xref: /freebsd/usr.sbin/bsdconfig/share/mustberoot.subr (revision d0b2dbfa0ecf2bbc9709efc5e20baf8e4b44bbbf) 
1ab2043b8SDevin Teskeif [ ! "$_MUSTBEROOT_SUBR" ]; then _MUSTBEROOT_SUBR=1
2ab2043b8SDevin Teske#
3e14ddd1fSDevin Teske# Copyright (c) 2006-2013 Devin Teske
4f8ea072aSDevin Teske# All rights reserved.
5ab2043b8SDevin Teske#
6ab2043b8SDevin Teske# Redistribution and use in source and binary forms, with or without
7ab2043b8SDevin Teske# modification, are permitted provided that the following conditions
8ab2043b8SDevin Teske# are met:
9ab2043b8SDevin Teske# 1. Redistributions of source code must retain the above copyright
10ab2043b8SDevin Teske#    notice, this list of conditions and the following disclaimer.
11ab2043b8SDevin Teske# 2. Redistributions in binary form must reproduce the above copyright
12ab2043b8SDevin Teske#    notice, this list of conditions and the following disclaimer in the
13ab2043b8SDevin Teske#    documentation and/or other materials provided with the distribution.
14ab2043b8SDevin Teske#
15ab2043b8SDevin Teske# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
168e37a7c8SDevin Teske# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17ab2043b8SDevin Teske# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18ab2043b8SDevin Teske# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19ab2043b8SDevin Teske# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
208e37a7c8SDevin Teske# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21ab2043b8SDevin Teske# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22ab2043b8SDevin Teske# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23ab2043b8SDevin Teske# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24ab2043b8SDevin Teske# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25ab2043b8SDevin Teske# SUCH DAMAGE.
26ab2043b8SDevin Teske#
27ab2043b8SDevin Teske#
28ab2043b8SDevin Teske############################################################ INCLUDES
29ab2043b8SDevin Teske
30ab2043b8SDevin TeskeBSDCFG_SHARE="/usr/share/bsdconfig"
31ab2043b8SDevin Teske. $BSDCFG_SHARE/common.subr || exit 1
3256961fd7SDevin Teskef_dprintf "%s: loading includes..." mustberoot.subr
33ab2043b8SDevin Teskef_include $BSDCFG_SHARE/dialog.subr
34*d4ae33f0SDevin Teskef_include $BSDCFG_SHARE/strings.subr
35ab2043b8SDevin Teske
36ab2043b8SDevin TeskeBSDCFG_LIBE="/usr/libexec/bsdconfig"
37ab2043b8SDevin Teskef_include_lang $BSDCFG_LIBE/include/messages.subr
38ab2043b8SDevin Teske
39ab2043b8SDevin Teske############################################################ CONFIGURATION
40ab2043b8SDevin Teske# NOTE: These are not able to be overridden/inherited for security purposes.
41ab2043b8SDevin Teske
42ab2043b8SDevin Teske#
43ab2043b8SDevin Teske# Number of tries a user gets to enter his/her password before we log the
44ab2043b8SDevin Teske# sudo(8) failure and exit.
45ab2043b8SDevin Teske#
46ab2043b8SDevin TeskePASSWD_TRIES=3
47ab2043b8SDevin Teske
48ab2043b8SDevin Teske#
49ab2043b8SDevin Teske# While in SECURE mode, should authentication as `root' be allowed? Set to
50ab2043b8SDevin Teske# non-NULL to enable authentication as `root', otherwise disabled.
51ab2043b8SDevin Teske#
52ab2043b8SDevin Teske# WARNING:
53ab2043b8SDevin Teske# Unless using a custom sudo(8) configuration, user `root' should not be
54ab2043b8SDevin Teske# allowed because no password is required to become `root' when already `root'
55ab2043b8SDevin Teske# and therefore, any value entered as password will work.
56ab2043b8SDevin Teske#
57ab2043b8SDevin TeskeSECURE_ALLOW_ROOT=
58ab2043b8SDevin Teske
59ab2043b8SDevin Teske#
60ab2043b8SDevin Teske# While in SECURE mode, should we divulge (through error message) when the
61ab2043b8SDevin Teske# requested authentication user does not exist? Set to non-NULL to enable,
62ab2043b8SDevin Teske# otherwise a non-existent user is treated like an invalid password.
63ab2043b8SDevin Teske#
64ab2043b8SDevin TeskeSECURE_DIVULGE_UNKNOWN_USER=
65ab2043b8SDevin Teske
66ab2043b8SDevin Teske############################################################ FUNCTIONS
67ab2043b8SDevin Teske
68ab2043b8SDevin Teske# f_become_root_via_sudo
69ab2043b8SDevin Teske#
70ab2043b8SDevin Teske# If not running as root, prompt for sudo(8) credentials to become root.
71ab2043b8SDevin Teske# Re-execution of the current program via sudo is automatically handled.
72ab2043b8SDevin Teske#
73ab2043b8SDevin Teske# The following environment variables effect functionality:
74ab2043b8SDevin Teske#
75ab2043b8SDevin Teske# 	USE_XDIALOG   Either NULL or Non-NULL. If given a value will indicate
76ab2043b8SDevin Teske# 	              that Xdialog(1) should be used instead of dialog(1).
77ab2043b8SDevin Teske#
78ab2043b8SDevin Teskef_become_root_via_sudo()
79ab2043b8SDevin Teske{
80*d4ae33f0SDevin Teske	local funcname=f_become_root_via_sudo
81052f8969SDevin Teske	local prompt hline height width rows msg
82ab2043b8SDevin Teske
83ab2043b8SDevin Teske	[ "$( id -u )" = "0" ] && return $SUCCESS
84ab2043b8SDevin Teske
85ab2043b8SDevin Teske	f_have sudo || f_die 1 "$msg_must_be_root_to_execute" "$pgm"
86ab2043b8SDevin Teske
87ab2043b8SDevin Teske	#
889da4528eSDevin Teske	# Ask the user if it's OK to become root via sudo(8) and give them
899da4528eSDevin Teske	# the option to save this preference (by touch(1)ing a file in the
909da4528eSDevin Teske	# user's $HOME directory).
919da4528eSDevin Teske	#
929da4528eSDevin Teske	local checkpath="${HOME%/}/.bsdconfig_uses_sudo"
939da4528eSDevin Teske	if [ ! -e "$checkpath" ]; then
94*d4ae33f0SDevin Teske		f_sprintf prompt "$msg_you_are_not_root_but" bsdconfig
95*d4ae33f0SDevin Teske		f_sprintf msg "$msg_always_try_sudo_when_run_as" "$USER"
969da4528eSDevin Teske		local menu_list="
979da4528eSDevin Teske			'X' '$msg_cancel_exit'
989da4528eSDevin Teske			'1' '$msg'
999da4528eSDevin Teske			'2' '$msg_try_sudo_only_this_once'
1009da4528eSDevin Teske		" # END-QUOTE
1019da4528eSDevin Teske		hline="$hline_arrows_tab_enter"
102052f8969SDevin Teske
10374036c4dSDevin Teske		eval f_dialog_menu_size height width rows \
1049da4528eSDevin Teske		                        \"\$DIALOG_TITLE\"     \
1059da4528eSDevin Teske		                        \"\$DIALOG_BACKTITLE\" \
106052f8969SDevin Teske		                        \"\$prompt\"           \
1079da4528eSDevin Teske		                        \"\$hline\"            \
10874036c4dSDevin Teske		                        $menu_list
1099da4528eSDevin Teske
110fd962ac6SDevin Teske		local mtag
111fd962ac6SDevin Teske		mtag=$( eval $DIALOG \
1129da4528eSDevin Teske			--title \"\$DIALOG_TITLE\"         \
1139da4528eSDevin Teske			--backtitle \"\$DIALOG_BACKTITLE\" \
1149da4528eSDevin Teske			--hline \"\$hline\"                \
1159da4528eSDevin Teske			--ok-label \"\$msg_ok\"            \
1169da4528eSDevin Teske			--cancel-label \"\$msg_cancel\"    \
117052f8969SDevin Teske			--menu \"\$prompt\"                \
11874036c4dSDevin Teske			$height $width $rows               \
1199da4528eSDevin Teske			$menu_list                         \
1209da4528eSDevin Teske			2>&1 >&$DIALOG_TERMINAL_PASSTHRU_FD
121fd962ac6SDevin Teske		) || f_die
122fd962ac6SDevin Teske		f_dialog_data_sanitize mtag
1239da4528eSDevin Teske
1249da4528eSDevin Teske		case "$mtag" in
1259da4528eSDevin Teske		X) # Cancel/Exit
1269da4528eSDevin Teske		   f_die ;;
1279da4528eSDevin Teske		1) # Always try sudo(8) when run as $user
128*d4ae33f0SDevin Teske			f_eval_catch $funcname touch \
129*d4ae33f0SDevin Teske				'touch "%s"' "$checkpath" &&
1309da4528eSDevin Teske				f_show_msg "$msg_created_path" "$checkpath"
1319da4528eSDevin Teske		esac
1329da4528eSDevin Teske	else
1339da4528eSDevin Teske		#
1349da4528eSDevin Teske		# This user has created the path signing-off on sudo(8)-use
1359da4528eSDevin Teske		# but let's still give them a short/quick/unobtrusive reminder
1369da4528eSDevin Teske		#
1379da4528eSDevin Teske		f_dialog_info "$msg_becoming_root_via_sudo"
1389da4528eSDevin Teske		[ "$USE_XDIALOG" ] || sleep 0.6
1399da4528eSDevin Teske	fi
1409da4528eSDevin Teske
1419da4528eSDevin Teske	#
142ab2043b8SDevin Teske	# Check sudo(8) access before prompting for password.
143ab2043b8SDevin Teske	#
144fb7d723eSDevin Teske	:| sudo -S -v 2> /dev/null
145ab2043b8SDevin Teske	if [ $? -ne $SUCCESS ]; then
146ab2043b8SDevin Teske		#
147ab2043b8SDevin Teske		# sudo(8) access denied. Prompt for their password.
148ab2043b8SDevin Teske		#
149052f8969SDevin Teske		prompt="$msg_please_enter_password"
150ab2043b8SDevin Teske		hline="$hline_alnum_punc_tab_enter"
15174036c4dSDevin Teske		f_dialog_inputbox_size height width \
152ab2043b8SDevin Teske		                       "$DIALOG_TITLE"     \
153ab2043b8SDevin Teske		                       "$DIALOG_BACKTITLE" \
154052f8969SDevin Teske		                       "$prompt"           \
15574036c4dSDevin Teske		                       "$hline"
156ab2043b8SDevin Teske
157ab2043b8SDevin Teske		#
158ab2043b8SDevin Teske		# Continue prompting until they either Cancel, succeed
159ab2043b8SDevin Teske		# or exceed the number of allowed failures.
160ab2043b8SDevin Teske		#
161ab2043b8SDevin Teske		local password nfailures=0 retval
162ab2043b8SDevin Teske		while [ $nfailures -lt $PASSWD_TRIES ]; do
163ab2043b8SDevin Teske			if [ "$USE_XDIALOG" ]; then
164ab2043b8SDevin Teske				password=$( $DIALOG \
165ab2043b8SDevin Teske					--title "$DIALOG_TITLE"         \
166ab2043b8SDevin Teske					--backtitle "$DIALOG_BACKTITLE" \
167ab2043b8SDevin Teske					--hline "$hline"                \
168ab2043b8SDevin Teske					--ok-label "$msg_ok"            \
169ab2043b8SDevin Teske					--cancel-label "$msg_cancel"    \
170052f8969SDevin Teske					--password --inputbox "$prompt" \
17174036c4dSDevin Teske					$height $width                  \
172f4844f65SDevin Teske					2>&1 > /dev/null
173f4844f65SDevin Teske				)
174ab2043b8SDevin Teske				retval=$?
175ab2043b8SDevin Teske
176ab2043b8SDevin Teske				# Catch X11-related errors
177f677a9e2SDevin Teske				if [ $retval -eq $DIALOG_ESC ]; then
178ab2043b8SDevin Teske					f_die $retval "$password"
179f677a9e2SDevin Teske				elif [ $retval -ne $DIALOG_OK ]; then
180538d68eaSDevin Teske					# User cancelled
181538d68eaSDevin Teske					exit $retval
182538d68eaSDevin Teske				fi
183ab2043b8SDevin Teske			else
184ec7120b5SDevin Teske				password=$( $DIALOG \
185ab2043b8SDevin Teske					--title "$DIALOG_TITLE"         \
186ab2043b8SDevin Teske					--backtitle "$DIALOG_BACKTITLE" \
187ab2043b8SDevin Teske					--hline "$hline"                \
188ab2043b8SDevin Teske					--ok-label "$msg_ok"            \
189ab2043b8SDevin Teske					--cancel-label "$msg_cancel"    \
190ab2043b8SDevin Teske					--insecure                      \
191052f8969SDevin Teske					--passwordbox "$prompt"         \
19274036c4dSDevin Teske					$height $width                  \
19389498fdfSDevin Teske					2>&1 >&$DIALOG_TERMINAL_PASSTHRU_FD
194ec7120b5SDevin Teske				) || exit $?
195ab2043b8SDevin Teske			fi
196ec7120b5SDevin Teske			debug= f_dialog_line_sanitize password
197ab2043b8SDevin Teske
198ab2043b8SDevin Teske			#
199ab2043b8SDevin Teske			# Validate sudo(8) credentials
200ab2043b8SDevin Teske			#
201fb7d723eSDevin Teske			sudo -S -v 2> /dev/null <<-EOF
202ab2043b8SDevin Teske			$password
203ab2043b8SDevin Teske			EOF
204ab2043b8SDevin Teske			retval=$?
205ab2043b8SDevin Teske			unset password # scrub memory
206ab2043b8SDevin Teske			if [ $retval -eq $SUCCESS ]; then
207ab2043b8SDevin Teske				# Access granted...
208ab2043b8SDevin Teske				break
209ab2043b8SDevin Teske			else
210ab2043b8SDevin Teske				# Access denied...
211ab2043b8SDevin Teske				nfailures=$(( $nfailures + 1 ))
212ab2043b8SDevin Teske
213ab2043b8SDevin Teske				# introduce a short delay
214ab2043b8SDevin Teske				if [ $nfailures -lt $PASSWD_TRIES ]; then
215ab2043b8SDevin Teske					f_dialog_info "$msg_sorry_try_again"
216ab2043b8SDevin Teske					sleep 1
217ab2043b8SDevin Teske				fi
218ab2043b8SDevin Teske			fi
219ab2043b8SDevin Teske		done
220ab2043b8SDevin Teske
221ab2043b8SDevin Teske		#
222ab2043b8SDevin Teske		# If user exhausted number of allowed password tries, log
223ab2043b8SDevin Teske		# the security event and exit immediately.
224ab2043b8SDevin Teske		#
225ab2043b8SDevin Teske		if [ $nfailures -ge $PASSWD_TRIES ]; then
226*d4ae33f0SDevin Teske			f_sprintf msg "$msg_nfailed_attempts" "$nfailures"
227ab2043b8SDevin Teske			logger -p auth.notice -t sudo " " \
228ab2043b8SDevin Teske				"$USER : $msg" \
229ab2043b8SDevin Teske				"; TTY=$(tty)" \
230ab2043b8SDevin Teske				"; PWD=$PWD"   \
231ab2043b8SDevin Teske				"; USER=root"  \
232ab2043b8SDevin Teske				"; COMMAND=$0"
233ab2043b8SDevin Teske			f_die 1 "sudo: $msg"
234ab2043b8SDevin Teske		fi
235ab2043b8SDevin Teske	fi
236ab2043b8SDevin Teske
237ab2043b8SDevin Teske	# Use xauth(1) to grant root the ability to use this X11/SSH session
238ab2043b8SDevin Teske	if [ "$USE_XDIALOG" -a "$SSH_CONNECTION" -a "$DISPLAY" ]; then
239ab2043b8SDevin Teske		f_have xauth || f_die 1 \
240ab2043b8SDevin Teske			"$msg_no_such_file_or_directory" "$pgm" "xauth"
241ab2043b8SDevin Teske		local HOSTNAME displaynum
242ab2043b8SDevin Teske		HOSTNAME=$(hostname)
243ab2043b8SDevin Teske		displaynum="${DISPLAY#*:}"
244ab2043b8SDevin Teske		xauth -f ~/.Xauthority extract - $HOSTNAME/unix:$displaynum \
245ab2043b8SDevin Teske			$HOSTNAME:$displaynum | sudo sh -c 'xauth -ivf \
246fb7d723eSDevin Teske			~root/.Xauthority merge - > /dev/null 2>&1'
247ab2043b8SDevin Teske	fi
248ab2043b8SDevin Teske
249ab2043b8SDevin Teske	# Re-execute ourselves with sudo(8)
250e14ddd1fSDevin Teske	f_dprintf "%s: Becoming root via sudo(8)..." mustberoot.subr
251ab2043b8SDevin Teske	if [ $ARGC -gt 0 ]; then
252ab2043b8SDevin Teske		exec sudo "$0" $ARGV
253ab2043b8SDevin Teske	else
254ab2043b8SDevin Teske		exec sudo "$0"
255ab2043b8SDevin Teske	fi
256ab2043b8SDevin Teske	exit $? # Never reached unless error
257ab2043b8SDevin Teske}
258ab2043b8SDevin Teske
259ab2043b8SDevin Teske# f_authenticate_some_user
260ab2043b8SDevin Teske#
261ab2043b8SDevin Teske# Only used if running as root and requires X11 (see USE_XDIALOG below).
262ab2043b8SDevin Teske# Prompts the user to enter a username and password to be authenticated via
263ab2043b8SDevin Teske# sudo(8) to proceed.
264ab2043b8SDevin Teske#
265ab2043b8SDevin Teske# The following environment variables effect functionality:
266ab2043b8SDevin Teske#
267ab2043b8SDevin Teske# 	USE_XDIALOG   Either NULL or Non-NULL. If given a value will indicate
268ab2043b8SDevin Teske# 	              that Xdialog(1) should be used instead of dialog(1).
269ab2043b8SDevin Teske#
270ab2043b8SDevin Teskef_authenticate_some_user()
271ab2043b8SDevin Teske{
27274036c4dSDevin Teske	local msg hline height width
273ab2043b8SDevin Teske
274ab2043b8SDevin Teske	f_have sudo || f_die 1 "$msg_must_be_root_to_execute" "$pgm"
275ab2043b8SDevin Teske
276ab2043b8SDevin Teske	#
277ab2043b8SDevin Teske	# Secure-mode has been requested.
278ab2043b8SDevin Teske	#
279ab2043b8SDevin Teske
280ab2043b8SDevin Teske	[ "$USE_XDIALOG" ] || f_die 1 "$msg_secure_mode_requires_x11"
281ab2043b8SDevin Teske	[ "$(id -u)" = "0" ] || f_die 1 "$msg_secure_mode_requires_root"
282ab2043b8SDevin Teske
283ab2043b8SDevin Teske	#
284ab2043b8SDevin Teske	# Prompt for sudo(8) credentials.
285ab2043b8SDevin Teske	#
286ab2043b8SDevin Teske
287ab2043b8SDevin Teske	msg="$msg_please_enter_username_password"
288ab2043b8SDevin Teske	hline="$hline_alnum_punc_tab_enter"
28974036c4dSDevin Teske	f_xdialog_2inputsbox_size height width \
290ab2043b8SDevin Teske	                          "$DIALOG_TITLE"      \
291ab2043b8SDevin Teske	                          "$DIALOG_BACKTITLE"  \
292ab2043b8SDevin Teske	                          "$msg"               \
293ab2043b8SDevin Teske	                          "$field_username" "" \
29474036c4dSDevin Teske	                          "$field_password" ""
295ab2043b8SDevin Teske	height=$(( $height + 2 )) # Add height for --password
296ab2043b8SDevin Teske
297ab2043b8SDevin Teske	#
298ab2043b8SDevin Teske	# Continue prompting until they either Cancel, succeed or exceed the
299ab2043b8SDevin Teske	# number of allowed failures.
300ab2043b8SDevin Teske	#
301ab2043b8SDevin Teske	local user_pass nfailures=0 retval
302ab2043b8SDevin Teske	while [ $nfailures -lt $PASSWD_TRIES ]; do
303ab2043b8SDevin Teske		user_pass=$( $DIALOG \
304ab2043b8SDevin Teske			--title "$DIALOG_TITLE"         \
305ab2043b8SDevin Teske			--backtitle "$DIALOG_BACKTITLE" \
306ab2043b8SDevin Teske			--hline "$hline"                \
307ab2043b8SDevin Teske			--ok-label "$msg_ok"            \
308ab2043b8SDevin Teske			--cancel-label "$msg_cancel"    \
309ab2043b8SDevin Teske			--password --2inputsbox "$msg"  \
310ab2043b8SDevin Teske			$height $width                  \
311ab2043b8SDevin Teske			"$field_username" ""            \
312ab2043b8SDevin Teske			"$field_password" ""            \
313fb7d723eSDevin Teske			2>&1 > /dev/null )
314ab2043b8SDevin Teske		retval=$?
315ab2043b8SDevin Teske
316ab2043b8SDevin Teske		# Catch X11-related errors
317f677a9e2SDevin Teske		[ $retval -eq $DIALOG_ESC ] && f_die $retval "$user_pass"
318ab2043b8SDevin Teske
319ab2043b8SDevin Teske		# Exit if the user cancelled.
320f677a9e2SDevin Teske		[ $retval -eq $DIALOG_OK ] || exit $retval
321ab2043b8SDevin Teske
322ab2043b8SDevin Teske		#
323ab2043b8SDevin Teske		# Make sure the user exists and is non-root
324ab2043b8SDevin Teske		#
325ab2043b8SDevin Teske		local user password
326ab2043b8SDevin Teske		user="${user_pass%%/*}"
327ab2043b8SDevin Teske		password="${user_pass#*/}"
328ab2043b8SDevin Teske		unset user_pass # scrub memory
329ab2043b8SDevin Teske		if [ ! "$user" ]; then
330ab2043b8SDevin Teske			nfailures=$(( $nfailures + 1 ))
3317079fc4eSDevin Teske			f_show_msg "$msg_no_username"
332ab2043b8SDevin Teske			continue
333ab2043b8SDevin Teske		fi
334ab2043b8SDevin Teske		if [ ! "$SECURE_ALLOW_ROOT" ]; then
335ab2043b8SDevin Teske			case "$user" in
336ab2043b8SDevin Teske			root|toor)
337ab2043b8SDevin Teske				nfailures=$(( $nfailures + 1 ))
338fa2e39c8SDevin Teske				f_show_msg "$msg_user_disallowed" "$user"
339ab2043b8SDevin Teske				continue
340ab2043b8SDevin Teske			esac
341ab2043b8SDevin Teske		fi
342ab2043b8SDevin Teske		if ! f_quietly id "$user"; then
343ab2043b8SDevin Teske			nfailures=$(( $nfailures + 1 ))
344ab2043b8SDevin Teske			if [ "$SECURE_DIVULGE_UNKNOWN_USER" ]; then
345fa2e39c8SDevin Teske				f_show_msg "$msg_unknown_user" "$user"
346ab2043b8SDevin Teske			elif [ $nfailures -lt $PASSWD_TRIES ]; then
347ab2043b8SDevin Teske				f_dialog_info "$msg_sorry_try_again"
348ab2043b8SDevin Teske				sleep 1
349ab2043b8SDevin Teske			fi
350ab2043b8SDevin Teske			continue
351ab2043b8SDevin Teske		fi
352ab2043b8SDevin Teske
353ab2043b8SDevin Teske		#
354ab2043b8SDevin Teske		# Validate sudo(8) credentials for given user
355ab2043b8SDevin Teske		#
356ab2043b8SDevin Teske		su -m "$user" <<-EOF
357ab2043b8SDevin Teske			sh <<EOS
358ab2043b8SDevin Teske				sudo -k
359fb7d723eSDevin Teske				sudo -S -v 2> /dev/null <<EOP
360ab2043b8SDevin Teske				$password
361ab2043b8SDevin Teske				EOP
362ab2043b8SDevin Teske			EOS
363ab2043b8SDevin Teske		EOF
364ab2043b8SDevin Teske		retval=$?
365ab2043b8SDevin Teske		unset user
366ab2043b8SDevin Teske		unset password # scrub memory
367ab2043b8SDevin Teske
368ab2043b8SDevin Teske		if [ $retval -eq $SUCCESS ]; then
369ab2043b8SDevin Teske			# Access granted...
370ab2043b8SDevin Teske			break
371ab2043b8SDevin Teske		else
372ab2043b8SDevin Teske			# Access denied...
373ab2043b8SDevin Teske			nfailures=$(( $nfailures + 1 ))
374ab2043b8SDevin Teske
375ab2043b8SDevin Teske			# introduce a short delay
376ab2043b8SDevin Teske			if [ $nfailures -lt $PASSWD_TRIES ]; then
377ab2043b8SDevin Teske				f_dialog_info "$msg_sorry_try_again"
378ab2043b8SDevin Teske				sleep 1
379ab2043b8SDevin Teske			fi
380ab2043b8SDevin Teske		fi
381ab2043b8SDevin Teske	done
382ab2043b8SDevin Teske
383ab2043b8SDevin Teske	#
384ab2043b8SDevin Teske	# If user exhausted number of allowed password tries, log
385ab2043b8SDevin Teske	# the security event and exit immediately.
386ab2043b8SDevin Teske	#
387ab2043b8SDevin Teske	if [ $nfailures -ge $PASSWD_TRIES ]; then
388*d4ae33f0SDevin Teske		f_sprintf msg "$msg_nfailed_attempts" "$nfailures"
389ab2043b8SDevin Teske		logger -p auth.notice -t sudo " " \
390ab2043b8SDevin Teske			"${SUDO_USER:-$USER} : $msg" \
391ab2043b8SDevin Teske			"; TTY=$(tty)"               \
392ab2043b8SDevin Teske			"; PWD=$PWD"                 \
393ab2043b8SDevin Teske			"; USER=root"                \
394ab2043b8SDevin Teske			"; COMMAND=$0"
395ab2043b8SDevin Teske		f_die 1 "sudo: $message"
396ab2043b8SDevin Teske	fi
397ab2043b8SDevin Teske}
398ab2043b8SDevin Teske
399ab2043b8SDevin Teske# f_mustberoot_init
400ab2043b8SDevin Teske#
401ab2043b8SDevin Teske# If not already root, make the switch to root by re-executing ourselves via
402ab2043b8SDevin Teske# sudo(8) using user-supplied credentials.
403ab2043b8SDevin Teske#
404ab2043b8SDevin Teske# The following environment variables effect functionality:
405ab2043b8SDevin Teske#
406ab2043b8SDevin Teske# 	SECURE        Either NULL or Non-NULL. If given a value will indicate
407ab2043b8SDevin Teske# 	              that (while running as root) sudo(8) authentication is
408ab2043b8SDevin Teske# 	              required to proceed.
409ab2043b8SDevin Teske#
410ab2043b8SDevin Teskef_mustberoot_init()
411ab2043b8SDevin Teske{
412ab2043b8SDevin Teske	if [ "$(id -u)" != "0" -a ! "$SECURE" ]; then
413ab2043b8SDevin Teske		f_become_root_via_sudo
414ab2043b8SDevin Teske	elif [ "$SECURE" ]; then
415ab2043b8SDevin Teske		f_authenticate_some_user
416ab2043b8SDevin Teske	fi
417ab2043b8SDevin Teske}
418ab2043b8SDevin Teske
41956961fd7SDevin Teske############################################################ MAIN
42056961fd7SDevin Teske
42156961fd7SDevin Teskef_dprintf "%s: Successfully loaded." mustberoot.subr
42256961fd7SDevin Teske
423ab2043b8SDevin Teskefi # ! $_MUSTBEROOT_SUBR
424