diff options
Diffstat (limited to 'usr.bin/lock/lock.c')
-rw-r--r-- | usr.bin/lock/lock.c | 301 |
1 files changed, 301 insertions, 0 deletions
diff --git a/usr.bin/lock/lock.c b/usr.bin/lock/lock.c new file mode 100644 index 000000000000..f2f13f6e56f8 --- /dev/null +++ b/usr.bin/lock/lock.c @@ -0,0 +1,301 @@ +/*- + * SPDX-License-Identifier: BSD-3-Clause + * + * Copyright (c) 1980, 1987, 1993 + * The Regents of the University of California. All rights reserved. + * + * This code is derived from software contributed to Berkeley by + * Bob Toxen. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +/* + * Lock a terminal up until the given key is entered or the given + * interval times out. + * + * Timeout interval is by default TIMEOUT, it can be changed with + * an argument of the form -time where time is in minutes + */ + +#include <sys/param.h> +#include <sys/stat.h> +#include <sys/signal.h> +#include <sys/consio.h> + +#include <err.h> +#include <ctype.h> +#include <errno.h> +#include <paths.h> +#include <pwd.h> +#include <stdint.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <syslog.h> +#include <termios.h> +#include <time.h> +#include <unistd.h> + +#include <security/pam_appl.h> +#include <security/openpam.h> /* for openpam_ttyconv() */ + +#define TIMEOUT 15 + +static void quit(int); +static void bye(int); +static void hi(int); +static void usage(void) __dead2; + +static struct timeval timeout; +static struct timeval zerotime; +static struct termios tty, ntty; +static long nexttime; /* keep the timeout time */ +static int no_timeout; /* lock terminal forever */ +static int vtyunlock; /* Unlock flag and code. */ + +/*ARGSUSED*/ +int +main(int argc, char **argv) +{ + static const struct pam_conv pamc = { &openpam_ttyconv, NULL }; + pam_handle_t *pamh; + struct passwd *pw; + struct itimerval ntimer, otimer; + struct tm *timp; + time_t timval; + int ch, failures, pam_err, sectimeout, usemine, vtylock; + char *ap, *ttynam, *tzn; + char hostname[MAXHOSTNAMELEN], s[BUFSIZ], s1[BUFSIZ]; + + openlog("lock", 0, LOG_AUTH); + + pam_err = PAM_SYSTEM_ERR; /* pacify GCC */ + + sectimeout = TIMEOUT; + pamh = NULL; + pw = NULL; + usemine = 0; + no_timeout = 0; + vtylock = 0; + while ((ch = getopt(argc, argv, "npt:v")) != -1) + switch((char)ch) { + case 't': + if ((sectimeout = atoi(optarg)) <= 0) + errx(1, "illegal timeout value"); + break; + case 'p': + usemine = 1; + if (!(pw = getpwuid(getuid()))) + errx(1, "unknown uid %d", getuid()); + break; + case 'n': + no_timeout = 1; + break; + case 'v': + vtylock = 1; + break; + case '?': + default: + usage(); + } + timeout.tv_sec = sectimeout * 60; + + if (!usemine) { /* -p with PAM or S/key needs privs */ + /* discard privs */ + if (setuid(getuid()) != 0) + errx(1, "setuid failed"); + } + + if (tcgetattr(0, &tty)) /* get information for header */ + exit(1); + gethostname(hostname, sizeof(hostname)); + if (!(ttynam = ttyname(0))) + errx(1, "not a terminal?"); + if (strncmp(ttynam, _PATH_DEV, strlen(_PATH_DEV)) == 0) + ttynam += strlen(_PATH_DEV); + timval = time(NULL); + nexttime = timval + (sectimeout * 60); + timp = localtime(&timval); + ap = asctime(timp); + tzn = timp->tm_zone; + + (void)signal(SIGINT, quit); + (void)signal(SIGQUIT, quit); + ntty = tty; ntty.c_lflag &= ~ECHO; + (void)tcsetattr(0, TCSADRAIN|TCSASOFT, &ntty); + + if (usemine) { + pam_err = pam_start("lock", pw->pw_name, &pamc, &pamh); + if (pam_err != PAM_SUCCESS) + err(1, "pam_start: %s", pam_strerror(NULL, pam_err)); + } else { + /* get key and check again */ + (void)printf("Key: "); + if (!fgets(s, sizeof(s), stdin) || *s == '\n') + quit(0); + (void)printf("\nAgain: "); + /* + * Don't need EOF test here, if we get EOF, then s1 != s + * and the right things will happen. + */ + (void)fgets(s1, sizeof(s1), stdin); + (void)putchar('\n'); + if (strcmp(s1, s)) { + (void)printf("\07lock: passwords didn't match.\n"); + (void)tcsetattr(0, TCSADRAIN|TCSASOFT, &tty); + exit(1); + } + s[0] = '\0'; + } + + /* set signal handlers */ + (void)signal(SIGINT, hi); + (void)signal(SIGQUIT, hi); + (void)signal(SIGTSTP, hi); + (void)signal(SIGALRM, bye); + + ntimer.it_interval = zerotime; + ntimer.it_value = timeout; + if (!no_timeout) + setitimer(ITIMER_REAL, &ntimer, &otimer); + if (vtylock) { + /* + * If this failed, we want to err out; warn isn't good + * enough, since we don't want the user to think that + * everything is nice and locked because they got a + * "Key:" prompt. + */ + if (ioctl(0, VT_LOCKSWITCH, &vtylock) == -1) { + (void)tcsetattr(0, TCSADRAIN|TCSASOFT, &tty); + err(1, "locking vty"); + } + vtyunlock = 0x2; + } + + /* header info */ + if (pw != NULL) + (void)printf("lock: %s using %s on %s.", pw->pw_name, + ttynam, hostname); + else + (void)printf("lock: %s on %s.", ttynam, hostname); + if (no_timeout) + (void)printf(" no timeout."); + else + (void)printf(" timeout in %d minute%s.", sectimeout, + sectimeout != 1 ? "s" : ""); + if (vtylock) + (void)printf(" vty locked."); + (void)printf("\ntime now is %.20s%s%s", ap, tzn, ap + 19); + + failures = 0; + + for (;;) { + if (usemine) { + pam_err = pam_authenticate(pamh, 0); + if (pam_err == PAM_SUCCESS) + break; + + if (pam_err != PAM_AUTH_ERR && + pam_err != PAM_USER_UNKNOWN && + pam_err != PAM_MAXTRIES) { + syslog(LOG_ERR, "pam_authenticate: %s", + pam_strerror(pamh, pam_err)); + } + + goto tryagain; + } + (void)printf("Key: "); + if (!fgets(s, sizeof(s), stdin)) { + clearerr(stdin); + hi(0); + goto tryagain; + } + if (!strcmp(s, s1)) + break; + (void)printf("\07\n"); + failures++; + if (getuid() == 0) + syslog(LOG_NOTICE, "%d ROOT UNLOCK FAILURE%s (%s on %s)", + failures, failures > 1 ? "S": "", ttynam, hostname); +tryagain: + if (tcgetattr(0, &ntty) && (errno != EINTR)) + exit(1); + sleep(1); /* to discourage guessing */ + } + if (getuid() == 0) + syslog(LOG_NOTICE, "ROOT UNLOCK ON hostname %s port %s", + hostname, ttynam); + if (usemine) + (void)pam_end(pamh, pam_err); + quit(0); + return(0); /* not reached */ +} + + +static void +usage(void) +{ + (void)fprintf(stderr, "usage: lock [-npv] [-t timeout]\n"); + exit(1); +} + +static void +hi(int signo __unused) +{ + time_t timval; + + timval = time(NULL); + (void)printf("lock: type in the unlock key. "); + if (no_timeout) { + (void)putchar('\n'); + } else { + (void)printf("timeout in %jd:%jd minutes\n", + (intmax_t)(nexttime - timval) / 60, + (intmax_t)(nexttime - timval) % 60); + } +} + +static void +quit(int signo __unused) +{ + (void)putchar('\n'); + (void)tcsetattr(0, TCSADRAIN|TCSASOFT, &tty); + if (vtyunlock) + (void)ioctl(0, VT_LOCKSWITCH, &vtyunlock); + exit(0); +} + +static void +bye(int signo __unused) +{ + if (!no_timeout) { + (void)tcsetattr(0, TCSADRAIN|TCSASOFT, &tty); + if (vtyunlock) + (void)ioctl(0, VT_LOCKSWITCH, &vtyunlock); + (void)printf("lock: timeout\n"); + exit(1); + } +} |