/*
* Returns true if the user successfully authenticates, false if not
* or -1 on error.
*/
static int
check_user_interactive(int validated, int mode, struct passwd *auth_pw)
{
int status, rval = true;
debug_decl(check_user_interactive, SUDOERS_DEBUG_AUTH)
/* Always need a password when -k was specified with the command. */
if (ISSET(mode, MODE_IGNORE_TICKET))
SET(validated, FLAG_CHECK_USER);
if (build_timestamp(auth_pw) == -1) {
rval = -1;
goto done;
}
status = timestamp_status(auth_pw);
if (status != TS_CURRENT || ISSET(validated, FLAG_CHECK_USER)) {
char *prompt;
bool lectured;
/* Bail out if we are non-interactive and a password is required */
if (ISSET(mode, MODE_NONINTERACTIVE)) {
validated |= FLAG_NON_INTERACTIVE;
log_auth_failure(validated, 0);
rval = -1;
goto done;
}
/* XXX - should not lecture if askpass helper is being used. */
lectured = display_lecture(status);
/* Expand any escapes in the prompt. */
prompt = expand_prompt(user_prompt ? user_prompt : def_passprompt,
auth_pw->pw_name);
if (prompt == NULL) {
rval = -1;
goto done;
}
rval = verify_user(auth_pw, prompt, validated);
if (rval == true && lectured)
set_lectured();
sudo_efree(prompt);
}
/* Only update timestamp if user was validated. */
if (rval == true && ISSET(validated, VALIDATE_SUCCESS) &&
!ISSET(mode, MODE_IGNORE_TICKET) && status != TS_ERROR)
update_timestamp(auth_pw);
done:
debug_return_bool(rval);
}
/*
* Returns true if the user successfully authenticates, false if not
* or -1 on error.
*/
int
check_user(int validated, int mode)
{
struct passwd *auth_pw;
char *timestampdir = NULL;
char *timestampfile = NULL;
char *prompt;
struct stat sb;
int status, rval = true;
debug_decl(check_user, SUDO_DEBUG_AUTH)
/*
* Init authentication system regardless of whether we need a password.
* Required for proper PAM session support.
*/
auth_pw = get_authpw();
if (sudo_auth_init(auth_pw) == -1) {
rval = -1;
goto done;
}
/*
* Don't prompt for the root passwd or if the user is exempt.
* If the user is not changing uid/gid, no need for a password.
*/
if (!def_authenticate || user_uid == 0 || user_is_exempt())
goto done;
if (user_uid == runas_pw->pw_uid &&
(!runas_gr || user_in_group(sudo_user.pw, runas_gr->gr_name))) {
#ifdef HAVE_SELINUX
if (user_role == NULL && user_type == NULL)
#endif
#ifdef HAVE_PRIV_SET
if (runas_privs == NULL && runas_limitprivs == NULL)
#endif
goto done;
}
/* Always need a password when -k was specified with the command. */
if (ISSET(mode, MODE_IGNORE_TICKET))
SET(validated, FLAG_CHECK_USER);
/* Stash the tty's ctime for tty ticket comparison. */
if (def_tty_tickets && user_ttypath && stat(user_ttypath, &sb) == 0) {
tty_info.dev = sb.st_dev;
tty_info.ino = sb.st_ino;
tty_info.rdev = sb.st_rdev;
if (tty_is_devpts(user_ttypath))
ctim_get(&sb, &tty_info.ctime);
}
if (build_timestamp(×tampdir, ×tampfile) == -1) {
rval = -1;
goto done;
}
status = timestamp_status(timestampdir, timestampfile, user_name,
TS_MAKE_DIRS);
if (status != TS_CURRENT || ISSET(validated, FLAG_CHECK_USER)) {
/* Bail out if we are non-interactive and a password is required */
if (ISSET(mode, MODE_NONINTERACTIVE)) {
validated |= FLAG_NON_INTERACTIVE;
log_auth_failure(validated, 0);
rval = -1;
goto done;
}
/* XXX - should not lecture if askpass helper is being used. */
lecture(status);
/* Expand any escapes in the prompt. */
prompt = expand_prompt(user_prompt ? user_prompt : def_passprompt,
user_name, user_shost);
rval = verify_user(auth_pw, prompt, validated);
}
/* Only update timestamp if user was validated. */
if (rval == true && ISSET(validated, VALIDATE_OK) &&
!ISSET(mode, MODE_IGNORE_TICKET) && status != TS_ERROR)
update_timestamp(timestampdir, timestampfile);
efree(timestampdir);
efree(timestampfile);
done:
sudo_auth_cleanup(auth_pw);
sudo_pw_delref(auth_pw);
debug_return_bool(rval);
}