Add CHROOT and CWD sudoers options.
Also matching runchroot and runcwd Defaults settings.
This commit is contained in:
Todd C. Miller
1
MANIFEST
1
MANIFEST
@@ -471,6 +471,7 @@ plugins/sudoers/digestname.c
|
||||
plugins/sudoers/editor.c
|
||||
plugins/sudoers/env.c
|
||||
plugins/sudoers/env_pattern.c
|
||||
plugins/sudoers/exptilde.c
|
||||
plugins/sudoers/file.c
|
||||
plugins/sudoers/filedigest.c
|
||||
plugins/sudoers/find_path.c
|
||||
|
||||
@@ -25,7 +25,7 @@
|
||||
.nr BA @BAMAN@
|
||||
.nr LC @LCMAN@
|
||||
.nr PS @PSMAN@
|
||||
.TH "SUDOERS" "@mansectform@" "August 27, 2020" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
|
||||
.TH "SUDOERS" "@mansectform@" "August 28, 2020" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
|
||||
.nh
|
||||
.if n .ad l
|
||||
.SH "NAME"
|
||||
@@ -1163,6 +1163,10 @@ Date_Spec ::= ('NOTBEFORE=timestamp' | 'NOTAFTER=timestamp')
|
||||
|
||||
Timeout_Spec ::= 'TIMEOUT=timeout'
|
||||
|
||||
Chdir_Spec ::= 'CWD=directory'
|
||||
|
||||
Chroot_Spec ::= 'CHROOT=directory'
|
||||
|
||||
Tag_Spec ::= ('EXEC:' | 'NOEXEC:' | 'FOLLOW:' | 'NOFOLLOW' |
|
||||
'LOG_INPUT:' | 'NOLOG_INPUT:' | 'LOG_OUTPUT:' |
|
||||
'NOLOG_OUTPUT:' | 'MAIL:' | 'NOMAIL:' | 'PASSWD:' |
|
||||
@@ -1502,6 +1506,54 @@ timeout values:
|
||||
\fR1d2d3h\fR.
|
||||
.PP
|
||||
This setting is only supported by version 1.8.20 or higher.
|
||||
.SS "Chdir_Spec"
|
||||
The working directory that the command will be run in can be specified
|
||||
using the
|
||||
\fRCWD\fR
|
||||
setting.
|
||||
The
|
||||
\fIdirectory\fR
|
||||
must be a fully-qualified path name beginning with a
|
||||
\(oq/\(cq
|
||||
or
|
||||
\(oq~\(cq
|
||||
character.
|
||||
By default, commands are run from the invoking user's current working
|
||||
directory, unless the
|
||||
\fB\-i\fR
|
||||
option is given.
|
||||
Path names of the form
|
||||
\fR~user/path/name\fR
|
||||
are interpreted as being relative to the named user's home directory.
|
||||
If the user name is omitted, the path will be relative to the runas
|
||||
user's home directory.
|
||||
.PP
|
||||
This setting is only supported by version 1.9.3 or higher.
|
||||
.SS "Chroot_Spec"
|
||||
The root directory that the command will be run in can be specified
|
||||
using the
|
||||
\fRCHROOT\fR
|
||||
setting.
|
||||
The
|
||||
\fIdirectory\fR
|
||||
must be a fully-qualified path name beginning with a
|
||||
\(oq/\(cq
|
||||
or
|
||||
\(oq~\(cq
|
||||
character.
|
||||
This setting can be used to run the command in a
|
||||
chroot(2)
|
||||
\(lqsandbox\(rq
|
||||
similar to the
|
||||
chroot(@mansectsu@)
|
||||
utility.
|
||||
Path names of the form
|
||||
\fR~user/path/name\fR
|
||||
are interpreted as being relative to the named user's home directory.
|
||||
If the user name is omitted, the path will be relative to the runas
|
||||
user's home directory.
|
||||
.PP
|
||||
This setting is only supported by version 1.9.3 or higher.
|
||||
.SS "Tag_Spec"
|
||||
A command may have zero or more tags associated with it.
|
||||
The following tag values are supported:
|
||||
@@ -4399,6 +4451,26 @@ In either case, the contents of
|
||||
are processed before the contents of
|
||||
\fIenv_file\fR.
|
||||
.TP 14n
|
||||
runchroot
|
||||
If set,
|
||||
\fBsudo\fR
|
||||
will use this value for the root directory when running a command.
|
||||
See the
|
||||
\fIChroot_Spec\fR
|
||||
section for more details.
|
||||
.sp
|
||||
This setting is only supported by version 1.9.3 or higher.
|
||||
.TP 14n
|
||||
runcwd
|
||||
If set,
|
||||
\fBsudo\fR
|
||||
will use this value for the working directory when running a command.
|
||||
See the
|
||||
\fIChdir_Spec\fR
|
||||
section for more details.
|
||||
.sp
|
||||
This setting is only supported by version 1.9.3 or higher.
|
||||
.TP 14n
|
||||
secure_path
|
||||
If set,
|
||||
\fBsudo\fR
|
||||
|
||||
@@ -24,7 +24,7 @@
|
||||
.nr BA @BAMAN@
|
||||
.nr LC @LCMAN@
|
||||
.nr PS @PSMAN@
|
||||
.Dd August 27, 2020
|
||||
.Dd August 28, 2020
|
||||
.Dt SUDOERS @mansectform@
|
||||
.Os Sudo @PACKAGE_VERSION@
|
||||
.Sh NAME
|
||||
@@ -1096,12 +1096,12 @@ Cmnd_Spec ::= Runas_Spec? Option_Spec* Tag_Spec* Cmnd
|
||||
Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
|
||||
|
||||
.ie \n(SL \{\
|
||||
.ie \n(PS Option_Spec ::= (SELinux_Spec | Solaris_Priv_Spec | Date_Spec | Timeout_Spec)
|
||||
.el Option_Spec ::= (SELinux_Spec | Date_Spec | Timeout_Spec)
|
||||
.ie \n(PS Option_Spec ::= (SELinux_Spec | Solaris_Priv_Spec | Date_Spec | Timeout_Spec | Chdir_Spec | Chroot_Spec)
|
||||
.el Option_Spec ::= (SELinux_Spec | Date_Spec | Timeout_Spec | Chdir_Spec | Chroot_Spec)
|
||||
.\}
|
||||
.el \{\
|
||||
.ie \n(PS Option_Spec ::= (Solaris_Priv_Spec | Date_Spec | Timeout_Spec)
|
||||
.el Option_Spec ::= (Date_Spec | Timeout_Spec)
|
||||
.ie \n(PS Option_Spec ::= (Solaris_Priv_Spec | Date_Spec | Timeout_Spec | Chdir_Spec | Chroot_Spec)
|
||||
.el Option_Spec ::= (Date_Spec | Timeout_Spec | Chdir_Spec | Chroot_Spec)
|
||||
.\}
|
||||
|
||||
.if \n(SL \{\
|
||||
@@ -1116,6 +1116,10 @@ Date_Spec ::= ('NOTBEFORE=timestamp' | 'NOTAFTER=timestamp')
|
||||
|
||||
Timeout_Spec ::= 'TIMEOUT=timeout'
|
||||
|
||||
Chdir_Spec ::= 'CWD=directory'
|
||||
|
||||
Chroot_Spec ::= 'CHROOT=directory'
|
||||
|
||||
Tag_Spec ::= ('EXEC:' | 'NOEXEC:' | 'FOLLOW:' | 'NOFOLLOW' |
|
||||
'LOG_INPUT:' | 'NOLOG_INPUT:' | 'LOG_OUTPUT:' |
|
||||
'NOLOG_OUTPUT:' | 'MAIL:' | 'NOMAIL:' | 'PASSWD:' |
|
||||
@@ -1422,6 +1426,54 @@ timeout values:
|
||||
.Li 1d2d3h .
|
||||
.Pp
|
||||
This setting is only supported by version 1.8.20 or higher.
|
||||
.Ss Chdir_Spec
|
||||
The working directory that the command will be run in can be specified
|
||||
using the
|
||||
.Li CWD
|
||||
setting.
|
||||
The
|
||||
.Fa directory
|
||||
must be a fully-qualified path name beginning with a
|
||||
.Sq /
|
||||
or
|
||||
.Sq ~
|
||||
character.
|
||||
By default, commands are run from the invoking user's current working
|
||||
directory, unless the
|
||||
.Fl i
|
||||
option is given.
|
||||
Path names of the form
|
||||
.Li ~user/path/name
|
||||
are interpreted as being relative to the named user's home directory.
|
||||
If the user name is omitted, the path will be relative to the runas
|
||||
user's home directory.
|
||||
.Pp
|
||||
This setting is only supported by version 1.9.3 or higher.
|
||||
.Ss Chroot_Spec
|
||||
The root directory that the command will be run in can be specified
|
||||
using the
|
||||
.Li CHROOT
|
||||
setting.
|
||||
The
|
||||
.Fa directory
|
||||
must be a fully-qualified path name beginning with a
|
||||
.Sq /
|
||||
or
|
||||
.Sq ~
|
||||
character.
|
||||
This setting can be used to run the command in a
|
||||
.Xr chroot 2
|
||||
.Dq sandbox
|
||||
similar to the
|
||||
.Xr chroot @mansectsu@
|
||||
utility.
|
||||
Path names of the form
|
||||
.Li ~user/path/name
|
||||
are interpreted as being relative to the named user's home directory.
|
||||
If the user name is omitted, the path will be relative to the runas
|
||||
user's home directory.
|
||||
.Pp
|
||||
This setting is only supported by version 1.9.3 or higher.
|
||||
.Ss Tag_Spec
|
||||
A command may have zero or more tags associated with it.
|
||||
The following tag values are supported:
|
||||
@@ -4110,6 +4162,24 @@ In either case, the contents of
|
||||
.Em restricted_env_file
|
||||
are processed before the contents of
|
||||
.Em env_file .
|
||||
.It runchroot
|
||||
If set,
|
||||
.Nm sudo
|
||||
will use this value for the root directory when running a command.
|
||||
See the
|
||||
.Sx Chroot_Spec
|
||||
section for more details.
|
||||
.Pp
|
||||
This setting is only supported by version 1.9.3 or higher.
|
||||
.It runcwd
|
||||
If set,
|
||||
.Nm sudo
|
||||
will use this value for the working directory when running a command.
|
||||
See the
|
||||
.Sx Chdir_Spec
|
||||
section for more details.
|
||||
.Pp
|
||||
This setting is only supported by version 1.9.3 or higher.
|
||||
.It secure_path
|
||||
If set,
|
||||
.Nm sudo
|
||||
|
||||
@@ -159,11 +159,11 @@ TEST_PROGS = check_addr check_base64 check_digest check_env_pattern check_fill \
|
||||
AUTH_OBJS = sudo_auth.lo @AUTH_OBJS@
|
||||
|
||||
LIBPARSESUDOERS_OBJS = alias.lo audit.lo base64.lo defaults.lo digestname.lo \
|
||||
filedigest.lo gentime.lo gmtoff.lo gram.lo hexchar.lo \
|
||||
match.lo match_addr.lo match_command.lo match_digest.lo \
|
||||
pwutil.lo pwutil_impl.lo rcstr.lo redblack.lo \
|
||||
strlist.lo sudoers_debug.lo timeout.lo timestr.lo \
|
||||
toke.lo toke_util.lo
|
||||
exptilde.lo filedigest.lo gentime.lo gmtoff.lo gram.lo \
|
||||
hexchar.lo match.lo match_addr.lo match_command.lo \
|
||||
match_digest.lo pwutil.lo pwutil_impl.lo rcstr.lo \
|
||||
redblack.lo strlist.lo sudoers_debug.lo timeout.lo \
|
||||
timestr.lo toke.lo toke_util.lo
|
||||
|
||||
LIBPARSESUDOERS_IOBJS = $(LIBPARSESUDOERS_OBJS:.lo=.i) passwd.i
|
||||
|
||||
@@ -1217,6 +1217,28 @@ env_pattern.i: $(srcdir)/env_pattern.c $(devdir)/def_data.h \
|
||||
$(CC) -E -o $@ $(CPPFLAGS) $<
|
||||
env_pattern.plog: env_pattern.i
|
||||
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/env_pattern.c --i-file $< --output-file $@
|
||||
exptilde.lo: $(srcdir)/exptilde.c $(devdir)/def_data.h \
|
||||
$(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
|
||||
$(incdir)/sudo_conf.h $(incdir)/sudo_debug.h \
|
||||
$(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \
|
||||
$(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
|
||||
$(incdir)/sudo_util.h $(srcdir)/defaults.h $(srcdir)/logging.h \
|
||||
$(srcdir)/parse.h $(srcdir)/pwutil.h $(srcdir)/sudo_nss.h \
|
||||
$(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
|
||||
$(top_builddir)/config.h $(top_builddir)/pathnames.h
|
||||
$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(srcdir)/exptilde.c
|
||||
exptilde.i: $(srcdir)/exptilde.c $(devdir)/def_data.h \
|
||||
$(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
|
||||
$(incdir)/sudo_conf.h $(incdir)/sudo_debug.h \
|
||||
$(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \
|
||||
$(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
|
||||
$(incdir)/sudo_util.h $(srcdir)/defaults.h $(srcdir)/logging.h \
|
||||
$(srcdir)/parse.h $(srcdir)/pwutil.h $(srcdir)/sudo_nss.h \
|
||||
$(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
|
||||
$(top_builddir)/config.h $(top_builddir)/pathnames.h
|
||||
$(CC) -E -o $@ $(CPPFLAGS) $<
|
||||
exptilde.plog: exptilde.i
|
||||
rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/exptilde.c --i-file $< --output-file $@
|
||||
file.lo: $(srcdir)/file.c $(devdir)/def_data.h $(devdir)/gram.h \
|
||||
$(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
|
||||
$(incdir)/sudo_conf.h $(incdir)/sudo_debug.h $(incdir)/sudo_fatal.h \
|
||||
|
||||
@@ -551,6 +551,14 @@ struct sudo_defs_types sudo_defs_table[] = {
|
||||
"pam_rhost", T_FLAG,
|
||||
N_("Set the pam remote host to the local host name"),
|
||||
NULL,
|
||||
}, {
|
||||
"runcwd", T_STR|T_BOOL|T_PATH|T_TILDE,
|
||||
N_("Working directory to change to before executing the command: %s"),
|
||||
NULL,
|
||||
}, {
|
||||
"runchroot", T_STR|T_BOOL|T_PATH|T_TILDE,
|
||||
N_("Root directory to change to before executing the command: %s"),
|
||||
NULL,
|
||||
}, {
|
||||
NULL, 0, NULL
|
||||
}
|
||||
|
||||
@@ -256,6 +256,10 @@
|
||||
#define def_pam_ruser (sudo_defs_table[I_PAM_RUSER].sd_un.flag)
|
||||
#define I_PAM_RHOST 127
|
||||
#define def_pam_rhost (sudo_defs_table[I_PAM_RHOST].sd_un.flag)
|
||||
#define I_RUNCWD 128
|
||||
#define def_runcwd (sudo_defs_table[I_RUNCWD].sd_un.str)
|
||||
#define I_RUNCHROOT 129
|
||||
#define def_runchroot (sudo_defs_table[I_RUNCHROOT].sd_un.str)
|
||||
|
||||
enum def_tuple {
|
||||
never,
|
||||
|
||||
@@ -399,3 +399,9 @@ pam_ruser
|
||||
pam_rhost
|
||||
T_FLAG
|
||||
"Set the pam remote host to the local host name"
|
||||
runcwd
|
||||
T_STR|T_BOOL|T_PATH|T_TILDE
|
||||
"Working directory to change to before executing the command: %s"
|
||||
runchroot
|
||||
T_STR|T_BOOL|T_PATH|T_TILDE
|
||||
"Root directory to change to before executing the command: %s"
|
||||
|
||||
@@ -249,7 +249,8 @@ parse_default_entry(struct sudo_defs_types *def, const char *val, int op,
|
||||
rc = store_syslogpri(val, &def->sd_un);
|
||||
break;
|
||||
case T_STR:
|
||||
if (ISSET(def->type, T_PATH) && val != NULL && *val != '/') {
|
||||
if (ISSET(def->type, T_PATH) && val != NULL && *val != '/' &&
|
||||
(!ISSET(def->type, T_TILDE) || *val != '~')) {
|
||||
if (!quiet) {
|
||||
if (lineno > 0) {
|
||||
sudo_warnx(U_("%s:%d: values for \"%s\" must start with a '/'"),
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
/*
|
||||
* SPDX-License-Identifier: ISC
|
||||
*
|
||||
* Copyright (c) 1999-2005, 2008-2018
|
||||
* Copyright (c) 1999-2005, 2008-2020
|
||||
* Todd C. Miller <Todd.Miller@sudo.ws>
|
||||
*
|
||||
* Permission to use, copy, modify, and distribute this software for any
|
||||
@@ -111,6 +111,8 @@ struct early_default {
|
||||
#define T_BOOL 0x100
|
||||
#undef T_PATH
|
||||
#define T_PATH 0x200
|
||||
#undef T_TILDE
|
||||
#define T_TILDE 0x400
|
||||
|
||||
/*
|
||||
* Argument to update_defaults()
|
||||
|
||||
100
plugins/sudoers/exptilde.c
Normal file
100
plugins/sudoers/exptilde.c
Normal file
@@ -0,0 +1,100 @@
|
||||
/*
|
||||
* SPDX-License-Identifier: ISC
|
||||
*
|
||||
* Copyright (c) 2020 Todd C. Miller <Todd.Miller@sudo.ws>
|
||||
*
|
||||
* Permission to use, copy, modify, and distribute this software for any
|
||||
* purpose with or without fee is hereby granted, provided that the above
|
||||
* copyright notice and this permission notice appear in all copies.
|
||||
*
|
||||
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
||||
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
||||
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
||||
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
||||
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
||||
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
||||
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
||||
*/
|
||||
|
||||
/*
|
||||
* This is an open source non-commercial project. Dear PVS-Studio, please check it.
|
||||
* PVS-Studio Static Code Analyzer for C, C++ and C#: http://www.viva64.com
|
||||
*/
|
||||
|
||||
#include <config.h>
|
||||
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <grp.h>
|
||||
#include <pwd.h>
|
||||
|
||||
#include "sudoers.h"
|
||||
#include "pwutil.h"
|
||||
|
||||
/*
|
||||
* Expand leading tilde in *path, which must be dynamically allocated.
|
||||
* Replaces path with the expanded version as needed, freeing the old one.
|
||||
* Returns true on success, false on failure.
|
||||
*/
|
||||
bool
|
||||
expand_tilde(char **path, const char *user)
|
||||
{
|
||||
char *npath, *opath = *path;
|
||||
char *slash = NULL;
|
||||
struct passwd *pw;
|
||||
int len;
|
||||
debug_decl(expand_tilde, SUDOERS_DEBUG_UTIL);
|
||||
|
||||
switch (*opath++) {
|
||||
case '/':
|
||||
/* A fully-qualified path, nothing to do. */
|
||||
debug_return_bool(true);
|
||||
case '~':
|
||||
/* See below. */
|
||||
break;
|
||||
default:
|
||||
/* Not a fully-qualified path or one that starts with a tilde. */
|
||||
debug_return_bool(false);
|
||||
}
|
||||
|
||||
switch (*opath) {
|
||||
case '\0':
|
||||
/* format: ~ */
|
||||
break;
|
||||
case '/':
|
||||
/* format: ~/foo */
|
||||
opath++;
|
||||
break;
|
||||
default:
|
||||
/* format: ~user/foo */
|
||||
user = opath;
|
||||
slash = strchr(opath, '/');
|
||||
if (slash != NULL) {
|
||||
*slash = '\0';
|
||||
opath = slash + 1;
|
||||
} else {
|
||||
opath = NULL;
|
||||
}
|
||||
}
|
||||
pw = sudo_getpwnam(user);
|
||||
if (slash != NULL)
|
||||
*slash = '/';
|
||||
if (pw == NULL) {
|
||||
/* Unknown user. */
|
||||
sudo_warnx(U_("unknown user: %s"), user);
|
||||
debug_return_bool(false);
|
||||
}
|
||||
|
||||
len = asprintf(&npath, "%s%s%s", pw->pw_dir, opath ? "/" : "",
|
||||
opath ? opath : "");
|
||||
sudo_pw_delref(pw);
|
||||
if (len == -1) {
|
||||
sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
|
||||
debug_return_bool(false);
|
||||
}
|
||||
|
||||
free(*path);
|
||||
*path = npath;
|
||||
debug_return_bool(true);
|
||||
}
|
||||
File diff suppressed because it is too large
Load Diff
@@ -35,18 +35,20 @@
|
||||
#define RUNASALIAS 290
|
||||
#define ERROR 291
|
||||
#define NOMATCH 292
|
||||
#define TYPE 293
|
||||
#define ROLE 294
|
||||
#define PRIVS 295
|
||||
#define LIMITPRIVS 296
|
||||
#define CMND_TIMEOUT 297
|
||||
#define NOTBEFORE 298
|
||||
#define NOTAFTER 299
|
||||
#define MYSELF 300
|
||||
#define SHA224_TOK 301
|
||||
#define SHA256_TOK 302
|
||||
#define SHA384_TOK 303
|
||||
#define SHA512_TOK 304
|
||||
#define CHROOT 293
|
||||
#define CWD 294
|
||||
#define TYPE 295
|
||||
#define ROLE 296
|
||||
#define PRIVS 297
|
||||
#define LIMITPRIVS 298
|
||||
#define CMND_TIMEOUT 299
|
||||
#define NOTBEFORE 300
|
||||
#define NOTAFTER 301
|
||||
#define MYSELF 302
|
||||
#define SHA224_TOK 303
|
||||
#define SHA256_TOK 304
|
||||
#define SHA384_TOK 305
|
||||
#define SHA512_TOK 306
|
||||
#ifndef YYSTYPE_DEFINED
|
||||
#define YYSTYPE_DEFINED
|
||||
typedef union {
|
||||
|
||||
@@ -129,6 +129,8 @@ static struct command_digest *new_digest(int, char *);
|
||||
%token <tok> '\n' /* newline (with optional comment) */
|
||||
%token <tok> ERROR /* error from lexer */
|
||||
%token <tok> NOMATCH /* no match from lexer */
|
||||
%token <tok> CHROOT /* root directory for command */
|
||||
%token <tok> CWD /* working directory for command */
|
||||
%token <tok> TYPE /* SELinux type */
|
||||
%token <tok> ROLE /* SELinux role */
|
||||
%token <tok> PRIVS /* Solaris privileges */
|
||||
@@ -165,6 +167,8 @@ static struct command_digest *new_digest(int, char *);
|
||||
%type <privilege> privileges
|
||||
%type <tag> cmndtag
|
||||
%type <options> options
|
||||
%type <string> chdirspec
|
||||
%type <string> chrootspec
|
||||
%type <string> rolespec
|
||||
%type <string> typespec
|
||||
%type <string> privsspec
|
||||
@@ -388,6 +392,12 @@ cmndspeclist : cmndspec
|
||||
struct cmndspec *prev;
|
||||
prev = HLTQ_LAST($1, cmndspec, entries);
|
||||
HLTQ_CONCAT($1, $3, entries);
|
||||
|
||||
/* propagate runcwd and runchroot */
|
||||
if ($3->runcwd == NULL)
|
||||
$3->runcwd = prev->runcwd;
|
||||
if ($3->runchroot == NULL)
|
||||
$3->runchroot = prev->runchroot;
|
||||
#ifdef HAVE_SELINUX
|
||||
/* propagate role and type */
|
||||
if ($3->role == NULL && $3->type == NULL) {
|
||||
@@ -479,6 +489,8 @@ cmndspec : runasspec options cmndtag digcmnd {
|
||||
cs->notbefore = $2.notbefore;
|
||||
cs->notafter = $2.notafter;
|
||||
cs->timeout = $2.timeout;
|
||||
cs->runcwd = $2.runcwd;
|
||||
cs->runchroot = $2.runchroot;
|
||||
cs->tags = $3;
|
||||
cs->cmnd = $4;
|
||||
HLTQ_INIT(cs, entries);
|
||||
@@ -561,6 +573,16 @@ opcmnd : cmnd {
|
||||
}
|
||||
;
|
||||
|
||||
chdirspec : CWD '=' WORD {
|
||||
$$ = $3;
|
||||
}
|
||||
;
|
||||
|
||||
chrootspec : CHROOT '=' WORD {
|
||||
$$ = $3;
|
||||
}
|
||||
;
|
||||
|
||||
timeoutspec : CMND_TIMEOUT '=' WORD {
|
||||
$$ = $3;
|
||||
}
|
||||
@@ -664,6 +686,14 @@ runaslist : /* empty */ {
|
||||
options : /* empty */ {
|
||||
init_options(&$$);
|
||||
}
|
||||
| options chdirspec {
|
||||
free($$.runcwd);
|
||||
$$.runcwd = $2;
|
||||
}
|
||||
| options chrootspec {
|
||||
free($$.runchroot);
|
||||
$$.runchroot = $2;
|
||||
}
|
||||
| options notbeforespec {
|
||||
$$.notbefore = parse_gentime($2);
|
||||
free($2);
|
||||
@@ -1260,6 +1290,7 @@ free_privilege(struct privilege *priv)
|
||||
struct member_list *prev_binding = NULL;
|
||||
struct cmndspec *cs;
|
||||
struct defaults *def;
|
||||
char *runcwd = NULL, *runchroot = NULL;
|
||||
#ifdef HAVE_SELINUX
|
||||
char *role = NULL, *type = NULL;
|
||||
#endif /* HAVE_SELINUX */
|
||||
@@ -1272,6 +1303,15 @@ free_privilege(struct privilege *priv)
|
||||
free_members(&priv->hostlist);
|
||||
while ((cs = TAILQ_FIRST(&priv->cmndlist)) != NULL) {
|
||||
TAILQ_REMOVE(&priv->cmndlist, cs, entries);
|
||||
/* Only free the first instance of runcwd/runchroot. */
|
||||
if (cs->runcwd != runcwd) {
|
||||
runcwd = cs->runcwd;
|
||||
free(cs->runcwd);
|
||||
}
|
||||
if (cs->runchroot != runchroot) {
|
||||
runcwd = cs->runchroot;
|
||||
free(cs->runchroot);
|
||||
}
|
||||
#ifdef HAVE_SELINUX
|
||||
/* Only free the first instance of a role/type. */
|
||||
if (cs->role != role) {
|
||||
|
||||
@@ -239,6 +239,24 @@ apply_cmndspec(struct cmndspec *cs)
|
||||
#endif /* HAVE_PRIV_SET */
|
||||
if (cs->timeout > 0)
|
||||
def_command_timeout = cs->timeout;
|
||||
if (cs->runcwd != NULL) {
|
||||
free(def_runcwd);
|
||||
def_runcwd = strdup(cs->runcwd);
|
||||
if (def_runcwd == NULL) {
|
||||
sudo_warnx(U_("%s: %s"), __func__,
|
||||
U_("unable to allocate memory"));
|
||||
debug_return_bool(false);
|
||||
}
|
||||
}
|
||||
if (cs->runchroot != NULL) {
|
||||
free(def_runchroot);
|
||||
def_runchroot = strdup(cs->runchroot);
|
||||
if (def_runchroot == NULL) {
|
||||
sudo_warnx(U_("%s: %s"), __func__,
|
||||
U_("unable to allocate memory"));
|
||||
debug_return_bool(false);
|
||||
}
|
||||
}
|
||||
if (cs->tags.nopasswd != UNSPEC)
|
||||
def_authenticate = !cs->tags.nopasswd;
|
||||
if (cs->tags.noexec != UNSPEC)
|
||||
|
||||
@@ -131,6 +131,8 @@ struct command_options {
|
||||
time_t notbefore; /* time restriction */
|
||||
time_t notafter; /* time restriction */
|
||||
int timeout; /* command timeout */
|
||||
char *runcwd; /* working directory */
|
||||
char *runchroot; /* root directory */
|
||||
#ifdef HAVE_SELINUX
|
||||
char *role, *type; /* SELinux role and type */
|
||||
#endif
|
||||
@@ -211,6 +213,8 @@ struct cmndspec {
|
||||
int timeout; /* command timeout */
|
||||
time_t notbefore; /* time restriction */
|
||||
time_t notafter; /* time restriction */
|
||||
char *runcwd; /* working directory */
|
||||
char *runchroot; /* root directory */
|
||||
#ifdef HAVE_SELINUX
|
||||
char *role, *type; /* SELinux role and type */
|
||||
#endif
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
/*
|
||||
* SPDX-License-Identifier: ISC
|
||||
*
|
||||
* Copyright (c) 2010-2017 Todd C. Miller <Todd.Miller@sudo.ws>
|
||||
* Copyright (c) 2010-2020 Todd C. Miller <Todd.Miller@sudo.ws>
|
||||
*
|
||||
* Permission to use, copy, modify, and distribute this software for any
|
||||
* purpose with or without fee is hereby granted, provided that the above
|
||||
@@ -567,7 +567,7 @@ sudoers_policy_exec_setup(char *argv[], char *envp[], mode_t cmnd_umask,
|
||||
debug_return_bool(true); /* nothing to do */
|
||||
|
||||
/* Increase the length of command_info as needed, it is *not* checked. */
|
||||
command_info = calloc(54, sizeof(char *));
|
||||
command_info = calloc(55, sizeof(char *));
|
||||
if (command_info == NULL)
|
||||
goto oom;
|
||||
|
||||
@@ -618,7 +618,15 @@ sudoers_policy_exec_setup(char *argv[], char *envp[], mode_t cmnd_umask,
|
||||
goto oom;
|
||||
}
|
||||
}
|
||||
if (ISSET(sudo_mode, MODE_LOGIN_SHELL)) {
|
||||
if (def_runcwd) {
|
||||
/* Set cwd to explicit value in sudoers. */
|
||||
if (!expand_tilde(&def_runcwd, runas_pw->pw_name)) {
|
||||
sudo_warnx(U_("invalid working directory: %s"), def_runcwd);
|
||||
goto bad;
|
||||
}
|
||||
if ((command_info[info_len++] = sudo_new_key_val("cwd", def_runcwd)) == NULL)
|
||||
goto oom;
|
||||
} else if (ISSET(sudo_mode, MODE_LOGIN_SHELL)) {
|
||||
/* Set cwd to run user's homedir. */
|
||||
if ((command_info[info_len++] = sudo_new_key_val("cwd", runas_pw->pw_dir)) == NULL)
|
||||
goto oom;
|
||||
@@ -779,6 +787,14 @@ sudoers_policy_exec_setup(char *argv[], char *envp[], mode_t cmnd_umask,
|
||||
if (asprintf(&command_info[info_len++], "timeout=%u", timeout) == -1)
|
||||
goto oom;
|
||||
}
|
||||
if (def_runchroot != NULL) {
|
||||
if (!expand_tilde(&def_runchroot, runas_pw->pw_name)) {
|
||||
sudo_warnx(U_("invalid chroot directory: %s"), def_runchroot);
|
||||
goto bad;
|
||||
}
|
||||
if ((command_info[info_len++] = sudo_new_key_val("chroot", def_runchroot)) == NULL)
|
||||
goto oom;
|
||||
}
|
||||
if (cmnd_umask != ACCESSPERMS) {
|
||||
if (asprintf(&command_info[info_len++], "umask=0%o", (unsigned int)cmnd_umask) == -1)
|
||||
goto oom;
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
#
|
||||
#
|
||||
#
|
||||
WORD(5) ALL = LOG_INPUT LOG_OUTPUT COMMAND ARG : ALL = NOLOG_INPUT NOLOG_OUTPUT COMMAND
|
||||
WORD(5) ALL = NOPASSWD NOEXEC SETENV COMMAND : ALL = PASSWD EXEC NOSETENV COMMAND
|
||||
WORD(5) ALL = MAIL COMMAND : ALL = NOMAIL COMMAND
|
||||
WORD(5) ALL = FOLLOW COMMAND ARG : ALL = NOFOLLOW COMMAND ARG
|
||||
WORD(6) ALL = LOG_INPUT LOG_OUTPUT COMMAND ARG : ALL = NOLOG_INPUT NOLOG_OUTPUT COMMAND
|
||||
WORD(6) ALL = NOPASSWD NOEXEC SETENV COMMAND : ALL = PASSWD EXEC NOSETENV COMMAND
|
||||
WORD(6) ALL = MAIL COMMAND : ALL = NOMAIL COMMAND
|
||||
WORD(6) ALL = FOLLOW COMMAND ARG : ALL = NOFOLLOW COMMAND ARG
|
||||
|
||||
@@ -1,2 +1,2 @@
|
||||
WORD(5)
|
||||
WORD(6)
|
||||
<*>
|
||||
@@ -1,2 +1,2 @@
|
||||
WORD(5) ALL = ( ALL )
|
||||
WORD(6) ALL = ( ALL )
|
||||
<*>
|
||||
@@ -1 +1 @@
|
||||
WORD(5) ALL = ( ALL ) <*>
|
||||
WORD(6) ALL = ( ALL ) <*>
|
||||
@@ -1,6 +1,6 @@
|
||||
CMNDALIAS ALIAS = SHA224_TOK : DIGEST , SHA224_TOK : DIGEST COMMAND
|
||||
CMNDALIAS ALIAS = SHA256_TOK : DIGEST , SHA256_TOK : DIGEST COMMAND
|
||||
|
||||
WORD(5) ALL = ALIAS , ALIAS , SHA512_TOK : DIGEST COMMAND
|
||||
WORD(6) ALL = ALIAS , ALIAS , SHA512_TOK : DIGEST COMMAND
|
||||
|
||||
WORD(5) ALL = SHA256_TOK : DIGEST , SHA256_TOK : DIGEST ALL
|
||||
WORD(6) ALL = SHA256_TOK : DIGEST , SHA256_TOK : DIGEST ALL
|
||||
|
||||
@@ -1,2 +1,2 @@
|
||||
#
|
||||
WORD(5) ALL = COMMAND ARG
|
||||
WORD(6) ALL = COMMAND ARG
|
||||
|
||||
@@ -1,3 +1,3 @@
|
||||
#
|
||||
CMNDALIAS ALIAS = COMMAND ARG
|
||||
WORD(5) ALL = ALIAS
|
||||
WORD(6) ALL = ALIAS
|
||||
|
||||
@@ -1,11 +1,11 @@
|
||||
#
|
||||
DEFAULTS DEFVAR = WORD(2)
|
||||
WORD(5) ALL = CMND_TIMEOUT = WORD(5) COMMAND , COMMAND , CMND_TIMEOUT = WORD(5) COMMAND
|
||||
WORD(5) ALL = CMND_TIMEOUT = WORD(5) COMMAND
|
||||
WORD(5) ALL = CMND_TIMEOUT = WORD(5) COMMAND
|
||||
WORD(5) ALL = CMND_TIMEOUT = WORD(5) COMMAND
|
||||
WORD(5) ALL = CMND_TIMEOUT = WORD(5) COMMAND
|
||||
WORD(5) ALL = CMND_TIMEOUT = WORD(5) COMMAND
|
||||
WORD(5) ALL = CMND_TIMEOUT = WORD(5) COMMAND
|
||||
WORD(5) ALL = CMND_TIMEOUT = WORD(5) COMMAND
|
||||
WORD(5) ALL = CMND_TIMEOUT = WORD(5) COMMAND , CMND_TIMEOUT = WORD(5) COMMAND , CMND_TIMEOUT = WORD(5) COMMAND , CMND_TIMEOUT = WORD(5) COMMAND , CMND_TIMEOUT = WORD(5) COMMAND , CMND_TIMEOUT = WORD(5) COMMAND
|
||||
WORD(6) ALL = CMND_TIMEOUT = WORD(6) COMMAND , COMMAND , CMND_TIMEOUT = WORD(6) COMMAND
|
||||
WORD(6) ALL = CMND_TIMEOUT = WORD(6) COMMAND
|
||||
WORD(6) ALL = CMND_TIMEOUT = WORD(6) COMMAND
|
||||
WORD(6) ALL = CMND_TIMEOUT = WORD(6) COMMAND
|
||||
WORD(6) ALL = CMND_TIMEOUT = WORD(6) COMMAND
|
||||
WORD(6) ALL = CMND_TIMEOUT = WORD(6) COMMAND
|
||||
WORD(6) ALL = CMND_TIMEOUT = WORD(6) COMMAND
|
||||
WORD(6) ALL = CMND_TIMEOUT = WORD(6) COMMAND
|
||||
WORD(6) ALL = CMND_TIMEOUT = WORD(6) COMMAND , CMND_TIMEOUT = WORD(6) COMMAND , CMND_TIMEOUT = WORD(6) COMMAND , CMND_TIMEOUT = WORD(6) COMMAND , CMND_TIMEOUT = WORD(6) COMMAND , CMND_TIMEOUT = WORD(6) COMMAND
|
||||
|
||||
@@ -1,10 +1,10 @@
|
||||
#
|
||||
DEFAULTS DEFVAR = WORD(2)
|
||||
DEFAULTS_USER WORD(5) DEFVAR = WORD(2)
|
||||
WORD(5) ALL = CMND_TIMEOUT = WORD(5) <*> COMMAND , COMMAND , CMND_TIMEOUT = WORD(5) COMMAND
|
||||
WORD(5) ALL = CMND_TIMEOUT = WORD(5) <*> COMMAND
|
||||
WORD(5) ALL = CMND_TIMEOUT = WORD(5) <*> COMMAND
|
||||
WORD(5) ALL = CMND_TIMEOUT = WORD(5) <*> COMMAND
|
||||
WORD(5) ALL = CMND_TIMEOUT = WORD(5) <*> COMMAND
|
||||
DEFAULTS_USER WORD(6) DEFVAR = WORD(2)
|
||||
WORD(6) ALL = CMND_TIMEOUT = WORD(6) <*> COMMAND , COMMAND , CMND_TIMEOUT = WORD(6) COMMAND
|
||||
WORD(6) ALL = CMND_TIMEOUT = WORD(6) <*> COMMAND
|
||||
WORD(6) ALL = CMND_TIMEOUT = WORD(6) <*> COMMAND
|
||||
WORD(6) ALL = CMND_TIMEOUT = WORD(6) <*> COMMAND
|
||||
WORD(6) ALL = CMND_TIMEOUT = WORD(6) <*> COMMAND
|
||||
testsudoers: sudoers:2: value "2d8h10m59ss" is invalid for option "command_timeout"
|
||||
testsudoers: sudoers:3: value "15f" is invalid for option "command_timeout"
|
||||
|
||||
@@ -1,12 +1,12 @@
|
||||
#
|
||||
#
|
||||
WORD(5) ALL = NOTBEFORE = WORD(5) NOTAFTER = WORD(5) COMMAND , COMMAND
|
||||
WORD(5) ALL = NOTBEFORE = WORD(5) COMMAND , NOTAFTER = WORD(5) COMMAND
|
||||
WORD(5) ALL = NOTBEFORE = WORD(5) COMMAND
|
||||
WORD(5) ALL = NOTBEFORE = WORD(5) COMMAND
|
||||
WORD(5) ALL = NOTBEFORE = WORD(5) COMMAND
|
||||
WORD(5) ALL = NOTBEFORE = WORD(5) COMMAND
|
||||
WORD(5) ALL = NOTBEFORE = WORD(5) COMMAND
|
||||
WORD(5) ALL = NOTBEFORE = WORD(5) COMMAND
|
||||
WORD(5) ALL = NOTBEFORE = WORD(5) COMMAND
|
||||
WORD(5) ALL = NOTBEFORE = WORD(5) COMMAND
|
||||
WORD(6) ALL = NOTBEFORE = WORD(6) NOTAFTER = WORD(6) COMMAND , COMMAND
|
||||
WORD(6) ALL = NOTBEFORE = WORD(6) COMMAND , NOTAFTER = WORD(6) COMMAND
|
||||
WORD(6) ALL = NOTBEFORE = WORD(6) COMMAND
|
||||
WORD(6) ALL = NOTBEFORE = WORD(6) COMMAND
|
||||
WORD(6) ALL = NOTBEFORE = WORD(6) COMMAND
|
||||
WORD(6) ALL = NOTBEFORE = WORD(6) COMMAND
|
||||
WORD(6) ALL = NOTBEFORE = WORD(6) COMMAND
|
||||
WORD(6) ALL = NOTBEFORE = WORD(6) COMMAND
|
||||
WORD(6) ALL = NOTBEFORE = WORD(6) COMMAND
|
||||
WORD(6) ALL = NOTBEFORE = WORD(6) COMMAND
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
#
|
||||
|
||||
WORD(5) ALL = ( : ) ALL
|
||||
WORD(5) ALL = ( : ) ALL
|
||||
WORD(5) ALL = ( ) ALL
|
||||
WORD(5) ALL = ( ) ALL
|
||||
WORD(6) ALL = ( : ) ALL
|
||||
WORD(6) ALL = ( : ) ALL
|
||||
WORD(6) ALL = ( ) ALL
|
||||
WORD(6) ALL = ( ) ALL
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
#
|
||||
USERALIAS ALIAS = WORD(5) , WORD(5)
|
||||
USERALIAS ALIAS = WORD(6) , WORD(6)
|
||||
DEFAULTS_USER ALIAS DEFVAR
|
||||
DEFAULTS_USER WORD(5) , WORD(5) DEFVAR
|
||||
DEFAULTS_USER WORD(5) , WORD(5) DEFVAR
|
||||
DEFAULTS_USER WORD(5) , WORD(5) DEFVAR
|
||||
DEFAULTS_USER WORD(6) , WORD(6) DEFVAR
|
||||
DEFAULTS_USER WORD(6) , WORD(6) DEFVAR
|
||||
DEFAULTS_USER WORD(6) , WORD(6) DEFVAR
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
#
|
||||
USERALIAS ALIAS = WORD(5) : ALIAS = WORD(5)
|
||||
USERALIAS ALIAS = WORD(6) : ALIAS = WORD(6)
|
||||
|
||||
#
|
||||
USERALIAS ALIAS = WORD(5) <*> ERROR ALIAS = WORD(5)
|
||||
USERALIAS ALIAS = WORD(6) <*> ERROR ALIAS = WORD(6)
|
||||
|
||||
@@ -1,12 +1,12 @@
|
||||
#
|
||||
DEFAULTS_USER WORD(5) DEFVAR
|
||||
DEFAULTS_RUNAS WORD(5) DEFVAR
|
||||
DEFAULTS_USER WORD(6) DEFVAR
|
||||
DEFAULTS_RUNAS WORD(6) DEFVAR
|
||||
DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR
|
||||
DEFAULTS_RUNAS BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR
|
||||
|
||||
#
|
||||
WORD(5) ALL = ALL
|
||||
WORD(5) ALL = ( WORD(5) : WORD(5) ) ALL
|
||||
WORD(6) ALL = ALL
|
||||
WORD(6) ALL = ( WORD(6) : WORD(6) ) ALL
|
||||
BEGINSTR STRBODY ENDSTR WORD(4) ALL = ALL
|
||||
BEGINSTR STRBODY ENDSTR WORD(4) ALL = ( BEGINSTR STRBODY ENDSTR WORD(4) : BEGINSTR STRBODY ENDSTR WORD(4) ) ALL
|
||||
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
#
|
||||
USERALIAS ALIAS = BEGINSTR STRBODY ENDSTR WORD(4)
|
||||
USERALIAS ALIAS = BEGINSTR STRBODY STRBODY ENDSTR WORD(4)
|
||||
USERALIAS ALIAS = WORD(5)
|
||||
USERALIAS ALIAS = WORD(6)
|
||||
|
||||
#
|
||||
USERALIAS ALIAS = BEGINSTR STRBODY <*> ERROR ERROR
|
||||
@@ -1,7 +1,7 @@
|
||||
/*
|
||||
* SPDX-License-Identifier: ISC
|
||||
*
|
||||
* Copyright (c) 1993-1996, 1998-2005, 2007-2017
|
||||
* Copyright (c) 1993-1996, 1998-2005, 2007-2020
|
||||
* Todd C. Miller <Todd.Miller@sudo.ws>
|
||||
*
|
||||
* Permission to use, copy, modify, and distribute this software for any
|
||||
@@ -425,6 +425,9 @@ extern const char *path_plugin_dir;
|
||||
char *find_editor(int nfiles, char **files, int *argc_out, char ***argv_out,
|
||||
char * const *whitelist, const char **env_editor, bool env_error);
|
||||
|
||||
/* exptilde.c */
|
||||
bool expand_tilde(char **path, const char *user);
|
||||
|
||||
/* gc.c */
|
||||
enum sudoers_gc_types {
|
||||
GC_UNKNOWN,
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
/*
|
||||
* SPDX-License-Identifier: ISC
|
||||
*
|
||||
* Copyright (c) 2011-2013, 2015, 2017
|
||||
* Copyright (c) 2011-2013, 2015, 2017, 2019-2020
|
||||
* Todd C. Miller <Todd.Miller@sudo.ws>
|
||||
*
|
||||
* Permission to use, copy, modify, and distribute this software for any
|
||||
@@ -69,6 +69,7 @@
|
||||
* 46 sudo 1.8.20, added TIMEOUT, NOTBEFORE and NOTAFTER options.
|
||||
* 47 sudo 1.9.0, Cmd_Alias treated as Cmnd_Alias, support for multiple digests per command and for ALL.
|
||||
* 48 sudo 1.9.1, @include and @includedir, include path escaping/quoting.
|
||||
* 49 sudo 1.9.3, CWD and CHDIR options.
|
||||
*/
|
||||
|
||||
#ifndef SUDOERS_VERSION_H
|
||||
|
||||
File diff suppressed because it is too large
Load Diff
@@ -115,6 +115,7 @@ DEFVAR [a-z_]+
|
||||
%x INSTR
|
||||
%s WANTDIGEST
|
||||
%x GOTINC
|
||||
%s EXPECTPATH
|
||||
|
||||
%%
|
||||
<GOTDEFS>[[:blank:]]*,[[:blank:]]* {
|
||||
@@ -573,6 +574,20 @@ ALL {
|
||||
LEXRETURN(NOTAFTER);
|
||||
}
|
||||
|
||||
<INITIAL>CWD {
|
||||
LEXTRACE("CWD ");
|
||||
prev_state = YY_START;
|
||||
BEGIN EXPECTPATH;
|
||||
LEXRETURN(CWD);
|
||||
}
|
||||
|
||||
<INITIAL>CHROOT {
|
||||
LEXTRACE("CHROOT ");
|
||||
prev_state = YY_START;
|
||||
BEGIN EXPECTPATH;
|
||||
LEXRETURN(CHROOT);
|
||||
}
|
||||
|
||||
<INITIAL>ROLE {
|
||||
#ifdef HAVE_SELINUX
|
||||
LEXTRACE("ROLE ");
|
||||
@@ -660,6 +675,14 @@ sudoedit {
|
||||
yyterminate();
|
||||
} /* sudo -e */
|
||||
|
||||
<EXPECTPATH>({PATH}|{WORD}) {
|
||||
BEGIN prev_state;
|
||||
if (!fill(sudoerstext, sudoersleng))
|
||||
yyterminate();
|
||||
LEXTRACE("WORD(5) ");
|
||||
LEXRETURN(WORD);
|
||||
}
|
||||
|
||||
{PATH} {
|
||||
/* directories can't have args... */
|
||||
if (sudoerstext[sudoersleng - 1] == '/') {
|
||||
@@ -667,12 +690,11 @@ sudoedit {
|
||||
if (!fill_cmnd(sudoerstext, sudoersleng))
|
||||
yyterminate();
|
||||
LEXRETURN(COMMAND);
|
||||
} else {
|
||||
}
|
||||
BEGIN GOTCMND;
|
||||
LEXTRACE("COMMAND ");
|
||||
if (!fill_cmnd(sudoerstext, sudoersleng))
|
||||
yyterminate();
|
||||
}
|
||||
} /* a pathname */
|
||||
|
||||
<INITIAL,GOTDEFS>\" {
|
||||
@@ -686,7 +708,7 @@ sudoedit {
|
||||
/* a word */
|
||||
if (!fill(sudoerstext, sudoersleng))
|
||||
yyterminate();
|
||||
LEXTRACE("WORD(5) ");
|
||||
LEXTRACE("WORD(6) ");
|
||||
LEXRETURN(WORD);
|
||||
}
|
||||
|
||||
@@ -696,7 +718,7 @@ sudoedit {
|
||||
if (!fill(sudoerstext, sudoersleng))
|
||||
yyterminate();
|
||||
BEGIN INITIAL;
|
||||
LEXTRACE("WORD(6) ");
|
||||
LEXTRACE("WORD(7) ");
|
||||
LEXRETURN(WORD);
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user