--- embedaddon/sudo/src/sudo.c 2012/05/29 12:26:49 1.1.1.2 +++ embedaddon/sudo/src/sudo.c 2014/06/15 16:12:55 1.1.1.6 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2009-2012 Todd C. Miller + * Copyright (c) 2009-2013 Todd C. Miller * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -21,7 +21,6 @@ #include #include -#include #include #include #include @@ -55,12 +54,9 @@ #include #include #include -#if TIME_WITH_SYS_TIME +#ifdef TIME_WITH_SYS_TIME # include #endif -#ifdef HAVE_SETLOCALE -# include -#endif #ifdef HAVE_LOGIN_CAP_H # include # ifndef LOGIN_SETENV @@ -86,25 +82,20 @@ # endif /* __hpux */ # include #endif /* HAVE_GETPRPWNAM && HAVE_SET_AUTH_PARAMETERS */ -#if defined(HAVE_STRUCT_KINFO_PROC_P_TDEV) || defined (HAVE_STRUCT_KINFO_PROC_KP_EPROC_E_TDEV) -# include -#elif defined(HAVE_STRUCT_KINFO_PROC_KI_TDEV) -# include -# include -#endif +#include #include "sudo.h" #include "sudo_plugin.h" #include "sudo_plugin_int.h" -#include /* * Local variables */ struct plugin_container policy_plugin; -struct plugin_container_list io_plugins; +struct plugin_container_list io_plugins = TAILQ_HEAD_INITIALIZER(io_plugins); struct user_details user_details; -const char *list_user, *runas_user, *runas_group; /* extern for parse_args.c */ +const char *list_user; /* extern for parse_args.c */ +static struct command_details command_details; static int sudo_mode; /* @@ -142,11 +133,13 @@ static void iolog_unlink(struct plugin_container *plug #ifdef RLIMIT_CORE static struct rlimit corelimit; -#endif /* RLIMIT_CORE */ -#if defined(__linux__) +#endif +#ifdef __linux__ static struct rlimit nproclimit; #endif +__dso_public int main(int argc, char *argv[], char *envp[]); + int main(int argc, char *argv[], char *envp[]) { @@ -154,28 +147,19 @@ main(int argc, char *argv[], char *envp[]) char **nargv, **settings, **env_add; char **user_info, **command_info, **argv_out, **user_env_out; struct plugin_container *plugin, *next; - struct command_details command_details; sigset_t mask; debug_decl(main, SUDO_DEBUG_MAIN) -#if defined(SUDO_DEVEL) && defined(__OpenBSD__) - { - extern char *malloc_options; - malloc_options = "AFGJPR"; - } -#endif + os_init(argc, argv, envp); -#if !defined(HAVE_GETPROGNAME) && !defined(HAVE___PROGNAME) - if (argc > 0) - setprogname(argv[0]); -#endif - -#ifdef HAVE_SETLOCALE setlocale(LC_ALL, ""); -#endif bindtextdomain(PACKAGE_NAME, LOCALEDIR); textdomain(PACKAGE_NAME); +#ifdef HAVE_TZSET + (void) tzset(); +#endif /* HAVE_TZSET */ + /* Must be done before we do any password lookups */ #if defined(HAVE_GETPRPWNAM) && defined(HAVE_SET_AUTH_PARAMETERS) (void) set_auth_parameters(argc, argv); @@ -187,18 +171,19 @@ main(int argc, char *argv[], char *envp[]) /* Make sure we are setuid root. */ sudo_check_suid(argv[0]); - /* Reset signal mask and make sure fds 0-2 are open. */ + /* Reset signal mask, save signal state and make sure fds 0-2 are open. */ (void) sigemptyset(&mask); (void) sigprocmask(SIG_SETMASK, &mask, NULL); + save_signals(); fix_fds(); + /* Read sudo.conf. */ + sudo_conf_read(NULL); + /* Fill in user_info with user name, uid, cwd, etc. */ memset(&user_details, 0, sizeof(user_details)); user_info = get_user_info(&user_details); - /* Read sudo.conf. */ - sudo_conf_read(); - /* Disable core dumps if not enabled in sudo.conf. */ disable_coredumps(); @@ -215,7 +200,7 @@ main(int argc, char *argv[], char *envp[]) /* Load plugins. */ if (!sudo_load_plugins(&policy_plugin, &io_plugins)) - errorx(1, _("fatal error, unable to load plugins")); + fatalx(U_("fatal error, unable to load plugins")); /* Open policy plugin. */ ok = policy_open(&policy_plugin, settings, user_info, envp); @@ -223,16 +208,18 @@ main(int argc, char *argv[], char *envp[]) if (ok == -2) usage(1); else - errorx(1, _("unable to initialize policy plugin")); + fatalx(U_("unable to initialize policy plugin")); } + init_signals(); + switch (sudo_mode & MODE_MASK) { case MODE_VERSION: policy_show_version(&policy_plugin, !user_details.uid); - tq_foreach_fwd(&io_plugins, plugin) { + TAILQ_FOREACH(plugin, &io_plugins, entries) { ok = iolog_open(plugin, settings, user_info, NULL, nargc, nargv, envp); - if (ok == 1) + if (ok != -1) iolog_show_version(plugin, !user_details.uid); } break; @@ -263,8 +250,7 @@ main(int argc, char *argv[], char *envp[]) exit(1); /* plugin printed error message */ } /* Open I/O plugins once policy plugin succeeds. */ - for (plugin = io_plugins.first; plugin != NULL; plugin = next) { - next = plugin->next; + TAILQ_FOREACH_SAFE(plugin, &io_plugins, entries, next) { ok = iolog_open(plugin, settings, user_info, command_info, nargc, nargv, envp); switch (ok) { @@ -278,7 +264,7 @@ main(int argc, char *argv[], char *envp[]) usage(1); break; default: - errorx(1, _("error initializing I/O plugin %s"), + fatalx(U_("error initializing I/O plugin %s"), plugin->name); } } @@ -289,7 +275,8 @@ main(int argc, char *argv[], char *envp[]) if (ISSET(sudo_mode, MODE_BACKGROUND)) SET(command_details.flags, CD_BACKGROUND); /* Become full root (not just setuid) so user cannot kill us. */ - (void) setuid(ROOT_UID); + if (setuid(ROOT_UID) == -1) + warning("setuid(%d)", ROOT_UID); /* Restore coredumpsize resource limit before running. */ #ifdef RLIMIT_CORE if (sudo_conf_disable_coredump()) @@ -303,12 +290,22 @@ main(int argc, char *argv[], char *envp[]) /* The close method was called by sudo_edit/run_command. */ break; default: - errorx(1, _("unexpected sudo mode 0x%x"), sudo_mode); + fatalx(U_("unexpected sudo mode 0x%x"), sudo_mode); } sudo_debug_exit_int(__func__, __FILE__, __LINE__, sudo_debug_subsys, exitcode); exit(exitcode); } +int +os_init_common(int argc, char *argv[], char *envp[]) +{ + initprogname(argc > 0 ? argv[0] : "sudo"); +#ifdef STATIC_SUDOERS_PLUGIN + preload_static_symbols(); +#endif + return 0; +} + /* * Ensure that stdin, stdout and stderr are open; set to /dev/null if not. * Some operating systems do this automatically in the kernel or libc. @@ -328,13 +325,13 @@ fix_fds(void) miss[STDERR_FILENO] = fcntl(STDERR_FILENO, F_GETFL, 0) == -1; if (miss[STDIN_FILENO] || miss[STDOUT_FILENO] || miss[STDERR_FILENO]) { if ((devnull = open(_PATH_DEVNULL, O_RDWR, 0644)) == -1) - error(1, _("unable to open %s"), _PATH_DEVNULL); + fatal(U_("unable to open %s"), _PATH_DEVNULL); if (miss[STDIN_FILENO] && dup2(devnull, STDIN_FILENO) == -1) - error(1, "dup2"); + fatal("dup2"); if (miss[STDOUT_FILENO] && dup2(devnull, STDOUT_FILENO) == -1) - error(1, "dup2"); + fatal("dup2"); if (miss[STDERR_FILENO] && dup2(devnull, STDERR_FILENO) == -1) - error(1, "dup2"); + fatal("dup2"); if (devnull > STDERR_FILENO) close(devnull); } @@ -343,32 +340,38 @@ fix_fds(void) /* * Allocate space for groups and fill in using getgrouplist() - * for when we cannot use getgroups(). + * for when we cannot (or don't want to) use getgroups(). */ static int -fill_group_list(struct user_details *ud) +fill_group_list(struct user_details *ud, int system_maxgroups) { - int maxgroups, tries, rval = -1; + int tries, rval = -1; debug_decl(fill_group_list, SUDO_DEBUG_UTIL) -#if defined(HAVE_SYSCONF) && defined(_SC_NGROUPS_MAX) - maxgroups = (int)sysconf(_SC_NGROUPS_MAX); - if (maxgroups < 0) -#endif - maxgroups = NGROUPS_MAX; - /* - * It is possible to belong to more groups in the group database - * than NGROUPS_MAX. We start off with NGROUPS_MAX * 2 entries - * and double this as needed. + * If user specified a max number of groups, use it, otherwise keep + * trying getgrouplist() until we have enough room in the array. */ - ud->groups = NULL; - ud->ngroups = maxgroups; - for (tries = 0; tries < 10 && rval == -1; tries++) { - ud->ngroups *= 2; - efree(ud->groups); + ud->ngroups = sudo_conf_max_groups(); + if (ud->ngroups > 0) { ud->groups = emalloc2(ud->ngroups, sizeof(GETGROUPS_T)); - rval = getgrouplist(ud->username, ud->gid, ud->groups, &ud->ngroups); + /* No error on insufficient space if user specified max_groups. */ + (void)getgrouplist(ud->username, ud->gid, ud->groups, &ud->ngroups); + rval = 0; + } else { + /* + * It is possible to belong to more groups in the group database + * than NGROUPS_MAX. We start off with NGROUPS_MAX * 4 entries + * and double this as needed. + */ + ud->groups = NULL; + ud->ngroups = system_maxgroups << 1; + for (tries = 0; tries < 10 && rval == -1; tries++) { + ud->ngroups <<= 1; + efree(ud->groups); + ud->groups = emalloc2(ud->ngroups, sizeof(GETGROUPS_T)); + rval = getgrouplist(ud->username, ud->gid, ud->groups, &ud->ngroups); + } } debug_return_int(rval); } @@ -378,26 +381,36 @@ get_user_groups(struct user_details *ud) { char *cp, *gid_list = NULL; size_t glsize; - int i, len; + int i, len, maxgroups, group_source; debug_decl(get_user_groups, SUDO_DEBUG_UTIL) - /* - * Systems with mbr_check_membership() support more than NGROUPS_MAX - * groups so we cannot use getgroups(). - */ +#if defined(HAVE_SYSCONF) && defined(_SC_NGROUPS_MAX) + maxgroups = (int)sysconf(_SC_NGROUPS_MAX); + if (maxgroups < 0) +#endif + maxgroups = NGROUPS_MAX; + ud->groups = NULL; -#ifndef HAVE_MBR_CHECK_MEMBERSHIP - if ((ud->ngroups = getgroups(0, NULL)) > 0) { - ud->groups = emalloc2(ud->ngroups, sizeof(GETGROUPS_T)); - if (getgroups(ud->ngroups, ud->groups) < 0) { - efree(ud->groups); - ud->groups = NULL; + group_source = sudo_conf_group_source(); + if (group_source != GROUP_SOURCE_DYNAMIC) { + if ((ud->ngroups = getgroups(0, NULL)) > 0) { + /* Use groups from kernel if not too many or source is static. */ + if (ud->ngroups < maxgroups || group_source == GROUP_SOURCE_STATIC) { + ud->groups = emalloc2(ud->ngroups, sizeof(GETGROUPS_T)); + if (getgroups(ud->ngroups, ud->groups) < 0) { + efree(ud->groups); + ud->groups = NULL; + } + } } } -#endif /* HAVE_MBR_CHECK_MEMBERSHIP */ if (ud->groups == NULL) { - if (fill_group_list(ud) == -1) - error(1, _("unable to get group vector")); + /* + * Query group database if kernel list is too small or disabled. + * Typically, this is because NFS can only support up to 16 groups. + */ + if (fill_group_list(ud, maxgroups) == -1) + fatal(U_("unable to get group vector")); } /* @@ -423,7 +436,7 @@ get_user_groups(struct user_details *ud) static char ** get_user_info(struct user_details *ud) { - char *cp, **user_info, cwd[PATH_MAX], host[MAXHOSTNAMELEN]; + char *cp, **user_info, cwd[PATH_MAX], host[HOST_NAME_MAX + 1]; struct passwd *pw; int fd, i = 0; debug_decl(get_user_info, SUDO_DEBUG_UTIL) @@ -449,11 +462,11 @@ get_user_info(struct user_details *ud) pw = getpwuid(ud->uid); if (pw == NULL) - errorx(1, _("unknown uid %u: who are you?"), (unsigned int)ud->uid); + fatalx(U_("unknown uid %u: who are you?"), (unsigned int)ud->uid); user_info[i] = fmt_string("user", pw->pw_name); if (user_info[i] == NULL) - errorx(1, _("unable to allocate memory")); + fatal(NULL); ud->username = user_info[i] + sizeof("user=") - 1; /* Stash user's shell for use with the -s flag; don't pass to plugin. */ @@ -479,14 +492,14 @@ get_user_info(struct user_details *ud) if (getcwd(cwd, sizeof(cwd)) != NULL) { user_info[++i] = fmt_string("cwd", cwd); if (user_info[i] == NULL) - errorx(1, _("unable to allocate memory")); + fatal(NULL); ud->cwd = user_info[i] + sizeof("cwd=") - 1; } if ((cp = get_process_ttyname()) != NULL) { user_info[++i] = fmt_string("tty", cp); if (user_info[i] == NULL) - errorx(1, _("unable to allocate memory")); + fatal(NULL); ud->tty = user_info[i] + sizeof("tty=") - 1; efree(cp); } @@ -497,7 +510,7 @@ get_user_info(struct user_details *ud) strlcpy(host, "localhost", sizeof(host)); user_info[++i] = fmt_string("host", host); if (user_info[i] == NULL) - errorx(1, _("unable to allocate memory")); + fatal(NULL); ud->host = user_info[i] + sizeof("host=") - 1; get_ttysize(&ud->ts_lines, &ud->ts_cols); @@ -516,13 +529,14 @@ static void command_info_to_details(char * const info[], struct command_details *details) { int i; - long lval; - unsigned long ulval; - char *cp, *ep; + id_t id; + char *cp; + const char *errstr; debug_decl(command_info_to_details, SUDO_DEBUG_PCOMM) memset(details, 0, sizeof(*details)); details->closefrom = -1; + TAILQ_INIT(&details->preserved_fds); #define SET_STRING(s, n) \ if (strncmp(s, info[i], sizeof(s) - 1) == 0 && info[i][sizeof(s) - 1]) { \ @@ -540,37 +554,29 @@ command_info_to_details(char * const info[], struct co SET_STRING("cwd=", cwd) if (strncmp("closefrom=", info[i], sizeof("closefrom=") - 1) == 0) { cp = info[i] + sizeof("closefrom=") - 1; - if (*cp == '\0') - break; - errno = 0; - lval = strtol(cp, &ep, 0); - if (*cp != '\0' && *ep == '\0' && - !(errno == ERANGE && - (lval == LONG_MAX || lval == LONG_MIN)) && - lval < INT_MAX && lval > INT_MIN) { - details->closefrom = (int)lval; - } + details->closefrom = strtonum(cp, 0, INT_MAX, &errstr); + if (errstr != NULL) + fatalx(U_("%s: %s"), info[i], U_(errstr)); break; } break; + case 'e': + if (strncmp("exec_background=", info[i], sizeof("exec_background=") - 1) == 0) { + if (atobool(info[i] + sizeof("exec_background=") - 1) == true) + SET(details->flags, CD_EXEC_BG); + break; + } + break; case 'l': SET_STRING("login_class=", login_class) break; case 'n': - /* XXX - bounds check -NZERO to NZERO (inclusive). */ if (strncmp("nice=", info[i], sizeof("nice=") - 1) == 0) { cp = info[i] + sizeof("nice=") - 1; - if (*cp == '\0') - break; - errno = 0; - lval = strtol(cp, &ep, 0); - if (*cp != '\0' && *ep == '\0' && - !(errno == ERANGE && - (lval == LONG_MAX || lval == LONG_MIN)) && - lval < INT_MAX && lval > INT_MIN) { - details->priority = (int)lval; - SET(details->flags, CD_SET_PRIORITY); - } + details->priority = strtonum(cp, INT_MIN, INT_MAX, &errstr); + if (errstr != NULL) + fatalx(U_("%s: %s"), info[i], U_(errstr)); + SET(details->flags, CD_SET_PRIORITY); break; } if (strncmp("noexec=", info[i], sizeof("noexec=") - 1) == 0) { @@ -585,91 +591,77 @@ command_info_to_details(char * const info[], struct co SET(details->flags, CD_PRESERVE_GROUPS); break; } + if (strncmp("preserve_fds=", info[i], sizeof("preserve_fds=") - 1) == 0) { + parse_preserved_fds(&details->preserved_fds, + info[i] + sizeof("preserve_fds=") - 1); + break; + } break; case 'r': if (strncmp("runas_egid=", info[i], sizeof("runas_egid=") - 1) == 0) { cp = info[i] + sizeof("runas_egid=") - 1; - if (*cp == '\0') - break; - errno = 0; - ulval = strtoul(cp, &ep, 0); - if (*cp != '\0' && *ep == '\0' && - (errno != ERANGE || ulval != ULONG_MAX)) { - details->egid = (gid_t)ulval; - SET(details->flags, CD_SET_EGID); - } + id = atoid(cp, NULL, NULL, &errstr); + if (errstr != NULL) + fatalx(U_("%s: %s"), info[i], U_(errstr)); + details->egid = (gid_t)id; + SET(details->flags, CD_SET_EGID); break; } if (strncmp("runas_euid=", info[i], sizeof("runas_euid=") - 1) == 0) { cp = info[i] + sizeof("runas_euid=") - 1; - if (*cp == '\0') - break; - errno = 0; - ulval = strtoul(cp, &ep, 0); - if (*cp != '\0' && *ep == '\0' && - (errno != ERANGE || ulval != ULONG_MAX)) { - details->euid = (uid_t)ulval; - SET(details->flags, CD_SET_EUID); - } + id = atoid(cp, NULL, NULL, &errstr); + if (errstr != NULL) + fatalx(U_("%s: %s"), info[i], U_(errstr)); + details->euid = (uid_t)id; + SET(details->flags, CD_SET_EUID); break; } if (strncmp("runas_gid=", info[i], sizeof("runas_gid=") - 1) == 0) { cp = info[i] + sizeof("runas_gid=") - 1; - if (*cp == '\0') - break; - errno = 0; - ulval = strtoul(cp, &ep, 0); - if (*cp != '\0' && *ep == '\0' && - (errno != ERANGE || ulval != ULONG_MAX)) { - details->gid = (gid_t)ulval; - SET(details->flags, CD_SET_GID); - } + id = atoid(cp, NULL, NULL, &errstr); + if (errstr != NULL) + fatalx(U_("%s: %s"), info[i], U_(errstr)); + details->gid = (gid_t)id; + SET(details->flags, CD_SET_GID); break; } if (strncmp("runas_groups=", info[i], sizeof("runas_groups=") - 1) == 0) { - int j; - - /* count groups, alloc and fill in */ + /* parse_gid_list() will call fatalx() on error. */ cp = info[i] + sizeof("runas_groups=") - 1; - if (*cp == '\0') - break; - for (;;) { - details->ngroups++; - if ((cp = strchr(cp, ',')) == NULL) - break; - cp++; - } - if (details->ngroups != 0) { - details->groups = - emalloc2(details->ngroups, sizeof(GETGROUPS_T)); - cp = info[i] + sizeof("runas_groups=") - 1; - for (j = 0; j < details->ngroups;) { - errno = 0; - ulval = strtoul(cp, &ep, 0); - if (*cp == '\0' || (*ep != ',' && *ep != '\0') || - (ulval == ULONG_MAX && errno == ERANGE)) { - break; - } - details->groups[j++] = (gid_t)ulval; - cp = ep + 1; - } - details->ngroups = j; - } + details->ngroups = parse_gid_list(cp, NULL, &details->groups); break; } if (strncmp("runas_uid=", info[i], sizeof("runas_uid=") - 1) == 0) { cp = info[i] + sizeof("runas_uid=") - 1; - if (*cp == '\0') - break; - errno = 0; - ulval = strtoul(cp, &ep, 0); - if (*cp != '\0' && *ep == '\0' && - (errno != ERANGE || ulval != ULONG_MAX)) { - details->uid = (uid_t)ulval; - SET(details->flags, CD_SET_UID); + id = atoid(cp, NULL, NULL, &errstr); + if (errstr != NULL) + fatalx(U_("%s: %s"), info[i], U_(errstr)); + details->uid = (uid_t)id; + SET(details->flags, CD_SET_UID); + break; + } +#ifdef HAVE_PRIV_SET + if (strncmp("runas_privs=", info[i], sizeof("runas_privs=") - 1) == 0) { + const char *endp; + cp = info[i] + sizeof("runas_privs=") - 1; + if (*cp != '\0') { + details->privs = priv_str_to_set(cp, ",", &endp); + if (details->privs == NULL) + warning("invalid runas_privs %s", endp); } break; } + if (strncmp("runas_limitprivs=", info[i], sizeof("runas_limitprivs=") - 1) == 0) { + const char *endp; + cp = info[i] + sizeof("runas_limitprivs=") - 1; + if (*cp != '\0') { + details->limitprivs = priv_str_to_set(cp, ",", &endp); + if (details->limitprivs == NULL) + warning("invalid runas_limitprivs %s", endp); + } + break; + } +#endif /* HAVE_PRIV_SET */ break; case 's': SET_STRING("selinux_role=", selinux_role) @@ -688,32 +680,20 @@ command_info_to_details(char * const info[], struct co case 't': if (strncmp("timeout=", info[i], sizeof("timeout=") - 1) == 0) { cp = info[i] + sizeof("timeout=") - 1; - if (*cp == '\0') - break; - errno = 0; - lval = strtol(cp, &ep, 0); - if (*cp != '\0' && *ep == '\0' && - !(errno == ERANGE && - (lval == LONG_MAX || lval == LONG_MIN)) && - lval <= INT_MAX && lval >= 0) { - details->timeout = (int)lval; - SET(details->flags, CD_SET_TIMEOUT); - } + details->timeout = strtonum(cp, 0, INT_MAX, &errstr); + if (errstr != NULL) + fatalx(U_("%s: %s"), info[i], U_(errstr)); + SET(details->flags, CD_SET_TIMEOUT); break; } break; case 'u': if (strncmp("umask=", info[i], sizeof("umask=") - 1) == 0) { cp = info[i] + sizeof("umask=") - 1; - if (*cp == '\0') - break; - errno = 0; - ulval = strtoul(cp, &ep, 8); - if (*cp != '\0' && *ep == '\0' && - (errno != ERANGE || ulval != ULONG_MAX)) { - details->umask = (uid_t)ulval; - SET(details->flags, CD_SET_UMASK); - } + details->umask = atomode(cp, &errstr); + if (errstr != NULL) + fatalx(U_("%s: %s"), info[i], U_(errstr)); + SET(details->flags, CD_SET_UMASK); break; } if (strncmp("use_pty=", info[i], sizeof("use_pty=") - 1) == 0) { @@ -734,7 +714,7 @@ command_info_to_details(char * const info[], struct co #endif details->pw = getpwuid(details->euid); if (details->pw != NULL && (details->pw = pw_dup(details->pw)) == NULL) - errorx(1, _("unable to allocate memory")); + fatal(NULL); #ifdef HAVE_SETAUTHDB aix_restoreauthdb(); #endif @@ -747,26 +727,54 @@ command_info_to_details(char * const info[], struct co } static void -sudo_check_suid(const char *path) +sudo_check_suid(const char *sudo) { + char pathbuf[PATH_MAX]; struct stat sb; + bool qualified; debug_decl(sudo_check_suid, SUDO_DEBUG_PCOMM) if (geteuid() != 0) { - if (strchr(path, '/') != NULL && stat(path, &sb) == 0) { + /* Search for sudo binary in PATH if not fully qualified. */ + qualified = strchr(sudo, '/') != NULL; + if (!qualified) { + char *path = getenv_unhooked("PATH"); + if (path != NULL) { + int len; + char *cp, *colon; + + cp = path = estrdup(path); + do { + if ((colon = strchr(cp, ':'))) + *colon = '\0'; + len = snprintf(pathbuf, sizeof(pathbuf), "%s/%s", cp, sudo); + if (len <= 0 || (size_t)len >= sizeof(pathbuf)) + continue; + if (access(pathbuf, X_OK) == 0) { + sudo = pathbuf; + qualified = true; + break; + } + cp = colon + 1; + } while (colon); + efree(path); + } + } + + if (qualified && stat(sudo, &sb) == 0) { /* Try to determine why sudo was not running as root. */ if (sb.st_uid != ROOT_UID || !ISSET(sb.st_mode, S_ISUID)) { - errorx(1, - _("%s must be owned by uid %d and have the setuid bit set"), - path, ROOT_UID); + fatalx( + U_("%s must be owned by uid %d and have the setuid bit set"), + sudo, ROOT_UID); } else { - errorx(1, _("effective uid is not %d, is %s on a file system " + fatalx(U_("effective uid is not %d, is %s on a file system " "with the 'nosuid' option set or an NFS file system without" - " root privileges?"), ROOT_UID, path); + " root privileges?"), ROOT_UID, sudo); } } else { - errorx(1, - _("effective uid is not %d, is sudo installed setuid root?"), + fatalx( + U_("effective uid is not %d, is sudo installed setuid root?"), ROOT_UID); } } @@ -781,27 +789,11 @@ sudo_check_suid(const char *path) static void disable_coredumps(void) { -#if defined(__linux__) || defined(RLIMIT_CORE) +#if defined(RLIMIT_CORE) struct rlimit rl; -#endif debug_decl(disable_coredumps, SUDO_DEBUG_UTIL) -#if defined(__linux__) /* - * Unlimit the number of processes since Linux's setuid() will - * apply resource limits when changing uid and return EAGAIN if - * nproc would be violated by the uid switch. - */ - (void) getrlimit(RLIMIT_NPROC, &nproclimit); - rl.rlim_cur = rl.rlim_max = RLIM_INFINITY; - if (setrlimit(RLIMIT_NPROC, &rl)) { - memcpy(&rl, &nproclimit, sizeof(struct rlimit)); - rl.rlim_cur = rl.rlim_max; - (void)setrlimit(RLIMIT_NPROC, &rl); - } -#endif /* __linux__ */ -#ifdef RLIMIT_CORE - /* * Turn off core dumps? */ if (sudo_conf_disable_coredump()) { @@ -810,75 +802,49 @@ disable_coredumps(void) rl.rlim_cur = 0; (void) setrlimit(RLIMIT_CORE, &rl); } -#endif /* RLIMIT_CORE */ debug_return; +#endif /* RLIMIT_CORE */ } -#ifdef HAVE_PROJECT_H +/* + * Unlimit the number of processes since Linux's setuid() will + * apply resource limits when changing uid and return EAGAIN if + * nproc would be exceeded by the uid switch. + */ static void -set_project(struct passwd *pw) +unlimit_nproc(void) { - struct project proj; - char buf[PROJECT_BUFSZ]; - int errval; - debug_decl(set_project, SUDO_DEBUG_UTIL) +#ifdef __linux__ + struct rlimit rl; + debug_decl(unlimit_nproc, SUDO_DEBUG_UTIL) - /* - * Collect the default project for the user and settaskid - */ - setprojent(); - if (getdefaultproj(pw->pw_name, &proj, buf, sizeof(buf)) != NULL) { - errval = setproject(proj.pj_name, pw->pw_name, TASK_NORMAL); - switch(errval) { - case 0: - break; - case SETPROJ_ERR_TASK: - switch (errno) { - case EAGAIN: - warningx(_("resource control limit has been reached")); - break; - case ESRCH: - warningx(_("user \"%s\" is not a member of project \"%s\""), - pw->pw_name, proj.pj_name); - break; - case EACCES: - warningx(_("the invoking task is final")); - break; - default: - warningx(_("could not join project \"%s\""), proj.pj_name); - } - case SETPROJ_ERR_POOL: - switch (errno) { - case EACCES: - warningx(_("no resource pool accepting default bindings " - "exists for project \"%s\""), proj.pj_name); - break; - case ESRCH: - warningx(_("specified resource pool does not exist for " - "project \"%s\""), proj.pj_name); - break; - default: - warningx(_("could not bind to default resource pool for " - "project \"%s\""), proj.pj_name); - } - break; - default: - if (errval <= 0) { - warningx(_("setproject failed for project \"%s\""), proj.pj_name); - } else { - warningx(_("warning, resource control assignment failed for " - "project \"%s\""), proj.pj_name); - } - } - } else { - warning("getdefaultproj"); + (void) getrlimit(RLIMIT_NPROC, &nproclimit); + rl.rlim_cur = rl.rlim_max = RLIM_INFINITY; + if (setrlimit(RLIMIT_NPROC, &rl) != 0) { + memcpy(&rl, &nproclimit, sizeof(struct rlimit)); + rl.rlim_cur = rl.rlim_max; + (void)setrlimit(RLIMIT_NPROC, &rl); } - endprojent(); debug_return; +#endif /* __linux__ */ } -#endif /* HAVE_PROJECT_H */ /* + * Restore saved value of RLIMIT_NPROC. + */ +static void +restore_nproc(void) +{ +#ifdef __linux__ + debug_decl(restore_nproc, SUDO_DEBUG_UTIL) + + (void) setrlimit(RLIMIT_NPROC, &nproclimit); + + debug_return; +#endif /* __linux__ */ +} + +/* * Setup the execution environment immediately prior to the call to execve() * Returns true on success and false on failure. */ @@ -900,6 +866,26 @@ exec_setup(struct command_details *details, const char #ifdef HAVE_PROJECT_H set_project(details->pw); #endif +#ifdef HAVE_PRIV_SET + if (details->privs != NULL) { + if (setppriv(PRIV_SET, PRIV_INHERITABLE, details->privs) != 0) { + warning("unable to set privileges"); + goto done; + } + } + if (details->limitprivs != NULL) { + if (setppriv(PRIV_SET, PRIV_LIMIT, details->limitprivs) != 0) { + warning("unable to set limit privileges"); + goto done; + } + } else if (details->privs != NULL) { + if (setppriv(PRIV_SET, PRIV_LIMIT, details->privs) != 0) { + warning("unable to set limit privileges"); + goto done; + } + } +#endif /* HAVE_PRIV_SET */ + #ifdef HAVE_GETUSERATTR aix_prep_user(details->pw->pw_name, ptyname ? ptyname : user_details.tty); #endif @@ -914,7 +900,7 @@ exec_setup(struct command_details *details, const char */ lc = login_getclass((char *)details->login_class); if (!lc) { - warningx(_("unknown login class %s"), details->login_class); + warningx(U_("unknown login class %s"), details->login_class); errno = ENOENT; goto done; } @@ -927,11 +913,9 @@ exec_setup(struct command_details *details, const char flags = LOGIN_SETRESOURCES|LOGIN_SETPRIORITY; } if (setusercontext(lc, details->pw, details->pw->pw_uid, flags)) { - if (details->pw->pw_uid != ROOT_UID) { - warning(_("unable to set user context")); + warning(U_("unable to set user context")); + if (details->pw->pw_uid != ROOT_UID) goto done; - } else - warning(_("unable to set user context")); } } #endif /* HAVE_LOGIN_CAP_H */ @@ -943,27 +927,27 @@ exec_setup(struct command_details *details, const char if (!ISSET(details->flags, CD_PRESERVE_GROUPS)) { if (details->ngroups >= 0) { if (sudo_setgroups(details->ngroups, details->groups) < 0) { - warning(_("unable to set supplementary group IDs")); + warning(U_("unable to set supplementary group IDs")); goto done; } } } #ifdef HAVE_SETEUID if (ISSET(details->flags, CD_SET_EGID) && setegid(details->egid)) { - warning(_("unable to set effective gid to runas gid %u"), + warning(U_("unable to set effective gid to runas gid %u"), (unsigned int)details->egid); goto done; } #endif if (ISSET(details->flags, CD_SET_GID) && setgid(details->gid)) { - warning(_("unable to set gid to runas gid %u"), + warning(U_("unable to set gid to runas gid %u"), (unsigned int)details->gid); goto done; } if (ISSET(details->flags, CD_SET_PRIORITY)) { if (setpriority(PRIO_PROCESS, 0, details->priority) != 0) { - warning(_("unable to set process priority")); + warning(U_("unable to set process priority")); goto done; } } @@ -971,31 +955,40 @@ exec_setup(struct command_details *details, const char (void) umask(details->umask); if (details->chroot) { if (chroot(details->chroot) != 0 || chdir("/") != 0) { - warning(_("unable to change root to %s"), details->chroot); + warning(U_("unable to change root to %s"), details->chroot); goto done; } } + /* + * Unlimit the number of processes since Linux's setuid() will + * return EAGAIN if RLIMIT_NPROC would be exceeded by the uid switch. + */ + unlimit_nproc(); + #ifdef HAVE_SETRESUID if (setresuid(details->uid, details->euid, details->euid) != 0) { - warning(_("unable to change to runas uid (%u, %u)"), details->uid, + warning(U_("unable to change to runas uid (%u, %u)"), details->uid, details->euid); goto done; } -#elif HAVE_SETREUID +#elif defined(HAVE_SETREUID) if (setreuid(details->uid, details->euid) != 0) { - warning(_("unable to change to runas uid (%u, %u)"), + warning(U_("unable to change to runas uid (%u, %u)"), (unsigned int)details->uid, (unsigned int)details->euid); goto done; } #else if (seteuid(details->euid) != 0 || setuid(details->euid) != 0) { - warning(_("unable to change to runas uid (%u, %u)"), details->uid, + warning(U_("unable to change to runas uid (%u, %u)"), details->uid, details->euid); goto done; } #endif /* !HAVE_SETRESUID && !HAVE_SETREUID */ + /* Restore previous value of RLIMIT_NPROC. */ + restore_nproc(); + /* * Only change cwd if we have chroot()ed or the policy modules * specifies a different cwd. Must be done after uid change. @@ -1004,27 +997,12 @@ exec_setup(struct command_details *details, const char if (details->chroot || strcmp(details->cwd, user_details.cwd) != 0) { /* Note: cwd is relative to the new root, if any. */ if (chdir(details->cwd) != 0) { - warning(_("unable to change directory to %s"), details->cwd); + warning(U_("unable to change directory to %s"), details->cwd); goto done; } } } - /* - * Restore nproc resource limit if pam_limits didn't do it for us. - * We must do this *after* the uid change to avoid potential EAGAIN - * from setuid(). - */ -#if defined(__linux__) - { - struct rlimit rl; - if (getrlimit(RLIMIT_NPROC, &rl) == 0) { - if (rl.rlim_cur == RLIM_INFINITY && rl.rlim_max == RLIM_INFINITY) - (void) setrlimit(RLIMIT_NPROC, &nproclimit); - } - } -#endif - rval = true; done: @@ -1053,7 +1031,7 @@ run_command(struct command_details *details) sudo_debug_printf(SUDO_DEBUG_DEBUG, "calling policy close with errno %d", cstat.val); policy_close(&policy_plugin, 0, cstat.val); - tq_foreach_fwd(&io_plugins, plugin) { + TAILQ_FOREACH(plugin, &io_plugins, entries) { sudo_debug_printf(SUDO_DEBUG_DEBUG, "calling I/O close with errno %d", cstat.val); iolog_close(plugin, 0, cstat.val); @@ -1065,7 +1043,7 @@ run_command(struct command_details *details) sudo_debug_printf(SUDO_DEBUG_DEBUG, "calling policy close with wait status %d", cstat.val); policy_close(&policy_plugin, cstat.val, 0); - tq_foreach_fwd(&io_plugins, plugin) { + TAILQ_FOREACH(plugin, &io_plugins, entries) { sudo_debug_printf(SUDO_DEBUG_DEBUG, "calling I/O close with wait status %d", cstat.val); iolog_close(plugin, cstat.val, 0); @@ -1076,7 +1054,7 @@ run_command(struct command_details *details) exitcode = WTERMSIG(cstat.val) | 128; break; default: - warningx(_("unexpected child termination condition: %d"), cstat.type); + warningx(U_("unexpected child termination condition: %d"), cstat.type); break; } debug_return_int(exitcode); @@ -1110,7 +1088,10 @@ static void policy_close(struct plugin_container *plugin, int exit_status, int error) { debug_decl(policy_close, SUDO_DEBUG_PCOMM) - plugin->u.policy->close(exit_status, error); + if (plugin->u.policy->close != NULL) + plugin->u.policy->close(exit_status, error); + else + warning(U_("unable to execute %s"), command_details.command); debug_return; } @@ -1118,6 +1099,8 @@ static int policy_show_version(struct plugin_container *plugin, int verbose) { debug_decl(policy_show_version, SUDO_DEBUG_PCOMM) + if (plugin->u.policy->show_version == NULL) + debug_return_bool(true); debug_return_bool(plugin->u.policy->show_version(verbose)); } @@ -1127,6 +1110,10 @@ policy_check(struct plugin_container *plugin, int argc char **user_env_out[]) { debug_decl(policy_check, SUDO_DEBUG_PCOMM) + if (plugin->u.policy->check_policy == NULL) { + fatalx(U_("policy plugin %s is missing the `check_policy' method"), + plugin->name); + } debug_return_bool(plugin->u.policy->check_policy(argc, argv, env_add, command_info, argv_out, user_env_out)); } @@ -1137,7 +1124,7 @@ policy_list(struct plugin_container *plugin, int argc, { debug_decl(policy_list, SUDO_DEBUG_PCOMM) if (plugin->u.policy->list == NULL) { - warningx(_("policy plugin %s does not support listing privileges"), + warningx(U_("policy plugin %s does not support listing privileges"), plugin->name); debug_return_bool(false); } @@ -1149,7 +1136,7 @@ policy_validate(struct plugin_container *plugin) { debug_decl(policy_validate, SUDO_DEBUG_PCOMM) if (plugin->u.policy->validate == NULL) { - warningx(_("policy plugin %s does not support the -v option"), + warningx(U_("policy plugin %s does not support the -v option"), plugin->name); debug_return_bool(false); } @@ -1161,7 +1148,7 @@ policy_invalidate(struct plugin_container *plugin, int { debug_decl(policy_invalidate, SUDO_DEBUG_PCOMM) if (plugin->u.policy->invalidate == NULL) { - errorx(1, _("policy plugin %s does not support the -k/-K options"), + fatalx(U_("policy plugin %s does not support the -k/-K options"), plugin->name); } plugin->u.policy->invalidate(remove); @@ -1225,7 +1212,8 @@ static void iolog_close(struct plugin_container *plugin, int exit_status, int error) { debug_decl(iolog_close, SUDO_DEBUG_PCOMM) - plugin->u.io->close(exit_status, error); + if (plugin->u.io->close != NULL) + plugin->u.io->close(exit_status, error); debug_return; } @@ -1233,6 +1221,8 @@ static int iolog_show_version(struct plugin_container *plugin, int verbose) { debug_decl(iolog_show_version, SUDO_DEBUG_PCOMM) + if (plugin->u.io->show_version == NULL) + debug_return_bool(true); debug_return_bool(plugin->u.io->show_version(verbose)); } @@ -1252,7 +1242,7 @@ iolog_unlink(struct plugin_container *plugin) deregister_hook); } /* Remove from io_plugins list and free. */ - tq_remove(&io_plugins, plugin); + TAILQ_REMOVE(&io_plugins, plugin, entries); efree(plugin); debug_return;