1 /* $NetBSD: lock.c,v 1.31 2008/12/29 01:26:46 christos Exp $ */ 2 3 /* 4 * Copyright (c) 1980, 1987, 1993 5 * The Regents of the University of California. All rights reserved. 6 * 7 * This code is derived from software contributed to Berkeley by 8 * Bob Toxen. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 3. Neither the name of the University nor the names of its contributors 19 * may be used to endorse or promote products derived from this software 20 * without specific prior written permission. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32 * SUCH DAMAGE. 33 */ 34 35 #include <sys/cdefs.h> 36 #ifndef lint 37 __COPYRIGHT("@(#) Copyright (c) 1980, 1987, 1993\ 38 The Regents of the University of California. All rights reserved."); 39 #endif /* not lint */ 40 41 #ifndef lint 42 #if 0 43 static char sccsid[] = "@(#)lock.c 8.1 (Berkeley) 6/6/93"; 44 #endif 45 __RCSID("$NetBSD: lock.c,v 1.31 2008/12/29 01:26:46 christos Exp $"); 46 #endif /* not lint */ 47 48 /* 49 * Lock a terminal up until the given key is entered, until the root 50 * password is entered, or the given interval times out. 51 * 52 * Timeout interval is by default TIMEOUT, it can be changed with 53 * an argument of the form -time where time is in minutes 54 */ 55 56 #include <sys/param.h> 57 #include <sys/stat.h> 58 #include <sys/time.h> 59 #include <signal.h> 60 61 #include <err.h> 62 #include <pwd.h> 63 #include <errno.h> 64 #include <stdio.h> 65 #include <stdlib.h> 66 #include <string.h> 67 #include <termios.h> 68 #include <time.h> 69 #include <unistd.h> 70 71 #ifdef USE_PAM 72 #include <security/pam_appl.h> 73 #include <security/openpam.h> /* for openpam_ttyconv() */ 74 #endif 75 76 #ifdef SKEY 77 #include <skey.h> 78 #endif 79 80 81 #define TIMEOUT 15 82 83 int main(int, char **); 84 85 static void bye(int) __dead; 86 static void hi(int); 87 static void quit(int) __dead; 88 #ifdef SKEY 89 static int skey_auth(const char *); 90 #endif 91 92 static struct timeval timeout; 93 static struct timeval zerotime; 94 static struct termios tty, ntty; 95 static int notimeout; /* no timeout at all */ 96 static long nexttime; /* keep the timeout time */ 97 98 int 99 main(int argc, char **argv) 100 { 101 struct passwd *pw; 102 struct timeval timval; 103 struct itimerval ntimer, otimer; 104 struct tm *timp; 105 time_t curtime; 106 int ch, usemine; 107 long sectimeout; 108 char *ap, *mypw, *ttynam; 109 const char *tzn; 110 uid_t uid = getuid(); 111 char hostname[MAXHOSTNAMELEN + 1], s[BUFSIZ], s1[BUFSIZ]; 112 #ifdef USE_PAM 113 pam_handle_t *pamh = NULL; 114 static const struct pam_conv pamc = { &openpam_ttyconv, NULL }; 115 int pam_err; 116 #endif 117 118 if ((pw = getpwuid(getuid())) == NULL) 119 errx(1, "unknown uid %lu.", (u_long)uid); 120 121 notimeout = 0; 122 sectimeout = TIMEOUT; 123 mypw = NULL; 124 usemine = 0; 125 126 while ((ch = getopt(argc, argv, "npt:")) != -1) 127 switch ((char)ch) { 128 case 'n': 129 notimeout = 1; 130 break; 131 case 't': 132 errno = 0; 133 if (((sectimeout = strtol(optarg, &ap, 0)) == LONG_MAX 134 || sectimeout == LONG_MIN) 135 && errno == ERANGE) 136 err(1, "illegal timeout value: %s", optarg); 137 if (optarg == ap || *ap || sectimeout <= 0) 138 errx(1, "illegal timeout value: %s", optarg); 139 if (sectimeout >= INT_MAX / 60) 140 errx(1, "too large timeout value: %ld", 141 sectimeout); 142 break; 143 case 'p': 144 usemine = 1; 145 #ifndef USE_PAM 146 mypw = strdup(pw->pw_passwd); 147 if (!mypw) 148 err(1, "strdup"); 149 #endif 150 break; 151 case '?': 152 default: 153 (void)fprintf(stderr, 154 "usage: %s [-np] [-t timeout]\n", getprogname()); 155 exit(1); 156 } 157 158 #if defined(USE_PAM) || defined(SKEY) 159 if (! usemine) { /* -p with PAM or S/key needs privs */ 160 #endif 161 if (setuid(uid) == -1) /* discard privs */ 162 err(1, "setuid failed"); 163 #if defined(USE_PAM) || defined(SKEY) 164 } 165 #endif 166 167 timeout.tv_sec = (int)sectimeout * 60; 168 169 if (tcgetattr(STDIN_FILENO, &tty) < 0) /* get information for header */ 170 err(1, "tcgetattr failed"); 171 gethostname(hostname, sizeof(hostname)); 172 hostname[sizeof(hostname) - 1] = '\0'; 173 if (!(ttynam = ttyname(STDIN_FILENO))) 174 err(1, "ttyname failed"); 175 if (gettimeofday(&timval, NULL) == -1) 176 err(1, "gettimeofday failed"); 177 curtime = timval.tv_sec; 178 nexttime = timval.tv_sec + ((int)sectimeout * 60); 179 timp = localtime(&curtime); 180 ap = asctime(timp); 181 #ifdef __SVR4 182 tzn = tzname[0]; 183 #else 184 tzn = timp->tm_zone; 185 #endif 186 187 if (signal(SIGINT, quit) == SIG_ERR) 188 err(1, "signal failed"); 189 if (signal(SIGQUIT, quit) == SIG_ERR) 190 err(1, "signal failed"); 191 ntty = tty; ntty.c_lflag &= ~ECHO; 192 if (tcsetattr(STDIN_FILENO, TCSADRAIN, &ntty) == -1) 193 err(1, "tcsetattr"); 194 195 if (!usemine) { 196 /* get key and check again */ 197 (void)printf("Key: "); 198 if (!fgets(s, sizeof(s), stdin) || *s == '\n') 199 quit(0); 200 (void)printf("\nAgain: "); 201 /* 202 * Don't need EOF test here, if we get EOF, then s1 != s 203 * and the right things will happen. 204 */ 205 (void)fgets(s1, sizeof(s1), stdin); 206 (void)putchar('\n'); 207 if (strcmp(s1, s)) { 208 (void)printf("\alock: passwords didn't match.\n"); 209 (void)tcsetattr(STDIN_FILENO, TCSADRAIN, &tty); 210 exit(1); 211 } 212 s[0] = '\0'; 213 mypw = s1; 214 } 215 #ifdef USE_PAM 216 if (usemine) { 217 pam_err = pam_start("lock", pw->pw_name, &pamc, &pamh); 218 if (pam_err != PAM_SUCCESS) 219 err(1, "pam_start: %s", pam_strerror(NULL, pam_err)); 220 } 221 #endif 222 223 /* set signal handlers */ 224 if (signal(SIGINT, hi) == SIG_ERR) 225 err(1, "signal failed"); 226 if (signal(SIGQUIT, hi) == SIG_ERR) 227 err(1, "signal failed"); 228 if (signal(SIGTSTP, hi) == SIG_ERR) 229 err(1, "signal failed"); 230 231 if (notimeout) { 232 if (signal(SIGALRM, hi) == SIG_ERR) 233 err(1, "signal failed"); 234 (void)printf("lock: %s on %s. no timeout.\n" 235 "time now is %.20s%s%s", 236 ttynam, hostname, ap, tzn, ap + 19); 237 } 238 else { 239 if (signal(SIGALRM, bye) == SIG_ERR) 240 err(1, "signal failed"); 241 242 ntimer.it_interval = zerotime; 243 ntimer.it_value = timeout; 244 if (setitimer(ITIMER_REAL, &ntimer, &otimer) == -1) 245 err(1, "setitimer failed"); 246 247 /* header info */ 248 (void)printf("lock: %s on %s. timeout in %ld minutes\n" 249 "time now is %.20s%s%s", 250 ttynam, hostname, sectimeout, ap, tzn, ap + 19); 251 } 252 253 for (;;) { 254 #ifdef USE_PAM 255 if (usemine) { 256 pam_err = pam_authenticate(pamh, 0); 257 if (pam_err == PAM_SUCCESS) 258 break; 259 goto tryagain; 260 } 261 #endif 262 (void)printf("Key: "); 263 if (!fgets(s, sizeof(s), stdin)) { 264 clearerr(stdin); 265 hi(0); 266 goto tryagain; 267 } 268 #ifndef USE_PAM 269 if (usemine) { 270 s[strlen(s) - 1] = '\0'; 271 #ifdef SKEY 272 if (strcasecmp(s, "s/key") == 0) { 273 if (skey_auth(pw->pw_name)) 274 break; 275 } 276 #endif 277 if (!strcmp(mypw, crypt(s, mypw))) 278 break; 279 } 280 else 281 #endif 282 if (!strcmp(s, s1)) 283 break; 284 (void)printf("\a\n"); 285 tryagain: 286 if (tcsetattr(STDIN_FILENO, TCSADRAIN, &ntty) == -1 287 && errno != EINTR) 288 err(1, "tcsetattr failed"); 289 } 290 #ifdef USE_PAM 291 if (usemine) { 292 (void)pam_end(pamh, pam_err); 293 } 294 #endif 295 quit(0); 296 /* NOTREACHED */ 297 return 0; 298 } 299 300 #ifdef SKEY 301 /* 302 * We can't use libskey's skey_authenticate() since it 303 * handles signals in a way that's inappropriate 304 * for our needs. Instead we roll our own. 305 */ 306 static int 307 skey_auth(const char *user) 308 { 309 char s[128]; 310 const char *ask; 311 int ret = 0; 312 313 if (!skey_haskey(user) && (ask = skey_keyinfo(user))) { 314 (void)printf("\n[%s]\nResponse: ", ask); 315 if (!fgets(s, sizeof(s), stdin) || *s == '\n') 316 clearerr(stdin); 317 else { 318 s[strlen(s) - 1] = '\0'; 319 if (skey_passcheck(user, s) != -1) 320 ret = 1; 321 } 322 } else 323 (void)printf("Sorry, you have no s/key.\n"); 324 return ret; 325 } 326 #endif 327 328 static void 329 hi(dummy) 330 int dummy; 331 { 332 struct timeval timval; 333 334 if (notimeout) 335 (void)printf("lock: type in the unlock key.\n"); 336 else { 337 if (gettimeofday(&timval, NULL) == -1) 338 err(1, "gettimeofday failed"); 339 (void)printf("lock: type in the unlock key. " 340 "timeout in %lld:%lld minutes\n", 341 (long long)(nexttime - timval.tv_sec) / 60, 342 (long long)(nexttime - timval.tv_sec) % 60); 343 } 344 } 345 346 static void 347 quit(int dummy) 348 { 349 (void)putchar('\n'); 350 (void)tcsetattr(STDIN_FILENO, TCSADRAIN, &tty); 351 exit(0); 352 } 353 354 static void 355 bye(int dummy) 356 { 357 (void)tcsetattr(STDIN_FILENO, TCSADRAIN, &tty); 358 (void)printf("lock: timeout\n"); 359 exit(1); 360 } 361