-rw-r--r-- | configurable-definitions | 5 | ||||
-rw-r--r-- | src/cerberus.c | 17 | ||||
-rw-r--r-- | src/cerberus.h | 3 | ||||
-rw-r--r-- | src/security.c | 8 | ||||
-rw-r--r-- | src/security.h | 4 |
5 files changed, 32 insertions, 5 deletions
diff --git a/configurable-definitions b/configurable-definitions
index a26a551..751e192 100644
--- a/configurable-definitions
+++ b/configurable-definitions
@@ -3,6 +3,11 @@ TTY_PERM (default: 0600, type: int)
   Mode for TTY devices
+USE_TTY_GROUP (default: undefinied, type: #ifdef)
+
+  Use the group tty for group ownership of TTY devices
+
+
 FAILURE_SLEEP (default: 5, type: float)
   Number of seconds to sleep on login failure.
diff --git a/src/cerberus.c b/src/cerberus.c
index 2199d7b..e3f3f95 100644
--- a/src/cerberus.c
+++ b/src/cerberus.c
@@ -19,6 +19,11 @@
 #include "cerberus.h"
+#ifndef USE_TTY_GROUP
+#define tty_group 0
+#endif
+
+
 /**
  * Mane method
  *
@@ -33,6 +38,10 @@ int main(int argc, char** argv)
   char* passphrase = NULL;
   char preserve_env = 0;
   char skip_auth = 0;
+  #ifdef USE_TTY_GROUP
+  gid_t tty_group = 0;
+  struct group* group;
+  #endif
   struct passwd* entry;
@@ -117,7 +126,11 @@ int main(int argc, char** argv)
   /* Make sure nopony is spying */
-  secure_tty();
+  #ifdef USE_TTY_GROUP
+  if ((group = getgrnam("tty")))
+    tty_group = group->gr_gid;
+  #endif
+  secure_tty(tty_group);
   /* Set up clean quiting and time out */
@@ -170,7 +183,7 @@ int main(int argc, char** argv)
   /* Reset terminal ownership and mode */
-  chown_tty(0, -1, 0);
+  chown_tty(0, tty_group, 0);
   return 0;
 }
diff --git a/src/cerberus.h b/src/cerberus.h
index 1dbd029..4f7b7b9 100644
--- a/src/cerberus.h
+++ b/src/cerberus.h
@@ -21,6 +21,9 @@
 #include <signal.h>
 #include <pwd.h>
 #include <errno.h>
+#ifdef USE_TTY_GROUP
+#include <grp.h>
+#endif
 #include "passphrase.h"
 #include "quit.h"
diff --git a/src/security.c b/src/security.c
index af7df30..1e1dd9e 100644
--- a/src/security.c
+++ b/src/security.c
@@ -29,8 +29,10 @@ static inline void fail(char* str)
 /**
  * Secure the TTY from spying
+ *
+ * @param group The group, -1 for unchanged
  */
-void secure_tty(void)
+void secure_tty(gid_t group)
 {
   struct termios tty;
   struct termios saved_tty;
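Review bot: In the `@@ -117,7 +126,11 @@` hunk of src/cerberus.c, when `getgrnam("tty")` returns NULL the local `tty_group` keeps its initial value 0, so `secure_tty(tty_group)` and the later `chown_tty(0, tty_group, 0)` set the TTY group to root (gid 0) rather than leaving it unchanged; the `#define tty_group 0` in the `@@ -19,6 +19,11 @@` hunk does the same unconditionally when USE_TTY_GROUP is off. Both silently replace the `-1` ("unchanged") argument the removed calls passed and that the new `@param group` comment in src/security.c still promises. Initialise the fallback to the unchanged sentinel instead: `#define tty_group ((gid_t)-1)` and `gid_t tty_group = (gid_t)-1;`. A lower-case macro spelled exactly like the local variable also hides which of the two a reader is looking at; a single default such as `TTY_GROUP_DEFAULT` used by both configurations would be clearer. main's body starts and ends outside these hunks.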
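Review bot: The new `@param group The group, -1 for unchanged` line in the `@@ -29,8 +29,10 @@` hunk of src/security.c documents a negative sentinel for a `gid_t` parameter, which is an unsigned type on common platforms, so the value callers actually have to pass is `(gid_t)-1`, the value fchown() treats as "leave unchanged". Spell that out so callers do not pass a plain literal: `@param group The group, (gid_t)-1 to leave it unchanged`. The same comment is added in the src/security.h hunk and should be changed there too. secure_tty's body continues past this hunk.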
@@ -38,7 +40,7 @@ void secure_tty(void)
   int fd, i;
   /* Set ownership of this TTY to root:root */
-  chown_tty(0, -1, 1);
+  chown_tty(0, group, 1);
   /* Get TTY name for last part of this functions */
   tty_device = ttyname(STDIN_FILENO);
@@ -80,7 +82,9 @@ void secure_tty(void)
  */
 void chown_tty(uid_t owner, gid_t group, int with_fail)
 {
+  #if defined(OWN_VCSA) || defined(OWN_VCS)
   struct vt_stat vtstat;
+  #endif
   /* Set ownership of this TTY */
   if (fchown(STDIN_FILENO, owner, group) && with_fail)
diff --git a/src/security.h b/src/security.h
index b16ef1b..5e291ff 100644
--- a/src/security.h
+++ b/src/security.h
@@ -38,8 +38,10 @@
 /**
  * Secure the TTY from spying
+ *
+ * @param group The group, -1 for unchanged
  */
-void secure_tty(void);
+void secure_tty(gid_t group);
 /**
  * Set ownership and mode of the TTY
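Review bot: The comment `/* Set ownership of this TTY to root:root */` directly above the changed `chown_tty(0, group, 1);` call in the `@@ -38,7 +40,7 @@` hunk of src/security.c is now wrong whenever the caller passes a real group id, since the group is no longer fixed. Update it to match the new contract: `/* Set ownership of this TTY to root:<group> (group left unchanged when (gid_t)-1) */`. secure_tty's body starts and ends outside this hunk.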