doas

https://man.openbsd.org/doas.1

Commit: 68469665cce53d17c88f38c7fc9259fa0e88aae5
Parent: 31985065c16a2aaa1ed610c91f077008253153b5
Author: 0x766F6964
Date:   Wed, 27 Jan 2021 21:08:32 -0700

update to src as of 2021.01.27

Diffstat:
Mdoas.1 | 12++++++------
Mdoas.c | 18++++++++++++------
Mdoas.conf.5 | 10+++++++---
Mdoas.h | 5+++--
Mparse.y | 25+++++++++++++++----------
5 files changed, 43 insertions(+), 27 deletions(-)

diff --git a/doas.1 b/doas.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: doas.1,v 1.23 2019/07/04 19:04:17 tedu Exp $ +.\" $OpenBSD: doas.1,v 1.25 2021/01/16 09:18:41 martijn Exp $ .\" .\"Copyright (c) 2015 Ted Unangst <tedu@openbsd.org> .\" @@ -13,7 +13,7 @@ .\"WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN .\"ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\"OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.Dd $Mdocdate: July 4 2019 $ +.Dd $Mdocdate: January 16 2021 $ .Dt DOAS 1 .Os .Sh NAME @@ -85,13 +85,13 @@ will be printed on standard output, depending on command matching results. No command is executed. .It Fl L -Clear any persisted authorizations from previous invocations, +Clear any persisted authentications from previous invocations, then immediately exit. No command is executed. .It Fl n -Non interactive mode, fail if -.Nm -would prompt for password. +Non interactive mode, fail if the matching rule doesn't have the +.Ic nopass +option. .It Fl s Execute the shell from .Ev SHELL diff --git a/doas.c b/doas.c @@ -1,4 +1,4 @@ -/* $OpenBSD: doas.c,v 1.82 2019/10/18 17:15:45 tedu Exp $ */ +/* $OpenBSD: doas.c,v 1.89 2021/01/27 17:02:50 millert Exp $ */ /* * Copyright (c) 2015 Ted Unangst <tedu@openbsd.org> * @@ -143,7 +143,7 @@ static int permit(uid_t uid, gid_t *groups, int ngroups, const struct rule **lastr, uid_t target, const char *cmd, const char **cmdargs) { - int i; + size_t i; *lastr = NULL; for (i = 0; i < nrules; i++) { @@ -190,6 +190,8 @@ checkconfig(const char *confpath, int argc, char **argv, const struct rule *rule; setresuid(uid, uid, uid); + if (pledge("stdio rpath getpw", NULL) == -1) + err(1, "pledge"); parseconfig(confpath, 0); if (!argc) exit(0); 
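Review bot: The new `pledge("stdio rpath getpw", NULL)` in checkconfig is placed right after `setresuid(uid, uid, uid)`, whose return value is never checked on the context line above it, so a failed privilege drop would be silent and parseconfig() would then read the config with the caller's original credentials rather than the invoking user's. Making the drop fatal keeps that failure loud and matches the `err(1, "pledge")` style of the new lines: `if (setresuid(uid, uid, uid) == -1) err(1, "setresuid");`. The unchecked call is pre-existing context rather than something this commit introduced, but the new pledge ordering (no `id` promise) assumes it has already succeeded. The rest of checkconfig continues outside the hunk.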
@@ -251,7 +253,7 @@ authuser(char *myname, int persist) if (!verifypasswd(myname, response)) { explicit_bzero(rbuf, sizeof(rbuf)); syslog(LOG_NOTICE, "failed auth for %s", myname); - errx(1, "Authorization failed"); + errx(1, "Authentication failed"); } explicit_bzero(rbuf, sizeof(rbuf)); good: @@ -381,6 +383,8 @@ main(int argc, char **argv) } if (confpath) { + if (pledge("stdio rpath getpw id", NULL) == -1) + err(1, "pledge"); checkconfig(confpath, argc, argv, uid, groups, ngroups, target); exit(1); /* fail safe */ @@ -410,7 +414,7 @@ main(int argc, char **argv) if (!(rule->options & NOPASS)) { if (nflag) - errx(1, "Authorization required"); + errx(1, "Authentication required"); authuser(mypw->pw_name, rule->options & PERSIST); } @@ -457,8 +461,10 @@ main(int argc, char **argv) if (pledge("stdio exec", NULL) == -1) err(1, "pledge"); - syslog(LOG_INFO, "%s ran command %s as %s from %s", - mypw->pw_name, cmdline, targpw->pw_name, cwd); + if (!(rule->options & NOLOG)) { + syslog(LOG_INFO, "%s ran command %s as %s from %s", + mypw->pw_name, cmdline, targpw->pw_name, cwd); + } envp = prepenv(rule, mypw, targpw); diff --git a/doas.conf.5 b/doas.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: doas.conf.5,v 1.43 2020/05/16 16:58:11 jmc Exp $ +.\" $OpenBSD: doas.conf.5,v 1.45 2020/10/09 10:24:33 jmc Exp $ .\" .\"Copyright (c) 2015 Ted Unangst <tedu@openbsd.org> .\" @@ -13,7 +13,7 @@ .\"WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN .\"ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\"OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.Dd $Mdocdate: May 16 2020 $ +.Dd $Mdocdate: October 9 2020 $ .Dt DOAS.CONF 5 .Os .Sh NAME @@ -45,6 +45,9 @@ Options are: .Bl -tag -width keepenv .It Ic nopass The user is not required to enter a password. +.It Ic nolog +Do not log successful command execution to +.Xr syslogd 8 . .It Ic persist After the user successfully authenticates, do not ask for a password again for some time. 
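Review bot: The new `if (!(rule->options & NOLOG))` guard around the syslog() call drops the syslog record of a successful privileged execution for rules carrying `nolog`, and nothing in the hunk tells the next reader how far that silence reaches. A short comment would make the audit scope explicit: `/* nolog suppresses only this success record; failed attempts are still reported by authuser() */` — the `syslog(LOG_NOTICE, "failed auth for %s", myname)` line is visible as context in the authuser hunk on this page and is not affected by the option. main continues outside the hunk.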
@@ -139,7 +142,8 @@ permit nopass tedu as root cmd /usr/sbin/procmap permit nopass keepenv setenv { PATH } root as root .Ed .Sh SEE ALSO -.Xr doas 1 +.Xr doas 1 , +.Xr syslogd 8 .Sh HISTORY The .Nm diff --git a/doas.h b/doas.h @@ -1,4 +1,4 @@ -/* $OpenBSD: doas.h,v 1.15 2019/06/17 19:51:23 tedu Exp $ */ +/* $OpenBSD: doas.h,v 1.17 2021/01/27 17:02:50 millert Exp $ */ /* * Copyright (c) 2015 Ted Unangst <tedu@openbsd.org> * @@ -26,7 +26,7 @@ struct rule { }; extern struct rule **rules; -extern int nrules; +extern size_t nrules; extern int parse_errors; extern const char *formerpath; @@ -46,3 +46,4 @@ int clearpersist(void); #define NOPASS 0x1 #define KEEPENV 0x2 #define PERSIST 0x4 +#define NOLOG 0x8 diff --git a/parse.y b/parse.y @@ -1,4 +1,4 @@ -/* $OpenBSD: parse.y,v 1.27 2018/07/11 07:39:22 krw Exp $ */ +/* $OpenBSD: parse.y,v 1.29 2021/01/27 17:02:50 millert Exp $ */ /* * Copyright (c) 2015 Ted Unangst <tedu@openbsd.org> * @@ -48,8 +48,8 @@ typedef struct { FILE *yyfp; struct rule **rules; -int nrules; -static int maxrules; +size_t nrules; +static size_t maxrules; int parse_errors = 0; @@ -71,7 +71,7 @@ arraylen(const char **arr) %} %token TPERMIT TDENY TAS TCMD TARGS -%token TNOPASS TPERSIST TKEEPENV TSETENV +%token TNOPASS TNOLOG TPERSIST TKEEPENV TSETENV %token TSTRING %% @@ -96,12 +96,12 @@ rule: action ident target cmd { r->cmdargs = $4.cmdargs; if (nrules == maxrules) { if (maxrules == 0) - maxrules = 63; - else - maxrules *= 2; - if (!(rules = reallocarray(rules, maxrules, - sizeof(*rules)))) + maxrules = 32; + rules = reallocarray(rules, maxrules, + 2 * sizeof(*rules)); + if (!rules) errx(1, "can't allocate rules"); + maxrules *= 2; } rules[nrules++] = r; } ; @@ -137,6 +137,9 @@ options: /* none */ { option: TNOPASS { $$.options = NOPASS; $$.envlist = NULL; + } | TNOLOG { + $$.options = NOLOG; + $$.envlist = NULL; } | TPERSIST { $$.options = PERSIST; $$.envlist = NULL; 
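Review bot: The new growth logic in the `rule:` action splits the capacity computation across two places — `2 * sizeof(*rules)` inside the reallocarray() call and `maxrules *= 2` after it — so the literal `maxrules = 32` never describes an actual allocation; the first one is 64 slots. Folding the doubling into one assignment before the call gives the same sequence of sizes and keeps the element-size argument honest: `maxrules = maxrules ? 2 * maxrules : 64;` followed by `rules = reallocarray(rules, maxrules, sizeof(*rules));`. Assigning the result straight back to `rules` is acceptable here only because the failure path is a fatal errx(); if that ever becomes non-fatal the original pointer is lost. The `rule:` action continues outside the hunk.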
@@ -210,6 +213,7 @@ static struct keyword {
 { "cmd", TCMD },
 { "args", TARGS },
 { "nopass", TNOPASS },
+ { "nolog", TNOLOG },
 { "persist", TPERSIST },
 { "keepenv", TKEEPENV },
 { "setenv", TSETENV },
@@ -219,7 +223,8 @@ int
 yylex(void)
 {
 char buf[1024], *ebuf, *p, *str;
- int i, c, quotes = 0, escape = 0, qpos = -1, nonkw = 0;
+ int c, quotes = 0, escape = 0, qpos = -1, nonkw = 0;
+ size_t i;
 
 p = buf;
 ebuf = buf + sizeof(buf);