version 1.1.1.3, 2012/10/09 09:29:52
|
version 1.1.1.4, 2013/07/22 10:46:13
|
Line 1
|
Line 1
|
/* |
/* |
* Copyright (c) 2009-2012 Todd C. Miller <Todd.Miller@courtesan.com> | * Copyright (c) 2009-2013 Todd C. Miller <Todd.Miller@courtesan.com> |
* |
* |
* Permission to use, copy, modify, and distribute this software for any |
* Permission to use, copy, modify, and distribute this software for any |
* purpose with or without fee is hereby granted, provided that the above |
* purpose with or without fee is hereby granted, provided that the above |
Line 21
|
Line 21
|
#include <config.h> |
#include <config.h> |
|
|
#include <sys/types.h> |
#include <sys/types.h> |
#include <sys/param.h> |
|
#include <sys/stat.h> |
#include <sys/stat.h> |
#include <sys/wait.h> |
#include <sys/wait.h> |
#include <sys/socket.h> |
#include <sys/socket.h> |
Line 58
|
Line 57
|
#if TIME_WITH_SYS_TIME |
#if TIME_WITH_SYS_TIME |
# include <time.h> |
# include <time.h> |
#endif |
#endif |
#ifdef HAVE_SETLOCALE |
|
# include <locale.h> |
|
#endif |
|
#ifdef HAVE_LOGIN_CAP_H |
#ifdef HAVE_LOGIN_CAP_H |
# include <login_cap.h> |
# include <login_cap.h> |
# ifndef LOGIN_SETENV |
# ifndef LOGIN_SETENV |
Line 86
|
Line 82
|
# endif /* __hpux */ |
# endif /* __hpux */ |
# include <prot.h> |
# include <prot.h> |
#endif /* HAVE_GETPRPWNAM && HAVE_SET_AUTH_PARAMETERS */ |
#endif /* HAVE_GETPRPWNAM && HAVE_SET_AUTH_PARAMETERS */ |
#if defined(HAVE_STRUCT_KINFO_PROC_P_TDEV) || defined (HAVE_STRUCT_KINFO_PROC_KP_EPROC_E_TDEV) |
|
# include <sys/sysctl.h> |
|
#elif defined(HAVE_STRUCT_KINFO_PROC_KI_TDEV) |
|
# include <sys/sysctl.h> |
|
# include <sys/user.h> |
|
#endif |
|
|
|
#include "sudo.h" |
#include "sudo.h" |
#include "sudo_plugin.h" |
#include "sudo_plugin.h" |
#include "sudo_plugin_int.h" |
#include "sudo_plugin_int.h" |
#include <sudo_usage.h> | #include "sudo_usage.h" |
|
|
/* |
/* |
* Local variables |
* Local variables |
Line 105 struct plugin_container policy_plugin;
|
Line 95 struct plugin_container policy_plugin;
|
struct plugin_container_list io_plugins; |
struct plugin_container_list io_plugins; |
struct user_details user_details; |
struct user_details user_details; |
const char *list_user, *runas_user, *runas_group; /* extern for parse_args.c */ |
const char *list_user, *runas_user, *runas_group; /* extern for parse_args.c */ |
|
static struct command_details command_details; |
static int sudo_mode; |
static int sudo_mode; |
|
|
/* |
/* |
Line 147 static struct rlimit corelimit;
|
Line 138 static struct rlimit corelimit;
|
static struct rlimit nproclimit; |
static struct rlimit nproclimit; |
#endif |
#endif |
|
|
|
__dso_public int main(int argc, char *argv[], char *envp[]); |
|
|
int |
int |
main(int argc, char *argv[], char *envp[]) |
main(int argc, char *argv[], char *envp[]) |
{ |
{ |
Line 154 main(int argc, char *argv[], char *envp[])
|
Line 147 main(int argc, char *argv[], char *envp[])
|
char **nargv, **settings, **env_add; |
char **nargv, **settings, **env_add; |
char **user_info, **command_info, **argv_out, **user_env_out; |
char **user_info, **command_info, **argv_out, **user_env_out; |
struct plugin_container *plugin, *next; |
struct plugin_container *plugin, *next; |
struct command_details command_details; |
|
sigset_t mask; |
sigset_t mask; |
debug_decl(main, SUDO_DEBUG_MAIN) |
debug_decl(main, SUDO_DEBUG_MAIN) |
|
|
#if defined(SUDO_DEVEL) && defined(__OpenBSD__) | os_init(argc, argv, envp); |
{ | |
extern char *malloc_options; | |
malloc_options = "AFGJPR"; | |
} | |
#endif | |
|
|
#if !defined(HAVE_GETPROGNAME) && !defined(HAVE___PROGNAME) |
|
if (argc > 0) |
|
setprogname(argv[0]); |
|
#endif |
|
|
|
#ifdef HAVE_SETLOCALE |
|
setlocale(LC_ALL, ""); |
setlocale(LC_ALL, ""); |
#endif |
|
bindtextdomain(PACKAGE_NAME, LOCALEDIR); |
bindtextdomain(PACKAGE_NAME, LOCALEDIR); |
textdomain(PACKAGE_NAME); |
textdomain(PACKAGE_NAME); |
|
|
|
#ifdef HAVE_TZSET |
|
(void) tzset(); |
|
#endif /* HAVE_TZSET */ |
|
|
/* Must be done before we do any password lookups */ |
/* Must be done before we do any password lookups */ |
#if defined(HAVE_GETPRPWNAM) && defined(HAVE_SET_AUTH_PARAMETERS) |
#if defined(HAVE_GETPRPWNAM) && defined(HAVE_SET_AUTH_PARAMETERS) |
(void) set_auth_parameters(argc, argv); |
(void) set_auth_parameters(argc, argv); |
Line 187 main(int argc, char *argv[], char *envp[])
|
Line 171 main(int argc, char *argv[], char *envp[])
|
/* Make sure we are setuid root. */ |
/* Make sure we are setuid root. */ |
sudo_check_suid(argv[0]); |
sudo_check_suid(argv[0]); |
|
|
/* Reset signal mask and make sure fds 0-2 are open. */ | /* Reset signal mask, save signal state and make sure fds 0-2 are open. */ |
(void) sigemptyset(&mask); |
(void) sigemptyset(&mask); |
(void) sigprocmask(SIG_SETMASK, &mask, NULL); |
(void) sigprocmask(SIG_SETMASK, &mask, NULL); |
|
save_signals(); |
fix_fds(); |
fix_fds(); |
|
|
/* Read sudo.conf. */ |
/* Read sudo.conf. */ |
sudo_conf_read(); | sudo_conf_read(NULL); |
|
|
/* Fill in user_info with user name, uid, cwd, etc. */ |
/* Fill in user_info with user name, uid, cwd, etc. */ |
memset(&user_details, 0, sizeof(user_details)); |
memset(&user_details, 0, sizeof(user_details)); |
Line 215 main(int argc, char *argv[], char *envp[])
|
Line 200 main(int argc, char *argv[], char *envp[])
|
|
|
/* Load plugins. */ |
/* Load plugins. */ |
if (!sudo_load_plugins(&policy_plugin, &io_plugins)) |
if (!sudo_load_plugins(&policy_plugin, &io_plugins)) |
errorx(1, _("fatal error, unable to load plugins")); | fatalx(_("fatal error, unable to load plugins")); |
|
|
/* Open policy plugin. */ |
/* Open policy plugin. */ |
ok = policy_open(&policy_plugin, settings, user_info, envp); |
ok = policy_open(&policy_plugin, settings, user_info, envp); |
Line 223 main(int argc, char *argv[], char *envp[])
|
Line 208 main(int argc, char *argv[], char *envp[])
|
if (ok == -2) |
if (ok == -2) |
usage(1); |
usage(1); |
else |
else |
errorx(1, _("unable to initialize policy plugin")); | fatalx(_("unable to initialize policy plugin")); |
} |
} |
|
|
|
init_signals(); |
|
|
switch (sudo_mode & MODE_MASK) { |
switch (sudo_mode & MODE_MASK) { |
case MODE_VERSION: |
case MODE_VERSION: |
policy_show_version(&policy_plugin, !user_details.uid); |
policy_show_version(&policy_plugin, !user_details.uid); |
tq_foreach_fwd(&io_plugins, plugin) { |
tq_foreach_fwd(&io_plugins, plugin) { |
ok = iolog_open(plugin, settings, user_info, NULL, |
ok = iolog_open(plugin, settings, user_info, NULL, |
nargc, nargv, envp); |
nargc, nargv, envp); |
if (ok == 1) | if (ok != -1) |
iolog_show_version(plugin, !user_details.uid); |
iolog_show_version(plugin, !user_details.uid); |
} |
} |
break; |
break; |
Line 278 main(int argc, char *argv[], char *envp[])
|
Line 265 main(int argc, char *argv[], char *envp[])
|
usage(1); |
usage(1); |
break; |
break; |
default: |
default: |
errorx(1, _("error initializing I/O plugin %s"), | fatalx(_("error initializing I/O plugin %s"), |
plugin->name); |
plugin->name); |
} |
} |
} |
} |
Line 289 main(int argc, char *argv[], char *envp[])
|
Line 276 main(int argc, char *argv[], char *envp[])
|
if (ISSET(sudo_mode, MODE_BACKGROUND)) |
if (ISSET(sudo_mode, MODE_BACKGROUND)) |
SET(command_details.flags, CD_BACKGROUND); |
SET(command_details.flags, CD_BACKGROUND); |
/* Become full root (not just setuid) so user cannot kill us. */ |
/* Become full root (not just setuid) so user cannot kill us. */ |
(void) setuid(ROOT_UID); | if (setuid(ROOT_UID) == -1) |
| warning("setuid(%d)", ROOT_UID); |
/* Restore coredumpsize resource limit before running. */ |
/* Restore coredumpsize resource limit before running. */ |
#ifdef RLIMIT_CORE |
#ifdef RLIMIT_CORE |
if (sudo_conf_disable_coredump()) |
if (sudo_conf_disable_coredump()) |
Line 303 main(int argc, char *argv[], char *envp[])
|
Line 291 main(int argc, char *argv[], char *envp[])
|
/* The close method was called by sudo_edit/run_command. */ |
/* The close method was called by sudo_edit/run_command. */ |
break; |
break; |
default: |
default: |
errorx(1, _("unexpected sudo mode 0x%x"), sudo_mode); | fatalx(_("unexpected sudo mode 0x%x"), sudo_mode); |
} |
} |
sudo_debug_exit_int(__func__, __FILE__, __LINE__, sudo_debug_subsys, exitcode); |
sudo_debug_exit_int(__func__, __FILE__, __LINE__, sudo_debug_subsys, exitcode); |
exit(exitcode); |
exit(exitcode); |
} |
} |
|
|
|
int |
|
os_init_common(int argc, char *argv[], char *envp[]) |
|
{ |
|
#if !defined(HAVE_GETPROGNAME) && !defined(HAVE___PROGNAME) |
|
if (argc > 0) |
|
setprogname(argv[0]); |
|
#endif |
|
return 0; |
|
} |
|
|
/* |
/* |
* Ensure that stdin, stdout and stderr are open; set to /dev/null if not. |
* Ensure that stdin, stdout and stderr are open; set to /dev/null if not. |
* Some operating systems do this automatically in the kernel or libc. |
* Some operating systems do this automatically in the kernel or libc. |
Line 328 fix_fds(void)
|
Line 326 fix_fds(void)
|
miss[STDERR_FILENO] = fcntl(STDERR_FILENO, F_GETFL, 0) == -1; |
miss[STDERR_FILENO] = fcntl(STDERR_FILENO, F_GETFL, 0) == -1; |
if (miss[STDIN_FILENO] || miss[STDOUT_FILENO] || miss[STDERR_FILENO]) { |
if (miss[STDIN_FILENO] || miss[STDOUT_FILENO] || miss[STDERR_FILENO]) { |
if ((devnull = open(_PATH_DEVNULL, O_RDWR, 0644)) == -1) |
if ((devnull = open(_PATH_DEVNULL, O_RDWR, 0644)) == -1) |
error(1, _("unable to open %s"), _PATH_DEVNULL); | fatal(_("unable to open %s"), _PATH_DEVNULL); |
if (miss[STDIN_FILENO] && dup2(devnull, STDIN_FILENO) == -1) |
if (miss[STDIN_FILENO] && dup2(devnull, STDIN_FILENO) == -1) |
error(1, "dup2"); | fatal("dup2"); |
if (miss[STDOUT_FILENO] && dup2(devnull, STDOUT_FILENO) == -1) |
if (miss[STDOUT_FILENO] && dup2(devnull, STDOUT_FILENO) == -1) |
error(1, "dup2"); | fatal("dup2"); |
if (miss[STDERR_FILENO] && dup2(devnull, STDERR_FILENO) == -1) |
if (miss[STDERR_FILENO] && dup2(devnull, STDERR_FILENO) == -1) |
error(1, "dup2"); | fatal("dup2"); |
if (devnull > STDERR_FILENO) |
if (devnull > STDERR_FILENO) |
close(devnull); |
close(devnull); |
} |
} |
Line 343 fix_fds(void)
|
Line 341 fix_fds(void)
|
|
|
/* |
/* |
* Allocate space for groups and fill in using getgrouplist() |
* Allocate space for groups and fill in using getgrouplist() |
* for when we cannot use getgroups(). | * for when we cannot (or don't want to) use getgroups(). |
*/ |
*/ |
static int |
static int |
fill_group_list(struct user_details *ud) | fill_group_list(struct user_details *ud, int system_maxgroups) |
{ |
{ |
int maxgroups, tries, rval = -1; | int tries, rval = -1; |
debug_decl(fill_group_list, SUDO_DEBUG_UTIL) |
debug_decl(fill_group_list, SUDO_DEBUG_UTIL) |
|
|
#if defined(HAVE_SYSCONF) && defined(_SC_NGROUPS_MAX) |
|
maxgroups = (int)sysconf(_SC_NGROUPS_MAX); |
|
if (maxgroups < 0) |
|
#endif |
|
maxgroups = NGROUPS_MAX; |
|
|
|
/* |
/* |
* It is possible to belong to more groups in the group database | * If user specified a max number of groups, use it, otherwise keep |
* than NGROUPS_MAX. We start off with NGROUPS_MAX * 2 entries | * trying getgrouplist() until we have enough room in the array. |
* and double this as needed. | |
*/ |
*/ |
ud->groups = NULL; | ud->ngroups = sudo_conf_max_groups(); |
ud->ngroups = maxgroups; | if (ud->ngroups != -1) { |
for (tries = 0; tries < 10 && rval == -1; tries++) { | |
ud->ngroups *= 2; | |
efree(ud->groups); | |
ud->groups = emalloc2(ud->ngroups, sizeof(GETGROUPS_T)); |
ud->groups = emalloc2(ud->ngroups, sizeof(GETGROUPS_T)); |
rval = getgrouplist(ud->username, ud->gid, ud->groups, &ud->ngroups); | /* No error on insufficient space if user specified max_groups. */ |
| (void)getgrouplist(ud->username, ud->gid, ud->groups, &ud->ngroups); |
| rval = 0; |
| } else { |
| /* |
| * It is possible to belong to more groups in the group database |
| * than NGROUPS_MAX. We start off with NGROUPS_MAX * 4 entries |
| * and double this as needed. |
| */ |
| ud->groups = NULL; |
| ud->ngroups = system_maxgroups << 1; |
| for (tries = 0; tries < 10 && rval == -1; tries++) { |
| ud->ngroups <<= 1; |
| efree(ud->groups); |
| ud->groups = emalloc2(ud->ngroups, sizeof(GETGROUPS_T)); |
| rval = getgrouplist(ud->username, ud->gid, ud->groups, &ud->ngroups); |
| } |
} |
} |
debug_return_int(rval); |
debug_return_int(rval); |
} |
} |
Line 378 get_user_groups(struct user_details *ud)
|
Line 382 get_user_groups(struct user_details *ud)
|
{ |
{ |
char *cp, *gid_list = NULL; |
char *cp, *gid_list = NULL; |
size_t glsize; |
size_t glsize; |
int i, len; | int i, len, maxgroups, group_source; |
debug_decl(get_user_groups, SUDO_DEBUG_UTIL) |
debug_decl(get_user_groups, SUDO_DEBUG_UTIL) |
|
|
/* | #if defined(HAVE_SYSCONF) && defined(_SC_NGROUPS_MAX) |
* Systems with mbr_check_membership() support more than NGROUPS_MAX | maxgroups = (int)sysconf(_SC_NGROUPS_MAX); |
* groups so we cannot use getgroups(). | if (maxgroups < 0) |
*/ | #endif |
| maxgroups = NGROUPS_MAX; |
| |
ud->groups = NULL; |
ud->groups = NULL; |
#ifndef HAVE_MBR_CHECK_MEMBERSHIP | group_source = sudo_conf_group_source(); |
if ((ud->ngroups = getgroups(0, NULL)) > 0) { | if (group_source != GROUP_SOURCE_DYNAMIC) { |
ud->groups = emalloc2(ud->ngroups, sizeof(GETGROUPS_T)); | if ((ud->ngroups = getgroups(0, NULL)) > 0) { |
if (getgroups(ud->ngroups, ud->groups) < 0) { | /* Use groups from kernel if not too many or source is static. */ |
efree(ud->groups); | if (ud->ngroups < maxgroups || group_source == GROUP_SOURCE_STATIC) { |
ud->groups = NULL; | ud->groups = emalloc2(ud->ngroups, sizeof(GETGROUPS_T)); |
| if (getgroups(ud->ngroups, ud->groups) < 0) { |
| efree(ud->groups); |
| ud->groups = NULL; |
| } |
| } |
} |
} |
} |
} |
#endif /* HAVE_MBR_CHECK_MEMBERSHIP */ |
|
if (ud->groups == NULL) { |
if (ud->groups == NULL) { |
if (fill_group_list(ud) == -1) | /* |
error(1, _("unable to get group vector")); | * Query group database if kernel list is too small or disabled. |
| * Typically, this is because NFS can only support up to 16 groups. |
| */ |
| if (fill_group_list(ud, maxgroups) == -1) |
| fatal(_("unable to get group vector")); |
} |
} |
|
|
/* |
/* |
Line 423 get_user_groups(struct user_details *ud)
|
Line 437 get_user_groups(struct user_details *ud)
|
static char ** |
static char ** |
get_user_info(struct user_details *ud) |
get_user_info(struct user_details *ud) |
{ |
{ |
char *cp, **user_info, cwd[PATH_MAX], host[MAXHOSTNAMELEN]; | char *cp, **user_info, cwd[PATH_MAX], host[HOST_NAME_MAX + 1]; |
struct passwd *pw; |
struct passwd *pw; |
int fd, i = 0; |
int fd, i = 0; |
debug_decl(get_user_info, SUDO_DEBUG_UTIL) |
debug_decl(get_user_info, SUDO_DEBUG_UTIL) |
Line 449 get_user_info(struct user_details *ud)
|
Line 463 get_user_info(struct user_details *ud)
|
|
|
pw = getpwuid(ud->uid); |
pw = getpwuid(ud->uid); |
if (pw == NULL) |
if (pw == NULL) |
errorx(1, _("unknown uid %u: who are you?"), (unsigned int)ud->uid); | fatalx(_("unknown uid %u: who are you?"), (unsigned int)ud->uid); |
|
|
user_info[i] = fmt_string("user", pw->pw_name); |
user_info[i] = fmt_string("user", pw->pw_name); |
if (user_info[i] == NULL) |
if (user_info[i] == NULL) |
errorx(1, _("unable to allocate memory")); | fatalx(NULL); |
ud->username = user_info[i] + sizeof("user=") - 1; |
ud->username = user_info[i] + sizeof("user=") - 1; |
|
|
/* Stash user's shell for use with the -s flag; don't pass to plugin. */ |
/* Stash user's shell for use with the -s flag; don't pass to plugin. */ |
Line 479 get_user_info(struct user_details *ud)
|
Line 493 get_user_info(struct user_details *ud)
|
if (getcwd(cwd, sizeof(cwd)) != NULL) { |
if (getcwd(cwd, sizeof(cwd)) != NULL) { |
user_info[++i] = fmt_string("cwd", cwd); |
user_info[++i] = fmt_string("cwd", cwd); |
if (user_info[i] == NULL) |
if (user_info[i] == NULL) |
errorx(1, _("unable to allocate memory")); | fatalx(NULL); |
ud->cwd = user_info[i] + sizeof("cwd=") - 1; |
ud->cwd = user_info[i] + sizeof("cwd=") - 1; |
} |
} |
|
|
if ((cp = get_process_ttyname()) != NULL) { |
if ((cp = get_process_ttyname()) != NULL) { |
user_info[++i] = fmt_string("tty", cp); |
user_info[++i] = fmt_string("tty", cp); |
if (user_info[i] == NULL) |
if (user_info[i] == NULL) |
errorx(1, _("unable to allocate memory")); | fatalx(NULL); |
ud->tty = user_info[i] + sizeof("tty=") - 1; |
ud->tty = user_info[i] + sizeof("tty=") - 1; |
efree(cp); |
efree(cp); |
} |
} |
Line 497 get_user_info(struct user_details *ud)
|
Line 511 get_user_info(struct user_details *ud)
|
strlcpy(host, "localhost", sizeof(host)); |
strlcpy(host, "localhost", sizeof(host)); |
user_info[++i] = fmt_string("host", host); |
user_info[++i] = fmt_string("host", host); |
if (user_info[i] == NULL) |
if (user_info[i] == NULL) |
errorx(1, _("unable to allocate memory")); | fatalx(NULL); |
ud->host = user_info[i] + sizeof("host=") - 1; |
ud->host = user_info[i] + sizeof("host=") - 1; |
|
|
get_ttysize(&ud->ts_lines, &ud->ts_cols); |
get_ttysize(&ud->ts_lines, &ud->ts_cols); |
Line 553 command_info_to_details(char * const info[], struct co
|
Line 567 command_info_to_details(char * const info[], struct co
|
break; |
break; |
} |
} |
break; |
break; |
|
case 'e': |
|
if (strncmp("exec_background=", info[i], sizeof("exec_background=") - 1) == 0) { |
|
if (atobool(info[i] + sizeof("exec_background=") - 1) == true) |
|
SET(details->flags, CD_EXEC_BG); |
|
break; |
|
} |
|
break; |
case 'l': |
case 'l': |
SET_STRING("login_class=", login_class) |
SET_STRING("login_class=", login_class) |
break; |
break; |
Line 756 command_info_to_details(char * const info[], struct co
|
Line 777 command_info_to_details(char * const info[], struct co
|
#endif |
#endif |
details->pw = getpwuid(details->euid); |
details->pw = getpwuid(details->euid); |
if (details->pw != NULL && (details->pw = pw_dup(details->pw)) == NULL) |
if (details->pw != NULL && (details->pw = pw_dup(details->pw)) == NULL) |
errorx(1, _("unable to allocate memory")); | fatalx(NULL); |
#ifdef HAVE_SETAUTHDB |
#ifdef HAVE_SETAUTHDB |
aix_restoreauthdb(); |
aix_restoreauthdb(); |
#endif |
#endif |
Line 778 sudo_check_suid(const char *path)
|
Line 799 sudo_check_suid(const char *path)
|
if (strchr(path, '/') != NULL && stat(path, &sb) == 0) { |
if (strchr(path, '/') != NULL && stat(path, &sb) == 0) { |
/* Try to determine why sudo was not running as root. */ |
/* Try to determine why sudo was not running as root. */ |
if (sb.st_uid != ROOT_UID || !ISSET(sb.st_mode, S_ISUID)) { |
if (sb.st_uid != ROOT_UID || !ISSET(sb.st_mode, S_ISUID)) { |
errorx(1, | fatalx( |
_("%s must be owned by uid %d and have the setuid bit set"), |
_("%s must be owned by uid %d and have the setuid bit set"), |
path, ROOT_UID); |
path, ROOT_UID); |
} else { |
} else { |
errorx(1, _("effective uid is not %d, is %s on a file system " | fatalx(_("effective uid is not %d, is %s on a file system " |
"with the 'nosuid' option set or an NFS file system without" |
"with the 'nosuid' option set or an NFS file system without" |
" root privileges?"), ROOT_UID, path); |
" root privileges?"), ROOT_UID, path); |
} |
} |
} else { |
} else { |
errorx(1, | fatalx( |
_("effective uid is not %d, is sudo installed setuid root?"), |
_("effective uid is not %d, is sudo installed setuid root?"), |
ROOT_UID); |
ROOT_UID); |
} |
} |
Line 836 disable_coredumps(void)
|
Line 857 disable_coredumps(void)
|
debug_return; |
debug_return; |
} |
} |
|
|
#ifdef HAVE_PROJECT_H |
|
static void |
|
set_project(struct passwd *pw) |
|
{ |
|
struct project proj; |
|
char buf[PROJECT_BUFSZ]; |
|
int errval; |
|
debug_decl(set_project, SUDO_DEBUG_UTIL) |
|
|
|
/* |
|
* Collect the default project for the user and settaskid |
|
*/ |
|
setprojent(); |
|
if (getdefaultproj(pw->pw_name, &proj, buf, sizeof(buf)) != NULL) { |
|
errval = setproject(proj.pj_name, pw->pw_name, TASK_NORMAL); |
|
switch(errval) { |
|
case 0: |
|
break; |
|
case SETPROJ_ERR_TASK: |
|
switch (errno) { |
|
case EAGAIN: |
|
warningx(_("resource control limit has been reached")); |
|
break; |
|
case ESRCH: |
|
warningx(_("user \"%s\" is not a member of project \"%s\""), |
|
pw->pw_name, proj.pj_name); |
|
break; |
|
case EACCES: |
|
warningx(_("the invoking task is final")); |
|
break; |
|
default: |
|
warningx(_("could not join project \"%s\""), proj.pj_name); |
|
} |
|
case SETPROJ_ERR_POOL: |
|
switch (errno) { |
|
case EACCES: |
|
warningx(_("no resource pool accepting default bindings " |
|
"exists for project \"%s\""), proj.pj_name); |
|
break; |
|
case ESRCH: |
|
warningx(_("specified resource pool does not exist for " |
|
"project \"%s\""), proj.pj_name); |
|
break; |
|
default: |
|
warningx(_("could not bind to default resource pool for " |
|
"project \"%s\""), proj.pj_name); |
|
} |
|
break; |
|
default: |
|
if (errval <= 0) { |
|
warningx(_("setproject failed for project \"%s\""), proj.pj_name); |
|
} else { |
|
warningx(_("warning, resource control assignment failed for " |
|
"project \"%s\""), proj.pj_name); |
|
} |
|
} |
|
} else { |
|
warning("getdefaultproj"); |
|
} |
|
endprojent(); |
|
debug_return; |
|
} |
|
#endif /* HAVE_PROJECT_H */ |
|
|
|
/* |
/* |
* Setup the execution environment immediately prior to the call to execve() |
* Setup the execution environment immediately prior to the call to execve() |
* Returns true on success and false on failure. |
* Returns true on success and false on failure. |
Line 923 exec_setup(struct command_details *details, const char
|
Line 880 exec_setup(struct command_details *details, const char
|
set_project(details->pw); |
set_project(details->pw); |
#endif |
#endif |
#ifdef HAVE_PRIV_SET |
#ifdef HAVE_PRIV_SET |
if (details->privs != NULL) { | if (details->privs != NULL) { |
if (setppriv(PRIV_SET, PRIV_INHERITABLE, details->privs) != 0) { | if (setppriv(PRIV_SET, PRIV_INHERITABLE, details->privs) != 0) { |
warning("unable to set privileges"); | warning("unable to set privileges"); |
goto done; | goto done; |
| } |
} |
} |
} | if (details->limitprivs != NULL) { |
if (details->limitprivs != NULL) { | if (setppriv(PRIV_SET, PRIV_LIMIT, details->limitprivs) != 0) { |
if (setppriv(PRIV_SET, PRIV_LIMIT, details->limitprivs) != 0) { | warning("unable to set limit privileges"); |
warning("unable to set limit privileges"); | goto done; |
goto done; | } |
| } else if (details->privs != NULL) { |
| if (setppriv(PRIV_SET, PRIV_LIMIT, details->privs) != 0) { |
| warning("unable to set limit privileges"); |
| goto done; |
| } |
} |
} |
} else if (details->privs != NULL) { |
|
if (setppriv(PRIV_SET, PRIV_LIMIT, details->privs) != 0) { |
|
warning("unable to set limit privileges"); |
|
goto done; |
|
} |
|
} |
|
#endif /* HAVE_PRIV_SET */ |
#endif /* HAVE_PRIV_SET */ |
|
|
#ifdef HAVE_GETUSERATTR |
#ifdef HAVE_GETUSERATTR |
Line 1164 static void
|
Line 1121 static void
|
policy_close(struct plugin_container *plugin, int exit_status, int error) |
policy_close(struct plugin_container *plugin, int exit_status, int error) |
{ |
{ |
debug_decl(policy_close, SUDO_DEBUG_PCOMM) |
debug_decl(policy_close, SUDO_DEBUG_PCOMM) |
plugin->u.policy->close(exit_status, error); | if (plugin->u.policy->close != NULL) |
| plugin->u.policy->close(exit_status, error); |
| else |
| warning(_("unable to execute %s"), command_details.command); |
debug_return; |
debug_return; |
} |
} |
|
|
Line 1172 static int
|
Line 1132 static int
|
policy_show_version(struct plugin_container *plugin, int verbose) |
policy_show_version(struct plugin_container *plugin, int verbose) |
{ |
{ |
debug_decl(policy_show_version, SUDO_DEBUG_PCOMM) |
debug_decl(policy_show_version, SUDO_DEBUG_PCOMM) |
|
if (plugin->u.policy->show_version == NULL) |
|
debug_return_bool(true); |
debug_return_bool(plugin->u.policy->show_version(verbose)); |
debug_return_bool(plugin->u.policy->show_version(verbose)); |
} |
} |
|
|
Line 1181 policy_check(struct plugin_container *plugin, int argc
|
Line 1143 policy_check(struct plugin_container *plugin, int argc
|
char **user_env_out[]) |
char **user_env_out[]) |
{ |
{ |
debug_decl(policy_check, SUDO_DEBUG_PCOMM) |
debug_decl(policy_check, SUDO_DEBUG_PCOMM) |
|
if (plugin->u.policy->check_policy == NULL) { |
|
fatalx(_("policy plugin %s is missing the `check_policy' method"), |
|
plugin->name); |
|
} |
debug_return_bool(plugin->u.policy->check_policy(argc, argv, env_add, |
debug_return_bool(plugin->u.policy->check_policy(argc, argv, env_add, |
command_info, argv_out, user_env_out)); |
command_info, argv_out, user_env_out)); |
} |
} |
Line 1215 policy_invalidate(struct plugin_container *plugin, int
|
Line 1181 policy_invalidate(struct plugin_container *plugin, int
|
{ |
{ |
debug_decl(policy_invalidate, SUDO_DEBUG_PCOMM) |
debug_decl(policy_invalidate, SUDO_DEBUG_PCOMM) |
if (plugin->u.policy->invalidate == NULL) { |
if (plugin->u.policy->invalidate == NULL) { |
errorx(1, _("policy plugin %s does not support the -k/-K options"), | fatalx(_("policy plugin %s does not support the -k/-K options"), |
plugin->name); |
plugin->name); |
} |
} |
plugin->u.policy->invalidate(remove); |
plugin->u.policy->invalidate(remove); |
Line 1279 static void
|
Line 1245 static void
|
iolog_close(struct plugin_container *plugin, int exit_status, int error) |
iolog_close(struct plugin_container *plugin, int exit_status, int error) |
{ |
{ |
debug_decl(iolog_close, SUDO_DEBUG_PCOMM) |
debug_decl(iolog_close, SUDO_DEBUG_PCOMM) |
plugin->u.io->close(exit_status, error); | if (plugin->u.io->close != NULL) |
| plugin->u.io->close(exit_status, error); |
debug_return; |
debug_return; |
} |
} |
|
|
Line 1287 static int
|
Line 1254 static int
|
iolog_show_version(struct plugin_container *plugin, int verbose) |
iolog_show_version(struct plugin_container *plugin, int verbose) |
{ |
{ |
debug_decl(iolog_show_version, SUDO_DEBUG_PCOMM) |
debug_decl(iolog_show_version, SUDO_DEBUG_PCOMM) |
|
if (plugin->u.io->show_version == NULL) |
|
debug_return_bool(true); |
debug_return_bool(plugin->u.io->show_version(verbose)); |
debug_return_bool(plugin->u.io->show_version(verbose)); |
} |
} |
|
|