forked from soccera/rdo
Add groups support
rdo now supports taking a group name instead of only allowing a single user. This also completely removes the user option, as it isn't necessary anymore with groups support.
This commit is contained in:
sw1tchbl4d3
parent
5404c11700
commit
35232fef05
4 changed files with 34 additions and 17 deletions
|
|
@ -35,12 +35,12 @@ rdo [command]
|
|||
|
||||
The configuration file has the following variables:
|
||||
```
|
||||
username=sw1tchbl4d3
|
||||
group=wheel
|
||||
wrong_pw_sleep=1000
|
||||
session_ttl=5
|
||||
```
|
||||
|
||||
- `username`: The username of the user that is allowed to execute rdo (no multi user or group support (yet)).
|
||||
- `group`: The group of users that is allowed to execute rdo.
|
||||
- `wrong_pw_sleep`: The amount of milliseconds to sleep at a wrong password attempt. Must be a positive integer. Set to 0 to disable.
|
||||
- `session_ttl`: The amount of minutes a session lasts. Must be a positive integer. Set to 0 to disable.
|
||||
|
||||
|
|
|
|||
37
rdo.c
37
rdo.c
|
|
@ -1,4 +1,5 @@
|
|||
#include <pwd.h>
|
||||
#include <grp.h>
|
||||
#include <err.h>
|
||||
#include <shadow.h>
|
||||
#include <crypt.h>
|
||||
|
|
@ -46,7 +47,7 @@ void runprog(char** program_argv) {
|
|||
}
|
||||
|
||||
int main(int argc, char** argv) {
|
||||
char username[64], wrong_pw_sleep[64], session_ttl[64], password[128];
|
||||
char groupname[64], wrong_pw_sleep[64], session_ttl[64], password[128];
|
||||
unsigned int sleep_us, tries, ts_ttl;
|
||||
|
||||
if (argc == 1) {
|
||||
|
|
@ -67,7 +68,7 @@ int main(int argc, char** argv) {
|
|||
if (!fp)
|
||||
err(1, "Could not open /etc/rdo.conf");
|
||||
|
||||
getconf(fp, "username", username, sizeof(username));
|
||||
getconf(fp, "group", groupname, sizeof(groupname));
|
||||
getconf(fp, "wrong_pw_sleep", wrong_pw_sleep, sizeof(wrong_pw_sleep));
|
||||
getconf(fp, "session_ttl", session_ttl, sizeof(session_ttl));
|
||||
sleep_us = atoi(wrong_pw_sleep) * 1000;
|
||||
|
|
@ -75,22 +76,38 @@ int main(int argc, char** argv) {
|
|||
|
||||
fclose(fp);
|
||||
|
||||
if (getsession(getppid(), ts_ttl) == 0)
|
||||
if (getsession(getppid(), ts_ttl, ruid) == 0)
|
||||
runprog(&argv[1]);
|
||||
|
||||
struct passwd* p = getpwnam(username);
|
||||
if (!p) {
|
||||
struct passwd* pw = getpwuid(ruid);
|
||||
if (!pw) {
|
||||
if (errno == 0)
|
||||
errx(1, "The user specified in the config file does not exist.");
|
||||
errx(1, "No user with UID %d", ruid);
|
||||
else
|
||||
err(1, "Could not get user info");
|
||||
}
|
||||
|
||||
int uid = p->pw_uid;
|
||||
if (uid != ruid)
|
||||
struct group* current_group_entry = getgrent();
|
||||
while (current_group_entry) {
|
||||
if (strcmp(current_group_entry->gr_name, groupname) == 0)
|
||||
break;
|
||||
current_group_entry = getgrent();
|
||||
}
|
||||
|
||||
if (!current_group_entry)
|
||||
errx(1, "The group '%s' does not exist.", groupname);
|
||||
|
||||
char* current_member = current_group_entry->gr_mem[0];
|
||||
for (int i = 1; current_member; i++) {
|
||||
if (strcmp(current_member, pw->pw_name) == 0)
|
||||
break;
|
||||
current_member = current_group_entry->gr_mem[i];
|
||||
}
|
||||
|
||||
if (!current_member)
|
||||
errx(1, "You are not allowed to execute rdo.");
|
||||
|
||||
struct spwd* shadowEntry = getspnam(p->pw_name);
|
||||
struct spwd* shadowEntry = getspnam(pw->pw_name);
|
||||
|
||||
if (!shadowEntry || !shadowEntry->sp_pwdp)
|
||||
err(1, "Could not get shadow entry");
|
||||
|
|
@ -107,7 +124,7 @@ int main(int argc, char** argv) {
|
|||
errx(1, "Could not hash password, does your user have a password?");
|
||||
|
||||
if (strcmp(shadowEntry->sp_pwdp, hashed_pw) == 0) {
|
||||
setsession(getppid(), ts_ttl);
|
||||
setsession(getppid(), ts_ttl, ruid);
|
||||
runprog(&argv[1]);
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -1,3 +1,3 @@
|
|||
username=sw1tchbl4d3
|
||||
group=wheel
|
||||
wrong_pw_sleep=1000
|
||||
session_ttl=5
|
||||
|
|
|
|||
|
|
@ -77,7 +77,7 @@ int ensuredir() {
|
|||
return 0;
|
||||
}
|
||||
|
||||
void setsession(int pid, unsigned int ts_ttl) {
|
||||
void setsession(int pid, unsigned int ts_ttl, int ruid) {
|
||||
unsigned long long startts;
|
||||
char path[1024], ts_str[32];
|
||||
|
||||
|
|
@ -87,7 +87,7 @@ void setsession(int pid, unsigned int ts_ttl) {
|
|||
if (ensuredir() < 0 || getpstartts(pid, &startts) < 0)
|
||||
return;
|
||||
|
||||
snprintf(path, sizeof(path), "/run/rdo/%d-%llu", pid, startts);
|
||||
snprintf(path, sizeof(path), "/run/rdo/%d-%d-%llu", ruid, pid, startts);
|
||||
|
||||
int fd = open(path, O_CREAT | O_EXCL | O_WRONLY, 0700);
|
||||
if (fd < 0) {
|
||||
|
|
@ -108,7 +108,7 @@ void setsession(int pid, unsigned int ts_ttl) {
|
|||
return;
|
||||
}
|
||||
|
||||
int getsession(int pid, unsigned int ts_ttl) {
|
||||
int getsession(int pid, unsigned int ts_ttl, int ruid) {
|
||||
unsigned long long startts, current;
|
||||
char path[1024], ts_str[32];
|
||||
|
||||
|
|
@ -118,7 +118,7 @@ int getsession(int pid, unsigned int ts_ttl) {
|
|||
if (ensuredir() < 0 || getpstartts(pid, &startts) < 0)
|
||||
return -1;
|
||||
|
||||
snprintf(path, sizeof(path), "/run/rdo/%d-%llu", pid, startts);
|
||||
snprintf(path, sizeof(path), "/run/rdo/%d-%d-%llu", ruid, pid, startts);
|
||||
|
||||
int fd = open(path, O_RDONLY);
|
||||
if (fd < 0) {
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue