isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add support for base64-encoding non-safe strings in LDIF output.

Browse Source
This commit is contained in:
Todd C. Miller
2018-05-20 07:01:26 -06:00
parent 574c9fcd7a
commit 1bc8e9abfd
4 changed files with 204 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
MANIFEST
View File

@@ -431,6 +431,8 @@ plugins/sudoers/regress/cvtsudoers/test24.out.ok
plugins/sudoers/regress/cvtsudoers/test24.sh plugins/sudoers/regress/cvtsudoers/test24.sh
plugins/sudoers/regress/cvtsudoers/test25.out.ok plugins/sudoers/regress/cvtsudoers/test25.out.ok
plugins/sudoers/regress/cvtsudoers/test25.sh plugins/sudoers/regress/cvtsudoers/test25.sh
plugins/sudoers/regress/cvtsudoers/test26.out.ok
plugins/sudoers/regress/cvtsudoers/test26.sh
plugins/sudoers/regress/cvtsudoers/test3.out.ok plugins/sudoers/regress/cvtsudoers/test3.out.ok
plugins/sudoers/regress/cvtsudoers/test3.sh plugins/sudoers/regress/cvtsudoers/test3.sh
plugins/sudoers/regress/cvtsudoers/test4.out.ok plugins/sudoers/regress/cvtsudoers/test4.out.ok

223
plugins/sudoers/cvtsudoers_ldif.c
View File

@@ -60,6 +60,61 @@ seen_user_free(void *v)
free(su); free(su);
} }
static bool
safe_string(const char *str)
{
unsigned int ch = *str++;
debug_decl(safe_string, SUDOERS_DEBUG_UTIL)
/* Initial char must be <= 127 and not LF, CR, SPACE, ':', '<' */
switch (ch) {
case '\n':
case '\r':
case ' ':
case ':':
case '<':
debug_return_bool(false);
default:
if (ch > 127)
debug_return_bool(false);
}
/* Any value <= 127 decimal except NUL, LF, and CR is safe */
while ((ch = *str++) != '\0') {
if (ch > 127 || ch == '\n' || ch == '\r')
debug_return_bool(false);
}
debug_return_bool(true);
}
static bool
print_attribute_ldif(FILE *fp, const char *name, const char *value)
{
char *encoded = NULL;
size_t esize;
debug_decl(print_attribute_ldif, SUDOERS_DEBUG_UTIL)
if (!safe_string(value)) {
const size_t vlen = strlen(value);
esize = ((vlen + 2) / 3 * 4) + 1;
if ((encoded = malloc(esize)) == NULL)
debug_return_bool(false);
if (base64_encode(value, vlen, encoded, esize) == (size_t)-1) {
free(encoded);
debug_return_bool(false);
}
fprintf(fp, "%s:: %s\n", name, encoded);
free(encoded);
} else if (*value != '\0') {
fprintf(fp, "%s: %s\n", name, value);
} else {
fprintf(fp, "%s:\n", name);
}
debug_return_bool(true);
}
/* /*
* Print sudoOptions from a defaults_list. * Print sudoOptions from a defaults_list.
*/ */
@@ -67,6 +122,8 @@ static bool
print_options_ldif(FILE *fp, struct defaults_list *options) print_options_ldif(FILE *fp, struct defaults_list *options)
{ {
struct defaults *opt; struct defaults *opt;
char *attr_val;
int len;
debug_decl(print_options_ldif, SUDOERS_DEBUG_UTIL) debug_decl(print_options_ldif, SUDOERS_DEBUG_UTIL)
TAILQ_FOREACH(opt, options, entries) { TAILQ_FOREACH(opt, options, entries) {
@@ -75,13 +132,19 @@ print_options_ldif(FILE *fp, struct defaults_list *options)
if (opt->val != NULL) { if (opt->val != NULL) {
/* There is no need to double quote values here. */ /* There is no need to double quote values here. */
fprintf(fp, "sudoOption: %s%s%s\n", opt->var, len = asprintf(&attr_val, "%s%s%s", opt->var,
opt->op == '+' ? "+=" : opt->op == '-' ? "-=" : "=", opt->val); opt->op == '+' ? "+=" : opt->op == '-' ? "-=" : "=", opt->val);
} else { } else {
/* Boolean flag. */ /* Boolean flag. */
fprintf(fp, "sudoOption: %s%s\n", opt->op == false ? "!" : "", len = asprintf(&attr_val, "%s%s",
opt->var); opt->op == false ? "!" : "", opt->var);
} }
if (len == -1) {
sudo_fatalx(U_("%s: %s"), __func__,
U_("unable to allocate memory"));
}
print_attribute_ldif(fp, "sudoOption", attr_val);
free(attr_val);
} }
debug_return_bool(!ferror(fp)); debug_return_bool(!ferror(fp));
@@ -96,6 +159,7 @@ print_global_defaults_ldif(FILE *fp, const char *base)
unsigned int count = 0; unsigned int count = 0;
struct sudo_lbuf lbuf; struct sudo_lbuf lbuf;
struct defaults *opt; struct defaults *opt;
char *dn;
debug_decl(print_global_defaults_ldif, SUDOERS_DEBUG_UTIL) debug_decl(print_global_defaults_ldif, SUDOERS_DEBUG_UTIL)
sudo_lbuf_init(&lbuf, NULL, 0, NULL, 80); sudo_lbuf_init(&lbuf, NULL, 0, NULL, 80);
@@ -117,11 +181,16 @@ print_global_defaults_ldif(FILE *fp, const char *base)
if (count == 0) if (count == 0)
debug_return_bool(true); debug_return_bool(true);
fprintf(fp, "dn: cn=defaults,%s\n", base); if (asprintf(&dn, "cn=defaults,%s", base) == -1) {
fputs("objectClass: top\n", fp); sudo_fatalx(U_("%s: %s"), __func__,
fputs("objectClass: sudoRole\n", fp); U_("unable to allocate memory"));
fputs("cn: defaults\n", fp); }
fputs("description: Default sudoOption's go here\n", fp); print_attribute_ldif(fp, "dn", dn);
free(dn);
print_attribute_ldif(fp, "objectClass", "top");
print_attribute_ldif(fp, "objectClass", "sudoRole");
print_attribute_ldif(fp, "cn", "defaults");
print_attribute_ldif(fp, "description", "Default sudoOption's go here");
print_options_ldif(fp, &defaults); print_options_ldif(fp, &defaults);
putc('\n', fp); putc('\n', fp);
@@ -130,50 +199,60 @@ print_global_defaults_ldif(FILE *fp, const char *base)
} }
/* /*
* Print struct member in LDIF format, with specified prefix. * Print struct member in LDIF format as the specified attribute.
* See print_member_int() in parse.c. * See print_member_int() in parse.c.
*/ */
static void static void
print_member_ldif(FILE *fp, char *name, int type, bool negated, print_member_ldif(FILE *fp, char *name, int type, bool negated,
int alias_type, const char *prefix) int alias_type, const char *attr_name)
{ {
struct alias *a; struct alias *a;
struct member *m; struct member *m;
struct sudo_command *c; struct sudo_command *c;
char *attr_val;
int len;
debug_decl(print_member_ldif, SUDOERS_DEBUG_UTIL) debug_decl(print_member_ldif, SUDOERS_DEBUG_UTIL)
switch (type) { switch (type) {
case ALL: case ALL:
fprintf(fp, "%s: %sALL\n", prefix, negated ? "!" : ""); print_attribute_ldif(fp, attr_name, negated ? "!ALL" : "ALL");
break; break;
case MYSELF: case MYSELF:
/* Only valid for sudoRunasUser */ /* Only valid for sudoRunasUser */
fprintf(fp, "%s:\n", prefix); print_attribute_ldif(fp, attr_name, "");
break; break;
case COMMAND: case COMMAND:
c = (struct sudo_command *)name; c = (struct sudo_command *)name;
fprintf(fp, "%s: ", prefix); len = asprintf(&attr_val, "%s%s%s%s%s%s%s%s",
if (c->digest != NULL) { c->digest ? digest_type_to_name(c->digest->digest_type) : "",
fprintf(fp, "%s:%s ", digest_type_to_name(c->digest->digest_type), c->digest ? ":" : "", c->digest ? c->digest->digest_str : "",
c->digest->digest_str); c->digest ? " " : "", negated ? "!" : "", c->cmnd,
c->args ? " " : "", c->args ? c->args : "");
if (len == -1) {
sudo_fatalx(U_("%s: %s"), __func__,
U_("unable to allocate memory"));
} }
fprintf(fp, "%s%s", negated ? "!" : "", c->cmnd); print_attribute_ldif(fp, attr_name, attr_val);
if (c->args != NULL) free(attr_val);
fprintf(fp, " %s", c->args);
putc('\n', fp);
break; break;
case ALIAS: case ALIAS:
if ((a = alias_get(name, alias_type)) != NULL) { if ((a = alias_get(name, alias_type)) != NULL) {
TAILQ_FOREACH(m, &a->members, entries) { TAILQ_FOREACH(m, &a->members, entries) {
print_member_ldif(fp, m->name, m->type, print_member_ldif(fp, m->name, m->type,
negated ? !m->negated : m->negated, alias_type, prefix); negated ? !m->negated : m->negated, alias_type, attr_name);
} }
alias_put(a); alias_put(a);
break; break;
} }
/* FALLTHROUGH */ /* FALLTHROUGH */
default: default:
fprintf(fp, "%s: %s%s\n", prefix, negated ? "!" : "", name); len = asprintf(&attr_val, "%s%s", negated ? "!" : "", name);
if (len == -1) {
sudo_fatalx(U_("%s: %s"), __func__,
U_("unable to allocate memory"));
}
print_attribute_ldif(fp, attr_name, attr_val);
free(attr_val);
break; break;
} }
@@ -219,7 +298,7 @@ print_cmndspec_ldif(FILE *fp, struct cmndspec *cs, struct cmndspec **nextp, stru
if (strftime(timebuf, sizeof(timebuf), "%Y%m%d%H%M%SZ", tp) == 0) { if (strftime(timebuf, sizeof(timebuf), "%Y%m%d%H%M%SZ", tp) == 0) {
sudo_warnx(U_("unable to format timestamp")); sudo_warnx(U_("unable to format timestamp"));
} else { } else {
fprintf(fp, "sudoNotBefore: %s\n", timebuf); print_attribute_ldif(fp, "sudoNotBefore", timebuf);
} }
} }
} }
@@ -230,14 +309,20 @@ print_cmndspec_ldif(FILE *fp, struct cmndspec *cs, struct cmndspec **nextp, stru
if (strftime(timebuf, sizeof(timebuf), "%Y%m%d%H%M%SZ", tp) == 0) { if (strftime(timebuf, sizeof(timebuf), "%Y%m%d%H%M%SZ", tp) == 0) {
sudo_warnx(U_("unable to format timestamp")); sudo_warnx(U_("unable to format timestamp"));
} else { } else {
fprintf(fp, "sudoNotAfter: %s\n", timebuf); print_attribute_ldif(fp, "sudoNotAfter", timebuf);
} }
} }
} }
/* Print timeout as a sudoOption. */ /* Print timeout as a sudoOption. */
if (cs->timeout > 0) { if (cs->timeout > 0) {
fprintf(fp, "sudoOption: command_timeout=%d\n", cs->timeout); char *attr_val;
if (asprintf(&attr_val, "command_timeout=%d", cs->timeout) == -1) {
sudo_fatalx(U_("%s: %s"), __func__,
U_("unable to allocate memory"));
}
print_attribute_ldif(fp, "sudoOption", attr_val);
free(attr_val);
} }
/* Print tags as sudoOption attributes */ /* Print tags as sudoOption attributes */
@@ -245,31 +330,37 @@ print_cmndspec_ldif(FILE *fp, struct cmndspec *cs, struct cmndspec **nextp, stru
struct cmndtag tag = cs->tags; struct cmndtag tag = cs->tags;
if (tag.nopasswd != UNSPEC) { if (tag.nopasswd != UNSPEC) {
fprintf(fp, "sudoOption: %sauthenticate\n", tag.nopasswd ? "!" : ""); print_attribute_ldif(fp, "sudoOption",
tag.nopasswd ? "!authenticate" : "authenticate");
} }
if (tag.noexec != UNSPEC) { if (tag.noexec != UNSPEC) {
fprintf(fp, "sudoOption: %snoexec\n", tag.noexec ? "" : "!"); print_attribute_ldif(fp, "sudoOption",
tag.noexec ? "noexec" : "!noexec");
} }
if (tag.send_mail != UNSPEC) { if (tag.send_mail != UNSPEC) {
if (tag.send_mail) { if (tag.send_mail) {
fprintf(fp, "sudoOption: mail_all_cmnds\n"); print_attribute_ldif(fp, "sudoOption", "mail_all_cmnds");
} else { } else {
fprintf(fp, "sudoOption: !mail_all_cmnds\n"); print_attribute_ldif(fp, "sudoOption", "!mail_all_cmnds");
fprintf(fp, "sudoOption: !mail_always\n"); print_attribute_ldif(fp, "sudoOption", "!mail_always");
fprintf(fp, "sudoOption: !mail_no_perms\n"); print_attribute_ldif(fp, "sudoOption", "!mail_no_perms");
} }
} }
if (tag.setenv != UNSPEC && tag.setenv != IMPLIED) { if (tag.setenv != UNSPEC && tag.setenv != IMPLIED) {
fprintf(fp, "sudoOption: %ssetenv\n", tag.setenv ? "" : "!"); print_attribute_ldif(fp, "sudoOption",
tag.setenv ? "setenv" : "!setenv");
} }
if (tag.follow != UNSPEC) { if (tag.follow != UNSPEC) {
fprintf(fp, "sudoOption: %ssudoedit_follow\n", tag.follow ? "" : "!"); print_attribute_ldif(fp, "sudoOption",
tag.follow ? "sudoedit_follow" : "!sudoedit_follow");
} }
if (tag.log_input != UNSPEC) { if (tag.log_input != UNSPEC) {
fprintf(fp, "sudoOption: %slog_input\n", tag.log_input ? "" : "!"); print_attribute_ldif(fp, "sudoOption",
tag.log_input ? "log_input" : "!log_input");
} }
if (tag.log_output != UNSPEC) { if (tag.log_output != UNSPEC) {
fprintf(fp, "sudoOption: %slog_output\n", tag.log_output ? "" : "!"); print_attribute_ldif(fp, "sudoOption",
tag.log_output ? "log_output" : "!log_output");
} }
} }
print_options_ldif(fp, options); print_options_ldif(fp, options);
@@ -277,18 +368,49 @@ print_cmndspec_ldif(FILE *fp, struct cmndspec *cs, struct cmndspec **nextp, stru
#ifdef HAVE_SELINUX #ifdef HAVE_SELINUX
/* Print SELinux role/type */ /* Print SELinux role/type */
if (cs->role != NULL && cs->type != NULL) { if (cs->role != NULL && cs->type != NULL) {
fprintf(fp, "sudoOption: role=%s\n", cs->role); char *attr_val;
fprintf(fp, "sudoOption: type=%s\n", cs->type);
len = asprintf(&attr_val, "role=%s", cs->role);
if (len == -1) {
sudo_fatalx(U_("%s: %s"), __func__,
U_("unable to allocate memory"));
}
print_attribute_ldif(fp, "sudoOption", attr_val);
free(attr_val);
len = asprintf(&attr_val, "type=%s", cs->type);
if (len == -1) {
sudo_fatalx(U_("%s: %s"), __func__,
U_("unable to allocate memory"));
}
print_attribute_ldif(fp, "sudoOption", attr_val);
free(attr_val);
} }
#endif /* HAVE_SELINUX */ #endif /* HAVE_SELINUX */
#ifdef HAVE_PRIV_SET #ifdef HAVE_PRIV_SET
/* Print Solaris privs/limitprivs */ /* Print Solaris privs/limitprivs */
if (cs->privs != NULL || cs->limitprivs != NULL) { if (cs->privs != NULL || cs->limitprivs != NULL) {
if (cs->privs != NULL) char *attr_val;
fprintf(fp, "sudoOption: privs=%s\n", cs->privs);
if (cs->limitprivs != NULL) if (cs->privs != NULL) {
fprintf(fp, "sudoOption: limitprivs=%s\n", cs->limitprivs); len = asprintf(&attr_val, "privs=%s", cs->privs);
if (len == -1) {
sudo_fatalx(U_("%s: %s"), __func__,
U_("unable to allocate memory"));
}
print_attribute_ldif(fp, "sudoOption", attr_val);
free(attr_val);
}
if (cs->limitprivs != NULL) {
len = asprintf(&attr_val, "limitprivs=%s", cs->limitprivs);
if (len == -1) {
sudo_fatalx(U_("%s: %s"), __func__,
U_("unable to allocate memory"));
}
print_attribute_ldif(fp, "sudoOption", attr_val);
free(attr_val);
}
} }
#endif /* HAVE_PRIV_SET */ #endif /* HAVE_PRIV_SET */
@@ -419,7 +541,8 @@ print_userspec_ldif(FILE *fp, struct userspec *us, struct cvtsudoers_config *con
*/ */
TAILQ_FOREACH(priv, &us->privileges, entries) { TAILQ_FOREACH(priv, &us->privileges, entries) {
TAILQ_FOREACH_SAFE(cs, &priv->cmndlist, entries, next) { TAILQ_FOREACH_SAFE(cs, &priv->cmndlist, entries, next) {
char *cn; const char *base = conf->sudoers_base;
char *cn, *dn;
/* /*
* Increment the number of times we have seen this user. * Increment the number of times we have seen this user.
@@ -427,16 +550,17 @@ print_userspec_ldif(FILE *fp, struct userspec *us, struct cvtsudoers_config *con
*/ */
m = TAILQ_FIRST(&us->users); m = TAILQ_FIRST(&us->users);
cn = user_to_cn(m->type == ALL ? "ALL" : m->name); cn = user_to_cn(m->type == ALL ? "ALL" : m->name);
if (cn == NULL) { if (cn == NULL || asprintf(&dn, "cn=%s,%s", cn, base) == -1) {
sudo_fatalx(U_("%s: %s"), __func__, sudo_fatalx(U_("%s: %s"), __func__,
U_("unable to allocate memory")); U_("unable to allocate memory"));
} }
fprintf(fp, "dn: cn=%s,%s\n", cn, conf->sudoers_base); print_attribute_ldif(fp, "dn", dn);
fprintf(fp, "objectClass: top\n"); print_attribute_ldif(fp, "objectClass", "top");
fprintf(fp, "objectClass: sudoRole\n"); print_attribute_ldif(fp, "objectClass", "sudoRole");
fprintf(fp, "cn: %s\n", cn); print_attribute_ldif(fp, "cn", cn);
free(cn); free(cn);
free(dn);
TAILQ_FOREACH(m, &us->users, entries) { TAILQ_FOREACH(m, &us->users, entries) {
print_member_ldif(fp, m->name, m->type, m->negated, print_member_ldif(fp, m->name, m->type, m->negated,
@@ -451,7 +575,10 @@ print_userspec_ldif(FILE *fp, struct userspec *us, struct cvtsudoers_config *con
print_cmndspec_ldif(fp, cs, &next, &priv->defaults); print_cmndspec_ldif(fp, cs, &next, &priv->defaults);
if (conf->sudo_order != 0) { if (conf->sudo_order != 0) {
fprintf(fp, "sudoOrder: %u\n\n", conf->sudo_order); char numbuf[(((sizeof(conf->sudo_order) * 8) + 2) / 3) + 2];
(void)snprintf(numbuf, sizeof(numbuf), "%u", conf->sudo_order);
print_attribute_ldif(fp, "sudoOrder", numbuf);
putc('\n', fp);
conf->sudo_order += conf->order_increment; conf->sudo_order += conf->order_increment;
} }
} }

16
plugins/sudoers/regress/cvtsudoers/test26.out.ok Normal file
View File

@@ -0,0 +1,16 @@
dn:: Y249ZGVmYXVsdHMsb3U9U1VET2Vyc8KpLGRjPXN1ZG8sZGM9d3M=
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption:: YmFkcGFzc19tZXNzYWdlPUJhZCBwYXNzd29yZMKh
dn:: Y249cm9vdCxvdT1TVURPZXJzwqksZGM9c3VkbyxkYz13cw==
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoHost: ALL
sudoCommand: ALL
sudoOrder: 1

11
plugins/sudoers/regress/cvtsudoers/test26.sh Executable file
View File

@@ -0,0 +1,11 @@
#!/bin/sh
#
# Test base64 encoding of non-safe strings
#
exec 2>&1
./cvtsudoers -c "" -b "ou=SUDOers©,dc=sudo,dc=ws" <<EOF
Defaults badpass_message="Bad password¡"
root ALL = ALL
EOF