1ab2043b8SDevin Teskeif [ ! "$_MUSTBEROOT_SUBR" ]; then _MUSTBEROOT_SUBR=1 2ab2043b8SDevin Teske# 3ab2043b8SDevin Teske# Copyright (c) 2006-2012 Devin Teske 4ab2043b8SDevin Teske# All Rights Reserved. 5ab2043b8SDevin Teske# 6ab2043b8SDevin Teske# Redistribution and use in source and binary forms, with or without 7ab2043b8SDevin Teske# modification, are permitted provided that the following conditions 8ab2043b8SDevin Teske# are met: 9ab2043b8SDevin Teske# 1. Redistributions of source code must retain the above copyright 10ab2043b8SDevin Teske# notice, this list of conditions and the following disclaimer. 11ab2043b8SDevin Teske# 2. Redistributions in binary form must reproduce the above copyright 12ab2043b8SDevin Teske# notice, this list of conditions and the following disclaimer in the 13ab2043b8SDevin Teske# documentation and/or other materials provided with the distribution. 14ab2043b8SDevin Teske# 15ab2043b8SDevin Teske# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 16ab2043b8SDevin Teske# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING BUT NOT LIMITED TO, THE 17ab2043b8SDevin Teske# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 18ab2043b8SDevin Teske# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 19ab2043b8SDevin Teske# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 20ab2043b8SDevin Teske# DAMAGES (INLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 21ab2043b8SDevin Teske# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 22ab2043b8SDevin Teske# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 23ab2043b8SDevin Teske# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 24ab2043b8SDevin Teske# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 25ab2043b8SDevin Teske# SUCH DAMAGE. 26ab2043b8SDevin Teske# 27ab2043b8SDevin Teske# $FreeBSD$ 28ab2043b8SDevin Teske# 29ab2043b8SDevin Teske############################################################ INCLUDES 30ab2043b8SDevin Teske 31ab2043b8SDevin TeskeBSDCFG_SHARE="/usr/share/bsdconfig" 32ab2043b8SDevin Teske. $BSDCFG_SHARE/common.subr || exit 1 33ab2043b8SDevin Teskef_include $BSDCFG_SHARE/dialog.subr 34ab2043b8SDevin Teske 35ab2043b8SDevin TeskeBSDCFG_LIBE="/usr/libexec/bsdconfig" 36ab2043b8SDevin Teskef_include_lang $BSDCFG_LIBE/include/messages.subr 37ab2043b8SDevin Teske 38ab2043b8SDevin Teske############################################################ CONFIGURATION 39ab2043b8SDevin Teske# NOTE: These are not able to be overridden/inherited for security purposes. 40ab2043b8SDevin Teske 41ab2043b8SDevin Teske# 42ab2043b8SDevin Teske# Number of tries a user gets to enter his/her password before we log the 43ab2043b8SDevin Teske# sudo(8) failure and exit. 44ab2043b8SDevin Teske# 45ab2043b8SDevin TeskePASSWD_TRIES=3 46ab2043b8SDevin Teske 47ab2043b8SDevin Teske# 48ab2043b8SDevin Teske# While in SECURE mode, should authentication as `root' be allowed? Set to 49ab2043b8SDevin Teske# non-NULL to enable authentication as `root', otherwise disabled. 50ab2043b8SDevin Teske# 51ab2043b8SDevin Teske# WARNING: 52ab2043b8SDevin Teske# Unless using a custom sudo(8) configuration, user `root' should not be 53ab2043b8SDevin Teske# allowed because no password is required to become `root' when already `root' 54ab2043b8SDevin Teske# and therefore, any value entered as password will work. 55ab2043b8SDevin Teske# 56ab2043b8SDevin TeskeSECURE_ALLOW_ROOT= 57ab2043b8SDevin Teske 58ab2043b8SDevin Teske# 59ab2043b8SDevin Teske# While in SECURE mode, should we divulge (through error message) when the 60ab2043b8SDevin Teske# requested authentication user does not exist? Set to non-NULL to enable, 61ab2043b8SDevin Teske# otherwise a non-existent user is treated like an invalid password. 62ab2043b8SDevin Teske# 63ab2043b8SDevin TeskeSECURE_DIVULGE_UNKNOWN_USER= 64ab2043b8SDevin Teske 65ab2043b8SDevin Teske############################################################ FUNCTIONS 66ab2043b8SDevin Teske 67ab2043b8SDevin Teske# f_become_root_via_sudo 68ab2043b8SDevin Teske# 69ab2043b8SDevin Teske# If not running as root, prompt for sudo(8) credentials to become root. 70ab2043b8SDevin Teske# Re-execution of the current program via sudo is automatically handled. 71ab2043b8SDevin Teske# 72ab2043b8SDevin Teske# The following environment variables effect functionality: 73ab2043b8SDevin Teske# 74ab2043b8SDevin Teske# USE_XDIALOG Either NULL or Non-NULL. If given a value will indicate 75ab2043b8SDevin Teske# that Xdialog(1) should be used instead of dialog(1). 76ab2043b8SDevin Teske# 77ab2043b8SDevin Teskef_become_root_via_sudo() 78ab2043b8SDevin Teske{ 79ab2043b8SDevin Teske local msg hline size 80ab2043b8SDevin Teske 81ab2043b8SDevin Teske [ "$( id -u )" = "0" ] && return $SUCCESS 82ab2043b8SDevin Teske 83ab2043b8SDevin Teske f_have sudo || f_die 1 "$msg_must_be_root_to_execute" "$pgm" 84ab2043b8SDevin Teske 85ab2043b8SDevin Teske # 86*9da4528eSDevin Teske # Ask the user if it's OK to become root via sudo(8) and give them 87*9da4528eSDevin Teske # the option to save this preference (by touch(1)ing a file in the 88*9da4528eSDevin Teske # user's $HOME directory). 89*9da4528eSDevin Teske # 90*9da4528eSDevin Teske local checkpath="${HOME%/}/.bsdconfig_uses_sudo" 91*9da4528eSDevin Teske if [ ! -e "$checkpath" ]; then 92*9da4528eSDevin Teske msg=$( printf "$msg_always_try_sudo_when_run_as" "$USER" ) 93*9da4528eSDevin Teske local menu_list=" 94*9da4528eSDevin Teske 'X' '$msg_cancel_exit' 95*9da4528eSDevin Teske '1' '$msg' 96*9da4528eSDevin Teske '2' '$msg_try_sudo_only_this_once' 97*9da4528eSDevin Teske " # END-QUOTE 98*9da4528eSDevin Teske msg=$( printf "$msg_you_are_not_root_but" bsdconfig ) 99*9da4528eSDevin Teske hline="$hline_arrows_tab_enter" 100*9da4528eSDevin Teske size=$( eval f_dialog_menu_size \ 101*9da4528eSDevin Teske \"\$DIALOG_TITLE\" \ 102*9da4528eSDevin Teske \"\$DIALOG_BACKTITLE\" \ 103*9da4528eSDevin Teske \"\$msg\" \ 104*9da4528eSDevin Teske \"\$hline\" \ 105*9da4528eSDevin Teske $menu_list ) 106*9da4528eSDevin Teske 107*9da4528eSDevin Teske local dialog_menu mtag retval 108*9da4528eSDevin Teske dialog_menu=$( eval $DIALOG \ 109*9da4528eSDevin Teske --title \"\$DIALOG_TITLE\" \ 110*9da4528eSDevin Teske --backtitle \"\$DIALOG_BACKTITLE\" \ 111*9da4528eSDevin Teske --hline \"\$hline\" \ 112*9da4528eSDevin Teske --ok-label \"\$msg_ok\" \ 113*9da4528eSDevin Teske --cancel-label \"\$msg_cancel\" \ 114*9da4528eSDevin Teske --menu \"\$msg\" $size \ 115*9da4528eSDevin Teske $menu_list \ 116*9da4528eSDevin Teske 2>&1 >&$DIALOG_TERMINAL_PASSTHRU_FD 117*9da4528eSDevin Teske ) 118*9da4528eSDevin Teske retval=$? 119*9da4528eSDevin Teske setvar DIALOG_MENU_$$ "$dialog_menu" 120*9da4528eSDevin Teske mtag=$( f_dialog_menutag ) 121*9da4528eSDevin Teske 122*9da4528eSDevin Teske [ $retval -eq 0 ] || f_die 123*9da4528eSDevin Teske 124*9da4528eSDevin Teske case "$mtag" in 125*9da4528eSDevin Teske X) # Cancel/Exit 126*9da4528eSDevin Teske f_die ;; 127*9da4528eSDevin Teske 1) # Always try sudo(8) when run as $user 128*9da4528eSDevin Teske local err 129*9da4528eSDevin Teske if ! err=$( touch "$checkpath" 2>&1 ); then 130*9da4528eSDevin Teske f_show_msg "%s" "$err" 131*9da4528eSDevin Teske else 132*9da4528eSDevin Teske f_show_msg "$msg_created_path" "$checkpath" 133*9da4528eSDevin Teske fi 134*9da4528eSDevin Teske esac 135*9da4528eSDevin Teske else 136*9da4528eSDevin Teske # 137*9da4528eSDevin Teske # This user has created the path signing-off on sudo(8)-use 138*9da4528eSDevin Teske # but let's still give them a short/quick/unobtrusive reminder 139*9da4528eSDevin Teske # 140*9da4528eSDevin Teske f_dialog_info "$msg_becoming_root_via_sudo" 141*9da4528eSDevin Teske [ "$USE_XDIALOG" ] || sleep 0.6 142*9da4528eSDevin Teske fi 143*9da4528eSDevin Teske 144*9da4528eSDevin Teske # 145ab2043b8SDevin Teske # Check sudo(8) access before prompting for password. 146ab2043b8SDevin Teske # 147fb7d723eSDevin Teske :| sudo -S -v 2> /dev/null 148ab2043b8SDevin Teske if [ $? -ne $SUCCESS ]; then 149ab2043b8SDevin Teske # 150ab2043b8SDevin Teske # sudo(8) access denied. Prompt for their password. 151ab2043b8SDevin Teske # 152ab2043b8SDevin Teske msg="$msg_please_enter_password" 153ab2043b8SDevin Teske hline="$hline_alnum_punc_tab_enter" 154ab2043b8SDevin Teske size=$( f_dialog_inputbox_size \ 155ab2043b8SDevin Teske "$DIALOG_TITLE" \ 156ab2043b8SDevin Teske "$DIALOG_BACKTITLE" \ 157ab2043b8SDevin Teske "$msg" \ 158ab2043b8SDevin Teske "$hline" ) 159ab2043b8SDevin Teske 160ab2043b8SDevin Teske # 161ab2043b8SDevin Teske # Continue prompting until they either Cancel, succeed 162ab2043b8SDevin Teske # or exceed the number of allowed failures. 163ab2043b8SDevin Teske # 164ab2043b8SDevin Teske local password nfailures=0 retval 165ab2043b8SDevin Teske while [ $nfailures -lt $PASSWD_TRIES ]; do 166ab2043b8SDevin Teske if [ "$USE_XDIALOG" ]; then 167ab2043b8SDevin Teske password=$( $DIALOG \ 168ab2043b8SDevin Teske --title "$DIALOG_TITLE" \ 169ab2043b8SDevin Teske --backtitle "$DIALOG_BACKTITLE" \ 170ab2043b8SDevin Teske --hline "$hline" \ 171ab2043b8SDevin Teske --ok-label "$msg_ok" \ 172ab2043b8SDevin Teske --cancel-label "$msg_cancel" \ 173ab2043b8SDevin Teske --password --inputbox "$msg" $size \ 174fb7d723eSDevin Teske 2>&1 > /dev/null ) 175ab2043b8SDevin Teske retval=$? 176ab2043b8SDevin Teske 177ab2043b8SDevin Teske # Catch X11-related errors 178ab2043b8SDevin Teske [ $retval -eq 255 ] && 179ab2043b8SDevin Teske f_die $retval "$password" 180ab2043b8SDevin Teske else 18189498fdfSDevin Teske local dialog_inputbox 18289498fdfSDevin Teske dialog_inputbox=$( $DIALOG \ 183ab2043b8SDevin Teske --title "$DIALOG_TITLE" \ 184ab2043b8SDevin Teske --backtitle "$DIALOG_BACKTITLE" \ 185ab2043b8SDevin Teske --hline "$hline" \ 186ab2043b8SDevin Teske --ok-label "$msg_ok" \ 187ab2043b8SDevin Teske --cancel-label "$msg_cancel" \ 188ab2043b8SDevin Teske --insecure \ 189ab2043b8SDevin Teske --passwordbox "$msg" $size \ 19089498fdfSDevin Teske 2>&1 >&$DIALOG_TERMINAL_PASSTHRU_FD 19189498fdfSDevin Teske ) 192ab2043b8SDevin Teske retval=$? 19389498fdfSDevin Teske setvar DIALOG_INPUTBOX_$$ "$dialog_inputbox" 194ab2043b8SDevin Teske password=$( f_dialog_inputstr ) 195ab2043b8SDevin Teske fi 196ab2043b8SDevin Teske 197ab2043b8SDevin Teske # Exit if the user cancelled. 198ab2043b8SDevin Teske [ $retval -eq $SUCCESS ] || exit $retval 199ab2043b8SDevin Teske 200ab2043b8SDevin Teske # 201ab2043b8SDevin Teske # Validate sudo(8) credentials 202ab2043b8SDevin Teske # 203fb7d723eSDevin Teske sudo -S -v 2> /dev/null <<-EOF 204ab2043b8SDevin Teske $password 205ab2043b8SDevin Teske EOF 206ab2043b8SDevin Teske retval=$? 207ab2043b8SDevin Teske unset password # scrub memory 208ab2043b8SDevin Teske if [ $retval -eq $SUCCESS ]; then 209ab2043b8SDevin Teske # Access granted... 210ab2043b8SDevin Teske break 211ab2043b8SDevin Teske else 212ab2043b8SDevin Teske # Access denied... 213ab2043b8SDevin Teske nfailures=$(( $nfailures + 1 )) 214ab2043b8SDevin Teske 215ab2043b8SDevin Teske # introduce a short delay 216ab2043b8SDevin Teske if [ $nfailures -lt $PASSWD_TRIES ]; then 217ab2043b8SDevin Teske f_dialog_info "$msg_sorry_try_again" 218ab2043b8SDevin Teske sleep 1 219ab2043b8SDevin Teske fi 220ab2043b8SDevin Teske fi 221ab2043b8SDevin Teske done 222ab2043b8SDevin Teske 223ab2043b8SDevin Teske # 224ab2043b8SDevin Teske # If user exhausted number of allowed password tries, log 225ab2043b8SDevin Teske # the security event and exit immediately. 226ab2043b8SDevin Teske # 227ab2043b8SDevin Teske if [ $nfailures -ge $PASSWD_TRIES ]; then 228ab2043b8SDevin Teske msg=$( printf "$msg_nfailed_attempts" "$nfailures" ) 229ab2043b8SDevin Teske logger -p auth.notice -t sudo " " \ 230ab2043b8SDevin Teske "$USER : $msg" \ 231ab2043b8SDevin Teske "; TTY=$(tty)" \ 232ab2043b8SDevin Teske "; PWD=$PWD" \ 233ab2043b8SDevin Teske "; USER=root" \ 234ab2043b8SDevin Teske "; COMMAND=$0" 235ab2043b8SDevin Teske f_die 1 "sudo: $msg" 236ab2043b8SDevin Teske fi 237ab2043b8SDevin Teske fi 238ab2043b8SDevin Teske 239ab2043b8SDevin Teske # Use xauth(1) to grant root the ability to use this X11/SSH session 240ab2043b8SDevin Teske if [ "$USE_XDIALOG" -a "$SSH_CONNECTION" -a "$DISPLAY" ]; then 241ab2043b8SDevin Teske f_have xauth || f_die 1 \ 242ab2043b8SDevin Teske "$msg_no_such_file_or_directory" "$pgm" "xauth" 243ab2043b8SDevin Teske local HOSTNAME displaynum 244ab2043b8SDevin Teske HOSTNAME=$(hostname) 245ab2043b8SDevin Teske displaynum="${DISPLAY#*:}" 246ab2043b8SDevin Teske xauth -f ~/.Xauthority extract - $HOSTNAME/unix:$displaynum \ 247ab2043b8SDevin Teske $HOSTNAME:$displaynum | sudo sh -c 'xauth -ivf \ 248fb7d723eSDevin Teske ~root/.Xauthority merge - > /dev/null 2>&1' 249ab2043b8SDevin Teske fi 250ab2043b8SDevin Teske 251ab2043b8SDevin Teske # Re-execute ourselves with sudo(8) 252ab2043b8SDevin Teske if [ $ARGC -gt 0 ]; then 253ab2043b8SDevin Teske exec sudo "$0" $ARGV 254ab2043b8SDevin Teske else 255ab2043b8SDevin Teske exec sudo "$0" 256ab2043b8SDevin Teske fi 257ab2043b8SDevin Teske exit $? # Never reached unless error 258ab2043b8SDevin Teske} 259ab2043b8SDevin Teske 260ab2043b8SDevin Teske# f_authenticate_some_user 261ab2043b8SDevin Teske# 262ab2043b8SDevin Teske# Only used if running as root and requires X11 (see USE_XDIALOG below). 263ab2043b8SDevin Teske# Prompts the user to enter a username and password to be authenticated via 264ab2043b8SDevin Teske# sudo(8) to proceed. 265ab2043b8SDevin Teske# 266ab2043b8SDevin Teske# The following environment variables effect functionality: 267ab2043b8SDevin Teske# 268ab2043b8SDevin Teske# USE_XDIALOG Either NULL or Non-NULL. If given a value will indicate 269ab2043b8SDevin Teske# that Xdialog(1) should be used instead of dialog(1). 270ab2043b8SDevin Teske# 271ab2043b8SDevin Teskef_authenticate_some_user() 272ab2043b8SDevin Teske{ 273ab2043b8SDevin Teske local msg hline size width height 274ab2043b8SDevin Teske 275ab2043b8SDevin Teske f_have sudo || f_die 1 "$msg_must_be_root_to_execute" "$pgm" 276ab2043b8SDevin Teske 277ab2043b8SDevin Teske # 278ab2043b8SDevin Teske # Secure-mode has been requested. 279ab2043b8SDevin Teske # 280ab2043b8SDevin Teske 281ab2043b8SDevin Teske [ "$USE_XDIALOG" ] || f_die 1 "$msg_secure_mode_requires_x11" 282ab2043b8SDevin Teske [ "$(id -u)" = "0" ] || f_die 1 "$msg_secure_mode_requires_root" 283ab2043b8SDevin Teske 284ab2043b8SDevin Teske # 285ab2043b8SDevin Teske # Prompt for sudo(8) credentials. 286ab2043b8SDevin Teske # 287ab2043b8SDevin Teske 288ab2043b8SDevin Teske msg="$msg_please_enter_username_password" 289ab2043b8SDevin Teske hline="$hline_alnum_punc_tab_enter" 290ab2043b8SDevin Teske size=$( f_xdialog_2inputsbox_size \ 291ab2043b8SDevin Teske "$DIALOG_TITLE" \ 292ab2043b8SDevin Teske "$DIALOG_BACKTITLE" \ 293ab2043b8SDevin Teske "$msg" \ 294ab2043b8SDevin Teske "$field_username" "" \ 295ab2043b8SDevin Teske "$field_password" "" ) 296ab2043b8SDevin Teske width="${size##*[$IFS]}" 297ab2043b8SDevin Teske height="${size%%[$IFS]*}" 298ab2043b8SDevin Teske height=$(( $height + 2 )) # Add height for --password 299ab2043b8SDevin Teske 300ab2043b8SDevin Teske # 301ab2043b8SDevin Teske # Continue prompting until they either Cancel, succeed or exceed the 302ab2043b8SDevin Teske # number of allowed failures. 303ab2043b8SDevin Teske # 304ab2043b8SDevin Teske local user_pass nfailures=0 retval 305ab2043b8SDevin Teske while [ $nfailures -lt $PASSWD_TRIES ]; do 306ab2043b8SDevin Teske user_pass=$( $DIALOG \ 307ab2043b8SDevin Teske --title "$DIALOG_TITLE" \ 308ab2043b8SDevin Teske --backtitle "$DIALOG_BACKTITLE" \ 309ab2043b8SDevin Teske --hline "$hline" \ 310ab2043b8SDevin Teske --ok-label "$msg_ok" \ 311ab2043b8SDevin Teske --cancel-label "$msg_cancel" \ 312ab2043b8SDevin Teske --password --2inputsbox "$msg" \ 313ab2043b8SDevin Teske $height $width \ 314ab2043b8SDevin Teske "$field_username" "" \ 315ab2043b8SDevin Teske "$field_password" "" \ 316fb7d723eSDevin Teske 2>&1 > /dev/null ) 317ab2043b8SDevin Teske retval=$? 318ab2043b8SDevin Teske 319ab2043b8SDevin Teske # Catch X11-related errors 320ab2043b8SDevin Teske [ $retval -eq 255 ] && f_die $retval "$user_pass" 321ab2043b8SDevin Teske 322ab2043b8SDevin Teske # Exit if the user cancelled. 323ab2043b8SDevin Teske [ $retval -eq $SUCCESS ] || exit $retval 324ab2043b8SDevin Teske 325ab2043b8SDevin Teske # 326ab2043b8SDevin Teske # Make sure the user exists and is non-root 327ab2043b8SDevin Teske # 328ab2043b8SDevin Teske local user password 329ab2043b8SDevin Teske user="${user_pass%%/*}" 330ab2043b8SDevin Teske password="${user_pass#*/}" 331ab2043b8SDevin Teske unset user_pass # scrub memory 332ab2043b8SDevin Teske if [ ! "$user" ]; then 333ab2043b8SDevin Teske nfailures=$(( $nfailures + 1 )) 334ab2043b8SDevin Teske f_dialog_msgbox "$msg_no_username" 335ab2043b8SDevin Teske continue 336ab2043b8SDevin Teske fi 337ab2043b8SDevin Teske if [ ! "$SECURE_ALLOW_ROOT" ]; then 338ab2043b8SDevin Teske case "$user" in 339ab2043b8SDevin Teske root|toor) 340ab2043b8SDevin Teske nfailures=$(( $nfailures + 1 )) 341ab2043b8SDevin Teske f_dialog_msgbox "$( printf \ 342ab2043b8SDevin Teske "$msg_user_disallowed" "$user" )" 343ab2043b8SDevin Teske continue 344ab2043b8SDevin Teske esac 345ab2043b8SDevin Teske fi 346ab2043b8SDevin Teske if ! f_quietly id "$user"; then 347ab2043b8SDevin Teske nfailures=$(( $nfailures + 1 )) 348ab2043b8SDevin Teske if [ "$SECURE_DIVULGE_UNKNOWN_USER" ]; then 349ab2043b8SDevin Teske f_dialog_msgbox "$( printf \ 350ab2043b8SDevin Teske "$msg_unknown_user" "$user" )" 351ab2043b8SDevin Teske elif [ $nfailures -lt $PASSWD_TRIES ]; then 352ab2043b8SDevin Teske f_dialog_info "$msg_sorry_try_again" 353ab2043b8SDevin Teske sleep 1 354ab2043b8SDevin Teske fi 355ab2043b8SDevin Teske continue 356ab2043b8SDevin Teske fi 357ab2043b8SDevin Teske 358ab2043b8SDevin Teske # 359ab2043b8SDevin Teske # Validate sudo(8) credentials for given user 360ab2043b8SDevin Teske # 361ab2043b8SDevin Teske su -m "$user" <<-EOF 362ab2043b8SDevin Teske sh <<EOS 363ab2043b8SDevin Teske sudo -k 364fb7d723eSDevin Teske sudo -S -v 2> /dev/null <<EOP 365ab2043b8SDevin Teske $password 366ab2043b8SDevin Teske EOP 367ab2043b8SDevin Teske EOS 368ab2043b8SDevin Teske EOF 369ab2043b8SDevin Teske retval=$? 370ab2043b8SDevin Teske unset user 371ab2043b8SDevin Teske unset password # scrub memory 372ab2043b8SDevin Teske 373ab2043b8SDevin Teske if [ $retval -eq $SUCCESS ]; then 374ab2043b8SDevin Teske # Access granted... 375ab2043b8SDevin Teske break 376ab2043b8SDevin Teske else 377ab2043b8SDevin Teske # Access denied... 378ab2043b8SDevin Teske nfailures=$(( $nfailures + 1 )) 379ab2043b8SDevin Teske 380ab2043b8SDevin Teske # introduce a short delay 381ab2043b8SDevin Teske if [ $nfailures -lt $PASSWD_TRIES ]; then 382ab2043b8SDevin Teske f_dialog_info "$msg_sorry_try_again" 383ab2043b8SDevin Teske sleep 1 384ab2043b8SDevin Teske fi 385ab2043b8SDevin Teske fi 386ab2043b8SDevin Teske done 387ab2043b8SDevin Teske 388ab2043b8SDevin Teske # 389ab2043b8SDevin Teske # If user exhausted number of allowed password tries, log 390ab2043b8SDevin Teske # the security event and exit immediately. 391ab2043b8SDevin Teske # 392ab2043b8SDevin Teske if [ $nfailures -ge $PASSWD_TRIES ]; then 393ab2043b8SDevin Teske msg=$( printf "$msg_nfailed_attempts" "$nfailures" ) 394ab2043b8SDevin Teske logger -p auth.notice -t sudo " " \ 395ab2043b8SDevin Teske "${SUDO_USER:-$USER} : $msg" \ 396ab2043b8SDevin Teske "; TTY=$(tty)" \ 397ab2043b8SDevin Teske "; PWD=$PWD" \ 398ab2043b8SDevin Teske "; USER=root" \ 399ab2043b8SDevin Teske "; COMMAND=$0" 400ab2043b8SDevin Teske f_die 1 "sudo: $message" 401ab2043b8SDevin Teske fi 402ab2043b8SDevin Teske} 403ab2043b8SDevin Teske 404ab2043b8SDevin Teske# f_mustberoot_init 405ab2043b8SDevin Teske# 406ab2043b8SDevin Teske# If not already root, make the switch to root by re-executing ourselves via 407ab2043b8SDevin Teske# sudo(8) using user-supplied credentials. 408ab2043b8SDevin Teske# 409ab2043b8SDevin Teske# The following environment variables effect functionality: 410ab2043b8SDevin Teske# 411ab2043b8SDevin Teske# SECURE Either NULL or Non-NULL. If given a value will indicate 412ab2043b8SDevin Teske# that (while running as root) sudo(8) authentication is 413ab2043b8SDevin Teske# required to proceed. 414ab2043b8SDevin Teske# 415ab2043b8SDevin Teskef_mustberoot_init() 416ab2043b8SDevin Teske{ 417ab2043b8SDevin Teske if [ "$(id -u)" != "0" -a ! "$SECURE" ]; then 418ab2043b8SDevin Teske f_become_root_via_sudo 419ab2043b8SDevin Teske elif [ "$SECURE" ]; then 420ab2043b8SDevin Teske f_authenticate_some_user 421ab2043b8SDevin Teske fi 422ab2043b8SDevin Teske} 423ab2043b8SDevin Teske 424ab2043b8SDevin Teskefi # ! $_MUSTBEROOT_SUBR 425