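/*-
 * SPDX-License-Identifier: BSD-3-Clause
 *
 * Copyright (c) 1980, 1987, 1993
 *	The Regents of the University of California.  All rights reserved.
 *
 * This code is derived from software contributed to Berkeley by
 * Bob Toxen.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of the University nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#ifndef lint
static const char copyright[] =
"@(#) Copyright (c) 1980, 1987, 1993\n\
	The Regents of the University of California.  All rights reserved.\n";
#endif /* not lint */

#ifndef lint
#if 0
static char sccsid[] = "@(#)lock.c	8.1 (Berkeley) 6/6/93";
#endif
#endif /* not lint */
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");

/*
 * Lock a terminal up until the given key is entered or the given
 * interval times out.
 *
 * Timeout interval is by default TIMEOUT, it can be changed with
 * an argument of the form "-t time" where time is in minutes.
 *
 * Two modes exist: without -p the user types a one-off key twice and
 * must repeat it to unlock; with -p the user's own credentials are
 * checked through PAM (service name "lock").
 */

#include <sys/param.h>
#include <sys/stat.h>
#include <sys/signal.h>
#include <sys/consio.h>

#include <err.h>
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <paths.h>
#include <pwd.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <termios.h>
#include <time.h>
#include <unistd.h>

#include <security/pam_appl.h>
#include <security/openpam.h>	/* for openpam_ttyconv() */

#define	TIMEOUT	15			/* default timeout, in minutes */

static void quit(int);
static void bye(int);
static void hi(int);
static void usage(void);
static void restore_terminal(void);

static struct timeval	timeout;	/* it_value handed to setitimer() */
static struct timeval	zerotime;	/* all-zero: one-shot timer */
static struct termios	tty, ntty;	/* tty: saved settings, ntty: echo off */
static long	nexttime;			/* keep the timeout time */
static int	no_timeout;			/* lock terminal forever */
static int	vtyunlock;			/* Unlock flag and code.
						 * Non-zero (0x2) once -v has
						 * locked the vty; passed back
						 * to VT_LOCKSWITCH to unlock. */

/*
 * Put the terminal back the way we found it: restore the saved termios
 * (which re-enables echo) and, if -v has locked the vty, unlock it again.
 * Every exit path after echo has been disabled must come through here,
 * otherwise the user is left with a terminal that does not echo.
 * Deliberately stdio-free so the signal handlers can share it.
 */
static void
restore_terminal(void)
{
	(void)tcsetattr(0, TCSADRAIN|TCSASOFT, &tty);
	if (vtyunlock)
		(void)ioctl(0, VT_LOCKSWITCH, &vtyunlock);
}

/*
 * Entry point.  Parses options, drops privileges unless -p needs them,
 * collects the unlock key (or prepares PAM), arms the timeout and the
 * optional vty lock, then loops on "Key:" prompts / PAM until the
 * terminal is unlocked or the timer fires.
 *
 * Options: -n no timeout, -p authenticate via PAM as the real uid,
 * -t minutes, -v also lock virtual-terminal switching.
 */
/*ARGSUSED*/
int
main(int argc, char **argv)
{
	static const struct pam_conv pamc = { &openpam_ttyconv, NULL };
	pam_handle_t *pamh;
	struct passwd *pw;
	struct itimerval ntimer, otimer;
	struct tm *timp;
	time_t timval;
	long tval;
	int ch, failures, pam_err, sectimeout, usemine, vtylock;
	char *ap, *ep, *ttynam, *tzn;
	char hostname[MAXHOSTNAMELEN], s[BUFSIZ], s1[BUFSIZ];

	openlog("lock", 0, LOG_AUTH);

	pam_err = PAM_SYSTEM_ERR;	/* pacify GCC */

	sectimeout = TIMEOUT;
	pamh = NULL;
	pw = NULL;
	usemine = 0;
	no_timeout = 0;
	vtylock = 0;
	hostname[0] = '\0';
	s[0] = '\0';
	s1[0] = '\0';
	while ((ch = getopt(argc, argv, "npt:v")) != -1)
		switch (ch) {
		case 't':
			/*
			 * Parse the timeout with strtol() rather than atoi()
			 * so that trailing junk and out-of-range values are
			 * rejected, and bound it so that "sectimeout * 60"
			 * below cannot overflow an int.  An overflowed value
			 * went negative, setitimer() then failed unnoticed
			 * and the header still promised a timeout.
			 */
			errno = 0;
			tval = strtol(optarg, &ep, 10);
			if (ep == optarg || *ep != '\0' || errno == ERANGE ||
			    tval <= 0 || tval > INT_MAX / 60)
				errx(1, "illegal timeout value");
			sectimeout = (int)tval;
			break;
		case 'p':
			usemine = 1;
			if (!(pw = getpwuid(getuid())))
				errx(1, "unknown uid %d", getuid());
			break;
		case 'n':
			no_timeout = 1;
			break;
		case 'v':
			vtylock = 1;
			break;
		case '?':
		default:
			usage();
		}
	timeout.tv_sec = sectimeout * 60;

	if (!usemine) {	/* -p with PAM or S/key needs privs */
		/*
		 * discard privs: only the PAM path needs whatever we were
		 * started with, so everything else runs as the real uid.
		 */
		if (setuid(getuid()) != 0)
			errx(1, "setuid failed");
	}

	if (tcgetattr(0, &tty))		/* get information for header */
		exit(1);
	/* gethostname() need not NUL-terminate a truncated name. */
	(void)gethostname(hostname, sizeof(hostname));
	hostname[sizeof(hostname) - 1] = '\0';
	if (!(ttynam = ttyname(0)))
		errx(1, "not a terminal?");
	if (strncmp(ttynam, _PATH_DEV, strlen(_PATH_DEV)) == 0)
		ttynam += strlen(_PATH_DEV);
	timval = time(NULL);
	nexttime = timval + (sectimeout * 60);
	if ((timp = localtime(&timval)) == NULL)
		errx(1, "localtime");	/* tm_zone below would be a NULL deref */
	ap = asctime(timp);
	tzn = timp->tm_zone;

	/* While the key is being typed, ^C / ^\ abort and restore the tty. */
	(void)signal(SIGINT, quit);
	(void)signal(SIGQUIT, quit);
	ntty = tty; ntty.c_lflag &= ~ECHO;
	(void)tcsetattr(0, TCSADRAIN|TCSASOFT, &ntty);

	if (usemine) {
		pam_err = pam_start("lock", pw->pw_name, &pamc, &pamh);
		if (pam_err != PAM_SUCCESS) {
			/* Echo is already off: put the terminal back first. */
			restore_terminal();
			errx(1, "pam_start: %s", pam_strerror(NULL, pam_err));
		}
	} else {
		/* get key and check again */
		(void)printf("Key: ");
		if (!fgets(s, sizeof(s), stdin) || *s == '\n')
			quit(0);
		(void)printf("\nAgain: ");
		/*
		 * EOF here means "no second key".  Leave s1 empty so the
		 * comparison below fails (s is known to be non-empty);
		 * comparing s1 after a failed fgets() would read a buffer
		 * whose contents are indeterminate.
		 */
		if (fgets(s1, sizeof(s1), stdin) == NULL)
			s1[0] = '\0';
		(void)putchar('\n');
		if (strcmp(s1, s)) {
			(void)printf("\07lock: passwords didn't match.\n");
			restore_terminal();
			exit(1);
		}
		/*
		 * The key stays in s1, in the clear, for as long as the
		 * terminal is locked; it is the reference for every "Key:"
		 * attempt below.
		 */
		s[0] = '\0';
	}

	/*
	 * set signal handlers: from here on interrupts and job control only
	 * re-print the prompt, and SIGALRM ends the lock on timeout.
	 */
	(void)signal(SIGINT, hi);
	(void)signal(SIGQUIT, hi);
	(void)signal(SIGTSTP, hi);
	(void)signal(SIGALRM, bye);

	ntimer.it_interval = zerotime;
	ntimer.it_value = timeout;
	if (!no_timeout) {
		/*
		 * Same reasoning as for -v below: a timer that silently
		 * failed to arm would leave the user believing in a timeout
		 * that never comes.
		 */
		if (setitimer(ITIMER_REAL, &ntimer, &otimer) == -1) {
			restore_terminal();
			err(1, "setitimer");
		}
	}
	if (vtylock) {
		/*
		 * If this failed, we want to err out; warn isn't good
		 * enough, since we don't want the user to think that
		 * everything is nice and locked because they got a
		 * "Key:" prompt.
		 */
		if (ioctl(0, VT_LOCKSWITCH, &vtylock) == -1) {
			restore_terminal();
			err(1, "locking vty");
		}
		vtyunlock = 0x2;
	}

	/* header info */
	if (pw != NULL)
		(void)printf("lock: %s using %s on %s.", pw->pw_name,
		    ttynam, hostname);
	else
		(void)printf("lock: %s on %s.", ttynam, hostname);
	if (no_timeout)
		(void)printf(" no timeout.");
	else
		(void)printf(" timeout in %d minute%s.", sectimeout,
		    sectimeout != 1 ? "s" : "");
	if (vtylock)
		(void)printf(" vty locked.");
	(void)printf("\ntime now is %.20s%s%s", ap, tzn, ap + 19);

	failures = 0;

	for (;;) {
		if (usemine) {
			pam_err = pam_authenticate(pamh, 0);
			if (pam_err == PAM_SUCCESS)
				break;

			/*
			 * Ordinary authentication failures are left for the
			 * PAM modules to report; only unexpected errors are
			 * logged here.  Note that PAM failures are not
			 * counted in "failures" below.
			 */
			if (pam_err != PAM_AUTH_ERR &&
			    pam_err != PAM_USER_UNKNOWN &&
			    pam_err != PAM_MAXTRIES) {
				syslog(LOG_ERR, "pam_authenticate: %s",
				    pam_strerror(pamh, pam_err));
			}

			goto tryagain;
		}
		(void)printf("Key: ");
		if (!fgets(s, sizeof(s), stdin)) {
			/* EOF (e.g. ^D): re-prompt rather than give up. */
			clearerr(stdin);
			hi(0);
			goto tryagain;
		}
		if (!strcmp(s, s1))
			break;
		(void)printf("\07\n");
		failures++;
		if (getuid() == 0)
			syslog(LOG_NOTICE, "%d ROOT UNLOCK FAILURE%s (%s on %s)",
			    failures, failures > 1 ? "S": "", ttynam, hostname);
tryagain:
		/*
		 * tcgetattr() failing for anything other than a signal
		 * interruption presumably means the terminal is gone;
		 * there is nothing left to lock, so just leave.
		 */
		if (tcgetattr(0, &ntty) && (errno != EINTR))
			exit(1);
		sleep(1);		/* to discourage guessing */
	}
	if (getuid() == 0)
		syslog(LOG_NOTICE, "ROOT UNLOCK ON hostname %s port %s",
		    hostname, ttynam);
	if (usemine)
		(void)pam_end(pamh, pam_err);
	quit(0);
	return(0); /* not reached */
}

/*
 * Print the usage line to stderr and exit with status 1.
 */
static void
usage(void)
{
	(void)fprintf(stderr, "usage: lock [-npv] [-t timeout]\n");
	exit(1);
}

/*
 * SIGINT/SIGQUIT/SIGTSTP handler while locked (also called directly on
 * EOF): remind the user that the key is needed and, unless -n was given,
 * how much time is left before the timeout.
 *
 * NOTE: this handler uses stdio, which is not async-signal-safe; that is
 * historical behaviour of this program.
 */
static void
hi(int signo __unused)
{
	time_t timval;

	timval = time(NULL);
	(void)printf("lock: type in the unlock key. ");
	if (no_timeout) {
		(void)putchar('\n');
	} else {
		/* seconds are zero-padded so 14:05 does not print as 14:5 */
		(void)printf("timeout in %jd:%02jd minutes\n",
		    (intmax_t)(nexttime - timval) / 60,
		    (intmax_t)(nexttime - timval) % 60);
	}
}

/*
 * Normal exit: restore the terminal (and vty) and exit 0.  Installed for
 * SIGINT/SIGQUIT while the key is being entered, and called on unlock.
 */
static void
quit(int signo __unused)
{
	(void)putchar('\n');
	restore_terminal();
	exit(0);
}

/*
 * SIGALRM handler: the timeout has expired, restore the terminal (and vty)
 * and exit 1.  A no-op when -n was given (the timer is never armed then).
 */
static void
bye(int signo __unused)
{
	if (!no_timeout) {
		restore_terminal();
		(void)printf("lock: timeout\n");
		exit(1);
	}
}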