diff --git a/MANIFEST b/MANIFEST index ac115970e..2ce6ad4d7 100644 --- a/MANIFEST +++ b/MANIFEST @@ -631,6 +631,7 @@ plugins/sudoers/def_data.in plugins/sudoers/defaults.c plugins/sudoers/defaults.h plugins/sudoers/digestname.c +plugins/sudoers/display.c plugins/sudoers/editor.c plugins/sudoers/env.c plugins/sudoers/env_pattern.c diff --git a/plugins/sudoers/Makefile.in b/plugins/sudoers/Makefile.in index 69af3d16e..beb2c4382 100644 --- a/plugins/sudoers/Makefile.in +++ b/plugins/sudoers/Makefile.in @@ -183,8 +183,8 @@ LIBPARSESUDOERS_OBJS = alias.lo b64_decode.lo canon_path.lo defaults.lo \ LIBPARSESUDOERS_IOBJS = $(LIBPARSESUDOERS_OBJS:.lo=.i) passwd.i -SUDOERS_OBJS = $(AUTH_OBJS) audit.lo boottime.lo check.lo editor.lo \ - env.lo sudoers_hooks.lo env_pattern.lo file.lo \ +SUDOERS_OBJS = $(AUTH_OBJS) audit.lo boottime.lo check.lo display.lo \ + editor.lo env.lo sudoers_hooks.lo env_pattern.lo file.lo \ find_path.lo fmtsudoers.lo gc.lo goodpath.lo group_plugin.lo \ interfaces.lo iolog.lo iolog_path_escapes.lo locale.lo \ log_client.lo logging.lo parse.lo pivot.lo policy.lo \ @@ -261,8 +261,8 @@ FUZZ_POLICY_OBJS = editor.lo env.lo env_pattern.lo fuzz_policy.o fuzz_stubs.o \ FUZZ_POLICY_CORPUS = $(srcdir)/regress/corpus/seed/policy/policy.* -FUZZ_SUDOERS_OBJS = check_aliases.o fuzz_stubs.o fuzz_sudoers.o fmtsudoers.lo \ - parse.lo locale.lo +FUZZ_SUDOERS_OBJS = check_aliases.o display.lo fuzz_stubs.o fuzz_sudoers.o \ + fmtsudoers.lo parse.lo locale.lo FUZZ_SUDOERS_CORPUS = $(top_builddir)/examples/sudoers \ $(srcdir)/regress/sudoers/test1.in \ @@ -1472,6 +1472,30 @@ digestname.i: $(srcdir)/digestname.c $(incdir)/compat/stdbool.h \ $(CC) -E -o $@ $(CPPFLAGS) $< digestname.plog: digestname.i rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/digestname.c --i-file $< --output-file $@ +display.lo: $(srcdir)/display.c $(devdir)/def_data.h $(devdir)/gram.h \ + $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \ + $(incdir)/sudo_conf.h $(incdir)/sudo_debug.h \ + $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_lbuf.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \ + $(incdir)/sudo_util.h $(srcdir)/defaults.h $(srcdir)/logging.h \ + $(srcdir)/parse.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/display.c +display.i: $(srcdir)/display.c $(devdir)/def_data.h $(devdir)/gram.h \ + $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \ + $(incdir)/sudo_conf.h $(incdir)/sudo_debug.h \ + $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_lbuf.h \ + $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \ + $(incdir)/sudo_util.h $(srcdir)/defaults.h $(srcdir)/logging.h \ + $(srcdir)/parse.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h + $(CC) -E -o $@ $(CPPFLAGS) $< +display.plog: display.i + rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/display.c --i-file $< --output-file $@ editor.lo: $(srcdir)/editor.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \ $(incdir)/sudo_compat.h $(incdir)/sudo_conf.h \ $(incdir)/sudo_debug.h $(incdir)/sudo_eventlog.h \ @@ -2366,20 +2390,20 @@ parse.lo: $(srcdir)/parse.c $(devdir)/def_data.h $(devdir)/gram.h \ $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \ $(incdir)/sudo_conf.h $(incdir)/sudo_debug.h \ $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ - $(incdir)/sudo_gettext.h $(incdir)/sudo_lbuf.h \ - $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ - $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ - $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ + $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ + $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ $(top_builddir)/config.h $(top_builddir)/pathnames.h $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/parse.c parse.i: $(srcdir)/parse.c $(devdir)/def_data.h $(devdir)/gram.h \ $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \ $(incdir)/sudo_conf.h $(incdir)/sudo_debug.h \ $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ - $(incdir)/sudo_gettext.h $(incdir)/sudo_lbuf.h \ - $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ - $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ - $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ + $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ + $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ $(top_builddir)/config.h $(top_builddir)/pathnames.h $(CC) -E -o $@ $(CPPFLAGS) $< parse.plog: parse.i diff --git a/plugins/sudoers/display.c b/plugins/sudoers/display.c new file mode 100644 index 000000000..431798014 --- /dev/null +++ b/plugins/sudoers/display.c @@ -0,0 +1,609 @@ +/* + * SPDX-License-Identifier: ISC + * + * Copyright (c) 2004-2005, 2007-2023 Todd C. Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +/* + * This is an open source non-commercial project. Dear PVS-Studio, please check it. + * PVS-Studio Static Code Analyzer for C, C++ and C#: http://www.viva64.com + */ + +#include + +#include +#include +#include +#include +#include +#include +#include + +#include "sudoers.h" +#include "sudo_lbuf.h" +#include + +static int +display_priv_short(struct sudoers_parse_tree *parse_tree, struct passwd *pw, + struct userspec *us, struct sudo_lbuf *lbuf) +{ + struct privilege *priv; + int nfound = 0; + debug_decl(display_priv_short, SUDOERS_DEBUG_PARSER); + + TAILQ_FOREACH(priv, &us->privileges, entries) { + struct cmndspec *cs; + struct cmndtag tags; + + if (hostlist_matches(parse_tree, pw, &priv->hostlist) != ALLOW) + continue; + + sudoers_defaults_list_to_tags(&priv->defaults, &tags); + TAILQ_FOREACH(cs, &priv->cmndlist, entries) { + struct cmndspec *prev_cs = TAILQ_PREV(cs, cmndspec_list, entries); + + if (prev_cs == NULL || RUNAS_CHANGED(cs, prev_cs)) { + struct member *m; + + /* Start new line, first entry or RunAs changed. */ + if (prev_cs != NULL) + sudo_lbuf_append(lbuf, "\n"); + sudo_lbuf_append(lbuf, " ("); + if (cs->runasuserlist != NULL) { + TAILQ_FOREACH(m, cs->runasuserlist, entries) { + if (m != TAILQ_FIRST(cs->runasuserlist)) + sudo_lbuf_append(lbuf, ", "); + sudoers_format_member(lbuf, parse_tree, m, ", ", + RUNASALIAS); + } + } else if (cs->runasgrouplist == NULL) { + sudo_lbuf_append(lbuf, "%s", def_runas_default); + } else { + sudo_lbuf_append(lbuf, "%s", pw->pw_name); + } + if (cs->runasgrouplist != NULL) { + sudo_lbuf_append(lbuf, " : "); + TAILQ_FOREACH(m, cs->runasgrouplist, entries) { + if (m != TAILQ_FIRST(cs->runasgrouplist)) + sudo_lbuf_append(lbuf, ", "); + sudoers_format_member(lbuf, parse_tree, m, ", ", + RUNASALIAS); + } + } + sudo_lbuf_append(lbuf, ") "); + sudoers_format_cmndspec(lbuf, parse_tree, cs, NULL, tags, true); + } else { + /* Continue existing line. */ + sudo_lbuf_append(lbuf, ", "); + sudoers_format_cmndspec(lbuf, parse_tree, cs, prev_cs, tags, + true); + } + nfound++; + } + sudo_lbuf_append(lbuf, "\n"); + } + debug_return_int(nfound); +} + +/* + * Compare the current cmndspec with the previous one to determine + * whether we need to start a new long entry for "sudo -ll". + * Returns true if we should start a new long entry, else false. + */ +static bool +new_long_entry(struct cmndspec *cs, struct cmndspec *prev_cs) +{ + debug_decl(new_long_entry, SUDOERS_DEBUG_PARSER); + + if (prev_cs == NULL) + debug_return_bool(true); + if (RUNAS_CHANGED(cs, prev_cs) || TAGS_CHANGED(prev_cs->tags, cs->tags)) + debug_return_bool(true); +#ifdef HAVE_PRIV_SET + if (cs->privs && (!prev_cs->privs || strcmp(cs->privs, prev_cs->privs) != 0)) + debug_return_bool(true); + if (cs->limitprivs && (!prev_cs->limitprivs || strcmp(cs->limitprivs, prev_cs->limitprivs) != 0)) + debug_return_bool(true); +#endif /* HAVE_PRIV_SET */ +#ifdef HAVE_SELINUX + if (cs->role && (!prev_cs->role || strcmp(cs->role, prev_cs->role) != 0)) + debug_return_bool(true); + if (cs->type && (!prev_cs->type || strcmp(cs->type, prev_cs->type) != 0)) + debug_return_bool(true); +#endif /* HAVE_SELINUX */ +#ifdef HAVE_APPARMOR + if (cs->apparmor_profile && (!prev_cs->apparmor_profile || strcmp(cs->apparmor_profile, prev_cs->apparmor_profile) != 0)) + debug_return_bool(true); +#endif /* HAVE_APPARMOR */ + if (cs->runchroot && (!prev_cs->runchroot || strcmp(cs->runchroot, prev_cs->runchroot) != 0)) + debug_return_bool(true); + if (cs->runcwd && (!prev_cs->runcwd || strcmp(cs->runcwd, prev_cs->runcwd) != 0)) + debug_return_bool(true); + if (cs->timeout != prev_cs->timeout) + debug_return_bool(true); + if (cs->notbefore != prev_cs->notbefore) + debug_return_bool(true); + if (cs->notafter != prev_cs->notafter) + debug_return_bool(true); + debug_return_bool(false); +} + +static int +display_priv_long(struct sudoers_parse_tree *parse_tree, struct passwd *pw, + struct userspec *us, struct sudo_lbuf *lbuf) +{ + struct privilege *priv; + int nfound = 0; + debug_decl(display_priv_long, SUDOERS_DEBUG_PARSER); + + TAILQ_FOREACH(priv, &us->privileges, entries) { + struct cmndspec *cs, *prev_cs; + + if (hostlist_matches(parse_tree, pw, &priv->hostlist) != ALLOW) + continue; + prev_cs = NULL; + TAILQ_FOREACH(cs, &priv->cmndlist, entries) { + struct defaults *d; + struct member *m; + + if (new_long_entry(cs, prev_cs)) { + unsigned int olen; + + if (priv->ldap_role != NULL) { + sudo_lbuf_append(lbuf, _("\nLDAP Role: %s\n"), + priv->ldap_role); + } else { + sudo_lbuf_append(lbuf, "%s", _("\nSudoers entry:\n")); + } + sudo_lbuf_append(lbuf, "%s", _(" RunAsUsers: ")); + if (cs->runasuserlist != NULL) { + TAILQ_FOREACH(m, cs->runasuserlist, entries) { + if (m != TAILQ_FIRST(cs->runasuserlist)) + sudo_lbuf_append(lbuf, ", "); + sudoers_format_member(lbuf, parse_tree, m, ", ", + RUNASALIAS); + } + } else if (cs->runasgrouplist == NULL) { + sudo_lbuf_append(lbuf, "%s", def_runas_default); + } else { + sudo_lbuf_append(lbuf, "%s", pw->pw_name); + } + sudo_lbuf_append(lbuf, "\n"); + if (cs->runasgrouplist != NULL) { + sudo_lbuf_append(lbuf, "%s", _(" RunAsGroups: ")); + TAILQ_FOREACH(m, cs->runasgrouplist, entries) { + if (m != TAILQ_FIRST(cs->runasgrouplist)) + sudo_lbuf_append(lbuf, ", "); + sudoers_format_member(lbuf, parse_tree, m, ", ", + RUNASALIAS); + } + sudo_lbuf_append(lbuf, "\n"); + } + olen = lbuf->len; + sudo_lbuf_append(lbuf, "%s", _(" Options: ")); + TAILQ_FOREACH(d, &priv->defaults, entries) { + sudoers_format_default(lbuf, d); + sudo_lbuf_append(lbuf, ", "); + } + if (TAG_SET(cs->tags.setenv)) + sudo_lbuf_append(lbuf, "%ssetenv, ", cs->tags.setenv ? "" : "!"); + if (TAG_SET(cs->tags.noexec)) + sudo_lbuf_append(lbuf, "%snoexec, ", cs->tags.noexec ? "" : "!"); + if (TAG_SET(cs->tags.intercept)) + sudo_lbuf_append(lbuf, "%sintercept, ", cs->tags.intercept ? "" : "!"); + if (TAG_SET(cs->tags.nopasswd)) + sudo_lbuf_append(lbuf, "%sauthenticate, ", cs->tags.nopasswd ? "!" : ""); + if (TAG_SET(cs->tags.log_input)) + sudo_lbuf_append(lbuf, "%slog_input, ", cs->tags.log_input ? "" : "!"); + if (TAG_SET(cs->tags.log_output)) + sudo_lbuf_append(lbuf, "%slog_output, ", cs->tags.log_output ? "" : "!"); + if (lbuf->buf[lbuf->len - 2] == ',') { + lbuf->len -= 2; /* remove trailing ", " */ + sudo_lbuf_append(lbuf, "\n"); + } else { + lbuf->len = olen; /* no options */ + } +#ifdef HAVE_PRIV_SET + if (cs->privs) + sudo_lbuf_append(lbuf, " Privs: %s\n", cs->privs); + if (cs->limitprivs) + sudo_lbuf_append(lbuf, " Limitprivs: %s\n", cs->limitprivs); +#endif /* HAVE_PRIV_SET */ +#ifdef HAVE_SELINUX + if (cs->role) + sudo_lbuf_append(lbuf, " Role: %s\n", cs->role); + if (cs->type) + sudo_lbuf_append(lbuf, " Type: %s\n", cs->type); +#endif /* HAVE_SELINUX */ + if (cs->runchroot != NULL) + sudo_lbuf_append(lbuf, " Chroot: %s\n", cs->runchroot); + if (cs->runcwd != NULL) + sudo_lbuf_append(lbuf, " Cwd: %s\n", cs->runcwd); + if (cs->timeout > 0) { + char numbuf[(((sizeof(int) * 8) + 2) / 3) + 2]; + (void)snprintf(numbuf, sizeof(numbuf), "%d", cs->timeout); + sudo_lbuf_append(lbuf, " Timeout: %s\n", numbuf); + } + if (cs->notbefore != UNSPEC) { + char buf[sizeof("CCYYMMDDHHMMSSZ")] = ""; + struct tm gmt; + size_t len; + if (gmtime_r(&cs->notbefore, &gmt) != NULL) { + len = strftime(buf, sizeof(buf), "%Y%m%d%H%M%SZ", &gmt); + if (len != 0 && buf[sizeof(buf) - 1] == '\0') + sudo_lbuf_append(lbuf, " NotBefore: %s\n", buf); + } + } + if (cs->notafter != UNSPEC) { + char buf[sizeof("CCYYMMDDHHMMSSZ")] = ""; + struct tm gmt; + size_t len; + if (gmtime_r(&cs->notafter, &gmt) != NULL) { + len = strftime(buf, sizeof(buf), "%Y%m%d%H%M%SZ", &gmt); + if (len != 0 && buf[sizeof(buf) - 1] == '\0') + sudo_lbuf_append(lbuf, " NotAfter: %s\n", buf); + } + } + sudo_lbuf_append(lbuf, "%s", _(" Commands:\n")); + } + sudo_lbuf_append(lbuf, "\t"); + sudoers_format_member(lbuf, parse_tree, cs->cmnd, "\n\t", + CMNDALIAS); + sudo_lbuf_append(lbuf, "\n"); + prev_cs = cs; + nfound++; + } + } + debug_return_int(nfound); +} + +static int +sudo_display_userspecs(struct sudoers_parse_tree *parse_tree, struct passwd *pw, + struct sudo_lbuf *lbuf, bool verbose) +{ + struct userspec *us; + int nfound = 0; + debug_decl(sudo_display_userspecs, SUDOERS_DEBUG_PARSER); + + TAILQ_FOREACH(us, &parse_tree->userspecs, entries) { + if (userlist_matches(parse_tree, pw, &us->users) != ALLOW) + continue; + + if (verbose) + nfound += display_priv_long(parse_tree, pw, us, lbuf); + else + nfound += display_priv_short(parse_tree, pw, us, lbuf); + } + if (sudo_lbuf_error(lbuf)) + debug_return_int(-1); + debug_return_int(nfound); +} + +/* + * Display matching Defaults entries for the given user on this host. + */ +static int +display_defaults(struct sudoers_parse_tree *parse_tree, struct passwd *pw, + struct sudo_lbuf *lbuf) +{ + struct defaults *d; + const char *prefix; + int nfound = 0; + debug_decl(display_defaults, SUDOERS_DEBUG_PARSER); + + if (lbuf->len == 0 || isspace((unsigned char)lbuf->buf[lbuf->len - 1])) + prefix = " "; + else + prefix = ", "; + + TAILQ_FOREACH(d, &parse_tree->defaults, entries) { + switch (d->type) { + case DEFAULTS_HOST: + if (hostlist_matches(parse_tree, pw, &d->binding->members) != ALLOW) + continue; + break; + case DEFAULTS_USER: + if (userlist_matches(parse_tree, pw, &d->binding->members) != ALLOW) + continue; + break; + case DEFAULTS_RUNAS: + case DEFAULTS_CMND: + continue; + } + sudo_lbuf_append(lbuf, "%s", prefix); + sudoers_format_default(lbuf, d); + prefix = ", "; + nfound++; + } + if (sudo_lbuf_error(lbuf)) + debug_return_int(-1); + debug_return_int(nfound); +} + +/* + * Display Defaults entries of the given type. + */ +static int +display_bound_defaults_by_type(struct sudoers_parse_tree *parse_tree, + int deftype, struct sudo_lbuf *lbuf) +{ + struct defaults *d; + struct defaults_binding *binding = NULL; + struct member *m; + const char *dsep; + int atype, nfound = 0; + debug_decl(display_bound_defaults_by_type, SUDOERS_DEBUG_PARSER); + + switch (deftype) { + case DEFAULTS_HOST: + atype = HOSTALIAS; + dsep = "@"; + break; + case DEFAULTS_USER: + atype = USERALIAS; + dsep = ":"; + break; + case DEFAULTS_RUNAS: + atype = RUNASALIAS; + dsep = ">"; + break; + case DEFAULTS_CMND: + atype = CMNDALIAS; + dsep = "!"; + break; + default: + debug_return_int(-1); + } + TAILQ_FOREACH(d, &parse_tree->defaults, entries) { + if (d->type != deftype) + continue; + + nfound++; + if (binding != d->binding) { + binding = d->binding; + if (nfound != 1) + sudo_lbuf_append(lbuf, "\n"); + sudo_lbuf_append(lbuf, " Defaults%s", dsep); + TAILQ_FOREACH(m, &binding->members, entries) { + if (m != TAILQ_FIRST(&binding->members)) + sudo_lbuf_append(lbuf, ", "); + sudoers_format_member(lbuf, parse_tree, m, ", ", atype); + } + sudo_lbuf_append(lbuf, " "); + } else + sudo_lbuf_append(lbuf, ", "); + sudoers_format_default(lbuf, d); + } + + if (sudo_lbuf_error(lbuf)) + debug_return_int(-1); + debug_return_int(nfound); +} + +/* + * Display Defaults entries that are per-runas or per-command + */ +static int +display_bound_defaults(struct sudoers_parse_tree *parse_tree, + struct passwd *pw, struct sudo_lbuf *lbuf) +{ + int nfound = 0; + debug_decl(display_bound_defaults, SUDOERS_DEBUG_PARSER); + + /* XXX - should only print ones that match what the user can do. */ + nfound += display_bound_defaults_by_type(parse_tree, DEFAULTS_RUNAS, lbuf); + nfound += display_bound_defaults_by_type(parse_tree, DEFAULTS_CMND, lbuf); + + if (sudo_lbuf_error(lbuf)) + debug_return_int(-1); + debug_return_int(nfound); +} + +static int +output(const char *buf) +{ + struct sudo_conv_message msg; + struct sudo_conv_reply repl; + debug_decl(output, SUDOERS_DEBUG_NSS); + + /* Call conversation function */ + memset(&msg, 0, sizeof(msg)); + msg.msg_type = SUDO_CONV_INFO_MSG; + msg.msg = buf; + memset(&repl, 0, sizeof(repl)); + if (sudo_conv(1, &msg, &repl, NULL) == -1) + debug_return_int(0); + debug_return_int(strlen(buf)); +} + +/* + * Print out privileges for the specified user. + * Returns true on success or -1 on error. + */ +int +display_privs(struct sudo_nss_list *snl, struct passwd *pw, bool verbose) +{ + struct sudo_nss *nss; + struct sudo_lbuf def_buf, priv_buf; + struct stat sb; + int cols, count, olen, n; + debug_decl(display_privs, SUDOERS_DEBUG_PARSER); + + cols = sudo_user.cols; + if (fstat(STDOUT_FILENO, &sb) == 0 && S_ISFIFO(sb.st_mode)) + cols = 0; + sudo_lbuf_init(&def_buf, output, 4, NULL, cols); + sudo_lbuf_init(&priv_buf, output, 8, NULL, cols); + + sudo_lbuf_append(&def_buf, _("Matching Defaults entries for %s on %s:\n"), + pw->pw_name, user_srunhost); + count = 0; + TAILQ_FOREACH(nss, snl, entries) { + n = display_defaults(nss->parse_tree, pw, &def_buf); + if (n == -1) + goto bad; + count += n; + } + if (count != 0) { + sudo_lbuf_append(&def_buf, "\n\n"); + } else { + /* Undo Defaults header. */ + def_buf.len = 0; + } + + /* Display Runas and Cmnd-specific defaults. */ + olen = def_buf.len; + sudo_lbuf_append(&def_buf, _("Runas and Command-specific defaults for %s:\n"), + pw->pw_name); + count = 0; + TAILQ_FOREACH(nss, snl, entries) { + n = display_bound_defaults(nss->parse_tree, pw, &def_buf); + if (n == -1) + goto bad; + count += n; + } + if (count != 0) { + sudo_lbuf_append(&def_buf, "\n\n"); + } else { + /* Undo Defaults header. */ + def_buf.len = olen; + } + + /* Display privileges from all sources. */ + sudo_lbuf_append(&priv_buf, + _("User %s may run the following commands on %s:\n"), + pw->pw_name, user_srunhost); + count = 0; + TAILQ_FOREACH(nss, snl, entries) { + if (nss->query(nss, pw) != -1) { + n = sudo_display_userspecs(nss->parse_tree, pw, &priv_buf, verbose); + if (n == -1) + goto bad; + count += n; + } + } + if (count == 0) { + def_buf.len = 0; + priv_buf.len = 0; + sudo_lbuf_append(&priv_buf, + _("User %s is not allowed to run sudo on %s.\n"), + pw->pw_name, user_srunhost); + } + if (sudo_lbuf_error(&def_buf) || sudo_lbuf_error(&priv_buf)) + goto bad; + + sudo_lbuf_print(&def_buf); + sudo_lbuf_print(&priv_buf); + + sudo_lbuf_destroy(&def_buf); + sudo_lbuf_destroy(&priv_buf); + + debug_return_int(true); +bad: + sudo_lbuf_destroy(&def_buf); + sudo_lbuf_destroy(&priv_buf); + + debug_return_int(-1); +} + +static int +display_cmnd_check(struct sudoers_parse_tree *parse_tree, struct passwd *pw, + time_t now) +{ + int host_match, runas_match, cmnd_match = UNSPEC; + char *saved_user_cmnd, *saved_user_base; + struct cmndspec *cs; + struct privilege *priv; + struct userspec *us; + debug_decl(display_cmnd_check, SUDOERS_DEBUG_PARSER); + + /* + * For "sudo -l command", user_cmnd is "list" and the actual + * command we are checking is in list_cmnd. + */ + saved_user_cmnd = user_cmnd; + saved_user_base = user_base; + user_cmnd = list_cmnd; + user_base = sudo_basename(user_cmnd); + + TAILQ_FOREACH_REVERSE(us, &parse_tree->userspecs, userspec_list, entries) { + if (userlist_matches(parse_tree, pw, &us->users) != ALLOW) + continue; + TAILQ_FOREACH_REVERSE(priv, &us->privileges, privilege_list, entries) { + host_match = hostlist_matches(parse_tree, pw, &priv->hostlist); + if (host_match != ALLOW) + continue; + TAILQ_FOREACH_REVERSE(cs, &priv->cmndlist, cmndspec_list, entries) { + if (cs->notbefore != UNSPEC) { + if (now < cs->notbefore) + continue; + } + if (cs->notafter != UNSPEC) { + if (now > cs->notafter) + continue; + } + runas_match = runaslist_matches(parse_tree, cs->runasuserlist, + cs->runasgrouplist, NULL, NULL); + if (runas_match == ALLOW) { + cmnd_match = cmnd_matches(parse_tree, cs->cmnd, + cs->runchroot, NULL); + if (cmnd_match != UNSPEC) + goto done; + } + } + } + } +done: + user_cmnd = saved_user_cmnd; + user_base = saved_user_base; + debug_return_int(cmnd_match); +} + +/* + * Check user_cmnd against sudoers and print the matching entry if the + * command is allowed. + * Returns true if the command is allowed, false if not or -1 on error. + */ +int +display_cmnd(struct sudo_nss_list *snl, struct passwd *pw) +{ + struct sudo_nss *nss; + int m, match = UNSPEC; + int ret = false; + time_t now; + debug_decl(display_cmnd, SUDOERS_DEBUG_PARSER); + + /* Iterate over each source, checking for the command. */ + time(&now); + TAILQ_FOREACH(nss, snl, entries) { + if (nss->query(nss, pw) == -1) { + /* The query function should have printed an error message. */ + debug_return_int(-1); + } + + m = display_cmnd_check(nss->parse_tree, pw, now); + if (m != UNSPEC) + match = m; + + if (!sudo_nss_can_continue(nss, m)) + break; + } + if (match == ALLOW) { + const int len = sudo_printf(SUDO_CONV_INFO_MSG, "%s%s%s\n", + list_cmnd, user_args ? " " : "", user_args ? user_args : ""); + ret = len < 0 ? -1 : true; + } + debug_return_int(ret); +} diff --git a/plugins/sudoers/parse.c b/plugins/sudoers/parse.c index 137ec8683..9485a851a 100644 --- a/plugins/sudoers/parse.c +++ b/plugins/sudoers/parse.c @@ -23,16 +23,13 @@ #include -#include #include #include #include #include -#include #include #include "sudoers.h" -#include "sudo_lbuf.h" #include static int @@ -512,576 +509,3 @@ sudoers_lookup(struct sudo_nss_list *snl, struct passwd *pw, int *cmnd_status, SET(validated, VALIDATE_ERROR); debug_return_int(validated); } - -static int -display_priv_short(struct sudoers_parse_tree *parse_tree, struct passwd *pw, - struct userspec *us, struct sudo_lbuf *lbuf) -{ - struct privilege *priv; - int nfound = 0; - debug_decl(display_priv_short, SUDOERS_DEBUG_PARSER); - - TAILQ_FOREACH(priv, &us->privileges, entries) { - struct cmndspec *cs; - struct cmndtag tags; - - if (hostlist_matches(parse_tree, pw, &priv->hostlist) != ALLOW) - continue; - - sudoers_defaults_list_to_tags(&priv->defaults, &tags); - TAILQ_FOREACH(cs, &priv->cmndlist, entries) { - struct cmndspec *prev_cs = TAILQ_PREV(cs, cmndspec_list, entries); - - if (prev_cs == NULL || RUNAS_CHANGED(cs, prev_cs)) { - struct member *m; - - /* Start new line, first entry or RunAs changed. */ - if (prev_cs != NULL) - sudo_lbuf_append(lbuf, "\n"); - sudo_lbuf_append(lbuf, " ("); - if (cs->runasuserlist != NULL) { - TAILQ_FOREACH(m, cs->runasuserlist, entries) { - if (m != TAILQ_FIRST(cs->runasuserlist)) - sudo_lbuf_append(lbuf, ", "); - sudoers_format_member(lbuf, parse_tree, m, ", ", - RUNASALIAS); - } - } else if (cs->runasgrouplist == NULL) { - sudo_lbuf_append(lbuf, "%s", def_runas_default); - } else { - sudo_lbuf_append(lbuf, "%s", pw->pw_name); - } - if (cs->runasgrouplist != NULL) { - sudo_lbuf_append(lbuf, " : "); - TAILQ_FOREACH(m, cs->runasgrouplist, entries) { - if (m != TAILQ_FIRST(cs->runasgrouplist)) - sudo_lbuf_append(lbuf, ", "); - sudoers_format_member(lbuf, parse_tree, m, ", ", - RUNASALIAS); - } - } - sudo_lbuf_append(lbuf, ") "); - sudoers_format_cmndspec(lbuf, parse_tree, cs, NULL, tags, true); - } else { - /* Continue existing line. */ - sudo_lbuf_append(lbuf, ", "); - sudoers_format_cmndspec(lbuf, parse_tree, cs, prev_cs, tags, - true); - } - nfound++; - } - sudo_lbuf_append(lbuf, "\n"); - } - debug_return_int(nfound); -} - -/* - * Compare the current cmndspec with the previous one to determine - * whether we need to start a new long entry for "sudo -ll". - * Returns true if we should start a new long entry, else false. - */ -static bool -new_long_entry(struct cmndspec *cs, struct cmndspec *prev_cs) -{ - debug_decl(new_long_entry, SUDOERS_DEBUG_PARSER); - - if (prev_cs == NULL) - debug_return_bool(true); - if (RUNAS_CHANGED(cs, prev_cs) || TAGS_CHANGED(prev_cs->tags, cs->tags)) - debug_return_bool(true); -#ifdef HAVE_PRIV_SET - if (cs->privs && (!prev_cs->privs || strcmp(cs->privs, prev_cs->privs) != 0)) - debug_return_bool(true); - if (cs->limitprivs && (!prev_cs->limitprivs || strcmp(cs->limitprivs, prev_cs->limitprivs) != 0)) - debug_return_bool(true); -#endif /* HAVE_PRIV_SET */ -#ifdef HAVE_SELINUX - if (cs->role && (!prev_cs->role || strcmp(cs->role, prev_cs->role) != 0)) - debug_return_bool(true); - if (cs->type && (!prev_cs->type || strcmp(cs->type, prev_cs->type) != 0)) - debug_return_bool(true); -#endif /* HAVE_SELINUX */ -#ifdef HAVE_APPARMOR - if (cs->apparmor_profile && (!prev_cs->apparmor_profile || strcmp(cs->apparmor_profile, prev_cs->apparmor_profile) != 0)) - debug_return_bool(true); -#endif /* HAVE_APPARMOR */ - if (cs->runchroot && (!prev_cs->runchroot || strcmp(cs->runchroot, prev_cs->runchroot) != 0)) - debug_return_bool(true); - if (cs->runcwd && (!prev_cs->runcwd || strcmp(cs->runcwd, prev_cs->runcwd) != 0)) - debug_return_bool(true); - if (cs->timeout != prev_cs->timeout) - debug_return_bool(true); - if (cs->notbefore != prev_cs->notbefore) - debug_return_bool(true); - if (cs->notafter != prev_cs->notafter) - debug_return_bool(true); - debug_return_bool(false); -} - -static int -display_priv_long(struct sudoers_parse_tree *parse_tree, struct passwd *pw, - struct userspec *us, struct sudo_lbuf *lbuf) -{ - struct privilege *priv; - int nfound = 0; - debug_decl(display_priv_long, SUDOERS_DEBUG_PARSER); - - TAILQ_FOREACH(priv, &us->privileges, entries) { - struct cmndspec *cs, *prev_cs; - - if (hostlist_matches(parse_tree, pw, &priv->hostlist) != ALLOW) - continue; - prev_cs = NULL; - TAILQ_FOREACH(cs, &priv->cmndlist, entries) { - struct defaults *d; - struct member *m; - - if (new_long_entry(cs, prev_cs)) { - unsigned int olen; - - if (priv->ldap_role != NULL) { - sudo_lbuf_append(lbuf, _("\nLDAP Role: %s\n"), - priv->ldap_role); - } else { - sudo_lbuf_append(lbuf, "%s", _("\nSudoers entry:\n")); - } - sudo_lbuf_append(lbuf, "%s", _(" RunAsUsers: ")); - if (cs->runasuserlist != NULL) { - TAILQ_FOREACH(m, cs->runasuserlist, entries) { - if (m != TAILQ_FIRST(cs->runasuserlist)) - sudo_lbuf_append(lbuf, ", "); - sudoers_format_member(lbuf, parse_tree, m, ", ", - RUNASALIAS); - } - } else if (cs->runasgrouplist == NULL) { - sudo_lbuf_append(lbuf, "%s", def_runas_default); - } else { - sudo_lbuf_append(lbuf, "%s", pw->pw_name); - } - sudo_lbuf_append(lbuf, "\n"); - if (cs->runasgrouplist != NULL) { - sudo_lbuf_append(lbuf, "%s", _(" RunAsGroups: ")); - TAILQ_FOREACH(m, cs->runasgrouplist, entries) { - if (m != TAILQ_FIRST(cs->runasgrouplist)) - sudo_lbuf_append(lbuf, ", "); - sudoers_format_member(lbuf, parse_tree, m, ", ", - RUNASALIAS); - } - sudo_lbuf_append(lbuf, "\n"); - } - olen = lbuf->len; - sudo_lbuf_append(lbuf, "%s", _(" Options: ")); - TAILQ_FOREACH(d, &priv->defaults, entries) { - sudoers_format_default(lbuf, d); - sudo_lbuf_append(lbuf, ", "); - } - if (TAG_SET(cs->tags.setenv)) - sudo_lbuf_append(lbuf, "%ssetenv, ", cs->tags.setenv ? "" : "!"); - if (TAG_SET(cs->tags.noexec)) - sudo_lbuf_append(lbuf, "%snoexec, ", cs->tags.noexec ? "" : "!"); - if (TAG_SET(cs->tags.intercept)) - sudo_lbuf_append(lbuf, "%sintercept, ", cs->tags.intercept ? "" : "!"); - if (TAG_SET(cs->tags.nopasswd)) - sudo_lbuf_append(lbuf, "%sauthenticate, ", cs->tags.nopasswd ? "!" : ""); - if (TAG_SET(cs->tags.log_input)) - sudo_lbuf_append(lbuf, "%slog_input, ", cs->tags.log_input ? "" : "!"); - if (TAG_SET(cs->tags.log_output)) - sudo_lbuf_append(lbuf, "%slog_output, ", cs->tags.log_output ? "" : "!"); - if (lbuf->buf[lbuf->len - 2] == ',') { - lbuf->len -= 2; /* remove trailing ", " */ - sudo_lbuf_append(lbuf, "\n"); - } else { - lbuf->len = olen; /* no options */ - } -#ifdef HAVE_PRIV_SET - if (cs->privs) - sudo_lbuf_append(lbuf, " Privs: %s\n", cs->privs); - if (cs->limitprivs) - sudo_lbuf_append(lbuf, " Limitprivs: %s\n", cs->limitprivs); -#endif /* HAVE_PRIV_SET */ -#ifdef HAVE_SELINUX - if (cs->role) - sudo_lbuf_append(lbuf, " Role: %s\n", cs->role); - if (cs->type) - sudo_lbuf_append(lbuf, " Type: %s\n", cs->type); -#endif /* HAVE_SELINUX */ - if (cs->runchroot != NULL) - sudo_lbuf_append(lbuf, " Chroot: %s\n", cs->runchroot); - if (cs->runcwd != NULL) - sudo_lbuf_append(lbuf, " Cwd: %s\n", cs->runcwd); - if (cs->timeout > 0) { - char numbuf[(((sizeof(int) * 8) + 2) / 3) + 2]; - (void)snprintf(numbuf, sizeof(numbuf), "%d", cs->timeout); - sudo_lbuf_append(lbuf, " Timeout: %s\n", numbuf); - } - if (cs->notbefore != UNSPEC) { - char buf[sizeof("CCYYMMDDHHMMSSZ")] = ""; - struct tm gmt; - size_t len; - if (gmtime_r(&cs->notbefore, &gmt) != NULL) { - len = strftime(buf, sizeof(buf), "%Y%m%d%H%M%SZ", &gmt); - if (len != 0 && buf[sizeof(buf) - 1] == '\0') - sudo_lbuf_append(lbuf, " NotBefore: %s\n", buf); - } - } - if (cs->notafter != UNSPEC) { - char buf[sizeof("CCYYMMDDHHMMSSZ")] = ""; - struct tm gmt; - size_t len; - if (gmtime_r(&cs->notafter, &gmt) != NULL) { - len = strftime(buf, sizeof(buf), "%Y%m%d%H%M%SZ", &gmt); - if (len != 0 && buf[sizeof(buf) - 1] == '\0') - sudo_lbuf_append(lbuf, " NotAfter: %s\n", buf); - } - } - sudo_lbuf_append(lbuf, "%s", _(" Commands:\n")); - } - sudo_lbuf_append(lbuf, "\t"); - sudoers_format_member(lbuf, parse_tree, cs->cmnd, "\n\t", - CMNDALIAS); - sudo_lbuf_append(lbuf, "\n"); - prev_cs = cs; - nfound++; - } - } - debug_return_int(nfound); -} - -static int -sudo_display_userspecs(struct sudoers_parse_tree *parse_tree, struct passwd *pw, - struct sudo_lbuf *lbuf, bool verbose) -{ - struct userspec *us; - int nfound = 0; - debug_decl(sudo_display_userspecs, SUDOERS_DEBUG_PARSER); - - TAILQ_FOREACH(us, &parse_tree->userspecs, entries) { - if (userlist_matches(parse_tree, pw, &us->users) != ALLOW) - continue; - - if (verbose) - nfound += display_priv_long(parse_tree, pw, us, lbuf); - else - nfound += display_priv_short(parse_tree, pw, us, lbuf); - } - if (sudo_lbuf_error(lbuf)) - debug_return_int(-1); - debug_return_int(nfound); -} - -/* - * Display matching Defaults entries for the given user on this host. - */ -static int -display_defaults(struct sudoers_parse_tree *parse_tree, struct passwd *pw, - struct sudo_lbuf *lbuf) -{ - struct defaults *d; - const char *prefix; - int nfound = 0; - debug_decl(display_defaults, SUDOERS_DEBUG_PARSER); - - if (lbuf->len == 0 || isspace((unsigned char)lbuf->buf[lbuf->len - 1])) - prefix = " "; - else - prefix = ", "; - - TAILQ_FOREACH(d, &parse_tree->defaults, entries) { - switch (d->type) { - case DEFAULTS_HOST: - if (hostlist_matches(parse_tree, pw, &d->binding->members) != ALLOW) - continue; - break; - case DEFAULTS_USER: - if (userlist_matches(parse_tree, pw, &d->binding->members) != ALLOW) - continue; - break; - case DEFAULTS_RUNAS: - case DEFAULTS_CMND: - continue; - } - sudo_lbuf_append(lbuf, "%s", prefix); - sudoers_format_default(lbuf, d); - prefix = ", "; - nfound++; - } - if (sudo_lbuf_error(lbuf)) - debug_return_int(-1); - debug_return_int(nfound); -} - -/* - * Display Defaults entries of the given type. - */ -static int -display_bound_defaults_by_type(struct sudoers_parse_tree *parse_tree, - int deftype, struct sudo_lbuf *lbuf) -{ - struct defaults *d; - struct defaults_binding *binding = NULL; - struct member *m; - const char *dsep; - int atype, nfound = 0; - debug_decl(display_bound_defaults_by_type, SUDOERS_DEBUG_PARSER); - - switch (deftype) { - case DEFAULTS_HOST: - atype = HOSTALIAS; - dsep = "@"; - break; - case DEFAULTS_USER: - atype = USERALIAS; - dsep = ":"; - break; - case DEFAULTS_RUNAS: - atype = RUNASALIAS; - dsep = ">"; - break; - case DEFAULTS_CMND: - atype = CMNDALIAS; - dsep = "!"; - break; - default: - debug_return_int(-1); - } - TAILQ_FOREACH(d, &parse_tree->defaults, entries) { - if (d->type != deftype) - continue; - - nfound++; - if (binding != d->binding) { - binding = d->binding; - if (nfound != 1) - sudo_lbuf_append(lbuf, "\n"); - sudo_lbuf_append(lbuf, " Defaults%s", dsep); - TAILQ_FOREACH(m, &binding->members, entries) { - if (m != TAILQ_FIRST(&binding->members)) - sudo_lbuf_append(lbuf, ", "); - sudoers_format_member(lbuf, parse_tree, m, ", ", atype); - } - sudo_lbuf_append(lbuf, " "); - } else - sudo_lbuf_append(lbuf, ", "); - sudoers_format_default(lbuf, d); - } - - if (sudo_lbuf_error(lbuf)) - debug_return_int(-1); - debug_return_int(nfound); -} - -/* - * Display Defaults entries that are per-runas or per-command - */ -static int -display_bound_defaults(struct sudoers_parse_tree *parse_tree, - struct passwd *pw, struct sudo_lbuf *lbuf) -{ - int nfound = 0; - debug_decl(display_bound_defaults, SUDOERS_DEBUG_PARSER); - - /* XXX - should only print ones that match what the user can do. */ - nfound += display_bound_defaults_by_type(parse_tree, DEFAULTS_RUNAS, lbuf); - nfound += display_bound_defaults_by_type(parse_tree, DEFAULTS_CMND, lbuf); - - if (sudo_lbuf_error(lbuf)) - debug_return_int(-1); - debug_return_int(nfound); -} - -static int -output(const char *buf) -{ - struct sudo_conv_message msg; - struct sudo_conv_reply repl; - debug_decl(output, SUDOERS_DEBUG_NSS); - - /* Call conversation function */ - memset(&msg, 0, sizeof(msg)); - msg.msg_type = SUDO_CONV_INFO_MSG; - msg.msg = buf; - memset(&repl, 0, sizeof(repl)); - if (sudo_conv(1, &msg, &repl, NULL) == -1) - debug_return_int(0); - debug_return_int(strlen(buf)); -} - -/* - * Print out privileges for the specified user. - * Returns true on success or -1 on error. - */ -int -display_privs(struct sudo_nss_list *snl, struct passwd *pw, bool verbose) -{ - struct sudo_nss *nss; - struct sudo_lbuf def_buf, priv_buf; - struct stat sb; - int cols, count, olen, n; - debug_decl(display_privs, SUDOERS_DEBUG_PARSER); - - cols = sudo_user.cols; - if (fstat(STDOUT_FILENO, &sb) == 0 && S_ISFIFO(sb.st_mode)) - cols = 0; - sudo_lbuf_init(&def_buf, output, 4, NULL, cols); - sudo_lbuf_init(&priv_buf, output, 8, NULL, cols); - - sudo_lbuf_append(&def_buf, _("Matching Defaults entries for %s on %s:\n"), - pw->pw_name, user_srunhost); - count = 0; - TAILQ_FOREACH(nss, snl, entries) { - n = display_defaults(nss->parse_tree, pw, &def_buf); - if (n == -1) - goto bad; - count += n; - } - if (count != 0) { - sudo_lbuf_append(&def_buf, "\n\n"); - } else { - /* Undo Defaults header. */ - def_buf.len = 0; - } - - /* Display Runas and Cmnd-specific defaults. */ - olen = def_buf.len; - sudo_lbuf_append(&def_buf, _("Runas and Command-specific defaults for %s:\n"), - pw->pw_name); - count = 0; - TAILQ_FOREACH(nss, snl, entries) { - n = display_bound_defaults(nss->parse_tree, pw, &def_buf); - if (n == -1) - goto bad; - count += n; - } - if (count != 0) { - sudo_lbuf_append(&def_buf, "\n\n"); - } else { - /* Undo Defaults header. */ - def_buf.len = olen; - } - - /* Display privileges from all sources. */ - sudo_lbuf_append(&priv_buf, - _("User %s may run the following commands on %s:\n"), - pw->pw_name, user_srunhost); - count = 0; - TAILQ_FOREACH(nss, snl, entries) { - if (nss->query(nss, pw) != -1) { - n = sudo_display_userspecs(nss->parse_tree, pw, &priv_buf, verbose); - if (n == -1) - goto bad; - count += n; - } - } - if (count == 0) { - def_buf.len = 0; - priv_buf.len = 0; - sudo_lbuf_append(&priv_buf, - _("User %s is not allowed to run sudo on %s.\n"), - pw->pw_name, user_srunhost); - } - if (sudo_lbuf_error(&def_buf) || sudo_lbuf_error(&priv_buf)) - goto bad; - - sudo_lbuf_print(&def_buf); - sudo_lbuf_print(&priv_buf); - - sudo_lbuf_destroy(&def_buf); - sudo_lbuf_destroy(&priv_buf); - - debug_return_int(true); -bad: - sudo_lbuf_destroy(&def_buf); - sudo_lbuf_destroy(&priv_buf); - - debug_return_int(-1); -} - -static int -display_cmnd_check(struct sudoers_parse_tree *parse_tree, struct passwd *pw, - time_t now) -{ - int host_match, runas_match, cmnd_match = UNSPEC; - char *saved_user_cmnd, *saved_user_base; - struct cmndspec *cs; - struct privilege *priv; - struct userspec *us; - debug_decl(display_cmnd_check, SUDOERS_DEBUG_PARSER); - - /* - * For "sudo -l command", user_cmnd is "list" and the actual - * command we are checking is in list_cmnd. - */ - saved_user_cmnd = user_cmnd; - saved_user_base = user_base; - user_cmnd = list_cmnd; - user_base = sudo_basename(user_cmnd); - - TAILQ_FOREACH_REVERSE(us, &parse_tree->userspecs, userspec_list, entries) { - if (userlist_matches(parse_tree, pw, &us->users) != ALLOW) - continue; - TAILQ_FOREACH_REVERSE(priv, &us->privileges, privilege_list, entries) { - host_match = hostlist_matches(parse_tree, pw, &priv->hostlist); - if (host_match != ALLOW) - continue; - TAILQ_FOREACH_REVERSE(cs, &priv->cmndlist, cmndspec_list, entries) { - if (cs->notbefore != UNSPEC) { - if (now < cs->notbefore) - continue; - } - if (cs->notafter != UNSPEC) { - if (now > cs->notafter) - continue; - } - runas_match = runaslist_matches(parse_tree, cs->runasuserlist, - cs->runasgrouplist, NULL, NULL); - if (runas_match == ALLOW) { - cmnd_match = cmnd_matches(parse_tree, cs->cmnd, - cs->runchroot, NULL); - if (cmnd_match != UNSPEC) - goto done; - } - } - } - } -done: - user_cmnd = saved_user_cmnd; - user_base = saved_user_base; - debug_return_int(cmnd_match); -} - -/* - * Check user_cmnd against sudoers and print the matching entry if the - * command is allowed. - * Returns true if the command is allowed, false if not or -1 on error. - */ -int -display_cmnd(struct sudo_nss_list *snl, struct passwd *pw) -{ - struct sudo_nss *nss; - int m, match = UNSPEC; - int ret = false; - time_t now; - debug_decl(display_cmnd, SUDOERS_DEBUG_PARSER); - - /* Iterate over each source, checking for the command. */ - time(&now); - TAILQ_FOREACH(nss, snl, entries) { - if (nss->query(nss, pw) == -1) { - /* The query function should have printed an error message. */ - debug_return_int(-1); - } - - m = display_cmnd_check(nss->parse_tree, pw, now); - if (m != UNSPEC) - match = m; - - if (!sudo_nss_can_continue(nss, m)) - break; - } - if (match == ALLOW) { - const int len = sudo_printf(SUDO_CONV_INFO_MSG, "%s%s%s\n", - list_cmnd, user_args ? " " : "", user_args ? user_args : ""); - ret = len < 0 ? -1 : true; - } - debug_return_int(ret); -} diff --git a/plugins/sudoers/parse.h b/plugins/sudoers/parse.h index e868986bd..e2768da56 100644 --- a/plugins/sudoers/parse.h +++ b/plugins/sudoers/parse.h @@ -474,6 +474,8 @@ const char *digest_type_to_name(unsigned int digest_type); /* parse.c */ struct sudo_nss_list; int sudoers_lookup(struct sudo_nss_list *snl, struct passwd *pw, int *cmnd_status, int pwflag); + +/* display.c */ int display_privs(struct sudo_nss_list *snl, struct passwd *pw, bool verbose); int display_cmnd(struct sudo_nss_list *snl, struct passwd *pw);