Merge command tags, SELinux type/role and Solaris privs settings

into "command options".  This relaxes the order of things so tags
and other options can be interspersed.
Todd C. Miller
2017-02-14 15:56:34 -07:00
parent fb419ba066
commit 4f9dcd7264
7 changed files with 490 additions and 570 deletions


@@ -474,10 +474,12 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
Cmnd_Spec_List ::= Cmnd_Spec | Cmnd_Spec_List ::= Cmnd_Spec |
Cmnd_Spec ',' Cmnd_Spec_List Cmnd_Spec ',' Cmnd_Spec_List
Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Solaris_Priv_Spec? Tag_Spec* Cmnd Cmnd_Spec ::= Runas_Spec? Option_Spec* Cmnd
Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')' Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
Option_Spec ::= (SELinux_Spec | Solaris_Priv_Spec | Tag_Spec)
SELinux_Spec ::= ('ROLE=role' | 'TYPE=type') SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset') Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset')
@@ -564,6 +566,12 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
user aallaann may run any command as either user root or bin, optionally user aallaann may run any command as either user root or bin, optionally
setting the group to operator or system. setting the group to operator or system.
OOppttiioonn__SSppeecc
A command may include zero or more options. These options include
SELinux and Solaris settings as well as tags, described below. Once an
option is set for a Cmnd, subsequent Cmnds in the Cmnd_Spec_List, inherit
that option unless overridden by another option.
SSEELLiinnuuxx__SSppeecc SSEELLiinnuuxx__SSppeecc
On systems with SELinux support, _s_u_d_o_e_r_s file entries may optionally have On systems with SELinux support, _s_u_d_o_e_r_s file entries may optionally have
an SELinux role and/or type associated with a command. If a role or type an SELinux role and/or type associated with a command. If a role or type
@@ -2678,4 +2686,4 @@ DDIISSCCLLAAIIMMEERR
file distributed with ssuuddoo or https://www.sudo.ws/license.html for file distributed with ssuuddoo or https://www.sudo.ws/license.html for
complete details. complete details.
Sudo 1.8.20 February 5, 2017 Sudo 1.8.20 Sudo 1.8.20 February 13, 2017 Sudo 1.8.20


@@ -21,7 +21,7 @@
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\" .\"
.TH "SUDOERS" "5" "February 5, 2017" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .TH "SUDOERS" "5" "February 13, 2017" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh .nh
.if n .ad l .if n .ad l
.SH "NAME" .SH "NAME"
@@ -982,10 +982,12 @@ User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \e
Cmnd_Spec_List ::= Cmnd_Spec | Cmnd_Spec_List ::= Cmnd_Spec |
Cmnd_Spec ',' Cmnd_Spec_List Cmnd_Spec ',' Cmnd_Spec_List
Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Solaris_Priv_Spec? Tag_Spec* Cmnd Cmnd_Spec ::= Runas_Spec? Option_Spec* Cmnd
Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')' Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
Option_Spec ::= (SELinux_Spec | Solaris_Priv_Spec | Tag_Spec)
SELinux_Spec ::= ('ROLE=role' | 'TYPE=type') SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset') Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset')
@@ -1185,6 +1187,17 @@ user
\fBalan\fR \fBalan\fR
may run any command as either user root or bin, may run any command as either user root or bin,
optionally setting the group to operator or system. optionally setting the group to operator or system.
.SS "Option_Spec"
A command may include zero or more options.
These options include SELinux and Solaris settings as well
as tags, described below.
Once an option is set for a
\fRCmnd\fR,
subsequent
\fRCmnd\fRs
in the
\fRCmnd_Spec_List\fR,
inherit that option unless overridden by another option.
.SS "SELinux_Spec" .SS "SELinux_Spec"
On systems with SELinux support, On systems with SELinux support,
\fIsudoers\fR \fIsudoers\fR


@@ -19,7 +19,7 @@
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\" .\"
.Dd February 5, 2017 .Dd February 13, 2017
.Dt SUDOERS @mansectform@ .Dt SUDOERS @mansectform@
.Os Sudo @PACKAGE_VERSION@ .Os Sudo @PACKAGE_VERSION@
.Sh NAME .Sh NAME
@@ -935,10 +935,12 @@ User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \e
Cmnd_Spec_List ::= Cmnd_Spec | Cmnd_Spec_List ::= Cmnd_Spec |
Cmnd_Spec ',' Cmnd_Spec_List Cmnd_Spec ',' Cmnd_Spec_List
Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Solaris_Priv_Spec? Tag_Spec* Cmnd Cmnd_Spec ::= Runas_Spec? Option_Spec* Cmnd
Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')' Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
Option_Spec ::= (SELinux_Spec | Solaris_Priv_Spec | Tag_Spec)
SELinux_Spec ::= ('ROLE=role' | 'TYPE=type') SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset') Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset')
@@ -1113,6 +1115,17 @@ user
.Sy alan .Sy alan
may run any command as either user root or bin, may run any command as either user root or bin,
optionally setting the group to operator or system. optionally setting the group to operator or system.
.Ss Option_Spec
A command may include zero or more options.
These options include SELinux and Solaris settings as well
as tags, described below.
Once an option is set for a
.Li Cmnd ,
subsequent
.Li Cmnd Ns s
in the
.Li Cmnd_Spec_List ,
inherit that option unless overridden by another option.
.Ss SELinux_Spec .Ss SELinux_Spec
On systems with SELinux support, On systems with SELinux support,
.Em sudoers .Em sudoers



@@ -51,9 +51,7 @@ typedef union {
struct privilege *privilege; struct privilege *privilege;
struct sudo_digest *digest; struct sudo_digest *digest;
struct sudo_command command; struct sudo_command command;
struct cmndtag tag; struct command_options options;
struct selinux_info seinfo;
struct solaris_privs_info privinfo;
char *string; char *string;
int tok; int tok;
} YYSTYPE; } YYSTYPE;


@@ -81,9 +81,7 @@ static struct sudo_digest *new_digest(int, const char *);
struct privilege *privilege; struct privilege *privilege;
struct sudo_digest *digest; struct sudo_digest *digest;
struct sudo_command command; struct sudo_command command;
struct cmndtag tag; struct command_options options;
struct selinux_info seinfo;
struct solaris_privs_info privinfo;
char *string; char *string;
int tok; int tok;
} }
@@ -156,11 +154,9 @@ static struct sudo_digest *new_digest(int, const char *);
%type <runas> runaslist %type <runas> runaslist
%type <privilege> privilege %type <privilege> privilege
%type <privilege> privileges %type <privilege> privileges
%type <tag> cmndtag %type <options> options
%type <seinfo> selinux
%type <string> rolespec %type <string> rolespec
%type <string> typespec %type <string> typespec
%type <privinfo> solarisprivs
%type <string> privsspec %type <string> privsspec
%type <string> limitprivsspec %type <string> limitprivsspec
%type <digest> digest %type <digest> digest
@@ -378,7 +374,7 @@ cmndspeclist : cmndspec
} }
; ;
cmndspec : runasspec selinux solarisprivs cmndtag digcmnd { cmndspec : runasspec options digcmnd {
struct cmndspec *cs = calloc(1, sizeof(*cs)); struct cmndspec *cs = calloc(1, sizeof(*cs));
if (cs == NULL) { if (cs == NULL) {
sudoerserror(N_("unable to allocate memory")); sudoerserror(N_("unable to allocate memory"));
@@ -412,11 +408,11 @@ cmndspec : runasspec selinux solarisprivs cmndtag digcmnd {
cs->type = $2.type; cs->type = $2.type;
#endif #endif
#ifdef HAVE_PRIV_SET #ifdef HAVE_PRIV_SET
cs->privs = $3.privs; cs->privs = $2.privs;
cs->limitprivs = $3.limitprivs; cs->limitprivs = $2.limitprivs;
#endif #endif
cs->tags = $4; cs->tags = $2.tags;
cs->cmnd = $5; cs->cmnd = $3;
HLTQ_INIT(cs, entries); HLTQ_INIT(cs, entries);
/* sudo "ALL" implies the SETENV tag */ /* sudo "ALL" implies the SETENV tag */
if (cs->cmnd->type == ALL && !cs->cmnd->negated && if (cs->cmnd->type == ALL && !cs->cmnd->negated &&
@@ -490,28 +486,6 @@ typespec : TYPE '=' WORD {
} }
; ;
selinux : /* empty */ {
$$.role = NULL;
$$.type = NULL;
}
| rolespec {
$$.role = $1;
$$.type = NULL;
}
| typespec {
$$.type = $1;
$$.role = NULL;
}
| rolespec typespec {
$$.role = $1;
$$.type = $2;
}
| typespec rolespec {
$$.type = $1;
$$.role = $2;
}
;
privsspec : PRIVS '=' WORD { privsspec : PRIVS '=' WORD {
$$ = $3; $$ = $3;
} }
@@ -521,28 +495,6 @@ limitprivsspec : LIMITPRIVS '=' WORD {
} }
; ;
solarisprivs : /* empty */ {
$$.privs = NULL;
$$.limitprivs = NULL;
}
| privsspec {
$$.privs = $1;
$$.limitprivs = NULL;
}
| limitprivsspec {
$$.privs = NULL;
$$.limitprivs = $1;
}
| privsspec limitprivsspec {
$$.privs = $1;
$$.limitprivs = $2;
}
| limitprivsspec privsspec {
$$.limitprivs = $1;
$$.privs = $2;
}
;
runasspec : /* empty */ { runasspec : /* empty */ {
$$ = NULL; $$ = NULL;
} }
@@ -610,50 +562,76 @@ runaslist : /* empty */ {
} }
; ;
cmndtag : /* empty */ { options : /* empty */ {
TAGS_INIT($$); TAGS_INIT($$.tags);
#ifdef HAVE_SELINUX
$$.role = NULL, $$.type = NULL;
#endif
#ifdef HAVE_PRIV_SET
$$.privs = NULL, $$.limitprivs = NULL;
#endif
} }
| cmndtag NOPASSWD { | options NOPASSWD {
$$.nopasswd = true; $$.tags.nopasswd = true;
} }
| cmndtag PASSWD { | options PASSWD {
$$.nopasswd = false; $$.tags.nopasswd = false;
} }
| cmndtag NOEXEC { | options NOEXEC {
$$.noexec = true; $$.tags.noexec = true;
} }
| cmndtag EXEC { | options EXEC {
$$.noexec = false; $$.tags.noexec = false;
} }
| cmndtag SETENV { | options SETENV {
$$.setenv = true; $$.tags.setenv = true;
} }
| cmndtag NOSETENV { | options NOSETENV {
$$.setenv = false; $$.tags.setenv = false;
} }
| cmndtag LOG_INPUT { | options LOG_INPUT {
$$.log_input = true; $$.tags.log_input = true;
} }
| cmndtag NOLOG_INPUT { | options NOLOG_INPUT {
$$.log_input = false; $$.tags.log_input = false;
} }
| cmndtag LOG_OUTPUT { | options LOG_OUTPUT {
$$.log_output = true; $$.tags.log_output = true;
} }
| cmndtag NOLOG_OUTPUT { | options NOLOG_OUTPUT {
$$.log_output = false; $$.tags.log_output = false;
} }
| cmndtag FOLLOW { | options FOLLOW {
$$.follow = true; $$.tags.follow = true;
} }
| cmndtag NOFOLLOW { | options NOFOLLOW {
$$.follow = false; $$.tags.follow = false;
} }
| cmndtag MAIL { | options MAIL {
$$.send_mail = true; $$.tags.send_mail = true;
} }
| cmndtag NOMAIL { | options NOMAIL {
$$.send_mail = false; $$.tags.send_mail = false;
}
| options rolespec {
#ifdef HAVE_SELINUX
$$.role = $2;
#endif
}
| options typespec {
#ifdef HAVE_SELINUX
$$.type = $2;
#endif
}
| options privsspec {
#ifdef HAVE_PRIV_SET
$$.privs = $2;
#endif
}
| options limitprivsspec {
#ifdef HAVE_PRIV_SET
$$.limitprivs = $2;
#endif
} }
; ;
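Review bot: The `options rolespec`, `options typespec`, `options privsspec` and `options limitprivsspec` actions (the last four alternatives of the new `options` rule) overwrite `$$.role`, `$$.type`, `$$.privs` and `$$.limitprivs` without checking whether an earlier option in the same Cmnd_Spec already set them, so `ROLE=a ROLE=b` is now accepted with the last value silently winning, whereas the removed `selinux` and `solarisprivs` rules admitted each keyword at most once and so rejected a repeat as a syntax error. Because the previously stored pointer is simply dropped, the earlier WORD string is also leaked if, as it appears, the lexer hands over a heap-allocated copy. I would diagnose a repeat explicitly, e.g. `if ($$.role != NULL) sudoerserror(N_("duplicate ROLE= option"));` before `$$.role = $2;`, and the same check in the other three actions; if last-wins within a single command is the intended semantics, then `free($$.role);` before the assignment plus a comment saying so. On builds without HAVE_SELINUX or HAVE_PRIV_SET these actions discard `$2` entirely, so a ROLE= or PRIVS= constraint written in sudoers is ignored rather than reported; that was already the behaviour of the old rules, but a one-line comment in the empty `#ifdef` branches stating that the option is accepted and ignored on such builds would make it clear it is deliberate.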


@@ -110,22 +110,16 @@ struct cmndtag {
}; };
/* /*
* SELinux-specific container struct. * Per-command option container struct.
* Currently just contains a role and type.
*/ */
struct selinux_info { struct command_options {
char *role; struct cmndtag tags; /* Command tags */
char *type; #ifdef HAVE_SELINUX
}; char *role, *type; /* SELinux role and type */
#endif
/* #ifdef HAVE_PRIV_SET
* Solaris privileges container struct char *privs, *limitprivs; /* Solaris privilege sets */
* Currently just contains permitted and limit privileges. #endif
* It could have PFEXEC and PRIV_AWARE flags added in the future.
*/
struct solaris_privs_info {
char *privs;
char *limitprivs;
}; };
/* /*