Date: Mon, 15 Jul 2002 02:34:56 +0000 From: Dima Dorfman <dima@trit.org> To: audit@freebsd.org Subject: lock(1) -v (was: VT_LOCKSWITCH) Message-ID: <20020715023456.483403E1A@turbine.trit.org>
Anybody care to review this patch? I'd rather not commit unreviewed
changes to a setuid root program.
Thanks.
I wrote:
> Sheldon Hearn <sheldonh@starjuice.net> wrote:
> >
> >
> > On Tue, 28 May 2002 08:54:20 GMT, Dima Dorfman wrote:
> >
> > > The attached patch adds an -S option to vidcontrol(1) that allows the
> > > user to disallow vty switching. It is implemented using a new
> > > VT_LOCKSWITCH ioctl.
> >
> > Ooo! Ooo! This is nice.
> >
> > If you're up to it, I'd love to see the same functionality available as
> > an extension to lock(1). Imagine the convenience of being able to type
> >
> > lock -npS
> >
> > on just one terminal and not have to worry about the rest!
>
> Sounds nice. How about the following patch? I really tried to keep
> the not-directly-related changes to a minimum, but it was difficult
> (lock(1) is so small and simple, but so lacking in polish!) (I did
> refrain from fixing anything that I wasn't already going to change,
> though, so the diff shouldn't be significantly harder to read).
>
> Note also that lock(1) is installed setuid root (for -p), so please
> review accordingly (even though none of the new code runs as root).
>
> Thanks,
>
> Dima.
Index: lock.1
===================================================================
RCS file: /home/ncvs/src/usr.bin/lock/lock.1,v
retrieving revision 1.7
diff -u -r1.7 lock.1
--- lock.1 20 Apr 2002 12:15:20 -0000 1.7
+++ lock.1 10 Jul 2002 04:54:50 -0000
@@ -32,7 +32,7 @@
.\" @(#)lock.1 8.1 (Berkeley) 6/6/93
.\" $FreeBSD$
.\"
-.Dd June 6, 1993
+.Dd July 10, 2002
.Dt LOCK 1
.Os
.Sh NAME
@@ -40,8 +40,7 @@
.Nd reserve a terminal
.Sh SYNOPSIS
.Nm
-.Op Fl n
-.Op Fl p
+.Op Fl npv
.Op Fl t Ar timeout
.Sh DESCRIPTION
The
@@ -65,6 +64,15 @@
The time limit (default 15 minutes) is changed to
.Ar timeout
minutes.
+.It Fl v
+Disable switching virtual terminals while this terminal is locked.
+This option is implemented in a way similar to the
+.Fl S
+option of
+.Xr vidcontrol 1 ,
+and is only available if the terminal in question is a
+.Xr syscons 4
+virtual terminal.
.El
.Sh HISTORY
The
Index: lock.c
===================================================================
RCS file: /home/ncvs/src/usr.bin/lock/lock.c,v
retrieving revision 1.13
diff -u -r1.13 lock.c
--- lock.c 10 Jul 2002 04:05:33 -0000 1.13
+++ lock.c 10 Jul 2002 04:54:50 -0000
@@ -60,6 +60,7 @@
#include <sys/stat.h>
#include <sys/time.h>
#include <sys/signal.h>
+#include <sys/consio.h>
#include <err.h>
#include <ctype.h>
#include <pwd.h>
@@ -83,6 +84,7 @@
struct sgttyb tty, ntty;
long nexttime; /* keep the timeout time */
int no_timeout; /* lock terminal forever */
+int vtyunlock; /* Unlock flag and code. */
/*ARGSUSED*/
int
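Review bot: The comment on the new `vtyunlock` global does not say what its values mean, and the `0x2` stored into it later in the patch is an unexplained magic number. Something like `/* 0 until the vty is switch-locked; afterwards the VT_LOCKSWITCH argument that releases it on exit */` would let a reader of this setuid program see why the exit paths test the variable and then pass its address to the ioctl. If `<sys/consio.h>` provides no named constants for the lock and unlock arguments, that comment is also the place to say so.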
@@ -95,7 +97,7 @@
time_t timval_sec;
struct itimerval ntimer, otimer;
struct tm *timp;
- int ch, failures, sectimeout, usemine;
+ int ch, failures, sectimeout, usemine, vtylock;
char *ap, *mypw, *ttynam, *tzn;
char hostname[MAXHOSTNAMELEN], s[BUFSIZ], s1[BUFSIZ];
@@ -105,7 +107,8 @@
mypw = NULL;
usemine = 0;
no_timeout = 0;
- while ((ch = getopt(argc, argv, "npt:")) != -1)
+ vtylock = 0;
+ while ((ch = getopt(argc, argv, "npt:v")) != -1)
switch((char)ch) {
case 't':
if ((sectimeout = atoi(optarg)) <= 0)
@@ -120,6 +123,9 @@
case 'n':
no_timeout = 1;
break;
+ case 'v':
+ vtylock = 1;
+ break;
case '?':
default:
usage();
@@ -177,15 +183,31 @@
ntimer.it_value = timeout;
if (!no_timeout)
setitimer(ITIMER_REAL, &ntimer, &otimer);
+ if (vtylock) {
+ /*
+ * If this failed, we want to err out; warn isn't good
+ * enough, since we don't want the user to think that
+ * everything is nice and locked because they got a
+ * "Key:" prompt.
+ */
+ if (ioctl(0, VT_LOCKSWITCH, &vtylock) == -1) {
+ (void)ioctl(0, TIOCSETP, &tty);
+ err(1, "locking vty");
+ }
+ vtyunlock = 0x2;
+ }
/* header info */
- if (no_timeout) {
-(void)printf("lock: %s on %s. no timeout\ntime now is %.20s%s%s",
- ttynam, hostname, ap, tzn, ap + 19);
- } else {
-(void)printf("lock: %s on %s. timeout in %d minutes\ntime now is %.20s%s%s",
- ttynam, hostname, sectimeout, ap, tzn, ap + 19);
- }
+ (void)printf("lock: %s on %s.", ttynam, hostname);
+ if (no_timeout)
+ (void)printf(" no timeout.");
+ else
+ (void)printf(" timeout in %d minute%s.", sectimeout,
+ sectimeout != 1 ? "s" : "");
+ if (vtylock)
+ (void)printf(" vty locked.");
+ (void)printf("\ntime now is %.20s%s%s", ap, tzn, ap + 19);
+
failures = 0;
for (;;) {
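Review bot: There is a window between the successful `VT_LOCKSWITCH` ioctl and the `vtyunlock = 0x2;` assignment in which the exit routines patched further down would leave vty switching disabled. Those routines only unlock when `vtyunlock` is non-zero, and the interval timer is already armed by the `setitimer` call just above; any other handlers would be installed outside this hunk. If one of those routines runs as a signal handler inside that window, the process exits with the console still locked and nothing left to release it. Holding signals across the ioctl and the assignment closes the gap. The same state also survives any exit that bypasses those routines (an uncatchable kill, for instance), which deserves a sentence in lock.1. The enclosing function starts and ends outside the hunk.

```c
	if (vtylock) {
		sigset_t blk, old;

		/* Hold signals so no handler can exit between the lock and the flag. */
		(void)sigfillset(&blk);
		(void)sigprocmask(SIG_BLOCK, &blk, &old);
		/* … unchanged: VT_LOCKSWITCH ioctl and its err(1) failure path … */
		vtyunlock = 0x2;
		(void)sigprocmask(SIG_SETMASK, &old, NULL);
	}
```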
@@ -222,7 +244,7 @@
static void
usage()
{
- (void)fprintf(stderr, "usage: lock [-n] [-p] [-t timeout]\n");
+ (void)fprintf(stderr, "usage: lock [-npv] [-t timeout]\n");
exit(1);
}
@@ -248,6 +270,8 @@
{
(void)putchar('\n');
(void)ioctl(0, TIOCSETP, &tty);
+ if (vtyunlock)
+ (void)ioctl(0, VT_LOCKSWITCH, &vtyunlock);
exit(0);
}
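Review bot: The unlock ioctl's result is discarded here and in the timeout routine in the next hunk, so a failed unlock leaves vty switching disabled with no indication to the user. Reporting it is cheap, e.g. `if (vtyunlock && ioctl(0, VT_LOCKSWITCH, &vtyunlock) == -1) warn("unlocking vty");`, provided this routine is not reached from a signal handler where `warn` would be unsafe; that is not visible in the hunk. The unlock is also unconditional: if switching was already disabled before `lock -v` ran (for example by `vidcontrol -S`), exiting lock would presumably re-enable it, which is worth confirming and documenting.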
@@ -256,6 +280,8 @@
{
if (!no_timeout) {
(void)ioctl(0, TIOCSETP, &tty);
+ if (vtyunlock)
+ (void)ioctl(0, VT_LOCKSWITCH, &vtyunlock);
(void)printf("lock: timeout\n");
exit(1);
}
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-audit" in the body of the message
