--- embedaddon/sudo/plugins/sudoers/sudo_nss.c 2012/05/29 12:26:49 1.1.1.2 +++ embedaddon/sudo/plugins/sudoers/sudo_nss.c 2013/10/14 07:56:35 1.1.1.5 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2007-2011 Todd C. Miller + * Copyright (c) 2007-2013 Todd C. Miller * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -17,7 +17,8 @@ #include #include -#include +#include + #include #ifdef STDC_HEADERS # include @@ -47,8 +48,11 @@ extern struct sudo_nss sudo_nss_file; #ifdef HAVE_LDAP extern struct sudo_nss sudo_nss_ldap; #endif +#ifdef HAVE_SSSD +extern struct sudo_nss sudo_nss_sss; +#endif -#if defined(HAVE_LDAP) && defined(_PATH_NSSWITCH_CONF) +#if (defined(HAVE_LDAP) || defined(HAVE_SSSD)) && defined(_PATH_NSSWITCH_CONF) /* * Read in /etc/nsswitch.conf * Returns a tail queue of matches. @@ -57,7 +61,11 @@ struct sudo_nss_list * sudo_read_nss(void) { FILE *fp; - char *cp; + char *cp, *line = NULL; + size_t linesize = 0; +#ifdef HAVE_SSSD + bool saw_sss = false; +#endif bool saw_files = false; bool saw_ldap = false; bool got_match = false; @@ -67,33 +75,45 @@ sudo_read_nss(void) if ((fp = fopen(_PATH_NSSWITCH_CONF, "r")) == NULL) goto nomatch; - while ((cp = sudo_parseln(fp)) != NULL) { + while (sudo_parseln(&line, &linesize, NULL, fp) != -1) { /* Skip blank or comment lines */ - if (*cp == '\0') + if (*line == '\0') continue; /* Look for a line starting with "sudoers:" */ - if (strncasecmp(cp, "sudoers:", 8) != 0) + if (strncasecmp(line, "sudoers:", 8) != 0) continue; /* Parse line */ - for ((cp = strtok(cp + 8, " \t")); cp != NULL; (cp = strtok(NULL, " \t"))) { + for ((cp = strtok(line + 8, " \t")); cp != NULL; (cp = strtok(NULL, " \t"))) { if (strcasecmp(cp, "files") == 0 && !saw_files) { tq_append(&snl, &sudo_nss_file); got_match = true; +#ifdef HAVE_LDAP } else if (strcasecmp(cp, "ldap") == 0 && !saw_ldap) { tq_append(&snl, &sudo_nss_ldap); got_match = true; +#endif +#ifdef HAVE_SSSD + } else if (strcasecmp(cp, "sss") == 0 && !saw_sss) { + tq_append(&snl, &sudo_nss_sss); + got_match = true; +#endif } else if (strcasecmp(cp, "[NOTFOUND=return]") == 0 && got_match) { /* NOTFOUND affects the most recent entry */ tq_last(&snl)->ret_if_notfound = true; got_match = false; + } else if (strcasecmp(cp, "[SUCCESS=return]") == 0 && got_match) { + /* SUCCESS affects the most recent entry */ + tq_last(&snl)->ret_if_found = true; + got_match = false; } else got_match = false; } /* Only parse the first "sudoers:" line */ break; } + free(line); fclose(fp); nomatch: @@ -104,9 +124,9 @@ nomatch: debug_return_ptr(&snl); } -#else /* HAVE_LDAP && _PATH_NSSWITCH_CONF */ +#else /* (HAVE_LDAP || HAVE_SSSD) && _PATH_NSSWITCH_CONF */ -# if defined(HAVE_LDAP) && defined(_PATH_NETSVC_CONF) +# if (defined(HAVE_LDAP) || defined(HAVE_SSSD)) && defined(_PATH_NETSVC_CONF) /* * Read in /etc/netsvc.conf (like nsswitch.conf on AIX) @@ -116,7 +136,11 @@ struct sudo_nss_list * sudo_read_nss(void) { FILE *fp; - char *cp, *ep; + char *cp, *ep, *line = NULL; + ssize_t linesize = 0; +#ifdef HAVE_SSSD + bool saw_sss = false; +#endif bool saw_files = false; bool saw_ldap = false; bool got_match = false; @@ -126,9 +150,9 @@ sudo_read_nss(void) if ((fp = fopen(_PATH_NETSVC_CONF, "r")) == NULL) goto nomatch; - while ((cp = sudo_parseln(fp)) != NULL) { + while (sudo_parseln(&line, &linesize, NULL, fp) != -1) { /* Skip blank or comment lines */ - if (*cp == '\0') + if (*(cp = line) == '\0') continue; /* Look for a line starting with "sudoers = " */ @@ -151,11 +175,20 @@ sudo_read_nss(void) tq_append(&snl, &sudo_nss_file); got_match = true; ep = &cp[5]; +#ifdef HAVE_LDAP } else if (!saw_ldap && strncasecmp(cp, "ldap", 4) == 0 && (isspace((unsigned char)cp[4]) || cp[4] == '\0')) { tq_append(&snl, &sudo_nss_ldap); got_match = true; ep = &cp[4]; +#endif +#ifdef HAVE_SSSD + } else if (!saw_sss && strncasecmp(cp, "sss", 3) == 0 && + (isspace((unsigned char)cp[3]) || cp[3] == '\0')) { + tq_append(&snl, &sudo_nss_sss); + got_match = true; + ep = &cp[3]; +#endif } else { got_match = false; } @@ -195,6 +228,9 @@ sudo_read_nss(void) static struct sudo_nss_list snl; debug_decl(sudo_read_nss, SUDO_DEBUG_NSS) +# ifdef HAVE_SSSD + tq_append(&snl, &sudo_nss_sss); +# endif # ifdef HAVE_LDAP tq_append(&snl, &sudo_nss_ldap); # endif @@ -226,22 +262,26 @@ output(const char *buf) /* * Print out privileges for the specified user. - * We only get here if the user is allowed to run something on this host. + * We only get here if the user is allowed to run something. */ void display_privs(struct sudo_nss_list *snl, struct passwd *pw) { struct sudo_nss *nss; struct lbuf defs, privs; - int count, olen; + struct stat sb; + int cols, count, olen; debug_decl(display_privs, SUDO_DEBUG_NSS) - lbuf_init(&defs, output, 4, NULL, sudo_user.cols); - lbuf_init(&privs, output, 4, NULL, sudo_user.cols); + cols = sudo_user.cols; + if (fstat(STDOUT_FILENO, &sb) == 0 && S_ISFIFO(sb.st_mode)) + cols = 0; + lbuf_init(&defs, output, 4, NULL, cols); + lbuf_init(&privs, output, 8, NULL, cols); /* Display defaults from all sources. */ - lbuf_append(&defs, _("Matching Defaults entries for %s on this host:\n"), - pw->pw_name); + lbuf_append(&defs, _("Matching Defaults entries for %s on %s:\n"), + pw->pw_name, user_srunhost); count = 0; tq_foreach_fwd(snl, nss) { count += nss->display_defaults(nss, pw, &defs); @@ -266,19 +306,20 @@ display_privs(struct sudo_nss_list *snl, struct passwd /* Display privileges from all sources. */ lbuf_append(&privs, - _("User %s may run the following commands on this host:\n"), - pw->pw_name); + _("User %s may run the following commands on %s:\n"), + pw->pw_name, user_srunhost); count = 0; tq_foreach_fwd(snl, nss) { count += nss->display_privs(nss, pw, &privs); } - if (count) { - lbuf_print(&defs); - lbuf_print(&privs); - } else { - printf(_("User %s is not allowed to run sudo on %s.\n"), pw->pw_name, - user_shost); + if (count == 0) { + defs.len = 0; + privs.len = 0; + lbuf_append(&privs, _("User %s is not allowed to run sudo on %s.\n"), + pw->pw_name, user_shost); } + lbuf_print(&defs); + lbuf_print(&privs); lbuf_destroy(&defs); lbuf_destroy(&privs);