diff options
Diffstat (limited to 'usr.bin/doas/doas.c')
| -rw-r--r-- | usr.bin/doas/doas.c | 25 |
1 files changed, 17 insertions, 8 deletions
diff --git a/usr.bin/doas/doas.c b/usr.bin/doas/doas.c index 15220e4..799373c 100644 --- a/usr.bin/doas/doas.c +++ b/usr.bin/doas/doas.c @@ -1,4 +1,4 @@ -/* $OpenBSD: doas.c,v 1.82 2019/10/18 17:15:45 tedu Exp $ */ +/* $OpenBSD: doas.c,v 1.90 2021/07/12 15:09:19 beck Exp $ */ /* * Copyright (c) 2015 Ted Unangst <tedu@openbsd.org> * @@ -147,7 +147,7 @@ static int permit(uid_t uid, gid_t *groups, int ngroups, const struct rule **lastr, uid_t target, const char *cmd, const char **cmdargs) { - int i; + size_t i; *lastr = NULL; for (i = 0; i < nrules; i++) { @@ -194,6 +194,8 @@ checkconfig(const char *confpath, int argc, char **argv, const struct rule *rule; setresuid(uid, uid, uid); + if (pledge("stdio rpath getpw", NULL) == -1) + err(1, "pledge"); parseconfig(confpath, 0); if (!argc) exit(0); @@ -254,8 +256,9 @@ authuser(char *myname, int persist) } if (!verifypasswd(myname, response)) { explicit_bzero(rbuf, sizeof(rbuf)); - syslog(LOG_NOTICE, "failed auth for %s", myname); - errx(1, "Authorization failed"); + syslog(LOG_AUTHPRIV | LOG_NOTICE, + "failed auth for %s", myname); + errx(1, "Authentication failed"); } explicit_bzero(rbuf, sizeof(rbuf)); good: @@ -385,6 +388,8 @@ main(int argc, char **argv) } if (confpath) { + if (pledge("stdio rpath getpw id", NULL) == -1) + err(1, "pledge"); checkconfig(confpath, argc, argv, uid, groups, ngroups, target); exit(1); /* fail safe */ @@ -407,14 +412,15 @@ main(int argc, char **argv) cmd = argv[0]; if (!permit(uid, groups, ngroups, &rule, target, cmd, (const char **)argv + 1)) { - syslog(LOG_NOTICE, "failed command for %s: %s", mypw->pw_name, cmdline); + syslog(LOG_AUTHPRIV | LOG_NOTICE, + "command not permitted for %s: %s", mypw->pw_name, cmdline); errno = EPERM; err(1, NULL); } if (!(rule->options & NOPASS)) { if (nflag) - errx(1, "Authorization required"); + errx(1, "Authentication required"); authuser(mypw->pw_name, rule->options & PERSIST); } @@ -461,8 +467,11 @@ main(int argc, char **argv) if (pledge("stdio exec", NULL) == -1) err(1, "pledge"); - syslog(LOG_INFO, "%s ran command %s as %s from %s", - mypw->pw_name, cmdline, targpw->pw_name, cwd); + if (!(rule->options & NOLOG)) { + syslog(LOG_AUTHPRIV | LOG_INFO, + "%s ran command %s as %s from %s", + mypw->pw_name, cmdline, targpw->pw_name, cwd); + } envp = prepenv(rule, mypw, targpw); |