sudo: Implement passwd_timeout

Author: MggMuggins

src/defaults/mod.rs

@@ -52,6 +52,7 @@ defaults! {
 
     verifypw                  = all (!= never) [all, always, any, never] #ignored
 
+    passwd_timeout            = (5*60) (!= 0) {fractional_minutes}
     timestamp_timeout         = (15*60) (!= 0) {fractional_minutes}
 
     env_keep                  = ["COLORS", "DISPLAY", "HOSTNAME", "KRB5CCNAME", "LS_COLORS", "PATH",

src/pam/converse.rs

@@ -1,6 +1,7 @@
 use std::io;
 
 use crate::cutils::string_from_ptr;
+use crate::system::time::Duration;
 
 use super::sys::*;
 
@@ -100,6 +101,7 @@ pub struct CLIConverser {
     pub(super) use_stdin: bool,
     pub(super) bell: bool,
     pub(super) password_feedback: bool,
+    pub(super) password_timeout: Option<Duration>,
 }
 
 use rpassword::Terminal;
@@ -128,9 +130,9 @@ impl Converser for CLIConverser {
         }
         tty.prompt(msg)?;
         if self.password_feedback {
-            tty.read_password_with_feedback()
+            tty.read_password_with_feedback(self.password_timeout)
         } else {
-            tty.read_password()
+            tty.read_password(self.password_timeout)
         }
         .map_err(|err| {
             if let io::ErrorKind::TimedOut = err.kind() {

src/pam/mod.rs

@@ -6,6 +6,8 @@ use std::{
     ptr::NonNull,
 };
 
+use crate::system::time::Duration;
+
 use converse::ConverserData;
 use error::pam_err;
 pub use error::{PamError, PamErrorType, PamResult};
@@ -43,20 +45,23 @@ impl PamContext {
     /// username.
     ///
     /// This function will error when initialization of the PAM session somehow failed.
+    #[allow(clippy::too_many_arguments)]
     pub fn new_cli(
         converser_name: &str,
         service_name: &str,
         use_stdin: bool,
         bell: bool,
         no_interact: bool,
         password_feedback: bool,
+        password_timeout: Option<Duration>,
         target_user: Option<&str>,
     ) -> PamResult<PamContext> {
         let converser = CLIConverser {
             bell,
             name: converser_name.to_owned(),
             use_stdin,
             password_feedback,
+            password_timeout,
         };
 
         let c_service_name = CString::new(service_name)?;

src/pam/rpassword.rs

@@ -262,24 +262,27 @@ impl Terminal<'_> {
     }
 
     /// Reads input with TTY echo disabled
-    pub fn read_password(&mut self) -> io::Result<PamBuffer> {
-        let mut input = self.source_timeout(None);
+    pub fn read_password(&mut self, timeout: Option<Duration>) -> io::Result<PamBuffer> {
+        let mut input = self.source_timeout(timeout);
         let _hide_input = HiddenInput::new(false)?;
         read_unbuffered(&mut input)
     }
 
     /// Reads input with TTY echo disabled, but do provide visual feedback while typing.
-    pub fn read_password_with_feedback(&mut self) -> io::Result<PamBuffer> {
+    pub fn read_password_with_feedback(
+        &mut self,
+        timeout: Option<Duration>,
+    ) -> io::Result<PamBuffer> {
         match (HiddenInput::new(true)?, self) {
             (Some(hide_input), Terminal::StdIE(stdin, stdout)) => {
-                let mut reader = TimeoutRead::new(stdin.as_fd(), None);
+                let mut reader = TimeoutRead::new(stdin.as_fd(), timeout);
                 read_unbuffered_with_feedback(&mut reader, stdout, &hide_input)
             }
             (Some(hide_input), Terminal::Tty(file)) => {
-                let mut reader = TimeoutRead::new(file.as_fd(), None);
+                let mut reader = TimeoutRead::new(file.as_fd(), timeout);
                 read_unbuffered_with_feedback(&mut reader, &mut &*file, &hide_input)
             }
-            (None, term) => read_unbuffered(&mut term.source_timeout(None)),
+            (None, term) => read_unbuffered(&mut term.source_timeout(timeout)),
         }
     }
 

src/su/mod.rs

@@ -29,7 +29,16 @@ fn authenticate(requesting_user: &str, user: &str, login: bool) -> Result<PamCon
         "su"
     };
     let use_stdin = true;
-    let mut pam = PamContext::new_cli("su", context, use_stdin, false, false, false, Some(user))?;
+    let mut pam = PamContext::new_cli(
+        "su",
+        context,
+        use_stdin,
+        false,
+        false,
+        false,
+        None,
+        Some(user),
+    )?;
     pam.set_requesting_user(requesting_user)?;
 
     // attempt to set the TTY this session is communicating on

src/sudo/pam.rs

@@ -4,14 +4,15 @@ use crate::common::context::LaunchType;
 use crate::common::error::Error;
 use crate::log::{dev_info, user_warn};
 use crate::pam::{PamContext, PamError, PamErrorType, PamResult};
-use crate::system::term::current_tty_name;
+use crate::system::{term::current_tty_name, time::Duration};
 
 pub(super) struct InitPamArgs<'a> {
     pub(super) launch: LaunchType,
     pub(super) use_stdin: bool,
     pub(super) bell: bool,
     pub(super) non_interactive: bool,
     pub(super) password_feedback: bool,
+    pub(super) password_timeout: Option<Duration>,
     pub(super) auth_prompt: Option<String>,
     pub(super) auth_user: &'a str,
     pub(super) requesting_user: &'a str,
@@ -26,6 +27,7 @@ pub(super) fn init_pam(
         bell,
         non_interactive,
         password_feedback,
+        password_timeout,
         auth_prompt,
         auth_user,
         requesting_user,
@@ -44,6 +46,7 @@ pub(super) fn init_pam(
         bell,
         non_interactive,
         password_feedback,
+        password_timeout,
         Some(auth_user),
     )?;
     pam.mark_silent(matches!(launch, LaunchType::Direct));

src/sudo/pipeline.rs

@@ -149,6 +149,7 @@ fn auth_and_update_record_file(
         must_authenticate,
         prior_validity,
         allowed_attempts,
+        password_timeout,
         ref credential,
         pwfeedback,
     }: Authentication,
@@ -178,6 +179,7 @@ fn auth_and_update_record_file(
         bell: context.bell,
         non_interactive: context.non_interactive,
         password_feedback: pwfeedback,
+        password_timeout,
         auth_prompt: context.prompt.clone(),
         auth_user: &auth_user.name,
         requesting_user: &context.current_user.name,

src/sudoers/policy.rs

@@ -30,6 +30,7 @@ pub struct Authentication {
     pub allowed_attempts: u16,
     pub prior_validity: Duration,
     pub pwfeedback: bool,
+    pub password_timeout: Option<Duration>,
 }
 
 impl super::Settings {
@@ -39,6 +40,10 @@ impl super::Settings {
             allowed_attempts: self.passwd_tries().try_into().unwrap(),
             prior_validity: Duration::seconds(self.timestamp_timeout()),
             pwfeedback: self.pwfeedback(),
+            password_timeout: match self.passwd_timeout() {
+                0 => None,
+                timeout => Some(Duration::seconds(timeout)),
+            },
             credential: if self.rootpw() {
                 AuthenticatingUser::Root
             } else if self.targetpw() {
@@ -183,6 +188,7 @@ mod test {
                 prior_validity: Duration::minutes(15),
                 credential: AuthenticatingUser::InvokingUser,
                 pwfeedback: false,
+                password_timeout: Some(Duration::seconds(300)),
             },
         );
 
@@ -199,6 +205,7 @@ mod test {
                 prior_validity: Duration::minutes(15),
                 credential: AuthenticatingUser::InvokingUser,
                 pwfeedback: false,
+                password_timeout: Some(Duration::seconds(300)),
             },
         );
         assert_eq!(restrictions, restrictions2);