isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

For "sudo -l", if a word includes spaces, print it in double quotes.

Browse Source 
Also escape spaces in the command path.  This matches the sudoers
quoting rules.
This commit is contained in:
Todd C. Miller
2018-02-04 12:53:32 -07:00
parent 3189de5bb9
commit 57e7b4b49e
1 changed files with 74 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

94
plugins/sudoers/ldap.c
View File

@@ -1156,7 +1156,7 @@ static bool
sudo_ldap_parse_options(LDAP *ld, LDAPMessage *entry) sudo_ldap_parse_options(LDAP *ld, LDAPMessage *entry)
{ {
struct berval **bv, **p; struct berval **bv, **p;
char *cn, *copy, *var, *val, *source = NULL; char *cn, *var, *val, *source = NULL;
bool ret = false; bool ret = false;
int op; int op;
debug_decl(sudo_ldap_parse_options, SUDOERS_DEBUG_LDAP) debug_decl(sudo_ldap_parse_options, SUDOERS_DEBUG_LDAP)
@@ -1178,7 +1178,9 @@ sudo_ldap_parse_options(LDAP *ld, LDAPMessage *entry)
/* walk through options, early ones first */ /* walk through options, early ones first */
for (p = bv; *p != NULL; p++) { for (p = bv; *p != NULL; p++) {
struct early_default *early; struct early_default *early;
char *copy;
/* Avoid modifying bv as we need to use it again below. */
if ((copy = strdup((*p)->bv_val)) == NULL) { if ((copy = strdup((*p)->bv_val)) == NULL) {
sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory")); sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
goto done; goto done;
@@ -1195,16 +1197,11 @@ sudo_ldap_parse_options(LDAP *ld, LDAPMessage *entry)
/* walk through options again, skipping early ones */ /* walk through options again, skipping early ones */
for (p = bv; *p != NULL; p++) { for (p = bv; *p != NULL; p++) {
if ((copy = strdup((*p)->bv_val)) == NULL) { op = sudo_ldap_parse_option((*p)->bv_val, &var, &val);
sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
goto done;
}
op = sudo_ldap_parse_option(copy, &var, &val);
if (is_early_default(var) == NULL) { if (is_early_default(var) == NULL) {
set_default(var, val, op, set_default(var, val, op,
source ? source : "sudoRole UNKNOWN", 0, false); source ? source : "sudoRole UNKNOWN", 0, false);
} }
free(copy);
} }
ret = true; ret = true;
@@ -2372,6 +2369,46 @@ sudo_ldap_get_first_rdn(LDAP *ld, LDAPMessage *entry)
#endif #endif
} }
static void
sudo_ldap_print_quoted3(struct sudo_lbuf *lbuf, const char *prefix, const char *str, const char *suffix)
{
const char *name = str;
/* Prefix is not quoted. */
if (prefix != NULL)
sudo_lbuf_append(lbuf, "%s", prefix);
/* Do not quote UID/GID, all others get quoted. */
while (*name == '!')
name++;
if (name[0] == '#' &&
name[strspn(name + 1, "0123456789") + 1] == '\0') {
sudo_lbuf_append(lbuf, "%s", str);
} else if (strpbrk(str, " \t") != NULL) {
sudo_lbuf_append(lbuf, "\"");
sudo_lbuf_append_quoted(lbuf, "\"", "%s", str);
sudo_lbuf_append(lbuf, "\"");
} else {
sudo_lbuf_append_quoted(lbuf, SUDOERS_QUOTED, "%s", str);
}
/* Suffix is not quoted. */
if (suffix != NULL)
sudo_lbuf_append(lbuf, "%s", suffix);
}
static void
sudo_ldap_print_quoted2(struct sudo_lbuf *lbuf, const char *prefix, const char *str)
{
return sudo_ldap_print_quoted3(lbuf, prefix, str, NULL);
}
static void
sudo_ldap_print_quoted(struct sudo_lbuf *lbuf, const char *str)
{
return sudo_ldap_print_quoted3(lbuf, NULL, str, NULL);
}
/* /*
* Fetch and display the global Options. * Fetch and display the global Options.
*/ */
@@ -2385,8 +2422,8 @@ sudo_ldap_display_defaults(struct sudo_nss *nss, struct passwd *pw,
struct sudo_ldap_handle *handle = nss->handle; struct sudo_ldap_handle *handle = nss->handle;
LDAP *ld; LDAP *ld;
LDAPMessage *entry, *result; LDAPMessage *entry, *result;
char *prefix, *filt; char *prefix, *filt, *var, *val;
int rc, count = 0; int op, rc, count = 0;
debug_decl(sudo_ldap_display_defaults, SUDOERS_DEBUG_LDAP) debug_decl(sudo_ldap_display_defaults, SUDOERS_DEBUG_LDAP)
if (handle == NULL || handle->ld == NULL) if (handle == NULL || handle->ld == NULL)
@@ -2416,7 +2453,10 @@ sudo_ldap_display_defaults(struct sudo_nss *nss, struct passwd *pw,
else else
prefix = ", "; prefix = ", ";
for (p = bv; *p != NULL; p++) { for (p = bv; *p != NULL; p++) {
sudo_lbuf_append(lbuf, "%s%s", prefix, (*p)->bv_val); op = sudo_ldap_parse_option((*p)->bv_val, &var, &val);
sudo_lbuf_append(lbuf, "%s%s%s", prefix, var,
op == '+' ? "+=" : op == '-' ? "-=" : "=");
sudo_ldap_print_quoted(lbuf, val);
prefix = ", "; prefix = ", ";
count++; count++;
} }
@@ -2463,7 +2503,7 @@ sudo_ldap_display_entry_short(LDAP *ld, LDAPMessage *entry, struct passwd *pw,
bv = ldap_get_values_len(ld, entry, "sudoRunAs"); bv = ldap_get_values_len(ld, entry, "sudoRunAs");
if (bv != NULL) { if (bv != NULL) {
for (p = bv; *p != NULL; p++) { for (p = bv; *p != NULL; p++) {
sudo_lbuf_append(lbuf, "%s%s", p != bv ? ", " : "", sudo_ldap_print_quoted2(lbuf, p != bv ? ", " : "",
(*p)->bv_val[0] ? (*p)->bv_val : user_name); (*p)->bv_val[0] ? (*p)->bv_val : user_name);
} }
ldap_value_free_len(bv); ldap_value_free_len(bv);
@@ -2475,17 +2515,17 @@ sudo_ldap_display_entry_short(LDAP *ld, LDAPMessage *entry, struct passwd *pw,
if (bv != NULL) { if (bv != NULL) {
if (no_runas_user) { if (no_runas_user) {
/* finish printing sudoRunAs */ /* finish printing sudoRunAs */
sudo_lbuf_append(lbuf, "%s", pw->pw_name); sudo_ldap_print_quoted(lbuf, pw->pw_name);
} }
sudo_lbuf_append(lbuf, " : "); sudo_lbuf_append(lbuf, " : ");
for (p = bv; *p != NULL; p++) { for (p = bv; *p != NULL; p++) {
sudo_lbuf_append(lbuf, "%s%s", p != bv ? ", " : "", (*p)->bv_val); sudo_ldap_print_quoted2(lbuf, p != bv ? ", " : "", (*p)->bv_val);
} }
ldap_value_free_len(bv); ldap_value_free_len(bv);
} else { } else {
if (no_runas_user) { if (no_runas_user) {
/* finish printing sudoRunAs */ /* finish printing sudoRunAs */
sudo_lbuf_append(lbuf, "%s", def_runas_default); sudo_ldap_print_quoted(lbuf, def_runas_default);
} }
} }
sudo_lbuf_append(lbuf, ") "); sudo_lbuf_append(lbuf, ") ");
@@ -2494,14 +2534,14 @@ sudo_ldap_display_entry_short(LDAP *ld, LDAPMessage *entry, struct passwd *pw,
bv = ldap_get_values_len(ld, entry, "sudoNotBefore"); bv = ldap_get_values_len(ld, entry, "sudoNotBefore");
if (bv != NULL) { if (bv != NULL) {
for (p = bv; *p != NULL; p++) { for (p = bv; *p != NULL; p++) {
sudo_lbuf_append(lbuf, "NOTBEFORE=%s ", (*p)->bv_val); sudo_ldap_print_quoted3(lbuf, "NOTBEFORE=", (*p)->bv_val, " ");
} }
ldap_value_free_len(bv); ldap_value_free_len(bv);
} }
bv = ldap_get_values_len(ld, entry, "sudoNotAfter"); bv = ldap_get_values_len(ld, entry, "sudoNotAfter");
if (bv != NULL) { if (bv != NULL) {
for (p = bv; *p != NULL; p++) { for (p = bv; *p != NULL; p++) {
sudo_lbuf_append(lbuf, "NOTAFTER=%s ", (*p)->bv_val); sudo_ldap_print_quoted3(lbuf, "NOTAFTER=", (*p)->bv_val, " ");
} }
ldap_value_free_len(bv); ldap_value_free_len(bv);
} }
@@ -2523,18 +2563,18 @@ sudo_ldap_display_entry_short(LDAP *ld, LDAPMessage *entry, struct passwd *pw,
else if (strcmp(val, "mail_all_cmnds") == 0 || strcmp(val, "mail_always") == 0) else if (strcmp(val, "mail_all_cmnds") == 0 || strcmp(val, "mail_always") == 0)
sudo_lbuf_append(lbuf, negated ? "NOMAIL: " : "MAIL: "); sudo_lbuf_append(lbuf, negated ? "NOMAIL: " : "MAIL: ");
else if (!negated && strncmp(val, "command_timeout=", 16) == 0) else if (!negated && strncmp(val, "command_timeout=", 16) == 0)
sudo_lbuf_append(lbuf, "TIMEOUT=%s ", val + 16); sudo_ldap_print_quoted3(lbuf, "TIMEOUT=", val + 16, " ");
#ifdef HAVE_SELINUX #ifdef HAVE_SELINUX
else if (!negated && strncmp(val, "role=", 5) == 0) else if (!negated && strncmp(val, "role=", 5) == 0)
sudo_lbuf_append(lbuf, "ROLE=%s ", val + 5); sudo_ldap_print_quoted3(lbuf, "ROLE=", val + 5, " ");
else if (!negated && strncmp(val, "type=", 5) == 0) else if (!negated && strncmp(val, "type=", 5) == 0)
sudo_lbuf_append(lbuf, "TYPE=%s ", val + 5); sudo_ldap_print_quoted3(lbuf, "TYPE=", val + 5, " ");
#endif /* HAVE_SELINUX */ #endif /* HAVE_SELINUX */
#ifdef HAVE_PRIV_SET #ifdef HAVE_PRIV_SET
else if (!negated && strncmp(val, "privs=", 6) == 0) else if (!negated && strncmp(val, "privs=", 6) == 0)
sudo_lbuf_append(lbuf, "PRIVS=%s ", val + 6); sudo_ldap_print_quoted3(lbuf, "PRIVS=", val + 6, " ");
else if (!negated && strncmp(val, "limitprivs=", 11) == 0) else if (!negated && strncmp(val, "limitprivs=", 11) == 0)
sudo_lbuf_append(lbuf, "LIMITPRIVS=%s ", val + 11); sudo_ldap_print_quoted3(lbuf, "LIMITPRIVS=", val + 11, " ");
#endif /* HAVE_PRIV_SET */ #endif /* HAVE_PRIV_SET */
} }
ldap_value_free_len(bv); ldap_value_free_len(bv);
@@ -2544,7 +2584,17 @@ sudo_ldap_display_entry_short(LDAP *ld, LDAPMessage *entry, struct passwd *pw,
bv = ldap_get_values_len(ld, entry, "sudoCommand"); bv = ldap_get_values_len(ld, entry, "sudoCommand");
if (bv != NULL) { if (bv != NULL) {
for (p = bv; *p != NULL; p++) { for (p = bv; *p != NULL; p++) {
sudo_lbuf_append(lbuf, "%s%s", p != bv ? ", " : "", (*p)->bv_val); char *args = strpbrk((*p)->bv_val, " \t");
if (args != NULL)
*args++ = '\0';
if (p != bv)
sudo_lbuf_append(lbuf, ", ");
sudo_lbuf_append_quoted(lbuf, SUDOERS_QUOTED" \t", "%s",
(*p)->bv_val);
if (args != NULL) {
sudo_lbuf_append(lbuf, " ");
sudo_lbuf_append_quoted(lbuf, SUDOERS_QUOTED, "%s", args);
}
count++; count++;
} }
ldap_value_free_len(bv); ldap_value_free_len(bv);