1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
|
use std::io::Write;
use std::process::{Command, Stdio};
use anyhow::{Context, Result};
use log::info;
use crate::log_line;
use crate::utils::current_username;
/// Different kind of password
#[derive(Debug, Clone, Copy)]
pub enum PasswordKind {
SUDO,
CRYPTSETUP,
}
impl std::fmt::Display for PasswordKind {
fn fmt(&self, f: &mut std::fmt::Formatter) -> std::fmt::Result {
let asker = match self {
Self::SUDO => "sudo ",
Self::CRYPTSETUP => "device ",
};
write!(f, "{asker}")
}
}
/// What will this password be used for ?
/// ATM only 3 usages are supported:
/// * mounting an ISO file,
/// * opening an mounting an encrypted device.
/// * running a sudo command
#[derive(Debug, Clone, Copy)]
pub enum PasswordUsage {
ISO,
CRYPTSETUP,
SUDOCOMMAND,
}
type Password = String;
/// Holds passwords allowing to mount or unmount an encrypted drive.
#[derive(Default, Clone, Debug)]
pub struct PasswordHolder {
sudo: Option<Password>,
cryptsetup: Option<Password>,
}
impl PasswordHolder {
/// Set the sudo password.
pub fn set_sudo(&mut self, password: Password) {
self.sudo = Some(password)
}
/// Set the encrypted device passphrase
pub fn set_cryptsetup(&mut self, passphrase: Password) {
self.cryptsetup = Some(passphrase)
}
/// Reads the cryptsetup password
pub fn cryptsetup(&self) -> Result<Password> {
self.cryptsetup
.clone()
.context("PasswordHolder: cryptsetup password isn't set")
}
/// Reads the sudo password
pub fn sudo(&self) -> Result<Password> {
self.sudo
.clone()
.context("PasswordHolder: sudo password isn't set")
}
/// True if the sudo password was set
pub fn has_sudo(&self) -> bool {
self.sudo.is_some()
}
/// True if the encrypted device passphrase was set
pub fn has_cryptsetup(&self) -> bool {
self.cryptsetup.is_some()
}
/// Reset every known password, dropping them.
/// It should be called ASAP.
pub fn reset(&mut self) {
self.sudo = None;
self.cryptsetup = None;
}
}
/// Spawn a sudo command with stdin, stdout and stderr piped.
/// sudo is run with -S argument to read the passworo from stdin
/// Args are sent.
/// CWD is set to `path`.
/// No password is set yet.
/// A password should be sent with `inject_password`.
fn new_sudo_command_awaiting_password<S, P>(args: &[S], path: P) -> Result<std::process::Child>
where
S: AsRef<std::ffi::OsStr> + std::fmt::Debug,
P: AsRef<std::path::Path> + std::fmt::Debug,
{
Ok(Command::new("sudo")
.arg("-S")
.args(args)
.stdin(Stdio::piped())
.stdout(Stdio::piped())
.stderr(Stdio::piped())
.current_dir(path)
.spawn()?)
}
/// Send password to a sudo command through its stdin.
fn inject_password(password: &str, child: &mut std::process::Child) -> Result<()> {
let child_stdin = child
.stdin
.as_mut()
.context("run_privileged_command: couldn't open child stdin")?;
child_stdin.write_all(format!("{password}\n").as_bytes())?;
Ok(())
}
/// run a sudo command requiring a password (generally to establish the password.)
/// Since I can't send 2 passwords at a time, it will only work with the sudo password
/// It requires a path to establish CWD.
pub fn execute_sudo_command_with_password<S, P>(
args: &[S],
password: &str,
path: P,
) -> Result<(bool, String, String)>
where
S: AsRef<std::ffi::OsStr> + std::fmt::Debug,
P: AsRef<std::path::Path> + std::fmt::Debug,
{
info!("sudo_with_password {args:?} CWD {path:?}");
log_line!("running sudo command with password. args: {args:?}, CWD: {path:?}");
let mut child = new_sudo_command_awaiting_password(args, path)?;
inject_password(password, &mut child)?;
let output = child.wait_with_output()?;
Ok((
output.status.success(),
String::from_utf8(output.stdout)?,
String::from_utf8(output.stderr)?,
))
}
/// Spawn a sudo command which shouldn't require a password.
/// The command is executed immediatly and we return an handle to it.
fn new_sudo_command_passwordless<S>(args: &[S]) -> Result<std::process::Child>
where
S: AsRef<std::ffi::OsStr> + std::fmt::Debug,
{
Ok(Command::new("sudo")
.args(args)
.stdin(Stdio::null())
.stdout(Stdio::piped())
.stderr(Stdio::piped())
.spawn()?)
}
/// Runs a passwordless sudo command.
/// Returns stdout & stderr
pub fn execute_sudo_command<S>(args: &[S]) -> Result<(bool, String, String)>
where
S: AsRef<std::ffi::OsStr> + std::fmt::Debug,
{
info!("running sudo {:?}", args);
log_line!("running sudo command. {args:?}");
let child = new_sudo_command_passwordless(args)?;
let output = child.wait_with_output()?;
Ok((
output.status.success(),
String::from_utf8(output.stdout)?,
String::from_utf8(output.stderr)?,
))
}
/// Runs `sudo -k` removing sudo privileges of current running instance.
pub fn drop_sudo_privileges() -> Result<()> {
Command::new("sudo")
.arg("-k")
.stdin(Stdio::null())
.stdout(Stdio::null())
.stderr(Stdio::null())
.spawn()?;
Ok(())
}
/// Reset the sudo faillock to avoid being blocked from running sudo commands.
/// Runs `faillock --user $USERNAME --reset`
pub fn reset_sudo_faillock() -> Result<()> {
Command::new("faillock")
.arg("--user")
.arg(current_username()?)
.arg("--reset")
.stdin(Stdio::null())
.stdout(Stdio::null())
.stderr(Stdio::null())
.spawn()?;
Ok(())
}
|
