doas with a timeout
Hi,
sudo was having a nice feature of not overwhelming the user with
password prompts (cookies :-) ).
This diff is adding this back to doas(1).
Index: doas.c
===
RCS file: /cvs/src/usr.bin/doas/doas.c,v
retrieving revision 1.27
diff -c -r1.27 doas.c
*** doas.c26 Jul 2015 22:44:33 -1.27
--- doas.c27 Jul 2015 06:50:32 -
***
*** 18,29
--- 18,31
#include
#include
+ #include
#include
#include
#include
#include
#include
#include
+ #include
#include
#include
#include
***
*** 52,57
--- 54,82
return cnt;
}
+ int
+ checktimeout (const char *username)
+ {
+ char path[PATH_MAX];
+ struct stat stinfo;
+ time_t tv;
+ int fh;
+
+ snprintf((char *)&path,PATH_MAX-1,"/tmp/doas.timestamp.%s",username);
+ tv = time((time_t *)NULL);
+
+ if (!stat(path,(struct stat *)&stinfo) &&
(tv-stinfo.st_mtim.tv_sec)
+ return 1;
+ else {
+ fh = creat(path,S_IRUSR|S_IWUSR);
+ close(fh);
+ return 0;
+ }
+ return 0;
+ }
+
+
+
static int
parseuid(const char *s, uid_t *uid)
{
***
*** 399,405
"failed command for %s: %s", myname, cmdline);
fail();
}
!
if (!(rule->options & NOPASS)) {
if (nflag)
errx(1, "Authorization required");
--- 424,430
"failed command for %s: %s", myname, cmdline);
fail();
}
! if (pw_timeout && !checktimeout(pw->pw_name)) {
if (!(rule->options & NOPASS)) {
if (nflag)
errx(1, "Authorization required");
***
*** 409,414
--- 434,440
fail();
}
}
+ }
envp = copyenv((const char **)envp, rule);
pw = getpwuid(target);
Index: doas.conf.5
===
RCS file: /cvs/src/usr.bin/doas/doas.conf.5,v
retrieving revision 1.11
diff -c -r1.11 doas.conf.5
*** doas.conf.523 Jul 2015 15:26:37 -1.11
--- doas.conf.527 Jul 2015 06:50:32 -
***
*** 22,31
.Sh DESCRIPTION
The
.Xr doas 1
! utility executes commands as other users according to the rules
in the
.Nm
configuration file.
.Pp
The rules have the following format:
.Bd -ragged -offset indent
--- 22,42
.Sh DESCRIPTION
The
.Xr doas 1
! utility executes commands as other users according to the rules and
options
in the
.Nm
configuration file.
+ .Sh OPTIONS
+ .Pp
+ The configuration file currently accepts one option:
+ .Bd -ragged -offset indent
+ .Ic timeout
+ tsec
+ .Pp
+ By default
+ .Ic doas
+ prompts for password on every execution. This option sets timeout for
password reprompt to the tsec seconds value.
+ .Sh RULES
.Pp
The rules have the following format:
.Bd -ragged -offset indent
***
*** 113,118
--- 124,132
.Bd -literal -offset indent
# Non-exhaustive list of variables needed to
# build release(8) and ports(7)
+ # timeout is optional
+ timeout 300 # sets the password reprompt time out to 5 minutes
+
permit nopass keepenv { \e
FTPMODE PKG_CACHE PKG_PATH SM_PATH SSH_AUTH_SOCK \e
DESTDIR DISTDIR FETCH_CMD FLAVOR GROUP MAKE MAKECONF \e
Index: doas.h
===
RCS file: /cvs/src/usr.bin/doas/doas.h,v
retrieving revision 1.4
diff -c -r1.4 doas.h
*** doas.h24 Jul 2015 06:36:42 -1.4
--- doas.h27 Jul 2015 06:50:32 -
***
*** 10,15
--- 10,16
const char **envlist;
};
+ extern time_t pw_timeout;
extern struct rule **rules;
extern int nrules, maxrules;
extern int parse_errors;
Index: parse.y
===
RCS file: /cvs/src/usr.bin/doas/parse.y,v
retrieving revision 1.10
diff -c -r1.10 parse.y
*** parse.y24 Jul 2015 06:36:42 -1.10
--- parse.y27 Jul 2015 06:50:32 -
***
*** 17,22
--- 17,23
%{
#include
+ #include
#include
#include
#include
***
*** 24,29
--- 25,31
#include
#include
#include
+ #include
#include "doas.h"
***
*** 45,50
--- 47,53
FILE *yyfp;
+ time_t pw_timeout;
struct rule **rules;
int nrules, maxrules;
int parse_errors = 0;
***
*** 56,62
%}
%token TPERMIT TDENY TAS TCMD TARGS
! %token TNOPASS TKEEPENV
%token TSTRING
%%
--- 59,65
%}
%token TPERMIT TDENY TAS TCMD TARGS
! %token TNOPASS TKEEPENV TTIMEOUT
%token TSTRING
%%
***
*** 64,72
--- 67,87
grammar:/* empty */
| grammar '\n'
| grammar rule '\n'
+ | grammar timeout '\n'
| error '\n'
;
+ timeout:TTIMEOUT TSTRING {
+ errno = 0;
+ char *ep;
+ pw_timeout = s
Re: doas with a timeout
> sudo was having a nice feature of not overwhelming the user with > password prompts (cookies :-) ). > > This diff is adding this back to doas(1). It's not a big deal but one feature of sudo that I occasionally use is sudoedit or a one-time su like command with timestamp_timeout=0 to always prompt for a password for a particular user. So a non root password could unlock any command as any user once. Just wondering what peoples thoughts or considerations here are/have been. -- KISSIS - Keep It Simple So It's Securable
doas: add the -n flag to usage string
A small oversight. The man page is already up to date.
Index: doas.c
===
RCS file: /cvs/src/usr.bin/doas/doas.c,v
retrieving revision 1.27
diff -u -p -r1.27 doas.c
--- doas.c 26 Jul 2015 22:44:33 - 1.27
+++ doas.c 27 Jul 2015 09:21:38 -
@@ -36,7 +36,7 @@
static void __dead
usage(void)
{
- fprintf(stderr, "usage: doas [-s] [-C config] [-u user] command
[args]\n");
+ fprintf(stderr, "usage: doas [-ns] [-C config] [-u user] command
[args]\n");
exit(1);
}
Re: ssh agent authentication for doas
> On 27 Jul 2015, at 1:57 am, Ted Unangst wrote: > > David Gwynne wrote: >> this is rough, but enough to start a discussion. >> >> this lets doas authenticate a user by talking to their ssh agent >> by specifying 'ssh-agent' on a permit line in the config. if agent >> auth fails, doas falls back to bsd auth (ie, password auth). >> >> to minimise the amount of code needed in doas, most of the heavy >> lifting is handed off to two external programs. > > ehhh... woah, this is getting complicated fast. > >> the first is a program that fetches a users keys. it has to be >> provided by the system administrator. >> >> at work i have an AuthorizedKeysCommand thing that fetches keys >> from active directory (ie, an ldap) so users can do key based auth > > and it sounds like you will be the only user... > > If we add this, we would need to document it. And worse, users would need to > read it. And it would sound cool, but then they'd struggle to set it up and > get frustrated. It is, in short, an "attractive nuisance". > > If bsd auth does not suit your needs, then I think that should be the place to > focus your efforts. aww, the burn :( im pretty sure im not the only user of authorizedkeyscommand. it sort of came via redhat, and i think sunssh on solaris has a similar capability via weird shared libs. presumably people who run more than a couple of machines at home find this stuff useful. more importantly to me, i also got a private reply to my diff from someone who seemed keen on this on openbsd as they are current users of http://pamsshagentauth.sourceforge.net/ on other platforms. they also asked if id seen https://www.usenix.org/legacy/event/lisa08/tech/full_papers/burnside/burnside_html/index.html. the link above is pretty depressing for two reasons. we could have had this functionality in place nearly 20 years ago, and between 98 when that paper was written and 2000 when bsd_auth seems to have been brought into the openbsd tree, the environment masking was put in place that gets in the way of me implementing a bsd_auth ssh agent login script. just so im clear, we're not arguing about the general usefulness of being able to use an ssh agent for auth with doas? just how my diff did it? id like to be able to do it cos it would give us an alternative to implementing "tickets" to mitigate password requests. if the preference is to do it via bsd_auth instead of hardcoding it in doas, can i have a suggestion on what the least damaging way of implementing it would be? the easiest change would be to for bsd_auth to unconditionally copy SSH_AUTH_SOCK into the environment it calls the login script with. that could also be considered quite damaging though :( maybe whitelisting env vars in login.conf that can be passed to a login script by bsd_auth? dlg
Re: doas with a timeout
On 07/27/2015 01:12 PM, Kevin Chadwick wrote: sudo was having a nice feature of not overwhelming the user with password prompts (cookies :-) ). This diff is adding this back to doas(1). It's not a big deal but one feature of sudo that I occasionally use is sudoedit or a one-time su like command with timestamp_timeout=0 to always prompt for a password for a particular user. So a non root password could unlock any command as any user once. Just wondering what peoples thoughts or considerations here are/have been. I could probably rework the diff so timeout could also be added per-rule if some body wants this.
Re: doas with a timeout
On Mon, Jul 27, 2015 at 10:54:02AM +0300, Gregory Edigarov wrote: > Hi, > > sudo was having a nice feature of not overwhelming the user with password > prompts (cookies :-) ). > > This diff is adding this back to doas(1). > On Mon, Jul 27, 2015 at 10:54:02AM +0300, Gregory Edigarov wrote: > Hi, > > sudo was having a nice feature of not overwhelming the user with password > prompts (cookies :-) ). > > This diff is adding this back to doas(1). Agreed, this is one of the sudo features I miss the most. Unfortunately, your patch didn't apply at all and didn't follow the usual style(9) guide. Could you please send a unified diff (diff -upN) next time? I'm probably missing something, but from reading your implementation of checktimeout() it seems that you can easily cumvent the password prompt using something like this (assuming the timeout is enabled for the user): $ touch /tmp/doas.timestamp.$USER $ doas ... Maybe looking at how sudo implemented this would give some ideas of how to implement this feature securely (for one thing the timestamp file was stored in /var/run/sudo/ which was owned by root:wheel).
Re: doas with a timeout
On Mon, Jul 27, 2015 at 10:54:02AM +0300, Gregory Edigarov wrote:
> Hi,
>
> sudo was having a nice feature of not overwhelming the user with password
> prompts (cookies :-) ).
>
> This diff is adding this back to doas(1).
>
> Index: doas.c
> ===
> RCS file: /cvs/src/usr.bin/doas/doas.c,v
> retrieving revision 1.27
> diff -c -r1.27 doas.c
> *** doas.c26 Jul 2015 22:44:33 -1.27
> --- doas.c27 Jul 2015 06:50:32 -
> ***
> *** 18,29
> --- 18,31
> #include
> #include
>
> + #include
> #include
> #include
> #include
> #include
> #include
> #include
> + #include
> #include
> #include
> #include
> ***
> *** 52,57
> --- 54,82
> return cnt;
> }
>
> + int
> + checktimeout (const char *username)
> + {
> + char path[PATH_MAX];
> + struct stat stinfo;
> + time_t tv;
> + int fh;
> +
> + snprintf((char *)&path,PATH_MAX-1,"/tmp/doas.timestamp.%s",username);
> + tv = time((time_t *)NULL);
> +
> + if (!stat(path,(struct stat *)&stinfo) &&
> (tv-stinfo.st_mtim.tv_sec) + return 1;
> + else {
> + fh = creat(path,S_IRUSR|S_IWUSR);
> + close(fh);
> + return 0;
> + }
> + return 0;
> + }
> +
> +
> +
> static int
> parseuid(const char *s, uid_t *uid)
> {
> ***
> *** 399,405
> "failed command for %s: %s", myname, cmdline);
> fail();
> }
> !
> if (!(rule->options & NOPASS)) {
> if (nflag)
> errx(1, "Authorization required");
> --- 424,430
> "failed command for %s: %s", myname, cmdline);
> fail();
> }
> ! if (pw_timeout && !checktimeout(pw->pw_name)) {
> if (!(rule->options & NOPASS)) {
> if (nflag)
> errx(1, "Authorization required");
> ***
> *** 409,414
> --- 434,440
> fail();
> }
> }
> + }
> envp = copyenv((const char **)envp, rule);
>
> pw = getpwuid(target);
> Index: doas.conf.5
> ===
> RCS file: /cvs/src/usr.bin/doas/doas.conf.5,v
> retrieving revision 1.11
> diff -c -r1.11 doas.conf.5
> *** doas.conf.523 Jul 2015 15:26:37 -1.11
> --- doas.conf.527 Jul 2015 06:50:32 -
> ***
> *** 22,31
> .Sh DESCRIPTION
> The
> .Xr doas 1
> ! utility executes commands as other users according to the rules
> in the
> .Nm
> configuration file.
> .Pp
> The rules have the following format:
> .Bd -ragged -offset indent
> --- 22,42
> .Sh DESCRIPTION
> The
> .Xr doas 1
> ! utility executes commands as other users according to the rules and
> options
> in the
> .Nm
> configuration file.
> + .Sh OPTIONS
> + .Pp
> + The configuration file currently accepts one option:
> + .Bd -ragged -offset indent
> + .Ic timeout
> + tsec
> + .Pp
> + By default
> + .Ic doas
> + prompts for password on every execution. This option sets timeout for
> password reprompt to the tsec seconds value.
> + .Sh RULES
> .Pp
> The rules have the following format:
> .Bd -ragged -offset indent
> ***
> *** 113,118
> --- 124,132
> .Bd -literal -offset indent
> # Non-exhaustive list of variables needed to
> # build release(8) and ports(7)
> + # timeout is optional
> + timeout 300 # sets the password reprompt time out to 5 minutes
> +
> permit nopass keepenv { \e
> FTPMODE PKG_CACHE PKG_PATH SM_PATH SSH_AUTH_SOCK \e
> DESTDIR DISTDIR FETCH_CMD FLAVOR GROUP MAKE MAKECONF \e
> Index: doas.h
> ===
> RCS file: /cvs/src/usr.bin/doas/doas.h,v
> retrieving revision 1.4
> diff -c -r1.4 doas.h
> *** doas.h24 Jul 2015 06:36:42 -1.4
> --- doas.h27 Jul 2015 06:50:32 -
> ***
> *** 10,15
> --- 10,16
> const char **envlist;
> };
>
> + extern time_t pw_timeout;
> extern struct rule **rules;
> extern int nrules, maxrules;
> extern int parse_errors;
> Index: parse.y
> ===
> RCS file: /cvs/src/usr.bin/doas/parse.y,v
> retrieving revision 1.10
> diff -c -r1.10 parse.y
> *** parse.y24 Jul 2015 06:36:42 -1.10
> --- parse.y27 Jul 2015 06:50:32 -
> ***
> *** 17,22
> --- 17,23
>
> %{
> #include
> + #include
> #include
> #include
> #include
> ***
> *** 24,29
> --- 25,31
> #include
> #include
> #include
> + #include
>
> #include "doas.h"
>
> ***
> *** 45,50
> --- 47,53
>
> FILE *yyfp;
>
> + time_t pw_timeout;
> struct rule **rules;
> int nrules, maxrules;
> int parse_errors = 0;
> ***
> *** 56,62
> %}
>
> %token TPERMIT TDENY TAS TCMD TARGS
> ! %t
Re: doas with a timeout
On 2015/07/27 10:54, Gregory Edigarov wrote: > Hi, > > sudo was having a nice feature of not overwhelming the user with password > prompts (cookies :-) ). There is nothing stopping you from installing sudo from packages if you need its features...
Re: Update to /etc/services
On 2015/07/26 21:05, Denis Fondras wrote: > > Are both TCP and UDP actually used for these? If not, please only list the > > protocols which are used (not just reserved). > > > > Only UDP is used currently. Thanks, added. > Index: services > === > RCS file: /cvs/src/etc/services,v > retrieving revision 1.93 > diff -u -p -r1.93 services > --- services 31 Dec 2014 11:52:22 - 1.93 > +++ services 26 Jul 2015 19:02:41 - > @@ -228,12 +228,14 @@ eppc3031/tcp# Remote > AppleEvents/PP BTW your diff was line-wrapped, and the BFD entries used spaces instead of tabs, so I hand applied it. > eppc 3031/udp# Remote AppleEvents/PPC Toolbox > iscsi3260/tcp# ISCSI > mysql3306/tcp# MySQL > +rdp 3389/tcp# Microsoft Remote Desktop > Protocol > iapp 3517/tcp802-11-iapp # IEEE 802.11f IAPP > iapp 3517/udp802-11-iapp # IEEE 802.11f IAPP > daap 3689/tcp# Digital Audio Access Protocol > daap 3689/udp# Digital Audio Access Protocol > svn 3690/tcp# Subversion > -rdp 3389/tcp# Microsoft Remote Desktop > Protocol > +bfd-control 3784/udp # BFD Control Protocol > +bfd-echo3785/udp # BFD Echo Protocol > sieve4190/tcp# ManageSieve Protocol > sieve4190/udp# ManageSieve Protocol > krb524 /tcp# Kerberos 5->4 >
Re: doas with a timeout
On 07/27/2015 01:33 PM, Stuart Henderson wrote: On 2015/07/27 10:54, Gregory Edigarov wrote: Hi, sudo was having a nice feature of not overwhelming the user with password prompts (cookies :-) ). There is nothing stopping you from installing sudo from packages if you need its features... Of course, I am just trying to stick with base system where it is possible.
Re: doas with a timeout
On 07/27/2015 01:21 PM, Marc Espie wrote:
On Mon, Jul 27, 2015 at 10:54:02AM +0300, Gregory Edigarov wrote:
Hi,
sudo was having a nice feature of not overwhelming the user with password
prompts (cookies :-) ).
This diff is adding this back to doas(1).
Index: doas.c
===
RCS file: /cvs/src/usr.bin/doas/doas.c,v
retrieving revision 1.27
diff -c -r1.27 doas.c
*** doas.c26 Jul 2015 22:44:33 -1.27
--- doas.c27 Jul 2015 06:50:32 -
***
*** 18,29
--- 18,31
#include
#include
+ #include
#include
#include
#include
#include
#include
#include
+ #include
#include
#include
#include
***
*** 52,57
--- 54,82
return cnt;
}
+ int
+ checktimeout (const char *username)
+ {
+ char path[PATH_MAX];
+ struct stat stinfo;
+ time_t tv;
+ int fh;
+
+ snprintf((char *)&path,PATH_MAX-1,"/tmp/doas.timestamp.%s",username);
+ tv = time((time_t *)NULL);
+
+ if (!stat(path,(struct stat *)&stinfo) &&
(tv-stinfo.st_mtim.tv_sec)options & NOPASS)) {
if (nflag)
errx(1, "Authorization required");
--- 424,430
"failed command for %s: %s", myname, cmdline);
fail();
}
! if (pw_timeout && !checktimeout(pw->pw_name)) {
if (!(rule->options & NOPASS)) {
if (nflag)
errx(1, "Authorization required");
***
*** 409,414
--- 434,440
fail();
}
}
+ }
envp = copyenv((const char **)envp, rule);
pw = getpwuid(target);
Index: doas.conf.5
===
RCS file: /cvs/src/usr.bin/doas/doas.conf.5,v
retrieving revision 1.11
diff -c -r1.11 doas.conf.5
*** doas.conf.523 Jul 2015 15:26:37 -1.11
--- doas.conf.527 Jul 2015 06:50:32 -
***
*** 22,31
.Sh DESCRIPTION
The
.Xr doas 1
! utility executes commands as other users according to the rules
in the
.Nm
configuration file.
.Pp
The rules have the following format:
.Bd -ragged -offset indent
--- 22,42
.Sh DESCRIPTION
The
.Xr doas 1
! utility executes commands as other users according to the rules and
options
in the
.Nm
configuration file.
+ .Sh OPTIONS
+ .Pp
+ The configuration file currently accepts one option:
+ .Bd -ragged -offset indent
+ .Ic timeout
+ tsec
+ .Pp
+ By default
+ .Ic doas
+ prompts for password on every execution. This option sets timeout for
password reprompt to the tsec seconds value.
+ .Sh RULES
.Pp
The rules have the following format:
.Bd -ragged -offset indent
***
*** 113,118
--- 124,132
.Bd -literal -offset indent
# Non-exhaustive list of variables needed to
# build release(8) and ports(7)
+ # timeout is optional
+ timeout 300 # sets the password reprompt time out to 5 minutes
+
permit nopass keepenv { \e
FTPMODE PKG_CACHE PKG_PATH SM_PATH SSH_AUTH_SOCK \e
DESTDIR DISTDIR FETCH_CMD FLAVOR GROUP MAKE MAKECONF \e
Index: doas.h
===
RCS file: /cvs/src/usr.bin/doas/doas.h,v
retrieving revision 1.4
diff -c -r1.4 doas.h
*** doas.h24 Jul 2015 06:36:42 -1.4
--- doas.h27 Jul 2015 06:50:32 -
***
*** 10,15
--- 10,16
const char **envlist;
};
+ extern time_t pw_timeout;
extern struct rule **rules;
extern int nrules, maxrules;
extern int parse_errors;
Index: parse.y
===
RCS file: /cvs/src/usr.bin/doas/parse.y,v
retrieving revision 1.10
diff -c -r1.10 parse.y
*** parse.y24 Jul 2015 06:36:42 -1.10
--- parse.y27 Jul 2015 06:50:32 -
***
*** 17,22
--- 17,23
%{
#include
+ #include
#include
#include
#include
***
*** 24,29
--- 25,31
#include
#include
#include
+ #include
#include "doas.h"
***
*** 45,50
--- 47,53
FILE *yyfp;
+ time_t pw_timeout;
struct rule **rules;
int nrules, maxrules;
int parse_errors = 0;
***
*** 56,62
%}
%token TPERMIT TDENY TAS TCMD TARGS
! %token TNOPASS TKEEPENV
%token TSTRING
%%
--- 59,65
%}
%token TPERMIT TDENY TAS TCMD TARGS
! %token TNOPASS TKEEPENV TTIMEOUT
%token TSTRING
%%
***
*** 64,72
--- 67,87
grammar:/* empty */
| grammar '\n'
| grammar rule '\n'
+ | grammar timeout '\n'
| error '\n'
;
+ timeout:TTIMEOUT TSTRING {
+ errno = 0;
+ char *ep;
+ pw_timeout = strtol($2.str,&ep,10);
+ if ($2.str[0] == '\0' || *ep != '\0')
+ errx (1, "timeout must be a number of seconds");
+ if (errno =
Re: Update to /etc/services
Also BTW... the reason for only listing used protocols, is that this file is used to populate the net.inet.tcp.baddynamic and net.inet.udp.baddynamic port lists, so adding entries to this file reduces randomness in dynamic port selection, that's why we avoid listing ports for unnecessary protocols.
Re: doas with a timeout
On 07/27/2015 01:08 PM, Theo Buehler wrote: On Mon, Jul 27, 2015 at 10:54:02AM +0300, Gregory Edigarov wrote: Hi, sudo was having a nice feature of not overwhelming the user with password prompts (cookies :-) ). This diff is adding this back to doas(1). On Mon, Jul 27, 2015 at 10:54:02AM +0300, Gregory Edigarov wrote: Hi, sudo was having a nice feature of not overwhelming the user with password prompts (cookies :-) ). This diff is adding this back to doas(1). Agreed, this is one of the sudo features I miss the most. Unfortunately, your patch didn't apply at all and didn't follow the usual style(9) guide. Could you please send a unified diff (diff -upN) next time? I'm probably missing something, but from reading your implementation of checktimeout() it seems that you can easily cumvent the password prompt using something like this (assuming the timeout is enabled for the user): $ touch /tmp/doas.timestamp.$USER $ doas ... Maybe looking at how sudo implemented this would give some ideas of how to implement this feature securely (for one thing the timestamp file was stored in /var/run/sudo/ which was owned by root:wheel). Agreed, will look at sudo implementation of this. thanks for hints
Re: doas with a timeout
On Mon, Jul 27, 2015 at 02:55:34PM +0300, Gregory Edigarov wrote: > Thanks for showing that to me, Marc. Will think on how to implement that in > a more secure way. I think I need to add a token based check? Correct? I don't think you get what I'm saying. I don't think there's any way to implement that such that it would be: - secure, - simple. thus, I don't think it belongs in doas. This is what sthen@ is also trying to tell you. We removed sudo from the base tree for a main reason: excessive complexity.
doas strtogid to parsegid
Hello tech@,
I looked at the doas code and really like the concept and simplicity. I
did found the strtogid code a little odd for two reasons:
1) It reads like an mangled variety on the parseuid function.
2) It returns -1 on error, but gid_t is defined as a __uint32_t as per
/usr/include/sys/{,_}types.h.
Option 1 makes it strange to read and option 2 could potentially cause
an error when someone is stupid enough to assign GID_MAX as gid.
To make it more consistent I reformatted strtogid to parsegid to
resemble parseuid and solve the potential incorrect error.
Sincerely,
Martijn van Duren
Index: doas.c
===
RCS file: /cvs/src/usr.bin/doas/doas.c,v
retrieving revision 1.27
diff -u -p -r1.27 doas.c
--- doas.c 26 Jul 2015 22:44:33 - 1.27
+++ doas.c 27 Jul 2015 14:38:12 -
@@ -80,19 +80,20 @@ uidcheck(const char *s, uid_t desired)
return 0;
}
-static gid_t
-strtogid(const char *s)
+static int
+parsegid(const char *s, gid_t *gid)
{
struct group *gr;
const char *errstr;
- gid_t gid;
- if ((gr = getgrnam(s)) != NULL)
- return gr->gr_gid;
- gid = strtonum(s, 0, GID_MAX, &errstr);
+ if ((gr = getgrnam(s)) != NULL) {
+ *gid = gr->gr_gid;
+ return 0;
+ }
+ *gid = strtonum(s, 0, GID_MAX, &errstr);
if (errstr)
return -1;
- return gid;
+ return 0;
}
static int
@@ -102,8 +103,8 @@ match(uid_t uid, gid_t *groups, int ngro
int i;
if (r->ident[0] == ':') {
- gid_t rgid = strtogid(r->ident + 1);
- if (rgid == -1)
+ gid_t rgid;
+ if(parsegid(r->ident + 1, &rgid) == -1)
return 0;
for (i = 0; i < ngroups; i++) {
if (rgid == groups[i])
Re: doas with a timeout
hi,
here's an updated diff using /var/doas directory root:wheel owned with a
strict 700 permissions. checks and batteries included.
Index: doas.c
===
RCS file: /cvs/src/usr.bin/doas/doas.c,v
retrieving revision 1.27
diff -u -p -u -p -r1.27 doas.c
--- doas.c26 Jul 2015 22:44:33 -1.27
+++ doas.c27 Jul 2015 15:32:27 -
@@ -18,12 +18,14 @@
#include
#include
+#include
#include
#include
#include
#include
#include
#include
+#include
#include
#include
#include
@@ -52,6 +54,39 @@ arraylen(const char **arr)
return cnt;
}
+int
+checktimeout (const char *username)
+{
+char path[PATH_MAX];
+struct stat stinfo;
+time_t tv;
+int fh;
+
+if (!stat("/var/doas", (struct stat *)&stinfo)) {
+if(stinfo.st_mode != (S_IFDIR|S_IRWXU))
+errx(1,"/var/doas must be a directory, owned by root:wheel,
and not writable nor readable by world or group");
+if(stinfo.st_uid != 0 && stinfo.st_gid != 0)
+errx(1,"/var/doas must belong to root:wheel");
+} else {
+perror ("doas");
+exit(-1);
+}
+
+snprintf((char
*)&path,PATH_MAX-1,"/var/doas/doas.timestamp.%s",username);
+tv = time((time_t *)NULL);
+
+if (!stat(path,(struct stat *)&stinfo) &&
(tv-stinfo.st_mtim.tv_sec)
+return 1;
+else {
+fh = creat(path,S_IRUSR|S_IWUSR);
+close(fh);
+return 0;
+}
+return 0;
+}
+
+
+
static int
parseuid(const char *s, uid_t *uid)
{
@@ -399,7 +434,7 @@ main(int argc, char **argv, char **envp)
"failed command for %s: %s", myname, cmdline);
fail();
}
-
+ if (pw_timeout && !checktimeout(pw->pw_name)) {
if (!(rule->options & NOPASS)) {
if (nflag)
errx(1, "Authorization required");
@@ -409,6 +444,7 @@ main(int argc, char **argv, char **envp)
fail();
}
}
+}
envp = copyenv((const char **)envp, rule);
pw = getpwuid(target);
Index: doas.conf.5
===
RCS file: /cvs/src/usr.bin/doas/doas.conf.5,v
retrieving revision 1.11
diff -u -p -u -p -r1.11 doas.conf.5
--- doas.conf.523 Jul 2015 15:26:37 -1.11
+++ doas.conf.527 Jul 2015 15:32:27 -
@@ -22,10 +22,21 @@
.Sh DESCRIPTION
The
.Xr doas 1
-utility executes commands as other users according to the rules
+utility executes commands as other users according to the rules and options
in the
.Nm
configuration file.
+.Sh OPTIONS
+.Pp
+The configuration file currently accepts one option:
+.Bd -ragged -offset indent
+.Ic timeout
+tsec
+.Pp
+By default
+.Ic doas
+prompts for password on every execution. This option sets timeout for
password reprompt to the tsec seconds value.
+.Sh RULES
.Pp
The rules have the following format:
.Bd -ragged -offset indent
@@ -113,6 +124,9 @@ and additionally permits tedu to run pro
.Bd -literal -offset indent
# Non-exhaustive list of variables needed to
# build release(8) and ports(7)
+# timeout is optional
+timeout 300 # sets the password reprompt time out to 5 minutes
+
permit nopass keepenv { \e
FTPMODE PKG_CACHE PKG_PATH SM_PATH SSH_AUTH_SOCK \e
DESTDIR DISTDIR FETCH_CMD FLAVOR GROUP MAKE MAKECONF \e
Index: doas.h
===
RCS file: /cvs/src/usr.bin/doas/doas.h,v
retrieving revision 1.4
diff -u -p -u -p -r1.4 doas.h
--- doas.h24 Jul 2015 06:36:42 -1.4
+++ doas.h27 Jul 2015 15:32:27 -
@@ -10,6 +10,7 @@ struct rule {
const char **envlist;
};
+extern time_t pw_timeout;
extern struct rule **rules;
extern int nrules, maxrules;
extern int parse_errors;
Index: parse.y
===
RCS file: /cvs/src/usr.bin/doas/parse.y,v
retrieving revision 1.10
diff -u -p -u -p -r1.10 parse.y
--- parse.y24 Jul 2015 06:36:42 -1.10
+++ parse.y27 Jul 2015 15:32:27 -
@@ -17,6 +17,7 @@
%{
#include
+#include
#include
#include
#include
@@ -24,6 +25,7 @@
#include
#include
#include
+#include
#include "doas.h"
@@ -45,6 +47,7 @@ typedef struct {
FILE *yyfp;
+time_t pw_timeout;
struct rule **rules;
int nrules, maxrules;
int parse_errors = 0;
@@ -56,7 +59,7 @@ int yyparse(void);
%}
%token TPERMIT TDENY TAS TCMD TARGS
-%token TNOPASS TKEEPENV
+%token TNOPASS TKEEPENV TTIMEOUT
%token TSTRING
%%
@@ -64,9 +67,21 @@ int yyparse(void);
grammar:/* empty */
| grammar '\n'
| grammar rule '\n'
+| grammar timeout '\n'
| error '\n'
;
+timeout:TTIMEOUT TSTRING {
+errno = 0;
+char *ep;
+pw_timeout = strtol($2.str,&ep,10);
+if ($2.str[0] == '\0' || *ep != '\0')
+errx (1, "timeout must be a number of seconds");
+if (errno == ERANGE && pw_timeout == ULONG_MAX)
+
Re: doas with a timeout
Theo Buehler wrote: > I'm probably missing something, but from reading your implementation of > checktimeout() it seems that you can easily cumvent the password prompt > using something like this (assuming the timeout is enabled for the > user): And this is why this feature is not included in doas. It is hard to get right and trivial to get wrong.
Re: doas with a timeout
Gregory Edigarov wrote: > hi, > here's an updated diff using /var/doas directory root:wheel owned with a > strict 700 permissions. checks and batteries included. Sorry, but this is not a feature we want at this time.
Re: doas strtogid to parsegid
Martijn van Duren wrote:
> Hello tech@,
>
> I looked at the doas code and really like the concept and simplicity. I
> did found the strtogid code a little odd for two reasons:
> 1) It reads like an mangled variety on the parseuid function.
> 2) It returns -1 on error, but gid_t is defined as a __uint32_t as per
> /usr/include/sys/{,_}types.h.
>
> Option 1 makes it strange to read and option 2 could potentially cause
> an error when someone is stupid enough to assign GID_MAX as gid.
>
> To make it more consistent I reformatted strtogid to parsegid to
> resemble parseuid and solve the potential incorrect error.
agreed, but the patch doesn't apply. can you resend a fixed version?
new errata for TCP, exec, and patch
A few patches are now available. Please consult the website for details. OpenBSD 5.6 errata: http://www.openbsd.org/errata56.html 027: SECURITY FIX: July 14, 2015 All architectures A TCP socket can become confused and not properly cleanup resources. A source code patch exists which remedies this problem. 028: RELIABILITY FIX: July 26, 2015 All architectures A kernel memory leak could be triggered by an unprivileged user in a failure case when using execve under systrace. A source code patch exists which remedies this problem. 029: SECURITY FIX: July 26, 2015 All architectures The patch utility could be made to invoke arbitrary commands via the obsolete SCCS and RCS support when processing a crafted input file. This patch deletes the SCCS and RCS support. A source code patch exists which remedies this problem. OpenBSD 5.7 errata: http://www.openbsd.org/errata57.html 010: SECURITY FIX: July 14, 2015 All architectures A TCP socket can become confused and not properly cleanup resources. A source code patch exists which remedies this problem. 011: RELIABILITY FIX: July 26, 2015 All architectures A kernel memory leak could be triggered by an unprivileged user in a failure case when using execve under systrace. A source code patch exists which remedies this problem. 012: SECURITY FIX: July 26, 2015 All architectures The patch utility could be made to invoke arbitrary commands via the obsolete RCS support when processing a crafted input file. This patch deletes the RCS support. A source code patch exists which remedies this problem.
audio: recover after missed interrupts
Sometimes the system may miss enough audio interrupts for DMA
pointers to wrap, which makes upper layers misbahave.
This diff makes the audio driver properly recover, by detecting and
compensating for the missed interrupts. This requires the hardware
to expose working DMA pointers and the low-level driver to properly
invoke the mid-layer call-back accordingly (ex. azalia does it).
This should fix most cases of audio programs stopping during heavy
system load or VT switching.
To test this, please install the latest in-tree libsndio and sndiod
first.
OK?
--- sys/dev/audio.c.origThu Jul 23 22:20:38 2015
+++ sys/dev/audio.c Thu Jul 23 22:37:32 2015
@@ -106,6 +106,7 @@ struct audio_softc {
unsigned char silence[4]; /* a sample of silence */
int pause; /* not trying to start DMA */
int active; /* DMA in process */
+ int offs; /* offset between play & rec dir */
void (*conv_enc)(unsigned char *, int); /* encode to native */
void (*conv_dec)(unsigned char *, int); /* decode to user */
#if NWSKBD > 0
@@ -348,7 +349,7 @@ audio_pintr(void *addr)
struct audio_softc *sc = addr;
unsigned char *ptr;
size_t count;
- int error;
+ int error, nblk, todo;
MUTEX_ASSERT_LOCKED(&audio_lock);
if (!(sc->mode & AUMODE_PLAY) || !sc->active) {
@@ -360,6 +361,23 @@ audio_pintr(void *addr)
return;
}
+ /*
+* check if record pointer wrapped, see explanation
+* in audio_rintr()
+*/
+ if (sc->mode & AUMODE_RECORD) {
+ sc->offs--;
+ nblk = sc->rec.len / sc->rec.blksz;
+ todo = -sc->offs;
+ if (todo >= nblk) {
+ todo -= todo % nblk;
+ DPRINTFN(1, "%s: rec ptr wrapped, moving %d blocs\n",
+ DEVNAME(sc), todo);
+ while (todo-- > 0)
+ audio_rintr(sc);
+ }
+ }
+
sc->play.pos += sc->play.blksz;
audio_fill_sil(sc, sc->play.data + sc->play.start, sc->play.blksz);
audio_buf_rdiscard(&sc->play, sc->play.blksz);
@@ -402,7 +420,7 @@ audio_rintr(void *addr)
struct audio_softc *sc = addr;
unsigned char *ptr;
size_t count;
- int error;
+ int error, nblk, todo;
MUTEX_ASSERT_LOCKED(&audio_lock);
if (!(sc->mode & AUMODE_RECORD) || !sc->active) {
@@ -414,6 +432,30 @@ audio_rintr(void *addr)
return;
}
+ /*
+* Interrupts may be masked by other sub-systems during 320ms
+* and more. During such a delay the hardware doesn't stop
+* playing and the play buffer pointers may wrap, this can't be
+* detected and corrected by low level drivers. This makes the
+* record stream ahead of the play stream; this is detected as a
+* hardware anomaly by userland and cause programs to misbehave.
+*
+* We fix this by advancing play position by an integer count of
+* full buffers, so it reaches the record position.
+*/
+ if (sc->mode & AUMODE_PLAY) {
+ sc->offs++;
+ nblk = sc->play.len / sc->play.blksz;
+ todo = sc->offs;
+ if (todo >= nblk) {
+ todo -= todo % nblk;
+ DPRINTFN(1, "%s: play ptr wrapped, moving %d blocs\n",
+ DEVNAME(sc), todo);
+ while (todo-- > 0)
+ audio_pintr(sc);
+ }
+ }
+
sc->rec.pos += sc->rec.blksz;
audio_buf_wcommit(&sc->rec, sc->rec.blksz);
if (sc->rec.used == sc->rec.len) {
@@ -464,6 +506,7 @@ audio_start_do(struct audio_softc *sc)
sc->rec.len, sc->rec.blksz);
error = 0;
+ sc->offs = 0;
if (sc->mode & AUMODE_PLAY) {
if (sc->ops->trigger_output) {
p.encoding = sc->hw_enc;
Re: doas man page improvements
On Sat, Jul 25, 2015 at 04:22:54PM -0400, Michael Reed wrote:
> On 07/25/15 15:01, Jason McIntyre wrote:
> > i do appreciate the mail - diffs are always welcome. but with markup i
> > just find myslef less inclined to mark up everything because i can. it's
> > only my opinion.
> >
> > jmc
>
>
> I've made a much smaller diff, including only the two bits you okay'd
> and the keepenv bit, which you said still needs confirmation from
> another developer. Thanks for all the feedback.
>
> Regards,
> Michael
>
thanks. the keepenv bit was confirmed to be correct and i've just
committed your diff.
jmc
>
>
> Index: src/usr.bin/doas/doas.1
> ===
> RCS file: /cvs/src/usr.bin/doas/doas.1,v
> retrieving revision 1.10
> diff -u -p -r1.10 doas.1
> --- src/usr.bin/doas/doas.1 21 Jul 2015 17:49:33 - 1.10
> +++ src/usr.bin/doas/doas.1 25 Jul 2015 20:19:59 -
> @@ -65,6 +65,7 @@ The password was incorrect.
> The actual program is absent or not executable.
> .El
> .Sh SEE ALSO
> +.Xr su 1 ,
> .Xr doas.conf 5
> .Sh HISTORY
> The
> Index: src/usr.bin/doas/doas.conf.5
> ===
> RCS file: /cvs/src/usr.bin/doas/doas.conf.5,v
> retrieving revision 1.11
> diff -u -p -r1.11 doas.conf.5
> --- src/usr.bin/doas/doas.conf.5 23 Jul 2015 15:26:37 - 1.11
> +++ src/usr.bin/doas/doas.conf.5 25 Jul 2015 20:19:59 -
> @@ -57,12 +57,14 @@ The default is to reset the environment,
> .Ev USER
> and
> .Ev USERNAME .
> -.It Ic keepenv { Oo variable names Oc Ic }
> -Reset the environment, but keep the space-separated specified variables.
> +.It Ic keepenv { Oo Ar variable ... Oc Ic }
> +In addition to the variables mentioned above, keep the space-separated
> +specified variables.
> .El
> .It Ar identity
> The username to match.
> -Groups may be specified by prepending a colon (:).
> +Groups may be specified by prepending a colon
> +.Pq Sq \&: .
> Numeric IDs are also accepted.
> .It Ic as Ar target
> The target user the running user is allowed to run the command as.
>
Re: Interactive "F" option in fsck man pages
On Sun, Jul 26, 2015 at 07:02:42PM -0400, Michael McConville wrote: > It's documented in fsck(8), but not fsck_*(8). This can confuse people. > I just copied its paragraph from fsck(8). > > i'm ok with this if someone wants to commit it (or ok it and i'll do it). jmc > > Index: sbin/fsck_ext2fs/fsck_ext2fs.8 > === > RCS file: /cvs/src/sbin/fsck_ext2fs/fsck_ext2fs.8,v > retrieving revision 1.16 > diff -u -p -r1.16 fsck_ext2fs.8 > --- sbin/fsck_ext2fs/fsck_ext2fs.810 Jan 2010 10:53:33 - 1.16 > +++ sbin/fsck_ext2fs/fsck_ext2fs.826 Jul 2015 22:55:27 - > @@ -166,6 +166,17 @@ this should be used with great caution a > to continue after essentially unlimited trouble has been encountered. > .El > .Pp > +If neither of the > +.Fl y > +or > +.Fl n > +options are specified, the user may force > +.Nm > +to assume an answer of > +.Dq yes > +to all the remaining questions by replying to a question with a value of > +.Dq F . > +.Pp > Inconsistencies checked are as follows: > .Pp > .Bl -enum -compact > Index: sbin/fsck_ffs/fsck_ffs.8 > === > RCS file: /cvs/src/sbin/fsck_ffs/fsck_ffs.8,v > retrieving revision 1.23 > diff -u -p -r1.23 fsck_ffs.8 > --- sbin/fsck_ffs/fsck_ffs.8 11 Feb 2013 17:35:46 - 1.23 > +++ sbin/fsck_ffs/fsck_ffs.8 26 Jul 2015 22:55:27 - > @@ -216,6 +216,17 @@ this should be used with great caution a > to continue after essentially unlimited trouble has been encountered. > .El > .Pp > +If neither of the > +.Fl y > +or > +.Fl n > +options are specified, the user may force > +.Nm > +to assume an answer of > +.Dq yes > +to all the remaining questions by replying to a question with a value of > +.Dq F . > +.Pp > In interactive mode, > .Nm > will list the conversion to be made > Index: sbin/fsck_msdos/fsck_msdos.8 > === > RCS file: /cvs/src/sbin/fsck_msdos/fsck_msdos.8,v > retrieving revision 1.14 > diff -u -p -r1.14 fsck_msdos.8 > --- sbin/fsck_msdos/fsck_msdos.8 16 Jun 2014 18:33:33 - 1.14 > +++ sbin/fsck_msdos/fsck_msdos.8 26 Jul 2015 22:55:27 - > @@ -93,6 +93,17 @@ to assume > .Dq yes > as the answer to all operator questions. > .El > +.Pp > +If neither of the > +.Fl y > +or > +.Fl n > +options are specified, the user may force > +.Nm > +to assume an answer of > +.Dq yes > +to all the remaining questions by replying to a question with a value of > +.Dq F . > .Sh SEE ALSO > .Xr fs 5 , > .Xr fstab 5 , >
Re: doas with a timeout
This is harder to make secure than you realize. Once you add it you will people will complain that if you logout and log back in again during the timeout you can still run commands. Next you will get requests for per-tty and per-destination user timeout files. But wait! If someone can change the clock (an unprivileged operation for a lot of desktop environments) they can extend their timeout without a password. So now you need to use monotonic time. The list goes on and on... If you really need this feature just install sudo from ports. - todd
Re: Interactive "F" option in fsck man pages
On Sun, Jul 26, 2015 at 07:02:42PM -0400, Michael McConville wrote: > It's documented in fsck(8), but not fsck_*(8). This can confuse people. > I just copied its paragraph from fsck(8). > > fixed, thanks. jmc > > Index: sbin/fsck_ext2fs/fsck_ext2fs.8 > === > RCS file: /cvs/src/sbin/fsck_ext2fs/fsck_ext2fs.8,v > retrieving revision 1.16 > diff -u -p -r1.16 fsck_ext2fs.8 > --- sbin/fsck_ext2fs/fsck_ext2fs.810 Jan 2010 10:53:33 - 1.16 > +++ sbin/fsck_ext2fs/fsck_ext2fs.826 Jul 2015 22:55:27 - > @@ -166,6 +166,17 @@ this should be used with great caution a > to continue after essentially unlimited trouble has been encountered. > .El > .Pp > +If neither of the > +.Fl y > +or > +.Fl n > +options are specified, the user may force > +.Nm > +to assume an answer of > +.Dq yes > +to all the remaining questions by replying to a question with a value of > +.Dq F . > +.Pp > Inconsistencies checked are as follows: > .Pp > .Bl -enum -compact > Index: sbin/fsck_ffs/fsck_ffs.8 > === > RCS file: /cvs/src/sbin/fsck_ffs/fsck_ffs.8,v > retrieving revision 1.23 > diff -u -p -r1.23 fsck_ffs.8 > --- sbin/fsck_ffs/fsck_ffs.8 11 Feb 2013 17:35:46 - 1.23 > +++ sbin/fsck_ffs/fsck_ffs.8 26 Jul 2015 22:55:27 - > @@ -216,6 +216,17 @@ this should be used with great caution a > to continue after essentially unlimited trouble has been encountered. > .El > .Pp > +If neither of the > +.Fl y > +or > +.Fl n > +options are specified, the user may force > +.Nm > +to assume an answer of > +.Dq yes > +to all the remaining questions by replying to a question with a value of > +.Dq F . > +.Pp > In interactive mode, > .Nm > will list the conversion to be made > Index: sbin/fsck_msdos/fsck_msdos.8 > === > RCS file: /cvs/src/sbin/fsck_msdos/fsck_msdos.8,v > retrieving revision 1.14 > diff -u -p -r1.14 fsck_msdos.8 > --- sbin/fsck_msdos/fsck_msdos.8 16 Jun 2014 18:33:33 - 1.14 > +++ sbin/fsck_msdos/fsck_msdos.8 26 Jul 2015 22:55:27 - > @@ -93,6 +93,17 @@ to assume > .Dq yes > as the answer to all operator questions. > .El > +.Pp > +If neither of the > +.Fl y > +or > +.Fl n > +options are specified, the user may force > +.Nm > +to assume an answer of > +.Dq yes > +to all the remaining questions by replying to a question with a value of > +.Dq F . > .Sh SEE ALSO > .Xr fs 5 , > .Xr fstab 5 , >
Re: doas with a timeout
On Mon, 27 Jul 2015 11:12:17 +0100, Kevin Chadwick wrote: > It's not a big deal but one feature of sudo that I occasionally use is > sudoedit. You can get sudoedit-like functionality without building it into doas. All you really need is an editor front-end that uses getlogin(2) to figure out the user to run the editor as. I thought Openwall Linux had something like this but I can't find a reference to it right now. - todd
Re: doas with a timeout
An easier and more reliable compromise would be running 'doas sh' and executing multiple commands in the shell that is root. Having said that, I am unsure if doas(1) uses the $HOME of the current user, or the user that the command is executed as. If $HOME is that of the current user, the advantage of using doas(1) in this way, compared to plain old 'su', is that you get a shell running as a particular user, while keeping the current environment. I will miss that "timeout" feature too, but not for long. On Mon, 27 Jul 2015 10:54:02 +0300 Gregory Edigarov wrote: > Hi, > > sudo was having a nice feature of not overwhelming the user with > password prompts (cookies :-) ). > > This diff is adding this back to doas(1). > [snip]
