xref: /freebsd/usr.bin/lock/lock.c (revision 7ef62cebc2f965b0f640263e179276928885e33d)
1 /*-
2  * SPDX-License-Identifier: BSD-3-Clause
3  *
4  * Copyright (c) 1980, 1987, 1993
5  *	The Regents of the University of California.  All rights reserved.
6  *
7  * This code is derived from software contributed to Berkeley by
8  * Bob Toxen.
9  *
10  * Redistribution and use in source and binary forms, with or without
11  * modification, are permitted provided that the following conditions
12  * are met:
13  * 1. Redistributions of source code must retain the above copyright
14  *    notice, this list of conditions and the following disclaimer.
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in the
17  *    documentation and/or other materials provided with the distribution.
18  * 3. Neither the name of the University nor the names of its contributors
19  *    may be used to endorse or promote products derived from this software
20  *    without specific prior written permission.
21  *
22  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
23  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
26  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32  * SUCH DAMAGE.
33  */
34 
35 #ifndef lint
36 static const char copyright[] =
37 "@(#) Copyright (c) 1980, 1987, 1993\n\
38 	The Regents of the University of California.  All rights reserved.\n";
39 #endif /* not lint */
40 
41 #ifndef lint
42 #if 0
43 static char sccsid[] = "@(#)lock.c	8.1 (Berkeley) 6/6/93";
44 #endif
45 #endif /* not lint */
46 #include <sys/cdefs.h>
47 __FBSDID("$FreeBSD$");
48 
49 /*
50  * Lock a terminal up until the given key is entered or the given
51  * interval times out.
52  *
53  * Timeout interval is by default TIMEOUT, it can be changed with
54  * an argument of the form -time where time is in minutes
55  */
56 
57 #include <sys/param.h>
58 #include <sys/stat.h>
59 #include <sys/signal.h>
60 #include <sys/consio.h>
61 
62 #include <err.h>
63 #include <ctype.h>
64 #include <errno.h>
65 #include <paths.h>
66 #include <pwd.h>
67 #include <stdint.h>
68 #include <stdio.h>
69 #include <stdlib.h>
70 #include <string.h>
71 #include <syslog.h>
72 #include <termios.h>
73 #include <time.h>
74 #include <unistd.h>
75 
76 #include <security/pam_appl.h>
77 #include <security/openpam.h>	/* for openpam_ttyconv() */
78 
79 #define	TIMEOUT	15
80 
81 static void quit(int);
82 static void bye(int);
83 static void hi(int);
84 static void usage(void) __dead2;
85 
86 static struct timeval	timeout;
87 static struct timeval	zerotime;
88 static struct termios	tty, ntty;
89 static long		nexttime;		/* keep the timeout time */
90 static int		no_timeout;		/* lock terminal forever */
91 static int		vtyunlock;		/* Unlock flag and code. */
92 
93 /*ARGSUSED*/
94 int
95 main(int argc, char **argv)
96 {
97 	static const struct pam_conv pamc = { &openpam_ttyconv, NULL };
98 	pam_handle_t *pamh;
99 	struct passwd *pw;
100 	struct itimerval ntimer, otimer;
101 	struct tm *timp;
102 	time_t timval;
103 	int ch, failures, pam_err, sectimeout, usemine, vtylock;
104 	char *ap, *ttynam, *tzn;
105 	char hostname[MAXHOSTNAMELEN], s[BUFSIZ], s1[BUFSIZ];
106 
107 	openlog("lock", 0, LOG_AUTH);
108 
109 	pam_err = PAM_SYSTEM_ERR; /* pacify GCC */
110 
111 	sectimeout = TIMEOUT;
112 	pamh = NULL;
113 	pw = NULL;
114 	usemine = 0;
115 	no_timeout = 0;
116 	vtylock = 0;
117 	while ((ch = getopt(argc, argv, "npt:v")) != -1)
118 		switch((char)ch) {
119 		case 't':
120 			if ((sectimeout = atoi(optarg)) <= 0)
121 				errx(1, "illegal timeout value");
122 			break;
123 		case 'p':
124 			usemine = 1;
125 			if (!(pw = getpwuid(getuid())))
126 				errx(1, "unknown uid %d", getuid());
127 			break;
128 		case 'n':
129 			no_timeout = 1;
130 			break;
131 		case 'v':
132 			vtylock = 1;
133 			break;
134 		case '?':
135 		default:
136 			usage();
137 		}
138 	timeout.tv_sec = sectimeout * 60;
139 
140 	if (!usemine) {	/* -p with PAM or S/key needs privs */
141 		/* discard privs */
142 		if (setuid(getuid()) != 0)
143 			errx(1, "setuid failed");
144 	}
145 
146 	if (tcgetattr(0, &tty))		/* get information for header */
147 		exit(1);
148 	gethostname(hostname, sizeof(hostname));
149 	if (!(ttynam = ttyname(0)))
150 		errx(1, "not a terminal?");
151 	if (strncmp(ttynam, _PATH_DEV, strlen(_PATH_DEV)) == 0)
152 		ttynam += strlen(_PATH_DEV);
153 	timval = time(NULL);
154 	nexttime = timval + (sectimeout * 60);
155 	timp = localtime(&timval);
156 	ap = asctime(timp);
157 	tzn = timp->tm_zone;
158 
159 	(void)signal(SIGINT, quit);
160 	(void)signal(SIGQUIT, quit);
161 	ntty = tty; ntty.c_lflag &= ~ECHO;
162 	(void)tcsetattr(0, TCSADRAIN|TCSASOFT, &ntty);
163 
164 	if (usemine) {
165 		pam_err = pam_start("lock", pw->pw_name, &pamc, &pamh);
166 		if (pam_err != PAM_SUCCESS)
167 			err(1, "pam_start: %s", pam_strerror(NULL, pam_err));
168 	} else {
169 		/* get key and check again */
170 		(void)printf("Key: ");
171 		if (!fgets(s, sizeof(s), stdin) || *s == '\n')
172 			quit(0);
173 		(void)printf("\nAgain: ");
174 		/*
175 		 * Don't need EOF test here, if we get EOF, then s1 != s
176 		 * and the right things will happen.
177 		 */
178 		(void)fgets(s1, sizeof(s1), stdin);
179 		(void)putchar('\n');
180 		if (strcmp(s1, s)) {
181 			(void)printf("\07lock: passwords didn't match.\n");
182 			(void)tcsetattr(0, TCSADRAIN|TCSASOFT, &tty);
183 			exit(1);
184 		}
185 		s[0] = '\0';
186 	}
187 
188 	/* set signal handlers */
189 	(void)signal(SIGINT, hi);
190 	(void)signal(SIGQUIT, hi);
191 	(void)signal(SIGTSTP, hi);
192 	(void)signal(SIGALRM, bye);
193 
194 	ntimer.it_interval = zerotime;
195 	ntimer.it_value = timeout;
196 	if (!no_timeout)
197 		setitimer(ITIMER_REAL, &ntimer, &otimer);
198 	if (vtylock) {
199 		/*
200 		 * If this failed, we want to err out; warn isn't good
201 		 * enough, since we don't want the user to think that
202 		 * everything is nice and locked because they got a
203 		 * "Key:" prompt.
204 		 */
205 		if (ioctl(0, VT_LOCKSWITCH, &vtylock) == -1) {
206 			(void)tcsetattr(0, TCSADRAIN|TCSASOFT, &tty);
207 			err(1, "locking vty");
208 		}
209 		vtyunlock = 0x2;
210 	}
211 
212 	/* header info */
213 	if (pw != NULL)
214 		(void)printf("lock: %s using %s on %s.", pw->pw_name,
215 		    ttynam, hostname);
216 	else
217 		(void)printf("lock: %s on %s.", ttynam, hostname);
218 	if (no_timeout)
219 		(void)printf(" no timeout.");
220 	else
221 		(void)printf(" timeout in %d minute%s.", sectimeout,
222 		    sectimeout != 1 ? "s" : "");
223 	if (vtylock)
224 		(void)printf(" vty locked.");
225 	(void)printf("\ntime now is %.20s%s%s", ap, tzn, ap + 19);
226 
227 	failures = 0;
228 
229 	for (;;) {
230 		if (usemine) {
231 			pam_err = pam_authenticate(pamh, 0);
232 			if (pam_err == PAM_SUCCESS)
233 				break;
234 
235 			if (pam_err != PAM_AUTH_ERR &&
236 			    pam_err != PAM_USER_UNKNOWN &&
237 			    pam_err != PAM_MAXTRIES) {
238 				syslog(LOG_ERR, "pam_authenticate: %s",
239 				    pam_strerror(pamh, pam_err));
240 			}
241 
242 			goto tryagain;
243 		}
244 		(void)printf("Key: ");
245 		if (!fgets(s, sizeof(s), stdin)) {
246 			clearerr(stdin);
247 			hi(0);
248 			goto tryagain;
249 		}
250 		if (!strcmp(s, s1))
251 			break;
252 		(void)printf("\07\n");
253 	    	failures++;
254 		if (getuid() == 0)
255 	    	    syslog(LOG_NOTICE, "%d ROOT UNLOCK FAILURE%s (%s on %s)",
256 			failures, failures > 1 ? "S": "", ttynam, hostname);
257 tryagain:
258 		if (tcgetattr(0, &ntty) && (errno != EINTR))
259 			exit(1);
260 		sleep(1);		/* to discourage guessing */
261 	}
262 	if (getuid() == 0)
263 		syslog(LOG_NOTICE, "ROOT UNLOCK ON hostname %s port %s",
264 		    hostname, ttynam);
265 	if (usemine)
266 		(void)pam_end(pamh, pam_err);
267 	quit(0);
268 	return(0); /* not reached */
269 }
270 
271 
272 static void
273 usage(void)
274 {
275 	(void)fprintf(stderr, "usage: lock [-npv] [-t timeout]\n");
276 	exit(1);
277 }
278 
279 static void
280 hi(int signo __unused)
281 {
282 	time_t timval;
283 
284 	timval = time(NULL);
285 	(void)printf("lock: type in the unlock key. ");
286 	if (no_timeout) {
287 		(void)putchar('\n');
288 	} else {
289 		(void)printf("timeout in %jd:%jd minutes\n",
290 		    (intmax_t)(nexttime - timval) / 60,
291 		    (intmax_t)(nexttime - timval) % 60);
292 	}
293 }
294 
295 static void
296 quit(int signo __unused)
297 {
298 	(void)putchar('\n');
299 	(void)tcsetattr(0, TCSADRAIN|TCSASOFT, &tty);
300 	if (vtyunlock)
301 		(void)ioctl(0, VT_LOCKSWITCH, &vtyunlock);
302 	exit(0);
303 }
304 
305 static void
306 bye(int signo __unused)
307 {
308 	if (!no_timeout) {
309 		(void)tcsetattr(0, TCSADRAIN|TCSASOFT, &tty);
310 		if (vtyunlock)
311 			(void)ioctl(0, VT_LOCKSWITCH, &vtyunlock);
312 		(void)printf("lock: timeout\n");
313 		exit(1);
314 	}
315 }
316