Implement passwd_timeout (#1165)

Author: squell

src/defaults/mod.rs

@@ -52,6 +52,7 @@ defaults! {
 
     verifypw                  = all (!= never) [all, always, any, never] #ignored
 
+    passwd_timeout            = (5*60) (!= 0) {fractional_minutes}
     timestamp_timeout         = (15*60) (!= 0) {fractional_minutes}
 
     env_keep                  = ["COLORS", "DISPLAY", "HOSTNAME", "KRB5CCNAME", "LS_COLORS", "PATH",

src/pam/converse.rs

@@ -1,4 +1,7 @@
+use std::io;
+
 use crate::cutils::string_from_ptr;
+use crate::system::time::Duration;
 
 use super::sys::*;
 
@@ -98,6 +101,7 @@ pub struct CLIConverser {
     pub(super) use_stdin: bool,
     pub(super) bell: bool,
     pub(super) password_feedback: bool,
+    pub(super) password_timeout: Option<Duration>,
 }
 
 use rpassword::Terminal;
@@ -126,10 +130,17 @@ impl Converser for CLIConverser {
         }
         tty.prompt(msg)?;
         if self.password_feedback {
-            Ok(tty.read_password_with_feedback()?)
+            tty.read_password_with_feedback(self.password_timeout)
         } else {
-            Ok(tty.read_password()?)
+            tty.read_password(self.password_timeout)
         }
+        .map_err(|err| {
+            if let io::ErrorKind::TimedOut = err.kind() {
+                PamError::TimedOut
+            } else {
+                PamError::IoError(err)
+            }
+        })
     }
 
     fn handle_error(&self, msg: &str) -> PamResult<()> {
@@ -149,6 +160,10 @@ pub(super) struct ConverserData<C> {
     pub(super) converser_name: String,
     pub(super) no_interact: bool,
     pub(super) auth_prompt: Option<String>,
+    // pam_authenticate does not return error codes returned by the conversation
+    // function; these are set by the conversation function instead of returning
+    // multiple error codes.
+    pub(super) timed_out: bool,
     pub(super) panicked: bool,
 }
 
@@ -194,11 +209,16 @@ pub(super) unsafe extern "C" fn converse<C: Converser>(
             // send the conversation off to the Rust part
             // SAFETY: appdata_ptr contains the `*mut ConverserData` that is untouched by PAM
             let app_data = unsafe { &mut *(appdata_ptr as *mut ConverserData<C>) };
-            let Ok(resp_buf) = handle_message(app_data, style, &msg) else {
-                return PamErrorType::ConversationError;
-            };
-
-            resp_bufs.push(resp_buf);
+            match handle_message(app_data, style, &msg) {
+                Ok(resp_buf) => {
+                    resp_bufs.push(resp_buf);
+                }
+                Err(PamError::TimedOut) => {
+                    app_data.timed_out = true;
+                    return PamErrorType::ConversationError;
+                }
+                Err(_) => return PamErrorType::ConversationError,
+            }
         }
 
         // Allocate enough memory for the responses, which are initialized with zero.
@@ -374,6 +394,7 @@ mod test {
             converser_name: "tux".to_string(),
             no_interact: false,
             auth_prompt: Some("authenticate".to_owned()),
+            timed_out: false,
             panicked: false,
         });
         let cookie = PamConvBorrow::new(hello.as_mut());

src/pam/error.rs

@@ -175,6 +175,7 @@ pub enum PamError {
     IoError(std::io::Error),
     EnvListFailure,
     InteractionRequired,
+    TimedOut,
     InvalidUser(String, String),
 }
 
@@ -222,6 +223,7 @@ impl fmt::Display for PamError {
                 )
             }
             PamError::InteractionRequired => write!(f, "Interaction is required"),
+            PamError::TimedOut => write!(f, "timed out"),
             PamError::InvalidUser(username, other_user) => {
                 write!(
                     f,

src/pam/mod.rs

@@ -6,6 +6,8 @@ use std::{
     ptr::NonNull,
 };
 
+use crate::system::time::Duration;
+
 use converse::ConverserData;
 use error::pam_err;
 pub use error::{PamError, PamErrorType, PamResult};
@@ -43,20 +45,23 @@ impl PamContext {
     /// username.
     ///
     /// This function will error when initialization of the PAM session somehow failed.
+    #[allow(clippy::too_many_arguments)]
     pub fn new_cli(
         converser_name: &str,
         service_name: &str,
         use_stdin: bool,
         bell: bool,
         no_interact: bool,
         password_feedback: bool,
+        password_timeout: Option<Duration>,
         target_user: Option<&str>,
     ) -> PamResult<PamContext> {
         let converser = CLIConverser {
             bell,
             name: converser_name.to_owned(),
             use_stdin,
             password_feedback,
+            password_timeout,
         };
 
         let c_service_name = CString::new(service_name)?;
@@ -75,6 +80,7 @@ impl PamContext {
                 .ok()
                 .filter(|s| !s.is_empty())
                 .or(Some("authenticate".to_owned())),
+            timed_out: false,
             panicked: false,
         }));
 
@@ -151,12 +157,22 @@ impl PamContext {
         flags |= self.disallow_null_auth_token_flag();
 
         // SAFETY: `self.pamh` contains a correct handle (obtained from `pam_start`)
-        pam_err(unsafe { pam_authenticate(self.pamh, flags) })?;
+        let auth_res = pam_err(unsafe { pam_authenticate(self.pamh, flags) });
 
         if self.has_panicked() {
             panic!("Panic during pam authentication");
         }
 
+        // SAFETY: self.data_ptr was created by Box::into_raw
+        if unsafe { (*self.data_ptr).timed_out } {
+            return Err(PamError::TimedOut);
+        }
+
+        #[allow(clippy::question_mark)]
+        if let Err(err) = auth_res {
+            return Err(err);
+        }
+
         // Check that no PAM module changed the user.
         match self.get_user() {
             Ok(pam_user) => {

src/pam/rpassword.rs

@@ -14,12 +14,14 @@
 ///   (although much more robust than in the original code)
 ///
 use std::io::{self, Error, ErrorKind, Read};
-use std::os::fd::{AsFd, AsRawFd};
+use std::os::fd::{AsFd, AsRawFd, BorrowedFd};
+use std::time::Instant;
 use std::{fs, mem};
 
 use libc::{tcsetattr, termios, ECHO, ECHONL, ICANON, TCSANOW, VEOF, VERASE, VKILL};
 
 use crate::cutils::cerr;
+use crate::system::time::Duration;
 
 use super::securemem::PamBuffer;
 
@@ -177,6 +179,66 @@ fn write_unbuffered(sink: &mut dyn io::Write, text: &[u8]) -> io::Result<()> {
     sink.flush()
 }
 
+struct TimeoutRead<'a> {
+    timeout_at: Option<Instant>,
+    fd: BorrowedFd<'a>,
+}
+
+impl<'a> TimeoutRead<'a> {
+    fn new(fd: BorrowedFd<'a>, timeout: Option<Duration>) -> TimeoutRead<'a> {
+        TimeoutRead {
+            timeout_at: timeout.map(|timeout| Instant::now() + timeout.into()),
+            fd,
+        }
+    }
+}
+
+impl io::Read for TimeoutRead<'_> {
+    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
+        let pollmask = libc::POLLIN | libc::POLLRDHUP;
+
+        let mut pollfd = [libc::pollfd {
+            fd: self.fd.as_raw_fd(),
+            events: pollmask,
+            revents: 0,
+        }; 1];
+
+        let timeout = match self.timeout_at {
+            Some(timeout_at) => {
+                let now = Instant::now();
+                if now > timeout_at {
+                    return Err(io::Error::from(ErrorKind::TimedOut));
+                }
+
+                (timeout_at - now)
+                    .as_millis()
+                    .try_into()
+                    .unwrap_or(i32::MAX)
+            }
+            None => -1,
+        };
+
+        // SAFETY: pollfd is initialized and its length matches
+        cerr(unsafe { libc::poll(pollfd.as_mut_ptr(), pollfd.len() as u64, timeout) })?;
+
+        // There may yet be data waiting to be read even if POLLHUP is set.
+        if pollfd[0].revents & (pollmask | libc::POLLHUP) > 0 {
+            // SAFETY: buf is initialized and its length matches
+            let ret = cerr(unsafe {
+                libc::read(
+                    self.fd.as_raw_fd(),
+                    buf.as_mut_ptr() as *mut libc::c_void,
+                    buf.len(),
+                )
+            })?;
+
+            Ok(ret as usize)
+        } else {
+            Err(io::Error::from(io::ErrorKind::TimedOut))
+        }
+    }
+}
+
 /// A data structure representing either /dev/tty or /dev/stdin+stderr
 pub enum Terminal<'a> {
     Tty(fs::File),
@@ -200,21 +262,27 @@ impl Terminal<'_> {
     }
 
     /// Reads input with TTY echo disabled
-    pub fn read_password(&mut self) -> io::Result<PamBuffer> {
-        let input = self.source();
+    pub fn read_password(&mut self, timeout: Option<Duration>) -> io::Result<PamBuffer> {
+        let mut input = self.source_timeout(timeout);
         let _hide_input = HiddenInput::new(false)?;
-        read_unbuffered(input)
+        read_unbuffered(&mut input)
     }
 
     /// Reads input with TTY echo disabled, but do provide visual feedback while typing.
-    pub fn read_password_with_feedback(&mut self) -> io::Result<PamBuffer> {
-        if let Some(hide_input) = HiddenInput::new(true)? {
-            match self {
-                Terminal::StdIE(x, y) => read_unbuffered_with_feedback(x, y, &hide_input),
-                Terminal::Tty(x) => read_unbuffered_with_feedback(&mut &*x, &mut &*x, &hide_input),
+    pub fn read_password_with_feedback(
+        &mut self,
+        timeout: Option<Duration>,
+    ) -> io::Result<PamBuffer> {
+        match (HiddenInput::new(true)?, self) {
+            (Some(hide_input), Terminal::StdIE(stdin, stdout)) => {
+                let mut reader = TimeoutRead::new(stdin.as_fd(), timeout);
+                read_unbuffered_with_feedback(&mut reader, stdout, &hide_input)
             }
-        } else {
-            read_unbuffered(self.source())
+            (Some(hide_input), Terminal::Tty(file)) => {
+                let mut reader = TimeoutRead::new(file.as_fd(), timeout);
+                read_unbuffered_with_feedback(&mut reader, &mut &*file, &hide_input)
+            }
+            (None, term) => read_unbuffered(&mut term.source_timeout(timeout)),
         }
     }
 
@@ -242,6 +310,13 @@ impl Terminal<'_> {
         }
     }
 
+    fn source_timeout(&self, timeout: Option<Duration>) -> TimeoutRead {
+        match self {
+            Terminal::StdIE(stdin, _) => TimeoutRead::new(stdin.as_fd(), timeout),
+            Terminal::Tty(file) => TimeoutRead::new(file.as_fd(), timeout),
+        }
+    }
+
     fn sink(&mut self) -> &mut dyn io::Write {
         match self {
             Terminal::StdIE(_, x) => x,

src/su/mod.rs

@@ -29,7 +29,16 @@ fn authenticate(requesting_user: &str, user: &str, login: bool) -> Result<PamCon
         "su"
     };
     let use_stdin = true;
-    let mut pam = PamContext::new_cli("su", context, use_stdin, false, false, false, Some(user))?;
+    let mut pam = PamContext::new_cli(
+        "su",
+        context,
+        use_stdin,
+        false,
+        false,
+        false,
+        None,
+        Some(user),
+    )?;
     pam.set_requesting_user(requesting_user)?;
 
     // attempt to set the TTY this session is communicating on

src/sudo/pam.rs

@@ -4,14 +4,15 @@ use crate::common::context::LaunchType;
 use crate::common::error::Error;
 use crate::log::{dev_info, user_warn};
 use crate::pam::{PamContext, PamError, PamErrorType, PamResult};
-use crate::system::term::current_tty_name;
+use crate::system::{term::current_tty_name, time::Duration};
 
 pub(super) struct InitPamArgs<'a> {
     pub(super) launch: LaunchType,
     pub(super) use_stdin: bool,
     pub(super) bell: bool,
     pub(super) non_interactive: bool,
     pub(super) password_feedback: bool,
+    pub(super) password_timeout: Option<Duration>,
     pub(super) auth_prompt: Option<String>,
     pub(super) auth_user: &'a str,
     pub(super) requesting_user: &'a str,
@@ -26,6 +27,7 @@ pub(super) fn init_pam(
         bell,
         non_interactive,
         password_feedback,
+        password_timeout,
         auth_prompt,
         auth_user,
         requesting_user,
@@ -44,6 +46,7 @@ pub(super) fn init_pam(
         bell,
         non_interactive,
         password_feedback,
+        password_timeout,
         Some(auth_user),
     )?;
     pam.mark_silent(matches!(launch, LaunchType::Direct));

src/sudo/pipeline.rs

@@ -149,6 +149,7 @@ fn auth_and_update_record_file(
         must_authenticate,
         prior_validity,
         allowed_attempts,
+        password_timeout,
         ref credential,
         pwfeedback,
     }: Authentication,
@@ -178,6 +179,7 @@ fn auth_and_update_record_file(
         bell: context.bell,
         non_interactive: context.non_interactive,
         password_feedback: pwfeedback,
+        password_timeout,
         auth_prompt: context.prompt.clone(),
         auth_user: &auth_user.name,
         requesting_user: &context.current_user.name,