version 1.1, 2012/02/21 16:23:02
|
version 1.1.1.2, 2012/05/29 12:26:49
|
Line 1
|
Line 1
|
/* |
/* |
* Copyright (c) 1996, 1998-2005, 2007-2011 | * Copyright (c) 1996, 1998-2005, 2007-2012 |
* Todd C. Miller <Todd.Miller@courtesan.com> |
* Todd C. Miller <Todd.Miller@courtesan.com> |
* |
* |
* Permission to use, copy, modify, and distribute this software for any |
* Permission to use, copy, modify, and distribute this software for any |
Line 47
|
Line 47
|
#ifdef HAVE_FNMATCH |
#ifdef HAVE_FNMATCH |
# include <fnmatch.h> |
# include <fnmatch.h> |
#endif /* HAVE_FNMATCH */ |
#endif /* HAVE_FNMATCH */ |
#ifdef HAVE_EXTENDED_GLOB | #ifdef HAVE_GLOB |
# include <glob.h> |
# include <glob.h> |
#endif /* HAVE_EXTENDED_GLOB */ | #endif /* HAVE_GLOB */ |
#ifdef HAVE_NETGROUP_H |
#ifdef HAVE_NETGROUP_H |
# include <netgroup.h> |
# include <netgroup.h> |
#endif /* HAVE_NETGROUP_H */ |
#endif /* HAVE_NETGROUP_H */ |
Line 81
|
Line 81
|
#ifndef HAVE_FNMATCH |
#ifndef HAVE_FNMATCH |
# include "compat/fnmatch.h" |
# include "compat/fnmatch.h" |
#endif /* HAVE_FNMATCH */ |
#endif /* HAVE_FNMATCH */ |
#ifndef HAVE_EXTENDED_GLOB | #ifndef HAVE_GLOB |
# include "compat/glob.h" |
# include "compat/glob.h" |
#endif /* HAVE_EXTENDED_GLOB */ | #endif /* HAVE_GLOB */ |
|
|
static struct member_list empty; |
static struct member_list empty; |
|
|
static int command_matches_dir(char *, size_t); | static bool command_matches_dir(char *, size_t); |
static int command_matches_glob(char *, char *); | static bool command_matches_glob(char *, char *); |
static int command_matches_fnmatch(char *, char *); | static bool command_matches_fnmatch(char *, char *); |
static int command_matches_normal(char *, char *); | static bool command_matches_normal(char *, char *); |
|
|
/* |
/* |
* Returns TRUE if string 's' contains meta characters. | * Returns true if string 's' contains meta characters. |
*/ |
*/ |
#define has_meta(s) (strpbrk(s, "\\?*[]") != NULL) |
#define has_meta(s) (strpbrk(s, "\\?*[]") != NULL) |
|
|
Line 107 _userlist_matches(struct passwd *pw, struct member_lis
|
Line 107 _userlist_matches(struct passwd *pw, struct member_lis
|
struct member *m; |
struct member *m; |
struct alias *a; |
struct alias *a; |
int rval, matched = UNSPEC; |
int rval, matched = UNSPEC; |
|
debug_decl(_userlist_matches, SUDO_DEBUG_MATCH) |
|
|
tq_foreach_rev(list, m) { |
tq_foreach_rev(list, m) { |
switch (m->type) { |
switch (m->type) { |
Line 137 _userlist_matches(struct passwd *pw, struct member_lis
|
Line 138 _userlist_matches(struct passwd *pw, struct member_lis
|
if (matched != UNSPEC) |
if (matched != UNSPEC) |
break; |
break; |
} |
} |
return matched; | debug_return_bool(matched); |
} |
} |
|
|
int |
int |
Line 160 _runaslist_matches(struct member_list *user_list, stru
|
Line 161 _runaslist_matches(struct member_list *user_list, stru
|
int rval; |
int rval; |
int user_matched = UNSPEC; |
int user_matched = UNSPEC; |
int group_matched = UNSPEC; |
int group_matched = UNSPEC; |
|
debug_decl(_runaslist_matches, SUDO_DEBUG_MATCH) |
|
|
if (runas_pw != NULL) { |
if (runas_pw != NULL) { |
/* If no runas user or runas group listed in sudoers, use default. */ |
/* If no runas user or runas group listed in sudoers, use default. */ |
if (tq_empty(user_list) && tq_empty(group_list)) |
if (tq_empty(user_list) && tq_empty(group_list)) |
return userpw_matches(def_runas_default, runas_pw->pw_name, runas_pw); | debug_return_int(userpw_matches(def_runas_default, runas_pw->pw_name, runas_pw)); |
|
|
tq_foreach_rev(user_list, m) { |
tq_foreach_rev(user_list, m) { |
switch (m->type) { |
switch (m->type) { |
Line 230 _runaslist_matches(struct member_list *user_list, stru
|
Line 232 _runaslist_matches(struct member_list *user_list, stru
|
} |
} |
|
|
if (user_matched == DENY || group_matched == DENY) |
if (user_matched == DENY || group_matched == DENY) |
return DENY; | debug_return_int(DENY); |
if (user_matched == group_matched || runas_gr == NULL) |
if (user_matched == group_matched || runas_gr == NULL) |
return user_matched; | debug_return_int(user_matched); |
return UNSPEC; | debug_return_int(UNSPEC); |
} |
} |
|
|
int |
int |
Line 254 _hostlist_matches(struct member_list *list)
|
Line 256 _hostlist_matches(struct member_list *list)
|
struct member *m; |
struct member *m; |
struct alias *a; |
struct alias *a; |
int rval, matched = UNSPEC; |
int rval, matched = UNSPEC; |
|
debug_decl(_hostlist_matches, SUDO_DEBUG_MATCH) |
|
|
tq_foreach_rev(list, m) { |
tq_foreach_rev(list, m) { |
switch (m->type) { |
switch (m->type) { |
Line 284 _hostlist_matches(struct member_list *list)
|
Line 287 _hostlist_matches(struct member_list *list)
|
if (matched != UNSPEC) |
if (matched != UNSPEC) |
break; |
break; |
} |
} |
return matched; | debug_return_bool(matched); |
} |
} |
|
|
int |
int |
Line 303 _cmndlist_matches(struct member_list *list)
|
Line 306 _cmndlist_matches(struct member_list *list)
|
{ |
{ |
struct member *m; |
struct member *m; |
int matched = UNSPEC; |
int matched = UNSPEC; |
|
debug_decl(_cmndlist_matches, SUDO_DEBUG_MATCH) |
|
|
tq_foreach_rev(list, m) { |
tq_foreach_rev(list, m) { |
matched = cmnd_matches(m); |
matched = cmnd_matches(m); |
if (matched != UNSPEC) |
if (matched != UNSPEC) |
break; |
break; |
} |
} |
return matched; | debug_return_bool(matched); |
} |
} |
|
|
int |
int |
Line 329 cmnd_matches(struct member *m)
|
Line 333 cmnd_matches(struct member *m)
|
struct alias *a; |
struct alias *a; |
struct sudo_command *c; |
struct sudo_command *c; |
int rval, matched = UNSPEC; |
int rval, matched = UNSPEC; |
|
debug_decl(cmnd_matches, SUDO_DEBUG_MATCH) |
|
|
switch (m->type) { |
switch (m->type) { |
case ALL: |
case ALL: |
Line 348 cmnd_matches(struct member *m)
|
Line 353 cmnd_matches(struct member *m)
|
matched = !m->negated; |
matched = !m->negated; |
break; |
break; |
} |
} |
return matched; | debug_return_bool(matched); |
} |
} |
|
|
static int | static bool |
command_args_match(sudoers_cmnd, sudoers_args) |
command_args_match(sudoers_cmnd, sudoers_args) |
char *sudoers_cmnd; |
char *sudoers_cmnd; |
char *sudoers_args; |
char *sudoers_args; |
{ |
{ |
int flags = 0; |
int flags = 0; |
|
debug_decl(command_args_match, SUDO_DEBUG_MATCH) |
|
|
/* |
/* |
* If no args specified in sudoers, any user args are allowed. |
* If no args specified in sudoers, any user args are allowed. |
Line 364 command_args_match(sudoers_cmnd, sudoers_args)
|
Line 370 command_args_match(sudoers_cmnd, sudoers_args)
|
*/ |
*/ |
if (!sudoers_args || |
if (!sudoers_args || |
(!user_args && sudoers_args && !strcmp("\"\"", sudoers_args))) |
(!user_args && sudoers_args && !strcmp("\"\"", sudoers_args))) |
return TRUE; | debug_return_bool(true); |
/* |
/* |
* If args are specified in sudoers, they must match the user args. |
* If args are specified in sudoers, they must match the user args. |
* If running as sudoedit, all args are assumed to be paths. |
* If running as sudoedit, all args are assumed to be paths. |
Line 374 command_args_match(sudoers_cmnd, sudoers_args)
|
Line 380 command_args_match(sudoers_cmnd, sudoers_args)
|
if (strcmp(sudoers_cmnd, "sudoedit") == 0) |
if (strcmp(sudoers_cmnd, "sudoedit") == 0) |
flags = FNM_PATHNAME; |
flags = FNM_PATHNAME; |
if (fnmatch(sudoers_args, user_args ? user_args : "", flags) == 0) |
if (fnmatch(sudoers_args, user_args ? user_args : "", flags) == 0) |
return TRUE; | debug_return_bool(true); |
} |
} |
return FALSE; | debug_return_bool(false); |
} |
} |
|
|
/* |
/* |
* If path doesn't end in /, return TRUE iff cmnd & path name the same inode; | * If path doesn't end in /, return true iff cmnd & path name the same inode; |
* otherwise, return TRUE if user_cmnd names one of the inodes in path. | * otherwise, return true if user_cmnd names one of the inodes in path. |
*/ |
*/ |
int | bool |
command_matches(char *sudoers_cmnd, char *sudoers_args) |
command_matches(char *sudoers_cmnd, char *sudoers_args) |
{ |
{ |
|
debug_decl(command_matches, SUDO_DEBUG_MATCH) |
|
|
/* Check for pseudo-commands */ |
/* Check for pseudo-commands */ |
if (sudoers_cmnd[0] != '/') { |
if (sudoers_cmnd[0] != '/') { |
/* |
/* |
Line 396 command_matches(char *sudoers_cmnd, char *sudoers_args
|
Line 404 command_matches(char *sudoers_cmnd, char *sudoers_args
|
*/ |
*/ |
if (strcmp(sudoers_cmnd, "sudoedit") != 0 || |
if (strcmp(sudoers_cmnd, "sudoedit") != 0 || |
strcmp(user_cmnd, "sudoedit") != 0) |
strcmp(user_cmnd, "sudoedit") != 0) |
return FALSE; | debug_return_bool(false); |
if (command_args_match(sudoers_cmnd, sudoers_args)) { |
if (command_args_match(sudoers_cmnd, sudoers_args)) { |
efree(safe_cmnd); |
efree(safe_cmnd); |
safe_cmnd = estrdup(sudoers_cmnd); |
safe_cmnd = estrdup(sudoers_cmnd); |
return TRUE; | debug_return_bool(true); |
} else |
} else |
return FALSE; | debug_return_bool(false); |
} |
} |
|
|
if (has_meta(sudoers_cmnd)) { |
if (has_meta(sudoers_cmnd)) { |
Line 411 command_matches(char *sudoers_cmnd, char *sudoers_args
|
Line 419 command_matches(char *sudoers_cmnd, char *sudoers_args
|
* use glob(3) and/or fnmatch(3) to do the matching. |
* use glob(3) and/or fnmatch(3) to do the matching. |
*/ |
*/ |
if (def_fast_glob) |
if (def_fast_glob) |
return command_matches_fnmatch(sudoers_cmnd, sudoers_args); | debug_return_bool(command_matches_fnmatch(sudoers_cmnd, sudoers_args)); |
return command_matches_glob(sudoers_cmnd, sudoers_args); | debug_return_bool(command_matches_glob(sudoers_cmnd, sudoers_args)); |
} |
} |
return command_matches_normal(sudoers_cmnd, sudoers_args); | debug_return_bool(command_matches_normal(sudoers_cmnd, sudoers_args)); |
} |
} |
|
|
static int | static bool |
command_matches_fnmatch(char *sudoers_cmnd, char *sudoers_args) |
command_matches_fnmatch(char *sudoers_cmnd, char *sudoers_args) |
{ |
{ |
|
debug_decl(command_matches_fnmatch, SUDO_DEBUG_MATCH) |
|
|
/* |
/* |
* Return true if fnmatch(3) succeeds AND |
* Return true if fnmatch(3) succeeds AND |
* a) there are no args in sudoers OR |
* a) there are no args in sudoers OR |
Line 428 command_matches_fnmatch(char *sudoers_cmnd, char *sudo
|
Line 438 command_matches_fnmatch(char *sudoers_cmnd, char *sudo
|
* else return false. |
* else return false. |
*/ |
*/ |
if (fnmatch(sudoers_cmnd, user_cmnd, FNM_PATHNAME) != 0) |
if (fnmatch(sudoers_cmnd, user_cmnd, FNM_PATHNAME) != 0) |
return FALSE; | debug_return_bool(false); |
if (command_args_match(sudoers_cmnd, sudoers_args)) { |
if (command_args_match(sudoers_cmnd, sudoers_args)) { |
if (safe_cmnd) |
if (safe_cmnd) |
free(safe_cmnd); |
free(safe_cmnd); |
safe_cmnd = estrdup(user_cmnd); |
safe_cmnd = estrdup(user_cmnd); |
return TRUE; | debug_return_bool(true); |
} else | } |
return FALSE; | debug_return_bool(false); |
} |
} |
|
|
static int | static bool |
command_matches_glob(char *sudoers_cmnd, char *sudoers_args) |
command_matches_glob(char *sudoers_cmnd, char *sudoers_args) |
{ |
{ |
struct stat sudoers_stat; |
struct stat sudoers_stat; |
size_t dlen; |
size_t dlen; |
char **ap, *base, *cp; |
char **ap, *base, *cp; |
glob_t gl; |
glob_t gl; |
|
debug_decl(command_matches_glob, SUDO_DEBUG_MATCH) |
|
|
/* |
/* |
* First check to see if we can avoid the call to glob(3). |
* First check to see if we can avoid the call to glob(3). |
Line 456 command_matches_glob(char *sudoers_cmnd, char *sudoers
|
Line 467 command_matches_glob(char *sudoers_cmnd, char *sudoers
|
if ((base = strrchr(sudoers_cmnd, '/')) != NULL) { |
if ((base = strrchr(sudoers_cmnd, '/')) != NULL) { |
base++; |
base++; |
if (!has_meta(base) && strcmp(user_base, base) != 0) |
if (!has_meta(base) && strcmp(user_base, base) != 0) |
return FALSE; | debug_return_bool(false); |
} |
} |
} |
} |
/* |
/* |
Line 466 command_matches_glob(char *sudoers_cmnd, char *sudoers
|
Line 477 command_matches_glob(char *sudoers_cmnd, char *sudoers
|
* c) there are args in sudoers and on command line and they match |
* c) there are args in sudoers and on command line and they match |
* else return false. |
* else return false. |
*/ |
*/ |
#define GLOB_FLAGS (GLOB_NOSORT | GLOB_MARK | GLOB_BRACE | GLOB_TILDE) | if (glob(sudoers_cmnd, GLOB_NOSORT, NULL, &gl) != 0 || gl.gl_pathc == 0) { |
if (glob(sudoers_cmnd, GLOB_FLAGS, NULL, &gl) != 0 || gl.gl_pathc == 0) { | |
globfree(&gl); |
globfree(&gl); |
return FALSE; | debug_return_bool(false); |
} |
} |
/* For each glob match, compare basename, st_dev and st_ino. */ |
/* For each glob match, compare basename, st_dev and st_ino. */ |
for (ap = gl.gl_pathv; (cp = *ap) != NULL; ap++) { |
for (ap = gl.gl_pathv; (cp = *ap) != NULL; ap++) { |
Line 477 command_matches_glob(char *sudoers_cmnd, char *sudoers
|
Line 487 command_matches_glob(char *sudoers_cmnd, char *sudoers
|
dlen = strlen(cp); |
dlen = strlen(cp); |
if (cp[dlen - 1] == '/') { |
if (cp[dlen - 1] == '/') { |
if (command_matches_dir(cp, dlen)) |
if (command_matches_dir(cp, dlen)) |
return TRUE; | debug_return_bool(true); |
continue; |
continue; |
} |
} |
|
|
Line 499 command_matches_glob(char *sudoers_cmnd, char *sudoers
|
Line 509 command_matches_glob(char *sudoers_cmnd, char *sudoers
|
} |
} |
globfree(&gl); |
globfree(&gl); |
if (cp == NULL) |
if (cp == NULL) |
return FALSE; | debug_return_bool(false); |
|
|
if (command_args_match(sudoers_cmnd, sudoers_args)) { |
if (command_args_match(sudoers_cmnd, sudoers_args)) { |
efree(safe_cmnd); |
efree(safe_cmnd); |
safe_cmnd = estrdup(user_cmnd); |
safe_cmnd = estrdup(user_cmnd); |
return TRUE; | debug_return_bool(true); |
} |
} |
return FALSE; | debug_return_bool(false); |
} |
} |
|
|
static int | static bool |
command_matches_normal(char *sudoers_cmnd, char *sudoers_args) |
command_matches_normal(char *sudoers_cmnd, char *sudoers_args) |
{ |
{ |
struct stat sudoers_stat; |
struct stat sudoers_stat; |
char *base; |
char *base; |
size_t dlen; |
size_t dlen; |
|
debug_decl(command_matches_normal, SUDO_DEBUG_MATCH) |
|
|
/* If it ends in '/' it is a directory spec. */ |
/* If it ends in '/' it is a directory spec. */ |
dlen = strlen(sudoers_cmnd); |
dlen = strlen(sudoers_cmnd); |
if (sudoers_cmnd[dlen - 1] == '/') |
if (sudoers_cmnd[dlen - 1] == '/') |
return command_matches_dir(sudoers_cmnd, dlen); | debug_return_bool(command_matches_dir(sudoers_cmnd, dlen)); |
|
|
/* Only proceed if user_base and basename(sudoers_cmnd) match */ |
/* Only proceed if user_base and basename(sudoers_cmnd) match */ |
if ((base = strrchr(sudoers_cmnd, '/')) == NULL) |
if ((base = strrchr(sudoers_cmnd, '/')) == NULL) |
Line 528 command_matches_normal(char *sudoers_cmnd, char *sudoe
|
Line 539 command_matches_normal(char *sudoers_cmnd, char *sudoe
|
base++; |
base++; |
if (strcmp(user_base, base) != 0 || |
if (strcmp(user_base, base) != 0 || |
stat(sudoers_cmnd, &sudoers_stat) == -1) |
stat(sudoers_cmnd, &sudoers_stat) == -1) |
return FALSE; | debug_return_bool(false); |
|
|
/* |
/* |
* Return true if inode/device matches AND |
* Return true if inode/device matches AND |
Line 539 command_matches_normal(char *sudoers_cmnd, char *sudoe
|
Line 550 command_matches_normal(char *sudoers_cmnd, char *sudoe
|
if (user_stat != NULL && |
if (user_stat != NULL && |
(user_stat->st_dev != sudoers_stat.st_dev || |
(user_stat->st_dev != sudoers_stat.st_dev || |
user_stat->st_ino != sudoers_stat.st_ino)) |
user_stat->st_ino != sudoers_stat.st_ino)) |
return FALSE; | debug_return_bool(false); |
if (command_args_match(sudoers_cmnd, sudoers_args)) { |
if (command_args_match(sudoers_cmnd, sudoers_args)) { |
efree(safe_cmnd); |
efree(safe_cmnd); |
safe_cmnd = estrdup(sudoers_cmnd); |
safe_cmnd = estrdup(sudoers_cmnd); |
return TRUE; | debug_return_bool(true); |
} |
} |
return FALSE; | debug_return_bool(false); |
} |
} |
|
|
/* |
/* |
* Return TRUE if user_cmnd names one of the inodes in dir, else FALSE. | * Return true if user_cmnd names one of the inodes in dir, else false. |
*/ |
*/ |
static int | static bool |
command_matches_dir(char *sudoers_dir, size_t dlen) |
command_matches_dir(char *sudoers_dir, size_t dlen) |
{ |
{ |
struct stat sudoers_stat; |
struct stat sudoers_stat; |
struct dirent *dent; |
struct dirent *dent; |
char buf[PATH_MAX]; |
char buf[PATH_MAX]; |
DIR *dirp; |
DIR *dirp; |
|
debug_decl(command_matches_dir, SUDO_DEBUG_MATCH) |
|
|
/* |
/* |
* Grot through directory entries, looking for user_base. |
* Grot through directory entries, looking for user_base. |
*/ |
*/ |
dirp = opendir(sudoers_dir); |
dirp = opendir(sudoers_dir); |
if (dirp == NULL) |
if (dirp == NULL) |
return FALSE; | debug_return_bool(false); |
|
|
if (strlcpy(buf, sudoers_dir, sizeof(buf)) >= sizeof(buf)) { |
if (strlcpy(buf, sudoers_dir, sizeof(buf)) >= sizeof(buf)) { |
closedir(dirp); |
closedir(dirp); |
return FALSE; | debug_return_bool(false); |
} |
} |
while ((dent = readdir(dirp)) != NULL) { |
while ((dent = readdir(dirp)) != NULL) { |
/* ignore paths > PATH_MAX (XXX - log) */ |
/* ignore paths > PATH_MAX (XXX - log) */ |
Line 590 command_matches_dir(char *sudoers_dir, size_t dlen)
|
Line 602 command_matches_dir(char *sudoers_dir, size_t dlen)
|
} |
} |
|
|
closedir(dirp); |
closedir(dirp); |
return dent != NULL; | debug_return_bool(dent != NULL); |
} |
} |
|
|
/* |
/* |
* Returns TRUE if the hostname matches the pattern, else FALSE | * Returns true if the hostname matches the pattern, else false |
*/ |
*/ |
int | bool |
hostname_matches(char *shost, char *lhost, char *pattern) |
hostname_matches(char *shost, char *lhost, char *pattern) |
{ |
{ |
|
debug_decl(hostname_matches, SUDO_DEBUG_MATCH) |
|
|
if (has_meta(pattern)) { |
if (has_meta(pattern)) { |
if (strchr(pattern, '.')) |
if (strchr(pattern, '.')) |
return !fnmatch(pattern, lhost, FNM_CASEFOLD); | debug_return_bool(!fnmatch(pattern, lhost, FNM_CASEFOLD)); |
else |
else |
return !fnmatch(pattern, shost, FNM_CASEFOLD); | debug_return_bool(!fnmatch(pattern, shost, FNM_CASEFOLD)); |
} else { |
} else { |
if (strchr(pattern, '.')) |
if (strchr(pattern, '.')) |
return !strcasecmp(lhost, pattern); | debug_return_bool(!strcasecmp(lhost, pattern)); |
else |
else |
return !strcasecmp(shost, pattern); | debug_return_bool(!strcasecmp(shost, pattern)); |
} |
} |
} |
} |
|
|
/* |
/* |
* Returns TRUE if the user/uid from sudoers matches the specified user/uid, | * Returns true if the user/uid from sudoers matches the specified user/uid, |
* else returns FALSE. | * else returns false. |
*/ |
*/ |
int | bool |
userpw_matches(char *sudoers_user, char *user, struct passwd *pw) |
userpw_matches(char *sudoers_user, char *user, struct passwd *pw) |
{ |
{ |
|
debug_decl(userpw_matches, SUDO_DEBUG_MATCH) |
|
|
if (pw != NULL && *sudoers_user == '#') { |
if (pw != NULL && *sudoers_user == '#') { |
uid_t uid = (uid_t) atoi(sudoers_user + 1); |
uid_t uid = (uid_t) atoi(sudoers_user + 1); |
if (uid == pw->pw_uid) |
if (uid == pw->pw_uid) |
return TRUE; | debug_return_bool(true); |
} |
} |
return strcmp(sudoers_user, user) == 0; | debug_return_bool(strcmp(sudoers_user, user) == 0); |
} |
} |
|
|
/* |
/* |
* Returns TRUE if the group/gid from sudoers matches the specified group/gid, | * Returns true if the group/gid from sudoers matches the specified group/gid, |
* else returns FALSE. | * else returns false. |
*/ |
*/ |
int | bool |
group_matches(char *sudoers_group, struct group *gr) |
group_matches(char *sudoers_group, struct group *gr) |
{ |
{ |
|
debug_decl(group_matches, SUDO_DEBUG_MATCH) |
|
|
if (*sudoers_group == '#') { |
if (*sudoers_group == '#') { |
gid_t gid = (gid_t) atoi(sudoers_group + 1); |
gid_t gid = (gid_t) atoi(sudoers_group + 1); |
if (gid == gr->gr_gid) |
if (gid == gr->gr_gid) |
return TRUE; | debug_return_bool(true); |
} |
} |
return strcmp(gr->gr_name, sudoers_group) == 0; | debug_return_bool(strcmp(gr->gr_name, sudoers_group) == 0); |
} |
} |
|
|
/* |
/* |
* Returns TRUE if the given user belongs to the named group, | * Returns true if the given user belongs to the named group, |
* else returns FALSE. | * else returns false. |
*/ |
*/ |
int | bool |
usergr_matches(char *group, char *user, struct passwd *pw) |
usergr_matches(char *group, char *user, struct passwd *pw) |
{ |
{ |
int matched = FALSE; | int matched = false; |
struct passwd *pw0 = NULL; |
struct passwd *pw0 = NULL; |
|
debug_decl(usergr_matches, SUDO_DEBUG_MATCH) |
|
|
/* make sure we have a valid usergroup, sudo style */ |
/* make sure we have a valid usergroup, sudo style */ |
if (*group++ != '%') |
if (*group++ != '%') |
Line 669 usergr_matches(char *group, char *user, struct passwd
|
Line 688 usergr_matches(char *group, char *user, struct passwd
|
} |
} |
|
|
if (user_in_group(pw, group)) { |
if (user_in_group(pw, group)) { |
matched = TRUE; | matched = true; |
goto done; |
goto done; |
} |
} |
|
|
/* not a Unix group, could be an external group */ |
/* not a Unix group, could be an external group */ |
if (def_group_plugin && group_plugin_query(user, group, pw)) { |
if (def_group_plugin && group_plugin_query(user, group, pw)) { |
matched = TRUE; | matched = true; |
goto done; |
goto done; |
} |
} |
|
|
Line 683 done:
|
Line 702 done:
|
if (pw0 != NULL) |
if (pw0 != NULL) |
pw_delref(pw0); |
pw_delref(pw0); |
|
|
return matched; | debug_return_bool(matched); |
} |
} |
|
|
/* |
/* |
* Returns TRUE if "host" and "user" belong to the netgroup "netgr", | * Returns true if "host" and "user" belong to the netgroup "netgr", |
* else return FALSE. Either of "host", "shost" or "user" may be NULL | * else return false. Either of "host", "shost" or "user" may be NULL |
* in which case that argument is not checked... |
* in which case that argument is not checked... |
* |
* |
* XXX - swap order of host & shost |
* XXX - swap order of host & shost |
*/ |
*/ |
int | bool |
netgr_matches(char *netgr, char *lhost, char *shost, char *user) |
netgr_matches(char *netgr, char *lhost, char *shost, char *user) |
{ |
{ |
static char *domain; |
static char *domain; |
#ifdef HAVE_GETDOMAINNAME |
#ifdef HAVE_GETDOMAINNAME |
static int initialized; |
static int initialized; |
#endif |
#endif |
|
debug_decl(netgr_matches, SUDO_DEBUG_MATCH) |
|
|
/* make sure we have a valid netgroup, sudo style */ |
/* make sure we have a valid netgroup, sudo style */ |
if (*netgr++ != '+') |
if (*netgr++ != '+') |
return FALSE; | debug_return_bool(false); |
|
|
#ifdef HAVE_GETDOMAINNAME |
#ifdef HAVE_GETDOMAINNAME |
/* get the domain name (if any) */ |
/* get the domain name (if any) */ |
Line 719 netgr_matches(char *netgr, char *lhost, char *shost, c
|
Line 739 netgr_matches(char *netgr, char *lhost, char *shost, c
|
|
|
#ifdef HAVE_INNETGR |
#ifdef HAVE_INNETGR |
if (innetgr(netgr, lhost, user, domain)) |
if (innetgr(netgr, lhost, user, domain)) |
return TRUE; | debug_return_bool(true); |
else if (lhost != shost && innetgr(netgr, shost, user, domain)) |
else if (lhost != shost && innetgr(netgr, shost, user, domain)) |
return TRUE; | debug_return_bool(true); |
#endif /* HAVE_INNETGR */ |
#endif /* HAVE_INNETGR */ |
|
|
return FALSE; | debug_return_bool(false); |
} |
} |