GNUmakefile

@@ -15,16 +15,13 @@ OBJS:=	${OBJS:.c=.o}
 ${PROG}: ${OBJS}
 	${CC} ${CFLAGS} $^ -o $@ ${LDFLAGS} ${LDLIBS}
 
-install: ${PROG} ${PAM_DOAS} ${MAN}
+install: ${PROG} ${MAN}
 	mkdir -p -m 0755 ${DESTDIR}${BINDIR}
-	[ -n "${PAM_DOAS}" ] && mkdir -p -m 0755 ${DESTDIR}${PAMDIR} || true
 	mkdir -p -m 0755 ${DESTDIR}${MANDIR}/man1
 	mkdir -p -m 0755 ${DESTDIR}${MANDIR}/man5
 	cp -f ${PROG} ${DESTDIR}${BINDIR}
 	chown ${BINOWN}:${BINGRP} ${DESTDIR}${BINDIR}/${PROG}
 	chmod ${BINMODE} ${DESTDIR}${BINDIR}/${PROG}
-	[ -n "${PAM_DOAS}" ] && cp ${PAM_DOAS} ${DESTDIR}${PAMDIR}/doas || true
-	[ -n "${PAM_DOAS}" ] && chmod 0644 ${DESTDIR}${PAMDIR}/doas || true
 	cp -f doas.1 ${DESTDIR}${MANDIR}/man1
 	cp -f doas.conf.5 ${DESTDIR}${MANDIR}/man5
 

README.md

@@ -1,45 +1,64 @@
 # OpenDoas: a portable version of OpenBSD's `doas` command
 
-`doas` is a minimal replacement for the venerable `sudo`. It was
+[`doas`](https://en.wikipedia.org/wiki/Doas) is a minimal replacement for the venerable `sudo`. It was
 initially [written by Ted Unangst](http://www.tedunangst.com/flak/post/doas)
 of the OpenBSD project to provide 95% of the features of `sudo` with a
 fraction of the codebase.
 
-At the moment only linux with GLIBC or musl libc is supported and tested.
+## Building and Installation Warnings
 
-## Building and installing
+There are a few steps you have to carefully consider before building and installing
+OpenDoas:
 
-```
-$ ./configure
-$ make
-# make install
-```
+* There are fewer eyes on random `doas` ports, just because `sudo` had a vulnerability
+  does not mean random doas ports are more secure if they are not reviewed
+  or [PAM](https://en.wikipedia.org/wiki/Pluggable_authentication_module) is configured incorrectly.
+  * If you want to use PAM; You have to [configure PAM](#pam-configuration)
+    and failing to do so correctly might leave a big open door.
 
-## About the port
+* Use the `configure` script.
+* Use the default make target.
+* If you really want to install a setuid binary that depends on
+  PAM being correctly configured, use the `make install` target
+  to install the software.
+
+## About the OpenDoas Port
 
 This is not an official port/project from OpenBSD!
 
 As much as possible I've attempted to stick to `doas` as tedu desired
 it. As things stand it's essentially just code lifted from OpenBSD with
 PAM or shadow based authentication glommed on to it.
 
-Compatibility functions in libopenbsd come from openbsd directly
+Compatibility functions in libopenbsd come from OpenBSD directly
 (`strtonum.c`, `reallocarray.c`, `strlcpy.c`, `strlcat.c`),
 from openssh (`readpassphrase.c`) or from sudo (`closefrom.c`).
 
 The PAM and shadow authentication code does not come from the OpenBSD project.
 
-### Perist/Timestamp/Timeout
+### PAM Configuration
+
+I will not ship PAM configuration files, they are distribution specific and
+its simply not safe or productive to ship and install those files.
+
+If you want to use OpenDoas on your system and there is no package that
+ships with a working PAM configuration file, then you have to write and
+test it yourself.
+
+A good starting point is probably the distribution maintained `/etc/pam.d/sudo`
+file.
+
+### Persist/Timestamp/Timeout
 
-The persist feature is disabled by default and can be enabled with the configure
-flag `--with-timestamp`.
+The persist feature is disabled by default and can be enabled with the
+`--with-timestamp` configure flag.
 
-This feature is new and potentially dangerous, in the original doas, a kernel API
-is used to set and clear timeouts. This API is openbsd specific and no similar API
+This feature is new and potentially dangerous, in the original `doas`, a kernel API
+is used to set and clear timeouts. This API is OpenBSD specific and no similar API
 is available on other operating systems.
 
 As a workaround, the persist feature is implemented using timestamp files
-similar to sudo.
+similar to `sudo`.
 
 See the comment block in `timestamp.c` for an in-depth description on how
 timestamps are created and checked to be as safe as possible.

configure

@@ -15,7 +15,6 @@ usage: configure [options]
   --datadir=DIR          architecture-independent data files [PREFIX/share]
   --mandir=DIR           manual pages [DATADIR/man]
   --sysconfdir=DIR       directory for configuration files [/etc]
-  --pamdir=DIR           PAM directory [SYSCONFDIR/pam.d]
 
   --build=build-alias    a cpu-vendor-opsys for the system where the application will be built
   --host=host-alias      a cpu-vendor-opsys for the system where the application will run
@@ -52,7 +51,6 @@ for x; do
 	--datadir) SHAREDIR=$var ;;
 	--mandir) MANDIR=$var ;;
 	--sysconfdir) SYSCONFDIR=$var ;;
-	--pamdir) PAMDIR=$var ;;
 	--build) BUILD=$var ;;
 	--host) HOST=$var ;;
 	--target) TARGET=$var ;;
@@ -134,7 +132,6 @@ esac
 : ${SHAREDIR:=${PREFIX}/share}
 : ${MANDIR:=${SHAREDIR}/man}
 : ${SYSCONFDIR:=/etc}
-: ${PAMDIR:=${SYSCONFDIR}/pam.d}
 : ${BINMODE:=4755}
 : ${BINOWN:=root}
 : ${BINGRP:=root}
@@ -146,7 +143,6 @@ BINDIR   ?=	${BINDIR}
 SHAREDIR ?=	${SHAREDIR}
 MANDIR   ?=	${MANDIR}
 SYSCONFDIR?=	${SYSCONFDIR}
-PAMDIR   ?=	${PAMDIR}
 BINMODE  ?=	${BINMODE}
 BINOWN  ?=	${BINOWN}
 BINGRP  ?=	${BINGRP}
@@ -203,9 +199,6 @@ int main(void) {
 		printf 'LDLIBS +=	-lpam\n' >>$CONFIG_MK
 		printf '#define USE_PAM\n' >>$CONFIG_H
 		printf 'pam\n'
-
-		pam_file="pam.d__doas__${OS}"
-		[ -e "$pam_file" ] && printf 'PAM_DOAS  =	%s\n' "$pam_file" >>$CONFIG_MK
 		return 0
 	}
 

doas.1

@@ -1,4 +1,4 @@
-.\" $OpenBSD: doas.1,v 1.13 2015/07/26 23:00:15 tedu Exp $
+.\" $OpenBSD: doas.1,v 1.25 2021/01/16 09:18:41 martijn Exp $
 .\"
 .\"Copyright (c) 2015 Ted Unangst <tedu@openbsd.org>
 .\"
@@ -13,7 +13,7 @@
 .\"WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 .\"ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\"OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.Dd $Mdocdate: July 26 2015 $
+.Dd $Mdocdate: January 16 2021 $
 .Dt DOAS 1
 .Os
 .Sh NAME
@@ -85,13 +85,13 @@ will be printed on standard output, depending on command
 matching results.
 No command is executed.
 .It Fl L
-Clear any persisted authorizations from previous invocations,
+Clear any persisted authentications from previous invocations,
 then immediately exit.
 No command is executed.
 .It Fl n
-Non interactive mode, fail if
-.Nm
-would prompt for password.
+Non interactive mode, fail if the matching rule doesn't have the
+.Ic nopass
+option.
 .It Fl s
 Execute the shell from
 .Ev SHELL

doas.c

@@ -139,7 +139,7 @@ static int
 permit(uid_t uid, gid_t *groups, int ngroups, const struct rule **lastr,
     uid_t target, const char *cmd, const char **cmdargs)
 {
-	int i;
+	size_t i;
 
 	*lastr = NULL;
 	for (i = 0; i < nrules; i++) {
@@ -352,15 +352,15 @@ main(int argc, char **argv)
 #if defined(USE_SHADOW)
 	if (!(rule->options & NOPASS)) {
 		if (nflag)
-			errx(1, "Authorization required");
+			errx(1, "Authentication required");
 
 		shadowauth(mypw->pw_name, rule->options & PERSIST);
 	}
 #elif !defined(USE_PAM)
 	/* no authentication provider, only allow NOPASS rules */
 	(void) nflag;
 	if (!(rule->options & NOPASS))
-		errx(1, "Authorization required");
+		errx(1, "Authentication required");
 #endif
 
 	if ((p = getenv("PATH")) != NULL)
@@ -386,6 +386,7 @@ main(int argc, char **argv)
 
 #ifdef HAVE_LOGIN_CAP_H
 	if (setusercontext(NULL, targpw, target, LOGIN_SETGROUP |
+	    LOGIN_SETPATH |
 	    LOGIN_SETPRIORITY | LOGIN_SETRESOURCES | LOGIN_SETUMASK |
 	    LOGIN_SETUSER) != 0)
 		errx(1, "failed to set user context for target");
@@ -396,6 +397,8 @@ main(int argc, char **argv)
 		err(1, "initgroups");
 	if (setresuid(target, target, target) != 0)
 		err(1, "setresuid");
+	if (setenv("PATH", safepath, 1) == -1)
+		err(1, "failed to set PATH '%s'", safepath);
 #endif
 
 	if (getcwd(cwdpath, sizeof(cwdpath)) == NULL)

doas.conf.5

@@ -1,4 +1,4 @@
-.\" $OpenBSD: doas.conf.5,v 1.13 2015/07/27 21:44:11 tedu Exp $
+.\" $OpenBSD: doas.conf.5,v 1.45 2020/10/09 10:24:33 jmc Exp $
 .\"
 .\"Copyright (c) 2015 Ted Unangst <tedu@openbsd.org>
 .\"
@@ -13,7 +13,7 @@
 .\"WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 .\"ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\"OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.Dd $Mdocdate: July 27 2015 $
+.Dd $Mdocdate: October 9 2020 $
 .Dt DOAS.CONF 5
 .Os
 .Sh NAME
@@ -111,7 +111,7 @@ escapes the next character, including new line characters, outside comments;
 as a result, comments may not be extended over multiple lines.
 .It
 If quotes or backslashes are used in a word,
-it isn't considered a keyword.
+it is not considered a keyword.
 .El
 .Sh FILES
 .Bl -tag -width /etc/examples/doas.conf -compact

doas.h

@@ -26,7 +26,7 @@ struct rule {
 };
 
 extern struct rule **rules;
-extern int nrules;
+extern size_t nrules;
 extern int parse_errors;
 
 extern const char *formerpath;

pam.c

@@ -104,8 +104,7 @@ pamconv(int nmsgs, const struct pam_message **msgs,
 
 		case PAM_ERROR_MSG:
 		case PAM_TEXT_INFO:
-			if (fprintf(style == PAM_ERROR_MSG ? stderr : stdout,
-			    "%s\n", msgs[i]->msg) < 0)
+			if (fprintf(stderr, "%s\n", msgs[i]->msg) < 0)
 				goto fail;
 			break;
 
@@ -245,7 +244,7 @@ pamauth(const char *user, const char *myname, int interactive, int nopass, int p
 #endif
 
 	if (!user || !myname)
-		errx(1, "Authorization failed");
+		errx(1, "Authentication failed");
 
 	ret = pam_start(PAM_SERVICE_NAME, myname, &conv, &pamh);
 	if (ret != PAM_SUCCESS)
@@ -277,7 +276,7 @@ pamauth(const char *user, const char *myname, int interactive, int nopass, int p
 
 	if (!nopass) {
 		if (!interactive)
-			errx(1, "Authorization required");
+			errx(1, "Authentication required");
 
 		/* doas style prompt for pam */
 		char host[HOST_NAME_MAX + 1];
@@ -291,7 +290,7 @@ pamauth(const char *user, const char *myname, int interactive, int nopass, int p
 		if (ret != PAM_SUCCESS) {
 			pamcleanup(ret, sess, cred);
 			syslog(LOG_AUTHPRIV | LOG_NOTICE, "failed auth for %s", myname);
-			errx(1, "Authorization failed");
+			errx(1, "Authentication failed");
 		}
 	}
 
@@ -304,7 +303,7 @@ pamauth(const char *user, const char *myname, int interactive, int nopass, int p
 	if (ret != PAM_SUCCESS) {
 		pamcleanup(ret, sess, cred);
 		syslog(LOG_AUTHPRIV | LOG_NOTICE, "failed auth for %s", myname);
-		errx(1, "Authorization failed");
+		errx(1, "Authentication failed");
 	}
 
 	/* set PAM_USER to the user we want to be */