */
     *data = &sd_dat;
     if (sd_init(sd) == 0)
        return(AUTH_SUCCESS);

diff --git a/auth/sudo_auth.c b/auth/sudo_auth.c
index 3f854bac5d14ea3c7170146379c80860d0be2cd8..9e325ac7dbfc4cd6dd050fa1ca9a2def835844e5 100644 (file)
--- a/auth/sudo_auth.c
+++ b/auth/sudo_auth.c
@@ -59,25 +59,25 @@ sudo_auth auth_switch[] = {
     AUTH_STANDALONE
 #else
 #  ifndef WITHOUT_PASSWD
-    AUTH_ENTRY(0, "passwd", NULL, passwd_verify, NULL)
+    AUTH_ENTRY(0, "passwd", NULL, NULL, passwd_verify, NULL)
 #  endif
 #  if defined(HAVE_SECUREWARE) && !defined(WITHOUT_PASSWD)
-    AUTH_ENTRY(0, "secureware", secureware_setup, secureware_verify, NULL)
+    AUTH_ENTRY(0, "secureware", secureware_init, NULL, secureware_verify, NULL)
 #  endif
 #  ifdef HAVE_AFS
-    AUTH_ENTRY(1, "afs", NULL, afs_verify, NULL)
+    AUTH_ENTRY(1, "afs", NULL, NULL, afs_verify, NULL)
 #  endif
 #  ifdef HAVE_KERB4
-    AUTH_ENTRY(1, "kerb4", kerb4_setup, kerb4_verify, NULL)
+    AUTH_ENTRY(1, "kerb4", kerb4_init, NULL, kerb4_verify, NULL)
 #  endif
 #  ifdef HAVE_KERB5
-    AUTH_ENTRY(1, "kerb5", kerb5_setup, kerb5_verify, NULL)
+    AUTH_ENTRY(1, "kerb5", kerb5_init, NULL, kerb5_verify, NULL)
 #  endif
 #  if defined(HAVE_SKEY)  || defined(HAVE_OPIE)
-    AUTH_ENTRY(1, "skey", rfc1938_setup, rfc1938_verify, NULL)
+    AUTH_ENTRY(1, "rfc1938", NULL, rfc1938_setup, rfc1938_verify, NULL)
 #  endif
 #endif /* AUTH_STANDALONE */
-    AUTH_ENTRY(0, NULL, NULL, NULL, NULL)
+    AUTH_ENTRY(0, NULL, NULL, NULL, NULL, NULL)
 };
 
 int nil_pw;            /* I hate resorting to globals like this... */
@@ -90,6 +90,23 @@ verify_user()
     char *p;
     sudo_auth *auth;
 
+    /* Initialize auth methods and unconfigure the method if necessary. */
+    for (auth = auth_switch; auth->name; auth++) {
+       if (auth->init && auth->configured) {
+           if (auth->need_root)
+               set_perms(PERM_ROOT, 0);
+
+           status = (auth->init)(sudo_user.pw, &user_prompt, &auth->data);
+           if (status == AUTH_FAILURE)
+               auth->configured = 0;
+           else if (status == AUTH_FATAL)      /* XXX log */
+               exit(1);                /* assume error msg already printed */
+
+           if (auth->need_root)
+               set_perms(PERM_USER, 0);
+       }
+    }
+
     while (--counter) {
        /* Do any per-method setup and unconfigure the method if needed */
        for (auth = auth_switch; auth->name; auth++) {

diff --git a/auth/sudo_auth.h b/auth/sudo_auth.h
index 42a7e426959c75ead541fd6e0d6287c93eb3e29d..3c949d696a703b810402c28ae6f49462f651ea08 100644 (file)
--- a/auth/sudo_auth.h
+++ b/auth/sudo_auth.h
@@ -40,16 +40,17 @@ typedef struct sudo_auth {
     int status;                        /* status from verify routine */
     char *name;
     void *data;                        /* method-specific data pointer */
+    int (*init) __P((struct passwd *pw, char **prompt, void **data));
     int (*setup) __P((struct passwd *pw, char **prompt, void **data));
     int (*verify) __P((struct passwd *pw, char *p, void **data));
     int (*cleanup) __P((struct passwd *pw, int status, void **data));
 } sudo_auth;
 
 /* Prototypes for standalone methods */
-int fwtk_setup __P((struct passwd *pw, char **prompt, void **data));
+int fwtk_init __P((struct passwd *pw, char **prompt, void **data));
 int fwtk_verify __P((struct passwd *pw, char *prompt, void **data));
 int fwtk_cleanup __P((struct passwd *pw, int status, void **data));
-int pam_setup __P((struct passwd *pw, char **prompt, void **data));
+int pam_init __P((struct passwd *pw, char **prompt, void **data));
 int pam_verify __P((struct passwd *pw, char *prompt, void **data));
 int pam_cleanup __P((struct passwd *pw, int status, void **data));
 int sia_setup __P((struct passwd *pw, char **prompt, void **data));
@@ -60,41 +61,44 @@ int dce_verify __P((struct passwd *pw, char *pass, void **data));
 
 /* Prototypes for normal methods */
 int passwd_verify __P((struct passwd *pw, char *pass, void **data));
-int secureware_setup __P((struct passwd *pw, char **prompt, void **data));
+int secureware_init __P((struct passwd *pw, char **prompt, void **data));
 int secureware_verify __P((struct passwd *pw, char *pass, void **data));
 int rfc1938_setup __P((struct passwd *pw, char **prompt, void **data));
 int rfc1938_verify __P((struct passwd *pw, char *pass, void **data));
 int afs_verify __P((struct passwd *pw, char *pass, void **data));
-int kerb4_setup __P((struct passwd *pw, char **prompt, void **data));
+int kerb4_init __P((struct passwd *pw, char **prompt, void **data));
 int kerb4_verify __P((struct passwd *pw, char *pass, void **data));
-int kerb5_setup __P((struct passwd *pw, char **prompt, void **data));
+int kerb5_init __P((struct passwd *pw, char **prompt, void **data));
 int kerb5_verify __P((struct passwd *pw, char *pass, void **data));
+int securid_init __P((struct passwd *pw, char **prompt, void **data));
+int securid_setup __P((struct passwd *pw, char **prompt, void **data));
+int securid_verify __P((struct passwd *pw, char *pass, void **data));
 
-/* Fields: need_root, name, setup, verify, cleanup */
-#define AUTH_ENTRY(r, n, s, v, c) { r, 1, AUTH_FAILURE, n, NULL, s, v, c },
+/* Fields: need_root, name, init, setup, verify, cleanup */
+#define AUTH_ENTRY(r, n, i, s, v, c) { r, 1, AUTH_FAILURE, n, NULL, i, s, v, c },
 
 /* Some methods cannots (or should not) interoperate with any others */
 #if defined(HAVE_PAM)
 #  define AUTH_STANDALONE \
-       AUTH_ENTRY(1, "pam", pam_setup, pam_verify, pam_cleanup)
+       AUTH_ENTRY(1, "pam", pam_init, NULL, pam_verify, pam_cleanup)
 #elif defined(HAVE_SECURID)
 #  define AUTH_STANDALONE \
-       AUTH_ENTRY(1, "SecurId", securid_setup, securid_verify, NULL)
+       AUTH_ENTRY(1, "SecurId", securid_init, securid_setup, securid_verify, NULL)
 #elif defined(HAVE_SIA)
 #  define AUTH_STANDALONE \
-       AUTH_ENTRY(1, "sia", sia_setup, sia_verify, sia_cleanup)
+       AUTH_ENTRY(1, "sia", NULL, sia_setup, sia_verify, sia_cleanup)
 #elif defined(HAVE_DCE)
 #  define AUTH_STANDALONE \
-       AUTH_ENTRY(1, "dce", NULL, dce_verify, NULL)
+       AUTH_ENTRY(1, "dce", NULL, NULL, dce_verify, NULL)
 #elif defined(HAVE_AUTHENTICATE)
 #  define AUTH_STANDALONE \
-       AUTH_ENTRY(1, "aixauth", NULL, aixauth_verify, NULL)
+       AUTH_ENTRY(1, "aixauth", NULL, NULL, aixauth_verify, NULL)
 #elif defined(HAVE_FWTK)
 #  define AUTH_STANDALONE \
-       AUTH_ENTRY(1, "fwtk", fwtk_setup, fwtk_verify, fwtk_cleanup)
+       AUTH_ENTRY(1, "fwtk", fwtk_init, NULL, fwtk_verify, fwtk_cleanup)
 #elif defined(OTP_ONLY) && (defined(HAVE_SKEY) || defined(HAVE_OPIE))
 #  define AUTH_STANDALONE \
-       AUTH_ENTRY(1, "rfc1938", rfc1938_setup, rfc1938_verify, NULL)
+       AUTH_ENTRY(1, "rfc1938", NULL, rfc1938_setup, rfc1938_verify, NULL)
 #  define AUTH_STANDALONE_GETPASS
 #endif