Move set_project() from sudoers module into sudo proper.

Todd C. Miller
2010-10-01 13:52:42 -04:00
parent e59fa31bac
commit 6b4fe798d5
2 changed files with 69 additions and 72 deletions


@@ -80,10 +80,6 @@
# define LOGIN_DEFROOTCLASS "daemon" # define LOGIN_DEFROOTCLASS "daemon"
# endif # endif
#endif #endif
#ifdef HAVE_PROJECT_H
# include <project.h>
# include <sys/task.h>
#endif
#ifdef HAVE_SELINUX #ifdef HAVE_SELINUX
# include <selinux/selinux.h> # include <selinux/selinux.h>
#endif #endif
@@ -104,7 +100,6 @@
static void init_vars(char * const *); static void init_vars(char * const *);
static int set_cmnd(int); static int set_cmnd(int);
static void set_loginclass(struct passwd *); static void set_loginclass(struct passwd *);
static void set_project(struct passwd *);
static void set_runasgr(char *); static void set_runasgr(char *);
static void set_runaspw(char *); static void set_runaspw(char *);
static int sudoers_policy_version(int verbose); static int sudoers_policy_version(int verbose);
@@ -789,9 +784,6 @@ set_cmnd(int sudo_mode)
int rval; int rval;
char *path = user_path; char *path = user_path;
/* Set project if applicable. */
set_project(runas_pw);
/* Resolve the path and return. */ /* Resolve the path and return. */
rval = FOUND; rval = FOUND;
user_stat = emalloc(sizeof(struct stat)); user_stat = emalloc(sizeof(struct stat));
@@ -971,70 +963,6 @@ set_loginclass(struct passwd *pw)
} }
#endif /* HAVE_LOGIN_CAP_H */ #endif /* HAVE_LOGIN_CAP_H */
#ifdef HAVE_PROJECT_H
static void
set_project(struct passwd *pw)
{
int errflags = NO_MAIL|MSG_ONLY|NO_EXIT;
int errval;
struct project proj;
struct project *resultp = '\0';
char buf[1024];
/*
* Collect the default project for the user and settaskid
*/
setprojent();
if (resultp = getdefaultproj(pw->pw_name, &proj, buf, sizeof(buf))) {
errval = setproject(resultp->pj_name, pw->pw_name, TASK_NORMAL);
if (errval != 0) {
switch(errval) {
case SETPROJ_ERR_TASK:
if (errno == EAGAIN)
log_error(errflags, "resource control limit has been reached");
else if (errno == ESRCH)
log_error(errflags, "user \"%s\" is not a member of "
"project \"%s\"", pw->pw_name, resultp->pj_name);
else if (errno == EACCES)
log_error(errflags, "the invoking task is final");
else
log_error(errflags, "could not join project \"%s\"",
resultp->pj_name);
break;
case SETPROJ_ERR_POOL:
if (errno == EACCES)
log_error(errflags, "no resource pool accepting "
"default bindings exists for project \"%s\"",
resultp->pj_name);
else if (errno == ESRCH)
log_error(errflags, "specified resource pool does "
"not exist for project \"%s\"", resultp->pj_name);
else
log_error(errflags, "could not bind to default "
"resource pool for project \"%s\"", resultp->pj_name);
break;
default:
if (errval <= 0) {
log_error(errflags, "setproject failed for project \"%s\"",
resultp->pj_name);
} else {
log_error(errflags, "warning, resource control assignment "
"failed for project \"%s\"", resultp->pj_name);
}
}
}
} else {
log_error(errflags, "getdefaultproj() error: %s", strerror(errno));
}
endprojent();
}
#else
static void
set_project(struct passwd *pw)
{
}
#endif /* HAVE_PROJECT_H */
/* /*
* Look up the fully qualified domain name and set user_host and user_shost. * Look up the fully qualified domain name and set user_host and user_shost.
*/ */


@@ -66,6 +66,10 @@
#ifdef HAVE_LOGIN_CAP_H #ifdef HAVE_LOGIN_CAP_H
# include <login_cap.h> # include <login_cap.h>
#endif #endif
#ifdef HAVE_PROJECT_H
# include <project.h>
# include <sys/task.h>
#endif
#ifdef HAVE_SELINUX #ifdef HAVE_SELINUX
# include <selinux/selinux.h> # include <selinux/selinux.h>
#endif #endif
@@ -637,6 +641,68 @@ disable_coredumps(void)
#endif /* RLIMIT_CORE && !SUDO_DEVEL */ #endif /* RLIMIT_CORE && !SUDO_DEVEL */
} }
#ifdef HAVE_PROJECT_H
static void
set_project(struct passwd *pw)
{
struct project proj;
char buf[PROJECT_BUFSZ];
int errval;
/*
* Collect the default project for the user and settaskid
*/
setprojent();
if (getdefaultproj(pw->pw_name, &proj, buf, sizeof(buf)) != NULL) {
errval = setproject(proj.pj_name, pw->pw_name, TASK_NORMAL);
switch(errval) {
case 0:
break;
case SETPROJ_ERR_TASK:
switch (errno) {
case EAGAIN:
warningx("resource control limit has been reached");
break;
case ESRCH:
warningx("user \"%s\" is not a member of project \"%s\"",
pw->pw_name, proj.pj_name);
break;
case EACCES:
warningx("the invoking task is final");
break;
default:
warningx("could not join project \"%s\"", proj.pj_name);
}
case SETPROJ_ERR_POOL:
switch (errno) {
case EACCES:
warningx("no resource pool accepting default bindings "
"exists for project \"%s\"", proj.pj_name);
break;
case ESRCH:
warningx("specified resource pool does not exist for "
"project \"%s\"", proj.pj_name);
break;
default:
warningx("could not bind to default resource pool for "
"project \"%s\"", proj.pj_name);
}
break;
default:
if (errval <= 0) {
warningx("setproject failed for project \"%s\"", proj.pj_name);
} else {
warningx("warning, resource control assignment failed for "
"project \"%s\"", proj.pj_name);
}
}
} else {
warning("getdefaultproj");
}
endprojent();
}
#endif /* HAVE_PROJECT_H */
/* /*
* Setup the execution environment immediately prior to the call to execve() * Setup the execution environment immediately prior to the call to execve()
* Returns TRUE on success and FALSE on failure. * Returns TRUE on success and FALSE on failure.
@@ -671,6 +737,9 @@ exec_setup(struct command_details *details, const char *ptyname, int ptyfd)
#endif #endif
if (pw != NULL) { if (pw != NULL) {
#ifdef HAVE_PROJECT_H
set_project(pw);
#endif
#ifdef HAVE_GETUSERATTR #ifdef HAVE_GETUSERATTR
aix_prep_user(pw->pw_name, ptyname ? ptyname : user_details.tty); aix_prep_user(pw->pw_name, ptyname ? ptyname : user_details.tty);
#endif #endif
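Review bot: In the added `set_project()`, the `case SETPROJ_ERR_TASK:` arm has no `break;` after its inner `switch (errno)`, so control falls through into `case SETPROJ_ERR_POOL:` and a task-join failure also prints an unrelated resource-pool warning. The copy removed from the sudoers module ended that arm with `break;`, so this looks like a regression from the move. Add `break;` after the inner switch's closing brace, just before `case SETPROJ_ERR_POOL:`. Separately, every failure path only calls `warningx()`/`warning()` and the function returns void, so `exec_setup()` appears to go on and run the command without the project's resource controls applied. That matches the old `NO_EXIT` behaviour, but it deserves a comment at the call site such as `/* set_project() failure is non-fatal: the command still runs */`.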