version 1.1.1.1, 2012/02/21 16:23:02
|
version 1.1.1.2, 2012/05/29 12:26:49
|
Line 1
|
Line 1
|
/* |
/* |
* Copyright (c) 2004-2005, 2007-2011 Todd C. Miller <Todd.Miller@courtesan.com> | * Copyright (c) 2004-2005, 2007-2012 Todd C. Miller <Todd.Miller@courtesan.com> |
* |
* |
* Permission to use, copy, modify, and distribute this software for any |
* Permission to use, copy, modify, and distribute this software for any |
* purpose with or without fee is hereby granted, provided that the above |
* purpose with or without fee is hereby granted, provided that the above |
Line 70 struct sudo_nss sudo_nss_file = {
|
Line 70 struct sudo_nss sudo_nss_file = {
|
*/ |
*/ |
extern FILE *yyin; |
extern FILE *yyin; |
extern char *errorfile; |
extern char *errorfile; |
extern int errorlineno, parse_error; | extern int errorlineno; |
| extern bool parse_error; |
|
|
/* |
/* |
* Local prototypes. |
* Local prototypes. |
Line 81 static int display_bound_defaults(int, struct lbuf *);
|
Line 82 static int display_bound_defaults(int, struct lbuf *);
|
int |
int |
sudo_file_open(struct sudo_nss *nss) |
sudo_file_open(struct sudo_nss *nss) |
{ |
{ |
|
debug_decl(sudo_file_open, SUDO_DEBUG_NSS) |
|
|
if (def_ignore_local_sudoers) |
if (def_ignore_local_sudoers) |
return -1; | debug_return_int(-1); |
nss->handle = open_sudoers(sudoers_file, FALSE, NULL); | nss->handle = open_sudoers(sudoers_file, false, NULL); |
return nss->handle ? 0 : -1; | debug_return_int(nss->handle ? 0 : -1); |
} |
} |
|
|
int |
int |
sudo_file_close(struct sudo_nss *nss) |
sudo_file_close(struct sudo_nss *nss) |
{ |
{ |
|
debug_decl(sudo_file_close, SUDO_DEBUG_NSS) |
|
|
/* Free parser data structures and close sudoers file. */ |
/* Free parser data structures and close sudoers file. */ |
init_parser(NULL, 0); |
init_parser(NULL, 0); |
if (nss->handle != NULL) { |
if (nss->handle != NULL) { |
Line 97 sudo_file_close(struct sudo_nss *nss)
|
Line 102 sudo_file_close(struct sudo_nss *nss)
|
nss->handle = NULL; |
nss->handle = NULL; |
yyin = NULL; |
yyin = NULL; |
} |
} |
return 0; | debug_return_int(0); |
} |
} |
|
|
/* |
/* |
Line 106 sudo_file_close(struct sudo_nss *nss)
|
Line 111 sudo_file_close(struct sudo_nss *nss)
|
int |
int |
sudo_file_parse(struct sudo_nss *nss) |
sudo_file_parse(struct sudo_nss *nss) |
{ |
{ |
|
debug_decl(sudo_file_close, SUDO_DEBUG_NSS) |
|
|
if (nss->handle == NULL) |
if (nss->handle == NULL) |
return -1; | debug_return_int(-1); |
|
|
init_parser(sudoers_file, 0); |
init_parser(sudoers_file, 0); |
yyin = nss->handle; |
yyin = nss->handle; |
if (yyparse() != 0 || parse_error) { |
if (yyparse() != 0 || parse_error) { |
log_error(NO_EXIT, _("parse error in %s near line %d"), | if (errorlineno != -1) { |
errorfile, errorlineno); | log_error(0, _("parse error in %s near line %d"), |
return -1; | errorfile, errorlineno); |
| } else { |
| log_error(0, _("parse error in %s"), errorfile); |
| } |
| debug_return_int(-1); |
} |
} |
return 0; | debug_return_int(0); |
} |
} |
|
|
/* |
/* |
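Review bot: The debug_decl added at the top of sudo_file_parse names the wrong function, `debug_decl(sudo_file_close, SUDO_DEBUG_NSS)`, so every enter/exit trace this function emits is attributed to sudo_file_close; it should read `debug_decl(sudo_file_parse, SUDO_DEBUG_NSS)`. The same copy-paste slip appears further down in sudo_file_display_privs, whose new declaration says `debug_decl(sudo_file_display_priv, SUDO_DEBUG_NSS)` and should name sudo_file_display_privs. Mislabelled traces make a sudoers parse failure harder to follow in the debug log, which is the very path the new errorlineno branch in this hunk is reporting on, so both names are worth fixing before the conversion to debug_return_int is considered complete.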
Line 125 sudo_file_parse(struct sudo_nss *nss)
|
Line 136 sudo_file_parse(struct sudo_nss *nss)
|
int |
int |
sudo_file_setdefs(struct sudo_nss *nss) |
sudo_file_setdefs(struct sudo_nss *nss) |
{ |
{ |
|
debug_decl(sudo_file_setdefs, SUDO_DEBUG_NSS) |
|
|
if (nss->handle == NULL) |
if (nss->handle == NULL) |
return -1; | debug_return_int(-1); |
|
|
if (!update_defaults(SETDEF_GENERIC|SETDEF_HOST|SETDEF_USER)) |
if (!update_defaults(SETDEF_GENERIC|SETDEF_HOST|SETDEF_USER)) |
return -1; | debug_return_int(-1); |
return 0; | debug_return_int(0); |
} |
} |
|
|
/* |
/* |
Line 145 sudo_file_lookup(struct sudo_nss *nss, int validated,
|
Line 158 sudo_file_lookup(struct sudo_nss *nss, int validated,
|
struct cmndtag *tags = NULL; |
struct cmndtag *tags = NULL; |
struct privilege *priv; |
struct privilege *priv; |
struct userspec *us; |
struct userspec *us; |
|
debug_decl(sudo_file_lookup, SUDO_DEBUG_NSS) |
|
|
if (nss->handle == NULL) |
if (nss->handle == NULL) |
return validated; | debug_return_int(validated); |
|
|
/* |
/* |
* Only check the actual command if pwflag is not set. |
* Only check the actual command if pwflag is not set. |
Line 159 sudo_file_lookup(struct sudo_nss *nss, int validated,
|
Line 173 sudo_file_lookup(struct sudo_nss *nss, int validated,
|
enum def_tuple pwcheck; |
enum def_tuple pwcheck; |
|
|
pwcheck = (pwflag == -1) ? never : sudo_defs_table[pwflag].sd_un.tuple; |
pwcheck = (pwflag == -1) ? never : sudo_defs_table[pwflag].sd_un.tuple; |
nopass = (pwcheck == all) ? TRUE : FALSE; | nopass = (pwcheck == all) ? true : false; |
|
|
if (list_pw == NULL) |
if (list_pw == NULL) |
SET(validated, FLAG_NO_CHECK); |
SET(validated, FLAG_NO_CHECK); |
Line 178 sudo_file_lookup(struct sudo_nss *nss, int validated,
|
Line 192 sudo_file_lookup(struct sudo_nss *nss, int validated,
|
user_uid == list_pw->pw_uid || |
user_uid == list_pw->pw_uid || |
cmnd_matches(cs->cmnd) == ALLOW) |
cmnd_matches(cs->cmnd) == ALLOW) |
match = ALLOW; |
match = ALLOW; |
if ((pwcheck == any && cs->tags.nopasswd == TRUE) || | if ((pwcheck == any && cs->tags.nopasswd == true) || |
(pwcheck == all && cs->tags.nopasswd != TRUE)) | (pwcheck == all && cs->tags.nopasswd != true)) |
nopass = cs->tags.nopasswd; |
nopass = cs->tags.nopasswd; |
} |
} |
} |
} |
Line 191 sudo_file_lookup(struct sudo_nss *nss, int validated,
|
Line 205 sudo_file_lookup(struct sudo_nss *nss, int validated,
|
SET(validated, VALIDATE_NOT_OK); |
SET(validated, VALIDATE_NOT_OK); |
if (pwcheck == always && def_authenticate) |
if (pwcheck == always && def_authenticate) |
SET(validated, FLAG_CHECK_USER); |
SET(validated, FLAG_CHECK_USER); |
else if (pwcheck == never || nopass == TRUE) | else if (pwcheck == never || nopass == true) |
def_authenticate = FALSE; | def_authenticate = false; |
return validated; | debug_return_int(validated); |
} |
} |
|
|
/* Need to be runas user while stat'ing things. */ |
/* Need to be runas user while stat'ing things. */ |
Line 254 sudo_file_lookup(struct sudo_nss *nss, int validated,
|
Line 268 sudo_file_lookup(struct sudo_nss *nss, int validated,
|
def_authenticate = !tags->nopasswd; |
def_authenticate = !tags->nopasswd; |
} |
} |
restore_perms(); |
restore_perms(); |
return validated; | debug_return_int(validated); |
} |
} |
|
|
#define TAG_CHANGED(t) \ |
#define TAG_CHANGED(t) \ |
Line 265 sudo_file_append_cmnd(struct cmndspec *cs, struct cmnd
|
Line 279 sudo_file_append_cmnd(struct cmndspec *cs, struct cmnd
|
struct lbuf *lbuf) |
struct lbuf *lbuf) |
{ |
{ |
struct member *m; |
struct member *m; |
|
debug_decl(sudo_file_append_cmnd, SUDO_DEBUG_NSS) |
|
|
#ifdef HAVE_SELINUX |
#ifdef HAVE_SELINUX |
if (cs->role) |
if (cs->role) |
Line 295 sudo_file_append_cmnd(struct cmndspec *cs, struct cmnd
|
Line 310 sudo_file_append_cmnd(struct cmndspec *cs, struct cmnd
|
m = cs->cmnd; |
m = cs->cmnd; |
print_member(lbuf, m->name, m->type, m->negated, |
print_member(lbuf, m->name, m->type, m->negated, |
CMNDALIAS); |
CMNDALIAS); |
|
debug_return; |
} |
} |
|
|
static int |
static int |
Line 306 sudo_file_display_priv_short(struct passwd *pw, struct
|
Line 322 sudo_file_display_priv_short(struct passwd *pw, struct
|
struct privilege *priv; |
struct privilege *priv; |
struct cmndtag tags; |
struct cmndtag tags; |
int nfound = 0; |
int nfound = 0; |
|
debug_decl(sudo_file_display_priv_short, SUDO_DEBUG_NSS) |
|
|
tq_foreach_fwd(&us->privileges, priv) { |
tq_foreach_fwd(&us->privileges, priv) { |
if (hostlist_matches(&priv->hostlist) != ALLOW) |
if (hostlist_matches(&priv->hostlist) != ALLOW) |
Line 347 sudo_file_display_priv_short(struct passwd *pw, struct
|
Line 364 sudo_file_display_priv_short(struct passwd *pw, struct
|
} |
} |
lbuf_append(lbuf, "\n"); |
lbuf_append(lbuf, "\n"); |
} |
} |
return nfound; | debug_return_int(nfound); |
} |
} |
|
|
static int |
static int |
Line 359 sudo_file_display_priv_long(struct passwd *pw, struct
|
Line 376 sudo_file_display_priv_long(struct passwd *pw, struct
|
struct privilege *priv; |
struct privilege *priv; |
struct cmndtag tags; |
struct cmndtag tags; |
int nfound = 0; |
int nfound = 0; |
|
debug_decl(sudo_file_display_priv_long, SUDO_DEBUG_NSS) |
|
|
tq_foreach_fwd(&us->privileges, priv) { |
tq_foreach_fwd(&us->privileges, priv) { |
if (hostlist_matches(&priv->hostlist) != ALLOW) |
if (hostlist_matches(&priv->hostlist) != ALLOW) |
Line 400 sudo_file_display_priv_long(struct passwd *pw, struct
|
Line 418 sudo_file_display_priv_long(struct passwd *pw, struct
|
nfound++; |
nfound++; |
} |
} |
} |
} |
return nfound; | debug_return_int(nfound); |
} |
} |
|
|
int |
int |
Line 409 sudo_file_display_privs(struct sudo_nss *nss, struct p
|
Line 427 sudo_file_display_privs(struct sudo_nss *nss, struct p
|
{ |
{ |
struct userspec *us; |
struct userspec *us; |
int nfound = 0; |
int nfound = 0; |
|
debug_decl(sudo_file_display_priv, SUDO_DEBUG_NSS) |
|
|
if (nss->handle == NULL) |
if (nss->handle == NULL) |
goto done; |
goto done; |
Line 423 sudo_file_display_privs(struct sudo_nss *nss, struct p
|
Line 442 sudo_file_display_privs(struct sudo_nss *nss, struct p
|
nfound += sudo_file_display_priv_short(pw, us, lbuf); |
nfound += sudo_file_display_priv_short(pw, us, lbuf); |
} |
} |
done: |
done: |
return nfound; | debug_return_int(nfound); |
} |
} |
|
|
/* |
/* |
Line 436 sudo_file_display_defaults(struct sudo_nss *nss, struc
|
Line 455 sudo_file_display_defaults(struct sudo_nss *nss, struc
|
struct defaults *d; |
struct defaults *d; |
char *prefix; |
char *prefix; |
int nfound = 0; |
int nfound = 0; |
|
debug_decl(sudo_file_display_defaults, SUDO_DEBUG_NSS) |
|
|
if (nss->handle == NULL) |
if (nss->handle == NULL) |
goto done; |
goto done; |
Line 470 sudo_file_display_defaults(struct sudo_nss *nss, struc
|
Line 490 sudo_file_display_defaults(struct sudo_nss *nss, struc
|
lbuf_append_quoted(lbuf, SUDOERS_QUOTED, "%s", d->val); |
lbuf_append_quoted(lbuf, SUDOERS_QUOTED, "%s", d->val); |
} else |
} else |
lbuf_append(lbuf, "%s%s%s", prefix, |
lbuf_append(lbuf, "%s%s%s", prefix, |
d->op == FALSE ? "!" : "", d->var); | d->op == false ? "!" : "", d->var); |
prefix = ", "; |
prefix = ", "; |
nfound++; |
nfound++; |
} |
} |
done: |
done: |
return nfound; | debug_return_int(nfound); |
} |
} |
|
|
/* |
/* |
Line 486 sudo_file_display_bound_defaults(struct sudo_nss *nss,
|
Line 506 sudo_file_display_bound_defaults(struct sudo_nss *nss,
|
struct lbuf *lbuf) |
struct lbuf *lbuf) |
{ |
{ |
int nfound = 0; |
int nfound = 0; |
|
debug_decl(sudo_file_display_bound_defaults, SUDO_DEBUG_NSS) |
|
|
/* XXX - should only print ones that match what the user can do. */ |
/* XXX - should only print ones that match what the user can do. */ |
nfound += display_bound_defaults(DEFAULTS_RUNAS, lbuf); |
nfound += display_bound_defaults(DEFAULTS_RUNAS, lbuf); |
nfound += display_bound_defaults(DEFAULTS_CMND, lbuf); |
nfound += display_bound_defaults(DEFAULTS_CMND, lbuf); |
|
|
return nfound; | debug_return_int(nfound); |
} |
} |
|
|
/* |
/* |
Line 504 display_bound_defaults(int dtype, struct lbuf *lbuf)
|
Line 525 display_bound_defaults(int dtype, struct lbuf *lbuf)
|
struct member *m, *binding = NULL; |
struct member *m, *binding = NULL; |
char *dsep; |
char *dsep; |
int atype, nfound = 0; |
int atype, nfound = 0; |
|
debug_decl(display_bound_defaults, SUDO_DEBUG_NSS) |
|
|
switch (dtype) { |
switch (dtype) { |
case DEFAULTS_HOST: |
case DEFAULTS_HOST: |
Line 523 display_bound_defaults(int dtype, struct lbuf *lbuf)
|
Line 545 display_bound_defaults(int dtype, struct lbuf *lbuf)
|
dsep = "!"; |
dsep = "!"; |
break; |
break; |
default: |
default: |
return -1; | debug_return_int(-1); |
} |
} |
tq_foreach_fwd(&defaults, d) { |
tq_foreach_fwd(&defaults, d) { |
if (d->type != dtype) |
if (d->type != dtype) |
Line 547 display_bound_defaults(int dtype, struct lbuf *lbuf)
|
Line 569 display_bound_defaults(int dtype, struct lbuf *lbuf)
|
lbuf_append(lbuf, "%s%s%s", d->var, d->op == '+' ? "+=" : |
lbuf_append(lbuf, "%s%s%s", d->var, d->op == '+' ? "+=" : |
d->op == '-' ? "-=" : "=", d->val); |
d->op == '-' ? "-=" : "=", d->val); |
} else |
} else |
lbuf_append(lbuf, "%s%s", d->op == FALSE ? "!" : "", d->var); | lbuf_append(lbuf, "%s%s", d->op == false ? "!" : "", d->var); |
} |
} |
|
|
return nfound; | debug_return_int(nfound); |
} |
} |
|
|
int |
int |
Line 562 sudo_file_display_cmnd(struct sudo_nss *nss, struct pa
|
Line 584 sudo_file_display_cmnd(struct sudo_nss *nss, struct pa
|
struct userspec *us; |
struct userspec *us; |
int rval = 1; |
int rval = 1; |
int host_match, runas_match, cmnd_match; |
int host_match, runas_match, cmnd_match; |
|
debug_decl(sudo_file_display_cmnd, SUDO_DEBUG_NSS) |
|
|
if (nss->handle == NULL) |
if (nss->handle == NULL) |
goto done; |
goto done; |
Line 595 sudo_file_display_cmnd(struct sudo_nss *nss, struct pa
|
Line 618 sudo_file_display_cmnd(struct sudo_nss *nss, struct pa
|
rval = 0; |
rval = 0; |
} |
} |
done: |
done: |
return rval; | debug_return_int(rval); |
} |
} |
|
|
/* |
/* |
Line 608 _print_member(struct lbuf *lbuf, char *name, int type,
|
Line 631 _print_member(struct lbuf *lbuf, char *name, int type,
|
struct alias *a; |
struct alias *a; |
struct member *m; |
struct member *m; |
struct sudo_command *c; |
struct sudo_command *c; |
|
debug_decl(_print_member, SUDO_DEBUG_NSS) |
|
|
switch (type) { |
switch (type) { |
case ALL: |
case ALL: |
Line 638 _print_member(struct lbuf *lbuf, char *name, int type,
|
Line 662 _print_member(struct lbuf *lbuf, char *name, int type,
|
lbuf_append(lbuf, "%s%s", negated ? "!" : "", name); |
lbuf_append(lbuf, "%s%s", negated ? "!" : "", name); |
break; |
break; |
} |
} |
|
debug_return; |
} |
} |
|
|
static void |
static void |