rdo/rdo.c

#include <pwd.h>
#include <grp.h>
#include <err.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef __linux__
#include <shadow.h>
#endif

#include "readpassphrase.h"
#include "sessions.h"

#define VERSION "1.4.3"

char* getpwhash(struct passwd* pw) {
    if (pw->pw_passwd[0] != 'x')
        return pw->pw_passwd;

#ifdef __linux__
    struct spwd* pw_entry = getspnam(pw->pw_name);

    if (!pw_entry || !pw_entry->sp_pwdp)
        err(1, "Could not get shadow entry");
    return pw_entry->sp_pwdp;
#endif

    errx(1, "Could not get hashed password entry");
}

void getconf(FILE* fp, const char* entry, char* result, size_t len_result) {
    char* line = NULL;
    size_t len = 0;

    fseek(fp, 0, SEEK_SET);

    while (getline(&line, &len, fp) != -1) {
        if (strncmp(entry, line, strlen(entry)) == 0) {
            strtok(line, "=");
            char* token = strtok(NULL, "=");
            if (token) {
                strncpy(result, token, len_result);
                result[strcspn(result, "\n")] = 0;
                free(line);
                return;
            }
        }
    }

    errx(1, "Could not get '%s' entry in config", entry);
}

void runprog(char** program_argv) {
    if (setuid(0) < 0)
        err(1, "Could not setuid");
    if (setgid(0) < 0)
        err(1, "Could not setgid");

    putenv("HOME=/root");

    // NOTE: this does not return when no error occurred.
    execvp(program_argv[0], program_argv);

    err(1, "%s", program_argv[0]);
}

int main(int argc, char** argv) {
    char groupname[64], wrong_pw_sleep[64], session_ttl[64], password[128];
    int sleep_us, tries, ts_ttl;

    int read_pw_from_stdin = 0;
    if (argc > 1)
        read_pw_from_stdin = strcmp(argv[1], "-") == 0;

    if (argc == 1 || (read_pw_from_stdin && argc == 2)) {
        printf("RootDO version: %s\n\n", VERSION);
        printf("Usage: %s [command]\n", argv[0]);
        return 0;
    }

    if (geteuid() != 0)
        errx(1, "The rdo binary needs to be installed as SUID.");

    int ruid = getuid();
    if (ruid == 0)
        runprog(&argv[read_pw_from_stdin+1]);

    FILE* fp = fopen("/etc/rdo.conf", "r");

    if (!fp)
        err(1, "Could not open /etc/rdo.conf");

    getconf(fp, "group", groupname, sizeof(groupname));
    getconf(fp, "wrong_pw_sleep", wrong_pw_sleep, sizeof(wrong_pw_sleep));
    getconf(fp, "session_ttl", session_ttl, sizeof(session_ttl));
    sleep_us = atoi(wrong_pw_sleep) * 1000;
    ts_ttl = atoi(session_ttl) * 60;

    fclose(fp);

    if (getsession(getppid(), ts_ttl, ruid) == 0 && !read_pw_from_stdin)
        runprog(&argv[1]);

    struct passwd* pw = getpwuid(ruid);
    if (!pw) {
        if (errno == 0)
            errx(1, "No user with UID %d", ruid);
        else
            err(1, "Could not get user info");
    }

    struct group* current_group_entry = getgrent();
    while (current_group_entry) {
        if (strcmp(current_group_entry->gr_name, groupname) == 0)
            break;
        current_group_entry = getgrent();
    }

    if (!current_group_entry)
        errx(1, "The group '%s' does not exist.", groupname);

    char* current_member = current_group_entry->gr_mem[0];
    for (int i = 1; current_member; i++) {
        if (strcmp(current_member, pw->pw_name) == 0)
            break;
        current_member = current_group_entry->gr_mem[i];
    }

    if (!current_member)
        errx(1, "You are not allowed to execute rdo.");

    char* user_hashed_pw = getpwhash(pw);

    tries = 0;
    while (tries < 3) {
        if (!readpassphrase("(rdo) Password: ", password, sizeof(password), read_pw_from_stdin))
            err(1, "Could not get passphrase");

        char* given_hashed_pw = crypt(password, user_hashed_pw);
        memset(password, 0, sizeof(password));

        if (!given_hashed_pw)
            errx(1, "Could not hash password, does your user have a password?");

        if (strcmp(given_hashed_pw, user_hashed_pw) == 0) {
            if (!read_pw_from_stdin)
                setsession(getppid(), ts_ttl, ruid);
            runprog(&argv[read_pw_from_stdin+1]);
        }

        usleep(sleep_us);
        fprintf(stderr, "Wrong password.\n");
        tries++;
    }
    errx(1, "Too many wrong password attempts.");
    return 1;
}
First Commit 2021-07-13 21:33:12 +02:00			`#include <pwd.h>`
Add groups support rdo now supports taking a group name instead of only allowing a single user. This also completely removes the user option, as it isn't necessary anymore with groups support. 2022-03-08 17:32:53 +01:00			`#include <grp.h>`
Improve error messages This commit makes rdo make use of the err.h header for more pleasant and convenient error logging. 2021-07-13 22:39:28 +02:00			`#include <err.h>`
First Commit 2021-07-13 21:33:12 +02:00			`#include <unistd.h>`
			`#include <stdio.h>`
Add sleep between wrong password attempts This is required for #1 2021-07-13 23:42:11 +02:00			`#include <stdlib.h>`
First Commit 2021-07-13 21:33:12 +02:00			`#include <string.h>`
Add own readpassphrase function This removes the libbsd dependency. Fixed #10. 2022-05-05 08:21:48 +02:00
Add support for platforms without shadow.h 2023-02-02 19:14:46 +01:00			`#ifdef __linux__`
			`#include <shadow.h>`
			`#endif`

Add own readpassphrase function This removes the libbsd dependency. Fixed #10. 2022-05-05 08:21:48 +02:00			`#include "readpassphrase.h"`
Add sessions feature This is by far the heaviest feature of rdo, justifying its own file for its 140loc. It creates sessions, inspired by the way doas does it. We use the /run/rdo temporary folder to store files in the format of /run/rdo/pid-ts, pid being the PID of the process that executed rdo, and ts being the timestamp at which said process started. As no 2 processes can have the exact same PID and startup time (startup time is measured in the milliseconds), this seems secure. Closes #4. 2021-07-15 23:47:27 +02:00			`#include "sessions.h"`
First Commit 2021-07-13 21:33:12 +02:00
Bump to 1.4.3 2023-02-02 20:21:15 +01:00			`#define VERSION "1.4.3"`
Add version and usage if no arguments are given. 2021-07-17 18:29:39 +02:00
Add support for platforms without shadow.h 2023-02-02 19:14:46 +01:00			`char* getpwhash(struct passwd* pw) {`
			`if (pw->pw_passwd[0] != 'x')`
			`return pw->pw_passwd;`

			`#ifdef __linux__`
			`struct spwd* pw_entry = getspnam(pw->pw_name);`

			`if (!pw_entry \|\| !pw_entry->sp_pwdp)`
			`err(1, "Could not get shadow entry");`
			`return pw_entry->sp_pwdp;`
			`#endif`

			`errx(1, "Could not get hashed password entry");`
			`}`

Add error message for faulty config 2021-07-13 23:31:23 +02:00			`void getconf(FILE* fp, const char* entry, char* result, size_t len_result) {`
Convert indentation for all files to spaces To unify things. 2022-12-17 00:37:56 +01:00			`char* line = NULL;`
			`size_t len = 0;`

			`fseek(fp, 0, SEEK_SET);`

			`while (getline(&line, &len, fp) != -1) {`
			`if (strncmp(entry, line, strlen(entry)) == 0) {`
			`strtok(line, "=");`
			`char* token = strtok(NULL, "=");`
			`if (token) {`
			`strncpy(result, token, len_result);`
			`result[strcspn(result, "\n")] = 0;`
			`free(line);`
			`return;`
			`}`
			`}`
			`}`

			`errx(1, "Could not get '%s' entry in config", entry);`
Add config for rdo This is needed for #1. 2021-07-13 23:21:34 +02:00			`}`

Reduce memory access in runprog Previously, we used a for loop to rearrange argv to omit the first argument, the rdo call itself. It's way smarter to just dereference the first argv argument, and use it as an argv pointer, to achieve the same result. 2022-03-08 16:42:43 +01:00			`void runprog(char** program_argv) {`
Convert indentation for all files to spaces To unify things. 2022-12-17 00:37:56 +01:00			`if (setuid(0) < 0)`
			`err(1, "Could not setuid");`
			`if (setgid(0) < 0)`
			`err(1, "Could not setgid");`
Add config for rdo This is needed for #1. 2021-07-13 23:21:34 +02:00
Convert indentation for all files to spaces To unify things. 2022-12-17 00:37:56 +01:00			`putenv("HOME=/root");`
Change HOME to /root on exec This affected some programs like vim, which put root-owned swap files into the normal user's swap directory, since $HOME didn't change. Fixes #11 2022-05-05 07:26:56 +02:00
Convert indentation for all files to spaces To unify things. 2022-12-17 00:37:56 +01:00			`// NOTE: this does not return when no error occurred.`
			`execvp(program_argv[0], program_argv);`
Move type declerations to start of main 2021-07-15 16:17:54 +02:00
Convert indentation for all files to spaces To unify things. 2022-12-17 00:37:56 +01:00			`err(1, "%s", program_argv[0]);`
First Commit 2021-07-13 21:33:12 +02:00			`}`

			`int main(int argc, char** argv) {`
Convert indentation for all files to spaces To unify things. 2022-12-17 00:37:56 +01:00			`char groupname[64], wrong_pw_sleep[64], session_ttl[64], password[128];`
Add support for TIOCSETVERAUTH ioctl 2023-02-04 10:32:21 +01:00			`int sleep_us, tries, ts_ttl;`
Convert indentation for all files to spaces To unify things. 2022-12-17 00:37:56 +01:00
			`int read_pw_from_stdin = 0;`
			`if (argc > 1)`
			`read_pw_from_stdin = strcmp(argv[1], "-") == 0;`

			`if (argc == 1 \|\| (read_pw_from_stdin && argc == 2)) {`
			`printf("RootDO version: %s\n\n", VERSION);`
			`printf("Usage: %s [command]\n", argv[0]);`
			`return 0;`
			`}`

			`if (geteuid() != 0)`
			`errx(1, "The rdo binary needs to be installed as SUID.");`

			`int ruid = getuid();`
			`if (ruid == 0)`
			`runprog(&argv[read_pw_from_stdin+1]);`

			`FILE* fp = fopen("/etc/rdo.conf", "r");`

			`if (!fp)`
			`err(1, "Could not open /etc/rdo.conf");`

			`getconf(fp, "group", groupname, sizeof(groupname));`
			`getconf(fp, "wrong_pw_sleep", wrong_pw_sleep, sizeof(wrong_pw_sleep));`
			`getconf(fp, "session_ttl", session_ttl, sizeof(session_ttl));`
			`sleep_us = atoi(wrong_pw_sleep) * 1000;`
			`ts_ttl = atoi(session_ttl) * 60;`

			`fclose(fp);`

			`if (getsession(getppid(), ts_ttl, ruid) == 0 && !read_pw_from_stdin)`
			`runprog(&argv[1]);`

			`struct passwd* pw = getpwuid(ruid);`
			`if (!pw) {`
			`if (errno == 0)`
			`errx(1, "No user with UID %d", ruid);`
			`else`
			`err(1, "Could not get user info");`
			`}`

			`struct group* current_group_entry = getgrent();`
			`while (current_group_entry) {`
			`if (strcmp(current_group_entry->gr_name, groupname) == 0)`
			`break;`
			`current_group_entry = getgrent();`
			`}`

			`if (!current_group_entry)`
			`errx(1, "The group '%s' does not exist.", groupname);`

			`char* current_member = current_group_entry->gr_mem[0];`
			`for (int i = 1; current_member; i++) {`
			`if (strcmp(current_member, pw->pw_name) == 0)`
			`break;`
			`current_member = current_group_entry->gr_mem[i];`
			`}`

			`if (!current_member)`
			`errx(1, "You are not allowed to execute rdo.");`

Add support for platforms without shadow.h 2023-02-02 19:14:46 +01:00			`char* user_hashed_pw = getpwhash(pw);`
Convert indentation for all files to spaces To unify things. 2022-12-17 00:37:56 +01:00
			`tries = 0;`
			`while (tries < 3) {`
			`if (!readpassphrase("(rdo) Password: ", password, sizeof(password), read_pw_from_stdin))`
			`err(1, "Could not get passphrase");`

Add support for platforms without shadow.h 2023-02-02 19:14:46 +01:00			`char* given_hashed_pw = crypt(password, user_hashed_pw);`
Convert indentation for all files to spaces To unify things. 2022-12-17 00:37:56 +01:00			`memset(password, 0, sizeof(password));`

Add support for platforms without shadow.h 2023-02-02 19:14:46 +01:00			`if (!given_hashed_pw)`
Convert indentation for all files to spaces To unify things. 2022-12-17 00:37:56 +01:00			`errx(1, "Could not hash password, does your user have a password?");`

Add support for platforms without shadow.h 2023-02-02 19:14:46 +01:00			`if (strcmp(given_hashed_pw, user_hashed_pw) == 0) {`
Convert indentation for all files to spaces To unify things. 2022-12-17 00:37:56 +01:00			`if (!read_pw_from_stdin)`
			`setsession(getppid(), ts_ttl, ruid);`
			`runprog(&argv[read_pw_from_stdin+1]);`
			`}`

			`usleep(sleep_us);`
			`fprintf(stderr, "Wrong password.\n");`
			`tries++;`
			`}`
			`errx(1, "Too many wrong password attempts.");`
			`return 1;`
First Commit 2021-07-13 21:33:12 +02:00			`}`