Convert perm setting to push/pop model; still needs some work
Use the stashed runas groups instead of calling getgrouplist(). Reset perms to the initial value on error.
@@ -136,7 +136,7 @@ verify_user(struct passwd *pw, char *prompt)
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (NEEDS_USER(auth))
|
if (NEEDS_USER(auth))
|
||||||
set_perms(PERM_ROOT);
|
restore_perms();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -158,7 +158,7 @@ verify_user(struct passwd *pw, char *prompt)
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (NEEDS_USER(auth))
|
if (NEEDS_USER(auth))
|
||||||
set_perms(PERM_ROOT);
|
restore_perms();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -180,7 +180,7 @@ verify_user(struct passwd *pw, char *prompt)
|
|||||||
success = auth->status = (auth->verify)(pw, (char *)p, auth);
|
success = auth->status = (auth->verify)(pw, (char *)p, auth);
|
||||||
|
|
||||||
if (NEEDS_USER(auth))
|
if (NEEDS_USER(auth))
|
||||||
set_perms(PERM_ROOT);
|
restore_perms();
|
||||||
|
|
||||||
if (auth->status != AUTH_FAILURE)
|
if (auth->status != AUTH_FAILURE)
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
@@ -210,7 +210,7 @@ cleanup:
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (NEEDS_USER(auth))
|
if (NEEDS_USER(auth))
|
||||||
set_perms(PERM_ROOT);
|
restore_perms();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
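Review bot: Each `set_perms(PERM_ROOT)` in verify_user() is replaced by `restore_perms()` (hunks at 136, 158, 180 and 210), which only lands on the right privilege level if exactly one push happened on the matching path before it; those pushes are presumably the NEEDS_USER drops to the invoking user's privileges, but they sit outside these hunks, so the balance cannot be confirmed here. With the old code an explicit PERM_ROOT acted as a safety net regardless of what came before; with a stack, an unmatched pop or a pop on an empty stack leaves the process at whatever level the stack holds, and since this commit also makes restore_perms() void the caller cannot notice. Suggest a comment at each pop, e.g. `/* pop the user-privilege level pushed before the auth method ran */`, and documenting in restore_perms() what happens on an empty stack. verify_user() begins and ends outside these hunks.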
@@ -126,6 +126,10 @@ extern int sudo_edit(int, char **, char **);
|
|||||||
void validate_env_vars(struct list_member *);
|
void validate_env_vars(struct list_member *);
|
||||||
void insert_env_vars(struct list_member *);
|
void insert_env_vars(struct list_member *);
|
||||||
|
|
||||||
|
/* XXX */
|
||||||
|
extern int runas_ngroups;
|
||||||
|
extern GETGROUPS_T *runas_groups;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Globals
|
* Globals
|
||||||
*/
|
*/
|
||||||
@@ -182,6 +186,7 @@ sudoers_policy_open(unsigned int version, sudo_conv_t conversation,
|
|||||||
|
|
||||||
if (sigsetjmp(error_jmp, 1)) {
|
if (sigsetjmp(error_jmp, 1)) {
|
||||||
/* called via error(), errorx() or log_error() */
|
/* called via error(), errorx() or log_error() */
|
||||||
|
rewind_perms();
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -220,6 +225,8 @@ sudoers_policy_open(unsigned int version, sudo_conv_t conversation,
|
|||||||
/* Parse nsswitch.conf for sudoers order. */
|
/* Parse nsswitch.conf for sudoers order. */
|
||||||
snl = sudo_read_nss();
|
snl = sudo_read_nss();
|
||||||
|
|
||||||
|
set_perms(PERM_INITIAL);
|
||||||
|
|
||||||
/* Open and parse sudoers, set global defaults */
|
/* Open and parse sudoers, set global defaults */
|
||||||
tq_foreach_fwd(snl, nss) {
|
tq_foreach_fwd(snl, nss) {
|
||||||
if (nss->open(nss) == 0 && nss->parse(nss) == 0) {
|
if (nss->open(nss) == 0 && nss->parse(nss) == 0) {
|
||||||
@@ -255,6 +262,8 @@ sudoers_policy_open(unsigned int version, sudo_conv_t conversation,
|
|||||||
/* Initialize environment functions (including replacements). */
|
/* Initialize environment functions (including replacements). */
|
||||||
env_init(envp);
|
env_init(envp);
|
||||||
|
|
||||||
|
restore_perms();
|
||||||
|
|
||||||
return TRUE;
|
return TRUE;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -286,9 +295,12 @@ sudoers_policy_main(int argc, char * const argv[], char *env_add[],
|
|||||||
|
|
||||||
if (sigsetjmp(error_jmp, 1)) {
|
if (sigsetjmp(error_jmp, 1)) {
|
||||||
/* error recovery via error(), errorx() or log_error() */
|
/* error recovery via error(), errorx() or log_error() */
|
||||||
|
rewind_perms();
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
set_perms(PERM_INITIAL);
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Make a local copy of argc/argv, with special handling
|
* Make a local copy of argc/argv, with special handling
|
||||||
* for the '-e', '-i' or '-s' options.
|
* for the '-e', '-i' or '-s' options.
|
||||||
@@ -530,32 +542,22 @@ sudoers_policy_main(int argc, char * const argv[], char *env_add[],
|
|||||||
}
|
}
|
||||||
if (def_preserve_groups) {
|
if (def_preserve_groups) {
|
||||||
command_info[info_len++] = "preserve_groups=true";
|
command_info[info_len++] = "preserve_groups=true";
|
||||||
} else {
|
} else if (runas_ngroups != -1) {
|
||||||
/* XXX - what about when runas user has no passwd entry? */
|
int i, len;
|
||||||
#ifdef HAVE_GETGRSET
|
|
||||||
char *gid_list = getgrset(runas_pw->pw_name);
|
|
||||||
easprintf(&command_info[info_len++], "runas_groups=%s", gid_list);
|
|
||||||
efree(gid_list);
|
|
||||||
#else
|
|
||||||
gid_t groups[NGROUPS_MAX * 2]; /* should use sysconf */
|
|
||||||
int i, len, ngroups = NGROUPS_MAX * 2;
|
|
||||||
size_t glsize;
|
size_t glsize;
|
||||||
char *cp, *gid_list;
|
char *cp, *gid_list;
|
||||||
|
|
||||||
/* XXX - rval */
|
glsize = sizeof("runas_groups=") - 1 + (runas_ngroups * (MAX_UID_T_LEN + 1));
|
||||||
getgrouplist(runas_pw->pw_name, runas_pw->pw_gid, groups, &ngroups);
|
|
||||||
glsize = sizeof("runas_groups=") - 1 + (user_ngroups * (MAX_UID_T_LEN + 1));
|
|
||||||
gid_list = emalloc(glsize);
|
gid_list = emalloc(glsize);
|
||||||
memcpy(gid_list, "runas_groups=", sizeof("runas_groups=") - 1);
|
memcpy(gid_list, "runas_groups=", sizeof("runas_groups=") - 1);
|
||||||
cp = gid_list + sizeof("runas_groups=") - 1;
|
cp = gid_list + sizeof("runas_groups=") - 1;
|
||||||
for (i = 0; i < ngroups; i++) {
|
for (i = 0; i < runas_ngroups; i++) {
|
||||||
/* XXX - check rval */
|
/* XXX - check rval */
|
||||||
len = snprintf(cp, glsize - (cp - gid_list), "%s%lu",
|
len = snprintf(cp, glsize - (cp - gid_list), "%s%lu",
|
||||||
i ? "," : "", (unsigned long)groups[i]);
|
i ? "," : "", (unsigned long)runas_groups[i]);
|
||||||
cp += len;
|
cp += len;
|
||||||
}
|
}
|
||||||
command_info[info_len++] = gid_list;
|
command_info[info_len++] = gid_list;
|
||||||
#endif
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Must audit before uid change. */
|
/* Must audit before uid change. */
|
||||||
@@ -568,6 +570,8 @@ sudoers_policy_main(int argc, char * const argv[], char *env_add[],
|
|||||||
|
|
||||||
rval = TRUE;
|
rval = TRUE;
|
||||||
|
|
||||||
|
restore_perms();
|
||||||
|
|
||||||
done:
|
done:
|
||||||
return rval;
|
return rval;
|
||||||
}
|
}
|
||||||
|
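Review bot: In the hunk at 530 the loop still trusts snprintf()'s return value (`cp += len`) even though gid_list is sized exactly (`runas_ngroups * (MAX_UID_T_LEN + 1)` plus the prefix), so if any formatted gid is wider than MAX_UID_T_LEN or snprintf() fails, cp advances past the end and the next iteration's `glsize - (cp - gid_list)` wraps as size_t, turning the bounded write into an unbounded one. The `/* XXX - check rval */` marker was carried over from the old code, so the gap is not new, but the values now come from the stashed runas_groups array rather than a fresh getgrouplist() call, and the sizing of that array is not visible here. Suggest `if (len < 0 || (size_t)len >= glsize - (size_t)(cp - gid_list)) errorx(1, "runas_groups list truncated");` before `cp += len;`, which lands on the same errorx() recovery path the commit now pairs with rewind_perms(). The `runas_ngroups != -1` guard presumably means "groups not collected"; the new `extern int runas_ngroups;` declaration only says `/* XXX */`, and a comment naming the file that sets it and the meaning of -1 would help. sudoers_policy_main() begins and ends outside the hunk.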
@@ -236,8 +236,9 @@ int sudo_file_display_cmnd(struct sudo_nss *, struct passwd *);
|
|||||||
int sudo_file_display_defaults(struct sudo_nss *, struct passwd *, struct lbuf *);
|
int sudo_file_display_defaults(struct sudo_nss *, struct passwd *, struct lbuf *);
|
||||||
int sudo_file_display_bound_defaults(struct sudo_nss *, struct passwd *, struct lbuf *);
|
int sudo_file_display_bound_defaults(struct sudo_nss *, struct passwd *, struct lbuf *);
|
||||||
int sudo_file_display_privs(struct sudo_nss *, struct passwd *, struct lbuf *);
|
int sudo_file_display_privs(struct sudo_nss *, struct passwd *, struct lbuf *);
|
||||||
|
void rewind_perms(void);
|
||||||
int set_perms(int);
|
int set_perms(int);
|
||||||
int restore_perms(void);
|
void restore_perms(void);
|
||||||
void remove_timestamp(int);
|
void remove_timestamp(int);
|
||||||
int check_secureware(char *);
|
int check_secureware(char *);
|
||||||
void sia_attempt_auth(void);
|
void sia_attempt_auth(void);
|
||||||
|
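Review bot: The new `void rewind_perms(void);` and the changed `void restore_perms(void);` carry no comment describing the stack discipline the rest of the commit relies on, and dropping restore_perms()'s int return means the call sites in verify_user() and sudoers_policy_open()/sudoers_policy_main() can no longer see a failed pop. If restore_perms() is meant to error() out rather than return on failure (set_perms.c is not shown here), state that on the declaration; otherwise keep the int return so a failed privilege change stays visible to callers. Suggest above the three prototypes: `/* Privilege state is a stack: set_perms() pushes a level, restore_perms() pops to the previous one, rewind_perms() unwinds to the initial level (error recovery path). */`.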
@@ -363,10 +363,14 @@ init_envtables()
|
|||||||
}
|
}
|
||||||
|
|
||||||
int
|
int
|
||||||
set_perms(perm)
|
set_perms(int perm)
|
||||||
int perm;
|
{
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
void
|
||||||
|
restore_perms(void)
|
||||||
{
|
{
|
||||||
return(1);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
void
|
void
|
||||||
|
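Review bot: The `set_perms(int perm)` stub in the hunk at 363 ignores its argument, so builds with `-Wunused-parameter` will warn on it; add `(void)perm;` before `return 1;`. Neither stub says why it exists, and a one-line comment such as `/* test program runs unprivileged; privilege changes are no-ops here */` would stop someone from "fixing" them later. The header in this commit now also declares rewind_perms(); whether anything linked into this test program calls it cannot be told from the hunk, so check that a matching stub is not needed. The hunk ends at the `void` opening the next function, whose body is outside it.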