Merge command tags, SELinux type/role and Solaris privs settings

into "command options".  This relaxes the order of things so tags
and other options can be interspersed.
Todd C. Miller
2017-02-14 15:56:34 -07:00
parent fb419ba066
commit 4f9dcd7264
7 changed files with 490 additions and 570 deletions


@@ -474,10 +474,12 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
Cmnd_Spec_List ::= Cmnd_Spec |
Cmnd_Spec ',' Cmnd_Spec_List
Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Solaris_Priv_Spec? Tag_Spec* Cmnd
Cmnd_Spec ::= Runas_Spec? Option_Spec* Cmnd
Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
Option_Spec ::= (SELinux_Spec | Solaris_Priv_Spec | Tag_Spec)
SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset')
@@ -564,6 +566,12 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
user aallaann may run any command as either user root or bin, optionally
setting the group to operator or system.
OOppttiioonn__SSppeecc
A command may include zero or more options. These options include
SELinux and Solaris settings as well as tags, described below. Once an
option is set for a Cmnd, subsequent Cmnds in the Cmnd_Spec_List, inherit
that option unless overridden by another option.
SSEELLiinnuuxx__SSppeecc
On systems with SELinux support, _s_u_d_o_e_r_s file entries may optionally have
an SELinux role and/or type associated with a command. If a role or type
@@ -2678,4 +2686,4 @@ DDIISSCCLLAAIIMMEERR
file distributed with ssuuddoo or https://www.sudo.ws/license.html for
complete details.
Sudo 1.8.20 February 5, 2017 Sudo 1.8.20
Sudo 1.8.20 February 13, 2017 Sudo 1.8.20


@@ -21,7 +21,7 @@
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
.TH "SUDOERS" "5" "February 5, 2017" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.TH "SUDOERS" "5" "February 13, 2017" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh
.if n .ad l
.SH "NAME"
@@ -982,10 +982,12 @@ User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \e
Cmnd_Spec_List ::= Cmnd_Spec |
Cmnd_Spec ',' Cmnd_Spec_List
Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Solaris_Priv_Spec? Tag_Spec* Cmnd
Cmnd_Spec ::= Runas_Spec? Option_Spec* Cmnd
Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
Option_Spec ::= (SELinux_Spec | Solaris_Priv_Spec | Tag_Spec)
SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset')
@@ -1185,6 +1187,17 @@ user
\fBalan\fR
may run any command as either user root or bin,
optionally setting the group to operator or system.
.SS "Option_Spec"
A command may include zero or more options.
These options include SELinux and Solaris settings as well
as tags, described below.
Once an option is set for a
\fRCmnd\fR,
subsequent
\fRCmnd\fRs
in the
\fRCmnd_Spec_List\fR,
inherit that option unless overridden by another option.
.SS "SELinux_Spec"
On systems with SELinux support,
\fIsudoers\fR


@@ -19,7 +19,7 @@
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
.Dd February 5, 2017
.Dd February 13, 2017
.Dt SUDOERS @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
@@ -935,10 +935,12 @@ User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \e
Cmnd_Spec_List ::= Cmnd_Spec |
Cmnd_Spec ',' Cmnd_Spec_List
Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Solaris_Priv_Spec? Tag_Spec* Cmnd
Cmnd_Spec ::= Runas_Spec? Option_Spec* Cmnd
Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
Option_Spec ::= (SELinux_Spec | Solaris_Priv_Spec | Tag_Spec)
SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset')
@@ -1113,6 +1115,17 @@ user
.Sy alan
may run any command as either user root or bin,
optionally setting the group to operator or system.
.Ss Option_Spec
A command may include zero or more options.
These options include SELinux and Solaris settings as well
as tags, described below.
Once an option is set for a
.Li Cmnd ,
subsequent
.Li Cmnd Ns s
in the
.Li Cmnd_Spec_List ,
inherit that option unless overridden by another option.
.Ss SELinux_Spec
On systems with SELinux support,
.Em sudoers



@@ -51,9 +51,7 @@ typedef union {
struct privilege *privilege;
struct sudo_digest *digest;
struct sudo_command command;
struct cmndtag tag;
struct selinux_info seinfo;
struct solaris_privs_info privinfo;
struct command_options options;
char *string;
int tok;
} YYSTYPE;


@@ -81,9 +81,7 @@ static struct sudo_digest *new_digest(int, const char *);
struct privilege *privilege;
struct sudo_digest *digest;
struct sudo_command command;
struct cmndtag tag;
struct selinux_info seinfo;
struct solaris_privs_info privinfo;
struct command_options options;
char *string;
int tok;
}
@@ -156,11 +154,9 @@ static struct sudo_digest *new_digest(int, const char *);
%type <runas> runaslist
%type <privilege> privilege
%type <privilege> privileges
%type <tag> cmndtag
%type <seinfo> selinux
%type <options> options
%type <string> rolespec
%type <string> typespec
%type <privinfo> solarisprivs
%type <string> privsspec
%type <string> limitprivsspec
%type <digest> digest
@@ -378,7 +374,7 @@ cmndspeclist : cmndspec
}
;
cmndspec : runasspec selinux solarisprivs cmndtag digcmnd {
cmndspec : runasspec options digcmnd {
struct cmndspec *cs = calloc(1, sizeof(*cs));
if (cs == NULL) {
sudoerserror(N_("unable to allocate memory"));
@@ -412,11 +408,11 @@ cmndspec : runasspec selinux solarisprivs cmndtag digcmnd {
cs->type = $2.type;
#endif
#ifdef HAVE_PRIV_SET
cs->privs = $3.privs;
cs->limitprivs = $3.limitprivs;
cs->privs = $2.privs;
cs->limitprivs = $2.limitprivs;
#endif
cs->tags = $4;
cs->cmnd = $5;
cs->tags = $2.tags;
cs->cmnd = $3;
HLTQ_INIT(cs, entries);
/* sudo "ALL" implies the SETENV tag */
if (cs->cmnd->type == ALL && !cs->cmnd->negated &&
@@ -490,28 +486,6 @@ typespec : TYPE '=' WORD {
}
;
selinux : /* empty */ {
$$.role = NULL;
$$.type = NULL;
}
| rolespec {
$$.role = $1;
$$.type = NULL;
}
| typespec {
$$.type = $1;
$$.role = NULL;
}
| rolespec typespec {
$$.role = $1;
$$.type = $2;
}
| typespec rolespec {
$$.type = $1;
$$.role = $2;
}
;
privsspec : PRIVS '=' WORD {
$$ = $3;
}
@@ -521,28 +495,6 @@ limitprivsspec : LIMITPRIVS '=' WORD {
}
;
solarisprivs : /* empty */ {
$$.privs = NULL;
$$.limitprivs = NULL;
}
| privsspec {
$$.privs = $1;
$$.limitprivs = NULL;
}
| limitprivsspec {
$$.privs = NULL;
$$.limitprivs = $1;
}
| privsspec limitprivsspec {
$$.privs = $1;
$$.limitprivs = $2;
}
| limitprivsspec privsspec {
$$.limitprivs = $1;
$$.privs = $2;
}
;
runasspec : /* empty */ {
$$ = NULL;
}
@@ -610,50 +562,76 @@ runaslist : /* empty */ {
}
;
cmndtag : /* empty */ {
TAGS_INIT($$);
options : /* empty */ {
TAGS_INIT($$.tags);
#ifdef HAVE_SELINUX
$$.role = NULL, $$.type = NULL;
#endif
#ifdef HAVE_PRIV_SET
$$.privs = NULL, $$.limitprivs = NULL;
#endif
}
| cmndtag NOPASSWD {
$$.nopasswd = true;
| options NOPASSWD {
$$.tags.nopasswd = true;
}
| cmndtag PASSWD {
$$.nopasswd = false;
| options PASSWD {
$$.tags.nopasswd = false;
}
| cmndtag NOEXEC {
$$.noexec = true;
| options NOEXEC {
$$.tags.noexec = true;
}
| cmndtag EXEC {
$$.noexec = false;
| options EXEC {
$$.tags.noexec = false;
}
| cmndtag SETENV {
$$.setenv = true;
| options SETENV {
$$.tags.setenv = true;
}
| cmndtag NOSETENV {
$$.setenv = false;
| options NOSETENV {
$$.tags.setenv = false;
}
| cmndtag LOG_INPUT {
$$.log_input = true;
| options LOG_INPUT {
$$.tags.log_input = true;
}
| cmndtag NOLOG_INPUT {
$$.log_input = false;
| options NOLOG_INPUT {
$$.tags.log_input = false;
}
| cmndtag LOG_OUTPUT {
$$.log_output = true;
| options LOG_OUTPUT {
$$.tags.log_output = true;
}
| cmndtag NOLOG_OUTPUT {
$$.log_output = false;
| options NOLOG_OUTPUT {
$$.tags.log_output = false;
}
| cmndtag FOLLOW {
$$.follow = true;
| options FOLLOW {
$$.tags.follow = true;
}
| cmndtag NOFOLLOW {
$$.follow = false;
| options NOFOLLOW {
$$.tags.follow = false;
}
| cmndtag MAIL {
$$.send_mail = true;
| options MAIL {
$$.tags.send_mail = true;
}
| cmndtag NOMAIL {
$$.send_mail = false;
| options NOMAIL {
$$.tags.send_mail = false;
}
| options rolespec {
#ifdef HAVE_SELINUX
$$.role = $2;
#endif
}
| options typespec {
#ifdef HAVE_SELINUX
$$.type = $2;
#endif
}
| options privsspec {
#ifdef HAVE_PRIV_SET
$$.privs = $2;
#endif
}
| options limitprivsspec {
#ifdef HAVE_PRIV_SET
$$.limitprivs = $2;
#endif
}
;
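Review bot: The four new alternatives `options rolespec`, `options typespec`, `options privsspec` and `options limitprivsspec` overwrite the previous value of `$$.role`/`$$.type`/`$$.privs`/`$$.limitprivs` without releasing it, so a line such as `ROLE=a ROLE=b` now parses (the old `selinux`/`solarisprivs` rules admitted at most one of each, so it was a syntax error) and the first WORD string is lost. Since `$$` starts out as a copy of `$1` here, the tag alternatives above rely on exactly that carry-over, and the earlier pointer is still in `$$` when the action runs; either free it so the last option wins, e.g. `free($$.role); $$.role = $2;`, and likewise in the other three alternatives, or report a duplicate with `sudoerserror()` to keep the previous rejection. Separately, on a build without HAVE_SELINUX or HAVE_PRIV_SET the action body is empty and `$2` is dropped; if the lexer still returns ROLE/TYPE/PRIVS/LIMITPRIVS tokens there, the WORD string leaks silently and the option is accepted with no effect, which is worth a `free($2)` (or an error) in an `#else` branch. The whole `options` rule is inside the hunk.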

View File

@@ -110,22 +110,16 @@ struct cmndtag {
};
/*
* SELinux-specific container struct.
* Currently just contains a role and type.
* Per-command option container struct.
*/
struct selinux_info {
char *role;
char *type;
};
/*
* Solaris privileges container struct
* Currently just contains permitted and limit privileges.
* It could have PFEXEC and PRIV_AWARE flags added in the future.
*/
struct solaris_privs_info {
char *privs;
char *limitprivs;
struct command_options {
struct cmndtag tags; /* Command tags */
#ifdef HAVE_SELINUX
char *role, *type; /* SELinux role and type */
#endif
#ifdef HAVE_PRIV_SET
char *privs, *limitprivs; /* Solaris privilege sets */
#endif
};
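Review bot: The replacement comment `Per-command option container struct.` carries less than the two comments it replaces and says nothing about which members exist in which build or who owns the strings. The cmndspec action in gram.y copies `role`, `type`, `privs` and `limitprivs` out of this struct by pointer, so the strings are presumably heap strings whose ownership passes on to struct cmndspec rather than being held here; stating that prevents someone adding a destructor for this struct that frees them a second time. Suggested comment: `/* Options collected while parsing a Cmnd_Spec. tags is always present; the SELinux and Solaris members exist only when HAVE_SELINUX / HAVE_PRIV_SET are defined. The string members are pointers the cmndspec action hands on to struct cmndspec (confirm ownership before freeing here). */`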
/*