diff --git a/plugins/sudoers/check.h b/plugins/sudoers/check.h
index 39c61fc49..e4970008f 100644
--- a/plugins/sudoers/check.h
+++ b/plugins/sudoers/check.h
@@ -85,5 +85,6 @@ int timestamp_status(void *vcookie, struct passwd *pw);
 int get_starttime(pid_t pid, struct timespec *starttime);
 bool already_lectured(int status);
 int set_lectured(void);
+int create_admin_success_flag(void);
 
 #endif /* SUDOERS_CHECK_H */
diff --git a/plugins/sudoers/regress/fuzz/fuzz_policy.c b/plugins/sudoers/regress/fuzz/fuzz_policy.c
index 9081df367..0b99f40f9 100644
--- a/plugins/sudoers/regress/fuzz/fuzz_policy.c
+++ b/plugins/sudoers/regress/fuzz/fuzz_policy.c
@@ -500,6 +500,13 @@ timestamp_remove(bool unlink_it)
 return true;
 }
 
+/* STUB */
+int
+create_admin_success_flag(void)
+{
+ return true;
+}
+
 /* STUB */
 static int
 sudo_file_open(struct sudo_nss *nss)
diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c
index 8a9251fe3..c9fa26480 100644
--- a/plugins/sudoers/sudoers.c
+++ b/plugins/sudoers/sudoers.c
@@ -63,6 +63,7 @@
 
 #include "sudoers.h"
 #include "parse.h"
+#include "check.h"
 #include "auth/sudo_auth.h"
 #include "sudo_iolog.h"
 
@@ -70,7 +71,6 @@
 * Prototypes
 */
 static int set_cmnd(void);
-static int create_admin_success_flag(void);
 static bool init_vars(char * const *);
 static bool set_loginclass(struct passwd *);
 static bool set_runasgr(const char *, bool);
@@ -1620,45 +1620,6 @@ sudoers_cleanup(void)
 debug_return;
 }
 
-#ifdef USE_ADMIN_FLAG
-static int
-create_admin_success_flag(void)
-{
- char flagfile[PATH_MAX];
- int len, ret = -1;
- debug_decl(create_admin_success_flag, SUDOERS_DEBUG_PLUGIN);
-
- /* Check whether the user is in the sudo or admin group. */
- if (!user_in_group(sudo_user.pw, "sudo") &&
- !user_in_group(sudo_user.pw, "admin"))
- debug_return_int(true);
-
- /* Build path to flag file. */
- len = snprintf(flagfile, sizeof(flagfile), "%s/.sudo_as_admin_successful",
- user_dir);
- if (len < 0 || len >= ssizeof(flagfile))
- debug_return_int(false);
-
- /* Create admin flag file if it doesn't already exist. */
- if (set_perms(PERM_USER)) {
- int fd = open(flagfile, O_CREAT|O_WRONLY|O_NONBLOCK|O_EXCL, 0644);
- ret = fd != -1 || errno == EEXIST;
- if (fd != -1)
- close(fd);
- if (!restore_perms())
- ret = -1;
- }
- debug_return_int(ret);
-}
-#else /* !USE_ADMIN_FLAG */
-static int
-create_admin_success_flag(void)
-{
- /* STUB */
- return true;
-}
-#endif /* USE_ADMIN_FLAG */
-
 static bool
 tty_present(void)
 {
diff --git a/plugins/sudoers/timestamp.c b/plugins/sudoers/timestamp.c
index dfc9bdfc5..75391eee1 100644
--- a/plugins/sudoers/timestamp.c
+++ b/plugins/sudoers/timestamp.c
@@ -1082,3 +1082,42 @@ set_lectured(void)
 done:
 debug_return_int(ret);
 }
+
+#ifdef USE_ADMIN_FLAG
+int
+create_admin_success_flag(void)
+{
+ char flagfile[PATH_MAX];
+ int len, ret = -1;
+ debug_decl(create_admin_success_flag, SUDOERS_DEBUG_AUTH);
+
+ /* Check whether the user is in the sudo or admin group. */
+ if (!user_in_group(sudo_user.pw, "sudo") &&
+ !user_in_group(sudo_user.pw, "admin"))
+ debug_return_int(true);
+
+ /* Build path to flag file. */
+ len = snprintf(flagfile, sizeof(flagfile), "%s/.sudo_as_admin_successful",
+ user_dir);
+ if (len < 0 || len >= ssizeof(flagfile))
+ debug_return_int(false);
+
+ /* Create admin flag file if it doesn't already exist. */
+ if (set_perms(PERM_USER)) {
+ int fd = open(flagfile, O_CREAT|O_WRONLY|O_NONBLOCK|O_EXCL, 0644);
+ ret = fd != -1 || errno == EEXIST;
+ if (fd != -1)
+ close(fd);
+ if (!restore_perms())
+ ret = -1;
+ }
+ debug_return_int(ret);
+}
+#else /* !USE_ADMIN_FLAG */
+int
+create_admin_success_flag(void)
+{
+ /* STUB */
+ return true;
+}
+#endif /* USE_ADMIN_FLAG */
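Review bot: The moved create_admin_success_flag() now has external linkage but its three-valued int contract is still undocumented, and an open() failure for any reason other than EEXIST is folded into `false` with no diagnostic, so a caller cannot tell it from the path-too-long case on the line above it. A comment above the `#ifdef USE_ADMIN_FLAG` definition (and on the prototype added in check.h) should state that it returns true if the flag file exists or was created, or if the user is in neither the sudo nor the admin group; false if the path did not fit in flagfile or open() failed; and -1 if set_perms()/restore_perms() failed. That comment should also say why the create runs under PERM_USER with O_EXCL and O_NONBLOCK: the file lives in a user-writable directory, so it is created with the invoking user's privileges, O_EXCL makes open() fail with EEXIST rather than follow a pre-existing symlink, and O_NONBLOCK avoids blocking on a FIFO, none of which is obvious from the code. Consider also recording the non-EEXIST open() failure in the debug log, e.g. `sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_ERRNO, "unable to create %s", flagfile);`, so it is visible when diagnosing a missing flag. The body is otherwise identical to the one removed from sudoers.c apart from the debug subsystem changing to SUDOERS_DEBUG_AUTH, which looks intentional for its new home.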