diff options
| author | Mattias Andrée <maandree@operamail.com> | 2013-11-03 07:23:21 +0100 | 
|---|---|---|
| committer | Mattias Andrée <maandree@operamail.com> | 2013-11-03 07:23:21 +0100 | 
| commit | e275a3418a290576210270b291bbca4e2fc53e3b (patch) | |
| tree | e6a4129ff9cebfc33237b4adadd83427a3c83dd5 /src | |
| parent | missed staging (diff) | |
| download | libpassphrase-e275a3418a290576210270b291bbca4e2fc53e3b.tar.gz libpassphrase-e275a3418a290576210270b291bbca4e2fc53e3b.tar.bz2 libpassphrase-e275a3418a290576210270b291bbca4e2fc53e3b.tar.xz | |
secure the tty
Signed-off-by: Mattias Andrée <maandree@operamail.com>
Diffstat (limited to 'src')
| -rw-r--r-- | src/cerberus.c | 4 | ||||
| -rw-r--r-- | src/cerberus.h | 1 | ||||
| -rw-r--r-- | src/security.c | 82 | ||||
| -rw-r--r-- | src/security.h | 30 | 
4 files changed, 117 insertions, 0 deletions
| diff --git a/src/cerberus.c b/src/cerberus.c index 5b69a81..76a2f74 100644 --- a/src/cerberus.c +++ b/src/cerberus.c @@ -125,6 +125,10 @@ int main(int argc, char** argv)    alarm(TIMEOUT_SECONDS); +  /* Make sure nopony is spying */ +  secure_tty(); +   +      /* Get the passphrase, if -f has not been used */    if (skip_auth == 0)      { diff --git a/src/cerberus.h b/src/cerberus.h index 566e149..aeb41c2 100644 --- a/src/cerberus.h +++ b/src/cerberus.h @@ -22,4 +22,5 @@  #include "passphrase.h"  #include "quit.h" +#include "security.h" diff --git a/src/security.c b/src/security.c new file mode 100644 index 0000000..04ec33d --- /dev/null +++ b/src/security.c @@ -0,0 +1,82 @@ +/** + * cerberus – Minimal login program + *  + * Copyright © 2013  Mattias Andrée (maandree@member.fsf.org) + *  + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + *  + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the + * GNU General Public License for more details. + *  + * You should have received a copy of the GNU General Public License + * along with this program.  If not, see <http://www.gnu.org/licenses/>. + */ +#include "security.h" + + +#ifndef TTY_PERM +#define TTY_PERM  0600 +#endif + +#ifndef FAILURE_SLEEP +#define FAILURE_SLEEP  5 +#endif + + +#define fail(FUNC)  ({ perror(#FUNC); sleep(FAILURE_SLEEP); _exit(1); }) + + + +/** + * Secure the TTY from spying + */ +void secure_tty(void) /* TODO /dev/vcs[a][0-9]+ */ +{ +  struct termios tty; +  struct termios saved_tty; +  char* tty_device; +  int fd, i; +   +  /* Take owner ship of this TTY */ +  if (fchown(STDIN_FILENO, 0, 0)) +    fail(fchown); +   +  /* Restrict others from using this TTY */ +  if (fchmod(STDIN_FILENO, TTY_PERM)) +    fail(fchmod); +   +  /* Get TTY name for last part of this functions */ +  tty_device = ttyname(STDIN_FILENO); +   +  /* Kill other processes on this TTY */ +  tcgetattr(STDIN_FILENO, &tty); +  saved_tty = tty; +  tty.c_cflag &= ~HUPCL; +  tcsetattr(0, TCSANOW, &tty); +  close(STDIN_FILENO); +  close(STDOUT_FILENO); +  close(STDERR_FILENO); +  signal(SIGHUP, SIG_IGN); +  vhangup(); +  signal(SIGHUP, SIG_DFL); +   +  /* Restore terminal and TTY modes */ +  fd = open(tty_device, O_RDWR | O_NONBLOCK); +  if (fd == -1) +    fail(open); +  fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) & ~O_NONBLOCK); +  for (i = 0; i < fd; i++) +    close(i); +  for (i = 0; i < 3; i++) +    if (i != fd) +      dup2(fd, i); +  if (fd > 2) +    close(fd); +  tcgetattr(STDIN_FILENO, &saved_tty); +} + diff --git a/src/security.h b/src/security.h new file mode 100644 index 0000000..9c7804d --- /dev/null +++ b/src/security.h @@ -0,0 +1,30 @@ +/** + * cerberus – Minimal login program + *  + * Copyright © 2013  Mattias Andrée (maandree@member.fsf.org) + *  + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + *  + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the + * GNU General Public License for more details. + *  + * You should have received a copy of the GNU General Public License + * along with this program.  If not, see <http://www.gnu.org/licenses/>. + */ +#include <unistd.h> +#include <sys/stat.h> +#include <stdio.h> +#include <termios.h> +#include <fcntl.h> + + +/** + * Secure the TTY from spying + */ +void secure_tty(void); + | 
