xref: /openbsd/usr.bin/doas/doas.c (revision 9b7c3dbb) 
1 /* $OpenBSD: doas.c,v 1.60 2016/07/18 16:46:30 zhuk Exp $ */
2 /*
3  * Copyright (c) 2015 Ted Unangst <tedu@openbsd.org>
4  *
5  * Permission to use, copy, modify, and distribute this software for any
6  * purpose with or without fee is hereby granted, provided that the above
7  * copyright notice and this permission notice appear in all copies.
8  *
9  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16  */
17 
18 #include <sys/types.h>
19 #include <sys/stat.h>
20 
21 #include <limits.h>
22 #include <login_cap.h>
23 #include <bsd_auth.h>
24 #include <readpassphrase.h>
25 #include <string.h>
26 #include <stdio.h>
27 #include <stdlib.h>
28 #include <err.h>
29 #include <unistd.h>
30 #include <pwd.h>
31 #include <grp.h>
32 #include <syslog.h>
33 #include <errno.h>
34 
35 #include "doas.h"
36 
37 static void __dead
38 usage(void)
39 {
40 	fprintf(stderr, "usage: doas [-ns] [-a style] [-C config] [-u user]"
41 	    " command [args]\n");
42 	exit(1);
43 }
44 
45 size_t
46 arraylen(const char **arr)
47 {
48 	size_t cnt = 0;
49 
50 	while (*arr) {
51 		cnt++;
52 		arr++;
53 	}
54 	return cnt;
55 }
56 
57 static int
58 parseuid(const char *s, uid_t *uid)
59 {
60 	struct passwd *pw;
61 	const char *errstr;
62 
63 	if ((pw = getpwnam(s)) != NULL) {
64 		*uid = pw->pw_uid;
65 		return 0;
66 	}
67 	*uid = strtonum(s, 0, UID_MAX, &errstr);
68 	if (errstr)
69 		return -1;
70 	return 0;
71 }
72 
73 static int
74 uidcheck(const char *s, uid_t desired)
75 {
76 	uid_t uid;
77 
78 	if (parseuid(s, &uid) != 0)
79 		return -1;
80 	if (uid != desired)
81 		return -1;
82 	return 0;
83 }
84 
85 static int
86 parsegid(const char *s, gid_t *gid)
87 {
88 	struct group *gr;
89 	const char *errstr;
90 
91 	if ((gr = getgrnam(s)) != NULL) {
92 		*gid = gr->gr_gid;
93 		return 0;
94 	}
95 	*gid = strtonum(s, 0, GID_MAX, &errstr);
96 	if (errstr)
97 		return -1;
98 	return 0;
99 }
100 
101 static int
102 match(uid_t uid, gid_t *groups, int ngroups, uid_t target, const char *cmd,
103     const char **cmdargs, struct rule *r)
104 {
105 	int i;
106 
107 	if (r->ident[0] == ':') {
108 		gid_t rgid;
109 		if (parsegid(r->ident + 1, &rgid) == -1)
110 			return 0;
111 		for (i = 0; i < ngroups; i++) {
112 			if (rgid == groups[i])
113 				break;
114 		}
115 		if (i == ngroups)
116 			return 0;
117 	} else {
118 		if (uidcheck(r->ident, uid) != 0)
119 			return 0;
120 	}
121 	if (r->target && uidcheck(r->target, target) != 0)
122 		return 0;
123 	if (r->cmd) {
124 		if (strcmp(r->cmd, cmd))
125 			return 0;
126 		if (r->cmdargs) {
127 			/* if arguments were given, they should match explicitly */
128 			for (i = 0; r->cmdargs[i]; i++) {
129 				if (!cmdargs[i])
130 					return 0;
131 				if (strcmp(r->cmdargs[i], cmdargs[i]))
132 					return 0;
133 			}
134 			if (cmdargs[i])
135 				return 0;
136 		}
137 	}
138 	return 1;
139 }
140 
141 static int
142 permit(uid_t uid, gid_t *groups, int ngroups, struct rule **lastr,
143     uid_t target, const char *cmd, const char **cmdargs)
144 {
145 	int i;
146 
147 	*lastr = NULL;
148 	for (i = 0; i < nrules; i++) {
149 		if (match(uid, groups, ngroups, target, cmd,
150 		    cmdargs, rules[i]))
151 			*lastr = rules[i];
152 	}
153 	if (!*lastr)
154 		return 0;
155 	return (*lastr)->action == PERMIT;
156 }
157 
158 static void
159 parseconfig(const char *filename, int checkperms)
160 {
161 	extern FILE *yyfp;
162 	extern int yyparse(void);
163 	struct stat sb;
164 
165 	yyfp = fopen(filename, "r");
166 	if (!yyfp)
167 		err(1, checkperms ? "doas is not enabled, %s" :
168 		    "could not open config file %s", filename);
169 
170 	if (checkperms) {
171 		if (fstat(fileno(yyfp), &sb) != 0)
172 			err(1, "fstat(\"%s\")", filename);
173 		if ((sb.st_mode & (S_IWGRP|S_IWOTH)) != 0)
174 			errx(1, "%s is writable by group or other", filename);
175 		if (sb.st_uid != 0)
176 			errx(1, "%s is not owned by root", filename);
177 	}
178 
179 	yyparse();
180 	fclose(yyfp);
181 	if (parse_errors)
182 		exit(1);
183 }
184 
185 static void __dead
186 checkconfig(const char *confpath, int argc, char **argv,
187     uid_t uid, gid_t *groups, int ngroups, uid_t target)
188 {
189 	struct rule *rule;
190 
191 	setresuid(uid, uid, uid);
192 	parseconfig(confpath, 0);
193 	if (!argc)
194 		exit(0);
195 
196 	if (permit(uid, groups, ngroups, &rule, target, argv[0],
197 	    (const char **)argv + 1)) {
198 		printf("permit%s\n", (rule->options & NOPASS) ? " nopass" : "");
199 		exit(0);
200 	} else {
201 		printf("deny\n");
202 		exit(1);
203 	}
204 }
205 
206 int
207 main(int argc, char **argv)
208 {
209 	const char *safepath = "/bin:/sbin:/usr/bin:/usr/sbin:"
210 	    "/usr/local/bin:/usr/local/sbin";
211 	const char *confpath = NULL;
212 	char *shargv[] = { NULL, NULL };
213 	char *sh;
214 	const char *cmd;
215 	char cmdline[LINE_MAX];
216 	char myname[_PW_NAME_LEN + 1];
217 	struct passwd *pw;
218 	struct rule *rule;
219 	uid_t uid;
220 	uid_t target = 0;
221 	gid_t groups[NGROUPS_MAX + 1];
222 	int ngroups;
223 	int i, ch;
224 	int sflag = 0;
225 	int nflag = 0;
226 	char cwdpath[PATH_MAX];
227 	const char *cwd;
228 	char *login_style = NULL;
229 	char **envp;
230 
231 	setprogname("doas");
232 
233 	if (pledge("stdio rpath getpw tty recvfd proc exec id", NULL) == -1)
234 		err(1, "pledge");
235 
236 	closefrom(STDERR_FILENO + 1);
237 
238 	uid = getuid();
239 
240 	while ((ch = getopt(argc, argv, "a:C:nsu:")) != -1) {
241 		switch (ch) {
242 		case 'a':
243 			login_style = optarg;
244 			break;
245 		case 'C':
246 			confpath = optarg;
247 			break;
248 		case 'u':
249 			if (parseuid(optarg, &target) != 0)
250 				errx(1, "unknown user");
251 			break;
252 		case 'n':
253 			nflag = 1;
254 			break;
255 		case 's':
256 			sflag = 1;
257 			break;
258 		default:
259 			usage();
260 			break;
261 		}
262 	}
263 	argv += optind;
264 	argc -= optind;
265 
266 	if (confpath) {
267 		if (sflag)
268 			usage();
269 	} else if ((!sflag && !argc) || (sflag && argc))
270 		usage();
271 
272 	pw = getpwuid(uid);
273 	if (!pw)
274 		err(1, "getpwuid failed");
275 	if (strlcpy(myname, pw->pw_name, sizeof(myname)) >= sizeof(myname))
276 		errx(1, "pw_name too long");
277 	ngroups = getgroups(NGROUPS_MAX, groups);
278 	if (ngroups == -1)
279 		err(1, "can't get groups");
280 	groups[ngroups++] = getgid();
281 
282 	if (sflag) {
283 		sh = getenv("SHELL");
284 		if (sh == NULL || *sh == '\0') {
285 			shargv[0] = strdup(pw->pw_shell);
286 			if (shargv[0] == NULL)
287 				err(1, NULL);
288 		} else
289 			shargv[0] = sh;
290 		argv = shargv;
291 		argc = 1;
292 	}
293 
294 	if (confpath) {
295 		checkconfig(confpath, argc, argv, uid, groups, ngroups,
296 		    target);
297 		exit(1);	/* fail safe */
298 	}
299 
300 	parseconfig("/etc/doas.conf", 1);
301 
302 	/* cmdline is used only for logging, no need to abort on truncate */
303 	(void)strlcpy(cmdline, argv[0], sizeof(cmdline));
304 	for (i = 1; i < argc; i++) {
305 		if (strlcat(cmdline, " ", sizeof(cmdline)) >= sizeof(cmdline))
306 			break;
307 		if (strlcat(cmdline, argv[i], sizeof(cmdline)) >= sizeof(cmdline))
308 			break;
309 	}
310 
311 	cmd = argv[0];
312 	if (!permit(uid, groups, ngroups, &rule, target, cmd,
313 	    (const char **)argv + 1)) {
314 		syslog(LOG_AUTHPRIV | LOG_NOTICE,
315 		    "failed command for %s: %s", myname, cmdline);
316 		errc(1, EPERM, NULL);
317 	}
318 
319 	if (!(rule->options & NOPASS)) {
320 		char *challenge = NULL, *response, rbuf[1024], cbuf[128];
321 		auth_session_t *as;
322 
323 		if (nflag)
324 			errx(1, "Authorization required");
325 
326 		if (!(as = auth_userchallenge(myname, login_style, "auth-doas",
327 		    &challenge)))
328 			errx(1, "Authorization failed");
329 		if (!challenge) {
330 			char host[HOST_NAME_MAX + 1];
331 			if (gethostname(host, sizeof(host)))
332 				snprintf(host, sizeof(host), "?");
333 			snprintf(cbuf, sizeof(cbuf),
334 			    "\rdoas (%.32s@%.32s) password: ", myname, host);
335 			challenge = cbuf;
336 		}
337 		response = readpassphrase(challenge, rbuf, sizeof(rbuf),
338 		    RPP_REQUIRE_TTY);
339 		if (response == NULL && errno == ENOTTY) {
340 			syslog(LOG_AUTHPRIV | LOG_NOTICE,
341 			    "tty required for %s", myname);
342 			errx(1, "a tty is required");
343 		}
344 		if (!auth_userresponse(as, response, 0)) {
345 			syslog(LOG_AUTHPRIV | LOG_NOTICE,
346 			    "failed auth for %s", myname);
347 			errc(1, EPERM, NULL);
348 		}
349 		explicit_bzero(rbuf, sizeof(rbuf));
350 	}
351 
352 	if (pledge("stdio rpath getpw exec id", NULL) == -1)
353 		err(1, "pledge");
354 
355 	pw = getpwuid(target);
356 	if (!pw)
357 		errx(1, "no passwd entry for target");
358 
359 	if (setusercontext(NULL, pw, target, LOGIN_SETGROUP |
360 	    LOGIN_SETPRIORITY | LOGIN_SETRESOURCES | LOGIN_SETUMASK |
361 	    LOGIN_SETUSER) != 0)
362 		errx(1, "failed to set user context for target");
363 
364 	if (pledge("stdio rpath exec", NULL) == -1)
365 		err(1, "pledge");
366 
367 	if (getcwd(cwdpath, sizeof(cwdpath)) == NULL)
368 		cwd = "(failed)";
369 	else
370 		cwd = cwdpath;
371 
372 	if (pledge("stdio exec", NULL) == -1)
373 		err(1, "pledge");
374 
375 	syslog(LOG_AUTHPRIV | LOG_INFO, "%s ran command %s as %s from %s",
376 	    myname, cmdline, pw->pw_name, cwd);
377 
378 	envp = prepenv(rule);
379 
380 	if (rule->cmd) {
381 		if (setenv("PATH", safepath, 1) == -1)
382 			err(1, "failed to set PATH '%s'", safepath);
383 	}
384 	execvpe(cmd, argv, envp);
385 	if (errno == ENOENT)
386 		errx(1, "%s: command not found", cmd);
387 	err(1, "%s", cmd);
388 }
389