version 1.1.1.5, 2013/10/14 07:56:35
|
version 1.1.1.6, 2014/06/15 16:12:54
|
Line 100 struct sudo_user sudo_user;
|
Line 100 struct sudo_user sudo_user;
|
struct passwd *list_pw; |
struct passwd *list_pw; |
int long_list; |
int long_list; |
uid_t timestamp_uid; |
uid_t timestamp_uid; |
extern int errorlineno; |
|
extern bool parse_error; |
|
extern char *errorfile; |
|
#ifdef HAVE_BSD_AUTH_H |
#ifdef HAVE_BSD_AUTH_H |
char *login_style; |
char *login_style; |
#endif /* HAVE_BSD_AUTH_H */ |
#endif /* HAVE_BSD_AUTH_H */ |
Line 150 sudoers_policy_init(void *info, char * const envp[])
|
Line 147 sudoers_policy_init(void *info, char * const envp[])
|
set_perms(PERM_ROOT); |
set_perms(PERM_ROOT); |
|
|
/* Open and parse sudoers, set global defaults */ |
/* Open and parse sudoers, set global defaults */ |
for (nss = snl->first; nss != NULL; nss = nss_next) { | TAILQ_FOREACH_SAFE(nss, snl, entries, nss_next) { |
nss_next = nss->next; | |
if (nss->open(nss) == 0 && nss->parse(nss) == 0) { |
if (nss->open(nss) == 0 && nss->parse(nss) == 0) { |
sources++; |
sources++; |
if (nss->setdefs(nss) != 0) |
if (nss->setdefs(nss) != 0) |
log_warning(NO_STDERR, N_("problem with defaults entries")); |
log_warning(NO_STDERR, N_("problem with defaults entries")); |
} else { |
} else { |
tq_remove(snl, nss); | TAILQ_REMOVE(snl, nss, entries); |
} |
} |
} |
} |
if (sources == 0) { |
if (sources == 0) { |
warningx(_("no valid sudoers sources found, quitting")); | warningx(U_("no valid sudoers sources found, quitting")); |
debug_return_bool(-1); |
debug_return_bool(-1); |
} |
} |
|
|
Line 223 sudoers_policy_main(int argc, char * const argv[], int
|
Line 219 sudoers_policy_main(int argc, char * const argv[], int
|
|
|
/* Is root even allowed to run sudo? */ |
/* Is root even allowed to run sudo? */ |
if (user_uid == 0 && !def_root_sudo) { |
if (user_uid == 0 && !def_root_sudo) { |
warningx(_("sudoers specifies that root is not allowed to sudo")); | warningx(U_("sudoers specifies that root is not allowed to sudo")); |
goto bad; |
goto bad; |
} |
} |
|
|
Line 262 sudoers_policy_main(int argc, char * const argv[], int
|
Line 258 sudoers_policy_main(int argc, char * const argv[], int
|
/* Check for -C overriding def_closefrom. */ |
/* Check for -C overriding def_closefrom. */ |
if (user_closefrom >= 0 && user_closefrom != def_closefrom) { |
if (user_closefrom >= 0 && user_closefrom != def_closefrom) { |
if (!def_closefrom_override) { |
if (!def_closefrom_override) { |
warningx(_("you are not permitted to use the -C option")); | warningx(U_("you are not permitted to use the -C option")); |
goto bad; |
goto bad; |
} |
} |
def_closefrom = user_closefrom; |
def_closefrom = user_closefrom; |
Line 273 sudoers_policy_main(int argc, char * const argv[], int
|
Line 269 sudoers_policy_main(int argc, char * const argv[], int
|
*/ |
*/ |
sudoers_setlocale(SUDOERS_LOCALE_SUDOERS, &oldlocale); |
sudoers_setlocale(SUDOERS_LOCALE_SUDOERS, &oldlocale); |
validated = FLAG_NO_USER | FLAG_NO_HOST; |
validated = FLAG_NO_USER | FLAG_NO_HOST; |
tq_foreach_fwd(snl, nss) { | TAILQ_FOREACH(nss, snl, entries) { |
validated = nss->lookup(nss, validated, pwflag); |
validated = nss->lookup(nss, validated, pwflag); |
|
|
if (ISSET(validated, VALIDATE_OK)) { |
if (ISSET(validated, VALIDATE_OK)) { |
Line 301 sudoers_policy_main(int argc, char * const argv[], int
|
Line 297 sudoers_policy_main(int argc, char * const argv[], int
|
* Look up the timestamp dir owner if one is specified. |
* Look up the timestamp dir owner if one is specified. |
*/ |
*/ |
if (def_timestampowner) { |
if (def_timestampowner) { |
struct passwd *pw; | struct passwd *pw = NULL; |
|
|
if (*def_timestampowner == '#') | if (*def_timestampowner == '#') { |
pw = sudo_getpwuid(atoi(def_timestampowner + 1)); | const char *errstr; |
else | uid_t uid = atoid(def_timestampowner + 1, NULL, NULL, &errstr); |
| if (errstr == NULL) |
| pw = sudo_getpwuid(uid); |
| } |
| if (pw == NULL) |
pw = sudo_getpwnam(def_timestampowner); |
pw = sudo_getpwnam(def_timestampowner); |
if (pw != NULL) { |
if (pw != NULL) { |
timestamp_uid = pw->pw_uid; |
timestamp_uid = pw->pw_uid; |
Line 326 sudoers_policy_main(int argc, char * const argv[], int
|
Line 326 sudoers_policy_main(int argc, char * const argv[], int
|
/* Bail if a tty is required and we don't have one. */ |
/* Bail if a tty is required and we don't have one. */ |
if (def_requiretty && !tty_present()) { |
if (def_requiretty && !tty_present()) { |
audit_failure(NewArgv, N_("no tty")); |
audit_failure(NewArgv, N_("no tty")); |
warningx(_("sorry, you must have a tty to run sudo")); | warningx(U_("sorry, you must have a tty to run sudo")); |
goto bad; |
goto bad; |
} |
} |
|
|
Line 375 sudoers_policy_main(int argc, char * const argv[], int
|
Line 375 sudoers_policy_main(int argc, char * const argv[], int
|
/* Finally tell the user if the command did not exist. */ |
/* Finally tell the user if the command did not exist. */ |
if (cmnd_status == NOT_FOUND_DOT) { |
if (cmnd_status == NOT_FOUND_DOT) { |
audit_failure(NewArgv, N_("command in current directory")); |
audit_failure(NewArgv, N_("command in current directory")); |
warningx(_("ignoring `%s' found in '.'\nUse `sudo ./%s' if this is the `%s' you wish to run."), user_cmnd, user_cmnd, user_cmnd); | warningx(U_("ignoring `%s' found in '.'\nUse `sudo ./%s' if this is the `%s' you wish to run."), user_cmnd, user_cmnd, user_cmnd); |
goto bad; |
goto bad; |
} else if (cmnd_status == NOT_FOUND) { |
} else if (cmnd_status == NOT_FOUND) { |
if (ISSET(sudo_mode, MODE_CHECK)) { |
if (ISSET(sudo_mode, MODE_CHECK)) { |
audit_failure(NewArgv, N_("%s: command not found"), NewArgv[0]); |
audit_failure(NewArgv, N_("%s: command not found"), NewArgv[0]); |
warningx(_("%s: command not found"), NewArgv[0]); | warningx(U_("%s: command not found"), NewArgv[0]); |
} else { |
} else { |
audit_failure(NewArgv, N_("%s: command not found"), user_cmnd); |
audit_failure(NewArgv, N_("%s: command not found"), user_cmnd); |
warningx(_("%s: command not found"), user_cmnd); | warningx(U_("%s: command not found"), user_cmnd); |
} |
} |
goto bad; |
goto bad; |
} |
} |
Line 391 sudoers_policy_main(int argc, char * const argv[], int
|
Line 391 sudoers_policy_main(int argc, char * const argv[], int
|
/* If user specified env vars make sure sudoers allows it. */ |
/* If user specified env vars make sure sudoers allows it. */ |
if (ISSET(sudo_mode, MODE_RUN) && !def_setenv) { |
if (ISSET(sudo_mode, MODE_RUN) && !def_setenv) { |
if (ISSET(sudo_mode, MODE_PRESERVE_ENV)) { |
if (ISSET(sudo_mode, MODE_PRESERVE_ENV)) { |
warningx(_("sorry, you are not allowed to preserve the environment")); | warningx(U_("sorry, you are not allowed to preserve the environment")); |
goto bad; |
goto bad; |
} else |
} else |
validate_env_vars(sudo_user.env_vars); |
validate_env_vars(sudo_user.env_vars); |
Line 413 sudoers_policy_main(int argc, char * const argv[], int
|
Line 413 sudoers_policy_main(int argc, char * const argv[], int
|
display_privs(snl, list_pw ? list_pw : sudo_user.pw); /* XXX - return val */ |
display_privs(snl, list_pw ? list_pw : sudo_user.pw); /* XXX - return val */ |
|
|
/* Cleanup sudoers sources */ |
/* Cleanup sudoers sources */ |
tq_foreach_fwd(snl, nss) { | TAILQ_FOREACH(nss, snl, entries) { |
nss->close(nss); |
nss->close(nss); |
} |
} |
if (def_group_plugin) |
if (def_group_plugin) |
Line 559 init_vars(char * const envp[])
|
Line 559 init_vars(char * const envp[])
|
* YP/NIS/NIS+/LDAP/etc daemon has died. |
* YP/NIS/NIS+/LDAP/etc daemon has died. |
*/ |
*/ |
if (sudo_mode == MODE_KILL || sudo_mode == MODE_INVALIDATE) |
if (sudo_mode == MODE_KILL || sudo_mode == MODE_INVALIDATE) |
fatalx(_("unknown uid: %u"), (unsigned int) user_uid); | fatalx(U_("unknown uid: %u"), (unsigned int) user_uid); |
|
|
/* Need to make a fake struct passwd for the call to log_fatal(). */ |
/* Need to make a fake struct passwd for the call to log_fatal(). */ |
sudo_user.pw = sudo_mkpwent(user_name, user_uid, user_gid, NULL, NULL); |
sudo_user.pw = sudo_mkpwent(user_name, user_uid, user_gid, NULL, NULL); |
Line 653 set_cmnd(void)
|
Line 653 set_cmnd(void)
|
for (to = user_args, av = NewArgv + 1; *av; av++) { |
for (to = user_args, av = NewArgv + 1; *av; av++) { |
n = strlcpy(to, *av, size - (to - user_args)); |
n = strlcpy(to, *av, size - (to - user_args)); |
if (n >= size - (to - user_args)) |
if (n >= size - (to - user_args)) |
fatalx(_("internal error, %s overflow"), "set_cmnd()"); | fatalx(U_("internal error, %s overflow"), "set_cmnd()"); |
to += n; |
to += n; |
*to++ = ' '; |
*to++ = ' '; |
} |
} |
Line 693 open_sudoers(const char *sudoers, bool doedit, bool *k
|
Line 693 open_sudoers(const char *sudoers, bool doedit, bool *k
|
switch (sudo_secure_file(sudoers, sudoers_uid, sudoers_gid, &sb)) { |
switch (sudo_secure_file(sudoers, sudoers_uid, sudoers_gid, &sb)) { |
case SUDO_PATH_SECURE: |
case SUDO_PATH_SECURE: |
/* |
/* |
* If we are expecting sudoers to be group readable but | * If we are expecting sudoers to be group readable by |
* it is not, we must open the file as root, not uid 1. | * SUDOERS_GID but it is not, we must open the file as root, |
| * not uid 1. |
*/ |
*/ |
if (sudoers_uid == ROOT_UID && (sudoers_mode & S_IRGRP)) { | if (sudoers_uid == ROOT_UID && ISSET(sudoers_mode, S_IRGRP)) { |
if ((sb.st_mode & S_IRGRP) == 0) { | if (!ISSET(sb.st_mode, S_IRGRP) || sb.st_gid != SUDOERS_GID) { |
restore_perms(); |
restore_perms(); |
set_perms(PERM_ROOT); |
set_perms(PERM_ROOT); |
} |
} |
Line 760 set_loginclass(struct passwd *pw)
|
Line 761 set_loginclass(struct passwd *pw)
|
debug_return; |
debug_return; |
|
|
if (login_class && strcmp(login_class, "-") != 0) { |
if (login_class && strcmp(login_class, "-") != 0) { |
if (user_uid != 0 && | if (user_uid != 0 && pw->pw_uid != 0) |
strcmp(runas_user ? runas_user : def_runas_default, "root") != 0) | fatalx(U_("only root can use `-c %s'"), login_class); |
fatalx(_("only root can use `-c %s'"), login_class); | |
} else { |
} else { |
login_class = pw->pw_class; |
login_class = pw->pw_class; |
if (!login_class || !*login_class) |
if (!login_class || !*login_class) |
Line 835 set_fqdn(void)
|
Line 835 set_fqdn(void)
|
static void |
static void |
set_runaspw(const char *user) |
set_runaspw(const char *user) |
{ |
{ |
|
struct passwd *pw = NULL; |
debug_decl(set_runaspw, SUDO_DEBUG_PLUGIN) |
debug_decl(set_runaspw, SUDO_DEBUG_PLUGIN) |
|
|
if (runas_pw != NULL) |
|
sudo_pw_delref(runas_pw); |
|
if (*user == '#') { |
if (*user == '#') { |
if ((runas_pw = sudo_getpwuid(atoi(user + 1))) == NULL) | const char *errstr; |
runas_pw = sudo_fakepwnam(user, runas_gr ? runas_gr->gr_gid : 0); | uid_t uid = atoid(user + 1, NULL, NULL, &errstr); |
} else { | if (errstr == NULL) { |
if ((runas_pw = sudo_getpwnam(user)) == NULL) | if ((pw = sudo_getpwuid(uid)) == NULL) |
| pw = sudo_fakepwnam(user, runas_gr ? runas_gr->gr_gid : 0); |
| } |
| } |
| if (pw == NULL) { |
| if ((pw = sudo_getpwnam(user)) == NULL) |
log_fatal(NO_MAIL|MSG_ONLY, N_("unknown user: %s"), user); |
log_fatal(NO_MAIL|MSG_ONLY, N_("unknown user: %s"), user); |
} |
} |
|
if (runas_pw != NULL) |
|
sudo_pw_delref(runas_pw); |
|
runas_pw = pw; |
debug_return; |
debug_return; |
} |
} |
|
|
Line 856 set_runaspw(const char *user)
|
Line 863 set_runaspw(const char *user)
|
static void |
static void |
set_runasgr(const char *group) |
set_runasgr(const char *group) |
{ |
{ |
|
struct group *gr = NULL; |
debug_decl(set_runasgr, SUDO_DEBUG_PLUGIN) |
debug_decl(set_runasgr, SUDO_DEBUG_PLUGIN) |
|
|
if (runas_gr != NULL) |
|
sudo_gr_delref(runas_gr); |
|
if (*group == '#') { |
if (*group == '#') { |
if ((runas_gr = sudo_getgrgid(atoi(group + 1))) == NULL) | const char *errstr; |
runas_gr = sudo_fakegrnam(group); | gid_t gid = atoid(group + 1, NULL, NULL, &errstr); |
} else { | if (errstr == NULL) { |
if ((runas_gr = sudo_getgrnam(group)) == NULL) | if ((gr = sudo_getgrgid(gid)) == NULL) |
| gr = sudo_fakegrnam(group); |
| } |
| } |
| if (gr == NULL) { |
| if ((gr = sudo_getgrnam(group)) == NULL) |
log_fatal(NO_MAIL|MSG_ONLY, N_("unknown group: %s"), group); |
log_fatal(NO_MAIL|MSG_ONLY, N_("unknown group: %s"), group); |
} |
} |
|
if (runas_gr != NULL) |
|
sudo_gr_delref(runas_gr); |
|
runas_gr = gr; |
debug_return; |
debug_return; |
} |
} |
|
|
Line 902 sudoers_cleanup(void)
|
Line 916 sudoers_cleanup(void)
|
debug_decl(sudoers_cleanup, SUDO_DEBUG_PLUGIN) |
debug_decl(sudoers_cleanup, SUDO_DEBUG_PLUGIN) |
|
|
if (snl != NULL) { |
if (snl != NULL) { |
tq_foreach_fwd(snl, nss) | TAILQ_FOREACH(nss, snl, entries) { |
nss->close(nss); |
nss->close(nss); |
|
} |
} |
} |
if (def_group_plugin) |
if (def_group_plugin) |
group_plugin_unload(); |
group_plugin_unload(); |
Line 1001 find_editor(int nfiles, char **files, char ***argv_out
|
Line 1016 find_editor(int nfiles, char **files, char ***argv_out
|
} |
} |
if (!editor_path) { |
if (!editor_path) { |
audit_failure(NewArgv, N_("%s: command not found"), editor); |
audit_failure(NewArgv, N_("%s: command not found"), editor); |
warningx(_("%s: command not found"), editor); | warningx(U_("%s: command not found"), editor); |
} |
} |
debug_return_str(editor_path); |
debug_return_str(editor_path); |
} |
} |
Line 1022 create_admin_success_flag(void)
|
Line 1037 create_admin_success_flag(void)
|
/* Build path to flag file. */ |
/* Build path to flag file. */ |
n = snprintf(flagfile, sizeof(flagfile), "%s/.sudo_as_admin_successful", |
n = snprintf(flagfile, sizeof(flagfile), "%s/.sudo_as_admin_successful", |
user_dir); |
user_dir); |
if (n <= 0 || n >= sizeof(flagfile)) | if (n <= 0 || (size_t)n >= sizeof(flagfile)) |
debug_return; |
debug_return; |
|
|
/* Create admin flag file if it doesn't already exist. */ |
/* Create admin flag file if it doesn't already exist. */ |