xref: /openbsd/usr.bin/passwd/pwd_check.c (revision d89ec533) 
1 /*	$OpenBSD: pwd_check.c,v 1.17 2021/08/28 06:46:49 robert Exp $	*/
2 
3 /*
4  * Copyright 2000 Niels Provos <provos@citi.umich.edu>
5  * All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  * 2. Redistributions in binary form must reproduce the above copyright
13  *    notice, this list of conditions and the following disclaimer in the
14  *    documentation and/or other materials provided with the distribution.
15  * 3. All advertising materials mentioning features or use of this software
16  *    must display the following acknowledgement:
17  *      This product includes software developed by Niels Provos.
18  * 4. The name of the author may not be used to endorse or promote products
19  *    derived from this software without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
22  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
23  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
24  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
25  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
26  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
27  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
28  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
29  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
30  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31  */
32 
33 #include <sys/types.h>
34 #include <sys/wait.h>
35 
36 #include <stdio.h>
37 #include <stdlib.h>
38 #include <string.h>
39 #include <unistd.h>
40 #include <limits.h>
41 #include <errno.h>
42 #include <err.h>
43 #include <regex.h>
44 #include <grp.h>
45 #include <paths.h>
46 #include <login_cap.h>
47 #include <signal.h>
48 
49 int pwd_check(login_cap_t *, char *);
50 int pwd_gettries(login_cap_t *);
51 
52 struct pattern {
53 	char *match;
54 	int flags;
55 	char *response;
56 };
57 
58 struct pattern patterns[] = {
59 	{
60 		"^[0-9]*$",
61 		REG_EXTENDED|REG_NOSUB,
62 		"Please don't use all-digit passwords."
63 	},
64 	{
65 		"^[a-z]{1,9}$",
66 		REG_EXTENDED|REG_NOSUB,
67 		"Please don't use an all-lower case password."
68 	},
69 	{
70 		"^[a-z]{1,6}[0-9]+$",
71 		REG_EXTENDED|REG_NOSUB|REG_ICASE,
72 		"Please use a more complicated password."
73 	},
74 	{
75 		"^([a-z][0-9]){1,4}$",
76 		REG_EXTENDED|REG_NOSUB|REG_ICASE,
77 		"Please use a more complicated password."
78 	},
79 	{
80 		"^([0-9][a-z]){1,4}$",
81 		REG_EXTENDED|REG_NOSUB|REG_ICASE,
82 		"Please use a more complicated password."
83 	}
84 };
85 
86 int
87 pwd_check(login_cap_t *lc, char *password)
88 {
89 	regex_t rgx;
90 	int i, res, min_len;
91 	char *checker;
92 	char *argp[] = { "sh", "-c", NULL, NULL};
93 	int pipefds[2];
94 	pid_t child;
95 	uid_t uid;
96 	gid_t gid;
97 
98 	min_len = (int)login_getcapnum(lc, "minpasswordlen", 6, 6);
99 	if (min_len > 0 && strlen(password) < min_len) {
100 		fprintf(stderr, "Please enter a longer password.\n");
101 		return (0);
102 	}
103 
104 	/* External password check program */
105 	checker = login_getcapstr(lc, "passwordcheck", NULL, NULL);
106 
107 	/* Pipes are only used for external checker */
108 	if (checker != NULL && pipe(pipefds) == -1) {
109 		warn("pipe");
110 		goto out;
111 	}
112 
113 	/* Check password in low-privileged child */
114 	switch (child = fork()) {
115 	case -1:
116 		warn("fork");
117 		goto out;
118 	case 0:
119 		(void)signal(SIGINT, SIG_DFL);
120 		(void)signal(SIGQUIT, SIG_DFL);
121 		uid = getuid();
122 		gid = getgid();
123 		if (setresgid(gid, gid, gid) == -1) {
124 			warn("setresgid");
125 			exit(1);
126 		}
127 		if (setgroups(1, &gid) == -1) {
128 			warn("setgroups");
129 			exit(1);
130 		}
131 		if (setresuid(uid, uid, uid) == -1) {
132 			warn("setresuid");
133 			exit(1);
134 		}
135 
136 		if (checker == NULL) {
137 			if (pledge("stdio", NULL) == -1)
138 				err(1, "pledge");
139 
140 			for (i = 0; i < sizeof(patterns) / sizeof(*patterns); i++) {
141 				int ret;
142 
143 				if (regcomp(&rgx, patterns[i].match,
144 				    patterns[i].flags) != 0)
145 					continue;
146 				ret = regexec(&rgx, password, 0, NULL, 0);
147 				regfree(&rgx);
148 				if (ret == 0) {
149 					fprintf(stderr, "%s\n", patterns[i].response);
150 					exit(1);
151 				}
152 			}
153 			/* no external checker in use, accept the password */
154 			exit(0);
155 		}
156 
157 		if (pledge("stdio exec", NULL) == -1)
158 			err(1, "pledge");
159 
160 		/* Otherwise, pass control to checker program */
161 		argp[2] = checker;
162 		if (dup2(pipefds[0], STDIN_FILENO) == -1) {
163 			warn("dup2");
164 			exit(1);
165 		}
166 		close(pipefds[0]);
167 		close(pipefds[1]);
168 
169 		if (execv(_PATH_BSHELL, argp) == -1) {
170 			warn("exec");
171 			exit(1);
172 		}
173 		/* NOTREACHED */
174 	default:
175 		break; /* parent continues below */
176 	}
177 
178 	if (checker != NULL) {
179 		/* Send the password to STDIN of child */
180 		close(pipefds[0]);
181 		write(pipefds[1], password, strlen(password) + 1);
182 		close(pipefds[1]);
183 	}
184 
185 	/* get the return value from the child */
186 	while (waitpid(child, &res, 0) == -1) {
187 		if (errno != EINTR)
188 			break;
189 	}
190 	if (WIFEXITED(res) && WEXITSTATUS(res) == 0) {
191 		free(checker);
192 		return (1);
193 	}
194 
195  out:
196 	free(checker);
197 	fprintf(stderr, "Please use a different password. Unusual capitalization,\n");
198 	fprintf(stderr, "control characters, or digits are suggested.\n");
199 
200 	return (0);
201 }
202 
203 int
204 pwd_gettries(login_cap_t *lc)
205 {
206 	quad_t ntries;
207 
208 	if ((ntries = login_getcapnum(lc, "passwordtries", -1, -1)) != -1) {
209 		if (ntries >= 0 && ntries <= INT_MAX)
210 			return((int)ntries);
211 		fprintf(stderr,
212 		    "Warning: pwdtries out of range in /etc/login.conf");
213 	}
214 
215 	/*
216 	 * If no amount of tries is specified, return a default of 3,
217 	 * meaning that after 3 attempts where the user is foiled by the
218 	 * password checks, it will no longer be checked and they can set
219 	 * it to whatever they like.  This is the historic BSD behavior.
220 	 */
221 	return (3);
222 }
223