diff options
author | Mounir IDRASSI <mounir.idrassi@idrix.fr> | 2024-12-25 11:29:32 +0100 |
---|---|---|
committer | Mounir IDRASSI <mounir.idrassi@idrix.fr> | 2024-12-25 11:29:32 +0100 |
commit | ca331b8b349cf1a42e6219d8733ae581199961fc (patch) | |
tree | b04dce61a60a793c5b519b5cbb9754bb7b4c6c4e /src | |
parent | 341411e935621ee74e816cf83a149ce9cf1e6f9e (diff) | |
download | VeraCrypt-ca331b8b349cf1a42e6219d8733ae581199961fc.tar.gz VeraCrypt-ca331b8b349cf1a42e6219d8733ae581199961fc.zip |
Linux/macOS: Simplify sudo session detection logic and extend it to macOS
This update simplifies the logic for detecting active sudo sessions by checking the exit code of the sudo -n -l command, which reliably returns 0 if a session is active.
Additionally, this approach is now applicable to recent macOS versions, as they no longer have the sudo bug that previously prevented us from using this method.
Diffstat (limited to 'src')
-rw-r--r-- | src/Core/CoreBase.h | 4 | ||||
-rw-r--r-- | src/Core/Unix/CoreService.cpp | 55 | ||||
-rw-r--r-- | src/Main/CommandLineInterface.cpp | 4 | ||||
-rw-r--r-- | src/Main/CommandLineInterface.h | 2 | ||||
-rw-r--r-- | src/Main/UserInterface.cpp | 2 |
5 files changed, 23 insertions, 44 deletions
diff --git a/src/Core/CoreBase.h b/src/Core/CoreBase.h index e646fce3..7f830336 100644 --- a/src/Core/CoreBase.h +++ b/src/Core/CoreBase.h @@ -76,12 +76,10 @@ namespace VeraCrypt virtual void SetApplicationExecutablePath (const FilePath &path) { ApplicationExecutablePath = path; } virtual void SetFileOwner (const FilesystemPath &path, const UserId &owner) const = 0; virtual DirectoryPath SlotNumberToMountPoint (VolumeSlotNumber slotNumber) const = 0; virtual void WipePasswordCache () const = 0; -#if defined(TC_LINUX ) || defined (TC_FREEBSD) virtual void ForceUseDummySudoPassword (bool useDummySudoPassword) { UseDummySudoPassword = useDummySudoPassword;} virtual bool GetUseDummySudoPassword () const { return UseDummySudoPassword;} -#endif Event VolumeDismountedEvent; Event VolumeMountedEvent; Event WarningEvent; @@ -90,11 +88,9 @@ namespace VeraCrypt CoreBase (); bool DeviceChangeInProgress; FilePath ApplicationExecutablePath; -#if defined(TC_LINUX ) || defined (TC_FREEBSD) bool UseDummySudoPassword; -#endif private: CoreBase (const CoreBase &); CoreBase &operator= (const CoreBase &); diff --git a/src/Core/Unix/CoreService.cpp b/src/Core/Unix/CoreService.cpp index 6d0f05e5..e4b75dd3 100644 --- a/src/Core/Unix/CoreService.cpp +++ b/src/Core/Unix/CoreService.cpp @@ -291,43 +291,35 @@ namespace VeraCrypt while (!ElevatedServiceAvailable) { // Test if the user has an active "sudo" session. - // This is only done under Linux / FreeBSD by executing the command 'sudo -n uptime'. - // In case a "sudo" session is active, the result of the command contains the string 'load average'. - // Otherwise, the result contains "sudo: a password is required". - // This may not work on all OSX versions because of a bug in sudo in its version 1.7.10, - // therefore we keep the old behaviour of sending a 'dummy' password under OSX. - // See : https://superuser.com/questions/902826/why-does-sudo-n-on-mac-os-x-always-return-0 - // - // If for some reason we are getting empty output from pipe, we revert to old behavior - // We also use the old way if the user is forcing the use of dummy password for sudo - -#if defined(TC_LINUX ) || defined (TC_FREEBSD) bool authCheckDone = false; if (!Core->GetUseDummySudoPassword ()) - { - std::vector<char> buffer(128, 0); - std::string result; - - FILE* pipe = popen("sudo -n uptime 2>&1 | grep 'load average' | wc -l | tr -d '[:blank:]'", "r"); // We redirect stderr to stdout (2>&1) to be able to catch the result of the command + { + // sudo man page: "If the -l option was specified without a command, sudo, will exit + // with a value of 0 if the user is allowed to run sudo, and they authenticated successfully" + // We are using -n to avoid prompting the user for a password. + // We are redirecting stderr to stdout and discarding both to avoid any output. + // This approach also works on newer macOS versions (12.0 and later). + FILE* pipe = popen("sudo -n -l > /dev/null 2>&1", "r"); // redirect stderr to stdout and discard both. if (pipe) { - while (!feof(pipe)) - { - if (fgets(buffer.data(), 128, pipe) != nullptr) - result += buffer.data(); - } - - fflush(pipe); - pclose(pipe); + // We only care about the exit code + char buf[128]; + while (!feof(pipe)) + { + if (fgets(buf, sizeof(buf), pipe) == NULL) + break; + } + int status = pclose(pipe); pipe = NULL; - if (!result.empty() && strlen(result.c_str()) != 0) - { - authCheckDone = true; - if (result[0] == '0') // no line found with "load average" text, rerquest admin password - (*AdminPasswordCallback) (request.AdminPassword); + authCheckDone = true; + + // If exit code != 0, user does NOT have an active session => request password + if (status != 0) + { + (*AdminPasswordCallback)(request.AdminPassword); } } if (authCheckDone) @@ -335,9 +327,9 @@ namespace VeraCrypt // Set to false to force the 'WarningEvent' to be raised in case of and elevation exception. request.FastElevation = false; } } -#endif + try { request.Serialize (ServiceInputStream); unique_ptr <T> response (GetResponse <T>()); @@ -352,11 +344,10 @@ namespace VeraCrypt Core->WarningEvent.Raise (args); } request.FastElevation = false; -#if defined(TC_LINUX ) || defined (TC_FREEBSD) + if(!authCheckDone) -#endif (*AdminPasswordCallback) (request.AdminPassword); } } } diff --git a/src/Main/CommandLineInterface.cpp b/src/Main/CommandLineInterface.cpp index 735cbeef..08042c9e 100644 --- a/src/Main/CommandLineInterface.cpp +++ b/src/Main/CommandLineInterface.cpp @@ -31,11 +31,9 @@ namespace VeraCrypt ArgVolumeType (VolumeType::Unknown), ArgAllowScreencapture (false), ArgDisableFileSizeCheck (false), ArgUseLegacyPassword (false), -#if defined(TC_LINUX ) || defined (TC_FREEBSD) ArgUseDummySudoPassword (false), -#endif StartBackgroundTask (false) { wxCmdLineParser parser; parser.SetCmdLine (argc, argv); @@ -375,11 +373,9 @@ namespace VeraCrypt ArgForce = parser.Found (L"force"); ArgDisableFileSizeCheck = parser.Found (L"no-size-check"); ArgUseLegacyPassword = parser.Found (L"legacy-password-maxlength"); -#if defined(TC_LINUX ) || defined (TC_FREEBSD) ArgUseDummySudoPassword = parser.Found (L"use-dummy-sudo-password"); -#endif #if !defined(TC_WINDOWS) && !defined(TC_MACOSX) if (parser.Found (L"fs-options", &str)) ArgMountOptions.FilesystemOptions = str; diff --git a/src/Main/CommandLineInterface.h b/src/Main/CommandLineInterface.h index f773ca6f..7e7b1054 100644 --- a/src/Main/CommandLineInterface.h +++ b/src/Main/CommandLineInterface.h @@ -86,11 +86,9 @@ namespace VeraCrypt shared_ptr<SecureBuffer> ArgTokenPin; bool ArgAllowScreencapture; bool ArgDisableFileSizeCheck; bool ArgUseLegacyPassword; -#if defined(TC_LINUX ) || defined (TC_FREEBSD) bool ArgUseDummySudoPassword; -#endif bool StartBackgroundTask; UserPreferences Preferences; diff --git a/src/Main/UserInterface.cpp b/src/Main/UserInterface.cpp index 81093d08..4bb8bcda 100644 --- a/src/Main/UserInterface.cpp +++ b/src/Main/UserInterface.cpp @@ -569,11 +569,9 @@ namespace VeraCrypt { Core->SetAdminPasswordCallback (shared_ptr <GetStringFunctor> (new AdminPasswordRequestHandler)); } -#if defined(TC_LINUX ) || defined (TC_FREEBSD) Core->ForceUseDummySudoPassword (CmdLine->ArgUseDummySudoPassword); -#endif Core->WarningEvent.Connect (EventConnector <UserInterface> (this, &UserInterface::OnWarning)); Core->VolumeMountedEvent.Connect (EventConnector <UserInterface> (this, &UserInterface::OnVolumeMounted)); |