version 1.1, 2012/10/09 09:29:52
|
version 1.1.1.2, 2013/07/22 10:46:12
|
Line 1
|
Line 1
|
/* |
/* |
* Copyright (c) 2003-2012 Todd C. Miller <Todd.Miller@courtesan.com> | * Copyright (c) 2003-2013 Todd C. Miller <Todd.Miller@courtesan.com> |
* Copyright (c) 2011 Daniel Kopecek <dkopecek@redhat.com> |
* Copyright (c) 2011 Daniel Kopecek <dkopecek@redhat.com> |
* |
* |
* This code is derived from software contributed by Aaron Spangler. |
* This code is derived from software contributed by Aaron Spangler. |
Line 21
|
Line 21
|
|
|
#include <sys/types.h> |
#include <sys/types.h> |
#include <sys/time.h> |
#include <sys/time.h> |
#include <sys/param.h> |
|
#include <sys/stat.h> |
#include <sys/stat.h> |
#include <stdio.h> |
#include <stdio.h> |
#ifdef STDC_HEADERS |
#ifdef STDC_HEADERS |
Line 212 sudo_sss_filter_result(struct sudo_sss_handle *handle,
|
Line 211 sudo_sss_filter_result(struct sudo_sss_handle *handle,
|
sudo_debug_printf(SUDO_DEBUG_DEBUG, |
sudo_debug_printf(SUDO_DEBUG_DEBUG, |
"reallocating result: %p (count: %u -> %u)", out_res->rules, |
"reallocating result: %p (count: %u -> %u)", out_res->rules, |
in_res->num_rules, l); |
in_res->num_rules, l); |
out_res->rules = erealloc3(out_res->rules, l, sizeof(struct sss_sudo_rule)); | if (l > 0) { |
| out_res->rules = |
| erealloc3(out_res->rules, l, sizeof(struct sss_sudo_rule)); |
| } else { |
| efree(out_res->rules); |
| out_res->rules = NULL; |
| } |
} |
} |
|
|
out_res->num_rules = l; |
out_res->num_rules = l; |
Line 248 static int sudo_sss_open(struct sudo_nss *nss)
|
Line 253 static int sudo_sss_open(struct sudo_nss *nss)
|
/* Load symbols */ |
/* Load symbols */ |
handle->ssslib = dlopen(path, RTLD_LAZY); |
handle->ssslib = dlopen(path, RTLD_LAZY); |
if (handle->ssslib == NULL) { |
if (handle->ssslib == NULL) { |
warningx(_("Unable to dlopen %s: %s"), path, dlerror()); | warningx(_("unable to dlopen %s: %s"), path, dlerror()); |
warningx(_("Unable to initialize SSS source. Is SSSD installed on your machine?")); | warningx(_("unable to initialize SSS source. Is SSSD installed on your machine?")); |
debug_return_int(EFAULT); |
debug_return_int(EFAULT); |
} |
} |
|
|
Line 345 static int sudo_sss_setdefs(struct sudo_nss *nss)
|
Line 350 static int sudo_sss_setdefs(struct sudo_nss *nss)
|
|
|
if (sss_error == ENOENT) { |
if (sss_error == ENOENT) { |
sudo_debug_printf(SUDO_DEBUG_INFO, "The user was not found in SSSD."); |
sudo_debug_printf(SUDO_DEBUG_INFO, "The user was not found in SSSD."); |
debug_return_int(-1); | debug_return_int(0); |
} else if(sss_error != 0) { |
} else if(sss_error != 0) { |
sudo_debug_printf(SUDO_DEBUG_INFO, "sss_error=%u\n", sss_error); |
sudo_debug_printf(SUDO_DEBUG_INFO, "sss_error=%u\n", sss_error); |
debug_return_int(-1); |
debug_return_int(-1); |
Line 466 sudo_sss_check_runas_user(struct sudo_sss_handle *hand
|
Line 471 sudo_sss_check_runas_user(struct sudo_sss_handle *hand
|
/* FALLTHROUGH */ |
/* FALLTHROUGH */ |
sudo_debug_printf(SUDO_DEBUG_DEBUG, "FALLTHROUGH"); |
sudo_debug_printf(SUDO_DEBUG_DEBUG, "FALLTHROUGH"); |
default: |
default: |
if (strcasecmp(val, runas_pw->pw_name) == 0) { | if (userpw_matches(val, runas_pw->pw_name, runas_pw)) { |
sudo_debug_printf(SUDO_DEBUG_DEBUG, |
sudo_debug_printf(SUDO_DEBUG_DEBUG, |
"%s == %s (pw_name) => match", val, runas_pw->pw_name); |
"%s == %s (pw_name) => match", val, runas_pw->pw_name); |
ret = true; |
ret = true; |
Line 713 sudo_sss_check_bool(struct sudo_sss_handle *handle, st
|
Line 718 sudo_sss_check_bool(struct sudo_sss_handle *handle, st
|
} |
} |
|
|
/* |
/* |
|
* If a digest prefix is present, fills in struct sudo_digest |
|
* and returns a pointer to it, updating cmnd to point to the |
|
* command after the digest. |
|
*/ |
|
static struct sudo_digest * |
|
sudo_sss_extract_digest(char **cmnd, struct sudo_digest *digest) |
|
{ |
|
char *ep, *cp = *cmnd; |
|
int digest_type = SUDO_DIGEST_INVALID; |
|
debug_decl(sudo_sss_check_command, SUDO_DEBUG_LDAP) |
|
|
|
/* |
|
* Check for and extract a digest prefix, e.g. |
|
* sha224:d06a2617c98d377c250edd470fd5e576327748d82915d6e33b5f8db1 /bin/ls |
|
*/ |
|
if (cp[0] == 's' && cp[1] == 'h' && cp[2] == 'a') { |
|
switch (cp[3]) { |
|
case '2': |
|
if (cp[4] == '2' && cp[5] == '4') |
|
digest_type = SUDO_DIGEST_SHA224; |
|
else if (cp[4] == '5' && cp[5] == '6') |
|
digest_type = SUDO_DIGEST_SHA256; |
|
break; |
|
case '3': |
|
if (cp[4] == '8' && cp[5] == '4') |
|
digest_type = SUDO_DIGEST_SHA384; |
|
break; |
|
case '5': |
|
if (cp[4] == '1' && cp[5] == '2') |
|
digest_type = SUDO_DIGEST_SHA512; |
|
break; |
|
} |
|
if (digest_type != SUDO_DIGEST_INVALID) { |
|
cp += 6; |
|
while (isblank((unsigned char)*cp)) |
|
cp++; |
|
if (*cp == ':') { |
|
cp++; |
|
while (isblank((unsigned char)*cp)) |
|
cp++; |
|
ep = cp; |
|
while (*ep != '\0' && !isblank((unsigned char)*ep)) |
|
ep++; |
|
if (*ep != '\0') { |
|
digest->digest_type = digest_type; |
|
digest->digest_str = estrndup(cp, (size_t)(ep - cp)); |
|
cp = ep + 1; |
|
while (isblank((unsigned char)*cp)) |
|
cp++; |
|
*cmnd = cp; |
|
sudo_debug_printf(SUDO_DEBUG_INFO, |
|
"%s digest %s for %s", |
|
digest_type == SUDO_DIGEST_SHA224 ? "sha224" : |
|
digest_type == SUDO_DIGEST_SHA256 ? "sha256" : |
|
digest_type == SUDO_DIGEST_SHA384 ? "sha384" : |
|
"sha512", digest->digest_str, cp); |
|
debug_return_ptr(digest); |
|
} |
|
} |
|
} |
|
} |
|
debug_return_ptr(NULL); |
|
} |
|
|
|
/* |
* Walk through search results and return true if we have a command match, |
* Walk through search results and return true if we have a command match, |
* false if disallowed and UNSPEC if not matched. |
* false if disallowed and UNSPEC if not matched. |
*/ |
*/ |
Line 723 sudo_sss_check_command(struct sudo_sss_handle *handle,
|
Line 793 sudo_sss_check_command(struct sudo_sss_handle *handle,
|
char **val_array = NULL, *val; |
char **val_array = NULL, *val; |
char *allowed_cmnd, *allowed_args; |
char *allowed_cmnd, *allowed_args; |
int i, foundbang, ret = UNSPEC; |
int i, foundbang, ret = UNSPEC; |
|
struct sudo_digest digest, *allowed_digest = NULL; |
debug_decl(sudo_sss_check_command, SUDO_DEBUG_SSSD); |
debug_decl(sudo_sss_check_command, SUDO_DEBUG_SSSD); |
|
|
if (rule == NULL) |
if (rule == NULL) |
Line 754 sudo_sss_check_command(struct sudo_sss_handle *handle,
|
Line 825 sudo_sss_check_command(struct sudo_sss_handle *handle,
|
continue; |
continue; |
} |
} |
|
|
|
/* check for sha-2 digest */ |
|
allowed_digest = sudo_ldap_extract_digest(&val, &digest); |
|
|
/* check for !command */ |
/* check for !command */ |
if (*val == '!') { |
if (*val == '!') { |
foundbang = true; |
foundbang = true; |
Line 769 sudo_sss_check_command(struct sudo_sss_handle *handle,
|
Line 843 sudo_sss_check_command(struct sudo_sss_handle *handle,
|
*allowed_args++ = '\0'; |
*allowed_args++ = '\0'; |
|
|
/* check the command like normal */ |
/* check the command like normal */ |
if (command_matches(allowed_cmnd, allowed_args)) { | if (command_matches(allowed_cmnd, allowed_args, NULL)) { |
/* |
/* |
* If allowed (no bang) set ret but keep on checking. |
* If allowed (no bang) set ret but keep on checking. |
* If disallowed (bang), exit loop. |
* If disallowed (bang), exit loop. |