xref: /freebsd/usr.sbin/bsdconfig/share/mustberoot.subr (revision 052f89691c59e17ffd322a793a3d298e66f51278) 
1ab2043b8SDevin Teskeif [ ! "$_MUSTBEROOT_SUBR" ]; then _MUSTBEROOT_SUBR=1
2ab2043b8SDevin Teske#
3e14ddd1fSDevin Teske# Copyright (c) 2006-2013 Devin Teske
4ab2043b8SDevin Teske# All Rights Reserved.
5ab2043b8SDevin Teske#
6ab2043b8SDevin Teske# Redistribution and use in source and binary forms, with or without
7ab2043b8SDevin Teske# modification, are permitted provided that the following conditions
8ab2043b8SDevin Teske# are met:
9ab2043b8SDevin Teske# 1. Redistributions of source code must retain the above copyright
10ab2043b8SDevin Teske#    notice, this list of conditions and the following disclaimer.
11ab2043b8SDevin Teske# 2. Redistributions in binary form must reproduce the above copyright
12ab2043b8SDevin Teske#    notice, this list of conditions and the following disclaimer in the
13ab2043b8SDevin Teske#    documentation and/or other materials provided with the distribution.
14ab2043b8SDevin Teske#
15ab2043b8SDevin Teske# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16ab2043b8SDevin Teske# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING BUT NOT LIMITED TO, THE
17ab2043b8SDevin Teske# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18ab2043b8SDevin Teske# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19ab2043b8SDevin Teske# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20ab2043b8SDevin Teske# DAMAGES (INLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21ab2043b8SDevin Teske# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22ab2043b8SDevin Teske# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23ab2043b8SDevin Teske# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24ab2043b8SDevin Teske# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25ab2043b8SDevin Teske# SUCH DAMAGE.
26ab2043b8SDevin Teske#
27ab2043b8SDevin Teske# $FreeBSD$
28ab2043b8SDevin Teske#
29ab2043b8SDevin Teske############################################################ INCLUDES
30ab2043b8SDevin Teske
31ab2043b8SDevin TeskeBSDCFG_SHARE="/usr/share/bsdconfig"
32ab2043b8SDevin Teske. $BSDCFG_SHARE/common.subr || exit 1
3356961fd7SDevin Teskef_dprintf "%s: loading includes..." mustberoot.subr
34ab2043b8SDevin Teskef_include $BSDCFG_SHARE/dialog.subr
35ab2043b8SDevin Teske
36ab2043b8SDevin TeskeBSDCFG_LIBE="/usr/libexec/bsdconfig"
37ab2043b8SDevin Teskef_include_lang $BSDCFG_LIBE/include/messages.subr
38ab2043b8SDevin Teske
39ab2043b8SDevin Teske############################################################ CONFIGURATION
40ab2043b8SDevin Teske# NOTE: These are not able to be overridden/inherited for security purposes.
41ab2043b8SDevin Teske
42ab2043b8SDevin Teske#
43ab2043b8SDevin Teske# Number of tries a user gets to enter his/her password before we log the
44ab2043b8SDevin Teske# sudo(8) failure and exit.
45ab2043b8SDevin Teske#
46ab2043b8SDevin TeskePASSWD_TRIES=3
47ab2043b8SDevin Teske
48ab2043b8SDevin Teske#
49ab2043b8SDevin Teske# While in SECURE mode, should authentication as `root' be allowed? Set to
50ab2043b8SDevin Teske# non-NULL to enable authentication as `root', otherwise disabled.
51ab2043b8SDevin Teske#
52ab2043b8SDevin Teske# WARNING:
53ab2043b8SDevin Teske# Unless using a custom sudo(8) configuration, user `root' should not be
54ab2043b8SDevin Teske# allowed because no password is required to become `root' when already `root'
55ab2043b8SDevin Teske# and therefore, any value entered as password will work.
56ab2043b8SDevin Teske#
57ab2043b8SDevin TeskeSECURE_ALLOW_ROOT=
58ab2043b8SDevin Teske
59ab2043b8SDevin Teske#
60ab2043b8SDevin Teske# While in SECURE mode, should we divulge (through error message) when the
61ab2043b8SDevin Teske# requested authentication user does not exist? Set to non-NULL to enable,
62ab2043b8SDevin Teske# otherwise a non-existent user is treated like an invalid password.
63ab2043b8SDevin Teske#
64ab2043b8SDevin TeskeSECURE_DIVULGE_UNKNOWN_USER=
65ab2043b8SDevin Teske
66ab2043b8SDevin Teske############################################################ FUNCTIONS
67ab2043b8SDevin Teske
68ab2043b8SDevin Teske# f_become_root_via_sudo
69ab2043b8SDevin Teske#
70ab2043b8SDevin Teske# If not running as root, prompt for sudo(8) credentials to become root.
71ab2043b8SDevin Teske# Re-execution of the current program via sudo is automatically handled.
72ab2043b8SDevin Teske#
73ab2043b8SDevin Teske# The following environment variables effect functionality:
74ab2043b8SDevin Teske#
75ab2043b8SDevin Teske# 	USE_XDIALOG   Either NULL or Non-NULL. If given a value will indicate
76ab2043b8SDevin Teske# 	              that Xdialog(1) should be used instead of dialog(1).
77ab2043b8SDevin Teske#
78ab2043b8SDevin Teskef_become_root_via_sudo()
79ab2043b8SDevin Teske{
80*052f8969SDevin Teske	local prompt hline height width rows msg
81ab2043b8SDevin Teske
82ab2043b8SDevin Teske	[ "$( id -u )" = "0" ] && return $SUCCESS
83ab2043b8SDevin Teske
84ab2043b8SDevin Teske	f_have sudo || f_die 1 "$msg_must_be_root_to_execute" "$pgm"
85ab2043b8SDevin Teske
86ab2043b8SDevin Teske	#
879da4528eSDevin Teske	# Ask the user if it's OK to become root via sudo(8) and give them
889da4528eSDevin Teske	# the option to save this preference (by touch(1)ing a file in the
899da4528eSDevin Teske	# user's $HOME directory).
909da4528eSDevin Teske	#
919da4528eSDevin Teske	local checkpath="${HOME%/}/.bsdconfig_uses_sudo"
929da4528eSDevin Teske	if [ ! -e "$checkpath" ]; then
93*052f8969SDevin Teske		prompt=$( printf "$msg_you_are_not_root_but" bsdconfig )
949da4528eSDevin Teske		msg=$( printf "$msg_always_try_sudo_when_run_as" "$USER" )
959da4528eSDevin Teske		local menu_list="
969da4528eSDevin Teske			'X' '$msg_cancel_exit'
979da4528eSDevin Teske			'1' '$msg'
989da4528eSDevin Teske			'2' '$msg_try_sudo_only_this_once'
999da4528eSDevin Teske		" # END-QUOTE
1009da4528eSDevin Teske		hline="$hline_arrows_tab_enter"
101*052f8969SDevin Teske
10274036c4dSDevin Teske		eval f_dialog_menu_size height width rows \
1039da4528eSDevin Teske		                        \"\$DIALOG_TITLE\"     \
1049da4528eSDevin Teske		                        \"\$DIALOG_BACKTITLE\" \
105*052f8969SDevin Teske		                        \"\$prompt\"           \
1069da4528eSDevin Teske		                        \"\$hline\"            \
10774036c4dSDevin Teske		                        $menu_list
1089da4528eSDevin Teske
109fd962ac6SDevin Teske		local mtag
110fd962ac6SDevin Teske		mtag=$( eval $DIALOG \
1119da4528eSDevin Teske			--title \"\$DIALOG_TITLE\"         \
1129da4528eSDevin Teske			--backtitle \"\$DIALOG_BACKTITLE\" \
1139da4528eSDevin Teske			--hline \"\$hline\"                \
1149da4528eSDevin Teske			--ok-label \"\$msg_ok\"            \
1159da4528eSDevin Teske			--cancel-label \"\$msg_cancel\"    \
116*052f8969SDevin Teske			--menu \"\$prompt\"                \
11774036c4dSDevin Teske			$height $width $rows               \
1189da4528eSDevin Teske			$menu_list                         \
1199da4528eSDevin Teske			2>&1 >&$DIALOG_TERMINAL_PASSTHRU_FD
120fd962ac6SDevin Teske		) || f_die
121fd962ac6SDevin Teske		f_dialog_data_sanitize mtag
1229da4528eSDevin Teske
1239da4528eSDevin Teske		case "$mtag" in
1249da4528eSDevin Teske		X) # Cancel/Exit
1259da4528eSDevin Teske		   f_die ;;
1269da4528eSDevin Teske		1) # Always try sudo(8) when run as $user
1279da4528eSDevin Teske			local err
1289da4528eSDevin Teske			if ! err=$( touch "$checkpath" 2>&1 ); then
129db7b0ba7SDevin Teske				f_dialog_msgbox "$err"
1309da4528eSDevin Teske			else
1319da4528eSDevin Teske				f_show_msg "$msg_created_path" "$checkpath"
1329da4528eSDevin Teske			fi
1339da4528eSDevin Teske		esac
1349da4528eSDevin Teske	else
1359da4528eSDevin Teske		#
1369da4528eSDevin Teske		# This user has created the path signing-off on sudo(8)-use
1379da4528eSDevin Teske		# but let's still give them a short/quick/unobtrusive reminder
1389da4528eSDevin Teske		#
1399da4528eSDevin Teske		f_dialog_info "$msg_becoming_root_via_sudo"
1409da4528eSDevin Teske		[ "$USE_XDIALOG" ] || sleep 0.6
1419da4528eSDevin Teske	fi
1429da4528eSDevin Teske
1439da4528eSDevin Teske	#
144ab2043b8SDevin Teske	# Check sudo(8) access before prompting for password.
145ab2043b8SDevin Teske	#
146fb7d723eSDevin Teske	:| sudo -S -v 2> /dev/null
147ab2043b8SDevin Teske	if [ $? -ne $SUCCESS ]; then
148ab2043b8SDevin Teske		#
149ab2043b8SDevin Teske		# sudo(8) access denied. Prompt for their password.
150ab2043b8SDevin Teske		#
151*052f8969SDevin Teske		prompt="$msg_please_enter_password"
152ab2043b8SDevin Teske		hline="$hline_alnum_punc_tab_enter"
15374036c4dSDevin Teske		f_dialog_inputbox_size height width \
154ab2043b8SDevin Teske		                       "$DIALOG_TITLE"     \
155ab2043b8SDevin Teske		                       "$DIALOG_BACKTITLE" \
156*052f8969SDevin Teske		                       "$prompt"           \
15774036c4dSDevin Teske		                       "$hline"
158ab2043b8SDevin Teske
159ab2043b8SDevin Teske		#
160ab2043b8SDevin Teske		# Continue prompting until they either Cancel, succeed
161ab2043b8SDevin Teske		# or exceed the number of allowed failures.
162ab2043b8SDevin Teske		#
163ab2043b8SDevin Teske		local password nfailures=0 retval
164ab2043b8SDevin Teske		while [ $nfailures -lt $PASSWD_TRIES ]; do
165ab2043b8SDevin Teske			if [ "$USE_XDIALOG" ]; then
166ab2043b8SDevin Teske				password=$( $DIALOG \
167ab2043b8SDevin Teske					--title "$DIALOG_TITLE"         \
168ab2043b8SDevin Teske					--backtitle "$DIALOG_BACKTITLE" \
169ab2043b8SDevin Teske					--hline "$hline"                \
170ab2043b8SDevin Teske					--ok-label "$msg_ok"            \
171ab2043b8SDevin Teske					--cancel-label "$msg_cancel"    \
172*052f8969SDevin Teske					--password --inputbox "$prompt" \
17374036c4dSDevin Teske					$height $width                  \
174fb7d723eSDevin Teske					2>&1 > /dev/null )
175ab2043b8SDevin Teske				retval=$?
176ab2043b8SDevin Teske
177ab2043b8SDevin Teske				# Catch X11-related errors
178ab2043b8SDevin Teske				[ $retval -eq 255 ] &&
179ab2043b8SDevin Teske					f_die $retval "$password"
180ab2043b8SDevin Teske			else
181ec7120b5SDevin Teske				password=$( $DIALOG \
182ab2043b8SDevin Teske					--title "$DIALOG_TITLE"         \
183ab2043b8SDevin Teske					--backtitle "$DIALOG_BACKTITLE" \
184ab2043b8SDevin Teske					--hline "$hline"                \
185ab2043b8SDevin Teske					--ok-label "$msg_ok"            \
186ab2043b8SDevin Teske					--cancel-label "$msg_cancel"    \
187ab2043b8SDevin Teske					--insecure                      \
188*052f8969SDevin Teske					--passwordbox "$prompt"         \
18974036c4dSDevin Teske					$height $width                  \
19089498fdfSDevin Teske					2>&1 >&$DIALOG_TERMINAL_PASSTHRU_FD
191ec7120b5SDevin Teske				) || exit $?
192ab2043b8SDevin Teske			fi
193ec7120b5SDevin Teske			debug= f_dialog_line_sanitize password
194ab2043b8SDevin Teske
195ab2043b8SDevin Teske			#
196ab2043b8SDevin Teske			# Validate sudo(8) credentials
197ab2043b8SDevin Teske			#
198fb7d723eSDevin Teske			sudo -S -v 2> /dev/null <<-EOF
199ab2043b8SDevin Teske			$password
200ab2043b8SDevin Teske			EOF
201ab2043b8SDevin Teske			retval=$?
202ab2043b8SDevin Teske			unset password # scrub memory
203ab2043b8SDevin Teske			if [ $retval -eq $SUCCESS ]; then
204ab2043b8SDevin Teske				# Access granted...
205ab2043b8SDevin Teske				break
206ab2043b8SDevin Teske			else
207ab2043b8SDevin Teske				# Access denied...
208ab2043b8SDevin Teske				nfailures=$(( $nfailures + 1 ))
209ab2043b8SDevin Teske
210ab2043b8SDevin Teske				# introduce a short delay
211ab2043b8SDevin Teske				if [ $nfailures -lt $PASSWD_TRIES ]; then
212ab2043b8SDevin Teske					f_dialog_info "$msg_sorry_try_again"
213ab2043b8SDevin Teske					sleep 1
214ab2043b8SDevin Teske				fi
215ab2043b8SDevin Teske			fi
216ab2043b8SDevin Teske		done
217ab2043b8SDevin Teske
218ab2043b8SDevin Teske		#
219ab2043b8SDevin Teske		# If user exhausted number of allowed password tries, log
220ab2043b8SDevin Teske		# the security event and exit immediately.
221ab2043b8SDevin Teske		#
222ab2043b8SDevin Teske		if [ $nfailures -ge $PASSWD_TRIES ]; then
223ab2043b8SDevin Teske			msg=$( printf "$msg_nfailed_attempts" "$nfailures" )
224ab2043b8SDevin Teske			logger -p auth.notice -t sudo " " \
225ab2043b8SDevin Teske				"$USER : $msg" \
226ab2043b8SDevin Teske				"; TTY=$(tty)" \
227ab2043b8SDevin Teske				"; PWD=$PWD"   \
228ab2043b8SDevin Teske				"; USER=root"  \
229ab2043b8SDevin Teske				"; COMMAND=$0"
230ab2043b8SDevin Teske			f_die 1 "sudo: $msg"
231ab2043b8SDevin Teske		fi
232ab2043b8SDevin Teske	fi
233ab2043b8SDevin Teske
234ab2043b8SDevin Teske	# Use xauth(1) to grant root the ability to use this X11/SSH session
235ab2043b8SDevin Teske	if [ "$USE_XDIALOG" -a "$SSH_CONNECTION" -a "$DISPLAY" ]; then
236ab2043b8SDevin Teske		f_have xauth || f_die 1 \
237ab2043b8SDevin Teske			"$msg_no_such_file_or_directory" "$pgm" "xauth"
238ab2043b8SDevin Teske		local HOSTNAME displaynum
239ab2043b8SDevin Teske		HOSTNAME=$(hostname)
240ab2043b8SDevin Teske		displaynum="${DISPLAY#*:}"
241ab2043b8SDevin Teske		xauth -f ~/.Xauthority extract - $HOSTNAME/unix:$displaynum \
242ab2043b8SDevin Teske			$HOSTNAME:$displaynum | sudo sh -c 'xauth -ivf \
243fb7d723eSDevin Teske			~root/.Xauthority merge - > /dev/null 2>&1'
244ab2043b8SDevin Teske	fi
245ab2043b8SDevin Teske
246ab2043b8SDevin Teske	# Re-execute ourselves with sudo(8)
247e14ddd1fSDevin Teske	f_dprintf "%s: Becoming root via sudo(8)..." mustberoot.subr
248ab2043b8SDevin Teske	if [ $ARGC -gt 0 ]; then
249ab2043b8SDevin Teske		exec sudo "$0" $ARGV
250ab2043b8SDevin Teske	else
251ab2043b8SDevin Teske		exec sudo "$0"
252ab2043b8SDevin Teske	fi
253ab2043b8SDevin Teske	exit $? # Never reached unless error
254ab2043b8SDevin Teske}
255ab2043b8SDevin Teske
256ab2043b8SDevin Teske# f_authenticate_some_user
257ab2043b8SDevin Teske#
258ab2043b8SDevin Teske# Only used if running as root and requires X11 (see USE_XDIALOG below).
259ab2043b8SDevin Teske# Prompts the user to enter a username and password to be authenticated via
260ab2043b8SDevin Teske# sudo(8) to proceed.
261ab2043b8SDevin Teske#
262ab2043b8SDevin Teske# The following environment variables effect functionality:
263ab2043b8SDevin Teske#
264ab2043b8SDevin Teske# 	USE_XDIALOG   Either NULL or Non-NULL. If given a value will indicate
265ab2043b8SDevin Teske# 	              that Xdialog(1) should be used instead of dialog(1).
266ab2043b8SDevin Teske#
267ab2043b8SDevin Teskef_authenticate_some_user()
268ab2043b8SDevin Teske{
26974036c4dSDevin Teske	local msg hline height width
270ab2043b8SDevin Teske
271ab2043b8SDevin Teske	f_have sudo || f_die 1 "$msg_must_be_root_to_execute" "$pgm"
272ab2043b8SDevin Teske
273ab2043b8SDevin Teske	#
274ab2043b8SDevin Teske	# Secure-mode has been requested.
275ab2043b8SDevin Teske	#
276ab2043b8SDevin Teske
277ab2043b8SDevin Teske	[ "$USE_XDIALOG" ] || f_die 1 "$msg_secure_mode_requires_x11"
278ab2043b8SDevin Teske	[ "$(id -u)" = "0" ] || f_die 1 "$msg_secure_mode_requires_root"
279ab2043b8SDevin Teske
280ab2043b8SDevin Teske	#
281ab2043b8SDevin Teske	# Prompt for sudo(8) credentials.
282ab2043b8SDevin Teske	#
283ab2043b8SDevin Teske
284ab2043b8SDevin Teske	msg="$msg_please_enter_username_password"
285ab2043b8SDevin Teske	hline="$hline_alnum_punc_tab_enter"
28674036c4dSDevin Teske	f_xdialog_2inputsbox_size height width \
287ab2043b8SDevin Teske	                          "$DIALOG_TITLE"      \
288ab2043b8SDevin Teske	                          "$DIALOG_BACKTITLE"  \
289ab2043b8SDevin Teske	                          "$msg"               \
290ab2043b8SDevin Teske	                          "$field_username" "" \
29174036c4dSDevin Teske	                          "$field_password" ""
292ab2043b8SDevin Teske	height=$(( $height + 2 )) # Add height for --password
293ab2043b8SDevin Teske
294ab2043b8SDevin Teske	#
295ab2043b8SDevin Teske	# Continue prompting until they either Cancel, succeed or exceed the
296ab2043b8SDevin Teske	# number of allowed failures.
297ab2043b8SDevin Teske	#
298ab2043b8SDevin Teske	local user_pass nfailures=0 retval
299ab2043b8SDevin Teske	while [ $nfailures -lt $PASSWD_TRIES ]; do
300ab2043b8SDevin Teske		user_pass=$( $DIALOG \
301ab2043b8SDevin Teske			--title "$DIALOG_TITLE"         \
302ab2043b8SDevin Teske			--backtitle "$DIALOG_BACKTITLE" \
303ab2043b8SDevin Teske			--hline "$hline"                \
304ab2043b8SDevin Teske			--ok-label "$msg_ok"            \
305ab2043b8SDevin Teske			--cancel-label "$msg_cancel"    \
306ab2043b8SDevin Teske			--password --2inputsbox "$msg"  \
307ab2043b8SDevin Teske			$height $width                  \
308ab2043b8SDevin Teske			"$field_username" ""            \
309ab2043b8SDevin Teske			"$field_password" ""            \
310fb7d723eSDevin Teske			2>&1 > /dev/null )
311ab2043b8SDevin Teske		retval=$?
312ab2043b8SDevin Teske
313ab2043b8SDevin Teske		# Catch X11-related errors
314ab2043b8SDevin Teske		[ $retval -eq 255 ] && f_die $retval "$user_pass"
315ab2043b8SDevin Teske
316ab2043b8SDevin Teske		# Exit if the user cancelled.
317ab2043b8SDevin Teske		[ $retval -eq $SUCCESS ] || exit $retval
318ab2043b8SDevin Teske
319ab2043b8SDevin Teske		#
320ab2043b8SDevin Teske		# Make sure the user exists and is non-root
321ab2043b8SDevin Teske		#
322ab2043b8SDevin Teske		local user password
323ab2043b8SDevin Teske		user="${user_pass%%/*}"
324ab2043b8SDevin Teske		password="${user_pass#*/}"
325ab2043b8SDevin Teske		unset user_pass # scrub memory
326ab2043b8SDevin Teske		if [ ! "$user" ]; then
327ab2043b8SDevin Teske			nfailures=$(( $nfailures + 1 ))
328ab2043b8SDevin Teske			f_dialog_msgbox "$msg_no_username"
329ab2043b8SDevin Teske			continue
330ab2043b8SDevin Teske		fi
331ab2043b8SDevin Teske		if [ ! "$SECURE_ALLOW_ROOT" ]; then
332ab2043b8SDevin Teske			case "$user" in
333ab2043b8SDevin Teske			root|toor)
334ab2043b8SDevin Teske				nfailures=$(( $nfailures + 1 ))
335fa2e39c8SDevin Teske				f_show_msg "$msg_user_disallowed" "$user"
336ab2043b8SDevin Teske				continue
337ab2043b8SDevin Teske			esac
338ab2043b8SDevin Teske		fi
339ab2043b8SDevin Teske		if ! f_quietly id "$user"; then
340ab2043b8SDevin Teske			nfailures=$(( $nfailures + 1 ))
341ab2043b8SDevin Teske			if [ "$SECURE_DIVULGE_UNKNOWN_USER" ]; then
342fa2e39c8SDevin Teske				f_show_msg "$msg_unknown_user" "$user"
343ab2043b8SDevin Teske			elif [ $nfailures -lt $PASSWD_TRIES ]; then
344ab2043b8SDevin Teske				f_dialog_info "$msg_sorry_try_again"
345ab2043b8SDevin Teske				sleep 1
346ab2043b8SDevin Teske			fi
347ab2043b8SDevin Teske			continue
348ab2043b8SDevin Teske		fi
349ab2043b8SDevin Teske
350ab2043b8SDevin Teske		#
351ab2043b8SDevin Teske		# Validate sudo(8) credentials for given user
352ab2043b8SDevin Teske		#
353ab2043b8SDevin Teske		su -m "$user" <<-EOF
354ab2043b8SDevin Teske			sh <<EOS
355ab2043b8SDevin Teske				sudo -k
356fb7d723eSDevin Teske				sudo -S -v 2> /dev/null <<EOP
357ab2043b8SDevin Teske				$password
358ab2043b8SDevin Teske				EOP
359ab2043b8SDevin Teske			EOS
360ab2043b8SDevin Teske		EOF
361ab2043b8SDevin Teske		retval=$?
362ab2043b8SDevin Teske		unset user
363ab2043b8SDevin Teske		unset password # scrub memory
364ab2043b8SDevin Teske
365ab2043b8SDevin Teske		if [ $retval -eq $SUCCESS ]; then
366ab2043b8SDevin Teske			# Access granted...
367ab2043b8SDevin Teske			break
368ab2043b8SDevin Teske		else
369ab2043b8SDevin Teske			# Access denied...
370ab2043b8SDevin Teske			nfailures=$(( $nfailures + 1 ))
371ab2043b8SDevin Teske
372ab2043b8SDevin Teske			# introduce a short delay
373ab2043b8SDevin Teske			if [ $nfailures -lt $PASSWD_TRIES ]; then
374ab2043b8SDevin Teske				f_dialog_info "$msg_sorry_try_again"
375ab2043b8SDevin Teske				sleep 1
376ab2043b8SDevin Teske			fi
377ab2043b8SDevin Teske		fi
378ab2043b8SDevin Teske	done
379ab2043b8SDevin Teske
380ab2043b8SDevin Teske	#
381ab2043b8SDevin Teske	# If user exhausted number of allowed password tries, log
382ab2043b8SDevin Teske	# the security event and exit immediately.
383ab2043b8SDevin Teske	#
384ab2043b8SDevin Teske	if [ $nfailures -ge $PASSWD_TRIES ]; then
385ab2043b8SDevin Teske		msg=$( printf "$msg_nfailed_attempts" "$nfailures" )
386ab2043b8SDevin Teske		logger -p auth.notice -t sudo " " \
387ab2043b8SDevin Teske			"${SUDO_USER:-$USER} : $msg" \
388ab2043b8SDevin Teske			"; TTY=$(tty)"               \
389ab2043b8SDevin Teske			"; PWD=$PWD"                 \
390ab2043b8SDevin Teske			"; USER=root"                \
391ab2043b8SDevin Teske			"; COMMAND=$0"
392ab2043b8SDevin Teske		f_die 1 "sudo: $message"
393ab2043b8SDevin Teske	fi
394ab2043b8SDevin Teske}
395ab2043b8SDevin Teske
396ab2043b8SDevin Teske# f_mustberoot_init
397ab2043b8SDevin Teske#
398ab2043b8SDevin Teske# If not already root, make the switch to root by re-executing ourselves via
399ab2043b8SDevin Teske# sudo(8) using user-supplied credentials.
400ab2043b8SDevin Teske#
401ab2043b8SDevin Teske# The following environment variables effect functionality:
402ab2043b8SDevin Teske#
403ab2043b8SDevin Teske# 	SECURE        Either NULL or Non-NULL. If given a value will indicate
404ab2043b8SDevin Teske# 	              that (while running as root) sudo(8) authentication is
405ab2043b8SDevin Teske# 	              required to proceed.
406ab2043b8SDevin Teske#
407ab2043b8SDevin Teskef_mustberoot_init()
408ab2043b8SDevin Teske{
409ab2043b8SDevin Teske	if [ "$(id -u)" != "0" -a ! "$SECURE" ]; then
410ab2043b8SDevin Teske		f_become_root_via_sudo
411ab2043b8SDevin Teske	elif [ "$SECURE" ]; then
412ab2043b8SDevin Teske		f_authenticate_some_user
413ab2043b8SDevin Teske	fi
414ab2043b8SDevin Teske}
415ab2043b8SDevin Teske
41656961fd7SDevin Teske############################################################ MAIN
41756961fd7SDevin Teske
41856961fd7SDevin Teskef_dprintf "%s: Successfully loaded." mustberoot.subr
41956961fd7SDevin Teske
420ab2043b8SDevin Teskefi # ! $_MUSTBEROOT_SUBR
421