opendoas

A portable version of the OpenBSD `doas` command
git clone https://pi.duncano.de/git/opendoas.git
Log | Files | Refs | README | LICENSE

commit c70ee87c8315be3958b968f0f3646bb2561ef4db
parent dba0eda8cebb119477002ef8c1d1c6463c0dccb6
Author: Nicholas Marriott <nicm@openbsd.org>
Date:   Sat, 18 Jul 2015 06:33:23 +0000

Add doas -s as a shorthand for doas $SHELL. ok tedu

Diffstat:
doas.1 | 8+++++++-
doas.c | 44++++++++++++++++++++++++++++++--------------
2 files changed, 37 insertions(+), 15 deletions(-)

diff --git a/doas.1 b/doas.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: doas.1,v 1.3 2015/07/17 20:24:41 tedu Exp $ +.\" $OpenBSD: doas.1,v 1.4 2015/07/17 20:50:31 schwarze Exp $ .\" .\"Copyright (c) 2015 Ted Unangst <tedu@openbsd.org> .\" @@ -21,6 +21,7 @@ .Nd execute commands as another user .Sh SYNOPSIS .Nm doas +.Op Fl s .Op Fl u Ar user .Ar command .Op Ar args @@ -31,6 +32,11 @@ utility executes the given command as another user. .Pp The options are as follows: .Bl -tag -width tenletters +.It Fl s +Execute the shell from +.Ev SHELL +or +.Pa /etc/passwd . .It Fl u Ar user Execute the command as .Ar user . diff --git a/doas.c b/doas.c @@ -1,4 +1,4 @@ -/* $OpenBSD: doas.c,v 1.6 2015/07/16 23:22:08 nicm Exp $ */ +/* $OpenBSD: doas.c,v 1.7 2015/07/18 00:19:38 doug Exp $ */ /* * Copyright (c) 2015 Ted Unangst <tedu@openbsd.org> * @@ -35,7 +35,7 @@ static void __dead usage(void) { - fprintf(stderr, "usage: doas [-u user] command [args]\n"); + fprintf(stderr, "usage: doas [-s] [-u user] command [args]\n"); exit(1); } @@ -255,15 +255,21 @@ main(int argc, char **argv, char **envp) int i, ch; const char *safepath = "/bin:/sbin:/usr/bin:/usr/sbin:" "/usr/local/bin:/usr/local/sbin"; + int sflag = 0; + char *shargv[] = { NULL, NULL }; + char *sh; parseconfig("/etc/doas.conf"); - while ((ch = getopt(argc, argv, "u:")) != -1) { + while ((ch = getopt(argc, argv, "su:")) != -1) { switch (ch) { case 'u': if (parseuid(optarg, &target) != 0) errx(1, "unknown user"); break; + case 's': + sflag = 1; + break; default: usage(); break; @@ -272,19 +278,9 @@ main(int argc, char **argv, char **envp) argv += optind; argc -= optind; - if (!argc) + if ((!sflag && !argc) || (sflag && argc)) usage(); - cmd = argv[0]; - if (strlcpy(cmdline, argv[0], sizeof(cmdline)) >= sizeof(cmdline)) - errx(1, "command line too long"); - for (i = 1; i < argc; i++) { - if (strlcat(cmdline, " ", sizeof(cmdline)) >= sizeof(cmdline)) - errx(1, "command line too long"); - if (strlcat(cmdline, argv[i], sizeof(cmdline)) >= sizeof(cmdline)) - errx(1, "command line too long"); - } - uid = getuid(); pw = getpwuid(uid); if (!pw) @@ -296,6 +292,26 @@ main(int argc, char **argv, char **envp) err(1, "can't get groups"); groups[ngroups++] = getgid(); + if (sflag) { + sh = getenv("SHELL"); + if (sh == NULL || *sh == '\0') + shargv[0] = pw->pw_shell; + else + shargv[0] = sh; + argv = shargv; + argc = 1; + } + + cmd = argv[0]; + if (strlcpy(cmdline, argv[0], sizeof(cmdline)) >= sizeof(cmdline)) + errx(1, "command line too long"); + for (i = 1; i < argc; i++) { + if (strlcat(cmdline, " ", sizeof(cmdline)) >= sizeof(cmdline)) + errx(1, "command line too long"); + if (strlcat(cmdline, argv[i], sizeof(cmdline)) >= sizeof(cmdline)) + errx(1, "command line too long"); + } + if (!permit(uid, groups, ngroups, &rule, target, cmd)) { syslog(LOG_AUTHPRIV | LOG_NOTICE, "failed command for %s: %s", myname, cmdline);