version 1.1.1.1, 2012/02/21 16:23:02
|
version 1.1.1.3, 2012/10/09 09:29:52
|
Line 18
|
Line 18
|
|
|
#include <sys/types.h> |
#include <sys/types.h> |
#include <sys/param.h> |
#include <sys/param.h> |
|
#include <sys/stat.h> |
|
|
#include <stdio.h> |
#include <stdio.h> |
#ifdef STDC_HEADERS |
#ifdef STDC_HEADERS |
# include <stdlib.h> |
# include <stdlib.h> |
Line 47 extern struct sudo_nss sudo_nss_file;
|
Line 49 extern struct sudo_nss sudo_nss_file;
|
#ifdef HAVE_LDAP |
#ifdef HAVE_LDAP |
extern struct sudo_nss sudo_nss_ldap; |
extern struct sudo_nss sudo_nss_ldap; |
#endif |
#endif |
|
#ifdef HAVE_SSSD |
|
extern struct sudo_nss sudo_nss_sss; |
|
#endif |
|
|
#if defined(HAVE_LDAP) && defined(_PATH_NSSWITCH_CONF) | #if (defined(HAVE_LDAP) || defined(HAVE_SSSD)) && defined(_PATH_NSSWITCH_CONF) |
/* |
/* |
* Read in /etc/nsswitch.conf |
* Read in /etc/nsswitch.conf |
* Returns a tail queue of matches. |
* Returns a tail queue of matches. |
Line 58 sudo_read_nss(void)
|
Line 63 sudo_read_nss(void)
|
{ |
{ |
FILE *fp; |
FILE *fp; |
char *cp; |
char *cp; |
int saw_files = FALSE; | #ifdef HAVE_SSSD |
int saw_ldap = FALSE; | bool saw_sss = false; |
int got_match = FALSE; | #endif |
| bool saw_files = false; |
| bool saw_ldap = false; |
| bool got_match = false; |
static struct sudo_nss_list snl; |
static struct sudo_nss_list snl; |
|
debug_decl(sudo_read_nss, SUDO_DEBUG_NSS) |
|
|
if ((fp = fopen(_PATH_NSSWITCH_CONF, "r")) == NULL) |
if ((fp = fopen(_PATH_NSSWITCH_CONF, "r")) == NULL) |
goto nomatch; |
goto nomatch; |
Line 79 sudo_read_nss(void)
|
Line 88 sudo_read_nss(void)
|
for ((cp = strtok(cp + 8, " \t")); cp != NULL; (cp = strtok(NULL, " \t"))) { |
for ((cp = strtok(cp + 8, " \t")); cp != NULL; (cp = strtok(NULL, " \t"))) { |
if (strcasecmp(cp, "files") == 0 && !saw_files) { |
if (strcasecmp(cp, "files") == 0 && !saw_files) { |
tq_append(&snl, &sudo_nss_file); |
tq_append(&snl, &sudo_nss_file); |
got_match = TRUE; | got_match = true; |
} else if (strcasecmp(cp, "ldap") == 0 && !saw_ldap) { |
} else if (strcasecmp(cp, "ldap") == 0 && !saw_ldap) { |
tq_append(&snl, &sudo_nss_ldap); |
tq_append(&snl, &sudo_nss_ldap); |
got_match = TRUE; | got_match = true; |
| #ifdef HAVE_SSSD |
| } else if (strcasecmp(cp, "sss") == 0 && !saw_sss) { |
| tq_append(&snl, &sudo_nss_sss); |
| got_match = true; |
| #endif |
} else if (strcasecmp(cp, "[NOTFOUND=return]") == 0 && got_match) { |
} else if (strcasecmp(cp, "[NOTFOUND=return]") == 0 && got_match) { |
/* NOTFOUND affects the most recent entry */ |
/* NOTFOUND affects the most recent entry */ |
tq_last(&snl)->ret_if_notfound = TRUE; | tq_last(&snl)->ret_if_notfound = true; |
got_match = FALSE; | got_match = false; |
| } else if (strcasecmp(cp, "[SUCCESS=return]") == 0 && got_match) { |
| /* SUCCESS affects the most recent entry */ |
| tq_last(&snl)->ret_if_found = true; |
| got_match = false; |
} else |
} else |
got_match = FALSE; | got_match = false; |
} |
} |
/* Only parse the first "sudoers:" line */ |
/* Only parse the first "sudoers:" line */ |
break; |
break; |
Line 100 nomatch:
|
Line 118 nomatch:
|
if (tq_empty(&snl)) |
if (tq_empty(&snl)) |
tq_append(&snl, &sudo_nss_file); |
tq_append(&snl, &sudo_nss_file); |
|
|
return &snl; | debug_return_ptr(&snl); |
} |
} |
|
|
#else /* HAVE_LDAP && _PATH_NSSWITCH_CONF */ | #else /* (HAVE_LDAP || HAVE_SSSD) && _PATH_NSSWITCH_CONF */ |
|
|
# if defined(HAVE_LDAP) && defined(_PATH_NETSVC_CONF) | # if (defined(HAVE_LDAP) || defined(HAVE_SSSD)) && defined(_PATH_NETSVC_CONF) |
|
|
/* |
/* |
* Read in /etc/netsvc.conf (like nsswitch.conf on AIX) |
* Read in /etc/netsvc.conf (like nsswitch.conf on AIX) |
Line 116 sudo_read_nss(void)
|
Line 134 sudo_read_nss(void)
|
{ |
{ |
FILE *fp; |
FILE *fp; |
char *cp, *ep; |
char *cp, *ep; |
int saw_files = FALSE; | #ifdef HAVE_SSSD |
int saw_ldap = FALSE; | bool saw_sss = false; |
int got_match = FALSE; | #endif |
| bool saw_files = false; |
| bool saw_ldap = false; |
| bool got_match = false; |
static struct sudo_nss_list snl; |
static struct sudo_nss_list snl; |
|
debug_decl(sudo_read_nss, SUDO_DEBUG_NSS) |
|
|
if ((fp = fopen(_PATH_NETSVC_CONF, "r")) == NULL) |
if ((fp = fopen(_PATH_NETSVC_CONF, "r")) == NULL) |
goto nomatch; |
goto nomatch; |
Line 147 sudo_read_nss(void)
|
Line 169 sudo_read_nss(void)
|
if (!saw_files && strncasecmp(cp, "files", 5) == 0 && |
if (!saw_files && strncasecmp(cp, "files", 5) == 0 && |
(isspace((unsigned char)cp[5]) || cp[5] == '\0')) { |
(isspace((unsigned char)cp[5]) || cp[5] == '\0')) { |
tq_append(&snl, &sudo_nss_file); |
tq_append(&snl, &sudo_nss_file); |
got_match = TRUE; | got_match = true; |
ep = &cp[5]; |
ep = &cp[5]; |
} else if (!saw_ldap && strncasecmp(cp, "ldap", 4) == 0 && |
} else if (!saw_ldap && strncasecmp(cp, "ldap", 4) == 0 && |
(isspace((unsigned char)cp[4]) || cp[4] == '\0')) { |
(isspace((unsigned char)cp[4]) || cp[4] == '\0')) { |
tq_append(&snl, &sudo_nss_ldap); |
tq_append(&snl, &sudo_nss_ldap); |
got_match = TRUE; | got_match = true; |
ep = &cp[4]; |
ep = &cp[4]; |
|
#ifdef HAVE_SSSD |
|
} else if (!saw_sss && strncasecmp(cp, "sss", 3) == 0 && |
|
(isspace((unsigned char)cp[3]) || cp[3] == '\0')) { |
|
tq_append(&snl, &sudo_nss_sss); |
|
got_match = true; |
|
ep = &cp[3]; |
|
#endif |
} else { |
} else { |
got_match = FALSE; | got_match = false; |
} |
} |
|
|
/* check for = auth qualifier */ |
/* check for = auth qualifier */ |
Line 165 sudo_read_nss(void)
|
Line 194 sudo_read_nss(void)
|
cp++; |
cp++; |
if (strncasecmp(cp, "auth", 4) == 0 && |
if (strncasecmp(cp, "auth", 4) == 0 && |
(isspace((unsigned char)cp[4]) || cp[4] == '\0')) { |
(isspace((unsigned char)cp[4]) || cp[4] == '\0')) { |
tq_last(&snl)->ret_if_found = TRUE; | tq_last(&snl)->ret_if_found = true; |
} |
} |
} |
} |
} |
} |
Line 179 nomatch:
|
Line 208 nomatch:
|
if (tq_empty(&snl)) |
if (tq_empty(&snl)) |
tq_append(&snl, &sudo_nss_file); |
tq_append(&snl, &sudo_nss_file); |
|
|
return &snl; | debug_return_ptr(&snl); |
} |
} |
|
|
# else /* !_PATH_NETSVC_CONF && !_PATH_NSSWITCH_CONF */ |
# else /* !_PATH_NETSVC_CONF && !_PATH_NSSWITCH_CONF */ |
Line 191 struct sudo_nss_list *
|
Line 220 struct sudo_nss_list *
|
sudo_read_nss(void) |
sudo_read_nss(void) |
{ |
{ |
static struct sudo_nss_list snl; |
static struct sudo_nss_list snl; |
|
debug_decl(sudo_read_nss, SUDO_DEBUG_NSS) |
|
|
|
# ifdef HAVE_SSSD |
|
tq_append(&snl, &sudo_nss_sss); |
|
# endif |
# ifdef HAVE_LDAP |
# ifdef HAVE_LDAP |
tq_append(&snl, &sudo_nss_ldap); |
tq_append(&snl, &sudo_nss_ldap); |
# endif |
# endif |
tq_append(&snl, &sudo_nss_file); |
tq_append(&snl, &sudo_nss_file); |
|
|
return &snl; | debug_return_ptr(&snl); |
} |
} |
|
|
# endif /* !HAVE_LDAP || !_PATH_NETSVC_CONF */ |
# endif /* !HAVE_LDAP || !_PATH_NETSVC_CONF */ |
Line 209 output(const char *buf)
|
Line 242 output(const char *buf)
|
{ |
{ |
struct sudo_conv_message msg; |
struct sudo_conv_message msg; |
struct sudo_conv_reply repl; |
struct sudo_conv_reply repl; |
|
debug_decl(output, SUDO_DEBUG_NSS) |
|
|
/* Call conversation function */ |
/* Call conversation function */ |
memset(&msg, 0, sizeof(msg)); |
memset(&msg, 0, sizeof(msg)); |
Line 216 output(const char *buf)
|
Line 250 output(const char *buf)
|
msg.msg = buf; |
msg.msg = buf; |
memset(&repl, 0, sizeof(repl)); |
memset(&repl, 0, sizeof(repl)); |
if (sudo_conv(1, &msg, &repl) == -1) |
if (sudo_conv(1, &msg, &repl) == -1) |
return 0; | debug_return_int(0); |
return (int)strlen(buf); | debug_return_int(strlen(buf)); |
} |
} |
|
|
/* |
/* |
Line 229 display_privs(struct sudo_nss_list *snl, struct passwd
|
Line 263 display_privs(struct sudo_nss_list *snl, struct passwd
|
{ |
{ |
struct sudo_nss *nss; |
struct sudo_nss *nss; |
struct lbuf defs, privs; |
struct lbuf defs, privs; |
int count, olen; | struct stat sb; |
| int cols, count, olen; |
| debug_decl(display_privs, SUDO_DEBUG_NSS) |
|
|
lbuf_init(&defs, output, 4, NULL, sudo_user.cols); | cols = sudo_user.cols; |
lbuf_init(&privs, output, 4, NULL, sudo_user.cols); | if (fstat(STDOUT_FILENO, &sb) == 0 && S_ISFIFO(sb.st_mode)) |
| cols = 0; |
| lbuf_init(&defs, output, 4, NULL, cols); |
| lbuf_init(&privs, output, 4, NULL, cols); |
|
|
/* Display defaults from all sources. */ |
/* Display defaults from all sources. */ |
lbuf_append(&defs, _("Matching Defaults entries for %s on this host:\n"), |
lbuf_append(&defs, _("Matching Defaults entries for %s on this host:\n"), |
Line 267 display_privs(struct sudo_nss_list *snl, struct passwd
|
Line 306 display_privs(struct sudo_nss_list *snl, struct passwd
|
tq_foreach_fwd(snl, nss) { |
tq_foreach_fwd(snl, nss) { |
count += nss->display_privs(nss, pw, &privs); |
count += nss->display_privs(nss, pw, &privs); |
} |
} |
if (count) { | if (count == 0) { |
lbuf_print(&defs); | defs.len = 0; |
lbuf_print(&privs); | privs.len = 0; |
} else { | lbuf_append(&privs, _("User %s is not allowed to run sudo on %s.\n"), |
printf(_("User %s is not allowed to run sudo on %s.\n"), pw->pw_name, | pw->pw_name, user_shost); |
user_shost); | |
} |
} |
|
lbuf_print(&defs); |
|
lbuf_print(&privs); |
|
|
lbuf_destroy(&defs); |
lbuf_destroy(&defs); |
lbuf_destroy(&privs); |
lbuf_destroy(&privs); |
|
|
|
debug_return; |
} |
} |
|
|
/* |
/* |
* Check user_cmnd against sudoers and print the matching entry if the |
* Check user_cmnd against sudoers and print the matching entry if the |
* command is allowed. |
* command is allowed. |
* Returns TRUE if the command is allowed, else FALSE. | * Returns true if the command is allowed, else false. |
*/ |
*/ |
int | bool |
display_cmnd(struct sudo_nss_list *snl, struct passwd *pw) |
display_cmnd(struct sudo_nss_list *snl, struct passwd *pw) |
{ |
{ |
struct sudo_nss *nss; |
struct sudo_nss *nss; |
|
debug_decl(display_cmnd, SUDO_DEBUG_NSS) |
|
|
tq_foreach_fwd(snl, nss) { |
tq_foreach_fwd(snl, nss) { |
if (nss->display_cmnd(nss, pw) == 0) |
if (nss->display_cmnd(nss, pw) == 0) |
return TRUE; | debug_return_bool(true); |
} |
} |
return FALSE; | debug_return_bool(false); |
} |
} |