1 /* $OpenBSD: lock.c,v 1.33 2016/05/28 16:11:10 tedu Exp $ */ 2 /* $NetBSD: lock.c,v 1.8 1996/05/07 18:32:31 jtc Exp $ */ 3 4 /* 5 * Copyright (c) 1980, 1987, 1993 6 * The Regents of the University of California. All rights reserved. 7 * 8 * This code is derived from software contributed to Berkeley by 9 * Bob Toxen. 10 * 11 * Redistribution and use in source and binary forms, with or without 12 * modification, are permitted provided that the following conditions 13 * are met: 14 * 1. Redistributions of source code must retain the above copyright 15 * notice, this list of conditions and the following disclaimer. 16 * 2. Redistributions in binary form must reproduce the above copyright 17 * notice, this list of conditions and the following disclaimer in the 18 * documentation and/or other materials provided with the distribution. 19 * 3. Neither the name of the University nor the names of its contributors 20 * may be used to endorse or promote products derived from this software 21 * without specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 33 * SUCH DAMAGE. 34 */ 35 36 /* 37 * Lock a terminal up until the given key is entered, until the root 38 * password is entered, or the given interval times out. 39 * 40 * Timeout interval is by default TIMEOUT, it can be changed with 41 * an argument of the form -time where time is in minutes 42 */ 43 44 #include <sys/stat.h> 45 #include <sys/time.h> 46 #include <signal.h> 47 48 #include <ctype.h> 49 #include <err.h> 50 #include <pwd.h> 51 #include <readpassphrase.h> 52 #include <stdio.h> 53 #include <stdlib.h> 54 #include <string.h> 55 #include <termios.h> 56 #include <unistd.h> 57 #include <limits.h> 58 59 #include <login_cap.h> 60 #include <bsd_auth.h> 61 62 #define TIMEOUT 15 63 64 void bye(int); 65 void hi(int); 66 67 struct timeval timeout; 68 struct timeval zerotime; 69 time_t nexttime; /* keep the timeout time */ 70 int no_timeout; /* lock terminal forever */ 71 72 extern char *__progname; 73 74 /*ARGSUSED*/ 75 int 76 main(int argc, char *argv[]) 77 { 78 char hostname[HOST_NAME_MAX+1], s[BUFSIZ], s1[BUFSIZ], date[256]; 79 char *p, *style, *nstyle, *ttynam; 80 struct itimerval ntimer, otimer; 81 int ch, sectimeout, usemine, cnt, tries = 10, backoff = 3; 82 const char *errstr; 83 struct passwd *pw; 84 struct tm *timp; 85 time_t curtime; 86 login_cap_t *lc; 87 88 sectimeout = TIMEOUT; 89 style = NULL; 90 usemine = 0; 91 no_timeout = 0; 92 93 if (pledge("stdio rpath wpath getpw tty proc exec", NULL) == -1) 94 err(1, "pledge"); 95 96 if (!(pw = getpwuid(getuid()))) 97 errx(1, "unknown uid %u.", getuid()); 98 99 lc = login_getclass(pw->pw_class); 100 if (lc != NULL) { 101 /* 102 * We allow "login-tries" attempts to login but start 103 * slowing down after "login-backoff" attempts. 104 */ 105 tries = (int)login_getcapnum(lc, "login-tries", 10, 10); 106 backoff = (int)login_getcapnum(lc, "login-backoff", 3, 3); 107 } 108 109 while ((ch = getopt(argc, argv, "a:npt:")) != -1) { 110 switch (ch) { 111 case 'a': 112 if (lc) { 113 style = login_getstyle(lc, optarg, "auth-lock"); 114 if (style == NULL) 115 errx(1, 116 "invalid authentication style: %s", 117 optarg); 118 } 119 usemine = 1; 120 break; 121 case 't': 122 sectimeout = (int)strtonum(optarg, 1, INT_MAX, &errstr); 123 if (errstr) 124 errx(1, "timeout %s: %s", errstr, optarg); 125 break; 126 case 'p': 127 usemine = 1; 128 break; 129 case 'n': 130 no_timeout = 1; 131 break; 132 default: 133 (void)fprintf(stderr, 134 "usage: %s [-np] [-a style] [-t timeout]\n", 135 __progname); 136 exit(1); 137 } 138 } 139 timeout.tv_sec = sectimeout * 60; 140 141 gethostname(hostname, sizeof(hostname)); 142 if (usemine && lc == NULL) 143 errx(1, "login class not found"); 144 if (!(ttynam = ttyname(STDIN_FILENO))) 145 errx(1, "not a terminal?"); 146 curtime = time(NULL); 147 nexttime = curtime + (sectimeout * 60); 148 timp = localtime(&curtime); 149 strftime(date, sizeof(date), "%c", timp); 150 151 if (!usemine) { 152 /* get key and check again */ 153 if (!readpassphrase("Key: ", s, sizeof(s), RPP_ECHO_OFF) || 154 *s == '\0') 155 exit(0); 156 /* 157 * Don't need EOF test here, if we get EOF, then s1 != s 158 * and the right things will happen. 159 */ 160 (void)readpassphrase("Again: ", s1, sizeof(s1), RPP_ECHO_OFF); 161 if (strcmp(s1, s)) { 162 warnx("\apasswords didn't match."); 163 exit(1); 164 } 165 s[0] = '\0'; 166 } 167 168 /* set signal handlers */ 169 (void)signal(SIGINT, hi); 170 (void)signal(SIGQUIT, hi); 171 (void)signal(SIGTSTP, hi); 172 (void)signal(SIGALRM, bye); 173 174 ntimer.it_interval = zerotime; 175 ntimer.it_value = timeout; 176 if (!no_timeout) 177 setitimer(ITIMER_REAL, &ntimer, &otimer); 178 179 /* header info */ 180 if (no_timeout) { 181 (void)fprintf(stderr, 182 "%s: %s on %s. no timeout\ntime now is %s\n", 183 __progname, ttynam, hostname, date); 184 } else { 185 (void)fprintf(stderr, 186 "%s: %s on %s. timeout in %d minutes\ntime now is %s\n", 187 __progname, ttynam, hostname, sectimeout, date); 188 } 189 190 for (cnt = 0;;) { 191 if (!readpassphrase("Key: ", s, sizeof(s), RPP_ECHO_OFF) || 192 *s == '\0') { 193 hi(0); 194 continue; 195 } 196 if (usemine) { 197 /* 198 * If user entered 's/key' or the style specified via 199 * the '-a' argument, auth_userokay() will prompt 200 * for a new password. Otherwise, use what we have. 201 */ 202 if ((strcmp(s, "s/key") == 0 && 203 (nstyle = login_getstyle(lc, "skey", "auth-lock"))) 204 || ((nstyle = style) && strcmp(s, nstyle) == 0)) 205 p = NULL; 206 else 207 p = s; 208 if (auth_userokay(pw->pw_name, nstyle, "auth-lock", p)) 209 break; 210 } else if (strcmp(s, s1) == 0) 211 break; 212 (void)putc('\a', stderr); 213 cnt %= tries; 214 if (++cnt > backoff) { 215 sigset_t set, oset; 216 sigfillset(&set); 217 sigprocmask(SIG_BLOCK, &set, &oset); 218 sleep((u_int)((cnt - backoff) * tries / 2)); 219 sigprocmask(SIG_SETMASK, &oset, NULL); 220 } 221 } 222 223 exit(0); 224 } 225 226 /*ARGSUSED*/ 227 void 228 hi(int signo) 229 { 230 char buf[1024], buf2[1024]; 231 time_t left; 232 233 if (no_timeout) 234 buf2[0] = '\0'; 235 else { 236 left = nexttime - time(NULL); 237 (void)snprintf(buf2, sizeof buf2, " timeout in %lld:%d minutes", 238 (long long)(left / 60), (int)(left % 60)); 239 } 240 (void)snprintf(buf, sizeof buf, "%s: type in the unlock key.%s\n", 241 __progname, buf2); 242 (void) write(STDERR_FILENO, buf, strlen(buf)); 243 } 244 245 /*ARGSUSED*/ 246 void 247 bye(int signo) 248 { 249 250 if (!no_timeout) 251 warnx("timeout"); 252 _exit(1); 253 } 254