version 1.1.1.1, 2012/02/21 16:23:02
|
version 1.1.1.3, 2012/10/09 09:29:52
|
Line 1
|
Line 1
|
/* |
/* |
* Copyright (c) 2004-2005, 2007-2011 Todd C. Miller <Todd.Miller@courtesan.com> | * Copyright (c) 2004-2005, 2007-2012 Todd C. Miller <Todd.Miller@courtesan.com> |
* |
* |
* Permission to use, copy, modify, and distribute this software for any |
* Permission to use, copy, modify, and distribute this software for any |
* purpose with or without fee is hereby granted, provided that the above |
* purpose with or without fee is hereby granted, provided that the above |
Line 70 struct sudo_nss sudo_nss_file = {
|
Line 70 struct sudo_nss sudo_nss_file = {
|
*/ |
*/ |
extern FILE *yyin; |
extern FILE *yyin; |
extern char *errorfile; |
extern char *errorfile; |
extern int errorlineno, parse_error; | extern int errorlineno; |
| extern bool parse_error; |
|
|
/* |
/* |
* Local prototypes. |
* Local prototypes. |
Line 81 static int display_bound_defaults(int, struct lbuf *);
|
Line 82 static int display_bound_defaults(int, struct lbuf *);
|
int |
int |
sudo_file_open(struct sudo_nss *nss) |
sudo_file_open(struct sudo_nss *nss) |
{ |
{ |
|
debug_decl(sudo_file_open, SUDO_DEBUG_NSS) |
|
|
if (def_ignore_local_sudoers) |
if (def_ignore_local_sudoers) |
return -1; | debug_return_int(-1); |
nss->handle = open_sudoers(sudoers_file, FALSE, NULL); | nss->handle = open_sudoers(sudoers_file, false, NULL); |
return nss->handle ? 0 : -1; | debug_return_int(nss->handle ? 0 : -1); |
} |
} |
|
|
int |
int |
sudo_file_close(struct sudo_nss *nss) |
sudo_file_close(struct sudo_nss *nss) |
{ |
{ |
|
debug_decl(sudo_file_close, SUDO_DEBUG_NSS) |
|
|
/* Free parser data structures and close sudoers file. */ |
/* Free parser data structures and close sudoers file. */ |
init_parser(NULL, 0); | init_parser(NULL, false); |
if (nss->handle != NULL) { |
if (nss->handle != NULL) { |
fclose(nss->handle); |
fclose(nss->handle); |
nss->handle = NULL; |
nss->handle = NULL; |
yyin = NULL; |
yyin = NULL; |
} |
} |
return 0; | debug_return_int(0); |
} |
} |
|
|
/* |
/* |
Line 106 sudo_file_close(struct sudo_nss *nss)
|
Line 111 sudo_file_close(struct sudo_nss *nss)
|
int |
int |
sudo_file_parse(struct sudo_nss *nss) |
sudo_file_parse(struct sudo_nss *nss) |
{ |
{ |
|
debug_decl(sudo_file_close, SUDO_DEBUG_NSS) |
|
|
if (nss->handle == NULL) |
if (nss->handle == NULL) |
return -1; | debug_return_int(-1); |
|
|
init_parser(sudoers_file, 0); | init_parser(sudoers_file, false); |
yyin = nss->handle; |
yyin = nss->handle; |
if (yyparse() != 0 || parse_error) { |
if (yyparse() != 0 || parse_error) { |
log_error(NO_EXIT, _("parse error in %s near line %d"), | if (errorlineno != -1) { |
errorfile, errorlineno); | log_error(0, _("parse error in %s near line %d"), |
return -1; | errorfile, errorlineno); |
| } else { |
| log_error(0, _("parse error in %s"), errorfile); |
| } |
| debug_return_int(-1); |
} |
} |
return 0; | debug_return_int(0); |
} |
} |
|
|
/* |
/* |
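Review bot: The tracing declaration added at the top of sudo_file_parse names the wrong function — `debug_decl(sudo_file_close, SUDO_DEBUG_NSS)` — so debug output from the parse path will be attributed to sudo_file_close; it should read `debug_decl(sudo_file_parse, SUDO_DEBUG_NSS)`. What looks like the same copy-paste slip appears in the sudo_file_display_privs hunk further down, whose declaration reads `debug_decl(sudo_file_display_priv, SUDO_DEBUG_NSS)` rather than `sudo_file_display_privs`. Neither affects control flow, but both will mislead anyone tracing a sudoers parse or display failure through the new debug output.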
Line 125 sudo_file_parse(struct sudo_nss *nss)
|
Line 136 sudo_file_parse(struct sudo_nss *nss)
|
int |
int |
sudo_file_setdefs(struct sudo_nss *nss) |
sudo_file_setdefs(struct sudo_nss *nss) |
{ |
{ |
|
debug_decl(sudo_file_setdefs, SUDO_DEBUG_NSS) |
|
|
if (nss->handle == NULL) |
if (nss->handle == NULL) |
return -1; | debug_return_int(-1); |
|
|
if (!update_defaults(SETDEF_GENERIC|SETDEF_HOST|SETDEF_USER)) |
if (!update_defaults(SETDEF_GENERIC|SETDEF_HOST|SETDEF_USER)) |
return -1; | debug_return_int(-1); |
return 0; | debug_return_int(0); |
} |
} |
|
|
/* |
/* |
Line 145 sudo_file_lookup(struct sudo_nss *nss, int validated,
|
Line 158 sudo_file_lookup(struct sudo_nss *nss, int validated,
|
struct cmndtag *tags = NULL; |
struct cmndtag *tags = NULL; |
struct privilege *priv; |
struct privilege *priv; |
struct userspec *us; |
struct userspec *us; |
|
struct member *matching_user; |
|
debug_decl(sudo_file_lookup, SUDO_DEBUG_NSS) |
|
|
if (nss->handle == NULL) |
if (nss->handle == NULL) |
return validated; | debug_return_int(validated); |
|
|
/* |
/* |
* Only check the actual command if pwflag is not set. |
* Only check the actual command if pwflag is not set. |
Line 159 sudo_file_lookup(struct sudo_nss *nss, int validated,
|
Line 174 sudo_file_lookup(struct sudo_nss *nss, int validated,
|
enum def_tuple pwcheck; |
enum def_tuple pwcheck; |
|
|
pwcheck = (pwflag == -1) ? never : sudo_defs_table[pwflag].sd_un.tuple; |
pwcheck = (pwflag == -1) ? never : sudo_defs_table[pwflag].sd_un.tuple; |
nopass = (pwcheck == all) ? TRUE : FALSE; | nopass = (pwcheck == all) ? true : false; |
|
|
if (list_pw == NULL) |
if (list_pw == NULL) |
SET(validated, FLAG_NO_CHECK); |
SET(validated, FLAG_NO_CHECK); |
Line 178 sudo_file_lookup(struct sudo_nss *nss, int validated,
|
Line 193 sudo_file_lookup(struct sudo_nss *nss, int validated,
|
user_uid == list_pw->pw_uid || |
user_uid == list_pw->pw_uid || |
cmnd_matches(cs->cmnd) == ALLOW) |
cmnd_matches(cs->cmnd) == ALLOW) |
match = ALLOW; |
match = ALLOW; |
if ((pwcheck == any && cs->tags.nopasswd == TRUE) || | if ((pwcheck == any && cs->tags.nopasswd == true) || |
(pwcheck == all && cs->tags.nopasswd != TRUE)) | (pwcheck == all && cs->tags.nopasswd != true)) |
nopass = cs->tags.nopasswd; |
nopass = cs->tags.nopasswd; |
} |
} |
} |
} |
Line 191 sudo_file_lookup(struct sudo_nss *nss, int validated,
|
Line 206 sudo_file_lookup(struct sudo_nss *nss, int validated,
|
SET(validated, VALIDATE_NOT_OK); |
SET(validated, VALIDATE_NOT_OK); |
if (pwcheck == always && def_authenticate) |
if (pwcheck == always && def_authenticate) |
SET(validated, FLAG_CHECK_USER); |
SET(validated, FLAG_CHECK_USER); |
else if (pwcheck == never || nopass == TRUE) | else if (pwcheck == never || nopass == true) |
def_authenticate = FALSE; | def_authenticate = false; |
return validated; | debug_return_int(validated); |
} |
} |
|
|
/* Need to be runas user while stat'ing things. */ |
/* Need to be runas user while stat'ing things. */ |
Line 211 sudo_file_lookup(struct sudo_nss *nss, int validated,
|
Line 226 sudo_file_lookup(struct sudo_nss *nss, int validated,
|
else |
else |
continue; |
continue; |
tq_foreach_rev(&priv->cmndlist, cs) { |
tq_foreach_rev(&priv->cmndlist, cs) { |
|
matching_user = NULL; |
runas_match = runaslist_matches(&cs->runasuserlist, |
runas_match = runaslist_matches(&cs->runasuserlist, |
&cs->runasgrouplist); | &cs->runasgrouplist, &matching_user, NULL); |
if (runas_match == ALLOW) { |
if (runas_match == ALLOW) { |
cmnd_match = cmnd_matches(cs->cmnd); |
cmnd_match = cmnd_matches(cs->cmnd); |
if (cmnd_match != UNSPEC) { |
if (cmnd_match != UNSPEC) { |
Line 225 sudo_file_lookup(struct sudo_nss *nss, int validated,
|
Line 241 sudo_file_lookup(struct sudo_nss *nss, int validated,
|
if (user_type == NULL) |
if (user_type == NULL) |
user_type = cs->type ? estrdup(cs->type) : def_type; |
user_type = cs->type ? estrdup(cs->type) : def_type; |
#endif /* HAVE_SELINUX */ |
#endif /* HAVE_SELINUX */ |
|
#ifdef HAVE_PRIV_SET |
|
/* Set Solaris privilege sets */ |
|
if (runas_privs == NULL) |
|
runas_privs = cs->privs ? estrdup(cs->privs) : def_privs; |
|
if (runas_limitprivs == NULL) |
|
runas_limitprivs = cs->limitprivs ? estrdup(cs->limitprivs) : def_limitprivs; |
|
#endif /* HAVE_PRIV_SET */ |
|
/* |
|
* If user is running command as himself, |
|
* set runas_pw = sudo_user.pw. |
|
* XXX - hack, want more general solution |
|
*/ |
|
if (matching_user && matching_user->type == MYSELF) { |
|
sudo_pw_delref(runas_pw); |
|
sudo_pw_addref(sudo_user.pw); |
|
runas_pw = sudo_user.pw; |
|
} |
goto matched2; |
goto matched2; |
} |
} |
} |
} |
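Review bot: In the new MYSELF handling inside sudo_file_lookup, `sudo_pw_delref(runas_pw)` runs before `sudo_pw_addref(sudo_user.pw)`; if runas_pw already refers to the same passwd entry as sudo_user.pw and holds its last reference, the delref could release the entry before the addref re-acquires it. Taking the new reference first is the safer order: `sudo_pw_addref(sudo_user.pw); sudo_pw_delref(runas_pw); runas_pw = sudo_user.pw;`. Whether the two pointers can alias at this point depends on how runas_pw is initialised outside this hunk, so this should be confirmed rather than assumed. sudo_file_lookup begins and ends outside this hunk.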
Line 254 sudo_file_lookup(struct sudo_nss *nss, int validated,
|
Line 287 sudo_file_lookup(struct sudo_nss *nss, int validated,
|
def_authenticate = !tags->nopasswd; |
def_authenticate = !tags->nopasswd; |
} |
} |
restore_perms(); |
restore_perms(); |
return validated; | debug_return_int(validated); |
} |
} |
|
|
#define TAG_CHANGED(t) \ |
#define TAG_CHANGED(t) \ |
Line 265 sudo_file_append_cmnd(struct cmndspec *cs, struct cmnd
|
Line 298 sudo_file_append_cmnd(struct cmndspec *cs, struct cmnd
|
struct lbuf *lbuf) |
struct lbuf *lbuf) |
{ |
{ |
struct member *m; |
struct member *m; |
|
debug_decl(sudo_file_append_cmnd, SUDO_DEBUG_NSS) |
|
|
|
#ifdef HAVE_PRIV_SET |
|
if (cs->privs) |
|
lbuf_append(lbuf, "PRIVS=\"%s\" ", cs->privs); |
|
if (cs->limitprivs) |
|
lbuf_append(lbuf, "LIMITPRIVS=\"%s\" ", cs->limitprivs); |
|
#endif /* HAVE_PRIV_SET */ |
#ifdef HAVE_SELINUX |
#ifdef HAVE_SELINUX |
if (cs->role) |
if (cs->role) |
lbuf_append(lbuf, "ROLE=%s ", cs->role); |
lbuf_append(lbuf, "ROLE=%s ", cs->role); |
Line 295 sudo_file_append_cmnd(struct cmndspec *cs, struct cmnd
|
Line 335 sudo_file_append_cmnd(struct cmndspec *cs, struct cmnd
|
m = cs->cmnd; |
m = cs->cmnd; |
print_member(lbuf, m->name, m->type, m->negated, |
print_member(lbuf, m->name, m->type, m->negated, |
CMNDALIAS); |
CMNDALIAS); |
|
debug_return; |
} |
} |
|
|
static int |
static int |
Line 306 sudo_file_display_priv_short(struct passwd *pw, struct
|
Line 347 sudo_file_display_priv_short(struct passwd *pw, struct
|
struct privilege *priv; |
struct privilege *priv; |
struct cmndtag tags; |
struct cmndtag tags; |
int nfound = 0; |
int nfound = 0; |
|
debug_decl(sudo_file_display_priv_short, SUDO_DEBUG_NSS) |
|
|
tq_foreach_fwd(&us->privileges, priv) { |
tq_foreach_fwd(&us->privileges, priv) { |
if (hostlist_matches(&priv->hostlist) != ALLOW) |
if (hostlist_matches(&priv->hostlist) != ALLOW) |
Line 347 sudo_file_display_priv_short(struct passwd *pw, struct
|
Line 389 sudo_file_display_priv_short(struct passwd *pw, struct
|
} |
} |
lbuf_append(lbuf, "\n"); |
lbuf_append(lbuf, "\n"); |
} |
} |
return nfound; | debug_return_int(nfound); |
} |
} |
|
|
static int |
static int |
Line 359 sudo_file_display_priv_long(struct passwd *pw, struct
|
Line 401 sudo_file_display_priv_long(struct passwd *pw, struct
|
struct privilege *priv; |
struct privilege *priv; |
struct cmndtag tags; |
struct cmndtag tags; |
int nfound = 0; |
int nfound = 0; |
|
debug_decl(sudo_file_display_priv_long, SUDO_DEBUG_NSS) |
|
|
tq_foreach_fwd(&us->privileges, priv) { |
tq_foreach_fwd(&us->privileges, priv) { |
if (hostlist_matches(&priv->hostlist) != ALLOW) |
if (hostlist_matches(&priv->hostlist) != ALLOW) |
Line 400 sudo_file_display_priv_long(struct passwd *pw, struct
|
Line 443 sudo_file_display_priv_long(struct passwd *pw, struct
|
nfound++; |
nfound++; |
} |
} |
} |
} |
return nfound; | debug_return_int(nfound); |
} |
} |
|
|
int |
int |
Line 409 sudo_file_display_privs(struct sudo_nss *nss, struct p
|
Line 452 sudo_file_display_privs(struct sudo_nss *nss, struct p
|
{ |
{ |
struct userspec *us; |
struct userspec *us; |
int nfound = 0; |
int nfound = 0; |
|
debug_decl(sudo_file_display_priv, SUDO_DEBUG_NSS) |
|
|
if (nss->handle == NULL) |
if (nss->handle == NULL) |
goto done; |
goto done; |
Line 423 sudo_file_display_privs(struct sudo_nss *nss, struct p
|
Line 467 sudo_file_display_privs(struct sudo_nss *nss, struct p
|
nfound += sudo_file_display_priv_short(pw, us, lbuf); |
nfound += sudo_file_display_priv_short(pw, us, lbuf); |
} |
} |
done: |
done: |
return nfound; | debug_return_int(nfound); |
} |
} |
|
|
/* |
/* |
Line 436 sudo_file_display_defaults(struct sudo_nss *nss, struc
|
Line 480 sudo_file_display_defaults(struct sudo_nss *nss, struc
|
struct defaults *d; |
struct defaults *d; |
char *prefix; |
char *prefix; |
int nfound = 0; |
int nfound = 0; |
|
debug_decl(sudo_file_display_defaults, SUDO_DEBUG_NSS) |
|
|
if (nss->handle == NULL) |
if (nss->handle == NULL) |
goto done; |
goto done; |
Line 470 sudo_file_display_defaults(struct sudo_nss *nss, struc
|
Line 515 sudo_file_display_defaults(struct sudo_nss *nss, struc
|
lbuf_append_quoted(lbuf, SUDOERS_QUOTED, "%s", d->val); |
lbuf_append_quoted(lbuf, SUDOERS_QUOTED, "%s", d->val); |
} else |
} else |
lbuf_append(lbuf, "%s%s%s", prefix, |
lbuf_append(lbuf, "%s%s%s", prefix, |
d->op == FALSE ? "!" : "", d->var); | d->op == false ? "!" : "", d->var); |
prefix = ", "; |
prefix = ", "; |
nfound++; |
nfound++; |
} |
} |
done: |
done: |
return nfound; | debug_return_int(nfound); |
} |
} |
|
|
/* |
/* |
Line 486 sudo_file_display_bound_defaults(struct sudo_nss *nss,
|
Line 531 sudo_file_display_bound_defaults(struct sudo_nss *nss,
|
struct lbuf *lbuf) |
struct lbuf *lbuf) |
{ |
{ |
int nfound = 0; |
int nfound = 0; |
|
debug_decl(sudo_file_display_bound_defaults, SUDO_DEBUG_NSS) |
|
|
/* XXX - should only print ones that match what the user can do. */ |
/* XXX - should only print ones that match what the user can do. */ |
nfound += display_bound_defaults(DEFAULTS_RUNAS, lbuf); |
nfound += display_bound_defaults(DEFAULTS_RUNAS, lbuf); |
nfound += display_bound_defaults(DEFAULTS_CMND, lbuf); |
nfound += display_bound_defaults(DEFAULTS_CMND, lbuf); |
|
|
return nfound; | debug_return_int(nfound); |
} |
} |
|
|
/* |
/* |
Line 504 display_bound_defaults(int dtype, struct lbuf *lbuf)
|
Line 550 display_bound_defaults(int dtype, struct lbuf *lbuf)
|
struct member *m, *binding = NULL; |
struct member *m, *binding = NULL; |
char *dsep; |
char *dsep; |
int atype, nfound = 0; |
int atype, nfound = 0; |
|
debug_decl(display_bound_defaults, SUDO_DEBUG_NSS) |
|
|
switch (dtype) { |
switch (dtype) { |
case DEFAULTS_HOST: |
case DEFAULTS_HOST: |
Line 523 display_bound_defaults(int dtype, struct lbuf *lbuf)
|
Line 570 display_bound_defaults(int dtype, struct lbuf *lbuf)
|
dsep = "!"; |
dsep = "!"; |
break; |
break; |
default: |
default: |
return -1; | debug_return_int(-1); |
} |
} |
tq_foreach_fwd(&defaults, d) { |
tq_foreach_fwd(&defaults, d) { |
if (d->type != dtype) |
if (d->type != dtype) |
Line 547 display_bound_defaults(int dtype, struct lbuf *lbuf)
|
Line 594 display_bound_defaults(int dtype, struct lbuf *lbuf)
|
lbuf_append(lbuf, "%s%s%s", d->var, d->op == '+' ? "+=" : |
lbuf_append(lbuf, "%s%s%s", d->var, d->op == '+' ? "+=" : |
d->op == '-' ? "-=" : "=", d->val); |
d->op == '-' ? "-=" : "=", d->val); |
} else |
} else |
lbuf_append(lbuf, "%s%s", d->op == FALSE ? "!" : "", d->var); | lbuf_append(lbuf, "%s%s", d->op == false ? "!" : "", d->var); |
} |
} |
|
|
return nfound; | debug_return_int(nfound); |
} |
} |
|
|
int |
int |
Line 562 sudo_file_display_cmnd(struct sudo_nss *nss, struct pa
|
Line 609 sudo_file_display_cmnd(struct sudo_nss *nss, struct pa
|
struct userspec *us; |
struct userspec *us; |
int rval = 1; |
int rval = 1; |
int host_match, runas_match, cmnd_match; |
int host_match, runas_match, cmnd_match; |
|
debug_decl(sudo_file_display_cmnd, SUDO_DEBUG_NSS) |
|
|
if (nss->handle == NULL) |
if (nss->handle == NULL) |
goto done; |
goto done; |
Line 577 sudo_file_display_cmnd(struct sudo_nss *nss, struct pa
|
Line 625 sudo_file_display_cmnd(struct sudo_nss *nss, struct pa
|
continue; |
continue; |
tq_foreach_rev(&priv->cmndlist, cs) { |
tq_foreach_rev(&priv->cmndlist, cs) { |
runas_match = runaslist_matches(&cs->runasuserlist, |
runas_match = runaslist_matches(&cs->runasuserlist, |
&cs->runasgrouplist); | &cs->runasgrouplist, NULL, NULL); |
if (runas_match == ALLOW) { |
if (runas_match == ALLOW) { |
cmnd_match = cmnd_matches(cs->cmnd); |
cmnd_match = cmnd_matches(cs->cmnd); |
if (cmnd_match != UNSPEC) { |
if (cmnd_match != UNSPEC) { |
Line 595 sudo_file_display_cmnd(struct sudo_nss *nss, struct pa
|
Line 643 sudo_file_display_cmnd(struct sudo_nss *nss, struct pa
|
rval = 0; |
rval = 0; |
} |
} |
done: |
done: |
return rval; | debug_return_int(rval); |
} |
} |
|
|
/* |
/* |
Line 608 _print_member(struct lbuf *lbuf, char *name, int type,
|
Line 656 _print_member(struct lbuf *lbuf, char *name, int type,
|
struct alias *a; |
struct alias *a; |
struct member *m; |
struct member *m; |
struct sudo_command *c; |
struct sudo_command *c; |
|
debug_decl(_print_member, SUDO_DEBUG_NSS) |
|
|
switch (type) { |
switch (type) { |
case ALL: |
case ALL: |
lbuf_append(lbuf, "%sALL", negated ? "!" : ""); |
lbuf_append(lbuf, "%sALL", negated ? "!" : ""); |
break; |
break; |
|
case MYSELF: |
|
lbuf_append(lbuf, "%s%s", negated ? "!" : "", user_name); |
|
break; |
case COMMAND: |
case COMMAND: |
c = (struct sudo_command *) name; |
c = (struct sudo_command *) name; |
if (negated) |
if (negated) |
Line 638 _print_member(struct lbuf *lbuf, char *name, int type,
|
Line 690 _print_member(struct lbuf *lbuf, char *name, int type,
|
lbuf_append(lbuf, "%s%s", negated ? "!" : "", name); |
lbuf_append(lbuf, "%s%s", negated ? "!" : "", name); |
break; |
break; |
} |
} |
|
debug_return; |
} |
} |
|
|
static void |
static void |