Re: Ask for password for failed commands
> On 17 Jul 2015, at 16:18, Bob Beck wrote: > > I concur. Vadim I like the basic idea, but I do not like that in the > bogus case we still run all the priviledged user auth code. sudo also has the -l flag, which lists what commands you're allowed to run. however, it looks like if you arent allowed to run anything on the local machine sudo -l will make it look like you're entering your password incorrectly rather than report that you cant run anything. so a similar problem but different. or i cant type my password good today. dlg > > > On Thu, Jul 16, 2015 at 4:30 PM, Ted Unangst wrote: >> Vadim Zhukov wrote: >>> Ask for a password when we're going to fail() anyway, to avoid >>> leaking information about available commands. The sudo(8) behaves >>> the same way, FWIW. >> >> Let's say no for now. I'm not too concerned about this leak. I'm not sure >> what >> a user would hope to discover. Hasn't the sysadmin told them what commands >> they can run? >> >> On the other hand, running more auth code seems riskier. >> >
Re: Ask for password for failed commands
I concur. Vadim I like the basic idea, but I do not like that in the bogus case we still run all the priviledged user auth code. On Thu, Jul 16, 2015 at 4:30 PM, Ted Unangst wrote: > Vadim Zhukov wrote: >> Ask for a password when we're going to fail() anyway, to avoid >> leaking information about available commands. The sudo(8) behaves >> the same way, FWIW. > > Let's say no for now. I'm not too concerned about this leak. I'm not sure what > a user would hope to discover. Hasn't the sysadmin told them what commands > they can run? > > On the other hand, running more auth code seems riskier. >
Re: Ask for password for failed commands
Vadim Zhukov wrote: > Ask for a password when we're going to fail() anyway, to avoid > leaking information about available commands. The sudo(8) behaves > the same way, FWIW. Let's say no for now. I'm not too concerned about this leak. I'm not sure what a user would hope to discover. Hasn't the sysadmin told them what commands they can run? On the other hand, running more auth code seems riskier.
Re: Ask for password for failed commands
Vadim Zhukov wrote: > Ask for a password when we're going to fail() anyway, to avoid > leaking information about available commands. The sudo(8) behaves > the same way, FWIW. > > okay? i need to think about this for a bit. there's a strange interaction where if the nopasswd option is used, you've now created the opposite problem. maybe. also, we may want to create a fake password prompt without running through all the user auth machinery, but it gets harder then because you have to run bcrypt the right number of times, etc., etc. so maybe ok, but not right away?
Ask for password for failed commands
Ask for a password when we're going to fail() anyway, to avoid leaking information about available commands. The sudo(8) behaves the same way, FWIW. okay? -- WBR, Vadim Zhukov Index: doas.c === RCS file: /cvs/src/usr.bin/doas/doas.c,v retrieving revision 1.2 diff -u -p -r1.2 doas.c --- doas.c 16 Jul 2015 21:00:59 - 1.2 +++ doas.c 16 Jul 2015 22:05:44 - @@ -249,7 +249,7 @@ main(int argc, char **argv, char **envp) char myname[32]; uid_t uid, target = 0; gid_t groups[NGROUPS_MAX + 1]; - int ngroups; + int ngroups, permitted; struct passwd *pw; struct rule *rule; const char *cmd; @@ -292,17 +292,17 @@ main(int argc, char **argv, char **envp) err(1, "can't get groups"); groups[ngroups++] = getgid(); - if (!permit(uid, groups, ngroups, &rule, target, cmd)) { + permitted = permit(uid, groups, ngroups, &rule, target, cmd); + if (!permitted) syslog(LOG_AUTHPRIV | LOG_NOTICE, "failed command for %s: %s", myname, cmdline); - fail(); - } - - if (!(rule->options & NOPASS)) { + if (!permitted || !(rule->options & NOPASS)) { if (!auth_userokay(myname, NULL, NULL, NULL)) { syslog(LOG_AUTHPRIV | LOG_NOTICE, "failed password for %s", myname); fail(); } } + if (!permitted) + fail(); envp = copyenv((const char **)envp, rule); pw = getpwuid(target);