mirror of
https://github.com/veracrypt/VeraCrypt.git
synced 2026-06-09 21:22:41 +00:00
Unix: add doas elevation support
Prefer sudo when available and fall back to doas on Unix. Run doas authentication through a PTY while keeping service communication on stdin/stdout pipes, and use a no-fork service mode for the doas path. Keep doas authentication terminal descriptors close-on-exec and close the slave descriptor after attaching it as the controlling terminal. Preserve startup diagnostics through stderr until service synchronization completes, then redirect no-fork service stderr away from the closed parent pipe. Use noninteractive privilege-helper auth checks for both sudo and doas so cached, nopass, or persisted sessions do not need an unnecessary VeraCrypt password prompt. Keep the PTY password path for doas when authentication is required. Use a shared Unix DOAS_USER helper for FUSE and mount ownership, backed by getpwnam_r and guarded so non-OpenBSD platforms only trust it for VeraCrypt's internal doas no-fork service path. Detach asynchronous child-reaper threads to avoid leaking joinable pthread handles.
This commit is contained in:
@@ -21,14 +21,12 @@
|
||||
#ifdef TC_LINUX
|
||||
#include <sys/utsname.h>
|
||||
#endif
|
||||
#ifdef TC_OPENBSD
|
||||
#include <pwd.h>
|
||||
#endif
|
||||
#include <stdio.h>
|
||||
#include <unistd.h>
|
||||
#include "Platform/FileStream.h"
|
||||
#include "Platform/MemoryStream.h"
|
||||
#include "Platform/SystemLog.h"
|
||||
#include "Core/Unix/UnixUser.h"
|
||||
#include "Driver/Fuse/FuseService.h"
|
||||
#include "Volume/VolumePasswordCache.h"
|
||||
|
||||
@@ -43,26 +41,6 @@ namespace VeraCrypt
|
||||
static bool SamePath (const string& path1, const string& path2);
|
||||
#endif
|
||||
|
||||
#ifdef TC_OPENBSD
|
||||
static bool GetDoasUserIds (uid_t *uid, gid_t *gid)
|
||||
{
|
||||
const char *env = getenv ("DOAS_USER");
|
||||
if (!env || !env[0])
|
||||
return false;
|
||||
|
||||
struct passwd *pw = getpwnam (env);
|
||||
if (!pw)
|
||||
return false;
|
||||
|
||||
if (uid)
|
||||
*uid = pw->pw_uid;
|
||||
if (gid)
|
||||
*gid = pw->pw_gid;
|
||||
|
||||
return true;
|
||||
}
|
||||
#endif
|
||||
|
||||
// Struct to hold terminal emulator information
|
||||
struct TerminalInfo {
|
||||
const char* name;
|
||||
@@ -657,11 +635,9 @@ namespace VeraCrypt
|
||||
catch (...) { }
|
||||
}
|
||||
|
||||
#ifdef TC_OPENBSD
|
||||
gid_t doasGid;
|
||||
if (GetDoasUserIds (nullptr, &doasGid))
|
||||
return doasGid;
|
||||
#endif
|
||||
|
||||
return getgid();
|
||||
}
|
||||
@@ -679,11 +655,9 @@ namespace VeraCrypt
|
||||
catch (...) { }
|
||||
}
|
||||
|
||||
#ifdef TC_OPENBSD
|
||||
uid_t doasUid;
|
||||
if (GetDoasUserIds (&doasUid, nullptr))
|
||||
return doasUid;
|
||||
#endif
|
||||
|
||||
return getuid();
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user