diff --git a/plugins/sudoers/Makefile.in b/plugins/sudoers/Makefile.in
index e3f6bb5f6..fe79ce9e9 100644
--- a/plugins/sudoers/Makefile.in
+++ b/plugins/sudoers/Makefile.in
@@ -153,9 +153,9 @@ AUTH_OBJS = sudo_auth.lo @AUTH_OBJS@
 LIBPARSESUDOERS_OBJS = alias.lo audit.lo base64.lo defaults.lo digestname.lo \
 filedigest.lo gentime.lo gmtoff.lo gram.lo hexchar.lo \
- match.lo match_addr.lo pwutil.lo pwutil_impl.lo \
- rcstr.lo redblack.lo sudoers_debug.lo timeout.lo \
- timestr.lo toke.lo toke_util.lo
+ match.lo match_addr.lo match_digest.lo pwutil.lo \
+ pwutil_impl.lo rcstr.lo redblack.lo sudoers_debug.lo \
+ timeout.lo timestr.lo toke.lo toke_util.lo
 LIBPARSESUDOERS_IOBJS = $(LIBPARSESUDOERS_OBJS:.lo=.i) passwd.i
@@ -1803,6 +1803,30 @@ match_addr.i: $(srcdir)/match_addr.c $(devdir)/def_data.h \
 $(CC) -E -o $@ $(CPPFLAGS) $<
 match_addr.plog: match_addr.i
 rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/match_addr.c --i-file $< --output-file $@
+match_digest.lo: $(srcdir)/match_digest.c $(devdir)/def_data.h \
+ $(devdir)/gram.h $(incdir)/compat/stdbool.h \
+ $(incdir)/sudo_compat.h $(incdir)/sudo_conf.h \
+ $(incdir)/sudo_debug.h $(incdir)/sudo_fatal.h \
+ $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+ $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+ $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+ $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+ $(top_builddir)/pathnames.h
+ $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(srcdir)/match_digest.c
+match_digest.i: $(srcdir)/match_digest.c $(devdir)/def_data.h \
+ $(devdir)/gram.h $(incdir)/compat/stdbool.h \
+ $(incdir)/sudo_compat.h $(incdir)/sudo_conf.h \
+ $(incdir)/sudo_debug.h $(incdir)/sudo_fatal.h \
+ $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+ $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+ $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+ $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+ $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+ $(top_builddir)/pathnames.h
+ $(CC) -E -o $@ $(CPPFLAGS) $<
+match_digest.plog: match_digest.i
+ rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/match_digest.c --i-file $< --output-file $@
 mkdir_parents.lo: $(srcdir)/mkdir_parents.c $(devdir)/def_data.h \
 $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
 $(incdir)/sudo_conf.h $(incdir)/sudo_debug.h \
@@ -2285,21 +2309,21 @@ sudo_nss.lo: $(srcdir)/sudo_nss.c $(devdir)/def_data.h \
 $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
 $(incdir)/sudo_conf.h $(incdir)/sudo_debug.h \
 $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \
- $(incdir)/sudo_lbuf.h $(incdir)/sudo_plugin.h \
- $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \
- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \
- $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
- $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
+ $(incdir)/sudo_util.h $(srcdir)/defaults.h $(srcdir)/logging.h \
+ $(srcdir)/parse.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+ $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+ $(top_builddir)/pathnames.h
 $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(srcdir)/sudo_nss.c
 sudo_nss.i: $(srcdir)/sudo_nss.c $(devdir)/def_data.h \
 $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
 $(incdir)/sudo_conf.h $(incdir)/sudo_debug.h \
 $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \
- $(incdir)/sudo_lbuf.h $(incdir)/sudo_plugin.h \
- $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \
- $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \
- $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
- $(top_builddir)/config.h $(top_builddir)/pathnames.h
+ $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \
+ $(incdir)/sudo_util.h $(srcdir)/defaults.h $(srcdir)/logging.h \
+ $(srcdir)/parse.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+ $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+ $(top_builddir)/pathnames.h
 $(CC) -E -o $@ $(CPPFLAGS) $<
 sudo_nss.plog: sudo_nss.i
 rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/sudo_nss.c --i-file $< --output-file $@
diff --git a/plugins/sudoers/match.c b/plugins/sudoers/match.c
index 93dd8eede..3ced7b662 100644
--- a/plugins/sudoers/match.c
+++ b/plugins/sudoers/match.c
@@ -84,7 +84,6 @@ static bool command_matches_glob(const char *sudoers_cmnd, const char *sudoers_a
 #endif
 static bool command_matches_fnmatch(const char *sudoers_cmnd, const char *sudoers_args, const struct command_digest *digest);
 static bool command_matches_normal(const char *sudoers_cmnd, const char *sudoers_args, const struct command_digest *digest);
-static bool digest_matches(int fd, const char *file, const struct command_digest *digest);
 /*
 * Returns true if string 's' contains meta characters.
@@ -817,79 +816,8 @@ command_matches_normal(const char *sudoers_cmnd, const char *sudoers_args, const
 debug_return_bool(false);
 }
-static bool
-digest_matches(int fd, const char *file, const struct command_digest *digest)
-{
- debug_decl(digest_matches, SUDOERS_DEBUG_MATCH)
-
- /* Digests are not supported when matching only by name. */
-
- debug_return_bool(false);
-}
 #else /* !SUDOERS_NAME_MATCH */
-static bool
-digest_matches(int fd, const char *file, const struct command_digest *digest)
-{
- unsigned char *file_digest = NULL;
- unsigned char *sudoers_digest = NULL;
- bool matched = false;
- size_t digest_len;
- debug_decl(digest_matches, SUDOERS_DEBUG_MATCH)
-
- file_digest = sudo_filedigest(fd, file, digest->digest_type, &digest_len);
- if (lseek(fd, (off_t)0, SEEK_SET) == -1) {
- sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO|SUDO_DEBUG_LINENO,
- "unable to rewind digest fd");
- }
- if (file_digest == NULL) {
- /* Warning (if any) printed by sudo_filedigest() */
- goto done;
- }
-
- /* Convert the command digest from ascii to binary. */
- if ((sudoers_digest = malloc(digest_len)) == NULL) {
- sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
- goto done;
- }
- if (strlen(digest->digest_str) == digest_len * 2) {
- /* Convert ascii hex to binary. */
- unsigned int i;
- for (i = 0; i < digest_len; i++) {
- const int h = hexchar(&digest->digest_str[i + i]);
- if (h == -1)
- goto bad_format;
- sudoers_digest[i] = (unsigned char)h;
- }
- } else {
- /* Convert base64 to binary. */
- size_t len = base64_decode(digest->digest_str, sudoers_digest, digest_len);
- if (len != digest_len) {
- sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
- "incorrect length for digest, expected %zu, got %zu",
- digest_len, len);
- goto bad_format;
- }
- }
-
- if (memcmp(file_digest, sudoers_digest, digest_len) == 0) {
- matched = true;
- } else {
- sudo_debug_printf(SUDO_DEBUG_DIAG|SUDO_DEBUG_LINENO,
- "%s digest mismatch for %s, expecting %s",
- digest_type_to_name(digest->digest_type), file, digest->digest_str);
- }
- goto done;
-
-bad_format:
- sudo_warnx(U_("digest for %s (%s) is not in %s form"), file,
- digest->digest_str, digest_type_to_name(digest->digest_type));
-done:
- free(sudoers_digest);
- free(file_digest);
- debug_return_bool(matched);
-}
-
 static bool
 command_matches_normal(const char *sudoers_cmnd, const char *sudoers_args, const struct command_digest *digest)
 {
diff --git a/plugins/sudoers/parse.h b/plugins/sudoers/parse.h
index 7dcbdca63..0d6023d56 100644
--- a/plugins/sudoers/parse.h
+++ b/plugins/sudoers/parse.h
@@ -297,6 +297,9 @@ void reparent_parse_tree(struct sudoers_parse_tree *new_tree);
 /* match_addr.c */
 bool addr_matches(char *n);
+/* match_digest.c */
+bool digest_matches(int fd, const char *file, const struct command_digest *digest);
+
 /* match.c */
 struct group;
 struct passwd;
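Review bot: The new `digest_matches()` declaration in parse.h turns a previously file-local helper into a cross-file interface but carries no contract comment, and the behaviour callers rely on is now only visible in the code this commit removes from match.c. I would document it on the declaration, e.g. `/* Returns true only if the digest of the file open on fd matches digest; false on any error or malformed digest_str. Rewinds fd to offset 0 after hashing. */`, assuming match_digest.c keeps the removed implementation's behaviour. The removed code only logs a failed lseek() rewind rather than reporting it, so if that is unchanged the comment should call the rewind best-effort, since a caller that reads from fd after a match would otherwise operate at the wrong offset. The removed `SUDOERS_NAME_MATCH` variant always returned false; it is worth stating on the declaration that under that build option the function never matches.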