On August 26, 2015 10:21:23 AM GMT+02:00, Renaud Allard <[email protected]>
wrote:
>On 08/26/2015 09:36 AM, Renaud Allard wrote:
>> On 08/26/2015 09:26 AM, Gregor Best wrote:
>>> On Wed, Aug 26, 2015 at 08:42:31AM +0200, Renaud Allard wrote:
>>>> [...]
>>>> + fprintf(stderr, "usage: doas [-ans] [-C config] [-u user]
>command
>>>> [args]\n");
>>>> [...]
>>>
>>> The usage string should probably be
>>>
>>> "usage: doas [-ns] [-a style] [-C config] [-u user] command
>[args]"
>>>
>>> and the new option should appear in doas(1).
>>>
>>
>> True, I will change and add that
>>
>>
>Here is the new patch with the man page corrected and an additional auth-doas
>as suggested by Alexander Hall
>
>diff -ur doas.orig/doas.1 doas/doas.1
>--- doas.orig/doas.1 Wed Aug 26 10:18:27 2015
>+++ doas/doas.1 Wed Aug 26 10:17:21 2015
>@@ -40,6 +40,12 @@
> .Pp
> The options are as follows:
> .Bl -tag -width tenletters
>+.It Fl a Ar style
>+The
>+.Fl a
>+(authentication style) option causes
>+.Nm
>+to use the specified authentication style when validating the user, as
>
>allowed by /etc/login.conf. The system administrator may specify a list
>
>of sudo-specific authentication methods by adding an ``auth-doas''
>entry
>in /etc/login.conf.
That is a horribly long line.
> .It Fl C Ar config
> Parse and check the configuration file
> .Ar config ,
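Review bot: the new -a text says the administrator may list "sudo-specific" authentication methods; this is doas and the entry is named auth-doas, so it should read "doas-specific". The path and entry name should also use mdoc macros instead of bare text, e.g. `.Pa /etc/login.conf` and `.Dq auth-doas`, with an `.Xr login.conf 5` cross-reference, and each sentence should start on its own line, which takes care of the overlong line at the same time. It would further help to say what happens when no auth-doas entry exists for the user's class (whether the plain auth entry applies), since doas.1 is the only place a user can learn that.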
>diff -ur doas.orig/doas.c doas/doas.c
>--- doas.orig/doas.c Wed Aug 26 10:18:27 2015
>+++ doas/doas.c Wed Aug 26 10:16:14 2015
>@@ -36,7 +36,7 @@
> static void __dead
> usage(void)
> {
>- fprintf(stderr, "usage: doas [-ns] [-C config] [-u user] command
>[args]\n");
>+ fprintf(stderr, "usage: doas [-ns] [-a style] [-C config] [-u user]
>command [args]\n");
> exit(1);
> }
>
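Review bot: usage() now advertises -a style, but the doas.1 diff above only touches the option list in the hunk at line 40, so the SYNOPSIS of doas.1 is presumably still missing `.Op Fl a Ar style`; it should get the same `[-ns] [-a style] [-C config] [-u user]` ordering so that usage(), SYNOPSIS and the option list agree.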
>@@ -318,6 +318,7 @@
> const char *cmd;
> char cmdline[LINE_MAX];
> char myname[_PW_NAME_LEN + 1];
>+ char *login_style = NULL;
> struct passwd *pw;
> struct rule *rule;
> uid_t uid;
>@@ -332,8 +333,11 @@
>
> uid = getuid();
>
>- while ((ch = getopt(argc, argv, "C:nsu:")) != -1) {
>+ while ((ch = getopt(argc, argv, "a:C:nsu:")) != -1) {
> switch (ch) {
>+ case 'a':
>+ login_style = optarg;
>+ break;
> case 'C':
> confpath = optarg;
> break;
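Review bot: case 'a' stores optarg in login_style without any check, and doas is setuid, so the style string is entirely attacker-chosen; whether that is safe rests on auth_userokay() refusing a style that the user's login class does not permit, which the patch neither verifies nor documents (the doas.1 text says "as allowed by /etc/login.conf", but nothing in this hunk enforces it). Either confirm that behaviour and state it in the commit message, or validate the value up front with login_getstyle() before calling auth_userokay(), and reject it with an error message rather than a generic authentication failure.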
>@@ -409,7 +413,7 @@
> if (!(rule->options & NOPASS)) {
> if (nflag)
> errx(1, "Authorization required");
>- if (!auth_userokay(myname, NULL, NULL, NULL)) {
>+ if (!auth_userokay(myname, login_style, "auth-doas", NULL)) {
Assuming the login_style is limited to the login type (or the default), which I
assume it is but could not deduce from the man page, I like this.
Whether it's adding too much to doas or not, I'm not to decide. I've already
received sort of OKs for the auth-doas part.
/Alexander
> syslog(LOG_AUTHPRIV | LOG_NOTICE,
> "failed password for %s", myname);
> permfail();
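Review bot: the failure branch still logs "failed password for %s" whatever style was used; with -a the user may have been challenged by something other than a password, so the syslog line should include login_style (or "default" when it is NULL) so an audit trail can tell an alternate-style attempt from a plain password failure. Also, because the nflag errx() precedes the auth_userokay() call, -a combined with -n is accepted on the command line but never used; doas.1 should say so, or usage() should reject the combination.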
>
>
>OK?