o Add a "pedantic" flag to the parser. This makes sudo warn in cases

where an alias may be used before it is defined.  Only turned on for visudo
and testsudoers.
o Add --disable-authentication option that makes sudo not require
authentication by default.  The PASSWD tag can be used to require
authentication for an entry.  We no longer overload --without-passwd.
Todd C. Miller
1999-08-12 14:37:27 +00:00
parent f14dd25b01
commit 2386dc1b45
11 changed files with 608 additions and 501 deletions

12
INSTALL

@@ -380,9 +380,15 @@ Special features/options:
on some SysV-based OS's using STREAMS. on some SysV-based OS's using STREAMS.
--without-passwd --without-passwd
This option disables passwd/shadow file authentication. If This option authentication via the the passwd (or shadow) file.
no other authentication function is defined, sudo will not It should only be used when another, alternate, authentication
prompt for a password at all. scheme is in use.
--disable-authentication
By default, sudo requires the user to authenticate via a
password or similar means. This options causes sudo to
*not* require authentication. It is possible to turn
authentication back on in sudoers via the PASSWD attribute.
--disable-shadow --disable-shadow
Disable shadow password support. Normally, sudo will compile in shadow Disable shadow password support. Normally, sudo will compile in shadow


@@ -34,8 +34,6 @@
#include "config.h" #include "config.h"
#ifndef NO_PASSWD
#include <stdio.h> #include <stdio.h>
#ifdef STDC_HEADERS #ifdef STDC_HEADERS
#include <stdlib.h> #include <stdlib.h>
@@ -210,5 +208,3 @@ pass_warn(fp)
(void) fprintf(fp, "%s\n", INCORRECT_PASSWORD); (void) fprintf(fp, "%s\n", INCORRECT_PASSWORD);
#endif /* USE_INSULTS */ #endif /* USE_INSULTS */
} }
#endif /* NO_PASSWD */

13
check.c

@@ -74,7 +74,6 @@ static const char rcsid[] = "$Sudo$";
int user_is_exempt __P((void)); int user_is_exempt __P((void));
static void build_timestamp __P((char **, char **)); static void build_timestamp __P((char **, char **));
static int timestamp_status __P((char *, char *, char *, int)); static int timestamp_status __P((char *, char *, char *, int));
#ifndef NO_PASSWD
static char *expand_prompt __P((char *, char *, char *)); static char *expand_prompt __P((char *, char *, char *));
static void lecture __P((void)); static void lecture __P((void));
static void update_timestamp __P((char *, char *)); static void update_timestamp __P((char *, char *));
@@ -220,18 +219,6 @@ expand_prompt(old_prompt, user, host)
return(new_prompt); return(new_prompt);
} }
#else /* NO_PASSWD */
/*
* Stub function, just returns.
*/
void
check_user()
{
return;
}
#endif /* NO_PASSWD */
/* /*
* Checks if the user is exempt from supplying a password. * Checks if the user is exempt from supplying a password.
*/ */


@@ -362,11 +362,11 @@
/* Define if your struct sockadr has an sa_len field. */ /* Define if your struct sockadr has an sa_len field. */
#undef HAVE_SA_LEN #undef HAVE_SA_LEN
/* Define if you want to disable passwd/shadow file authentication. */ /* Define to avoid using the passwd/shadow file for authentication. */
#undef WITHOUT_PASSWD #undef WITHOUT_PASSWD
/* Define if you don't want sudo to prompt for a password at all. */ /* Define if you don't want sudo to prompt for a password by default. */
#undef NO_PASSWD #undef NO_AUTHENTICATION
/* Define to void if your C compiler fully groks void, else char */ /* Define to void if your C compiler fully groks void, else char */
#undef VOID #undef VOID

783
configure vendored

File diff suppressed because it is too large Load Diff


@@ -30,7 +30,7 @@ CPPFLAGS=""
AC_SUBST(CPPFLAGS)dnl AC_SUBST(CPPFLAGS)dnl
OSDEFS="" OSDEFS=""
AC_SUBST(OSDEFS)dnl AC_SUBST(OSDEFS)dnl
AUTH_OBJS="passwd.o" AUTH_OBJS=""
AC_SUBST(AUTH_OBJS)dnl AC_SUBST(AUTH_OBJS)dnl
LIBOBJS="" LIBOBJS=""
AC_SUBST(LIBOBJS)dnl AC_SUBST(LIBOBJS)dnl
@@ -141,16 +141,12 @@ AC_ARG_WITH(csops, [ --with-csops add CSOps standard options],
;; ;;
esac]) esac])
dnl AC_ARG_WITH(passwd, [ --without-passwd don't use passwd/shadow file for authentication],
dnl Must be the first thing to modify ${AUTH_OBJS}
dnl
AC_ARG_WITH(passwd, [ --without-passwd no passwd/shadow file authentication],
[case $with_passwd in [case $with_passwd in
yes) ;; yes) ;;
no) AC_DEFINE(WITHOUT_PASSWD) no) AC_DEFINE(WITHOUT_PASSWD)
AC_MSG_CHECKING(whether to check shadow/passwd file) AC_MSG_CHECKING(whether to use shadow/passwd file authentication)
AC_MSG_RESULT(no) AC_MSG_RESULT(no)
AUTH_OBJS=""
;; ;;
*) echo "Sorry, --with-passwd does not take an argument." *) echo "Sorry, --with-passwd does not take an argument."
exit 1 exit 1
@@ -219,6 +215,7 @@ AC_ARG_WITH(SecurID, [ --with-SecurID enable SecurID support],
*) AC_DEFINE(HAVE_SECURID) *) AC_DEFINE(HAVE_SECURID)
AC_MSG_CHECKING(whether to use SecurID for authentication) AC_MSG_CHECKING(whether to use SecurID for authentication)
AC_MSG_RESULT(yes) AC_MSG_RESULT(yes)
with_passwd=no
AUTH_OBJS="securid.o" AUTH_OBJS="securid.o"
;; ;;
esac]) esac])
@@ -228,6 +225,7 @@ AC_ARG_WITH(fwtk, [ --with-fwtk enable FWTK AuthSRV support],
yes) AC_DEFINE(HAVE_FWTK) yes) AC_DEFINE(HAVE_FWTK)
AC_MSG_CHECKING(whether to use FWTK AuthSRV for authentication) AC_MSG_CHECKING(whether to use FWTK AuthSRV for authentication)
AC_MSG_RESULT(yes) AC_MSG_RESULT(yes)
with_passwd=no
AUTH_OBJS="fwtk.o" AUTH_OBJS="fwtk.o"
;; ;;
no) ;; no) ;;
@@ -236,6 +234,7 @@ AC_ARG_WITH(fwtk, [ --with-fwtk enable FWTK AuthSRV support],
AC_MSG_RESULT(yes) AC_MSG_RESULT(yes)
SUDO_LDFLAGS="${SUDO_LDFLAGS} -L${with_fwtk}" SUDO_LDFLAGS="${SUDO_LDFLAGS} -L${with_fwtk}"
CPPFLAGS="${CPPFLAGS} -I${with_fwtk}" CPPFLAGS="${CPPFLAGS} -I${with_fwtk}"
with_passwd=no
AUTH_OBJS="fwtk.o" AUTH_OBJS="fwtk.o"
with_fwtk=yes with_fwtk=yes
;; ;;
@@ -268,6 +267,7 @@ AC_ARG_WITH(authenticate, [ --with-authenticate enable AIX general authenti
yes) AC_DEFINE(HAVE_AUTHENTICATE) yes) AC_DEFINE(HAVE_AUTHENTICATE)
AC_MSG_CHECKING(whether to use AIX general authentication) AC_MSG_CHECKING(whether to use AIX general authentication)
AC_MSG_RESULT(yes) AC_MSG_RESULT(yes)
with_passwd=no
AUTH_OBJS="authenticate.o" AUTH_OBJS="authenticate.o"
;; ;;
no) ;; no) ;;
@@ -281,6 +281,7 @@ AC_ARG_WITH(pam, [ --with-pam enable PAM support],
yes) AC_DEFINE(HAVE_PAM) yes) AC_DEFINE(HAVE_PAM)
AC_MSG_CHECKING(whether to use PAM authentication) AC_MSG_CHECKING(whether to use PAM authentication)
AC_MSG_RESULT(yes) AC_MSG_RESULT(yes)
with_passwd=no
AUTH_OBJS="pam.o" AUTH_OBJS="pam.o"
;; ;;
no) ;; no) ;;
@@ -846,6 +847,22 @@ dnl
dnl Options for --enable dnl Options for --enable
dnl dnl
AC_MSG_CHECKING(whether to do user authentication by default)
AC_ARG_ENABLE(authentication,
[ --disable-authentication
Do not require authentication by default],
[ case "$enableval" in
yes) AC_MSG_RESULT(yes)
;;
no) AC_MSG_RESULT(no)
AC_DEFINE(NO_AUTHENTICATION)
;;
*) AC_MSG_RESULT(no)
echo "Ignoring unknown argument to --enable-authentication: $enableval"
;;
esac
], AC_MSG_RESULT(yes))
AC_MSG_CHECKING(whether to disable shadow password support) AC_MSG_CHECKING(whether to disable shadow password support)
AC_ARG_ENABLE(shadow, AC_ARG_ENABLE(shadow,
[ --disable-shadow Never use shadow passwords], [ --disable-shadow Never use shadow passwords],
@@ -1169,7 +1186,6 @@ case "$host" in
fi fi
if test -n "$SECUREWARE"; then if test -n "$SECUREWARE"; then
AUTH_OBJS="${AUTH_OBJS} secureware.o"
AC_DEFINE(HAVE_GETPRPWNAM) AC_DEFINE(HAVE_GETPRPWNAM)
# 4.x and higher need -ldb too... # 4.x and higher need -ldb too...
AC_CHECK_LIB(db, dbopen, [SUDO_LIBS="${SUDO_LIBS} -lsecurity -ldb -laud -lm"; LIBS="${LIBS} -lsecurity -ldb -laud -lm"], [SUDO_LIBS="${SUDO_LIBS} -lsecurity -ldb -laud -lm"; LIBS="${LIBS} -lsecurity -ldb -laud -lm"]) AC_CHECK_LIB(db, dbopen, [SUDO_LIBS="${SUDO_LIBS} -lsecurity -ldb -laud -lm"; LIBS="${LIBS} -lsecurity -ldb -laud -lm"], [SUDO_LIBS="${SUDO_LIBS} -lsecurity -ldb -laud -lm"; LIBS="${LIBS} -lsecurity -ldb -laud -lm"])
@@ -1184,6 +1200,7 @@ case "$host" in
sed 's:<acl.h>:<sys/acl.h>:g' < /usr/include/prot.h > prot.h sed 's:<acl.h>:<sys/acl.h>:g' < /usr/include/prot.h > prot.h
]) ])
else else
with_passwd=no
AUTH_OBJS="sia.o" AUTH_OBJS="sia.o"
fi fi
;; ;;
@@ -1597,12 +1614,19 @@ SUDO_LOGFILE
SUDO_TIMEDIR SUDO_TIMEDIR
dnl dnl
dnl If ${AUTH_OBJS} is empty, define NO_PASSWD dnl Use passwd (and secureware) auth modules?
dnl The meaning of --without-passwd is overloaded...
dnl dnl
if test -z "$AUTH_OBJS"; then if test "$with_passwd" = "no"; then
AC_DEFINE(NO_PASSWD) AC_DEFINE(WITHOUT_PASSWD)
AC_MSG_WARN(no user authentication will be performed) if test -z "$AUTH_OBJS"; then
AC_MSG_ERROR([Error: no authentication methods defined.])
fi
else
if test -n "$SECUREWARE"; then
AUTH_OBJS="${AUTH_OBJS} passwd.o secureware.o"
else
AUTH_OBJS="${AUTH_OBJS} passwd.o"
fi
fi fi
dnl dnl
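Review bot: In the new `AC_ARG_ENABLE(authentication, ...)` block, the `*)` branch answers "whether to do user authentication by default" with `AC_MSG_RESULT(no)` but never defines `NO_AUTHENTICATION`, so for an unrecognised argument the configure log says authentication is off while the resulting binary still requires it. The build fails safe, but this log is what an administrator reads to confirm how a setuid binary was configured, so the message should match the outcome. Either report `AC_MSG_RESULT(yes)` in that branch, or stop the run as the `--with-passwd` handler does for a bad argument (`echo "Sorry, ..."` followed by `exit 1`).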


@@ -88,8 +88,14 @@ static const char rcsid[] = "$Sudo$";
*/ */
extern int sudolineno, parse_error; extern int sudolineno, parse_error;
int errorlineno = -1; int errorlineno = -1;
int clearaliases = 1; int clearaliases = TRUE;
int printmatches = FALSE; int printmatches = FALSE;
int pedantic = FALSE;
#ifdef NO_AUTHENTICATION
int pwdef = TRUE;
#else
int pwdef = -1;
#endif
/* /*
* Alias types * Alias types
@@ -115,7 +121,7 @@ int top = 0, stacksize = 0;
match[top].cmnd = -1; \ match[top].cmnd = -1; \
match[top].host = -1; \ match[top].host = -1; \
match[top].runas = -1; \ match[top].runas = -1; \
match[top].nopass = -1; \ match[top].nopass = pwdef; \
top++; \ top++; \
} }
@@ -226,14 +232,14 @@ yyerror(s)
%token <tok> CMNDALIAS /* Cmnd_Alias keyword */ %token <tok> CMNDALIAS /* Cmnd_Alias keyword */
%token <tok> USERALIAS /* User_Alias keyword */ %token <tok> USERALIAS /* User_Alias keyword */
%token <tok> RUNASALIAS /* Runas_Alias keyword */ %token <tok> RUNASALIAS /* Runas_Alias keyword */
%token <tok> ':' '=' ',' '!' '.' /* union member tokens */ %token <tok> ':' '=' ',' '!' /* union member tokens */
%token <tok> ERROR %token <tok> ERROR
/* /*
* NOTE: these are not true booleans as there are actually 3 possible values: * NOTE: these are not true booleans as there are actually 3 possible values:
* 1) TRUE (item matched and user is allowed) * 1) TRUE (positive match)
* 0) FALSE (item matched and user is *not* allowed because of '!') * 0) FALSE (negative match due to a '!' somewhere)
* -1) No change (don't change the value of *_matches) * -1) No match (don't change the value of *_matches)
*/ */
%type <BOOLEAN> cmnd %type <BOOLEAN> cmnd
%type <BOOLEAN> hostspec %type <BOOLEAN> hostspec
@@ -277,7 +283,7 @@ privilege : hostlist '=' cmndspeclist {
*/ */
host_matches = -1; host_matches = -1;
runas_matches = -1; runas_matches = -1;
no_passwd = -1; no_passwd = pwdef;
} }
; ;
@@ -330,8 +336,12 @@ hostspec : ALL {
$$ = aip->val; $$ = aip->val;
else if (strcasecmp(user_shost, $1) == 0) else if (strcasecmp(user_shost, $1) == 0)
$$ = TRUE; $$ = TRUE;
else else {
if (pedantic)
(void) fprintf(stderr,
"Warning: undeclared Host_Alias `%s' referenced near line %d\n", $1, sudolineno);
$$ = -1; $$ = -1;
}
free($1); free($1);
} }
; ;
@@ -476,8 +486,12 @@ runasuser : NAME {
$$ = aip->val; $$ = aip->val;
else if (strcmp($1, user_runas) == 0) else if (strcmp($1, user_runas) == 0)
$$ = TRUE; $$ = TRUE;
else else {
if (pedantic)
(void) fprintf(stderr,
"Warning: undeclared Runas_Alias `%s' referenced near line %d\n", $1, sudolineno);
$$ = -1; $$ = -1;
}
free($1); free($1);
} }
| ALL { | ALL {
@@ -550,8 +564,12 @@ cmnd : ALL {
if ((aip = find_alias($1, CMND_ALIAS))) if ((aip = find_alias($1, CMND_ALIAS)))
$$ = aip->val; $$ = aip->val;
else else {
if (pedantic)
(void) fprintf(stderr,
"Warning: undeclared Cmnd_Alias `%s' referenced near line %d", $1, sudolineno);
$$ = -1; $$ = -1;
}
free($1); free($1);
} }
| COMMAND { | COMMAND {
@@ -705,8 +723,12 @@ user : NAME {
$$ = aip->val; $$ = aip->val;
else if (strcmp($1, user_name) == 0) else if (strcmp($1, user_name) == 0)
$$ = TRUE; $$ = TRUE;
else else {
if (pedantic)
(void) fprintf(stderr,
"Warning: undeclared User_Alias `%s' referenced near line %d\n", $1, sudolineno);
$$ = -1; $$ = -1;
}
free($1); free($1);
} }
| ALL { | ALL {
@@ -897,8 +919,10 @@ list_matches()
} }
/* Is a password required? */ /* Is a password required? */
if (cm_list[i].nopasswd == TRUE) if (cm_list[i].nopasswd == TRUE && pwdef != TRUE)
(void) fputs("NOPASSWD: ", stdout); (void) fputs("NOPASSWD: ", stdout);
else if (cm_list[i].nopasswd == FALSE && pwdef == TRUE)
(void) fputs("PASSWD: ", stdout);
/* Print the actual command or expanded Cmnd_Alias. */ /* Print the actual command or expanded Cmnd_Alias. */
key.alias = cm_list[i].cmnd; key.alias = cm_list[i].cmnd;
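Review bot: The Cmnd_Alias warning added in the `cmnd` rule has no trailing newline, unlike the Host_Alias, Runas_Alias and User_Alias warnings, so its text runs into whatever is written to stderr next; the format string should end in `%d\n`. The generated sudo.tab.c in this commit carries the same string and needs regenerating after the fix. Separately, the host, runas and user warnings fire whenever the name is neither a defined alias nor the current host or user name, so they presumably also flag a literal name that was never meant as an alias; a short comment at the `if (pedantic)` sites saying the warning is advisory would help anyone reading visudo output.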


@@ -106,8 +106,14 @@ static const char rcsid[] = "$Sudo$";
*/ */
extern int sudolineno, parse_error; extern int sudolineno, parse_error;
int errorlineno = -1; int errorlineno = -1;
int clearaliases = 1; int clearaliases = TRUE;
int printmatches = FALSE; int printmatches = FALSE;
int pedantic = FALSE;
#ifdef NO_AUTHENTICATION
int pwdef = TRUE;
#else
int pwdef = -1;
#endif
/* /*
* Alias types * Alias types
@@ -133,7 +139,7 @@ int top = 0, stacksize = 0;
match[top].cmnd = -1; \ match[top].cmnd = -1; \
match[top].host = -1; \ match[top].host = -1; \
match[top].runas = -1; \ match[top].runas = -1; \
match[top].nopass = -1; \ match[top].nopass = pwdef; \
top++; \ top++; \
} }
@@ -216,14 +222,14 @@ yyerror(s)
#endif #endif
parse_error = TRUE; parse_error = TRUE;
} }
#line 203 "parse.yacc" #line 209 "parse.yacc"
typedef union { typedef union {
char *string; char *string;
int BOOLEAN; int BOOLEAN;
struct sudo_command command; struct sudo_command command;
int tok; int tok;
} YYSTYPE; } YYSTYPE;
#line 227 "sudo.tab.c" #line 233 "sudo.tab.c"
#define ALIAS 257 #define ALIAS 257
#define NTWKADDR 258 #define NTWKADDR 258
#define FQHOST 259 #define FQHOST 259
@@ -530,7 +536,7 @@ short *yyss;
short *yysslim; short *yysslim;
YYSTYPE *yyvs; YYSTYPE *yyvs;
int yystacksize; int yystacksize;
#line 719 "parse.yacc" #line 741 "parse.yacc"
#define MOREALIASES (32) #define MOREALIASES (32)
aliasinfo *aliases = NULL; aliasinfo *aliases = NULL;
@@ -712,8 +718,10 @@ list_matches()
} }
/* Is a password required? */ /* Is a password required? */
if (cm_list[i].nopasswd == TRUE) if (cm_list[i].nopasswd == TRUE && pwdef != TRUE)
(void) fputs("NOPASSWD: ", stdout); (void) fputs("NOPASSWD: ", stdout);
else if (cm_list[i].nopasswd == FALSE && pwdef == TRUE)
(void) fputs("PASSWD: ", stdout);
/* Print the actual command or expanded Cmnd_Alias. */ /* Print the actual command or expanded Cmnd_Alias. */
key.alias = cm_list[i].cmnd; key.alias = cm_list[i].cmnd;
@@ -869,7 +877,7 @@ init_parser()
if (printmatches == TRUE) if (printmatches == TRUE)
expand_match_list(); expand_match_list();
} }
#line 873 "sudo.tab.c" #line 881 "sudo.tab.c"
/* allocate initial stack or double stack size, up to YYMAXDEPTH */ /* allocate initial stack or double stack size, up to YYMAXDEPTH */
#if defined(__cplusplus) || __STDC__ #if defined(__cplusplus) || __STDC__
static int yygrowstack(void) static int yygrowstack(void)
@@ -1050,42 +1058,42 @@ yyreduce:
switch (yyn) switch (yyn)
{ {
case 3: case 3:
#line 250 "parse.yacc" #line 256 "parse.yacc"
{ ; } { ; }
break; break;
case 4: case 4:
#line 252 "parse.yacc" #line 258 "parse.yacc"
{ yyerrok; } { yyerrok; }
break; break;
case 5: case 5:
#line 253 "parse.yacc" #line 259 "parse.yacc"
{ push; } { push; }
break; break;
case 6: case 6:
#line 253 "parse.yacc" #line 259 "parse.yacc"
{ {
while (top && user_matches != TRUE) while (top && user_matches != TRUE)
pop; pop;
} }
break; break;
case 7: case 7:
#line 258 "parse.yacc"
{ ; }
break;
case 8:
#line 260 "parse.yacc"
{ ; }
break;
case 9:
#line 262 "parse.yacc"
{ ; }
break;
case 10:
#line 264 "parse.yacc" #line 264 "parse.yacc"
{ ; } { ; }
break; break;
case 8:
#line 266 "parse.yacc"
{ ; }
break;
case 9:
#line 268 "parse.yacc"
{ ; }
break;
case 10:
#line 270 "parse.yacc"
{ ; }
break;
case 13: case 13:
#line 272 "parse.yacc" #line 278 "parse.yacc"
{ {
/* /*
* We already did a push if necessary in * We already did a push if necessary in
@@ -1094,32 +1102,32 @@ case 13:
*/ */
host_matches = -1; host_matches = -1;
runas_matches = -1; runas_matches = -1;
no_passwd = -1; no_passwd = pwdef;
} }
break; break;
case 14: case 14:
#line 284 "parse.yacc" #line 290 "parse.yacc"
{ {
if (yyvsp[0].BOOLEAN != -1) if (yyvsp[0].BOOLEAN != -1)
host_matches = yyvsp[0].BOOLEAN; host_matches = yyvsp[0].BOOLEAN;
} }
break; break;
case 15: case 15:
#line 288 "parse.yacc" #line 294 "parse.yacc"
{ {
if (yyvsp[0].BOOLEAN != -1) if (yyvsp[0].BOOLEAN != -1)
host_matches = !yyvsp[0].BOOLEAN; host_matches = !yyvsp[0].BOOLEAN;
} }
break; break;
case 16: case 16:
#line 293 "parse.yacc" #line 299 "parse.yacc"
{ {
yyval.BOOLEAN = TRUE; yyval.BOOLEAN = TRUE;
free(yyvsp[0].string); free(yyvsp[0].string);
} }
break; break;
case 17: case 17:
#line 297 "parse.yacc" #line 303 "parse.yacc"
{ {
if (addr_matches(yyvsp[0].string)) if (addr_matches(yyvsp[0].string))
yyval.BOOLEAN = TRUE; yyval.BOOLEAN = TRUE;
@@ -1129,7 +1137,7 @@ case 17:
} }
break; break;
case 18: case 18:
#line 304 "parse.yacc" #line 310 "parse.yacc"
{ {
if (netgr_matches(yyvsp[0].string, user_host, NULL)) if (netgr_matches(yyvsp[0].string, user_host, NULL))
yyval.BOOLEAN = TRUE; yyval.BOOLEAN = TRUE;
@@ -1139,7 +1147,7 @@ case 18:
} }
break; break;
case 19: case 19:
#line 311 "parse.yacc" #line 317 "parse.yacc"
{ {
if (strcasecmp(user_shost, yyvsp[0].string) == 0) if (strcasecmp(user_shost, yyvsp[0].string) == 0)
yyval.BOOLEAN = TRUE; yyval.BOOLEAN = TRUE;
@@ -1149,7 +1157,7 @@ case 19:
} }
break; break;
case 20: case 20:
#line 318 "parse.yacc" #line 324 "parse.yacc"
{ {
if (strcasecmp(user_host, yyvsp[0].string) == 0) if (strcasecmp(user_host, yyvsp[0].string) == 0)
yyval.BOOLEAN = TRUE; yyval.BOOLEAN = TRUE;
@@ -1159,7 +1167,7 @@ case 20:
} }
break; break;
case 21: case 21:
#line 325 "parse.yacc" #line 331 "parse.yacc"
{ {
aliasinfo *aip = find_alias(yyvsp[0].string, HOST_ALIAS); aliasinfo *aip = find_alias(yyvsp[0].string, HOST_ALIAS);
@@ -1168,13 +1176,17 @@ case 21:
yyval.BOOLEAN = aip->val; yyval.BOOLEAN = aip->val;
else if (strcasecmp(user_shost, yyvsp[0].string) == 0) else if (strcasecmp(user_shost, yyvsp[0].string) == 0)
yyval.BOOLEAN = TRUE; yyval.BOOLEAN = TRUE;
else else {
if (pedantic)
(void) fprintf(stderr,
"Warning: undeclared Host_Alias `%s' referenced near line %d\n", yyvsp[0].string, sudolineno);
yyval.BOOLEAN = -1; yyval.BOOLEAN = -1;
}
free(yyvsp[0].string); free(yyvsp[0].string);
} }
break; break;
case 24: case 24:
#line 343 "parse.yacc" #line 353 "parse.yacc"
{ {
/* /*
* Push the entry onto the stack if it is worth * Push the entry onto the stack if it is worth
@@ -1189,14 +1201,14 @@ case 24:
} }
break; break;
case 25: case 25:
#line 357 "parse.yacc" #line 367 "parse.yacc"
{ {
if (yyvsp[0].BOOLEAN != -1) if (yyvsp[0].BOOLEAN != -1)
cmnd_matches = yyvsp[0].BOOLEAN; cmnd_matches = yyvsp[0].BOOLEAN;
} }
break; break;
case 26: case 26:
#line 361 "parse.yacc" #line 371 "parse.yacc"
{ {
if (printmatches == TRUE) { if (printmatches == TRUE) {
if (in_alias == TRUE) if (in_alias == TRUE)
@@ -1208,14 +1220,14 @@ case 26:
} }
break; break;
case 27: case 27:
#line 369 "parse.yacc" #line 379 "parse.yacc"
{ {
if (yyvsp[0].BOOLEAN != -1) if (yyvsp[0].BOOLEAN != -1)
cmnd_matches = !yyvsp[0].BOOLEAN; cmnd_matches = !yyvsp[0].BOOLEAN;
} }
break; break;
case 28: case 28:
#line 375 "parse.yacc" #line 385 "parse.yacc"
{ {
if (printmatches == TRUE && host_matches == TRUE && if (printmatches == TRUE && host_matches == TRUE &&
user_matches == TRUE) { user_matches == TRUE) {
@@ -1241,18 +1253,18 @@ case 28:
} }
break; break;
case 29: case 29:
#line 398 "parse.yacc" #line 408 "parse.yacc"
{ ; } { ; }
break; break;
case 32: case 32:
#line 405 "parse.yacc" #line 415 "parse.yacc"
{ {
if (yyvsp[0].BOOLEAN != -1) if (yyvsp[0].BOOLEAN != -1)
runas_matches = yyvsp[0].BOOLEAN; runas_matches = yyvsp[0].BOOLEAN;
} }
break; break;
case 33: case 33:
#line 409 "parse.yacc" #line 419 "parse.yacc"
{ {
if (printmatches == TRUE) { if (printmatches == TRUE) {
if (in_alias == TRUE) if (in_alias == TRUE)
@@ -1264,14 +1276,14 @@ case 33:
} }
break; break;
case 34: case 34:
#line 417 "parse.yacc" #line 427 "parse.yacc"
{ {
if (yyvsp[0].BOOLEAN != -1) if (yyvsp[0].BOOLEAN != -1)
runas_matches = !yyvsp[0].BOOLEAN; runas_matches = !yyvsp[0].BOOLEAN;
} }
break; break;
case 35: case 35:
#line 422 "parse.yacc" #line 432 "parse.yacc"
{ {
if (printmatches == TRUE) { if (printmatches == TRUE) {
if (in_alias == TRUE) if (in_alias == TRUE)
@@ -1288,7 +1300,7 @@ case 35:
} }
break; break;
case 36: case 36:
#line 436 "parse.yacc" #line 446 "parse.yacc"
{ {
if (printmatches == TRUE) { if (printmatches == TRUE) {
if (in_alias == TRUE) if (in_alias == TRUE)
@@ -1305,7 +1317,7 @@ case 36:
} }
break; break;
case 37: case 37:
#line 450 "parse.yacc" #line 460 "parse.yacc"
{ {
if (printmatches == TRUE) { if (printmatches == TRUE) {
if (in_alias == TRUE) if (in_alias == TRUE)
@@ -1322,7 +1334,7 @@ case 37:
} }
break; break;
case 38: case 38:
#line 464 "parse.yacc" #line 474 "parse.yacc"
{ {
aliasinfo *aip = find_alias(yyvsp[0].string, RUNAS_ALIAS); aliasinfo *aip = find_alias(yyvsp[0].string, RUNAS_ALIAS);
@@ -1338,13 +1350,17 @@ case 38:
yyval.BOOLEAN = aip->val; yyval.BOOLEAN = aip->val;
else if (strcmp(yyvsp[0].string, user_runas) == 0) else if (strcmp(yyvsp[0].string, user_runas) == 0)
yyval.BOOLEAN = TRUE; yyval.BOOLEAN = TRUE;
else else {
if (pedantic)
(void) fprintf(stderr,
"Warning: undeclared Runas_Alias `%s' referenced near line %d\n", yyvsp[0].string, sudolineno);
yyval.BOOLEAN = -1; yyval.BOOLEAN = -1;
}
free(yyvsp[0].string); free(yyvsp[0].string);
} }
break; break;
case 39: case 39:
#line 483 "parse.yacc" #line 497 "parse.yacc"
{ {
if (printmatches == TRUE) { if (printmatches == TRUE) {
if (in_alias == TRUE) if (in_alias == TRUE)
@@ -1358,7 +1374,7 @@ case 39:
} }
break; break;
case 40: case 40:
#line 496 "parse.yacc" #line 510 "parse.yacc"
{ {
/* Inherit NOPASSWD/PASSWD status. */ /* Inherit NOPASSWD/PASSWD status. */
if (printmatches == TRUE && host_matches == TRUE && if (printmatches == TRUE && host_matches == TRUE &&
@@ -1371,7 +1387,7 @@ case 40:
} }
break; break;
case 41: case 41:
#line 506 "parse.yacc" #line 520 "parse.yacc"
{ {
no_passwd = TRUE; no_passwd = TRUE;
if (printmatches == TRUE && host_matches == TRUE && if (printmatches == TRUE && host_matches == TRUE &&
@@ -1380,7 +1396,7 @@ case 41:
} }
break; break;
case 42: case 42:
#line 512 "parse.yacc" #line 526 "parse.yacc"
{ {
no_passwd = FALSE; no_passwd = FALSE;
if (printmatches == TRUE && host_matches == TRUE && if (printmatches == TRUE && host_matches == TRUE &&
@@ -1389,7 +1405,7 @@ case 42:
} }
break; break;
case 43: case 43:
#line 520 "parse.yacc" #line 534 "parse.yacc"
{ {
if (printmatches == TRUE) { if (printmatches == TRUE) {
if (in_alias == TRUE) if (in_alias == TRUE)
@@ -1410,7 +1426,7 @@ case 43:
} }
break; break;
case 44: case 44:
#line 538 "parse.yacc" #line 552 "parse.yacc"
{ {
aliasinfo *aip; aliasinfo *aip;
@@ -1426,13 +1442,17 @@ case 44:
if ((aip = find_alias(yyvsp[0].string, CMND_ALIAS))) if ((aip = find_alias(yyvsp[0].string, CMND_ALIAS)))
yyval.BOOLEAN = aip->val; yyval.BOOLEAN = aip->val;
else else {
if (pedantic)
(void) fprintf(stderr,
"Warning: undeclared Cmnd_Alias `%s' referenced near line %d", yyvsp[0].string, sudolineno);
yyval.BOOLEAN = -1; yyval.BOOLEAN = -1;
}
free(yyvsp[0].string); free(yyvsp[0].string);
} }
break; break;
case 45: case 45:
#line 557 "parse.yacc" #line 575 "parse.yacc"
{ {
if (printmatches == TRUE) { if (printmatches == TRUE) {
if (in_alias == TRUE) { if (in_alias == TRUE) {
@@ -1461,11 +1481,11 @@ case 45:
} }
break; break;
case 48: case 48:
#line 589 "parse.yacc" #line 607 "parse.yacc"
{ push; } { push; }
break; break;
case 49: case 49:
#line 589 "parse.yacc" #line 607 "parse.yacc"
{ {
if (host_matches != -1 && if (host_matches != -1 &&
!add_alias(yyvsp[-3].string, HOST_ALIAS, host_matches)) !add_alias(yyvsp[-3].string, HOST_ALIAS, host_matches))
@@ -1474,7 +1494,7 @@ case 49:
} }
break; break;
case 54: case 54:
#line 605 "parse.yacc" #line 623 "parse.yacc"
{ {
push; push;
if (printmatches == TRUE) { if (printmatches == TRUE) {
@@ -1486,7 +1506,7 @@ case 54:
} }
break; break;
case 55: case 55:
#line 613 "parse.yacc" #line 631 "parse.yacc"
{ {
if (cmnd_matches != -1 && if (cmnd_matches != -1 &&
!add_alias(yyvsp[-3].string, CMND_ALIAS, cmnd_matches)) !add_alias(yyvsp[-3].string, CMND_ALIAS, cmnd_matches))
@@ -1499,11 +1519,11 @@ case 55:
} }
break; break;
case 56: case 56:
#line 625 "parse.yacc" #line 643 "parse.yacc"
{ ; } { ; }
break; break;
case 60: case 60:
#line 633 "parse.yacc" #line 651 "parse.yacc"
{ {
push; push;
if (printmatches == TRUE) { if (printmatches == TRUE) {
@@ -1515,7 +1535,7 @@ case 60:
} }
break; break;
case 61: case 61:
#line 641 "parse.yacc" #line 659 "parse.yacc"
{ {
if (runas_matches != -1 && if (runas_matches != -1 &&
!add_alias(yyvsp[-3].string, RUNAS_ALIAS, runas_matches)) !add_alias(yyvsp[-3].string, RUNAS_ALIAS, runas_matches))
@@ -1528,11 +1548,11 @@ case 61:
} }
break; break;
case 64: case 64:
#line 657 "parse.yacc" #line 675 "parse.yacc"
{ push; } { push; }
break; break;
case 65: case 65:
#line 657 "parse.yacc" #line 675 "parse.yacc"
{ {
if (user_matches != -1 && if (user_matches != -1 &&
!add_alias(yyvsp[-3].string, USER_ALIAS, user_matches)) !add_alias(yyvsp[-3].string, USER_ALIAS, user_matches))
@@ -1542,25 +1562,25 @@ case 65:
} }
break; break;
case 66: case 66:
#line 666 "parse.yacc" #line 684 "parse.yacc"
{ ; } { ; }
break; break;
case 68: case 68:
#line 670 "parse.yacc" #line 688 "parse.yacc"
{ {
if (yyvsp[0].BOOLEAN != -1) if (yyvsp[0].BOOLEAN != -1)
user_matches = yyvsp[0].BOOLEAN; user_matches = yyvsp[0].BOOLEAN;
} }
break; break;
case 69: case 69:
#line 674 "parse.yacc" #line 692 "parse.yacc"
{ {
if (yyvsp[0].BOOLEAN != -1) if (yyvsp[0].BOOLEAN != -1)
user_matches = !yyvsp[0].BOOLEAN; user_matches = !yyvsp[0].BOOLEAN;
} }
break; break;
case 70: case 70:
#line 679 "parse.yacc" #line 697 "parse.yacc"
{ {
if (strcmp(yyvsp[0].string, user_name) == 0) if (strcmp(yyvsp[0].string, user_name) == 0)
yyval.BOOLEAN = TRUE; yyval.BOOLEAN = TRUE;
@@ -1570,7 +1590,7 @@ case 70:
} }
break; break;
case 71: case 71:
#line 686 "parse.yacc" #line 704 "parse.yacc"
{ {
if (usergr_matches(yyvsp[0].string, user_name)) if (usergr_matches(yyvsp[0].string, user_name))
yyval.BOOLEAN = TRUE; yyval.BOOLEAN = TRUE;
@@ -1580,7 +1600,7 @@ case 71:
} }
break; break;
case 72: case 72:
#line 693 "parse.yacc" #line 711 "parse.yacc"
{ {
if (netgr_matches(yyvsp[0].string, NULL, user_name)) if (netgr_matches(yyvsp[0].string, NULL, user_name))
yyval.BOOLEAN = TRUE; yyval.BOOLEAN = TRUE;
@@ -1590,7 +1610,7 @@ case 72:
} }
break; break;
case 73: case 73:
#line 700 "parse.yacc" #line 718 "parse.yacc"
{ {
aliasinfo *aip = find_alias(yyvsp[0].string, USER_ALIAS); aliasinfo *aip = find_alias(yyvsp[0].string, USER_ALIAS);
@@ -1599,19 +1619,23 @@ case 73:
yyval.BOOLEAN = aip->val; yyval.BOOLEAN = aip->val;
else if (strcmp(yyvsp[0].string, user_name) == 0) else if (strcmp(yyvsp[0].string, user_name) == 0)
yyval.BOOLEAN = TRUE; yyval.BOOLEAN = TRUE;
else else {
if (pedantic)
(void) fprintf(stderr,
"Warning: undeclared User_Alias `%s' referenced near line %d\n", yyvsp[0].string, sudolineno);
yyval.BOOLEAN = -1; yyval.BOOLEAN = -1;
}
free(yyvsp[0].string); free(yyvsp[0].string);
} }
break; break;
case 74: case 74:
#line 712 "parse.yacc" #line 734 "parse.yacc"
{ {
yyval.BOOLEAN = TRUE; yyval.BOOLEAN = TRUE;
free(yyvsp[0].string); free(yyvsp[0].string);
} }
break; break;
#line 1615 "sudo.tab.c" #line 1639 "sudo.tab.c"
} }
yyssp -= yym; yyssp -= yym;
yystate = *yyssp; yystate = *yyssp;


@@ -90,6 +90,7 @@ int num_interfaces;
struct interface *interfaces; struct interface *interfaces;
struct sudo_user sudo_user; struct sudo_user sudo_user;
extern int clearaliases; extern int clearaliases;
extern int pedantic;
/* /*
* Prototypes for external functions * Prototypes for external functions
@@ -339,8 +340,11 @@ main(argc, argv)
} }
} }
/* Warn about aliases that are used before being defined. */
pedantic = TRUE;
/* Need to keep aliases around for dumpaliases(). */ /* Need to keep aliases around for dumpaliases(). */
clearaliases = 0; clearaliases = FALSE;
/* Load ip addr/mask for each interface. */ /* Load ip addr/mask for each interface. */
load_interfaces(); load_interfaces();


@@ -85,16 +85,16 @@ print_version()
_PATH_SUDOERS, SUDOERS_MODE, SUDOERS_UID, SUDOERS_GID); _PATH_SUDOERS, SUDOERS_MODE, SUDOERS_UID, SUDOERS_GID);
(void) printf("Sudoers temp file: %s\n", _PATH_SUDOERS_TMP); (void) printf("Sudoers temp file: %s\n", _PATH_SUDOERS_TMP);
#ifdef WITHOUT_PASSWD #ifdef NO_AUTHENTICATION
(void) puts("No Authentication configured\n"); (void) puts("No Authentication required by default.\n");
#else #endif
(void) fputs("Authentication methods:", stdout); (void) fputs("Authentication methods:", stdout);
for (auth = auth_switch; auth->name; auth++) { for (auth = auth_switch; auth->name; auth++) {
(void) putchar(' '); (void) putchar(' ');
(void) fputs(auth->name, stdout); (void) fputs(auth->name, stdout);
} }
(void) putchar('\n'); (void) putchar('\n');
#endif
(void) fputs("Logging:\n", stdout); (void) fputs("Logging:\n", stdout);
#if (LOGGING & SLOG_SYSLOG) #if (LOGGING & SLOG_SYSLOG)
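Review bot: `puts()` already appends a newline, so the `"\n"` inside the new `NO_AUTHENTICATION` message prints an extra blank line ahead of "Authentication methods:" in the version output; `(void) puts("No Authentication required by default.");` keeps the listing contiguous. Since this output is how an administrator checks that a build skips authentication by default, it is worth keeping the line directly attached to the methods list that follows. print_version's body starts and ends outside the hunk.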


@@ -102,6 +102,7 @@ void init_parser __P((void));
*/ */
extern FILE *yyin, *yyout; extern FILE *yyin, *yyout;
extern int errorlineno; extern int errorlineno;
extern int pedantic;
/* /*
* Globals * Globals
@@ -128,7 +129,6 @@ main(argc, argv)
time_t now; /* time now */ time_t now; /* time now */
struct stat stmp_sb, sudoers_sb; /* to check for changes */ struct stat stmp_sb, sudoers_sb; /* to check for changes */
/* /*
* Parse command line options * Parse command line options
*/ */
@@ -157,6 +157,9 @@ main(argc, argv)
exit(1); exit(1);
} }
/* Warn about aliases that are used before being defined. */
pedantic = TRUE;
#ifdef ENV_EDITOR #ifdef ENV_EDITOR
/* /*
* If we are allowing EDITOR and VISUAL envariables set Editor * If we are allowing EDITOR and VISUAL envariables set Editor