You can now specify a host list instead of just a host or alias.

Ie: user = host1,host2,ALIAS,!host3 my_command
now works.
Todd C. Miller
1999-04-07 23:18:52 +00:00
parent 3a8971f654
commit 622b7a1d97
7 changed files with 128 additions and 111 deletions


@@ -230,7 +230,7 @@ privileges : privilege
| privileges ':' privilege
;
privilege : hostspec '=' cmndspeclist {
privilege : hostlist '=' cmndspeclist {
/*
* We already did a push if necessary in
* cmndspec so just reset some values so
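Review bot: The new rule `privilege : hostlist '=' cmndspeclist` accepts a list whose entries may be negated (the generated rule table in this commit shows `ophostspec : '!' $$2 ophostspec`), yet the comment opening the action still only describes the push done in cmndspec; the action body continues outside this hunk, so a reader cannot see how a per-entry host match is folded into the privilege's host-match result, or what a trailing negated entry such as `!host3` does to an earlier positive match. Since this result gates whether a command is permitted, the combination rule deserves a sentence in the action comment, e.g. `/* hostlist: each entry updates the host-match flag in turn; a negated entry that matches clears it (verify against hostlist rules) */`, worded to match whatever the hostlist actions actually do. The same clarification would help the `access_group ::= host-list` description in the manual hunks of this commit, which currently define no combination order either.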


@@ -213,11 +213,11 @@ typedef union {
#define YYERRCODE 256
short yylhs[] = { -1,
0, 0, 3, 3, 5, 3, 3, 3, 3, 3,
6, 6, 11, 14, 15, 14, 12, 12, 12, 12,
12, 12, 13, 13, 16, 2, 19, 2, 17, 17,
20, 20, 21, 23, 21, 22, 22, 22, 22, 22,
18, 18, 18, 1, 1, 1, 8, 8, 25, 24,
26, 26, 9, 9, 28, 27, 29, 29, 10, 10,
6, 6, 11, 14, 16, 14, 15, 15, 15, 15,
15, 15, 13, 13, 17, 2, 20, 2, 18, 18,
21, 21, 22, 24, 22, 23, 23, 23, 23, 23,
19, 19, 19, 1, 1, 1, 8, 8, 26, 25,
12, 12, 9, 9, 28, 27, 29, 29, 10, 10,
31, 30, 7, 7, 33, 32, 34, 34, 35, 36,
35, 4, 4, 4, 4, 4,
};
@@ -236,62 +236,62 @@ short yydefred[] = { 0,
49, 0, 47, 55, 0, 53, 65, 0, 63, 61,
0, 59, 2, 75, 74, 73, 72, 76, 0, 0,
0, 0, 0, 0, 0, 0, 0, 22, 18, 21,
19, 20, 17, 0, 11, 0, 0, 48, 0, 54,
0, 64, 0, 60, 0, 0, 15, 14, 51, 0,
45, 46, 44, 27, 26, 57, 0, 70, 69, 0,
67, 39, 38, 37, 36, 40, 34, 0, 31, 33,
12, 0, 0, 23, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 42, 43, 0, 16, 52,
19, 20, 17, 15, 0, 11, 0, 51, 14, 0,
48, 0, 54, 0, 64, 0, 60, 0, 0, 0,
0, 0, 45, 46, 44, 27, 26, 57, 0, 70,
69, 0, 67, 39, 38, 37, 36, 40, 34, 0,
31, 33, 16, 12, 0, 0, 23, 0, 52, 0,
0, 0, 0, 0, 0, 0, 0, 42, 43, 0,
28, 58, 71, 68, 35, 32, 24, 25,
};
short yydgoto[] = { 7,
65, 66, 8, 69, 9, 44, 18, 12, 15, 21,
45, 58, 83, 59, 86, 84, 85, 98, 88, 78,
79, 80, 92, 13, 30, 60, 16, 32, 67, 22,
36, 19, 34, 70, 71, 90,
67, 68, 8, 71, 9, 45, 18, 12, 15, 21,
46, 47, 86, 48, 49, 58, 87, 88, 100, 90,
80, 81, 82, 94, 13, 30, 16, 32, 69, 22,
36, 19, 34, 72, 73, 92,
};
short yysindex[] = { -250,
-264, 0, -246, -234, -230, -215, -250, 0, -252, 0,
0, -51, 0, 0, -12, 0, 0, -8, 0, 0,
-5, 0, 0, 0, 0, 0, 0, 0, -221, -7,
-246, -6, -234, -4, -230, -3, -215, 0, 0, 0,
0, 0, 0, 2, 0, 3, -33, 0, -2, 0,
-29, 0, -20, 0, -221, -207, 0, 0, 0, 17,
0, 0, 0, 0, 0, 0, 19, 0, 0, 21,
0, 0, 0, 0, 0, 0, 0, 22, 0, 0,
0, -20, 23, 0, -239, -33, -33, -2, -2, -29,
-29, -20, -20, 22, -207, 0, 0, -2, 0, 0,
short yysindex[] = { -247,
-262, 0, -242, -223, -216, -215, -247, 0, -254, 0,
0, -37, 0, 0, -15, 0, 0, -13, 0, 0,
-12, 0, 0, 0, 0, 0, 0, 0, -33, -14,
-242, -11, -223, -10, -216, -8, -215, 0, 0, 0,
0, 0, 0, 0, -9, 0, -42, 0, 0, -33,
0, -2, 0, -29, 0, -20, 0, -33, -33, -209,
-33, 4, 0, 0, 0, 0, 0, 0, 11, 0,
0, 12, 0, 0, 0, 0, 0, 0, 0, 13,
0, 0, 0, 0, -20, 14, 0, -236, 0, -2,
-2, -29, -29, -20, -20, 13, -209, 0, 0, -2,
0, 0, 0, 0, 0, 0, 0, 0,
};
short yyrindex[] = { -217,
0, 0, 0, 0, 0, 0, -217, 0, 0, 0,
short yyrindex[] = { -224,
0, 0, 0, 0, 0, 0, -224, 0, 0, 0,
0, 86, 0, 0, 103, 0, 0, 120, 0, 0,
137, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 154, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, -21, 0, 0, 0, 1,
0, 0, 0, 0, 0, 0, 18, 0, 0, 35,
0, 0, 0, 0, 0, 0, 0, 52, 0, 0,
0, 0, 69, 0, -1, 0, 0, 0, 0, 0,
0, 0, 0, 163, -21, 0, 0, 0, 0, 0,
0, 0, 0, 0, 154, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, -21,
0, 1, 0, 0, 0, 0, 0, 0, 18, 0,
0, 35, 0, 0, 0, 0, 0, 0, 0, 52,
0, 0, 0, 0, 0, 69, 0, -1, 0, 0,
0, 0, 0, 0, 0, 163, -21, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0,
};
short yygindex[] = { 0,
0, -74, 55, 59, 0, 0, 0, 0, 0, 0,
15, -27, 0, -57, 0, -24, 0, 0, 0, -10,
-59, 0, 0, 42, 0, 0, 41, 0, 0, 38,
0, 43, 0, 0, -42, 0,
0, -74, 53, 54, 0, 0, 0, 0, 0, 0,
2, 15, 0, -31, 0, 0, -35, 0, 0, 0,
-19, -84, 0, 0, 33, 0, 34, 0, 0, 31,
0, 36, 0, 0, -53, 0,
};
#define YYTABLESIZE 431
short yytable[] = { 57,
50, 46, 10, 68, 24, 1, 31, 25, 26, 27,
11, 29, 77, 101, 102, 28, 2, 56, 3, 4,
5, 6, 14, 108, 96, 97, 17, 46, 99, 100,
64, 41, 105, 106, 66, 38, 39, 40, 41, 5,
42, 20, 5, 5, 5, 33, 43, 103, 104, 35,
5, 62, 37, 47, 49, 82, 51, 53, 50, 55,
87, 23, 89, 56, 91, 93, 95, 29, 13, 81,
107, 94, 48, 50, 54, 56, 0, 52, 0, 0,
short yytable[] = { 44,
50, 61, 24, 70, 10, 25, 26, 27, 1, 105,
106, 29, 79, 28, 11, 101, 102, 56, 60, 2,
31, 3, 4, 5, 6, 108, 83, 98, 99, 89,
66, 41, 5, 14, 66, 5, 5, 5, 103, 104,
17, 20, 33, 5, 35, 37, 50, 61, 59, 52,
54, 62, 56, 85, 91, 93, 95, 97, 50, 23,
84, 107, 29, 51, 62, 96, 53, 57, 13, 0,
55, 0, 0, 0, 0, 56, 0, 0, 0, 0,
0, 0, 0, 0, 0, 8, 0, 0, 0, 0,
0, 0, 66, 0, 0, 0, 0, 0, 0, 0,
0, 0, 9, 0, 0, 0, 0, 0, 0, 62,
@@ -307,10 +307,10 @@ short yytable[] = { 57,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 38, 39, 40, 41, 24, 42, 0,
25, 26, 27, 0, 43, 29, 72, 0, 28, 73,
74, 75, 29, 29, 29, 0, 29, 76, 0, 0,
0, 0, 0, 0, 61, 41, 50, 50, 0, 0,
50, 50, 50, 62, 41, 63, 41, 50, 50, 50,
25, 26, 27, 0, 43, 29, 74, 0, 28, 75,
76, 77, 29, 29, 29, 0, 29, 78, 0, 0,
0, 0, 0, 0, 63, 41, 50, 50, 0, 0,
50, 50, 50, 64, 41, 65, 41, 50, 50, 50,
50, 50, 50, 56, 56, 0, 0, 56, 56, 56,
0, 0, 0, 0, 56, 56, 56, 56, 56, 56,
66, 66, 0, 0, 66, 66, 66, 0, 0, 0,
@@ -330,14 +330,14 @@ short yytable[] = { 57,
30,
};
short yycheck[] = { 33,
0, 29, 267, 33, 257, 256, 58, 260, 261, 262,
257, 33, 33, 88, 89, 268, 267, 0, 269, 270,
271, 272, 257, 98, 264, 265, 257, 55, 86, 87,
33, 33, 92, 93, 0, 257, 258, 259, 260, 257,
262, 257, 260, 261, 262, 58, 268, 90, 91, 58,
268, 0, 58, 61, 61, 263, 61, 61, 58, 58,
44, 7, 44, 61, 44, 44, 44, 9, 0, 55,
95, 82, 31, 33, 37, 58, -1, 35, -1, -1,
0, 44, 257, 33, 267, 260, 261, 262, 256, 94,
95, 33, 33, 268, 257, 90, 91, 0, 61, 267,
58, 269, 270, 271, 272, 100, 58, 264, 265, 61,
33, 33, 257, 257, 0, 260, 261, 262, 92, 93,
257, 257, 58, 268, 58, 58, 61, 44, 58, 61,
61, 0, 61, 263, 44, 44, 44, 44, 58, 7,
59, 97, 9, 31, 50, 85, 33, 37, 0, -1,
35, -1, -1, -1, -1, 58, -1, -1, -1, -1,
-1, -1, -1, -1, -1, 0, -1, -1, -1, -1,
-1, -1, 58, -1, -1, -1, -1, -1, -1, -1,
-1, -1, 0, -1, -1, -1, -1, -1, -1, 58,
@@ -407,7 +407,7 @@ char *yyrule[] = {
"entry : RUNASALIAS runasaliases",
"privileges : privilege",
"privileges : privileges ':' privilege",
"privilege : hostspec '=' cmndspeclist",
"privilege : hostlist '=' cmndspeclist",
"ophostspec : hostspec",
"$$2 :",
"ophostspec : '!' $$2 ophostspec",

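--- /dev/null
+++ b/sudo.tab.h
@@ -0,0 +1,24 @@
+#define ALIAS 257
+#define NTWKADDR 258
+#define FQHOST 259
+#define NETGROUP 260
+#define USERGROUP 261
+#define NAME 262
+#define RUNAS 263
+#define NOPASSWD 264
+#define PASSWD 265
+#define COMMAND 266
+#define COMMENT 267
+#define ALL 268
+#define HOSTALIAS 269
+#define CMNDALIAS 270
+#define USERALIAS 271
+#define RUNASALIAS 272
+#define ERROR 273
+typedef union {
+char *string;
+int BOOLEAN;
+struct sudo_command command;
+int tok;
+} YYSTYPE;
+extern YYSTYPE yylval;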


@@ -24,11 +24,8 @@ DDDDEEEESSSSCCCCRRRRIIIIPPPPTTTTIIIIOOOONNNN
user access_group [: access_group] ...
access_group ::= host_type = [(runas-list)] [NOPASSWD:] [op]cmnd_type
access_group ::= host-list = [(runas-list)] [NOPASSWD:] [op]cmnd_type
[,[(user-list)] [NOPASSWD|PASSWD:] [op]cmnd_type] ...
host_type ::= a lower-case hostname, netgroup, ip address,
network number, network number/netmask,
or host alias.
cmnd_type ::= a command OR a command alias.
op ::= the logical "!" NOT operator.
@@ -57,11 +54,14 @@ DDDDEEEESSSSCCCCRRRRIIIIPPPPTTTTIIIIOOOONNNN
of these.
rrrruuuunnnnaaaassss aaaalllliiiiaaaassss sssseeeeccccttttiiiioooonnnn ffffoooorrrrmmmmaaaatttt::::
Runas_Alias RUNASALIAS = runas-list
6/Apr/99 1.6 1
7/Apr/99 1.6 1
@@ -70,11 +70,6 @@ DDDDEEEESSSSCCCCRRRRIIIIPPPPTTTTIIIIOOOONNNN
sudoers(5) FILE FORMATS sudoers(5)
rrrruuuunnnnaaaassss aaaalllliiiiaaaassss sssseeeeccccttttiiiioooonnnn ffffoooorrrrmmmmaaaatttt::::
Runas_Alias RUNASALIAS = runas-list
Runas_Alias ::= a keyword.
RUNASALIAS ::= an upper-case alias name.
runas-list ::= a comma separated list of users, groups, netgroups.
@@ -124,10 +119,15 @@ sudoers(5) FILE FORMATS sudoers(5)
an _a_c_c_e_s_s___g_r_o_u_p. For example given:
oper bigserver = NOPASSWD: /usr/bin/kill, /bin/rm,
/bin/rmdir User oper will be able to run /usr/bin/kill,
/bin/rm, and /bin/rmdir as rrrrooooooootttt without a password. If we
change that to:
oper bigserver = NOPASSWD: /usr/bin/kill, PASSWD:
/bin/rm, /bin/rmdir User oper can still run /usr/bin/kill
without a password but must give a password to run /bin/rm
6/Apr/99 1.6 2
7/Apr/99 1.6 2
@@ -136,11 +136,6 @@ sudoers(5) FILE FORMATS sudoers(5)
sudoers(5) FILE FORMATS sudoers(5)
/bin/rm, and /bin/rmdir as rrrrooooooootttt without a password. If we
change that to:
oper bigserver = NOPASSWD: /usr/bin/kill, PASSWD:
/bin/rm, /bin/rmdir User oper can still run /usr/bin/kill
without a password but must give a password to run /bin/rm
and /bin/rmdir.
wwwwiiiillllddddccccaaaarrrrddddssss ((((aaaakkkkaaaa mmmmeeeettttaaaa cccchhhhaaaarrrraaaacccctttteeeerrrrssss))))::::
@@ -191,9 +186,14 @@ sudoers(5) FILE FORMATS sudoers(5)
elements from the universe by using the syntax:
user host=ALL,!ALIAS1,!/sbin/halt...
Commands may have optional command line arguments. If
they do, then the arguments in the _s_u_d_o_e_r_s file must
exactly match those on the command line. It is also
possible to have a command's arguments span multiple lines
6/Apr/99 1.6 3
7/Apr/99 1.6 3
@@ -202,10 +202,6 @@ sudoers(5) FILE FORMATS sudoers(5)
sudoers(5) FILE FORMATS sudoers(5)
Commands may have optional command line arguments. If
they do, then the arguments in the _s_u_d_o_e_r_s file must
exactly match those on the command line. It is also
possible to have a command's arguments span multiple lines
as long as the line continuance character "\" is used.
The following characters must be escaped with a "\" if
used in command arguments: ",", ":", "=", "\".
@@ -256,10 +252,14 @@ EEEEXXXXAAAAMMMMPPPPLLLLEEEESSSS
three machines merlin, kodiakthorn and spirit. Similarly,
SERVERS is set to the machines houdini, merlin,
kodiakthorn and spirit. The CSNETS alias will match any
host on the 128.138.243.0, 128.138.204.0, or
128.138.205.192 nets. The CUNETS alias will match any
host on the 128.138.0.0 (class B) network. Note that
these are nnnneeeettttwwwwoooorrrrkkkk addresses, not ip addresses. Unless an
6/Apr/99 1.6 4
7/Apr/99 1.6 4
@@ -268,10 +268,6 @@ EEEEXXXXAAAAMMMMPPPPLLLLEEEESSSS
sudoers(5) FILE FORMATS sudoers(5)
host on the 128.138.243.0, 128.138.204.0, or
128.138.205.192 nets. The CUNETS alias will match any
host on the 128.138.0.0 (class B) network. Note that
these are nnnneeeettttwwwwoooorrrrkkkk addresses, not ip addresses. Unless an
explicit netmask is given, the local _n_e_t_m_a_s_k is used to
determine whether or not the current host belongs to a
network.
@@ -322,10 +318,14 @@ sudoers(5) FILE FORMATS sudoers(5)
jill The user jill may run /sbin/shutdown -h
now or /sbin/shutdown -r now as well as
the commands in the MISC alias on houdini.
markm The user markm may run any command on the
HUB machines except _/_s_b_i_n_/_s_h_u_t_d_o_w_n,
6/Apr/99 1.6 5
7/Apr/99 1.6 5
@@ -334,10 +334,6 @@ sudoers(5) FILE FORMATS sudoers(5)
sudoers(5) FILE FORMATS sudoers(5)
the commands in the MISC alias on houdini.
markm The user markm may run any command on the
HUB machines except _/_s_b_i_n_/_s_h_u_t_d_o_w_n,
_/_s_b_i_n_/_h_a_l_t, and commands listed in the
MISC alias.
@@ -391,7 +387,11 @@ SSSSEEEEEEEE AAAALLLLSSSSOOOO
6/Apr/99 1.6 6
7/Apr/99 1.6 6
@@ -457,6 +457,6 @@ sudoers(5) FILE FORMATS sudoers(5)
6/Apr/99 1.6 7
7/Apr/99 1.6 7


@@ -79,11 +79,8 @@ entry that grants access the user will be allowed to run the command.
<P>
<PRE> access_group ::= host_type = [(runas-list)] [NOPASSWD:] [op]cmnd_type
<PRE> access_group ::= host-list = [(runas-list)] [NOPASSWD:] [op]cmnd_type
[,[(user-list)] [NOPASSWD|PASSWD:] [op]cmnd_type] ...
host_type ::= a lower-case hostname, netgroup, ip address,
network number, network number/netmask,
or host alias.
cmnd_type ::= a command OR a command alias.
op ::= the logical &quot;!&quot; NOT operator.
</PRE>


@@ -2,8 +2,10 @@
''' $RCSfile$$Revision$$Date$
'''
''' $Log$
''' Revision 1.8 1999/04/07 00:24:35 millert
''' runas-lists and NOPASSWD/PASSWD modifiers are now sticky and you can use "!" most everywhere
''' Revision 1.9 1999/04/07 23:18:51 millert
''' You can now specifiy a host list instead of just a host or alias.
''' Ie: user = host1,host2,ALIAS,!host3 my_command
''' now works.
'''
'''
.de Sh
@@ -96,7 +98,7 @@
.nr % 0
.rr F
.\}
.TH sudoers 5 "1.6" "6/Apr/99" "FILE FORMATS"
.TH sudoers 5 "1.6" "7/Apr/99" "FILE FORMATS"
.UC
.if n .hy 0
.if n .na
@@ -206,12 +208,9 @@ will be allowed to run the command.
.Vb 1
\& user access_group [: access_group] ...
.Ve
.Vb 7
\& access_group ::= host_type = [(runas-list)] [NOPASSWD:] [op]cmnd_type
.Vb 4
\& access_group ::= host-list = [(runas-list)] [NOPASSWD:] [op]cmnd_type
\& [,[(user-list)] [NOPASSWD|PASSWD:] [op]cmnd_type] ...
\& host_type ::= a lower-case hostname, netgroup, ip address,
\& network number, network number/netmask,
\& or host alias.
\& cmnd_type ::= a command OR a command alias.
\& op ::= the logical "!" NOT operator.
.Ve


@@ -21,11 +21,8 @@ will be allowed to run the command.
user access_group [: access_group] ...
access_group ::= host_type = [(runas-list)] [NOPASSWD:] [op]cmnd_type
access_group ::= host-list = [(runas-list)] [NOPASSWD:] [op]cmnd_type
[,[(user-list)] [NOPASSWD|PASSWD:] [op]cmnd_type] ...
host_type ::= a lower-case hostname, netgroup, ip address,
network number, network number/netmask,
or host alias.
cmnd_type ::= a command OR a command alias.
op ::= the logical "!" NOT operator.