Add a sudoers_context struct that embeds the user and runas structs.

Todd C. Miller
2023-08-20 16:27:08 -06:00
parent 1b9fb405a3
commit 2d2529a15e
36 changed files with 920 additions and 912 deletions


@@ -120,7 +120,7 @@ sudoers_policy_deserialize_info(void *v, struct defaults_list *defaults)
} \
} while (0)
if (sudo_gettime_real(&user_ctx.submit_time) == -1) {
if (sudo_gettime_real(&ctx.user.submit_time) == -1) {
sudo_warn("%s", U_("unable to get time of day"));
goto bad;
}
@@ -184,15 +184,15 @@ sudoers_policy_deserialize_info(void *v, struct defaults_list *defaults)
sudoers_conf.sudoers_path = path_sudoers;
/* Parse command line settings. */
user_ctx.flags = 0;
user_ctx.closefrom = -1;
ctx.settings.flags = 0;
ctx.user.closefrom = -1;
sudoedit_nfiles = 0;
sudo_mode = 0;
for (cur = info->settings; *cur != NULL; cur++) {
if (MATCHES(*cur, "closefrom=")) {
p = *cur + sizeof("closefrom=") - 1;
user_ctx.closefrom = (int)sudo_strtonum(p, 3, INT_MAX, &errstr);
if (user_ctx.closefrom == 0) {
ctx.user.closefrom = (int)sudo_strtonum(p, 3, INT_MAX, &errstr);
if (ctx.user.closefrom == 0) {
sudo_warnx(U_("%s: %s"), *cur, U_(errstr));
goto bad;
}
@@ -200,8 +200,8 @@ sudoers_policy_deserialize_info(void *v, struct defaults_list *defaults)
}
if (MATCHES(*cur, "cmnd_chroot=")) {
CHECK(*cur, "cmnd_chroot=");
runas_ctx.chroot = *cur + sizeof("cmnd_chroot=") - 1;
if (strlen(runas_ctx.chroot) >= PATH_MAX) {
ctx.runas.chroot = *cur + sizeof("cmnd_chroot=") - 1;
if (strlen(ctx.runas.chroot) >= PATH_MAX) {
sudo_warnx(U_("path name for \"%s\" too long"), "cmnd_chroot");
goto bad;
}
@@ -209,8 +209,8 @@ sudoers_policy_deserialize_info(void *v, struct defaults_list *defaults)
}
if (MATCHES(*cur, "cmnd_cwd=")) {
CHECK(*cur, "cmnd_cwd=");
runas_ctx.cwd = *cur + sizeof("cmnd_cwd=") - 1;
if (strlen(runas_ctx.cwd) >= PATH_MAX) {
ctx.runas.cwd = *cur + sizeof("cmnd_cwd=") - 1;
if (strlen(ctx.runas.cwd) >= PATH_MAX) {
sudo_warnx(U_("path name for \"%s\" too long"), "cmnd_cwd");
goto bad;
}
@@ -218,19 +218,19 @@ sudoers_policy_deserialize_info(void *v, struct defaults_list *defaults)
}
if (MATCHES(*cur, "runas_user=")) {
CHECK(*cur, "runas_user=");
runas_ctx.user = *cur + sizeof("runas_user=") - 1;
SET(runas_ctx.flags, RUNAS_USER_SPECIFIED);
ctx.runas.user = *cur + sizeof("runas_user=") - 1;
SET(ctx.settings.flags, RUNAS_USER_SPECIFIED);
continue;
}
if (MATCHES(*cur, "runas_group=")) {
CHECK(*cur, "runas_group=");
runas_ctx.group = *cur + sizeof("runas_group=") - 1;
SET(runas_ctx.flags, RUNAS_GROUP_SPECIFIED);
ctx.runas.group = *cur + sizeof("runas_group=") - 1;
SET(ctx.settings.flags, RUNAS_GROUP_SPECIFIED);
continue;
}
if (MATCHES(*cur, "prompt=")) {
/* Allow epmpty prompt. */
user_ctx.prompt = *cur + sizeof("prompt=") - 1;
ctx.user.prompt = *cur + sizeof("prompt=") - 1;
if (!append_default("passprompt_override", NULL, true, NULL, defaults))
goto oom;
continue;
@@ -297,19 +297,19 @@ sudoers_policy_deserialize_info(void *v, struct defaults_list *defaults)
}
if (MATCHES(*cur, "login_class=")) {
CHECK(*cur, "login_class=");
runas_ctx.class = *cur + sizeof("login_class=") - 1;
ctx.runas.class = *cur + sizeof("login_class=") - 1;
if (!append_default("use_loginclass", NULL, true, NULL, defaults))
goto oom;
continue;
}
if (MATCHES(*cur, "intercept_ptrace=")) {
if (parse_bool(*cur, sizeof("intercept_ptrace") - 1, &user_ctx.flags,
if (parse_bool(*cur, sizeof("intercept_ptrace") - 1, &ctx.settings.flags,
HAVE_INTERCEPT_PTRACE) == -1)
goto bad;
continue;
}
if (MATCHES(*cur, "intercept_setid=")) {
if (parse_bool(*cur, sizeof("intercept_setid") - 1, &user_ctx.flags,
if (parse_bool(*cur, sizeof("intercept_setid") - 1, &ctx.settings.flags,
CAN_INTERCEPT_SETID) == -1)
goto bad;
continue;
@@ -317,17 +317,17 @@ sudoers_policy_deserialize_info(void *v, struct defaults_list *defaults)
#ifdef HAVE_SELINUX
if (MATCHES(*cur, "selinux_role=")) {
CHECK(*cur, "selinux_role=");
free(runas_ctx.role);
runas_ctx.role = strdup(*cur + sizeof("selinux_role=") - 1);
if (runas_ctx.role == NULL)
free(ctx.runas.role);
ctx.runas.role = strdup(*cur + sizeof("selinux_role=") - 1);
if (ctx.runas.role == NULL)
goto oom;
continue;
}
if (MATCHES(*cur, "selinux_type=")) {
CHECK(*cur, "selinux_type=");
free(runas_ctx.type);
runas_ctx.type = strdup(*cur + sizeof("selinux_type=") - 1);
if (runas_ctx.type == NULL)
free(ctx.runas.type);
ctx.runas.type = strdup(*cur + sizeof("selinux_type=") - 1);
if (ctx.runas.type == NULL)
goto oom;
continue;
}
@@ -335,9 +335,9 @@ sudoers_policy_deserialize_info(void *v, struct defaults_list *defaults)
#ifdef HAVE_APPARMOR
if (MATCHES(*cur, "apparmor_profile=")) {
CHECK(*cur, "apparmor_profile=");
free(runas_ctx.apparmor_profile);
runas_ctx.apparmor_profile = strdup(*cur + sizeof("apparmor_profile=") - 1);
if (runas_ctx.apparmor_profile == NULL)
free(ctx.runas.apparmor_profile);
ctx.runas.apparmor_profile = strdup(*cur + sizeof("apparmor_profile=") - 1);
if (ctx.runas.apparmor_profile == NULL)
goto oom;
continue;
}
@@ -376,8 +376,8 @@ sudoers_policy_deserialize_info(void *v, struct defaults_list *defaults)
}
if (MATCHES(*cur, "timeout=")) {
p = *cur + sizeof("timeout=") - 1;
user_ctx.timeout = parse_timeout(p);
if (user_ctx.timeout == -1) {
ctx.user.timeout = parse_timeout(p);
if (ctx.user.timeout == -1) {
if (errno == ERANGE)
sudo_warnx(U_("%s: %s"), p, U_("timeout value too large"));
else
@@ -404,20 +404,20 @@ sudoers_policy_deserialize_info(void *v, struct defaults_list *defaults)
if (ISSET(flags, MODE_IGNORE_TICKET))
CLR(flags, MODE_UPDATE_TICKET);
user_ctx.gid = (gid_t)-1;
user_ctx.uid = (gid_t)-1;
user_ctx.umask = (mode_t)-1;
ctx.user.gid = (gid_t)-1;
ctx.user.uid = (gid_t)-1;
ctx.user.umask = (mode_t)-1;
for (cur = info->user_info; *cur != NULL; cur++) {
if (MATCHES(*cur, "user=")) {
CHECK(*cur, "user=");
free(user_ctx.name);
if ((user_ctx.name = strdup(*cur + sizeof("user=") - 1)) == NULL)
free(ctx.user.name);
if ((ctx.user.name = strdup(*cur + sizeof("user=") - 1)) == NULL)
goto oom;
continue;
}
if (MATCHES(*cur, "uid=")) {
p = *cur + sizeof("uid=") - 1;
user_ctx.uid = (uid_t) sudo_strtoid(p, &errstr);
ctx.user.uid = (uid_t) sudo_strtoid(p, &errstr);
if (errstr != NULL) {
sudo_warnx(U_("%s: %s"), *cur, U_(errstr));
goto bad;
@@ -426,7 +426,7 @@ sudoers_policy_deserialize_info(void *v, struct defaults_list *defaults)
}
if (MATCHES(*cur, "gid=")) {
p = *cur + sizeof("gid=") - 1;
user_ctx.gid = (gid_t) sudo_strtoid(p, &errstr);
ctx.user.gid = (gid_t) sudo_strtoid(p, &errstr);
if (errstr != NULL) {
sudo_warnx(U_("%s: %s"), *cur, U_(errstr));
goto bad;
@@ -440,41 +440,41 @@ sudoers_policy_deserialize_info(void *v, struct defaults_list *defaults)
}
if (MATCHES(*cur, "cwd=")) {
CHECK(*cur, "cwd=");
free(user_ctx.cwd);
if ((user_ctx.cwd = strdup(*cur + sizeof("cwd=") - 1)) == NULL)
free(ctx.user.cwd);
if ((ctx.user.cwd = strdup(*cur + sizeof("cwd=") - 1)) == NULL)
goto oom;
continue;
}
if (MATCHES(*cur, "tty=")) {
CHECK(*cur, "tty=");
free(user_ctx.ttypath);
if ((user_ctx.ttypath = strdup(*cur + sizeof("tty=") - 1)) == NULL)
free(ctx.user.ttypath);
if ((ctx.user.ttypath = strdup(*cur + sizeof("tty=") - 1)) == NULL)
goto oom;
user_ctx.tty = user_ctx.ttypath;
if (strncmp(user_ctx.tty, _PATH_DEV, sizeof(_PATH_DEV) - 1) == 0)
user_ctx.tty += sizeof(_PATH_DEV) - 1;
ctx.user.tty = ctx.user.ttypath;
if (strncmp(ctx.user.tty, _PATH_DEV, sizeof(_PATH_DEV) - 1) == 0)
ctx.user.tty += sizeof(_PATH_DEV) - 1;
continue;
}
if (MATCHES(*cur, "host=")) {
CHECK(*cur, "host=");
if (user_ctx.shost != user_ctx.host)
free(user_ctx.shost);
free(user_ctx.host);
if ((user_ctx.host = strdup(*cur + sizeof("host=") - 1)) == NULL)
if (ctx.user.shost != ctx.user.host)
free(ctx.user.shost);
free(ctx.user.host);
if ((ctx.user.host = strdup(*cur + sizeof("host=") - 1)) == NULL)
goto oom;
if ((p = strchr(user_ctx.host, '.')) != NULL) {
user_ctx.shost = strndup(user_ctx.host, (size_t)(p - user_ctx.host));
if (user_ctx.shost == NULL)
if ((p = strchr(ctx.user.host, '.')) != NULL) {
ctx.user.shost = strndup(ctx.user.host, (size_t)(p - ctx.user.host));
if (ctx.user.shost == NULL)
goto oom;
} else {
user_ctx.shost = user_ctx.host;
ctx.user.shost = ctx.user.host;
}
continue;
}
if (MATCHES(*cur, "lines=")) {
p = *cur + sizeof("lines=") - 1;
user_ctx.lines = (int)sudo_strtonum(p, 1, INT_MAX, &errstr);
if (user_ctx.lines == 0) {
ctx.user.lines = (int)sudo_strtonum(p, 1, INT_MAX, &errstr);
if (ctx.user.lines == 0) {
sudo_warnx(U_("%s: %s"), *cur, U_(errstr));
goto bad;
}
@@ -482,8 +482,8 @@ sudoers_policy_deserialize_info(void *v, struct defaults_list *defaults)
}
if (MATCHES(*cur, "cols=")) {
p = *cur + sizeof("cols=") - 1;
user_ctx.cols = (int)sudo_strtonum(p, 1, INT_MAX, &errstr);
if (user_ctx.cols == 0) {
ctx.user.cols = (int)sudo_strtonum(p, 1, INT_MAX, &errstr);
if (ctx.user.cols == 0) {
sudo_warnx(U_("%s: %s"), *cur, U_(errstr));
goto bad;
}
@@ -491,7 +491,7 @@ sudoers_policy_deserialize_info(void *v, struct defaults_list *defaults)
}
if (MATCHES(*cur, "sid=")) {
p = *cur + sizeof("sid=") - 1;
user_ctx.sid = (pid_t) sudo_strtoid(p, &errstr);
ctx.user.sid = (pid_t) sudo_strtoid(p, &errstr);
if (errstr != NULL) {
sudo_warnx(U_("%s: %s"), *cur, U_(errstr));
goto bad;
@@ -500,7 +500,7 @@ sudoers_policy_deserialize_info(void *v, struct defaults_list *defaults)
}
if (MATCHES(*cur, "tcpgid=")) {
p = *cur + sizeof("tcpgid=") - 1;
user_ctx.tcpgid = (pid_t) sudo_strtoid(p, &errstr);
ctx.user.tcpgid = (pid_t) sudo_strtoid(p, &errstr);
if (errstr != NULL) {
sudo_warnx(U_("%s: %s"), *cur, U_(errstr));
goto bad;
@@ -509,7 +509,7 @@ sudoers_policy_deserialize_info(void *v, struct defaults_list *defaults)
}
if (MATCHES(*cur, "umask=")) {
p = *cur + sizeof("umask=") - 1;
user_ctx.umask = sudo_strtomode(p, &errstr);
ctx.user.umask = sudo_strtomode(p, &errstr);
if (errstr != NULL) {
sudo_warnx(U_("%s: %s"), *cur, U_(errstr));
goto bad;
@@ -519,56 +519,56 @@ sudoers_policy_deserialize_info(void *v, struct defaults_list *defaults)
}
/* User name, user-ID, group-ID and host name must be specified. */
if (user_ctx.name == NULL) {
if (ctx.user.name == NULL) {
sudo_warnx("%s", U_("user name not set by sudo front-end"));
goto bad;
}
if (user_ctx.uid == (uid_t)-1) {
if (ctx.user.uid == (uid_t)-1) {
sudo_warnx("%s", U_("user-ID not set by sudo front-end"));
goto bad;
}
if (user_ctx.gid == (gid_t)-1) {
if (ctx.user.gid == (gid_t)-1) {
sudo_warnx("%s", U_("group-ID not set by sudo front-end"));
goto bad;
}
if (user_ctx.host == NULL) {
if (ctx.user.host == NULL) {
sudo_warnx("%s", U_("host name not set by sudo front-end"));
goto bad;
}
if (runas_ctx.shost != runas_ctx.host)
free(runas_ctx.shost);
free(runas_ctx.host);
if ((runas_ctx.host = strdup(remhost ? remhost : user_ctx.host)) == NULL)
if (ctx.runas.shost != ctx.runas.host)
free(ctx.runas.shost);
free(ctx.runas.host);
if ((ctx.runas.host = strdup(remhost ? remhost : ctx.user.host)) == NULL)
goto oom;
if ((p = strchr(runas_ctx.host, '.')) != NULL) {
runas_ctx.shost = strndup(runas_ctx.host, (size_t)(p - runas_ctx.host));
if (runas_ctx.shost == NULL)
if ((p = strchr(ctx.runas.host, '.')) != NULL) {
ctx.runas.shost = strndup(ctx.runas.host, (size_t)(p - ctx.runas.host));
if (ctx.runas.shost == NULL)
goto oom;
} else {
runas_ctx.shost = runas_ctx.host;
ctx.runas.shost = ctx.runas.host;
}
if (user_ctx.cwd == NULL) {
if ((user_ctx.cwd = strdup("unknown")) == NULL)
if (ctx.user.cwd == NULL) {
if ((ctx.user.cwd = strdup("unknown")) == NULL)
goto oom;
}
if (user_ctx.tty == NULL) {
if ((user_ctx.tty = strdup("unknown")) == NULL)
if (ctx.user.tty == NULL) {
if ((ctx.user.tty = strdup("unknown")) == NULL)
goto oom;
/* user_ctx.ttypath remains NULL */
/* ctx.user.ttypath remains NULL */
}
if (groups != NULL) {
/* sudo_parse_gids() will print a warning on error. */
user_ctx.ngids = sudo_parse_gids(groups, &user_ctx.gid, &user_ctx.gids);
if (user_ctx.ngids == -1)
ctx.user.ngids = sudo_parse_gids(groups, &ctx.user.gid, &ctx.user.gids);
if (ctx.user.ngids == -1)
goto bad;
}
/* umask is only set in user_info[] for API 1.10 and above. */
if (user_ctx.umask == (mode_t)-1) {
user_ctx.umask = umask(0);
umask(user_ctx.umask);
if (ctx.user.umask == (mode_t)-1) {
ctx.user.umask = umask(0);
umask(ctx.user.umask);
}
/* Always reset the environment for a login shell. */
@@ -576,11 +576,11 @@ sudoers_policy_deserialize_info(void *v, struct defaults_list *defaults)
def_env_reset = true;
/* Some systems support fexecve() which we use for digest matches. */
runas_ctx.execfd = -1;
ctx.runas.execfd = -1;
/* Create a UUID to store in the event log. */
sudo_uuid_create(uuid);
if (sudo_uuid_to_string(uuid, user_ctx.uuid_str, sizeof(user_ctx.uuid_str)) == NULL) {
if (sudo_uuid_to_string(uuid, ctx.user.uuid_str, sizeof(ctx.user.uuid_str)) == NULL) {
sudo_warnx("%s", U_("unable to generate UUID"));
goto bad;
}
@@ -589,17 +589,17 @@ sudoers_policy_deserialize_info(void *v, struct defaults_list *defaults)
* Set intercept defaults based on flags set above.
* We pass -1 as the operator to indicate it is set by the front end.
*/
if (ISSET(user_ctx.flags, HAVE_INTERCEPT_PTRACE)) {
if (ISSET(ctx.settings.flags, HAVE_INTERCEPT_PTRACE)) {
if (!append_default("intercept_type", "trace", -1, NULL, defaults))
goto oom;
}
if (ISSET(user_ctx.flags, CAN_INTERCEPT_SETID)) {
if (ISSET(ctx.settings.flags, CAN_INTERCEPT_SETID)) {
if (!append_default("intercept_allow_setid", NULL, -1, NULL, defaults))
goto oom;
}
#ifdef NO_ROOT_MAILER
eventlog_set_mailuid(user_ctx.uid);
eventlog_set_mailuid(ctx.user.uid);
#endif
/* Dump settings and user info (XXX - plugin args) */
@@ -678,8 +678,8 @@ sudoers_policy_store_result(bool accepted, char *argv[], char *envp[],
if (command_info == NULL)
goto oom;
if (runas_ctx.cmnd != NULL) {
command_info[info_len] = sudo_new_key_val("command", runas_ctx.cmnd);
if (ctx.runas.cmnd != NULL) {
command_info[info_len] = sudo_new_key_val("command", ctx.runas.cmnd);
if (command_info[info_len++] == NULL)
goto oom;
}
@@ -752,7 +752,7 @@ sudoers_policy_store_result(bool accepted, char *argv[], char *envp[],
}
if (def_runcwd && strcmp(def_runcwd, "*") != 0) {
/* Set cwd to explicit value (sudoers or user-specified). */
if (!expand_tilde(&def_runcwd, runas_ctx.pw->pw_name)) {
if (!expand_tilde(&def_runcwd, ctx.runas.pw->pw_name)) {
sudo_warnx(U_("invalid working directory: %s"), def_runcwd);
goto bad;
}
@@ -760,38 +760,38 @@ sudoers_policy_store_result(bool accepted, char *argv[], char *envp[],
goto oom;
} else if (ISSET(sudo_mode, MODE_LOGIN_SHELL)) {
/* Set cwd to run user's homedir. */
if ((command_info[info_len++] = sudo_new_key_val("cwd", runas_ctx.pw->pw_dir)) == NULL)
if ((command_info[info_len++] = sudo_new_key_val("cwd", ctx.runas.pw->pw_dir)) == NULL)
goto oom;
if ((command_info[info_len++] = strdup("cwd_optional=true")) == NULL)
goto oom;
}
if ((command_info[info_len++] = sudo_new_key_val("runas_user", runas_ctx.pw->pw_name)) == NULL)
if ((command_info[info_len++] = sudo_new_key_val("runas_user", ctx.runas.pw->pw_name)) == NULL)
goto oom;
if (runas_ctx.gr != NULL) {
if ((command_info[info_len++] = sudo_new_key_val("runas_group", runas_ctx.gr->gr_name)) == NULL)
if (ctx.runas.gr != NULL) {
if ((command_info[info_len++] = sudo_new_key_val("runas_group", ctx.runas.gr->gr_name)) == NULL)
goto oom;
}
if (def_stay_setuid) {
if (asprintf(&command_info[info_len++], "runas_uid=%u",
(unsigned int)user_ctx.uid) == -1)
(unsigned int)ctx.user.uid) == -1)
goto oom;
if (asprintf(&command_info[info_len++], "runas_gid=%u",
(unsigned int)user_ctx.gid) == -1)
(unsigned int)ctx.user.gid) == -1)
goto oom;
if (asprintf(&command_info[info_len++], "runas_euid=%u",
(unsigned int)runas_ctx.pw->pw_uid) == -1)
(unsigned int)ctx.runas.pw->pw_uid) == -1)
goto oom;
if (asprintf(&command_info[info_len++], "runas_egid=%u",
runas_ctx.gr ? (unsigned int)runas_ctx.gr->gr_gid :
(unsigned int)runas_ctx.pw->pw_gid) == -1)
ctx.runas.gr ? (unsigned int)ctx.runas.gr->gr_gid :
(unsigned int)ctx.runas.pw->pw_gid) == -1)
goto oom;
} else {
if (asprintf(&command_info[info_len++], "runas_uid=%u",
(unsigned int)runas_ctx.pw->pw_uid) == -1)
(unsigned int)ctx.runas.pw->pw_uid) == -1)
goto oom;
if (asprintf(&command_info[info_len++], "runas_gid=%u",
runas_ctx.gr ? (unsigned int)runas_ctx.gr->gr_gid :
(unsigned int)runas_ctx.pw->pw_gid) == -1)
ctx.runas.gr ? (unsigned int)ctx.runas.gr->gr_gid :
(unsigned int)ctx.runas.pw->pw_gid) == -1)
goto oom;
}
if (def_preserve_groups) {
@@ -805,7 +805,7 @@ sudoers_policy_store_result(bool accepted, char *argv[], char *envp[],
struct gid_list *gidlist;
/* Only use results from a group db query, not the front end. */
gidlist = sudo_get_gidlist(runas_ctx.pw, ENTRY_TYPE_QUERIED);
gidlist = sudo_get_gidlist(ctx.runas.pw, ENTRY_TYPE_QUERIED);
/* We reserve an extra spot in the list for the effective gid. */
glsize = sizeof("runas_groups=") - 1 +
@@ -820,8 +820,8 @@ sudoers_policy_store_result(bool accepted, char *argv[], char *envp[],
glsize -= (size_t)(cp - gid_list);
/* On BSD systems the effective gid is the first group in the list. */
egid = runas_ctx.gr ? (unsigned int)runas_ctx.gr->gr_gid :
(unsigned int)runas_ctx.pw->pw_gid;
egid = ctx.runas.gr ? (unsigned int)ctx.runas.gr->gr_gid :
(unsigned int)ctx.runas.pw->pw_gid;
len = snprintf(cp, glsize, "%u", (unsigned int)egid);
if (len < 0 || (size_t)len >= glsize) {
sudo_warnx(U_("internal error, %s overflow"), __func__);
@@ -885,7 +885,7 @@ sudoers_policy_store_result(bool accepted, char *argv[], char *envp[],
goto oom;
}
if (def_utmp_runas) {
if ((command_info[info_len++] = sudo_new_key_val("utmp_user", runas_ctx.pw->pw_name)) == NULL)
if ((command_info[info_len++] = sudo_new_key_val("utmp_user", ctx.runas.pw->pw_name)) == NULL)
goto oom;
}
if (def_iolog_mode != (S_IRUSR|S_IWUSR)) {
@@ -931,15 +931,15 @@ sudoers_policy_store_result(bool accepted, char *argv[], char *envp[],
goto oom;
}
if (def_command_timeout > 0 || user_ctx.timeout > 0) {
int timeout = user_ctx.timeout;
if (def_command_timeout > 0 || ctx.user.timeout > 0) {
int timeout = ctx.user.timeout;
if (timeout == 0 || (def_command_timeout > 0 && def_command_timeout < timeout))
timeout = def_command_timeout;
if (asprintf(&command_info[info_len++], "timeout=%u", timeout) == -1)
goto oom;
}
if (def_runchroot != NULL && strcmp(def_runchroot, "*") != 0) {
if (!expand_tilde(&def_runchroot, runas_ctx.pw->pw_name)) {
if (!expand_tilde(&def_runchroot, ctx.runas.pw->pw_name)) {
sudo_warnx(U_("invalid chroot directory: %s"), def_runchroot);
goto bad;
}
@@ -954,13 +954,13 @@ sudoers_policy_store_result(bool accepted, char *argv[], char *envp[],
if ((command_info[info_len++] = strdup("umask_override=true")) == NULL)
goto oom;
}
if (runas_ctx.execfd != -1) {
if (ctx.runas.execfd != -1) {
if (sudo_version < SUDO_API_MKVERSION(1, 9)) {
/* execfd only supported by plugin API 1.9 and higher */
close(runas_ctx.execfd);
runas_ctx.execfd = -1;
close(ctx.runas.execfd);
ctx.runas.execfd = -1;
} else {
if (asprintf(&command_info[info_len++], "execfd=%d", runas_ctx.execfd) == -1)
if (asprintf(&command_info[info_len++], "execfd=%d", ctx.runas.execfd) == -1)
goto oom;
}
}
@@ -1008,40 +1008,40 @@ sudoers_policy_store_result(bool accepted, char *argv[], char *envp[],
if ((command_info[info_len++] = sudo_new_key_val("rlimit_stack", def_rlimit_stack)) == NULL)
goto oom;
}
if (user_ctx.source != NULL) {
command_info[info_len] = sudo_new_key_val("source", user_ctx.source);
if (ctx.user.source != NULL) {
command_info[info_len] = sudo_new_key_val("source", ctx.user.source);
if (command_info[info_len++] == NULL)
goto oom;
}
#ifdef HAVE_LOGIN_CAP_H
if (def_use_loginclass) {
if ((command_info[info_len++] = sudo_new_key_val("login_class", runas_ctx.class)) == NULL)
if ((command_info[info_len++] = sudo_new_key_val("login_class", ctx.runas.class)) == NULL)
goto oom;
}
#endif /* HAVE_LOGIN_CAP_H */
#ifdef HAVE_SELINUX
if (def_selinux && runas_ctx.role != NULL) {
if ((command_info[info_len++] = sudo_new_key_val("selinux_role", runas_ctx.role)) == NULL)
if (def_selinux && ctx.runas.role != NULL) {
if ((command_info[info_len++] = sudo_new_key_val("selinux_role", ctx.runas.role)) == NULL)
goto oom;
}
if (def_selinux && runas_ctx.type != NULL) {
if ((command_info[info_len++] = sudo_new_key_val("selinux_type", runas_ctx.type)) == NULL)
if (def_selinux && ctx.runas.type != NULL) {
if ((command_info[info_len++] = sudo_new_key_val("selinux_type", ctx.runas.type)) == NULL)
goto oom;
}
#endif /* HAVE_SELINUX */
#ifdef HAVE_APPARMOR
if (runas_ctx.apparmor_profile != NULL) {
if ((command_info[info_len++] = sudo_new_key_val("apparmor_profile", runas_ctx.apparmor_profile)) == NULL)
if (ctx.runas.apparmor_profile != NULL) {
if ((command_info[info_len++] = sudo_new_key_val("apparmor_profile", ctx.runas.apparmor_profile)) == NULL)
goto oom;
}
#endif /* HAVE_APPARMOR */
#ifdef HAVE_PRIV_SET
if (runas_ctx.privs != NULL) {
if ((command_info[info_len++] = sudo_new_key_val("privs", runas_ctx.privs)) == NULL)
if (ctx.runas.privs != NULL) {
if ((command_info[info_len++] = sudo_new_key_val("privs", ctx.runas.privs)) == NULL)
goto oom;
}
if (runas_ctx.limitprivs != NULL) {
if ((command_info[info_len++] = sudo_new_key_val("limitprivs", runas_ctx.limitprivs)) == NULL)
if (ctx.runas.limitprivs != NULL) {
if ((command_info[info_len++] = sudo_new_key_val("limitprivs", ctx.runas.limitprivs)) == NULL)
goto oom;
}
#endif /* HAVE_PRIV_SET */
@@ -1129,11 +1129,11 @@ sudoers_policy_close(int exit_status, int error_code)
if (session_opened) {
/* Close the session we opened in sudoers_policy_init_session(). */
(void)sudo_auth_end_session(runas_ctx.pw);
(void)sudo_auth_end_session(ctx.runas.pw);
if (error_code) {
errno = error_code;
sudo_warn(U_("unable to execute %s"), runas_ctx.cmnd);
sudo_warn(U_("unable to execute %s"), ctx.runas.cmnd);
} else {
log_exit_status(exit_status);
}
@@ -1145,7 +1145,7 @@ sudoers_policy_close(int exit_status, int error_code)
/* Free stashed copy of the environment. */
(void)env_init(NULL);
/* Free sudoers sources, user_ctx and passwd/group caches. */
/* Free sudoers sources, ctx.user.and passwd/group caches. */
sudoers_cleanup();
/* command_info was freed by the g/c code. */
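Review bot: `ctx.settings.flags` now receives both the bits that used to be set in `runas_ctx.flags` (`RUNAS_USER_SPECIFIED`, `RUNAS_GROUP_SPECIFIED`) and those that used to be set in `user_ctx.flags` (`HAVE_INTERCEPT_PTRACE`, `CAN_INTERCEPT_SETID`), so the merge is only safe if all four constants have distinct bit values; their definitions are not visible in these hunks. A collision would make a front-end `intercept_*` setting read as a user-specified runas user or group (or the reverse), so I would record the constraint where the field is zeroed, e.g. `/* settings.flags holds both RUNAS_*_SPECIFIED and intercept bits; their values must not overlap. */` above `ctx.settings.flags = 0;`. Separately, the `@@ -404,20 +404,20 @@` hunk still writes the sentinel as `ctx.user.uid = (gid_t)-1;` while the later check compares against `(uid_t)-1`; `ctx.user.uid = (uid_t)-1;` keeps the two consistent. The rename also left the cleanup comment in sudoers_policy_close as `ctx.user.and passwd/group caches`, which should read `ctx.user and passwd/group caches`.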