From aa1ca9c9ba54167f75f7bf2997f081de45838c03 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Thu, 6 Feb 2020 13:53:09 -0700 Subject: [PATCH] Add sample approval plugin that simply tests for "business hours" --- MANIFEST | 3 + plugins/sample_approval/Makefile.in | 219 ++++++++++++++++++++ plugins/sample_approval/sample_approval.c | 194 +++++++++++++++++ plugins/sample_approval/sample_approval.exp | 1 + 4 files changed, 417 insertions(+) create mode 100644 plugins/sample_approval/Makefile.in create mode 100644 plugins/sample_approval/sample_approval.c create mode 100644 plugins/sample_approval/sample_approval.exp diff --git a/MANIFEST b/MANIFEST index e24744e58..ae9341251 100644 --- a/MANIFEST +++ b/MANIFEST @@ -338,6 +338,9 @@ plugins/sample/Makefile.in plugins/sample/README plugins/sample/sample_plugin.c plugins/sample/sample_plugin.exp +plugins/sample_approval/Makefile.in +plugins/sample_approval/sample_approval.c +plugins/sample_approval/sample_approval.exp plugins/sudoers/Makefile.in plugins/sudoers/alias.c plugins/sudoers/audit.c diff --git a/plugins/sample_approval/Makefile.in b/plugins/sample_approval/Makefile.in new file mode 100644 index 000000000..f156c19c2 --- /dev/null +++ b/plugins/sample_approval/Makefile.in @@ -0,0 +1,219 @@ +# +# SPDX-License-Identifier: ISC +# +# Copyright (c) 2020 Todd C. Miller +# +# Permission to use, copy, modify, and distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +# +# @configure_input@ +# + +#### Start of system configuration section. #### + +srcdir = @srcdir@ +devdir = @devdir@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +incdir = $(top_srcdir)/include +cross_compiling = @CROSS_COMPILING@ + +# Compiler & tools to use +CC = @CC@ +LIBTOOL = @LIBTOOL@ +SED = @SED@ +AWK = @AWK@ + +# Our install program supports extra flags... +INSTALL = $(SHELL) $(top_srcdir)/install-sh -c +INSTALL_OWNER = -o $(install_uid) -g $(install_gid) +INSTALL_BACKUP = @INSTALL_BACKUP@ + +# Libraries +LT_LIBS = $(top_builddir)/lib/util/libsudo_util.la +LIBS = $(LT_LIBS) + +# C preprocessor flags +CPPFLAGS = -I$(incdir) -I$(top_builddir) @CPPFLAGS@ + +# Usually -O and/or -g +CFLAGS = @CFLAGS@ + +# Flags to pass to the link stage +LDFLAGS = @LDFLAGS@ +LT_LDFLAGS = @LT_LDFLAGS@ @LT_LDEXPORTS@ + +# Flags to pass to libtool +LTFLAGS = --tag=disable-static + +# Address sanitizer flags +ASAN_CFLAGS = @ASAN_CFLAGS@ +ASAN_LDFLAGS = @ASAN_LDFLAGS@ + +# PIE flags +PIE_CFLAGS = @PIE_CFLAGS@ +PIE_LDFLAGS = @PIE_LDFLAGS@ + +# Stack smashing protection flags +SSP_CFLAGS = @SSP_CFLAGS@ +SSP_LDFLAGS = @SSP_LDFLAGS@ + +# cppcheck options, usually set in the top-level Makefile +CPPCHECK_OPTS = -q --force --enable=warning,performance,portability --suppress=constStatement --error-exitcode=1 --inline-suppr -Dva_copy=va_copy -U__cplusplus -UQUAD_MAX -UQUAD_MIN -UUQUAD_MAX -U_POSIX_HOST_NAME_MAX -U_POSIX_PATH_MAX -U__NBBY -DNSIG=64 + +# splint options, usually set in the top-level Makefile +SPLINT_OPTS = -D__restrict= -checks + +# PVS-studio options +PVS_CFG = $(top_srcdir)/PVS-Studio.cfg +PVS_IGNORE = 'V707,V011,V002,V536' +PVS_LOG_OPTS = -a 'GA:1,2' -e -t errorfile -d $(PVS_IGNORE) + +# Where to install things... +prefix = @prefix@ +exec_prefix = @exec_prefix@ +bindir = @bindir@ +sbindir = @sbindir@ +sysconfdir = @sysconfdir@ +libexecdir = @libexecdir@ +datarootdir = @datarootdir@ +localstatedir = @localstatedir@ +plugindir = @plugindir@ + +# File mode and map file to use for shared libraries/objects +shlib_enable = @SHLIB_ENABLE@ +shlib_mode = @SHLIB_MODE@ +shlib_exp = $(srcdir)/sample_approval.exp +shlib_map = sample_approval.map +shlib_opt = sample_approval.opt + +# User and group ids the installed files should be "owned" by +install_uid = 0 +install_gid = 0 + +#### End of system configuration section. #### + +SHELL = @SHELL@ + +OBJS = sample_approval.lo + +IOBJS = $(OBJS:.lo=.i) + +POBJS = $(IOBJS:.i=.plog) + +LIBOBJDIR = $(top_builddir)/@ac_config_libobj_dir@/ + +VERSION = @PACKAGE_VERSION@ + +all: sample_approval.la + +depend: + $(top_srcdir)/mkdep.pl --srcdir=$(top_srcdir) \ + --builddir=`pwd`/$(top_builddir) plugins/sample_approval/Makefile.in + cd $(top_builddir) && ./config.status --file plugins/sample_approval/Makefile + +Makefile: $(srcdir)/Makefile.in + cd $(top_builddir) && ./config.status --file plugins/sample_approval/Makefile + +.SUFFIXES: .c .h .i .lo .plog + +.c.lo: + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $< + +.c.i: + $(CC) -E -o $@ $(CPPFLAGS) $< + +.i.plog: + ifile=$<; rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $${ifile%i}c --i-file $< --output-file $@ + +$(shlib_map): $(shlib_exp) + @$(AWK) 'BEGIN { print "{\n\tglobal:" } { print "\t\t"$$0";" } END { print "\tlocal:\n\t\t*;\n};" }' $(shlib_exp) > $@ + +$(shlib_opt): $(shlib_exp) + @$(SED) 's/^/+e /' $(shlib_exp) > $@ + +sample_approval.la: $(OBJS) $(LT_LIBS) @LT_LDDEP@ + $(LIBTOOL) $(LTFLAGS) --mode=link $(CC) $(LDFLAGS) $(ASAN_LDFLAGS) $(SSP_LDFLAGS) $(LT_LDFLAGS) -o $@ $(OBJS) $(LIBS) -module -avoid-version -rpath $(plugindir) -shrext .so + +pre-install: + +install: install-plugin + +install-dirs: + $(SHELL) $(top_srcdir)/mkinstalldirs $(DESTDIR)$(plugindir) + +install-binaries: + +install-includes: + +install-doc: + +install-plugin: install-dirs sample_approval.la + if [ X"$(shlib_enable)" = X"yes" ]; then \ + INSTALL_BACKUP='$(INSTALL_BACKUP)' $(LIBTOOL) $(LTFLAGS) --mode=install $(INSTALL) $(INSTALL_OWNER) -m $(shlib_mode) sample_approval.la $(DESTDIR)$(plugindir); \ + fi + +uninstall: + -$(LIBTOOL) $(LTFLAGS) --mode=uninstall rm -f $(DESTDIR)$(plugindir)/sample_approval.la + -test -z "$(INSTALL_BACKUP)" || \ + rm -f $(DESTDIR)$(plugindir)/sample_approval.so$(INSTALL_BACKUP) + +splint: + splint $(SPLINT_OPTS) -I$(incdir) -I$(top_builddir) $(srcdir)/*.c + +cppcheck: + cppcheck $(CPPCHECK_OPTS) -I$(incdir) -I$(top_builddir) $(srcdir)/*.c + +pvs-log-files: $(POBJS) + +pvs-studio: $(POBJS) + plog-converter $(PVS_LOG_OPTS) $(POBJS) + +check: + +clean: + -$(LIBTOOL) $(LTFLAGS) --mode=clean rm -f *.lo *.o *.la *.a *.i *.plog \ + stamp-* core *.core core.* + +mostlyclean: clean + +distclean: clean + -rm -rf Makefile .libs $(shlib_map) $(shlib_opt) + +clobber: distclean + +realclean: distclean + rm -f TAGS tags + +cleandir: realclean + +# Autogenerated dependencies, do not modify +getgrent.lo: $(srcdir)/getgrent.c $(incdir)/compat/stdbool.h \ + $(incdir)/sudo_compat.h $(incdir)/sudo_util.h \ + $(top_builddir)/config.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(srcdir)/getgrent.c +getgrent.i: $(srcdir)/getgrent.c $(incdir)/compat/stdbool.h \ + $(incdir)/sudo_compat.h $(incdir)/sudo_util.h \ + $(top_builddir)/config.h + $(CC) -E -o $@ $(CPPFLAGS) $< +getgrent.plog: getgrent.i + rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/getgrent.c --i-file $< --output-file $@ +sample_approval.lo: $(srcdir)/sample_approval.c $(incdir)/compat/stdbool.h \ + $(incdir)/sudo_compat.h $(incdir)/sudo_plugin.h \ + $(top_builddir)/config.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(srcdir)/sample_approval.c +sample_approval.i: $(srcdir)/sample_approval.c $(incdir)/compat/stdbool.h \ + $(incdir)/sudo_compat.h $(incdir)/sudo_plugin.h \ + $(top_builddir)/config.h + $(CC) -E -o $@ $(CPPFLAGS) $< +sample_approval.plog: sample_approval.i + rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/sample_approval.c --i-file $< --output-file $@ diff --git a/plugins/sample_approval/sample_approval.c b/plugins/sample_approval/sample_approval.c new file mode 100644 index 000000000..e1f1d83aa --- /dev/null +++ b/plugins/sample_approval/sample_approval.c @@ -0,0 +1,194 @@ +/* + * SPDX-License-Identifier: ISC + * + * Copyright (c) 2020 Todd C. Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +/* + * This is an open source non-commercial project. Dear PVS-Studio, please check it. + * PVS-Studio Static Code Analyzer for C, C++ and C#: http://www.viva64.com + */ + +#include + +#include + +#include +#include +#ifdef HAVE_STDBOOL_H +# include +#else +# include "compat/stdbool.h" +#endif /* HAVE_STDBOOL_H */ +#ifdef HAVE_STRING_H +# include +#endif /* HAVE_STRING_H */ +#ifdef HAVE_STRINGS_H +# include +#endif /* HAVE_STRINGS_H */ +#include +#include +#include + +#include "sudo_gettext.h" /* must be included before sudo_compat.h */ + +#include "sudo_compat.h" +#include "sudo_conf.h" +#include "sudo_debug.h" +#include "sudo_fatal.h" +#include "sudo_plugin.h" +#include "sudo_util.h" + +static int approval_debug_instance = SUDO_DEBUG_INSTANCE_INITIALIZER; + +/* + * Parse the "filename flags,..." debug_flags entry and insert a new + * sudo_debug_file struct into debug_files. + * XXX - move to libsudoutil + */ +static bool +sudo_debug_parse_flags(struct sudo_conf_debug_file_list *debug_files, + const char *entry) +{ + struct sudo_debug_file *debug_file; + const char *filename, *flags; + size_t namelen; + + /* Only process new-style debug flags: filename flags,... */ + filename = entry; + if (*filename != '/' || (flags = strpbrk(filename, " \t")) == NULL) + return true; + namelen = (size_t)(flags - filename); + while (isblank((unsigned char)*flags)) + flags++; + if (*flags != '\0') { + if ((debug_file = calloc(1, sizeof(*debug_file))) == NULL) + goto oom; + if ((debug_file->debug_file = strndup(filename, namelen)) == NULL) + goto oom; + if ((debug_file->debug_flags = strdup(flags)) == NULL) + goto oom; + TAILQ_INSERT_TAIL(debug_files, debug_file, entries); + } + return true; +oom: + if (debug_file != NULL) { + free(debug_file->debug_file); + free(debug_file->debug_flags); + free(debug_file); + } + return false; +} + +static int +approval_check(unsigned int version, sudo_conv_t conversation, + sudo_printf_t plugin_printf, char * const settings[], + char * const user_info[], int submit_optind, char * const submit_argv[], + char * const submit_envp[], char * const command_info[], + char * const run_argv[], char * const run_envp[], + char * const plugin_options[], const char **errstr) +{ + struct sudo_conf_debug_file_list debug_files = + TAILQ_HEAD_INITIALIZER(debug_files); + struct sudo_debug_file *debug_file; + const char *cp, *plugin_path = NULL; + char * const *cur; + struct tm *tm; + time_t now; + int ret = -1; + debug_decl(approval_check, SUDO_DEBUG_PLUGIN); + + /* Initialize the debug subsystem. */ + for (cur = settings; (cp = *cur) != NULL; cur++) { + if (strncmp(cp, "debug_flags=", sizeof("debug_flags=") - 1) == 0) { + cp += sizeof("debug_flags=") - 1; + if (!sudo_debug_parse_flags(&debug_files, cp)) { + goto oom; + } + continue; + } + if (strncmp(cp, "plugin_path=", sizeof("plugin_path=") - 1) == 0) { + plugin_path = cp + sizeof("plugin_path=") - 1; + continue; + } + } + if (plugin_path != NULL && !TAILQ_EMPTY(&debug_files)) { + approval_debug_instance = + sudo_debug_register(plugin_path, NULL, NULL, &debug_files); + if (approval_debug_instance == SUDO_DEBUG_INSTANCE_ERROR) { + *errstr = U_("unable to initialize debugging"); + goto bad; + } + } + + /* + * Only approve requests that are within business hours, + * which are 9am - 5pm local time. Does not check holidays. + */ + ret = 0; + time(&now); + tm = localtime(&now); + if (tm->tm_wday < 1 || tm->tm_wday > 5) { + /* bad weekday */ + goto bad; + } + if (tm->tm_hour < 9 || tm->tm_hour > 17 || + (tm->tm_hour == 17 && tm->tm_min > 0)) { + /* bad hour */ + goto bad; + } + + ret = 1; + goto done; + +oom: + sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory")); + *errstr = U_("unable to allocate memory"); + +bad: + if (ret == 0) { + *errstr = U_("You are not allowed to use sudo outside business hours"); + plugin_printf(SUDO_CONV_ERROR_MSG, "%s\n", *errstr); + } + +done: + while ((debug_file = TAILQ_FIRST(&debug_files))) { + TAILQ_REMOVE(&debug_files, debug_file, entries); + free(debug_file->debug_file); + free(debug_file->debug_flags); + free(debug_file); + } + + debug_return_int(ret); +} + +static int +approval_show_version(unsigned int version, sudo_conv_t conversation, + sudo_printf_t plugin_printf, int verbose) +{ + debug_decl(approval_show_version, SUDO_DEBUG_PLUGIN); + + plugin_printf(SUDO_CONV_INFO_MSG, "sample approval plugin version %s\n", + PACKAGE_VERSION); + + debug_return_int(true); +} + +__dso_public struct approval_plugin sample_approval = { + SUDO_APPROVAL_PLUGIN, + SUDO_API_VERSION, + approval_check, + approval_show_version +}; diff --git a/plugins/sample_approval/sample_approval.exp b/plugins/sample_approval/sample_approval.exp new file mode 100644 index 000000000..917a0d1da --- /dev/null +++ b/plugins/sample_approval/sample_approval.exp @@ -0,0 +1 @@ +approval_plugin