embedaddon/sudo/plugins/sudoers/sudoers.c - diff

Return to sudoers.c CVS log

Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / sudo / plugins / sudoers

Diff for /embedaddon/sudo/plugins/sudoers/sudoers.c between versions 1.1.1.5 and 1.1.1.6

version 1.1.1.5, 2013/10/14 07:56:35	version 1.1.1.6, 2014/06/15 16:12:54
Line 100 struct sudo_user sudo_user;	Line 100 struct sudo_user sudo_user;
struct passwd *list_pw;	struct passwd *list_pw;
int long_list;	int long_list;
uid_t timestamp_uid;	uid_t timestamp_uid;
extern int errorlineno;
extern bool parse_error;
extern char *errorfile;
#ifdef HAVE_BSD_AUTH_H	#ifdef HAVE_BSD_AUTH_H
char *login_style;	char *login_style;
#endif /* HAVE_BSD_AUTH_H */	#endif /* HAVE_BSD_AUTH_H */
Line 150 sudoers_policy_init(void info, char const envp[])	Line 147 sudoers_policy_init(void info, char const envp[])
set_perms(PERM_ROOT);	set_perms(PERM_ROOT);

/* Open and parse sudoers, set global defaults */	/* Open and parse sudoers, set global defaults */
for (nss = snl->first; nss != NULL; nss = nss_next) {	TAILQ_FOREACH_SAFE(nss, snl, entries, nss_next) {
nss_next = nss->next;
if (nss->open(nss) == 0 && nss->parse(nss) == 0) {	if (nss->open(nss) == 0 && nss->parse(nss) == 0) {
sources++;	sources++;
if (nss->setdefs(nss) != 0)	if (nss->setdefs(nss) != 0)
log_warning(NO_STDERR, N_("problem with defaults entries"));	log_warning(NO_STDERR, N_("problem with defaults entries"));
} else {	} else {
tq_remove(snl, nss);	TAILQ_REMOVE(snl, nss, entries);
}	}
}	}
if (sources == 0) {	if (sources == 0) {
warningx(_("no valid sudoers sources found, quitting"));	warningx(U_("no valid sudoers sources found, quitting"));
debug_return_bool(-1);	debug_return_bool(-1);
}	}

Line 223 sudoers_policy_main(int argc, char * const argv[], int	Line 219 sudoers_policy_main(int argc, char * const argv[], int

/* Is root even allowed to run sudo? */	/* Is root even allowed to run sudo? */
if (user_uid == 0 && !def_root_sudo) {	if (user_uid == 0 && !def_root_sudo) {
warningx(_("sudoers specifies that root is not allowed to sudo"));	warningx(U_("sudoers specifies that root is not allowed to sudo"));
goto bad;	goto bad;
}	}

Line 262 sudoers_policy_main(int argc, char * const argv[], int	Line 258 sudoers_policy_main(int argc, char * const argv[], int
/* Check for -C overriding def_closefrom. */	/* Check for -C overriding def_closefrom. */
if (user_closefrom >= 0 && user_closefrom != def_closefrom) {	if (user_closefrom >= 0 && user_closefrom != def_closefrom) {
if (!def_closefrom_override) {	if (!def_closefrom_override) {
warningx(_("you are not permitted to use the -C option"));	warningx(U_("you are not permitted to use the -C option"));
goto bad;	goto bad;
}	}
def_closefrom = user_closefrom;	def_closefrom = user_closefrom;
Line 273 sudoers_policy_main(int argc, char * const argv[], int	Line 269 sudoers_policy_main(int argc, char * const argv[], int
*/	*/
sudoers_setlocale(SUDOERS_LOCALE_SUDOERS, &oldlocale);	sudoers_setlocale(SUDOERS_LOCALE_SUDOERS, &oldlocale);
validated = FLAG_NO_USER \| FLAG_NO_HOST;	validated = FLAG_NO_USER \| FLAG_NO_HOST;
tq_foreach_fwd(snl, nss) {	TAILQ_FOREACH(nss, snl, entries) {
validated = nss->lookup(nss, validated, pwflag);	validated = nss->lookup(nss, validated, pwflag);

if (ISSET(validated, VALIDATE_OK)) {	if (ISSET(validated, VALIDATE_OK)) {
Line 301 sudoers_policy_main(int argc, char * const argv[], int	Line 297 sudoers_policy_main(int argc, char * const argv[], int
* Look up the timestamp dir owner if one is specified.	* Look up the timestamp dir owner if one is specified.
*/	*/
if (def_timestampowner) {	if (def_timestampowner) {
struct passwd *pw;	struct passwd *pw = NULL;

if (*def_timestampowner == '#')	if (*def_timestampowner == '#') {
pw = sudo_getpwuid(atoi(def_timestampowner + 1));	const char *errstr;
else	uid_t uid = atoid(def_timestampowner + 1, NULL, NULL, &errstr);
	if (errstr == NULL)
	pw = sudo_getpwuid(uid);
	}
	if (pw == NULL)
pw = sudo_getpwnam(def_timestampowner);	pw = sudo_getpwnam(def_timestampowner);
if (pw != NULL) {	if (pw != NULL) {
timestamp_uid = pw->pw_uid;	timestamp_uid = pw->pw_uid;
Line 326 sudoers_policy_main(int argc, char * const argv[], int	Line 326 sudoers_policy_main(int argc, char * const argv[], int
/* Bail if a tty is required and we don't have one. */	/* Bail if a tty is required and we don't have one. */
if (def_requiretty && !tty_present()) {	if (def_requiretty && !tty_present()) {
audit_failure(NewArgv, N_("no tty"));	audit_failure(NewArgv, N_("no tty"));
warningx(_("sorry, you must have a tty to run sudo"));	warningx(U_("sorry, you must have a tty to run sudo"));
goto bad;	goto bad;
}	}

Line 375 sudoers_policy_main(int argc, char * const argv[], int	Line 375 sudoers_policy_main(int argc, char * const argv[], int
/* Finally tell the user if the command did not exist. */	/* Finally tell the user if the command did not exist. */
if (cmnd_status == NOT_FOUND_DOT) {	if (cmnd_status == NOT_FOUND_DOT) {
audit_failure(NewArgv, N_("command in current directory"));	audit_failure(NewArgv, N_("command in current directory"));
warningx(_("ignoring `%s' found in '.'\nUse `sudo ./%s' if this is the `%s' you wish to run."), user_cmnd, user_cmnd, user_cmnd);	warningx(U_("ignoring `%s' found in '.'\nUse `sudo ./%s' if this is the `%s' you wish to run."), user_cmnd, user_cmnd, user_cmnd);
goto bad;	goto bad;
} else if (cmnd_status == NOT_FOUND) {	} else if (cmnd_status == NOT_FOUND) {
if (ISSET(sudo_mode, MODE_CHECK)) {	if (ISSET(sudo_mode, MODE_CHECK)) {
audit_failure(NewArgv, N_("%s: command not found"), NewArgv[0]);	audit_failure(NewArgv, N_("%s: command not found"), NewArgv[0]);
warningx(_("%s: command not found"), NewArgv[0]);	warningx(U_("%s: command not found"), NewArgv[0]);
} else {	} else {
audit_failure(NewArgv, N_("%s: command not found"), user_cmnd);	audit_failure(NewArgv, N_("%s: command not found"), user_cmnd);
warningx(_("%s: command not found"), user_cmnd);	warningx(U_("%s: command not found"), user_cmnd);
}	}
goto bad;	goto bad;
}	}
Line 391 sudoers_policy_main(int argc, char * const argv[], int	Line 391 sudoers_policy_main(int argc, char * const argv[], int
/* If user specified env vars make sure sudoers allows it. */	/* If user specified env vars make sure sudoers allows it. */
if (ISSET(sudo_mode, MODE_RUN) && !def_setenv) {	if (ISSET(sudo_mode, MODE_RUN) && !def_setenv) {
if (ISSET(sudo_mode, MODE_PRESERVE_ENV)) {	if (ISSET(sudo_mode, MODE_PRESERVE_ENV)) {
warningx(_("sorry, you are not allowed to preserve the environment"));	warningx(U_("sorry, you are not allowed to preserve the environment"));
goto bad;	goto bad;
} else	} else
validate_env_vars(sudo_user.env_vars);	validate_env_vars(sudo_user.env_vars);
Line 413 sudoers_policy_main(int argc, char * const argv[], int	Line 413 sudoers_policy_main(int argc, char * const argv[], int
display_privs(snl, list_pw ? list_pw : sudo_user.pw); /* XXX - return val */	display_privs(snl, list_pw ? list_pw : sudo_user.pw); /* XXX - return val */

/* Cleanup sudoers sources */	/* Cleanup sudoers sources */
tq_foreach_fwd(snl, nss) {	TAILQ_FOREACH(nss, snl, entries) {
nss->close(nss);	nss->close(nss);
}	}
if (def_group_plugin)	if (def_group_plugin)
Line 559 init_vars(char * const envp[])	Line 559 init_vars(char * const envp[])
* YP/NIS/NIS+/LDAP/etc daemon has died.	* YP/NIS/NIS+/LDAP/etc daemon has died.
*/	*/
if (sudo_mode == MODE_KILL \|\| sudo_mode == MODE_INVALIDATE)	if (sudo_mode == MODE_KILL \|\| sudo_mode == MODE_INVALIDATE)
fatalx(_("unknown uid: %u"), (unsigned int) user_uid);	fatalx(U_("unknown uid: %u"), (unsigned int) user_uid);

/* Need to make a fake struct passwd for the call to log_fatal(). */	/* Need to make a fake struct passwd for the call to log_fatal(). */
sudo_user.pw = sudo_mkpwent(user_name, user_uid, user_gid, NULL, NULL);	sudo_user.pw = sudo_mkpwent(user_name, user_uid, user_gid, NULL, NULL);
Line 653 set_cmnd(void)	Line 653 set_cmnd(void)
for (to = user_args, av = NewArgv + 1; *av; av++) {	for (to = user_args, av = NewArgv + 1; *av; av++) {
n = strlcpy(to, *av, size - (to - user_args));	n = strlcpy(to, *av, size - (to - user_args));
if (n >= size - (to - user_args))	if (n >= size - (to - user_args))
fatalx(_("internal error, %s overflow"), "set_cmnd()");	fatalx(U_("internal error, %s overflow"), "set_cmnd()");
to += n;	to += n;
*to++ = ' ';	*to++ = ' ';
}	}
Line 693 open_sudoers(const char sudoers, bool doedit, bool k	Line 693 open_sudoers(const char sudoers, bool doedit, bool k
switch (sudo_secure_file(sudoers, sudoers_uid, sudoers_gid, &sb)) {	switch (sudo_secure_file(sudoers, sudoers_uid, sudoers_gid, &sb)) {
case SUDO_PATH_SECURE:	case SUDO_PATH_SECURE:
/*	/*
* If we are expecting sudoers to be group readable but	* If we are expecting sudoers to be group readable by
* it is not, we must open the file as root, not uid 1.	* SUDOERS_GID but it is not, we must open the file as root,
	* not uid 1.
*/	*/
if (sudoers_uid == ROOT_UID && (sudoers_mode & S_IRGRP)) {	if (sudoers_uid == ROOT_UID && ISSET(sudoers_mode, S_IRGRP)) {
if ((sb.st_mode & S_IRGRP) == 0) {	if (!ISSET(sb.st_mode, S_IRGRP) \|\| sb.st_gid != SUDOERS_GID) {
restore_perms();	restore_perms();
set_perms(PERM_ROOT);	set_perms(PERM_ROOT);
}	}
Line 760 set_loginclass(struct passwd *pw)	Line 761 set_loginclass(struct passwd *pw)
debug_return;	debug_return;

if (login_class && strcmp(login_class, "-") != 0) {	if (login_class && strcmp(login_class, "-") != 0) {
if (user_uid != 0 &&	if (user_uid != 0 && pw->pw_uid != 0)
strcmp(runas_user ? runas_user : def_runas_default, "root") != 0)	fatalx(U_("only root can use `-c %s'"), login_class);
fatalx(_("only root can use `-c %s'"), login_class);
} else {	} else {
login_class = pw->pw_class;	login_class = pw->pw_class;
if (!login_class \|\| !*login_class)	if (!login_class \|\| !*login_class)
Line 835 set_fqdn(void)	Line 835 set_fqdn(void)
static void	static void
set_runaspw(const char *user)	set_runaspw(const char *user)
{	{
	struct passwd *pw = NULL;
debug_decl(set_runaspw, SUDO_DEBUG_PLUGIN)	debug_decl(set_runaspw, SUDO_DEBUG_PLUGIN)

if (runas_pw != NULL)
sudo_pw_delref(runas_pw);
if (*user == '#') {	if (*user == '#') {
if ((runas_pw = sudo_getpwuid(atoi(user + 1))) == NULL)	const char *errstr;
runas_pw = sudo_fakepwnam(user, runas_gr ? runas_gr->gr_gid : 0);	uid_t uid = atoid(user + 1, NULL, NULL, &errstr);
} else {	if (errstr == NULL) {
if ((runas_pw = sudo_getpwnam(user)) == NULL)	if ((pw = sudo_getpwuid(uid)) == NULL)
	pw = sudo_fakepwnam(user, runas_gr ? runas_gr->gr_gid : 0);
	}
	}
	if (pw == NULL) {
	if ((pw = sudo_getpwnam(user)) == NULL)
log_fatal(NO_MAIL\|MSG_ONLY, N_("unknown user: %s"), user);	log_fatal(NO_MAIL\|MSG_ONLY, N_("unknown user: %s"), user);
}	}
	if (runas_pw != NULL)
	sudo_pw_delref(runas_pw);
	runas_pw = pw;
debug_return;	debug_return;
}	}

Line 856 set_runaspw(const char *user)	Line 863 set_runaspw(const char *user)
static void	static void
set_runasgr(const char *group)	set_runasgr(const char *group)
{	{
	struct group *gr = NULL;
debug_decl(set_runasgr, SUDO_DEBUG_PLUGIN)	debug_decl(set_runasgr, SUDO_DEBUG_PLUGIN)

if (runas_gr != NULL)
sudo_gr_delref(runas_gr);
if (*group == '#') {	if (*group == '#') {
if ((runas_gr = sudo_getgrgid(atoi(group + 1))) == NULL)	const char *errstr;
runas_gr = sudo_fakegrnam(group);	gid_t gid = atoid(group + 1, NULL, NULL, &errstr);
} else {	if (errstr == NULL) {
if ((runas_gr = sudo_getgrnam(group)) == NULL)	if ((gr = sudo_getgrgid(gid)) == NULL)
	gr = sudo_fakegrnam(group);
	}
	}
	if (gr == NULL) {
	if ((gr = sudo_getgrnam(group)) == NULL)
log_fatal(NO_MAIL\|MSG_ONLY, N_("unknown group: %s"), group);	log_fatal(NO_MAIL\|MSG_ONLY, N_("unknown group: %s"), group);
}	}
	if (runas_gr != NULL)
	sudo_gr_delref(runas_gr);
	runas_gr = gr;
debug_return;	debug_return;
}	}

Line 902 sudoers_cleanup(void)	Line 916 sudoers_cleanup(void)
debug_decl(sudoers_cleanup, SUDO_DEBUG_PLUGIN)	debug_decl(sudoers_cleanup, SUDO_DEBUG_PLUGIN)

if (snl != NULL) {	if (snl != NULL) {
tq_foreach_fwd(snl, nss)	TAILQ_FOREACH(nss, snl, entries) {
nss->close(nss);	nss->close(nss);
	}
}	}
if (def_group_plugin)	if (def_group_plugin)
group_plugin_unload();	group_plugin_unload();
Line 1001 find_editor(int nfiles, char files, char *argv_out	Line 1016 find_editor(int nfiles, char files, char *argv_out
}	}
if (!editor_path) {	if (!editor_path) {
audit_failure(NewArgv, N_("%s: command not found"), editor);	audit_failure(NewArgv, N_("%s: command not found"), editor);
warningx(_("%s: command not found"), editor);	warningx(U_("%s: command not found"), editor);
}	}
debug_return_str(editor_path);	debug_return_str(editor_path);
}	}
Line 1022 create_admin_success_flag(void)	Line 1037 create_admin_success_flag(void)
/* Build path to flag file. */	/* Build path to flag file. */
n = snprintf(flagfile, sizeof(flagfile), "%s/.sudo_as_admin_successful",	n = snprintf(flagfile, sizeof(flagfile), "%s/.sudo_as_admin_successful",
user_dir);	user_dir);
if (n <= 0 \|\| n >= sizeof(flagfile))	if (n <= 0 \|\| (size_t)n >= sizeof(flagfile))
debug_return;	debug_return;

/* Create admin flag file if it doesn't already exist. */	/* Create admin flag file if it doesn't already exist. */

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>

Removed from v.1.1.1.5
changed lines
	Added in v.1.1.1.6