VeraCrypt
aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMounir IDRASSI <mounir.idrassi@idrix.fr>2024-12-25 11:29:32 +0100
committerMounir IDRASSI <mounir.idrassi@idrix.fr>2024-12-25 11:29:32 +0100
commitca331b8b349cf1a42e6219d8733ae581199961fc (patch)
treeb04dce61a60a793c5b519b5cbb9754bb7b4c6c4e
parent341411e935621ee74e816cf83a149ce9cf1e6f9e (diff)
downloadVeraCrypt-ca331b8b349cf1a42e6219d8733ae581199961fc.tar.gz
VeraCrypt-ca331b8b349cf1a42e6219d8733ae581199961fc.zip
Linux/macOS: Simplify sudo session detection logic and extend it to macOS
This update simplifies the logic for detecting active sudo sessions by checking the exit code of the sudo -n -l command, which reliably returns 0 if a session is active. Additionally, this approach is now applicable to recent macOS versions, as they no longer have the sudo bug that previously prevented us from using this method.
-rw-r--r--src/Core/CoreBase.h4
-rw-r--r--src/Core/Unix/CoreService.cpp55
-rw-r--r--src/Main/CommandLineInterface.cpp4
-rw-r--r--src/Main/CommandLineInterface.h2
-rw-r--r--src/Main/UserInterface.cpp2
5 files changed, 23 insertions, 44 deletions
diff --git a/src/Core/CoreBase.h b/src/Core/CoreBase.h
index e646fce3..7f830336 100644
--- a/src/Core/CoreBase.h
+++ b/src/Core/CoreBase.h
@@ -76,12 +76,10 @@ namespace VeraCrypt
virtual void SetApplicationExecutablePath (const FilePath &path) { ApplicationExecutablePath = path; }
virtual void SetFileOwner (const FilesystemPath &path, const UserId &owner) const = 0;
virtual DirectoryPath SlotNumberToMountPoint (VolumeSlotNumber slotNumber) const = 0;
virtual void WipePasswordCache () const = 0;
-#if defined(TC_LINUX ) || defined (TC_FREEBSD)
virtual void ForceUseDummySudoPassword (bool useDummySudoPassword) { UseDummySudoPassword = useDummySudoPassword;}
virtual bool GetUseDummySudoPassword () const { return UseDummySudoPassword;}
-#endif
Event VolumeDismountedEvent;
Event VolumeMountedEvent;
Event WarningEvent;
@@ -90,11 +88,9 @@ namespace VeraCrypt
CoreBase ();
bool DeviceChangeInProgress;
FilePath ApplicationExecutablePath;
-#if defined(TC_LINUX ) || defined (TC_FREEBSD)
bool UseDummySudoPassword;
-#endif
private:
CoreBase (const CoreBase &);
CoreBase &operator= (const CoreBase &);
diff --git a/src/Core/Unix/CoreService.cpp b/src/Core/Unix/CoreService.cpp
index 6d0f05e5..e4b75dd3 100644
--- a/src/Core/Unix/CoreService.cpp
+++ b/src/Core/Unix/CoreService.cpp
@@ -291,43 +291,35 @@ namespace VeraCrypt
while (!ElevatedServiceAvailable)
{
// Test if the user has an active "sudo" session.
- // This is only done under Linux / FreeBSD by executing the command 'sudo -n uptime'.
- // In case a "sudo" session is active, the result of the command contains the string 'load average'.
- // Otherwise, the result contains "sudo: a password is required".
- // This may not work on all OSX versions because of a bug in sudo in its version 1.7.10,
- // therefore we keep the old behaviour of sending a 'dummy' password under OSX.
- // See : https://superuser.com/questions/902826/why-does-sudo-n-on-mac-os-x-always-return-0
- //
- // If for some reason we are getting empty output from pipe, we revert to old behavior
- // We also use the old way if the user is forcing the use of dummy password for sudo
-
-#if defined(TC_LINUX ) || defined (TC_FREEBSD)
bool authCheckDone = false;
if (!Core->GetUseDummySudoPassword ())
- {
- std::vector<char> buffer(128, 0);
- std::string result;
-
- FILE* pipe = popen("sudo -n uptime 2>&1 | grep 'load average' | wc -l | tr -d '[:blank:]'", "r"); // We redirect stderr to stdout (2>&1) to be able to catch the result of the command
+ {
+ // sudo man page: "If the -l option was specified without a command, sudo, will exit
+ // with a value of 0 if the user is allowed to run sudo, and they authenticated successfully"
+ // We are using -n to avoid prompting the user for a password.
+ // We are redirecting stderr to stdout and discarding both to avoid any output.
+ // This approach also works on newer macOS versions (12.0 and later).
+ FILE* pipe = popen("sudo -n -l > /dev/null 2>&1", "r"); // redirect stderr to stdout and discard both.
if (pipe)
{
- while (!feof(pipe))
- {
- if (fgets(buffer.data(), 128, pipe) != nullptr)
- result += buffer.data();
- }
-
- fflush(pipe);
- pclose(pipe);
+ // We only care about the exit code
+ char buf[128];
+ while (!feof(pipe))
+ {
+ if (fgets(buf, sizeof(buf), pipe) == NULL)
+ break;
+ }
+ int status = pclose(pipe);
pipe = NULL;
- if (!result.empty() && strlen(result.c_str()) != 0)
- {
- authCheckDone = true;
- if (result[0] == '0') // no line found with "load average" text, rerquest admin password
- (*AdminPasswordCallback) (request.AdminPassword);
+ authCheckDone = true;
+
+ // If exit code != 0, user does NOT have an active session => request password
+ if (status != 0)
+ {
+ (*AdminPasswordCallback)(request.AdminPassword);
}
}
if (authCheckDone)
@@ -335,9 +327,9 @@ namespace VeraCrypt
// Set to false to force the 'WarningEvent' to be raised in case of and elevation exception.
request.FastElevation = false;
}
}
-#endif
+
try
{
request.Serialize (ServiceInputStream);
unique_ptr <T> response (GetResponse <T>());
@@ -352,11 +344,10 @@ namespace VeraCrypt
Core->WarningEvent.Raise (args);
}
request.FastElevation = false;
-#if defined(TC_LINUX ) || defined (TC_FREEBSD)
+
if(!authCheckDone)
-#endif
(*AdminPasswordCallback) (request.AdminPassword);
}
}
}
diff --git a/src/Main/CommandLineInterface.cpp b/src/Main/CommandLineInterface.cpp
index 735cbeef..08042c9e 100644
--- a/src/Main/CommandLineInterface.cpp
+++ b/src/Main/CommandLineInterface.cpp
@@ -31,11 +31,9 @@ namespace VeraCrypt
ArgVolumeType (VolumeType::Unknown),
ArgAllowScreencapture (false),
ArgDisableFileSizeCheck (false),
ArgUseLegacyPassword (false),
-#if defined(TC_LINUX ) || defined (TC_FREEBSD)
ArgUseDummySudoPassword (false),
-#endif
StartBackgroundTask (false)
{
wxCmdLineParser parser;
parser.SetCmdLine (argc, argv);
@@ -375,11 +373,9 @@ namespace VeraCrypt
ArgForce = parser.Found (L"force");
ArgDisableFileSizeCheck = parser.Found (L"no-size-check");
ArgUseLegacyPassword = parser.Found (L"legacy-password-maxlength");
-#if defined(TC_LINUX ) || defined (TC_FREEBSD)
ArgUseDummySudoPassword = parser.Found (L"use-dummy-sudo-password");
-#endif
#if !defined(TC_WINDOWS) && !defined(TC_MACOSX)
if (parser.Found (L"fs-options", &str))
ArgMountOptions.FilesystemOptions = str;
diff --git a/src/Main/CommandLineInterface.h b/src/Main/CommandLineInterface.h
index f773ca6f..7e7b1054 100644
--- a/src/Main/CommandLineInterface.h
+++ b/src/Main/CommandLineInterface.h
@@ -86,11 +86,9 @@ namespace VeraCrypt
shared_ptr<SecureBuffer> ArgTokenPin;
bool ArgAllowScreencapture;
bool ArgDisableFileSizeCheck;
bool ArgUseLegacyPassword;
-#if defined(TC_LINUX ) || defined (TC_FREEBSD)
bool ArgUseDummySudoPassword;
-#endif
bool StartBackgroundTask;
UserPreferences Preferences;
diff --git a/src/Main/UserInterface.cpp b/src/Main/UserInterface.cpp
index 81093d08..4bb8bcda 100644
--- a/src/Main/UserInterface.cpp
+++ b/src/Main/UserInterface.cpp
@@ -569,11 +569,9 @@ namespace VeraCrypt
{
Core->SetAdminPasswordCallback (shared_ptr <GetStringFunctor> (new AdminPasswordRequestHandler));
}
-#if defined(TC_LINUX ) || defined (TC_FREEBSD)
Core->ForceUseDummySudoPassword (CmdLine->ArgUseDummySudoPassword);
-#endif
Core->WarningEvent.Connect (EventConnector <UserInterface> (this, &UserInterface::OnWarning));
Core->VolumeMountedEvent.Connect (EventConnector <UserInterface> (this, &UserInterface::OnVolumeMounted));