version 1.1, 2012/02/21 16:23:02
|
version 1.1.1.5, 2013/10/14 07:56:35
|
Line 1
|
Line 1
|
/* |
/* |
* Copyright (c) 2007-2011 Todd C. Miller <Todd.Miller@courtesan.com> | * Copyright (c) 2007-2013 Todd C. Miller <Todd.Miller@courtesan.com> |
* |
* |
* Permission to use, copy, modify, and distribute this software for any |
* Permission to use, copy, modify, and distribute this software for any |
* purpose with or without fee is hereby granted, provided that the above |
* purpose with or without fee is hereby granted, provided that the above |
Line 17
|
Line 17
|
#include <config.h> |
#include <config.h> |
|
|
#include <sys/types.h> |
#include <sys/types.h> |
#include <sys/param.h> | #include <sys/stat.h> |
| |
#include <stdio.h> |
#include <stdio.h> |
#ifdef STDC_HEADERS |
#ifdef STDC_HEADERS |
# include <stdlib.h> |
# include <stdlib.h> |
Line 47 extern struct sudo_nss sudo_nss_file;
|
Line 48 extern struct sudo_nss sudo_nss_file;
|
#ifdef HAVE_LDAP |
#ifdef HAVE_LDAP |
extern struct sudo_nss sudo_nss_ldap; |
extern struct sudo_nss sudo_nss_ldap; |
#endif |
#endif |
|
#ifdef HAVE_SSSD |
|
extern struct sudo_nss sudo_nss_sss; |
|
#endif |
|
|
#if defined(HAVE_LDAP) && defined(_PATH_NSSWITCH_CONF) | #if (defined(HAVE_LDAP) || defined(HAVE_SSSD)) && defined(_PATH_NSSWITCH_CONF) |
/* |
/* |
* Read in /etc/nsswitch.conf |
* Read in /etc/nsswitch.conf |
* Returns a tail queue of matches. |
* Returns a tail queue of matches. |
Line 57 struct sudo_nss_list *
|
Line 61 struct sudo_nss_list *
|
sudo_read_nss(void) |
sudo_read_nss(void) |
{ |
{ |
FILE *fp; |
FILE *fp; |
char *cp; | char *cp, *line = NULL; |
int saw_files = FALSE; | size_t linesize = 0; |
int saw_ldap = FALSE; | #ifdef HAVE_SSSD |
int got_match = FALSE; | bool saw_sss = false; |
| #endif |
| bool saw_files = false; |
| bool saw_ldap = false; |
| bool got_match = false; |
static struct sudo_nss_list snl; |
static struct sudo_nss_list snl; |
|
debug_decl(sudo_read_nss, SUDO_DEBUG_NSS) |
|
|
if ((fp = fopen(_PATH_NSSWITCH_CONF, "r")) == NULL) |
if ((fp = fopen(_PATH_NSSWITCH_CONF, "r")) == NULL) |
goto nomatch; |
goto nomatch; |
|
|
while ((cp = sudo_parseln(fp)) != NULL) { | while (sudo_parseln(&line, &linesize, NULL, fp) != -1) { |
/* Skip blank or comment lines */ |
/* Skip blank or comment lines */ |
if (*cp == '\0') | if (*line == '\0') |
continue; |
continue; |
|
|
/* Look for a line starting with "sudoers:" */ |
/* Look for a line starting with "sudoers:" */ |
if (strncasecmp(cp, "sudoers:", 8) != 0) | if (strncasecmp(line, "sudoers:", 8) != 0) |
continue; |
continue; |
|
|
/* Parse line */ |
/* Parse line */ |
for ((cp = strtok(cp + 8, " \t")); cp != NULL; (cp = strtok(NULL, " \t"))) { | for ((cp = strtok(line + 8, " \t")); cp != NULL; (cp = strtok(NULL, " \t"))) { |
if (strcasecmp(cp, "files") == 0 && !saw_files) { |
if (strcasecmp(cp, "files") == 0 && !saw_files) { |
tq_append(&snl, &sudo_nss_file); |
tq_append(&snl, &sudo_nss_file); |
got_match = TRUE; | got_match = true; |
| #ifdef HAVE_LDAP |
} else if (strcasecmp(cp, "ldap") == 0 && !saw_ldap) { |
} else if (strcasecmp(cp, "ldap") == 0 && !saw_ldap) { |
tq_append(&snl, &sudo_nss_ldap); |
tq_append(&snl, &sudo_nss_ldap); |
got_match = TRUE; | got_match = true; |
| #endif |
| #ifdef HAVE_SSSD |
| } else if (strcasecmp(cp, "sss") == 0 && !saw_sss) { |
| tq_append(&snl, &sudo_nss_sss); |
| got_match = true; |
| #endif |
} else if (strcasecmp(cp, "[NOTFOUND=return]") == 0 && got_match) { |
} else if (strcasecmp(cp, "[NOTFOUND=return]") == 0 && got_match) { |
/* NOTFOUND affects the most recent entry */ |
/* NOTFOUND affects the most recent entry */ |
tq_last(&snl)->ret_if_notfound = TRUE; | tq_last(&snl)->ret_if_notfound = true; |
got_match = FALSE; | got_match = false; |
| } else if (strcasecmp(cp, "[SUCCESS=return]") == 0 && got_match) { |
| /* SUCCESS affects the most recent entry */ |
| tq_last(&snl)->ret_if_found = true; |
| got_match = false; |
} else |
} else |
got_match = FALSE; | got_match = false; |
} |
} |
/* Only parse the first "sudoers:" line */ |
/* Only parse the first "sudoers:" line */ |
break; |
break; |
} |
} |
|
free(line); |
fclose(fp); |
fclose(fp); |
|
|
nomatch: |
nomatch: |
Line 100 nomatch:
|
Line 121 nomatch:
|
if (tq_empty(&snl)) |
if (tq_empty(&snl)) |
tq_append(&snl, &sudo_nss_file); |
tq_append(&snl, &sudo_nss_file); |
|
|
return &snl; | debug_return_ptr(&snl); |
} |
} |
|
|
#else /* HAVE_LDAP && _PATH_NSSWITCH_CONF */ | #else /* (HAVE_LDAP || HAVE_SSSD) && _PATH_NSSWITCH_CONF */ |
|
|
# if defined(HAVE_LDAP) && defined(_PATH_NETSVC_CONF) | # if (defined(HAVE_LDAP) || defined(HAVE_SSSD)) && defined(_PATH_NETSVC_CONF) |
|
|
/* |
/* |
* Read in /etc/netsvc.conf (like nsswitch.conf on AIX) |
* Read in /etc/netsvc.conf (like nsswitch.conf on AIX) |
Line 115 struct sudo_nss_list *
|
Line 136 struct sudo_nss_list *
|
sudo_read_nss(void) |
sudo_read_nss(void) |
{ |
{ |
FILE *fp; |
FILE *fp; |
char *cp, *ep; | char *cp, *ep, *line = NULL; |
int saw_files = FALSE; | ssize_t linesize = 0; |
int saw_ldap = FALSE; | #ifdef HAVE_SSSD |
int got_match = FALSE; | bool saw_sss = false; |
| #endif |
| bool saw_files = false; |
| bool saw_ldap = false; |
| bool got_match = false; |
static struct sudo_nss_list snl; |
static struct sudo_nss_list snl; |
|
debug_decl(sudo_read_nss, SUDO_DEBUG_NSS) |
|
|
if ((fp = fopen(_PATH_NETSVC_CONF, "r")) == NULL) |
if ((fp = fopen(_PATH_NETSVC_CONF, "r")) == NULL) |
goto nomatch; |
goto nomatch; |
|
|
while ((cp = sudo_parseln(fp)) != NULL) { | while (sudo_parseln(&line, &linesize, NULL, fp) != -1) { |
/* Skip blank or comment lines */ |
/* Skip blank or comment lines */ |
if (*cp == '\0') | if (*(cp = line) == '\0') |
continue; |
continue; |
|
|
/* Look for a line starting with "sudoers = " */ |
/* Look for a line starting with "sudoers = " */ |
Line 147 sudo_read_nss(void)
|
Line 173 sudo_read_nss(void)
|
if (!saw_files && strncasecmp(cp, "files", 5) == 0 && |
if (!saw_files && strncasecmp(cp, "files", 5) == 0 && |
(isspace((unsigned char)cp[5]) || cp[5] == '\0')) { |
(isspace((unsigned char)cp[5]) || cp[5] == '\0')) { |
tq_append(&snl, &sudo_nss_file); |
tq_append(&snl, &sudo_nss_file); |
got_match = TRUE; | got_match = true; |
ep = &cp[5]; |
ep = &cp[5]; |
|
#ifdef HAVE_LDAP |
} else if (!saw_ldap && strncasecmp(cp, "ldap", 4) == 0 && |
} else if (!saw_ldap && strncasecmp(cp, "ldap", 4) == 0 && |
(isspace((unsigned char)cp[4]) || cp[4] == '\0')) { |
(isspace((unsigned char)cp[4]) || cp[4] == '\0')) { |
tq_append(&snl, &sudo_nss_ldap); |
tq_append(&snl, &sudo_nss_ldap); |
got_match = TRUE; | got_match = true; |
ep = &cp[4]; |
ep = &cp[4]; |
|
#endif |
|
#ifdef HAVE_SSSD |
|
} else if (!saw_sss && strncasecmp(cp, "sss", 3) == 0 && |
|
(isspace((unsigned char)cp[3]) || cp[3] == '\0')) { |
|
tq_append(&snl, &sudo_nss_sss); |
|
got_match = true; |
|
ep = &cp[3]; |
|
#endif |
} else { |
} else { |
got_match = FALSE; | got_match = false; |
} |
} |
|
|
/* check for = auth qualifier */ |
/* check for = auth qualifier */ |
Line 165 sudo_read_nss(void)
|
Line 200 sudo_read_nss(void)
|
cp++; |
cp++; |
if (strncasecmp(cp, "auth", 4) == 0 && |
if (strncasecmp(cp, "auth", 4) == 0 && |
(isspace((unsigned char)cp[4]) || cp[4] == '\0')) { |
(isspace((unsigned char)cp[4]) || cp[4] == '\0')) { |
tq_last(&snl)->ret_if_found = TRUE; | tq_last(&snl)->ret_if_found = true; |
} |
} |
} |
} |
} |
} |
Line 179 nomatch:
|
Line 214 nomatch:
|
if (tq_empty(&snl)) |
if (tq_empty(&snl)) |
tq_append(&snl, &sudo_nss_file); |
tq_append(&snl, &sudo_nss_file); |
|
|
return &snl; | debug_return_ptr(&snl); |
} |
} |
|
|
# else /* !_PATH_NETSVC_CONF && !_PATH_NSSWITCH_CONF */ |
# else /* !_PATH_NETSVC_CONF && !_PATH_NSSWITCH_CONF */ |
Line 191 struct sudo_nss_list *
|
Line 226 struct sudo_nss_list *
|
sudo_read_nss(void) |
sudo_read_nss(void) |
{ |
{ |
static struct sudo_nss_list snl; |
static struct sudo_nss_list snl; |
|
debug_decl(sudo_read_nss, SUDO_DEBUG_NSS) |
|
|
|
# ifdef HAVE_SSSD |
|
tq_append(&snl, &sudo_nss_sss); |
|
# endif |
# ifdef HAVE_LDAP |
# ifdef HAVE_LDAP |
tq_append(&snl, &sudo_nss_ldap); |
tq_append(&snl, &sudo_nss_ldap); |
# endif |
# endif |
tq_append(&snl, &sudo_nss_file); |
tq_append(&snl, &sudo_nss_file); |
|
|
return &snl; | debug_return_ptr(&snl); |
} |
} |
|
|
# endif /* !HAVE_LDAP || !_PATH_NETSVC_CONF */ |
# endif /* !HAVE_LDAP || !_PATH_NETSVC_CONF */ |
Line 209 output(const char *buf)
|
Line 248 output(const char *buf)
|
{ |
{ |
struct sudo_conv_message msg; |
struct sudo_conv_message msg; |
struct sudo_conv_reply repl; |
struct sudo_conv_reply repl; |
|
debug_decl(output, SUDO_DEBUG_NSS) |
|
|
/* Call conversation function */ |
/* Call conversation function */ |
memset(&msg, 0, sizeof(msg)); |
memset(&msg, 0, sizeof(msg)); |
Line 216 output(const char *buf)
|
Line 256 output(const char *buf)
|
msg.msg = buf; |
msg.msg = buf; |
memset(&repl, 0, sizeof(repl)); |
memset(&repl, 0, sizeof(repl)); |
if (sudo_conv(1, &msg, &repl) == -1) |
if (sudo_conv(1, &msg, &repl) == -1) |
return 0; | debug_return_int(0); |
return (int)strlen(buf); | debug_return_int(strlen(buf)); |
} |
} |
|
|
/* |
/* |
* Print out privileges for the specified user. |
* Print out privileges for the specified user. |
* We only get here if the user is allowed to run something on this host. | * We only get here if the user is allowed to run something. |
*/ |
*/ |
void |
void |
display_privs(struct sudo_nss_list *snl, struct passwd *pw) |
display_privs(struct sudo_nss_list *snl, struct passwd *pw) |
{ |
{ |
struct sudo_nss *nss; |
struct sudo_nss *nss; |
struct lbuf defs, privs; |
struct lbuf defs, privs; |
int count, olen; | struct stat sb; |
| int cols, count, olen; |
| debug_decl(display_privs, SUDO_DEBUG_NSS) |
|
|
lbuf_init(&defs, output, 4, NULL, sudo_user.cols); | cols = sudo_user.cols; |
lbuf_init(&privs, output, 4, NULL, sudo_user.cols); | if (fstat(STDOUT_FILENO, &sb) == 0 && S_ISFIFO(sb.st_mode)) |
| cols = 0; |
| lbuf_init(&defs, output, 4, NULL, cols); |
| lbuf_init(&privs, output, 8, NULL, cols); |
|
|
/* Display defaults from all sources. */ |
/* Display defaults from all sources. */ |
lbuf_append(&defs, _("Matching Defaults entries for %s on this host:\n"), | lbuf_append(&defs, _("Matching Defaults entries for %s on %s:\n"), |
pw->pw_name); | pw->pw_name, user_srunhost); |
count = 0; |
count = 0; |
tq_foreach_fwd(snl, nss) { |
tq_foreach_fwd(snl, nss) { |
count += nss->display_defaults(nss, pw, &defs); |
count += nss->display_defaults(nss, pw, &defs); |
Line 261 display_privs(struct sudo_nss_list *snl, struct passwd
|
Line 306 display_privs(struct sudo_nss_list *snl, struct passwd
|
|
|
/* Display privileges from all sources. */ |
/* Display privileges from all sources. */ |
lbuf_append(&privs, |
lbuf_append(&privs, |
_("User %s may run the following commands on this host:\n"), | _("User %s may run the following commands on %s:\n"), |
pw->pw_name); | pw->pw_name, user_srunhost); |
count = 0; |
count = 0; |
tq_foreach_fwd(snl, nss) { |
tq_foreach_fwd(snl, nss) { |
count += nss->display_privs(nss, pw, &privs); |
count += nss->display_privs(nss, pw, &privs); |
} |
} |
if (count) { | if (count == 0) { |
lbuf_print(&defs); | defs.len = 0; |
lbuf_print(&privs); | privs.len = 0; |
} else { | lbuf_append(&privs, _("User %s is not allowed to run sudo on %s.\n"), |
printf(_("User %s is not allowed to run sudo on %s.\n"), pw->pw_name, | pw->pw_name, user_shost); |
user_shost); | |
} |
} |
|
lbuf_print(&defs); |
|
lbuf_print(&privs); |
|
|
lbuf_destroy(&defs); |
lbuf_destroy(&defs); |
lbuf_destroy(&privs); |
lbuf_destroy(&privs); |
|
|
|
debug_return; |
} |
} |
|
|
/* |
/* |
* Check user_cmnd against sudoers and print the matching entry if the |
* Check user_cmnd against sudoers and print the matching entry if the |
* command is allowed. |
* command is allowed. |
* Returns TRUE if the command is allowed, else FALSE. | * Returns true if the command is allowed, else false. |
*/ |
*/ |
int | bool |
display_cmnd(struct sudo_nss_list *snl, struct passwd *pw) |
display_cmnd(struct sudo_nss_list *snl, struct passwd *pw) |
{ |
{ |
struct sudo_nss *nss; |
struct sudo_nss *nss; |
|
debug_decl(display_cmnd, SUDO_DEBUG_NSS) |
|
|
tq_foreach_fwd(snl, nss) { |
tq_foreach_fwd(snl, nss) { |
if (nss->display_cmnd(nss, pw) == 0) |
if (nss->display_cmnd(nss, pw) == 0) |
return TRUE; | debug_return_bool(true); |
} |
} |
return FALSE; | debug_return_bool(false); |
} |
} |