lock.c revision 1.30
1/* $NetBSD: lock.c,v 1.30 2008/07/21 14:19:23 lukem Exp $ */ 2 3/* 4 * Copyright (c) 1980, 1987, 1993 5 * The Regents of the University of California. All rights reserved. 6 * 7 * This code is derived from software contributed to Berkeley by 8 * Bob Toxen. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 3. Neither the name of the University nor the names of its contributors 19 * may be used to endorse or promote products derived from this software 20 * without specific prior written permission. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32 * SUCH DAMAGE. 33 */ 34 35#include <sys/cdefs.h> 36#ifndef lint 37__COPYRIGHT("@(#) Copyright (c) 1980, 1987, 1993\ 38 The Regents of the University of California. All rights reserved."); 39#endif /* not lint */ 40 41#ifndef lint 42#if 0 43static char sccsid[] = "@(#)lock.c 8.1 (Berkeley) 6/6/93"; 44#endif 45__RCSID("$NetBSD: lock.c,v 1.30 2008/07/21 14:19:23 lukem Exp $"); 46#endif /* not lint */ 47 48/* 49 * Lock a terminal up until the given key is entered, until the root 50 * password is entered, or the given interval times out. 51 * 52 * Timeout interval is by default TIMEOUT, it can be changed with 53 * an argument of the form -time where time is in minutes 54 */ 55 56#include <sys/param.h> 57#include <sys/stat.h> 58#include <sys/time.h> 59#include <signal.h> 60 61#include <err.h> 62#include <pwd.h> 63#include <errno.h> 64#include <stdio.h> 65#include <stdlib.h> 66#include <string.h> 67#include <termios.h> 68#include <time.h> 69#include <unistd.h> 70 71#ifdef USE_PAM 72#include <security/pam_appl.h> 73#include <security/openpam.h> /* for openpam_ttyconv() */ 74#endif 75 76#ifdef SKEY 77#include <skey.h> 78#endif 79 80 81#define TIMEOUT 15 82 83int main(int, char **); 84 85static void bye(int) __dead; 86static void hi(int); 87static void quit(int) __dead; 88#ifdef SKEY 89static int skey_auth(const char *); 90#endif 91 92static struct timeval timeout; 93static struct timeval zerotime; 94static struct termios tty, ntty; 95static int notimeout; /* no timeout at all */ 96static long nexttime; /* keep the timeout time */ 97 98int 99main(int argc, char **argv) 100{ 101 struct passwd *pw; 102 struct timeval timval; 103 struct itimerval ntimer, otimer; 104 struct tm *timp; 105 time_t curtime; 106 int ch, usemine; 107 long sectimeout; 108 char *ap, *mypw, *ttynam; 109 const char *tzn; 110 uid_t uid = getuid(); 111 char hostname[MAXHOSTNAMELEN + 1], s[BUFSIZ], s1[BUFSIZ]; 112#ifdef USE_PAM 113 pam_handle_t *pamh = NULL; 114 static const struct pam_conv pamc = { &openpam_ttyconv, NULL }; 115 int pam_err; 116#endif 117 118 if ((pw = getpwuid(getuid())) == NULL) 119 errx(1, "unknown uid %lu.", (u_long)uid); 120 121 notimeout = 0; 122 sectimeout = TIMEOUT; 123 mypw = NULL; 124 usemine = 0; 125 126 while ((ch = getopt(argc, argv, "npt:")) != -1) 127 switch ((char)ch) { 128 case 'n': 129 notimeout = 1; 130 break; 131 case 't': 132 errno = 0; 133 if (((sectimeout = strtol(optarg, &ap, 0)) == LONG_MAX 134 || sectimeout == LONG_MIN) 135 && errno == ERANGE) 136 err(1, "illegal timeout value: %s", optarg); 137 if (optarg == ap || *ap || sectimeout <= 0) 138 errx(1, "illegal timeout value: %s", optarg); 139 if (sectimeout >= INT_MAX / 60) 140 errx(1, "too large timeout value: %ld", 141 sectimeout); 142 break; 143 case 'p': 144 usemine = 1; 145#ifndef USE_PAM 146 mypw = strdup(pw->pw_passwd); 147 if (!mypw) 148 err(1, "strdup"); 149#endif 150 break; 151 case '?': 152 default: 153 (void)fprintf(stderr, 154 "usage: %s [-np] [-t timeout]\n", getprogname()); 155 exit(1); 156 } 157 158#if defined(USE_PAM) || defined(SKEY) 159 if (! usemine) { /* -p with PAM or S/key needs privs */ 160#endif 161 if (setuid(uid) == -1) /* discard privs */ 162 err(1, "setuid failed"); 163#if defined(USE_PAM) || defined(SKEY) 164 } 165#endif 166 167 timeout.tv_sec = (int)sectimeout * 60; 168 169 if (tcgetattr(STDIN_FILENO, &tty) < 0) /* get information for header */ 170 err(1, "tcgetattr failed"); 171 gethostname(hostname, sizeof(hostname)); 172 hostname[sizeof(hostname) - 1] = '\0'; 173 if (!(ttynam = ttyname(STDIN_FILENO))) 174 err(1, "ttyname failed"); 175 if (gettimeofday(&timval, NULL) == -1) 176 err(1, "gettimeofday failed"); 177 curtime = timval.tv_sec; 178 nexttime = timval.tv_sec + ((int)sectimeout * 60); 179 timp = localtime(&curtime); 180 ap = asctime(timp); 181#ifdef __SVR4 182 tzn = tzname[0]; 183#else 184 tzn = timp->tm_zone; 185#endif 186 187 if (signal(SIGINT, quit) == SIG_ERR) 188 err(1, "signal failed"); 189 if (signal(SIGQUIT, quit) == SIG_ERR) 190 err(1, "signal failed"); 191 ntty = tty; ntty.c_lflag &= ~ECHO; 192 if (tcsetattr(STDIN_FILENO, TCSADRAIN, &ntty) == -1) 193 err(1, "tcsetattr"); 194 195 if (!usemine) { 196 /* get key and check again */ 197 (void)printf("Key: "); 198 if (!fgets(s, sizeof(s), stdin) || *s == '\n') 199 quit(0); 200 (void)printf("\nAgain: "); 201 /* 202 * Don't need EOF test here, if we get EOF, then s1 != s 203 * and the right things will happen. 204 */ 205 (void)fgets(s1, sizeof(s1), stdin); 206 (void)putchar('\n'); 207 if (strcmp(s1, s)) { 208 (void)printf("\alock: passwords didn't match.\n"); 209 (void)tcsetattr(STDIN_FILENO, TCSADRAIN, &tty); 210 exit(1); 211 } 212 s[0] = '\0'; 213 mypw = s1; 214 } 215#ifdef USE_PAM 216 if (usemine) { 217 pam_err = pam_start("lock", pw->pw_name, &pamc, &pamh); 218 if (pam_err != PAM_SUCCESS) 219 err(1, "pam_start: %s", pam_strerror(NULL, pam_err)); 220 } 221#endif 222 223 /* set signal handlers */ 224 if (signal(SIGINT, hi) == SIG_ERR) 225 err(1, "signal failed"); 226 if (signal(SIGQUIT, hi) == SIG_ERR) 227 err(1, "signal failed"); 228 if (signal(SIGTSTP, hi) == SIG_ERR) 229 err(1, "signal failed"); 230 231 if (notimeout) { 232 if (signal(SIGALRM, hi) == SIG_ERR) 233 err(1, "signal failed"); 234 (void)printf("lock: %s on %s. no timeout.\n" 235 "time now is %.20s%s%s", 236 ttynam, hostname, ap, tzn, ap + 19); 237 } 238 else { 239 if (signal(SIGALRM, bye) == SIG_ERR) 240 err(1, "signal failed"); 241 242 ntimer.it_interval = zerotime; 243 ntimer.it_value = timeout; 244 if (setitimer(ITIMER_REAL, &ntimer, &otimer) == -1) 245 err(1, "setitimer failed"); 246 247 /* header info */ 248 (void)printf("lock: %s on %s. timeout in %ld minutes\n" 249 "time now is %.20s%s%s", 250 ttynam, hostname, sectimeout, ap, tzn, ap + 19); 251 } 252 253 for (;;) { 254#ifdef USE_PAM 255 if (usemine) { 256 pam_err = pam_authenticate(pamh, 0); 257 if (pam_err == PAM_SUCCESS) 258 break; 259 goto tryagain; 260 } 261#endif 262 (void)printf("Key: "); 263 if (!fgets(s, sizeof(s), stdin)) { 264 clearerr(stdin); 265 hi(0); 266 goto tryagain; 267 } 268#ifndef USE_PAM 269 if (usemine) { 270 s[strlen(s) - 1] = '\0'; 271#ifdef SKEY 272 if (strcasecmp(s, "s/key") == 0) { 273 if (skey_auth(pw->pw_name)) 274 break; 275 } 276#endif 277 if (!strcmp(mypw, crypt(s, mypw))) 278 break; 279 } 280 else 281#endif 282 if (!strcmp(s, s1)) 283 break; 284 (void)printf("\a\n"); 285 tryagain: 286 if (tcsetattr(STDIN_FILENO, TCSADRAIN, &ntty) == -1 287 && errno != EINTR) 288 err(1, "tcsetattr failed"); 289 } 290#ifdef USE_PAM 291 if (usemine) { 292 (void)pam_end(pamh, pam_err); 293 } 294#endif 295 quit(0); 296 /* NOTREACHED */ 297 return 0; 298} 299 300#ifdef SKEY 301/* 302 * We can't use libskey's skey_authenticate() since it 303 * handles signals in a way that's inappropriate 304 * for our needs. Instead we roll our own. 305 */ 306static int 307skey_auth(const char *user) 308{ 309 char s[128]; 310 const char *ask; 311 int ret = 0; 312 313 if (!skey_haskey(user) && (ask = skey_keyinfo(user))) { 314 (void)printf("\n[%s]\nResponse: ", ask); 315 if (!fgets(s, sizeof(s), stdin) || *s == '\n') 316 clearerr(stdin); 317 else { 318 s[strlen(s) - 1] = '\0'; 319 if (skey_passcheck(user, s) != -1) 320 ret = 1; 321 } 322 } else 323 (void)printf("Sorry, you have no s/key.\n"); 324 return ret; 325} 326#endif 327 328static void 329hi(dummy) 330 int dummy; 331{ 332 struct timeval timval; 333 334 if (notimeout) 335 (void)printf("lock: type in the unlock key.\n"); 336 else { 337 if (gettimeofday(&timval, NULL) == -1) 338 err(1, "gettimeofday failed"); 339 (void)printf("lock: type in the unlock key. " 340 "timeout in %ld:%ld minutes\n", 341 (nexttime - timval.tv_sec) / 60, 342 (nexttime - timval.tv_sec) % 60); 343 } 344} 345 346static void 347quit(int dummy) 348{ 349 (void)putchar('\n'); 350 (void)tcsetattr(STDIN_FILENO, TCSADRAIN, &tty); 351 exit(0); 352} 353 354static void 355bye(int dummy) 356{ 357 (void)tcsetattr(STDIN_FILENO, TCSADRAIN, &tty); 358 (void)printf("lock: timeout\n"); 359 exit(1); 360} 361