From: Todd C. Miller Date: Thu, 22 Jul 1999 19:48:27 +0000 (+0000) Subject: auth API change. There is now an init method that gets run before X-Git-Tag: SUDO_1_6_0~191 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=a1e0a8180ad9fa520efaa881851deda8d3066c07;p=sudo auth API change. There is now an init method that gets run before the main loop. This allows auth routines to differentiate between initialization that happens once vs. setup that needs to run each time through the loop. --- diff --git a/auth/fwtk.c b/auth/fwtk.c index 5f3693c13..9c8486d39 100644 --- a/auth/fwtk.c +++ b/auth/fwtk.c @@ -54,7 +54,7 @@ static const char rcsid[] = "$Sudo$"; #endif /* lint */ int -fwtk_setup(pw, promptp, data) +fwtk_init(pw, promptp, data) struct passwd *pw; char **promptp; void **data; @@ -62,9 +62,6 @@ fwtk_setup(pw, promptp, data) static Cfg *confp; /* Configuration entry struct */ char resp[128]; /* Response from the server */ - if (confp) - return(AUTH_SUCCESS); /* Already initialized */ - if ((confp = cfg_read("sudo")) == (Cfg *)-1) { (void) fprintf(stderr, "%s: cannot read fwtk config.\n", Argv[0]); return(AUTH_FATAL); diff --git a/auth/kerb4.c b/auth/kerb4.c index 4a4313a10..7d7b2864b 100644 --- a/auth/kerb4.c +++ b/auth/kerb4.c @@ -53,16 +53,13 @@ static const char rcsid[] = "$Sudo$"; #endif /* lint */ int -kerb4_setup(pw, promptp, data) +kerb4_init(pw, promptp, data) struct passwd *pw; char **promptp; void **data; { static char realm[REALM_SZ]; - if (*data) - return(AUTH_SUCCESS); /* Already initialized */ - /* Don't try to verify root */ if (pw->pw_uid == 0) return(AUTH_FAILURE); diff --git a/auth/kerb5.c b/auth/kerb5.c index 6dc788226..d89e7a859 100644 --- a/auth/kerb5.c +++ b/auth/kerb5.c @@ -62,7 +62,7 @@ static krb5_context sudo_context = NULL; static int verify_krb_v5_tgt __P((krb5_ccache)); int -kerb5_setup(pw, promptp, data) +kerb5_init(pw, promptp, data) struct passwd *pw; char **promptp; void **data; @@ -71,9 +71,6 @@ kerb5_setup(pw, promptp, data) krb5_error_code retval; extern int arg_prompt; - if (*data) - return(AUTH_SUCCESS); /* Already initialized */ - /* XXX - make these errors non-fatal for better fallback? */ if (retval = krb5_init_context(&sudo_context)) { /* XXX - how to map retval to error string? */ diff --git a/auth/pam.c b/auth/pam.c index e10f25c74..de695ec43 100644 --- a/auth/pam.c +++ b/auth/pam.c @@ -58,7 +58,7 @@ static int sudo_conv __P((int, PAM_CONST struct pam_message **, static char *def_prompt; int -pam_setup(pw, promptp, data) +pam_init(pw, promptp, data) struct passwd *pw; char **promptp; void **data; @@ -66,9 +66,6 @@ pam_setup(pw, promptp, data) static struct pam_conv pam_conv; pam_handle_t *pamh; - if (*data) - return(AUTH_SUCCESS); /* Already initialized */ - /* Initial PAM setup */ pam_conv.conv = sudo_conv; if (pam_start("sudo", pw->pw_name, &pam_conv, &pamh) != PAM_SUCCESS) { diff --git a/auth/rfc1938.c b/auth/rfc1938.c index 8c71ca580..03e8b81b2 100644 --- a/auth/rfc1938.c +++ b/auth/rfc1938.c @@ -106,7 +106,7 @@ rfc1938_setup(pw, promptp, data) #endif /* OTP_ONLY */ } - /* Get space for new prompt with embedded S/Key challenge */ + /* Get space for new prompt with embedded challenge */ if (np_size < op_len + strlen(challenge) + 7) { np_size = op_len + strlen(challenge) + 7; new_prompt = (char *) erealloc(new_prompt, np_size); diff --git a/auth/secureware.c b/auth/secureware.c index 35d82e369..c414c1e58 100644 --- a/auth/secureware.c +++ b/auth/secureware.c @@ -58,7 +58,7 @@ static const char rcsid[] = "$Sudo$"; #endif /* lint */ int -secureware_setup(pw, promptp, data) +secureware_init(pw, promptp, data) struct passwd *pw; char **promptp; void **data; diff --git a/auth/securid.c b/auth/securid.c index 7400b9399..ba408b81d 100644 --- a/auth/securid.c +++ b/auth/securid.c @@ -60,6 +60,17 @@ static const char rcsid[] = "$Sudo$"; union config_record configure; +int +securid_init(pw, promptp, data) + struct passwd *pw; + char **promptp; + void **data; +{ + + creadcfg(); /* Only read config file once */ + return(AUTH_SUCCESS); +} + int securid_setup(pw, promptp, data) struct passwd *pw; @@ -68,10 +79,7 @@ securid_setup(pw, promptp, data) { static SD_CLIENT sd_dat; /* SecurID data block */ - if (!*data) - creadcfg(); /* Only read config file once */ - - /* Initialize SecurID every time. */ + /* Re-initialize SecurID every time. */ *data = &sd_dat; if (sd_init(sd) == 0) return(AUTH_SUCCESS); diff --git a/auth/sudo_auth.c b/auth/sudo_auth.c index 3f854bac5..9e325ac7d 100644 --- a/auth/sudo_auth.c +++ b/auth/sudo_auth.c @@ -59,25 +59,25 @@ sudo_auth auth_switch[] = { AUTH_STANDALONE #else # ifndef WITHOUT_PASSWD - AUTH_ENTRY(0, "passwd", NULL, passwd_verify, NULL) + AUTH_ENTRY(0, "passwd", NULL, NULL, passwd_verify, NULL) # endif # if defined(HAVE_SECUREWARE) && !defined(WITHOUT_PASSWD) - AUTH_ENTRY(0, "secureware", secureware_setup, secureware_verify, NULL) + AUTH_ENTRY(0, "secureware", secureware_init, NULL, secureware_verify, NULL) # endif # ifdef HAVE_AFS - AUTH_ENTRY(1, "afs", NULL, afs_verify, NULL) + AUTH_ENTRY(1, "afs", NULL, NULL, afs_verify, NULL) # endif # ifdef HAVE_KERB4 - AUTH_ENTRY(1, "kerb4", kerb4_setup, kerb4_verify, NULL) + AUTH_ENTRY(1, "kerb4", kerb4_init, NULL, kerb4_verify, NULL) # endif # ifdef HAVE_KERB5 - AUTH_ENTRY(1, "kerb5", kerb5_setup, kerb5_verify, NULL) + AUTH_ENTRY(1, "kerb5", kerb5_init, NULL, kerb5_verify, NULL) # endif # if defined(HAVE_SKEY) || defined(HAVE_OPIE) - AUTH_ENTRY(1, "skey", rfc1938_setup, rfc1938_verify, NULL) + AUTH_ENTRY(1, "rfc1938", NULL, rfc1938_setup, rfc1938_verify, NULL) # endif #endif /* AUTH_STANDALONE */ - AUTH_ENTRY(0, NULL, NULL, NULL, NULL) + AUTH_ENTRY(0, NULL, NULL, NULL, NULL, NULL) }; int nil_pw; /* I hate resorting to globals like this... */ @@ -90,6 +90,23 @@ verify_user() char *p; sudo_auth *auth; + /* Initialize auth methods and unconfigure the method if necessary. */ + for (auth = auth_switch; auth->name; auth++) { + if (auth->init && auth->configured) { + if (auth->need_root) + set_perms(PERM_ROOT, 0); + + status = (auth->init)(sudo_user.pw, &user_prompt, &auth->data); + if (status == AUTH_FAILURE) + auth->configured = 0; + else if (status == AUTH_FATAL) /* XXX log */ + exit(1); /* assume error msg already printed */ + + if (auth->need_root) + set_perms(PERM_USER, 0); + } + } + while (--counter) { /* Do any per-method setup and unconfigure the method if needed */ for (auth = auth_switch; auth->name; auth++) { diff --git a/auth/sudo_auth.h b/auth/sudo_auth.h index 42a7e4269..3c949d696 100644 --- a/auth/sudo_auth.h +++ b/auth/sudo_auth.h @@ -40,16 +40,17 @@ typedef struct sudo_auth { int status; /* status from verify routine */ char *name; void *data; /* method-specific data pointer */ + int (*init) __P((struct passwd *pw, char **prompt, void **data)); int (*setup) __P((struct passwd *pw, char **prompt, void **data)); int (*verify) __P((struct passwd *pw, char *p, void **data)); int (*cleanup) __P((struct passwd *pw, int status, void **data)); } sudo_auth; /* Prototypes for standalone methods */ -int fwtk_setup __P((struct passwd *pw, char **prompt, void **data)); +int fwtk_init __P((struct passwd *pw, char **prompt, void **data)); int fwtk_verify __P((struct passwd *pw, char *prompt, void **data)); int fwtk_cleanup __P((struct passwd *pw, int status, void **data)); -int pam_setup __P((struct passwd *pw, char **prompt, void **data)); +int pam_init __P((struct passwd *pw, char **prompt, void **data)); int pam_verify __P((struct passwd *pw, char *prompt, void **data)); int pam_cleanup __P((struct passwd *pw, int status, void **data)); int sia_setup __P((struct passwd *pw, char **prompt, void **data)); @@ -60,41 +61,44 @@ int dce_verify __P((struct passwd *pw, char *pass, void **data)); /* Prototypes for normal methods */ int passwd_verify __P((struct passwd *pw, char *pass, void **data)); -int secureware_setup __P((struct passwd *pw, char **prompt, void **data)); +int secureware_init __P((struct passwd *pw, char **prompt, void **data)); int secureware_verify __P((struct passwd *pw, char *pass, void **data)); int rfc1938_setup __P((struct passwd *pw, char **prompt, void **data)); int rfc1938_verify __P((struct passwd *pw, char *pass, void **data)); int afs_verify __P((struct passwd *pw, char *pass, void **data)); -int kerb4_setup __P((struct passwd *pw, char **prompt, void **data)); +int kerb4_init __P((struct passwd *pw, char **prompt, void **data)); int kerb4_verify __P((struct passwd *pw, char *pass, void **data)); -int kerb5_setup __P((struct passwd *pw, char **prompt, void **data)); +int kerb5_init __P((struct passwd *pw, char **prompt, void **data)); int kerb5_verify __P((struct passwd *pw, char *pass, void **data)); +int securid_init __P((struct passwd *pw, char **prompt, void **data)); +int securid_setup __P((struct passwd *pw, char **prompt, void **data)); +int securid_verify __P((struct passwd *pw, char *pass, void **data)); -/* Fields: need_root, name, setup, verify, cleanup */ -#define AUTH_ENTRY(r, n, s, v, c) { r, 1, AUTH_FAILURE, n, NULL, s, v, c }, +/* Fields: need_root, name, init, setup, verify, cleanup */ +#define AUTH_ENTRY(r, n, i, s, v, c) { r, 1, AUTH_FAILURE, n, NULL, i, s, v, c }, /* Some methods cannots (or should not) interoperate with any others */ #if defined(HAVE_PAM) # define AUTH_STANDALONE \ - AUTH_ENTRY(1, "pam", pam_setup, pam_verify, pam_cleanup) + AUTH_ENTRY(1, "pam", pam_init, NULL, pam_verify, pam_cleanup) #elif defined(HAVE_SECURID) # define AUTH_STANDALONE \ - AUTH_ENTRY(1, "SecurId", securid_setup, securid_verify, NULL) + AUTH_ENTRY(1, "SecurId", securid_init, securid_setup, securid_verify, NULL) #elif defined(HAVE_SIA) # define AUTH_STANDALONE \ - AUTH_ENTRY(1, "sia", sia_setup, sia_verify, sia_cleanup) + AUTH_ENTRY(1, "sia", NULL, sia_setup, sia_verify, sia_cleanup) #elif defined(HAVE_DCE) # define AUTH_STANDALONE \ - AUTH_ENTRY(1, "dce", NULL, dce_verify, NULL) + AUTH_ENTRY(1, "dce", NULL, NULL, dce_verify, NULL) #elif defined(HAVE_AUTHENTICATE) # define AUTH_STANDALONE \ - AUTH_ENTRY(1, "aixauth", NULL, aixauth_verify, NULL) + AUTH_ENTRY(1, "aixauth", NULL, NULL, aixauth_verify, NULL) #elif defined(HAVE_FWTK) # define AUTH_STANDALONE \ - AUTH_ENTRY(1, "fwtk", fwtk_setup, fwtk_verify, fwtk_cleanup) + AUTH_ENTRY(1, "fwtk", fwtk_init, NULL, fwtk_verify, fwtk_cleanup) #elif defined(OTP_ONLY) && (defined(HAVE_SKEY) || defined(HAVE_OPIE)) # define AUTH_STANDALONE \ - AUTH_ENTRY(1, "rfc1938", rfc1938_setup, rfc1938_verify, NULL) + AUTH_ENTRY(1, "rfc1938", NULL, rfc1938_setup, rfc1938_verify, NULL) # define AUTH_STANDALONE_GETPASS #endif