On 08/26/2015 09:36 AM, Renaud Allard wrote:
> On 08/26/2015 09:26 AM, Gregor Best wrote:
>> On Wed, Aug 26, 2015 at 08:42:31AM +0200, Renaud Allard wrote:
>>> [...]
>>> + fprintf(stderr, "usage: doas [-ans] [-C config] [-u user] command
>>> [args]\n");
>>> [...]
>> The usage string should probably be
>> "usage: doas [-ns] [-a style] [-C config] [-u user] command [args]"
>> and the new option should appear in doas(1).
> True, I will change and add that.
Here is the new patch with the man page corrected and an additional auth-doas,
as suggested by Alexander Hall.
diff -ur doas.orig/doas.1 doas/doas.1
--- doas.orig/doas.1 Wed Aug 26 10:18:27 2015
+++ doas/doas.1 Wed Aug 26 10:17:21 2015
@@ -40,6 +40,12 @@
.Pp
The options are as follows:
.Bl -tag -width tenletters
+.It Fl a Ar style
+The
+.Fl a
+(authentication style) option causes
+.Nm
+to use the specified authentication style when validating the user, as
allowed by /etc/login.conf. The system administrator may specify a list
of sudo-specific authentication methods by adding an ``auth-doas'' entry
in /etc/login.conf.
.It Fl C Ar config
Parse and check the configuration file
.Ar config ,
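Review bot: The new -a description says "sudo-specific authentication methods", but this is doas.1 and the entry it names is ``auth-doas'', so it should read "doas-specific". The paragraph would also fit the page's existing mdoc markup better if each sentence started on its own line and the path and entry name were marked up, for example with .Pa /etc/login.conf and .Dq auth-doas, instead of being written as raw text.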
diff -ur doas.orig/doas.c doas/doas.c
--- doas.orig/doas.c Wed Aug 26 10:18:27 2015
+++ doas/doas.c Wed Aug 26 10:16:14 2015
@@ -36,7 +36,7 @@
static void __dead
usage(void)
{
- fprintf(stderr, "usage: doas [-ns] [-C config] [-u user] command
[args]\n");
+ fprintf(stderr, "usage: doas [-ns] [-a style] [-C config] [-u user]
command [args]\n");
exit(1);
}
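Review bot: The replacement fprintf line in usage() is split in two, with the second half (command [args]\n");) carrying no "+" prefix, so the string literal is broken and the hunk will not apply as sent. Please resend with line wrapping disabled or as an attachment. The option order in the string itself matches the suggested "[-ns] [-a style] [-C config] [-u user]".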
@@ -318,6 +318,7 @@
const char *cmd;
char cmdline[LINE_MAX];
char myname[_PW_NAME_LEN + 1];
+ char *login_style = NULL;
struct passwd *pw;
struct rule *rule;
uid_t uid;
@@ -332,8 +333,11 @@
uid = getuid();
- while ((ch = getopt(argc, argv, "C:nsu:")) != -1) {
+ while ((ch = getopt(argc, argv, "a:C:nsu:")) != -1) {
switch (ch) {
+ case 'a':
+ login_style = optarg;
+ break;
case 'C':
confpath = optarg;
break;
@@ -409,7 +413,7 @@
if (!(rule->options & NOPASS)) {
if (nflag)
errx(1, "Authorization required");
- if (!auth_userokay(myname, NULL, NULL, NULL)) {
+ if (!auth_userokay(myname, login_style, "auth-doas", NULL)) {
syslog(LOG_AUTHPRIV | LOG_NOTICE,
"failed password for %s", myname);
permfail();
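Review bot: The syslog call right after the changed auth_userokay() line still logs "failed password for %s", which is no longer accurate once -a lets the caller select a style other than a password. A neutral message such as "failed auth for %s", with login_style included when it is non-NULL, would let someone reading the auth log see which style a failed attempt used.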
OK?