Merge in Solaris privilege support by Darren Moffat and John Zolnowsky

NEWS

@@ -36,6 +36,10 @@ What's new in Sudo 1.8.6?
  * The sudo manuals are now formatted in mdoc.  Versions using the
    legacy man macros are provided for systems that lack mdoc.
 
+ * New support for Solaris privilege sets.  This makes it possible
+   to specify fine-grained privileges in the sudoers file on Solaris
+   10 and above.
+
 What's new in Sudo 1.8.5p2?
 
  * Fixed use of the SUDO_ASKPASS environment variable which was

configure.in

@@ -48,6 +48,7 @@ AC_SUBST([SUDOERS_GID])
 AC_SUBST([DEVEL])
 AC_SUBST([BAMAN])
 AC_SUBST([LCMAN])
+AC_SUBST([PSMAN])
 AC_SUBST([SEMAN])
 AC_SUBST([devdir])
 AC_SUBST([mansectsu])
@@ -175,6 +176,7 @@ DEVEL=
 LDAP="#"
 BAMAN=0
 LCMAN=0
+PSMAN=0
 SEMAN=0
 LIBINTL=
 ZLIB=
@@ -1558,7 +1560,7 @@ case "$host" in
 		: ${mansectform='4'}
 		: ${with_rpath='yes'}
 		test -z "$with_pam" && AUTH_EXCL_DEF="PAM"
-		AC_CHECK_FUNCS(priv_set)
+		AC_CHECK_FUNCS(priv_set, [PSMAN=1])
 		;;
     *-*-aix*)
 		# To get all prototypes (so we pass -Wall)

doc/CONTRIBUTORS

@@ -96,6 +96,7 @@ you believe you should be listed, please send a note to sudo@sudo.ws.
     Michael Meskes
     Todd C. Miller
     Loic Minier
+    Darren Moffat
     Jan Thomas Moldung
     Charles Morris
     Andreas Mueller
@@ -163,3 +164,4 @@ you believe you should be listed, please send a note to sudo@sudo.ws.
     Marco van Wieringen
     David Wood
     Gustavo Zacarias
+    John Zolnowsky

doc/Makefile.in

@@ -95,7 +95,7 @@ Makefile: $(srcdir)/Makefile.in
 
 varsub: $(top_srcdir)/configure.in
 	@if [ -n "$(DEVEL)" ]; then \
-	    printf 's#@%s@#1#\ns#@%s@#1#\ns#@%s@#1#\ns#@%s@#/etc#g\ns#@%s@#/usr/local#g\ns#@%s@#5#g\ns#@%s@#8#g\ns#@%s@#%s#\n' SEMAN BAMAN LCMAN sysconfdir prefix mansectform mansectsu PACKAGE_VERSION $(VERSION) > $@; \
+	    printf 's#@%s@#1#\ns#@%s@#1#\ns#@%s@#1#\ns#@%s@#1#\ns#@%s@#/etc#g\ns#@%s@#/usr/local#g\ns#@%s@#5#g\ns#@%s@#8#g\ns#@%s@#%s#\n' SEMAN BAMAN LCMAN PSMAN sysconfdir prefix mansectform mansectsu PACKAGE_VERSION $(VERSION) > $@; \
 	    sed -n '/Begin initial values for man page substitution/,/End initial values for man page substitution/{;p;}' $(top_srcdir)/configure.in | sed -e '/^#/d' -e 's/^/s#@/' -e 's/=[\\"]*/@#/' -e 's/[\\"]*$$/#g/' >> $@; \
 	fi
 

doc/contributors.pod

@@ -99,6 +99,7 @@ you believe you should be listed, please send a note to sudo@sudo.ws.
     Michael Meskes
     Todd C. Miller
     Loic Minier
+    Darren Moffat
     Jan Thomas Moldung
     Charles Morris
     Andreas Mueller
@@ -166,3 +167,4 @@ you believe you should be listed, please send a note to sudo@sudo.ws.
     Marco van Wieringen
     David Wood
     Gustavo Zacarias
+    John Zolnowsky

doc/sudoers.cat

@@ -339,12 +339,14 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
      Cmnd_Spec_List ::= Cmnd_Spec |
                         Cmnd_Spec ',' Cmnd_Spec_List
 
-     Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd
+     Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Solaris_Priv_Spec? Tag_Spec* Cmnd
 
      Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
 
      SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
 
+     Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset')
+
      Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
                    'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
                    'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')
@@ -432,6 +434,12 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
      in _s_u_d_o_e_r_s.  A role or type specified on the command line, however, will
      supercede the values in _s_u_d_o_e_r_s.
 
+   SSoollaarriiss__PPrriivv__SSppeecc
+     On Solaris systems, _s_u_d_o_e_r_s entries may optionally specify Solaris
+     privilege set and/or limit privilege set associated with a command.  If
+     privileges or limit privileges are specified with the command it will
+     override any default values specified in _s_u_d_o_e_r_s.
+
    TTaagg__SSppeecc
      A command may have zero or more tags associated with it.  There are ten
      possible tag values: NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV, NOSETENV,
@@ -1108,6 +1116,13 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
                        unique combination of digits and letters, similar to
                        the mktemp(3) function.
 
+     limitprivs        The default Solaris limit privileges to use when
+                       constructing a new privilege set for a command.  This
+                       bounds all privileges of the executing process.  The
+                       default limit privileges may be overridden on a per-
+                       command basis in _s_u_d_o_e_r_s.  This option is only
+                       available if ssuuddooeerrss is built on Solaris 10 or higher.
+
      mailsub           Subject of the mail sent to the _m_a_i_l_t_o user.  The
                        escape %h will expand to the host name of the machine.
                        Default is ``*** SECURITY information for %h ***''.
@@ -1142,11 +1157,21 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
 
                        The default value is ``Password:''.
 
+     privs             The default Solaris privileges to use when constructing
+                       a new privilege set for a command.  This is passed to
+                       the executing process via the inherited privilege set,
+                       but is bounded by the limit privileges.  If the _p_r_i_v_s
+                       option is specified but the _l_i_m_i_t_p_r_i_v_s option is not,
+                       the limit privileges of the executing process is set to
+                       _p_r_i_v_s.  The default privileges may be overridden on a
+                       per-command basis in _s_u_d_o_e_r_s.  This option is only
+                       available if ssuuddooeerrss is built on Solaris 10 or higher.
+
      role              The default SELinux role to use when constructing a new
                        security context to run the command.  The default role
                        may be overridden on a per-command basis in _s_u_d_o_e_r_s or
                        via command line options.  This option is only
-                       available whe ssuuddoo is built with SELinux support.
+                       available when ssuuddoo is built with SELinux support.
 
      runas_default     The default user to run commands as if the --uu option is
                        not specified on the command line.  This defaults to

doc/sudoers.man.in

@@ -742,12 +742,14 @@ User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \e
 Cmnd_Spec_List ::= Cmnd_Spec |
                    Cmnd_Spec ',' Cmnd_Spec_List
 
-Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd
+Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Solaris_Priv_Spec? Tag_Spec* Cmnd
 
 Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
 
 SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
 
+Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset')
+
 Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
               'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
               'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')
@@ -951,6 +953,14 @@ specified in
 A role or type specified on the command line,
 however, will supercede the values in
 \fIsudoers\fR.
+.SS "Solaris_Priv_Spec"
+On Solaris systems,
+\fIsudoers\fR
+entries may optionally specify Solaris privilege set and/or limit
+privilege set associated with a command.
+If privileges or limit privileges are specified with the command
+it will override any default values specified in
+\fIsudoers\fR.
 .SS "Tag_Spec"
 A command may have zero or more tags associated with it.
 There are
@@ -2398,6 +2408,16 @@ mktemp(3)
 function.
 .PD
 .TP 18n
+limitprivs
+The default Solaris limit privileges to use when constructing a new
+privilege set for a command.
+This bounds all privileges of the executing process.
+The default limit privileges may be overridden on a per-command basis in
+\fIsudoers\fR.
+This option is only available if
+\fBsudoers\fR
+is built on Solaris 10 or higher.
+.TP 18n
 mailsub
 Subject of the mail sent to the
 \fImailto\fR
@@ -2463,16 +2483,33 @@ The default value is
 .RE
 .PD 0
 .TP 18n
+privs
+The default Solaris privileges to use when constructing a new
+privilege set for a command.
+This is passed to the executing process via the inherited privilege set,
+but is bounded by the limit privileges.
+If the
+\fIprivs\fR
+option is specified but the
+\fIlimitprivs\fR
+option is not, the limit privileges of the executing process is set to
+\fIprivs\fR.
+The default privileges may be overridden on a per-command basis in
+\fIsudoers\fR.
+This option is only available if
+\fBsudoers\fR
+is built on Solaris 10 or higher.
+.PD
+.TP 18n
 role
 The default SELinux role to use when constructing a new security
 context to run the command.
 The default role may be overridden on a per-command basis in
 \fIsudoers\fR
 or via command line options.
-This option is only available whe
+This option is only available when
 \fBsudo\fR
 is built with SELinux support.
-.PD
 .TP 18n
 runas_default
 The default user to run commands as if the

doc/sudoers.man.pl

@@ -4,33 +4,54 @@ BEGIN {
     $cond = -1;
 }
 
-# Initialize the numeric register we use for conditionals
+# Initialize the numeric registers we use for conditionals
 if ($cond == -1) {
-    $_ = ".nr SL \@SEMAN\@\n.nr BA \@BAMAN\@\n.nr LC \@LCMAN\@\n.\\\"\n$_";
+    $prefix = "";
+    $prefix = "$prefix.nr BA \@BAMAN\@\n";
+    $prefix = "$prefix.nr LC \@LCMAN\@\n";
+    $prefix = "$prefix.nr PS \@PSMAN\@\n";
+    $prefix = "$prefix.nr SL \@SEMAN\@\n";
+    $_ = "$prefix.\\\"\n$_";
     $cond = 0;
 }
 
-# Make SELinux_Spec conditional
-if (/(.*)SELinux_Spec\? (.*)$/) {
-    $_ = ".ie \\n(SL $_.el $1$2\n";
+# Make SELinux_Spec and Solaris_Priv_Spec conditional
+if (/(.*) SELinux_Spec\? Solaris_Priv_Spec(.*)$/) {
+    $_ = "$1\\*(S+$2\n";
+    $prefix = "";
+    $prefix = "$prefix.ds S+\n";
+    $prefix = "$prefix.if \\n(SL .as S+ \" SELinux_Spec?\n";
+    $prefix = "$prefix.if \\n(PS .as S+ \" Solaris_Priv_Spec?\n";
+    $_ = "$prefix$_";
 } elsif (/^(.*SELinux_Spec ::=)/) {
     $_ = ".if \\n(SL \\{\\\n$_";
+} elsif (/^(.*Solaris_Priv_Spec ::=)/) {
+    $_ = "\\}\n.if \\n(PS \\{\\\n$_";
 } elsif (/^(.*Tag_Spec ::=)/) {
     $_ = "\\}\n$_";
 }
 
+if (/^\.(Sh|SS|IP|PP)/) {
+    $prefix = $cond ? "\\}\n" : "";
+    $cond = 0;
+}
 if (/^\.S[Sh] "SELinux_Spec"/) {
-    $_ = ".if \\n(SL \\{\\\n$_";
+    $_ = "$prefix.if \\n(SL \\{\\\n$_";
     $cond = 1;
 } elsif (/^\.IP "(role|type)"/) {
-    $_ = ".if \\n(SL \\{\\\n$_";
+    $_ = "$prefix.if \\n(SL \\{\\\n$_";
+    $cond = 1;
+} elsif (/^\.S[Sh] "Solaris_Priv_Spec"/) {
+    $_ = "$prefix.if \\n(PS \\{\\\n$_";
+    $cond = 1;
+} elsif (/^\.IP "(privs|limitprivs)"/) {
+    $_ = "$prefix.if \\n(PS \\{\\\n$_";
     $cond = 1;
 } elsif (/^\.IP "use_loginclass"/) {
-    $_ = ".if \\n(LC \\{\\\n$_";
+    $_ = "$prefix.if \\n(LC \\{\\\n$_";
     $cond = 1;
-} elsif ($cond && /^\.(Sh|SS|IP|PP)/) {
-    $_ = "\\}\n$_";
-    $cond = 0;
+} elsif (/^\.(Sh|SS|IP|PP)/) {
+    $_ = "$prefix$_";
 }
 
 # Fix up broken pod2man formatting of F<@foo@/bar>

doc/sudoers.mdoc.in

@@ -714,12 +714,14 @@ User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \e
 Cmnd_Spec_List ::= Cmnd_Spec |
                    Cmnd_Spec ',' Cmnd_Spec_List
 
-Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd
+Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Solaris_Priv_Spec? Tag_Spec* Cmnd
 
 Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
 
 SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
 
+Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset')
+
 Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
               'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
               'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')
@@ -898,6 +900,14 @@ specified in
 A role or type specified on the command line,
 however, will supercede the values in
 .Em sudoers .
+.Ss Solaris_Priv_Spec
+On Solaris systems,
+.Em sudoers
+entries may optionally specify Solaris privilege set and/or limit
+privilege set associated with a command.
+If privileges or limit privileges are specified with the command
+it will override any default values specified in
+.Em sudoers .
 .Ss Tag_Spec
 A command may have zero or more tags associated with it.
 There are
@@ -2266,6 +2276,15 @@ will have the
 replaced with a unique combination of digits and letters, similar to the
 .Xr mktemp 3
 function.
+.It limitprivs
+The default Solaris limit privileges to use when constructing a new
+privilege set for a command.
+This bounds all privileges of the executing process.
+The default limit privileges may be overridden on a per-command basis in
+.Em sudoers .
+This option is only available if
+.Nm
+is built on Solaris 10 or higher.
 .It mailsub
 Subject of the mail sent to the
 .Em mailto
@@ -2320,13 +2339,29 @@ character
 .Pp
 The default value is
 .Dq Li @passprompt@ .
+.It privs
+The default Solaris privileges to use when constructing a new
+privilege set for a command.
+This is passed to the executing process via the inherited privilege set,
+but is bounded by the limit privileges.
+If the
+.Em privs
+option is specified but the
+.Em limitprivs
+option is not, the limit privileges of the executing process is set to
+.Em privs .
+The default privileges may be overridden on a per-command basis in
+.Em sudoers .
+This option is only available if
+.Nm
+is built on Solaris 10 or higher.
 .It role
 The default SELinux role to use when constructing a new security
 context to run the command.
 The default role may be overridden on a per-command basis in
 .Em sudoers
 or via command line options.
-This option is only available whe
+This option is only available when
 .Nm sudo
 is built with SELinux support.
 .It runas_default

doc/sudoers.pod

@@ -402,12 +402,14 @@ See L<"SUDOERS OPTIONS"> for a list of supported Defaults parameters.
  Cmnd_Spec_List ::= Cmnd_Spec |
 		    Cmnd_Spec ',' Cmnd_Spec_List
 
- Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd
+ Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Solaris_Priv_Spec? Tag_Spec* Cmnd
 
  Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
 
  SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
 
+ Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset')
+
  Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
 	       'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
                'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')
@@ -499,6 +501,13 @@ type is specified with the command it will override any default values
 specified in I<sudoers>.  A role or type specified on the command line,
 however, will supercede the values in I<sudoers>.
 
+=head2 Solaris_Priv_Spec
+
+On Solaris systems, I<sudoers> entries may optionally specify
+a Solaris privilege set and/or limit privilege set associated with a command.
+If privileges or limit privileges are specified with the command
+it will override any default values specified in I<sudoers>.
+
 =head2 Tag_Spec
 
 A command may have zero or more tags associated with it.  There are
@@ -1279,6 +1288,16 @@ In addition to the escape sequences, path names that end in six or
 more C<X>s will have the C<X>s replaced with a unique combination
 of digits and letters, similar to the mktemp() function.
 
+=item limitprivs
+
+The default Solaris limit privileges to use
+when constructing a new privilege set for a command.
+This bounds all privileges of the executing process.
+The default limit privileges may be overridden
+on a per-command basis in I<sudoers>.
+This option is only available when B<sudo> is built on
+Solaris 10 or higher.
+
 =item mailsub
 
 Subject of the mail sent to the I<mailto> user. The escape C<%h>
@@ -1330,12 +1349,24 @@ two consecutive C<%> characters are collapsed into a single C<%> character
 
 The default value is "C<@passprompt@>".
 
+=item privs
+
+The default Solaris privileges to use
+when constructing a new privilege set to run the command.
+This is passed to the executing process via the inherited privilege set,
+but is bounded by the limit privileges.
+If the I<privs> option is specified but the I<limitprivs> option is not,
+the limit privileges of the executing process is set to I<privs>.
+The default privileges may be overridden on a per-command basis in I<sudoers>.
+This option is only available when B<sudo> is built on
+Solaris 10 or higher.
+
 =item role
 
 The default SELinux role to use when constructing a new security
 context to run the command.  The default role may be overridden on
 a per-command basis in I<sudoers> or via command line options.
-This option is only available whe B<sudo> is built with SELinux support.
+This option is only available when B<sudo> is built with SELinux support.
 
 =item runas_default
 

plugins/sudoers/def_data.c

@@ -342,6 +342,14 @@ struct sudo_defs_types sudo_defs_table[] = {
 	"utmp_runas", T_FLAG,
 	N_("Set the user in utmp to the runas user, not the invoking user"),
 	NULL,
+    }, {
+	"privs", T_STR,
+	N_("Set of permitted privileges"),
+	NULL,
+    }, {
+	"limitprivs", T_STR,
+	N_("Set of limit privileges"),
+	NULL,
     }, {
 	NULL, 0, NULL
     }

plugins/sudoers/def_data.h

@@ -158,6 +158,10 @@
 #define I_SET_UTMP              78
 #define def_utmp_runas          (sudo_defs_table[79].sd_un.flag)
 #define I_UTMP_RUNAS            79
+#define def_privs               (sudo_defs_table[80].sd_un.str)
+#define I_PRIVS                 80
+#define def_limitprivs          (sudo_defs_table[81].sd_un.str)
+#define I_LIMITPRIVS            81
 
 enum def_tuple {
 	never,

plugins/sudoers/def_data.in

@@ -253,3 +253,9 @@ set_utmp
 utmp_runas
 	T_FLAG
 	"Set the user in utmp to the runas user, not the invoking user"
+privs
+	T_STR
+	"Set of permitted privileges"
+limitprivs
+	T_STR
+	"Set of limit privileges"

plugins/sudoers/gram.h

@@ -29,6 +29,8 @@
 #define ERROR 285
 #define TYPE 286
 #define ROLE 287
+#define PRIVS 288
+#define LIMITPRIVS 289
 #ifndef YYSTYPE_DEFINED
 #define YYSTYPE_DEFINED
 typedef union {
@@ -40,6 +42,7 @@ typedef union {
     struct sudo_command command;
     struct cmndtag tag;
     struct selinux_info seinfo;
+    struct solaris_privs_info privinfo;
     char *string;
     int tok;
 } YYSTYPE;

plugins/sudoers/gram.y

@@ -123,6 +123,7 @@ yyerror(const char *s)
     struct sudo_command command;
     struct cmndtag tag;
     struct selinux_info seinfo;
+    struct solaris_privs_info privinfo;
     char *string;
     int tok;
 }
@@ -161,6 +162,8 @@ yyerror(const char *s)
 %token <tok>	 ERROR
 %token <tok>	 TYPE			/* SELinux type */
 %token <tok>	 ROLE			/* SELinux role */
+%token <tok>	 PRIVS			/* Solaris privileges */
+%token <tok>	 LIMITPRIVS		/* Solaris limit privileges */
 
 %type <cmndspec>  cmndspec
 %type <cmndspec>  cmndspeclist
@@ -186,6 +189,9 @@ yyerror(const char *s)
 %type <seinfo>	  selinux
 %type <string>	  rolespec
 %type <string>	  typespec
+%type <privinfo>  solarisprivs
+%type <string>	  privsspec
+%type <string>	  limitprivsspec
 
 %%
 
@@ -313,6 +319,13 @@ cmndspeclist	:	cmndspec
 			    if ($3->type == NULL)
 				$3->type = $3->prev->type;
 #endif /* HAVE_SELINUX */
+#ifdef HAVE_PRIV_SET
+			    /* propagate privs & limitprivs */
+			    if ($3->privs == NULL)
+			        $3->privs = $3->prev->privs;
+			    if ($3->limitprivs == NULL)
+			        $3->limitprivs = $3->prev->limitprivs;
+#endif /* HAVE_PRIV_SET */
 			    /* propagate tags and runas list */
 			    if ($3->tags.nopasswd == UNSPEC)
 				$3->tags.nopasswd = $3->prev->tags.nopasswd;
@@ -336,7 +349,7 @@ cmndspeclist	:	cmndspec
 			}
 		;
 
-cmndspec	:	runasspec selinux cmndtag opcmnd {
+cmndspec	:	runasspec selinux solarisprivs cmndtag opcmnd {
 			    struct cmndspec *cs = ecalloc(1, sizeof(*cs));
 			    if ($1 != NULL) {
 				list2tq(&cs->runasuserlist, $1->runasusers);
@@ -350,8 +363,12 @@ cmndspec	:	runasspec selinux cmndtag opcmnd {
 			    cs->role = $2.role;
 			    cs->type = $2.type;
 #endif
-			    cs->tags = $3;
-			    cs->cmnd = $4;
+#ifdef HAVE_PRIV_SET
+			    cs->privs = $3.privs;
+			    cs->limitprivs = $3.limitprivs;
+#endif
+			    cs->tags = $4;
+			    cs->cmnd = $5;
 			    cs->prev = cs;
 			    cs->next = NULL;
 			    /* sudo "ALL" implies the SETENV tag */
@@ -404,6 +421,36 @@ selinux		:	/* empty */ {
 			}
 		;
 
+privsspec	:	PRIVS '=' WORD {
+			    $$ = $3;
+			}
+		;
+limitprivsspec	:	LIMITPRIVS '=' WORD {
+			    $$ = $3;
+			}
+		;
+
+solarisprivs	:	/* empty */ {
+			    $$.privs = NULL;
+			    $$.limitprivs = NULL;
+			}
+		|	privsspec {
+			    $$.privs = $1;
+			    $$.limitprivs = NULL;
+			}	
+		|	limitprivsspec {
+			    $$.privs = NULL;
+			    $$.limitprivs = $1;
+			}	
+		|	privsspec limitprivsspec {
+			    $$.privs = $1;
+			    $$.limitprivs = $2;
+			}	
+		|	limitprivsspec privsspec {
+			    $$.limitprivs = $1;
+			    $$.privs = $2;
+			}	
+
 runasspec	:	/* empty */ {
 			    $$ = NULL;
 			}
@@ -716,6 +763,9 @@ init_parser(const char *path, int quiet)
 #ifdef HAVE_SELINUX
 	    char *role = NULL, *type = NULL;
 #endif /* HAVE_SELINUX */
+#ifdef HAVE_PRIV_SET
+	    char *privs = NULL, *limitprivs = NULL;
+#endif /* HAVE_PRIV_SET */
 
 	    while ((m = tq_pop(&priv->hostlist)) != NULL) {
 		efree(m->name);
@@ -733,6 +783,17 @@ init_parser(const char *path, int quiet)
 		    efree(cs->type);
 		}
 #endif /* HAVE_SELINUX */
+#ifdef HAVE_PRIV_SET
+		/* Only free the first instance of privs/limitprivs. */
+		if (cs->privs != privs) {
+		    privs = cs->privs;
+		    efree(cs->privs);
+		}
+		if (cs->limitprivs != limitprivs) {
+		    limitprivs = cs->limitprivs;
+		    efree(cs->limitprivs);
+		}
+#endif /* HAVE_PRIV_SET */
 		if (tq_last(&cs->runasuserlist) != runasuser) {
 		    runasuser = tq_last(&cs->runasuserlist);
 		    while ((m = tq_pop(&cs->runasuserlist)) != NULL) {

plugins/sudoers/parse.c

@@ -239,6 +239,13 @@ sudo_file_lookup(struct sudo_nss *nss, int validated, int pwflag)
 			if (user_type == NULL)
 			    user_type = cs->type ? estrdup(cs->type) : def_type;
 #endif /* HAVE_SELINUX */
+#ifdef HAVE_PRIV_SET
+			/* Set Solaris privilege sets */
+			if (runas_privs == NULL)
+			    runas_privs = cs->privs ? estrdup(cs->privs) : def_privs;
+			if (runas_limitprivs == NULL)
+			    runas_limitprivs = cs->limitprivs ? estrdup(cs->limitprivs) : def_limitprivs;
+#endif /* HAVE_PRIV_SET */
 			goto matched2;
 		    }
 		}
@@ -281,6 +288,12 @@ sudo_file_append_cmnd(struct cmndspec *cs, struct cmndtag *tags,
     struct member *m;
     debug_decl(sudo_file_append_cmnd, SUDO_DEBUG_NSS)
 
+#ifdef HAVE_PRIV_SET
+    if (cs->privs)
+	lbuf_append(lbuf, "PRIVS=\"%s\" ", cs->privs);
+    if (cs->limitprivs)
+	lbuf_append(lbuf, "LIMITPRIVS=\"%s\" ", cs->limitprivs);
+#endif /* HAVE_PRIV_SET */
 #ifdef HAVE_SELINUX
     if (cs->role)
 	lbuf_append(lbuf, "ROLE=%s ", cs->role);

plugins/sudoers/parse.h

@@ -57,7 +57,17 @@ struct selinux_info {
 };
 
 /*
- * The parses sudoers file is stored as a collection of linked lists,
+ * Solaris privileges container struct
+ * Currently just contains permitted and limit privileges.
+ * It could have PFEXEC and PRIV_AWARE flags added in the future.
+ */
+struct solaris_privs_info {
+    char *privs;
+    char *limitprivs;
+};
+
+/*
+ * The parsed sudoers file is stored as a collection of linked lists,
  * modelled after the yacc grammar.
  *
  * Other than the alias struct, which is stored in a red-black tree,
@@ -111,6 +121,9 @@ struct cmndspec {
 #ifdef HAVE_SELINUX
     char *role, *type;			/* SELinux role and type */
 #endif
+#ifdef HAVE_PRIV_SET
+    char *privs, *limitprivs;		/* Solaris privilege sets */
+#endif
 };
 
 /*

plugins/sudoers/sudoers.c

@@ -697,6 +697,12 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
     if (user_type != NULL)
 	command_info[info_len++] = fmt_string("selinux_type", user_type);
 #endif /* HAVE_SELINUX */
+#ifdef HAVE_PRIV_SET
+    if (runas_privs != NULL)
+	command_info[info_len++] = fmt_string("runas_privs", runas_privs);
+    if (runas_limitprivs != NULL)
+	command_info[info_len++] = fmt_string("runas_limitprivs", runas_limitprivs);
+#endif /* HAVE_SELINUX */
 
     /* Must audit before uid change. */
     audit_success(NewArgv);
@@ -1312,6 +1318,16 @@ deserialize_info(char * const args[], char * const settings[], char * const user
 	    def_use_loginclass = true;
 	    continue;
 	}
+#ifdef HAVE_PRIV_SET
+	if (MATCHES(*cur, "runas_privs=")) {
+	    def_privs = *cur + sizeof("runas_privs=") - 1;
+	    continue;
+	}
+	if (MATCHES(*cur, "runas_limitprivs=")) {
+	    def_limitprivs = *cur + sizeof("runas_limitprivs=") - 1;
+	    continue;
+	}
+#endif /* HAVE_PRIV_SET */
 #ifdef HAVE_SELINUX
 	if (MATCHES(*cur, "selinux_role=")) {
 	    user_role = *cur + sizeof("selinux_role=") - 1;

plugins/sudoers/sudoers.h

@@ -80,6 +80,10 @@ struct sudo_user {
 #ifdef HAVE_SELINUX
     char *role;
     char *type;
+#endif
+#ifdef HAVE_PRIV_SET
+    char *privs;
+    char *limitprivs;
 #endif
     char *cwd;
     char *iolog_file;
@@ -185,6 +189,8 @@ struct sudo_user {
 #define user_role		(sudo_user.role)
 #define user_type		(sudo_user.type)
 #define user_closefrom		(sudo_user.closefrom)
+#define	runas_privs		(sudo_user.privs)
+#define	runas_limitprivs	(sudo_user.limitprivs)
 
 #ifdef __TANDEM
 # define ROOT_UID       65535

plugins/sudoers/testsudoers.c

@@ -636,6 +636,12 @@ print_privilege(struct privilege *priv)
 	    if (cs->type)
 		printf("TYPE=%s ", cs->type);
 #endif /* HAVE_SELINUX */
+#ifdef HAVE_PRIV_SET
+	    if (cs->privs)
+		printf("PRIVS=%s ", cs->privs);
+	    if (cs->limitprivs)
+		printf("LIMITPRIVS=%s ", cs->limitprivs);
+#endif /* HAVE_PRIV_SET */
 	    if (cs->tags.nopasswd != UNSPEC && cs->tags.nopasswd != tags.nopasswd)
 		printf("%sPASSWD: ", cs->tags.nopasswd ? "NO" : "");
 	    if (cs->tags.noexec != UNSPEC && cs->tags.noexec != tags.noexec)

plugins/sudoers/toke.l

@@ -504,6 +504,23 @@ ALL {
 			    goto got_alias;
 #endif
 			}
+<INITIAL>PRIVS {
+#ifdef HAVE_PRIV_SET
+			    LEXTRACE("PRIVS ");
+			    LEXRETURN(PRIVS);
+#else
+			    goto got_alias;
+#endif
+			}
+
+<INITIAL>LIMITPRIVS {
+#ifdef HAVE_PRIV_SET
+			    LEXTRACE("LIMITPRIVS ");
+			    LEXRETURN(LIMITPRIVS);
+#else
+			    goto got_alias;
+#endif
+			}
 
 [[:upper:]][[:upper:][:digit:]_]* {
 #ifndef HAVE_SELINUX

src/sudo.c

@@ -670,6 +670,28 @@ command_info_to_details(char * const info[], struct command_details *details)
 		    }
 		    break;
 		}
+#ifdef HAVE_PRIV_SET
+		if (strncmp("runas_privs=", info[i], sizeof("runas_privs=") - 1) == 0) {
+                    const char *endp;
+		    cp = info[i] + sizeof("runas_privs=") - 1;
+	            if (*cp == '\0')
+		        break;
+	            errno = 0;
+	            details->privs = priv_str_to_set(cp, ",", &endp);
+		    if (details->privs == NULL)
+			    warning("invalid runas_privs %s", endp);
+		}
+		if (strncmp("runas_limitprivs=", info[i], sizeof("runas_limitprivs=") - 1) == 0) {
+                    const char *endp;
+		    cp = info[i] + sizeof("runas_limitprivs=") - 1;
+	            if (*cp == '\0')
+		        break;
+	            errno = 0;
+	            details->limitprivs = priv_str_to_set(cp, ",", &endp);
+		    if (details->limitprivs == NULL)
+			    warning("invalid runas_limitprivs %s", endp);
+		}
+#endif /* HAVE_PRIV_SET */
 		break;
 	    case 's':
 		SET_STRING("selinux_role=", selinux_role)
@@ -900,6 +922,26 @@ exec_setup(struct command_details *details, const char *ptyname, int ptyfd)
 #ifdef HAVE_PROJECT_H
 	set_project(details->pw);
 #endif
+#ifdef HAVE_PRIV_SET
+    if (details->privs != NULL) {
+	if (setppriv(PRIV_SET, PRIV_INHERITABLE, details->privs) != 0) {
+	    warning("unable to set privileges");
+	    goto done;
+	}
+    }
+    if (details->limitprivs != NULL) {
+        if (setppriv(PRIV_SET, PRIV_LIMIT, details->limitprivs) != 0) {
+	    warning("unable to set limit privileges");
+	    goto done;
+	}
+    } else if (details->privs != NULL) {
+	if (setppriv(PRIV_SET, PRIV_LIMIT, details->privs) != 0) {
+	    warning("unable to set limit privileges");
+	    goto done;
+	}
+    }
+#endif /* HAVE_PRIV_SET */
+
 #ifdef HAVE_GETUSERATTR
 	aix_prep_user(details->pw->pw_name, ptyname ? ptyname : user_details.tty);
 #endif

src/sudo.h

@@ -41,6 +41,10 @@
 #include "sudo_debug.h"
 #include "gettext.h"
 
+#ifdef HAVE_PRIV_SET
+# include <priv.h>
+#endif
+
 #ifdef __TANDEM
 # define ROOT_UID       65535
 #else
@@ -149,6 +153,10 @@ struct command_details {
     const char *utmp_user;
     char **argv;
     char **envp;
+#ifdef HAVE_PRIV_SET
+    priv_set_t *privs;
+    priv_set_t *limitprivs;
+#endif
 };
 
 /* Status passed between parent and child via socketpair */