Parse sudoers file as PERM_RUNAS not PERM_ROOT and remove a useless PERM_SUDOERS. Restore to PERM_ROOT upon exit of the parse.
Todd C. Miller
2004-07-23 20:43:09 +00:00
parent 8573f78c95
commit 8ce996770c

26
parse.c

@@ -109,9 +109,6 @@ sudoers_lookup(pwflag)
int error, nopass; int error, nopass;
enum def_tupple pwcheck; enum def_tupple pwcheck;
/* Become sudoers file owner */
set_perms(PERM_SUDOERS);
/* We opened _PATH_SUDOERS in check_sudoers() so just rewind it. */ /* We opened _PATH_SUDOERS in check_sudoers() so just rewind it. */
rewind(sudoers_fp); rewind(sudoers_fp);
yyin = sudoers_fp; yyin = sudoers_fp;
@@ -124,16 +121,18 @@ sudoers_lookup(pwflag)
if (pwflag > 0) if (pwflag > 0)
keepall = TRUE; keepall = TRUE;
/* Need to be root while stat'ing things in the parser. */ /* Need to be runas user while stat'ing things in the parser. */
set_perms(PERM_ROOT); set_perms(PERM_RUNAS);
error = yyparse(); error = yyparse();
/* Close the sudoers file now that we are done with it. */ /* Close the sudoers file now that we are done with it. */
(void) fclose(sudoers_fp); (void) fclose(sudoers_fp);
sudoers_fp = NULL; sudoers_fp = NULL;
if (error || parse_error) if (error || parse_error) {
set_perms(PERM_ROOT);
return(VALIDATE_ERROR); return(VALIDATE_ERROR);
}
/* /*
* The pw options may have changed during sudoers parse so we * The pw options may have changed during sudoers parse so we
@@ -185,6 +184,7 @@ sudoers_lookup(pwflag)
top--; top--;
} }
if (found) { if (found) {
set_perms(PERM_ROOT);
if (nopass == -1) if (nopass == -1)
nopass = 0; nopass = 0;
return(VALIDATE_OK | nopass); return(VALIDATE_OK | nopass);
@@ -197,6 +197,7 @@ sudoers_lookup(pwflag)
/* /*
* User was granted access to cmnd on host as user. * User was granted access to cmnd on host as user.
*/ */
set_perms(PERM_ROOT);
return(VALIDATE_OK | return(VALIDATE_OK |
(no_passwd == TRUE ? FLAG_NOPASS : 0) | (no_passwd == TRUE ? FLAG_NOPASS : 0) |
(no_execve == TRUE ? FLAG_NOEXEC : 0)); (no_execve == TRUE ? FLAG_NOEXEC : 0));
@@ -205,6 +206,7 @@ sudoers_lookup(pwflag)
/* /*
* User was explicitly denied access to cmnd on host. * User was explicitly denied access to cmnd on host.
*/ */
set_perms(PERM_ROOT);
return(VALIDATE_NOT_OK | return(VALIDATE_NOT_OK |
(no_passwd == TRUE ? FLAG_NOPASS : 0) | (no_passwd == TRUE ? FLAG_NOPASS : 0) |
(no_execve == TRUE ? FLAG_NOEXEC : 0)); (no_execve == TRUE ? FLAG_NOEXEC : 0));
@@ -213,6 +215,7 @@ sudoers_lookup(pwflag)
top--; top--;
} }
} }
set_perms(PERM_ROOT);
/* /*
* The user was neither explicitly granted nor denied access. * The user was neither explicitly granted nor denied access.
@@ -233,7 +236,7 @@ command_matches(cmnd, cmnd_args, path, sudoers_args)
char *path; char *path;
char *sudoers_args; char *sudoers_args;
{ {
int plen, error; int plen;
static struct stat cst; static struct stat cst;
struct stat pst; struct stat pst;
DIR *dirp; DIR *dirp;
@@ -267,15 +270,8 @@ command_matches(cmnd, cmnd_args, path, sudoers_args)
/* Only need to stat cmnd once since it never changes */ /* Only need to stat cmnd once since it never changes */
if (cst.st_dev == 0) { if (cst.st_dev == 0) {
if ((error = stat(cmnd, &cst))) { if (stat(cmnd, &cst) == -1)
if (runas_pw->pw_uid != 0) {
set_perms(PERM_RUNAS);
error = stat(cmnd, &cst);
set_perms(PERM_ROOT);
}
if (error)
return(FALSE); return(FALSE);
}
if ((cmnd_base = strrchr(cmnd, '/')) == NULL) if ((cmnd_base = strrchr(cmnd, '/')) == NULL)
cmnd_base = cmnd; cmnd_base = cmnd;
else else