|
version 1.1.1.1, 2012/02/21 16:23:02
|
version 1.1.1.2, 2012/05/29 12:26:49
|
|
Line 1
|
Line 1
|
| /* |
/* |
| * Copyright (c) 1996, 1998-2005, 2007-2011 | * Copyright (c) 1996, 1998-2005, 2007-2012 |
| * Todd C. Miller <Todd.Miller@courtesan.com> |
* Todd C. Miller <Todd.Miller@courtesan.com> |
| * |
* |
| * Permission to use, copy, modify, and distribute this software for any |
* Permission to use, copy, modify, and distribute this software for any |
|
Line 47
|
Line 47
|
| #ifdef HAVE_FNMATCH |
#ifdef HAVE_FNMATCH |
| # include <fnmatch.h> |
# include <fnmatch.h> |
| #endif /* HAVE_FNMATCH */ |
#endif /* HAVE_FNMATCH */ |
| #ifdef HAVE_EXTENDED_GLOB | #ifdef HAVE_GLOB |
| # include <glob.h> |
# include <glob.h> |
| #endif /* HAVE_EXTENDED_GLOB */ | #endif /* HAVE_GLOB */ |
| #ifdef HAVE_NETGROUP_H |
#ifdef HAVE_NETGROUP_H |
| # include <netgroup.h> |
# include <netgroup.h> |
| #endif /* HAVE_NETGROUP_H */ |
#endif /* HAVE_NETGROUP_H */ |
|
Line 81
|
Line 81
|
| #ifndef HAVE_FNMATCH |
#ifndef HAVE_FNMATCH |
| # include "compat/fnmatch.h" |
# include "compat/fnmatch.h" |
| #endif /* HAVE_FNMATCH */ |
#endif /* HAVE_FNMATCH */ |
| #ifndef HAVE_EXTENDED_GLOB | #ifndef HAVE_GLOB |
| # include "compat/glob.h" |
# include "compat/glob.h" |
| #endif /* HAVE_EXTENDED_GLOB */ | #endif /* HAVE_GLOB */ |
| |
|
| static struct member_list empty; |
static struct member_list empty; |
| |
|
| static int command_matches_dir(char *, size_t); | static bool command_matches_dir(char *, size_t); |
| static int command_matches_glob(char *, char *); | static bool command_matches_glob(char *, char *); |
| static int command_matches_fnmatch(char *, char *); | static bool command_matches_fnmatch(char *, char *); |
| static int command_matches_normal(char *, char *); | static bool command_matches_normal(char *, char *); |
| |
|
| /* |
/* |
| * Returns TRUE if string 's' contains meta characters. | * Returns true if string 's' contains meta characters. |
| */ |
*/ |
| #define has_meta(s) (strpbrk(s, "\\?*[]") != NULL) |
#define has_meta(s) (strpbrk(s, "\\?*[]") != NULL) |
| |
|
|
Line 107 _userlist_matches(struct passwd *pw, struct member_lis
|
Line 107 _userlist_matches(struct passwd *pw, struct member_lis
|
| struct member *m; |
struct member *m; |
| struct alias *a; |
struct alias *a; |
| int rval, matched = UNSPEC; |
int rval, matched = UNSPEC; |
| |
debug_decl(_userlist_matches, SUDO_DEBUG_MATCH) |
| |
|
| tq_foreach_rev(list, m) { |
tq_foreach_rev(list, m) { |
| switch (m->type) { |
switch (m->type) { |
|
Line 137 _userlist_matches(struct passwd *pw, struct member_lis
|
Line 138 _userlist_matches(struct passwd *pw, struct member_lis
|
| if (matched != UNSPEC) |
if (matched != UNSPEC) |
| break; |
break; |
| } |
} |
| return matched; | debug_return_bool(matched); |
| } |
} |
| |
|
| int |
int |
|
Line 160 _runaslist_matches(struct member_list *user_list, stru
|
Line 161 _runaslist_matches(struct member_list *user_list, stru
|
| int rval; |
int rval; |
| int user_matched = UNSPEC; |
int user_matched = UNSPEC; |
| int group_matched = UNSPEC; |
int group_matched = UNSPEC; |
| |
debug_decl(_runaslist_matches, SUDO_DEBUG_MATCH) |
| |
|
| if (runas_pw != NULL) { |
if (runas_pw != NULL) { |
| /* If no runas user or runas group listed in sudoers, use default. */ |
/* If no runas user or runas group listed in sudoers, use default. */ |
| if (tq_empty(user_list) && tq_empty(group_list)) |
if (tq_empty(user_list) && tq_empty(group_list)) |
| return userpw_matches(def_runas_default, runas_pw->pw_name, runas_pw); | debug_return_int(userpw_matches(def_runas_default, runas_pw->pw_name, runas_pw)); |
| |
|
| tq_foreach_rev(user_list, m) { |
tq_foreach_rev(user_list, m) { |
| switch (m->type) { |
switch (m->type) { |
|
Line 230 _runaslist_matches(struct member_list *user_list, stru
|
Line 232 _runaslist_matches(struct member_list *user_list, stru
|
| } |
} |
| |
|
| if (user_matched == DENY || group_matched == DENY) |
if (user_matched == DENY || group_matched == DENY) |
| return DENY; | debug_return_int(DENY); |
| if (user_matched == group_matched || runas_gr == NULL) |
if (user_matched == group_matched || runas_gr == NULL) |
| return user_matched; | debug_return_int(user_matched); |
| return UNSPEC; | debug_return_int(UNSPEC); |
| } |
} |
| |
|
| int |
int |
|
Line 254 _hostlist_matches(struct member_list *list)
|
Line 256 _hostlist_matches(struct member_list *list)
|
| struct member *m; |
struct member *m; |
| struct alias *a; |
struct alias *a; |
| int rval, matched = UNSPEC; |
int rval, matched = UNSPEC; |
| |
debug_decl(_hostlist_matches, SUDO_DEBUG_MATCH) |
| |
|
| tq_foreach_rev(list, m) { |
tq_foreach_rev(list, m) { |
| switch (m->type) { |
switch (m->type) { |
|
Line 284 _hostlist_matches(struct member_list *list)
|
Line 287 _hostlist_matches(struct member_list *list)
|
| if (matched != UNSPEC) |
if (matched != UNSPEC) |
| break; |
break; |
| } |
} |
| return matched; | debug_return_bool(matched); |
| } |
} |
| |
|
| int |
int |
|
Line 303 _cmndlist_matches(struct member_list *list)
|
Line 306 _cmndlist_matches(struct member_list *list)
|
| { |
{ |
| struct member *m; |
struct member *m; |
| int matched = UNSPEC; |
int matched = UNSPEC; |
| |
debug_decl(_cmndlist_matches, SUDO_DEBUG_MATCH) |
| |
|
| tq_foreach_rev(list, m) { |
tq_foreach_rev(list, m) { |
| matched = cmnd_matches(m); |
matched = cmnd_matches(m); |
| if (matched != UNSPEC) |
if (matched != UNSPEC) |
| break; |
break; |
| } |
} |
| return matched; | debug_return_bool(matched); |
| } |
} |
| |
|
| int |
int |
|
Line 329 cmnd_matches(struct member *m)
|
Line 333 cmnd_matches(struct member *m)
|
| struct alias *a; |
struct alias *a; |
| struct sudo_command *c; |
struct sudo_command *c; |
| int rval, matched = UNSPEC; |
int rval, matched = UNSPEC; |
| |
debug_decl(cmnd_matches, SUDO_DEBUG_MATCH) |
| |
|
| switch (m->type) { |
switch (m->type) { |
| case ALL: |
case ALL: |
|
Line 348 cmnd_matches(struct member *m)
|
Line 353 cmnd_matches(struct member *m)
|
| matched = !m->negated; |
matched = !m->negated; |
| break; |
break; |
| } |
} |
| return matched; | debug_return_bool(matched); |
| } |
} |
| |
|
| static int | static bool |
| command_args_match(sudoers_cmnd, sudoers_args) |
command_args_match(sudoers_cmnd, sudoers_args) |
| char *sudoers_cmnd; |
char *sudoers_cmnd; |
| char *sudoers_args; |
char *sudoers_args; |
| { |
{ |
| int flags = 0; |
int flags = 0; |
| |
debug_decl(command_args_match, SUDO_DEBUG_MATCH) |
| |
|
| /* |
/* |
| * If no args specified in sudoers, any user args are allowed. |
* If no args specified in sudoers, any user args are allowed. |
|
Line 364 command_args_match(sudoers_cmnd, sudoers_args)
|
Line 370 command_args_match(sudoers_cmnd, sudoers_args)
|
| */ |
*/ |
| if (!sudoers_args || |
if (!sudoers_args || |
| (!user_args && sudoers_args && !strcmp("\"\"", sudoers_args))) |
(!user_args && sudoers_args && !strcmp("\"\"", sudoers_args))) |
| return TRUE; | debug_return_bool(true); |
| /* |
/* |
| * If args are specified in sudoers, they must match the user args. |
* If args are specified in sudoers, they must match the user args. |
| * If running as sudoedit, all args are assumed to be paths. |
* If running as sudoedit, all args are assumed to be paths. |
|
Line 374 command_args_match(sudoers_cmnd, sudoers_args)
|
Line 380 command_args_match(sudoers_cmnd, sudoers_args)
|
| if (strcmp(sudoers_cmnd, "sudoedit") == 0) |
if (strcmp(sudoers_cmnd, "sudoedit") == 0) |
| flags = FNM_PATHNAME; |
flags = FNM_PATHNAME; |
| if (fnmatch(sudoers_args, user_args ? user_args : "", flags) == 0) |
if (fnmatch(sudoers_args, user_args ? user_args : "", flags) == 0) |
| return TRUE; | debug_return_bool(true); |
| } |
} |
| return FALSE; | debug_return_bool(false); |
| } |
} |
| |
|
| /* |
/* |
| * If path doesn't end in /, return TRUE iff cmnd & path name the same inode; | * If path doesn't end in /, return true iff cmnd & path name the same inode; |
| * otherwise, return TRUE if user_cmnd names one of the inodes in path. | * otherwise, return true if user_cmnd names one of the inodes in path. |
| */ |
*/ |
| int | bool |
| command_matches(char *sudoers_cmnd, char *sudoers_args) |
command_matches(char *sudoers_cmnd, char *sudoers_args) |
| { |
{ |
| |
debug_decl(command_matches, SUDO_DEBUG_MATCH) |
| |
|
| /* Check for pseudo-commands */ |
/* Check for pseudo-commands */ |
| if (sudoers_cmnd[0] != '/') { |
if (sudoers_cmnd[0] != '/') { |
| /* |
/* |
|
Line 396 command_matches(char *sudoers_cmnd, char *sudoers_args
|
Line 404 command_matches(char *sudoers_cmnd, char *sudoers_args
|
| */ |
*/ |
| if (strcmp(sudoers_cmnd, "sudoedit") != 0 || |
if (strcmp(sudoers_cmnd, "sudoedit") != 0 || |
| strcmp(user_cmnd, "sudoedit") != 0) |
strcmp(user_cmnd, "sudoedit") != 0) |
| return FALSE; | debug_return_bool(false); |
| if (command_args_match(sudoers_cmnd, sudoers_args)) { |
if (command_args_match(sudoers_cmnd, sudoers_args)) { |
| efree(safe_cmnd); |
efree(safe_cmnd); |
| safe_cmnd = estrdup(sudoers_cmnd); |
safe_cmnd = estrdup(sudoers_cmnd); |
| return TRUE; | debug_return_bool(true); |
| } else |
} else |
| return FALSE; | debug_return_bool(false); |
| } |
} |
| |
|
| if (has_meta(sudoers_cmnd)) { |
if (has_meta(sudoers_cmnd)) { |
|
Line 411 command_matches(char *sudoers_cmnd, char *sudoers_args
|
Line 419 command_matches(char *sudoers_cmnd, char *sudoers_args
|
| * use glob(3) and/or fnmatch(3) to do the matching. |
* use glob(3) and/or fnmatch(3) to do the matching. |
| */ |
*/ |
| if (def_fast_glob) |
if (def_fast_glob) |
| return command_matches_fnmatch(sudoers_cmnd, sudoers_args); | debug_return_bool(command_matches_fnmatch(sudoers_cmnd, sudoers_args)); |
| return command_matches_glob(sudoers_cmnd, sudoers_args); | debug_return_bool(command_matches_glob(sudoers_cmnd, sudoers_args)); |
| } |
} |
| return command_matches_normal(sudoers_cmnd, sudoers_args); | debug_return_bool(command_matches_normal(sudoers_cmnd, sudoers_args)); |
| } |
} |
| |
|
| static int | static bool |
| command_matches_fnmatch(char *sudoers_cmnd, char *sudoers_args) |
command_matches_fnmatch(char *sudoers_cmnd, char *sudoers_args) |
| { |
{ |
| |
debug_decl(command_matches_fnmatch, SUDO_DEBUG_MATCH) |
| |
|
| /* |
/* |
| * Return true if fnmatch(3) succeeds AND |
* Return true if fnmatch(3) succeeds AND |
| * a) there are no args in sudoers OR |
* a) there are no args in sudoers OR |
|
Line 428 command_matches_fnmatch(char *sudoers_cmnd, char *sudo
|
Line 438 command_matches_fnmatch(char *sudoers_cmnd, char *sudo
|
| * else return false. |
* else return false. |
| */ |
*/ |
| if (fnmatch(sudoers_cmnd, user_cmnd, FNM_PATHNAME) != 0) |
if (fnmatch(sudoers_cmnd, user_cmnd, FNM_PATHNAME) != 0) |
| return FALSE; | debug_return_bool(false); |
| if (command_args_match(sudoers_cmnd, sudoers_args)) { |
if (command_args_match(sudoers_cmnd, sudoers_args)) { |
| if (safe_cmnd) |
if (safe_cmnd) |
| free(safe_cmnd); |
free(safe_cmnd); |
| safe_cmnd = estrdup(user_cmnd); |
safe_cmnd = estrdup(user_cmnd); |
| return TRUE; | debug_return_bool(true); |
| } else | } |
| return FALSE; | debug_return_bool(false); |
| } |
} |
| |
|
| static int | static bool |
| command_matches_glob(char *sudoers_cmnd, char *sudoers_args) |
command_matches_glob(char *sudoers_cmnd, char *sudoers_args) |
| { |
{ |
| struct stat sudoers_stat; |
struct stat sudoers_stat; |
| size_t dlen; |
size_t dlen; |
| char **ap, *base, *cp; |
char **ap, *base, *cp; |
| glob_t gl; |
glob_t gl; |
| |
debug_decl(command_matches_glob, SUDO_DEBUG_MATCH) |
| |
|
| /* |
/* |
| * First check to see if we can avoid the call to glob(3). |
* First check to see if we can avoid the call to glob(3). |
|
Line 456 command_matches_glob(char *sudoers_cmnd, char *sudoers
|
Line 467 command_matches_glob(char *sudoers_cmnd, char *sudoers
|
| if ((base = strrchr(sudoers_cmnd, '/')) != NULL) { |
if ((base = strrchr(sudoers_cmnd, '/')) != NULL) { |
| base++; |
base++; |
| if (!has_meta(base) && strcmp(user_base, base) != 0) |
if (!has_meta(base) && strcmp(user_base, base) != 0) |
| return FALSE; | debug_return_bool(false); |
| } |
} |
| } |
} |
| /* |
/* |
|
Line 466 command_matches_glob(char *sudoers_cmnd, char *sudoers
|
Line 477 command_matches_glob(char *sudoers_cmnd, char *sudoers
|
| * c) there are args in sudoers and on command line and they match |
* c) there are args in sudoers and on command line and they match |
| * else return false. |
* else return false. |
| */ |
*/ |
| #define GLOB_FLAGS (GLOB_NOSORT | GLOB_MARK | GLOB_BRACE | GLOB_TILDE) | if (glob(sudoers_cmnd, GLOB_NOSORT, NULL, &gl) != 0 || gl.gl_pathc == 0) { |
| if (glob(sudoers_cmnd, GLOB_FLAGS, NULL, &gl) != 0 || gl.gl_pathc == 0) { | |
| globfree(&gl); |
globfree(&gl); |
| return FALSE; | debug_return_bool(false); |
| } |
} |
| /* For each glob match, compare basename, st_dev and st_ino. */ |
/* For each glob match, compare basename, st_dev and st_ino. */ |
| for (ap = gl.gl_pathv; (cp = *ap) != NULL; ap++) { |
for (ap = gl.gl_pathv; (cp = *ap) != NULL; ap++) { |
|
Line 477 command_matches_glob(char *sudoers_cmnd, char *sudoers
|
Line 487 command_matches_glob(char *sudoers_cmnd, char *sudoers
|
| dlen = strlen(cp); |
dlen = strlen(cp); |
| if (cp[dlen - 1] == '/') { |
if (cp[dlen - 1] == '/') { |
| if (command_matches_dir(cp, dlen)) |
if (command_matches_dir(cp, dlen)) |
| return TRUE; | debug_return_bool(true); |
| continue; |
continue; |
| } |
} |
| |
|
|
Line 499 command_matches_glob(char *sudoers_cmnd, char *sudoers
|
Line 509 command_matches_glob(char *sudoers_cmnd, char *sudoers
|
| } |
} |
| globfree(&gl); |
globfree(&gl); |
| if (cp == NULL) |
if (cp == NULL) |
| return FALSE; | debug_return_bool(false); |
| |
|
| if (command_args_match(sudoers_cmnd, sudoers_args)) { |
if (command_args_match(sudoers_cmnd, sudoers_args)) { |
| efree(safe_cmnd); |
efree(safe_cmnd); |
| safe_cmnd = estrdup(user_cmnd); |
safe_cmnd = estrdup(user_cmnd); |
| return TRUE; | debug_return_bool(true); |
| } |
} |
| return FALSE; | debug_return_bool(false); |
| } |
} |
| |
|
| static int | static bool |
| command_matches_normal(char *sudoers_cmnd, char *sudoers_args) |
command_matches_normal(char *sudoers_cmnd, char *sudoers_args) |
| { |
{ |
| struct stat sudoers_stat; |
struct stat sudoers_stat; |
| char *base; |
char *base; |
| size_t dlen; |
size_t dlen; |
| |
debug_decl(command_matches_normal, SUDO_DEBUG_MATCH) |
| |
|
| /* If it ends in '/' it is a directory spec. */ |
/* If it ends in '/' it is a directory spec. */ |
| dlen = strlen(sudoers_cmnd); |
dlen = strlen(sudoers_cmnd); |
| if (sudoers_cmnd[dlen - 1] == '/') |
if (sudoers_cmnd[dlen - 1] == '/') |
| return command_matches_dir(sudoers_cmnd, dlen); | debug_return_bool(command_matches_dir(sudoers_cmnd, dlen)); |
| |
|
| /* Only proceed if user_base and basename(sudoers_cmnd) match */ |
/* Only proceed if user_base and basename(sudoers_cmnd) match */ |
| if ((base = strrchr(sudoers_cmnd, '/')) == NULL) |
if ((base = strrchr(sudoers_cmnd, '/')) == NULL) |
|
Line 528 command_matches_normal(char *sudoers_cmnd, char *sudoe
|
Line 539 command_matches_normal(char *sudoers_cmnd, char *sudoe
|
| base++; |
base++; |
| if (strcmp(user_base, base) != 0 || |
if (strcmp(user_base, base) != 0 || |
| stat(sudoers_cmnd, &sudoers_stat) == -1) |
stat(sudoers_cmnd, &sudoers_stat) == -1) |
| return FALSE; | debug_return_bool(false); |
| |
|
| /* |
/* |
| * Return true if inode/device matches AND |
* Return true if inode/device matches AND |
|
Line 539 command_matches_normal(char *sudoers_cmnd, char *sudoe
|
Line 550 command_matches_normal(char *sudoers_cmnd, char *sudoe
|
| if (user_stat != NULL && |
if (user_stat != NULL && |
| (user_stat->st_dev != sudoers_stat.st_dev || |
(user_stat->st_dev != sudoers_stat.st_dev || |
| user_stat->st_ino != sudoers_stat.st_ino)) |
user_stat->st_ino != sudoers_stat.st_ino)) |
| return FALSE; | debug_return_bool(false); |
| if (command_args_match(sudoers_cmnd, sudoers_args)) { |
if (command_args_match(sudoers_cmnd, sudoers_args)) { |
| efree(safe_cmnd); |
efree(safe_cmnd); |
| safe_cmnd = estrdup(sudoers_cmnd); |
safe_cmnd = estrdup(sudoers_cmnd); |
| return TRUE; | debug_return_bool(true); |
| } |
} |
| return FALSE; | debug_return_bool(false); |
| } |
} |
| |
|
| /* |
/* |
| * Return TRUE if user_cmnd names one of the inodes in dir, else FALSE. | * Return true if user_cmnd names one of the inodes in dir, else false. |
| */ |
*/ |
| static int | static bool |
| command_matches_dir(char *sudoers_dir, size_t dlen) |
command_matches_dir(char *sudoers_dir, size_t dlen) |
| { |
{ |
| struct stat sudoers_stat; |
struct stat sudoers_stat; |
| struct dirent *dent; |
struct dirent *dent; |
| char buf[PATH_MAX]; |
char buf[PATH_MAX]; |
| DIR *dirp; |
DIR *dirp; |
| |
debug_decl(command_matches_dir, SUDO_DEBUG_MATCH) |
| |
|
| /* |
/* |
| * Grot through directory entries, looking for user_base. |
* Grot through directory entries, looking for user_base. |
| */ |
*/ |
| dirp = opendir(sudoers_dir); |
dirp = opendir(sudoers_dir); |
| if (dirp == NULL) |
if (dirp == NULL) |
| return FALSE; | debug_return_bool(false); |
| |
|
| if (strlcpy(buf, sudoers_dir, sizeof(buf)) >= sizeof(buf)) { |
if (strlcpy(buf, sudoers_dir, sizeof(buf)) >= sizeof(buf)) { |
| closedir(dirp); |
closedir(dirp); |
| return FALSE; | debug_return_bool(false); |
| } |
} |
| while ((dent = readdir(dirp)) != NULL) { |
while ((dent = readdir(dirp)) != NULL) { |
| /* ignore paths > PATH_MAX (XXX - log) */ |
/* ignore paths > PATH_MAX (XXX - log) */ |
|
Line 590 command_matches_dir(char *sudoers_dir, size_t dlen)
|
Line 602 command_matches_dir(char *sudoers_dir, size_t dlen)
|
| } |
} |
| |
|
| closedir(dirp); |
closedir(dirp); |
| return dent != NULL; | debug_return_bool(dent != NULL); |
| } |
} |
| |
|
| /* |
/* |
| * Returns TRUE if the hostname matches the pattern, else FALSE | * Returns true if the hostname matches the pattern, else false |
| */ |
*/ |
| int | bool |
| hostname_matches(char *shost, char *lhost, char *pattern) |
hostname_matches(char *shost, char *lhost, char *pattern) |
| { |
{ |
| |
debug_decl(hostname_matches, SUDO_DEBUG_MATCH) |
| |
|
| if (has_meta(pattern)) { |
if (has_meta(pattern)) { |
| if (strchr(pattern, '.')) |
if (strchr(pattern, '.')) |
| return !fnmatch(pattern, lhost, FNM_CASEFOLD); | debug_return_bool(!fnmatch(pattern, lhost, FNM_CASEFOLD)); |
| else |
else |
| return !fnmatch(pattern, shost, FNM_CASEFOLD); | debug_return_bool(!fnmatch(pattern, shost, FNM_CASEFOLD)); |
| } else { |
} else { |
| if (strchr(pattern, '.')) |
if (strchr(pattern, '.')) |
| return !strcasecmp(lhost, pattern); | debug_return_bool(!strcasecmp(lhost, pattern)); |
| else |
else |
| return !strcasecmp(shost, pattern); | debug_return_bool(!strcasecmp(shost, pattern)); |
| } |
} |
| } |
} |
| |
|
| /* |
/* |
| * Returns TRUE if the user/uid from sudoers matches the specified user/uid, | * Returns true if the user/uid from sudoers matches the specified user/uid, |
| * else returns FALSE. | * else returns false. |
| */ |
*/ |
| int | bool |
| userpw_matches(char *sudoers_user, char *user, struct passwd *pw) |
userpw_matches(char *sudoers_user, char *user, struct passwd *pw) |
| { |
{ |
| |
debug_decl(userpw_matches, SUDO_DEBUG_MATCH) |
| |
|
| if (pw != NULL && *sudoers_user == '#') { |
if (pw != NULL && *sudoers_user == '#') { |
| uid_t uid = (uid_t) atoi(sudoers_user + 1); |
uid_t uid = (uid_t) atoi(sudoers_user + 1); |
| if (uid == pw->pw_uid) |
if (uid == pw->pw_uid) |
| return TRUE; | debug_return_bool(true); |
| } |
} |
| return strcmp(sudoers_user, user) == 0; | debug_return_bool(strcmp(sudoers_user, user) == 0); |
| } |
} |
| |
|
| /* |
/* |
| * Returns TRUE if the group/gid from sudoers matches the specified group/gid, | * Returns true if the group/gid from sudoers matches the specified group/gid, |
| * else returns FALSE. | * else returns false. |
| */ |
*/ |
| int | bool |
| group_matches(char *sudoers_group, struct group *gr) |
group_matches(char *sudoers_group, struct group *gr) |
| { |
{ |
| |
debug_decl(group_matches, SUDO_DEBUG_MATCH) |
| |
|
| if (*sudoers_group == '#') { |
if (*sudoers_group == '#') { |
| gid_t gid = (gid_t) atoi(sudoers_group + 1); |
gid_t gid = (gid_t) atoi(sudoers_group + 1); |
| if (gid == gr->gr_gid) |
if (gid == gr->gr_gid) |
| return TRUE; | debug_return_bool(true); |
| } |
} |
| return strcmp(gr->gr_name, sudoers_group) == 0; | debug_return_bool(strcmp(gr->gr_name, sudoers_group) == 0); |
| } |
} |
| |
|
| /* |
/* |
| * Returns TRUE if the given user belongs to the named group, | * Returns true if the given user belongs to the named group, |
| * else returns FALSE. | * else returns false. |
| */ |
*/ |
| int | bool |
| usergr_matches(char *group, char *user, struct passwd *pw) |
usergr_matches(char *group, char *user, struct passwd *pw) |
| { |
{ |
| int matched = FALSE; | int matched = false; |
| struct passwd *pw0 = NULL; |
struct passwd *pw0 = NULL; |
| |
debug_decl(usergr_matches, SUDO_DEBUG_MATCH) |
| |
|
| /* make sure we have a valid usergroup, sudo style */ |
/* make sure we have a valid usergroup, sudo style */ |
| if (*group++ != '%') |
if (*group++ != '%') |
|
Line 669 usergr_matches(char *group, char *user, struct passwd
|
Line 688 usergr_matches(char *group, char *user, struct passwd
|
| } |
} |
| |
|
| if (user_in_group(pw, group)) { |
if (user_in_group(pw, group)) { |
| matched = TRUE; | matched = true; |
| goto done; |
goto done; |
| } |
} |
| |
|
| /* not a Unix group, could be an external group */ |
/* not a Unix group, could be an external group */ |
| if (def_group_plugin && group_plugin_query(user, group, pw)) { |
if (def_group_plugin && group_plugin_query(user, group, pw)) { |
| matched = TRUE; | matched = true; |
| goto done; |
goto done; |
| } |
} |
| |
|
|
Line 683 done:
|
Line 702 done:
|
| if (pw0 != NULL) |
if (pw0 != NULL) |
| pw_delref(pw0); |
pw_delref(pw0); |
| |
|
| return matched; | debug_return_bool(matched); |
| } |
} |
| |
|
| /* |
/* |
| * Returns TRUE if "host" and "user" belong to the netgroup "netgr", | * Returns true if "host" and "user" belong to the netgroup "netgr", |
| * else return FALSE. Either of "host", "shost" or "user" may be NULL | * else return false. Either of "host", "shost" or "user" may be NULL |
| * in which case that argument is not checked... |
* in which case that argument is not checked... |
| * |
* |
| * XXX - swap order of host & shost |
* XXX - swap order of host & shost |
| */ |
*/ |
| int | bool |
| netgr_matches(char *netgr, char *lhost, char *shost, char *user) |
netgr_matches(char *netgr, char *lhost, char *shost, char *user) |
| { |
{ |
| static char *domain; |
static char *domain; |
| #ifdef HAVE_GETDOMAINNAME |
#ifdef HAVE_GETDOMAINNAME |
| static int initialized; |
static int initialized; |
| #endif |
#endif |
| |
debug_decl(netgr_matches, SUDO_DEBUG_MATCH) |
| |
|
| /* make sure we have a valid netgroup, sudo style */ |
/* make sure we have a valid netgroup, sudo style */ |
| if (*netgr++ != '+') |
if (*netgr++ != '+') |
| return FALSE; | debug_return_bool(false); |
| |
|
| #ifdef HAVE_GETDOMAINNAME |
#ifdef HAVE_GETDOMAINNAME |
| /* get the domain name (if any) */ |
/* get the domain name (if any) */ |
|
Line 719 netgr_matches(char *netgr, char *lhost, char *shost, c
|
Line 739 netgr_matches(char *netgr, char *lhost, char *shost, c
|
| |
|
| #ifdef HAVE_INNETGR |
#ifdef HAVE_INNETGR |
| if (innetgr(netgr, lhost, user, domain)) |
if (innetgr(netgr, lhost, user, domain)) |
| return TRUE; | debug_return_bool(true); |
| else if (lhost != shost && innetgr(netgr, shost, user, domain)) |
else if (lhost != shost && innetgr(netgr, shost, user, domain)) |
| return TRUE; | debug_return_bool(true); |
| #endif /* HAVE_INNETGR */ |
#endif /* HAVE_INNETGR */ |
| |
|
| return FALSE; | debug_return_bool(false); |
| } |
} |
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to match.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / sudo / plugins / sudoers