Implement askpass support

bjorn3 · bjorn3 · commit a167ef07da2b · 2025-12-02T09:38:31.000+01:00
diff --git a/src/pam/askpass.rs b/src/pam/askpass.rs
@@ -0,0 +1,58 @@
+use std::os::fd::{FromRawFd, OwnedFd};
+use std::os::unix::process::CommandExt;
+use std::path::Path;
+use std::process::Command;
+use std::{io, process};
+
+use libc::O_CLOEXEC;
+
+use crate::cutils::cerr;
+use crate::system::interface::ProcessId;
+use crate::system::{fork, mark_fds_as_cloexec, ForkResult};
+
+pub(super) fn spawn_askpass(program: &Path, prompt: &str) -> io::Result<(ProcessId, OwnedFd)> {
+    // Create socket
+    let mut pipes = [-1, -1];
+    // SAFETY: A valid pointer to a mutable array of 2 fds is passed in.
+    unsafe {
+        cerr(libc::pipe2(pipes.as_mut_ptr(), O_CLOEXEC))?;
+    }
+    // SAFETY: pipe2 created two owned pipe fds
+    let (pipe_read, pipe_write) = unsafe {
+        (
+            OwnedFd::from_raw_fd(pipes[0]),
+            OwnedFd::from_raw_fd(pipes[1]),
+        )
+    };
+
+    // Spawn child
+    // SAFETY: There should be no other threads at this point.
+    let ForkResult::Parent(command_pid) = unsafe { fork() }.unwrap() else {
+        drop(pipe_read);
+        handle_child(program, prompt, pipe_write)
+    };
+    drop(pipe_write);
+
+    Ok((command_pid, pipe_read))
+}
+
+fn handle_child(program: &Path, prompt: &str, stdout: OwnedFd) -> ! {
+    // Drop root privileges.
+    // SAFETY: setuid does not change any memory and only affects OS state.
+    unsafe {
+        libc::setuid(libc::getuid());
+    }
+
+    if let Err(e) = mark_fds_as_cloexec() {
+        eprintln_ignore_io_error!("Failed to mark fds as CLOEXEC: {e}");
+        process::exit(1);
+    };
+
+    // Exec askpass program
+    let error = Command::new(program).arg(prompt).stdout(stdout).exec();
+    eprintln_ignore_io_error!(
+        "Failed to run askpass program {}: {error}",
+        program.display()
+    );
+    process::exit(1);
+}
diff --git a/src/pam/converse.rs b/src/pam/converse.rs
@@ -129,7 +129,9 @@ impl Drop for SignalGuard {
 
 impl CLIConverser {
     fn open(&self) -> PamResult<(Terminal<'_>, SignalGuard)> {
-        let term = if self.use_stdin {
+        let term = if self.use_askpass {
+            Terminal::open_askpass()?
+        } else if self.use_stdin {
             Terminal::open_stdie()?
         } else {
             Terminal::open_tty()?
diff --git a/src/pam/error.rs b/src/pam/error.rs
@@ -1,5 +1,6 @@
 use std::ffi::{c_int, NulError};
 use std::fmt;
+use std::path::PathBuf;
 use std::str::Utf8Error;
 
 use crate::cutils::string_from_ptr;
@@ -182,6 +183,8 @@ pub enum PamError {
     IncorrectPasswordAttempt,
     TimedOut,
     InvalidUser(String, String),
+    NoAskpassProgram,
+    InvalidAskpassProgram(PathBuf),
 }
 
 impl From<std::io::Error> for PamError {
@@ -238,6 +241,14 @@ impl fmt::Display for PamError {
                     "Sorry, user {username} is not allowed to authenticate as {other_user}.",
                 )
             }
+            PamError::NoAskpassProgram => write!(f, "No askpass program specified in SUDO_ASKPASS"),
+            PamError::InvalidAskpassProgram(program) => {
+                write!(
+                    f,
+                    "Askpass program `{}` is not absolute path",
+                    program.display()
+                )
+            }
         }
     }
 }
diff --git a/src/pam/mod.rs b/src/pam/mod.rs
@@ -14,6 +14,7 @@ use error::pam_err;
 pub use error::{PamError, PamErrorType, PamResult};
 use sys::*;
 
+mod askpass;
 mod converse;
 mod error;
 mod rpassword;
diff --git a/src/pam/rpassword.rs b/src/pam/rpassword.rs
@@ -16,13 +16,15 @@
 use std::ffi::c_void;
 use std::io::{self, ErrorKind, Read};
 use std::os::fd::{AsFd, AsRawFd, BorrowedFd};
+use std::path::PathBuf;
 use std::time::{Duration, Instant};
 use std::{fs, mem};
 
 use libc::{tcsetattr, termios, ECHO, ECHONL, ICANON, TCSANOW, VEOF, VERASE, VKILL};
 
 use crate::cutils::{cerr, safe_isatty};
-use crate::pam::{PamError, PamResult};
+use crate::pam::{askpass, PamError, PamResult};
+use crate::system::wait::{Wait, WaitError, WaitOptions};
 
 use super::securemem::PamBuffer;
 
@@ -253,6 +255,7 @@ impl io::Read for TimeoutRead<'_> {
 pub enum Terminal<'a> {
     Tty(fs::File),
     StdIE(io::StdinLock<'a>, io::StderrLock<'a>),
+    Askpass(PathBuf, io::Sink),
 }
 
 impl Terminal<'_> {
@@ -274,6 +277,19 @@ impl Terminal<'_> {
         Ok(Terminal::StdIE(io::stdin().lock(), io::stderr().lock()))
     }
 
+    pub fn open_askpass() -> PamResult<Self> {
+        let Some(program) = std::env::var_os("SUDO_ASKPASS") else {
+            return Err(PamError::NoAskpassProgram);
+        };
+        let program = PathBuf::from(program);
+
+        if program.is_absolute() {
+            Ok(Terminal::Askpass(program, io::sink()))
+        } else {
+            Err(PamError::InvalidAskpassProgram(program))
+        }
+    }
+
     /// Reads input with TTY echo and visual feedback set according to the `hidden` parameter.
     pub(super) fn read_input(
         &mut self,
@@ -310,6 +326,23 @@ impl Terminal<'_> {
                 let mut reader = TimeoutRead::new(file.as_fd(), timeout);
                 read_unbuffered(&mut reader, &mut &*file, &hide_input)
             }
+            Terminal::Askpass(program, sink) => {
+                let (command_pid, askpass_stdout) = askpass::spawn_askpass(program, prompt)?;
+
+                let mut reader = TimeoutRead::new(askpass_stdout.as_fd(), timeout);
+                let password = read_unbuffered(&mut reader, sink, &Hidden::No)?;
+
+                loop {
+                    match command_pid.wait(WaitOptions::new()) {
+                        Ok(_) => break,
+                        Err(WaitError::Io(err)) if err.kind() == io::ErrorKind::Interrupted => {}
+                        Err(WaitError::Io(err)) => return Err(PamError::IoError(err)),
+                        Err(WaitError::NotReady) => unreachable!(),
+                    }
+                }
+
+                Ok(password)
+            }
         }
     }
 
@@ -329,6 +362,7 @@ impl Terminal<'_> {
         match self {
             Terminal::StdIE(_, x) => x,
             Terminal::Tty(x) => x,
+            Terminal::Askpass(_, x) => x,
         }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,6 @@`
`1`	`1`	`use std::ffi::{c_int, NulError};`
`2`	`2`	`use std::fmt;`
	`3`	`+use std::path::PathBuf;`
`3`	`4`	`use std::str::Utf8Error;`
`4`	`5`
`5`	`6`	`use crate::cutils::string_from_ptr;`
`@@ -182,6 +183,8 @@ pub enum PamError {`
`182`	`183`	`IncorrectPasswordAttempt,`
`183`	`184`	`TimedOut,`
`184`	`185`	`InvalidUser(String, String),`
	`186`	`+ NoAskpassProgram,`
	`187`	`+ InvalidAskpassProgram(PathBuf),`
`185`	`188`	`}`
`186`	`189`
`187`	`190`	`impl From<std::io::Error> for PamError {`
`@@ -238,6 +241,14 @@ impl fmt::Display for PamError {`
`238`	`241`	`"Sorry, user {username} is not allowed to authenticate as {other_user}.",`
`239`	`242`	`)`
`240`	`243`	`}`
	`244`	`+ PamError::NoAskpassProgram => write!(f, "No askpass program specified in SUDO_ASKPASS"),`
	`245`	`+ PamError::InvalidAskpassProgram(program) => {`
	`246`	`+ write!(`
	`247`	`+ f,`
	`248`	+ "Askpass program `{}` is not absolute path",
	`249`	`+ program.display()`
	`250`	`+ )`
	`251`	`+ }`
`241`	`252`	`}`
`242`	`253`	`}`
`243`	`254`	`}`