Ignore a missing or insecure #includedir, it is not a fatal error.
@@ -2549,8 +2549,8 @@ YY_RULE_SETUP
|
|||||||
LEXTRACE("INCLUDEDIR\n");
|
LEXTRACE("INCLUDEDIR\n");
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Push current buffer and switch to include file.
|
* Push current buffer and switch to include file,
|
||||||
* We simply ignore empty directories.
|
* ignoring missing or empty directories.
|
||||||
*/
|
*/
|
||||||
if (!push_includedir(path))
|
if (!push_includedir(path))
|
||||||
yyterminate();
|
yyterminate();
|
||||||
@@ -4185,6 +4185,12 @@ init_lexer(void)
|
|||||||
debug_return;
|
debug_return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Open an include file (or file from a directory), push the old
|
||||||
|
* sudoers file buffer and switch to the new one.
|
||||||
|
* A missing or insecure include dir is simply ignored.
|
||||||
|
* Returns false on error, else true.
|
||||||
|
*/
|
||||||
static bool
|
static bool
|
||||||
push_include_int(char *path, bool isdir)
|
push_include_int(char *path, bool isdir)
|
||||||
{
|
{
|
||||||
@@ -4212,40 +4218,35 @@ push_include_int(char *path, bool isdir)
|
|||||||
SLIST_INIT(&istack[idepth].more);
|
SLIST_INIT(&istack[idepth].more);
|
||||||
if (isdir) {
|
if (isdir) {
|
||||||
struct stat sb;
|
struct stat sb;
|
||||||
int count;
|
int count, status;
|
||||||
switch (sudo_secure_dir(path, sudoers_uid, sudoers_gid, &sb)) {
|
|
||||||
case SUDO_PATH_SECURE:
|
status = sudo_secure_dir(path, sudoers_uid, sudoers_gid, &sb);
|
||||||
break;
|
if (status != SUDO_PATH_SECURE) {
|
||||||
case SUDO_PATH_MISSING:
|
if (sudoers_warnings) {
|
||||||
debug_return_bool(false);
|
switch (status) {
|
||||||
case SUDO_PATH_BAD_TYPE:
|
case SUDO_PATH_BAD_TYPE:
|
||||||
errno = ENOTDIR;
|
errno = ENOTDIR;
|
||||||
if (sudoers_warnings) {
|
|
||||||
sudo_warn("%s", path);
|
sudo_warn("%s", path);
|
||||||
}
|
break;
|
||||||
debug_return_bool(false);
|
case SUDO_PATH_WRONG_OWNER:
|
||||||
case SUDO_PATH_WRONG_OWNER:
|
|
||||||
if (sudoers_warnings) {
|
|
||||||
sudo_warnx(U_("%s is owned by uid %u, should be %u"),
|
sudo_warnx(U_("%s is owned by uid %u, should be %u"),
|
||||||
path, (unsigned int) sb.st_uid,
|
path, (unsigned int) sb.st_uid,
|
||||||
(unsigned int) sudoers_uid);
|
(unsigned int) sudoers_uid);
|
||||||
}
|
break;
|
||||||
debug_return_bool(false);
|
case SUDO_PATH_WORLD_WRITABLE:
|
||||||
case SUDO_PATH_WORLD_WRITABLE:
|
|
||||||
if (sudoers_warnings) {
|
|
||||||
sudo_warnx(U_("%s is world writable"), path);
|
sudo_warnx(U_("%s is world writable"), path);
|
||||||
}
|
break;
|
||||||
debug_return_bool(false);
|
case SUDO_PATH_GROUP_WRITABLE:
|
||||||
case SUDO_PATH_GROUP_WRITABLE:
|
|
||||||
if (sudoers_warnings) {
|
|
||||||
sudo_warnx(U_("%s is owned by gid %u, should be %u"),
|
sudo_warnx(U_("%s is owned by gid %u, should be %u"),
|
||||||
path, (unsigned int) sb.st_gid,
|
path, (unsigned int) sb.st_gid,
|
||||||
(unsigned int) sudoers_gid);
|
(unsigned int) sudoers_gid);
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
break;
|
||||||
}
|
}
|
||||||
debug_return_bool(false);
|
}
|
||||||
default:
|
/* A missing or insecure include dir is not a fatal error. */
|
||||||
/* NOTREACHED */
|
debug_return_bool(true);
|
||||||
debug_return_bool(false);
|
|
||||||
}
|
}
|
||||||
count = switch_dir(&istack[idepth], path);
|
count = switch_dir(&istack[idepth], path);
|
||||||
if (count <= 0) {
|
if (count <= 0) {
|
||||||
@@ -4285,6 +4286,11 @@ push_include_int(char *path, bool isdir)
|
|||||||
debug_return_bool(true);
|
debug_return_bool(true);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Restore the previous sudoers file and buffer, or, in the case
|
||||||
|
* of an includedir, switch to the next file in the dir.
|
||||||
|
* Returns false if there is nothing to pop, else true.
|
||||||
|
*/
|
||||||
static bool
|
static bool
|
||||||
pop_include(void)
|
pop_include(void)
|
||||||
{
|
{
|
||||||
|
@@ -319,8 +319,8 @@ DEFVAR [a-z_]+
|
|||||||
LEXTRACE("INCLUDEDIR\n");
|
LEXTRACE("INCLUDEDIR\n");
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Push current buffer and switch to include file.
|
* Push current buffer and switch to include file,
|
||||||
* We simply ignore empty directories.
|
* ignoring missing or empty directories.
|
||||||
*/
|
*/
|
||||||
if (!push_includedir(path))
|
if (!push_includedir(path))
|
||||||
yyterminate();
|
yyterminate();
|
||||||
@@ -902,6 +902,12 @@ init_lexer(void)
|
|||||||
debug_return;
|
debug_return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Open an include file (or file from a directory), push the old
|
||||||
|
* sudoers file buffer and switch to the new one.
|
||||||
|
* A missing or insecure include dir is simply ignored.
|
||||||
|
* Returns false on error, else true.
|
||||||
|
*/
|
||||||
static bool
|
static bool
|
||||||
push_include_int(char *path, bool isdir)
|
push_include_int(char *path, bool isdir)
|
||||||
{
|
{
|
||||||
@@ -929,40 +935,35 @@ push_include_int(char *path, bool isdir)
|
|||||||
SLIST_INIT(&istack[idepth].more);
|
SLIST_INIT(&istack[idepth].more);
|
||||||
if (isdir) {
|
if (isdir) {
|
||||||
struct stat sb;
|
struct stat sb;
|
||||||
int count;
|
int count, status;
|
||||||
switch (sudo_secure_dir(path, sudoers_uid, sudoers_gid, &sb)) {
|
|
||||||
case SUDO_PATH_SECURE:
|
status = sudo_secure_dir(path, sudoers_uid, sudoers_gid, &sb);
|
||||||
break;
|
if (status != SUDO_PATH_SECURE) {
|
||||||
case SUDO_PATH_MISSING:
|
if (sudoers_warnings) {
|
||||||
debug_return_bool(false);
|
switch (status) {
|
||||||
case SUDO_PATH_BAD_TYPE:
|
case SUDO_PATH_BAD_TYPE:
|
||||||
errno = ENOTDIR;
|
errno = ENOTDIR;
|
||||||
if (sudoers_warnings) {
|
|
||||||
sudo_warn("%s", path);
|
sudo_warn("%s", path);
|
||||||
}
|
break;
|
||||||
debug_return_bool(false);
|
case SUDO_PATH_WRONG_OWNER:
|
||||||
case SUDO_PATH_WRONG_OWNER:
|
|
||||||
if (sudoers_warnings) {
|
|
||||||
sudo_warnx(U_("%s is owned by uid %u, should be %u"),
|
sudo_warnx(U_("%s is owned by uid %u, should be %u"),
|
||||||
path, (unsigned int) sb.st_uid,
|
path, (unsigned int) sb.st_uid,
|
||||||
(unsigned int) sudoers_uid);
|
(unsigned int) sudoers_uid);
|
||||||
}
|
break;
|
||||||
debug_return_bool(false);
|
case SUDO_PATH_WORLD_WRITABLE:
|
||||||
case SUDO_PATH_WORLD_WRITABLE:
|
|
||||||
if (sudoers_warnings) {
|
|
||||||
sudo_warnx(U_("%s is world writable"), path);
|
sudo_warnx(U_("%s is world writable"), path);
|
||||||
}
|
break;
|
||||||
debug_return_bool(false);
|
case SUDO_PATH_GROUP_WRITABLE:
|
||||||
case SUDO_PATH_GROUP_WRITABLE:
|
|
||||||
if (sudoers_warnings) {
|
|
||||||
sudo_warnx(U_("%s is owned by gid %u, should be %u"),
|
sudo_warnx(U_("%s is owned by gid %u, should be %u"),
|
||||||
path, (unsigned int) sb.st_gid,
|
path, (unsigned int) sb.st_gid,
|
||||||
(unsigned int) sudoers_gid);
|
(unsigned int) sudoers_gid);
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
break;
|
||||||
}
|
}
|
||||||
debug_return_bool(false);
|
}
|
||||||
default:
|
/* A missing or insecure include dir is not a fatal error. */
|
||||||
/* NOTREACHED */
|
debug_return_bool(true);
|
||||||
debug_return_bool(false);
|
|
||||||
}
|
}
|
||||||
count = switch_dir(&istack[idepth], path);
|
count = switch_dir(&istack[idepth], path);
|
||||||
if (count <= 0) {
|
if (count <= 0) {
|
||||||
@@ -1002,6 +1003,11 @@ push_include_int(char *path, bool isdir)
|
|||||||
debug_return_bool(true);
|
debug_return_bool(true);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Restore the previous sudoers file and buffer, or, in the case
|
||||||
|
* of an includedir, switch to the next file in the dir.
|
||||||
|
* Returns false if there is nothing to pop, else true.
|
||||||
|
*/
|
||||||
static bool
|
static bool
|
||||||
pop_include(void)
|
pop_include(void)
|
||||||
{
|
{
|
||||||
|
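Review bot: The new early `debug_return_bool(true);` in the `status != SUDO_PATH_SECURE` branch of push_include_int (the -929,40 +935,35 hunk) returns without disposing of `path`, and because the non-fatal return now lets lexing continue, whatever ownership of that string this function takes is dropped on every ignored directory, whereas the old `false` return ended lexing and made the question moot. If the caller hands over a heap-allocated string (the non-const `char *` parameter suggests it; confirm against the lexer rule that calls push_includedir and against how the `count <= 0` branch just below the hunk releases it), mirror that disposal here with `free(path);` immediately before `debug_return_bool(true);`. The rule comment in the -319 hunk now undersells what is skipped, since insecure directories are ignored as well as missing or empty ones, so I would write it as `* ignoring missing, empty or insecure directories.` to match the function header comment added in the -902 hunk. The same function body appears in the first section, which looks like the flex-generated lexer, and should be regenerated from the .l file rather than patched by hand. push_include_int begins and ends outside the hunk on both sides.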