isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Use a common function for resolviong the user's editor in sudoedit

Browse Source 
and visudo.  The find_path() function now returns a dynamically
allocated path instead of using a static string.
This commit is contained in:
Todd C. Miller
2015-06-18 09:51:36 -06:00
parent a38253b101
commit ac13264b44
8 changed files with 366 additions and 308 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
MANIFEST
View File

@@ -256,6 +256,7 @@ plugins/sudoers/def_data.h
plugins/sudoers/def_data.in plugins/sudoers/def_data.in
plugins/sudoers/defaults.c plugins/sudoers/defaults.c
plugins/sudoers/defaults.h plugins/sudoers/defaults.h
plugins/sudoers/editor.c
plugins/sudoers/env.c plugins/sudoers/env.c
plugins/sudoers/find_path.c plugins/sudoers/find_path.c
plugins/sudoers/getdate.c plugins/sudoers/getdate.c

14
plugins/sudoers/Makefile.in
View File

@@ -147,13 +147,13 @@ LIBPARSESUDOERS_OBJS = alias.lo audit.lo base64.lo defaults.lo hexchar.lo \
redblack.lo sudoers_debug.lo timestr.lo toke.lo \ redblack.lo sudoers_debug.lo timestr.lo toke.lo \
toke_util.lo toke_util.lo
SUDOERS_OBJS = $(AUTH_OBJS) boottime.lo check.lo env.lo find_path.lo \ SUDOERS_OBJS = $(AUTH_OBJS) boottime.lo check.lo editor.lo env.lo find_path.lo \
goodpath.lo group_plugin.lo interfaces.lo iolog.lo \ goodpath.lo group_plugin.lo interfaces.lo iolog.lo \
iolog_path.lo locale.lo logging.lo logwrap.lo parse.lo \ iolog_path.lo locale.lo logging.lo logwrap.lo parse.lo \
policy.lo prompt.lo set_perms.lo sudo_nss.lo sudoers.lo \ policy.lo prompt.lo set_perms.lo sudo_nss.lo sudoers.lo \
timestamp.lo @SUDOERS_OBJS@ timestamp.lo @SUDOERS_OBJS@
VISUDO_OBJS = find_path.o goodpath.o locale.o sudo_printf.o visudo.o \ VISUDO_OBJS = editor.o find_path.o goodpath.o locale.o sudo_printf.o visudo.o \
visudo_json.o visudo_json.o
REPLAY_OBJS = getdate.o locale.o sudoreplay.o REPLAY_OBJS = getdate.o locale.o sudoreplay.o
@@ -615,6 +615,16 @@ defaults.lo: $(srcdir)/defaults.c $(devdir)/def_data.c $(devdir)/def_data.h \
$(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \
$(top_builddir)/config.h $(top_builddir)/pathnames.h $(top_builddir)/config.h $(top_builddir)/pathnames.h
$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(srcdir)/defaults.c $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(srcdir)/defaults.c
editor.lo: $(srcdir)/editor.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \
$(incdir)/sudo_compat.h $(incdir)/sudo_conf.h \
$(incdir)/sudo_debug.h $(incdir)/sudo_fatal.h \
$(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
$(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \
$(srcdir)/logging.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
$(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
$(top_builddir)/pathnames.h
$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(srcdir)/editor.c
editor.o: editor.lo
env.lo: $(srcdir)/env.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \ env.lo: $(srcdir)/env.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \
$(incdir)/sudo_compat.h $(incdir)/sudo_conf.h $(incdir)/sudo_debug.h \ $(incdir)/sudo_compat.h $(incdir)/sudo_conf.h $(incdir)/sudo_debug.h \
$(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \ $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \

120
plugins/sudoers/editor.c Normal file
View File

@@ -0,0 +1,120 @@
/*
* Copyright (c) 2010-2015 Todd C. Miller <Todd.Miller@courtesan.com>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#include <config.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <stdio.h>
#ifdef STDC_HEADERS
# include <stdlib.h>
# include <stddef.h>
#else
# ifdef HAVE_STDLIB_H
# include <stdlib.h>
# endif
#endif /* STDC_HEADERS */
#ifdef HAVE_STRING_H
# if defined(HAVE_MEMORY_H) && !defined(STDC_HEADERS)
# include <memory.h>
# endif
# include <string.h>
#endif /* HAVE_STRING_H */
#ifdef HAVE_STRINGS_H
# include <strings.h>
#endif /* HAVE_STRINGS_H */
#ifdef HAVE_UNISTD_H
# include <unistd.h>
#endif /* HAVE_UNISTD_H */
#include <errno.h>
#include "sudoers.h"
/*
* Search for the specified editor in the user's PATH, checking
* the result against whitelist if non-NULL. An argument vector
* suitable for execve() is allocated and stored in argv_out.
* If nfiles is non-zero, files[] is added to the end of argv_out.
* Returns the path to be executed on success, else NULL.
* The caller is responsible for freeing the returned editor path
* as well as the argument vector.
*/
char *
resolve_editor(const char *ed, size_t edlen, int nfiles, char **files,
int *argc_out, char ***argv_out, char * const *whitelist)
{
char **nargv, *editor, *editor_path = NULL;
const char *cp, *ep, *tmp;
const char *edend = ed + edlen;
struct stat user_editor_sb;
int nargc;
debug_decl(resolve_editor, SUDOERS_DEBUG_UTIL)
/*
* Split editor into an argument vector, including files to edit.
* The EDITOR and VISUAL environment variables may contain command
* line args so look for those and alloc space for them too.
*/
cp = sudo_strsplit(ed, edend, " \t", &ep);
if (cp == NULL)
debug_return_str(NULL);
editor = strndup(cp, (size_t)(ep - cp));
if (editor == NULL) {
sudo_warnx(U_("unable to allocate memory"));
debug_return_str(NULL);
}
/* If we can't find the editor in the user's PATH, give up. */
if (find_path(editor, &editor_path, &user_editor_sb, getenv("PATH"), 0, whitelist) != FOUND) {
free(editor);
errno = ENOENT;
debug_return_str(NULL);
}
/* Count rest of arguments and allocate editor argv. */
for (nargc = 1, tmp = ep; sudo_strsplit(NULL, edend, " \t", &tmp) != NULL; )
nargc++;
if (nfiles != 0)
nargc += nfiles + 1;
nargv = reallocarray(NULL, nargc + 1, sizeof(char *));
if (nargv == NULL) {
sudo_warnx(U_("unable to allocate memory"));
free(editor);
debug_return_str(NULL);
}
/* Fill in editor argv (assumes files[] is NULL-terminated). */
nargv[0] = editor;
for (nargc = 1; (cp = sudo_strsplit(NULL, edend, " \t", &ep)) != NULL; nargc++) {
nargv[nargc] = strndup(cp, (size_t)(ep - cp));
if (nargv[nargc] == NULL) {
sudo_warnx(U_("unable to allocate memory"));
while (nargc--)
free(nargv[nargc]);
debug_return_str(NULL);
}
}
if (nfiles != 0) {
nargv[nargc++] = "--";
while (nfiles--)
nargv[nargc++] = *files++;
}
nargv[nargc] = NULL;
*argc_out = nargc;
*argv_out = nargv;
debug_return_str(editor_path);
}

81
plugins/sudoers/find_path.c
View File

@@ -45,40 +45,82 @@
#include "sudoers.h" #include "sudoers.h"
/*
* Check the given command against the specified whitelist (NULL-terminated).
* On success, rewrites cmnd based on the whitelist and returns true.
* On failure, returns false.
*/
static bool
cmnd_allowed(char *cmnd, size_t cmnd_size, struct stat *cmnd_sbp,
char * const *whitelist)
{
const char *cmnd_base;
char * const *wl;
debug_decl(cmnd_allowed, SUDOERS_DEBUG_UTIL)
if (!sudo_goodpath(cmnd, cmnd_sbp))
debug_return_bool(false);
if (whitelist == NULL)
debug_return_bool(true); /* nothing to check */
/* We compare the base names to avoid excessive stat()ing. */
if ((cmnd_base = strrchr(cmnd, '/')) == NULL)
debug_return_bool(false); /* can't happen */
cmnd_base++;
for (wl = whitelist; *wl != NULL; wl++) {
struct stat sb;
const char *base;
if ((base = strrchr(*wl, '/')) == NULL)
continue; /* XXX - warn? */
base++;
if (strcmp(cmnd_base, base) != 0)
continue;
if (sudo_goodpath(*wl, &sb) &&
sb.st_dev == cmnd_sbp->st_dev && sb.st_ino == cmnd_sbp->st_ino) {
/* Overwrite cmnd with safe version from whitelist. */
if (strlcpy(cmnd, *wl, cmnd_size) < cmnd_size)
return true;
debug_return_bool(true);
}
}
debug_return_bool(false);
}
/* /*
* This function finds the full pathname for a command and * This function finds the full pathname for a command and
* stores it in a statically allocated array, filling in a pointer * stores it in a statically allocated array, filling in a pointer
* to the array. Returns FOUND if the command was found, NOT_FOUND * to the array. Returns FOUND if the command was found, NOT_FOUND
* if it was not found, or NOT_FOUND_DOT if it would have been found * if it was not found, or NOT_FOUND_DOT if it would have been found
* but it is in '.' and IGNORE_DOT is set. * but it is in '.' and IGNORE_DOT is set.
* The caller is responsible for freeing the output file.
*/ */
int int
find_path(const char *infile, char **outfile, struct stat *sbp, find_path(const char *infile, char **outfile, struct stat *sbp,
const char *path, int ignore_dot) const char *path, int ignore_dot, char * const *whitelist)
{ {
static char command[PATH_MAX]; char command[PATH_MAX];
const char *cp, *ep, *pathend; const char *cp, *ep, *pathend;
bool found = false; bool found = false;
bool checkdot = false; bool checkdot = false;
int len; int len;
debug_decl(find_path, SUDOERS_DEBUG_UTIL) debug_decl(find_path, SUDOERS_DEBUG_UTIL)
if (strlen(infile) >= PATH_MAX) {
errno = ENAMETOOLONG;
debug_return_int(NOT_FOUND_ERROR);
}
/* /*
* If we were given a fully qualified or relative path * If we were given a fully qualified or relative path
* there is no need to look at $PATH. * there is no need to look at $PATH.
*/ */
if (strchr(infile, '/') != NULL) { if (strchr(infile, '/') != NULL) {
strlcpy(command, infile, sizeof(command)); /* paranoia */ if (strlcpy(command, infile, sizeof(command)) >= sizeof(command)) {
if (sudo_goodpath(command, sbp)) { errno = ENAMETOOLONG;
*outfile = command; debug_return_int(NOT_FOUND_ERROR);
debug_return_int(FOUND); }
} else found = cmnd_allowed(command, sizeof(command), sbp, whitelist);
debug_return_int(NOT_FOUND); goto done;
} }
if (path == NULL) if (path == NULL)
@@ -106,7 +148,8 @@ find_path(const char *infile, char **outfile, struct stat *sbp,
errno = ENAMETOOLONG; errno = ENAMETOOLONG;
debug_return_int(NOT_FOUND_ERROR); debug_return_int(NOT_FOUND_ERROR);
} }
if ((found = sudo_goodpath(command, sbp))) found = cmnd_allowed(command, sizeof(command), sbp, whitelist);
if (found)
break; break;
} }
@@ -119,14 +162,16 @@ find_path(const char *infile, char **outfile, struct stat *sbp,
errno = ENAMETOOLONG; errno = ENAMETOOLONG;
debug_return_int(NOT_FOUND_ERROR); debug_return_int(NOT_FOUND_ERROR);
} }
found = sudo_goodpath(command, sbp); found = cmnd_allowed(command, sizeof(command), sbp, whitelist);
if (found && ignore_dot) if (found && ignore_dot)
debug_return_int(NOT_FOUND_DOT); debug_return_int(NOT_FOUND_DOT);
} }
done:
if (found) { if (found) {
*outfile = command; if ((*outfile = strdup(command)) == NULL)
debug_return_int(NOT_FOUND_ERROR);
debug_return_int(FOUND); debug_return_int(FOUND);
} else }
debug_return_int(NOT_FOUND); debug_return_int(NOT_FOUND);
} }

22
plugins/sudoers/goodpath.c
View File

@@ -43,18 +43,22 @@
bool bool
sudo_goodpath(const char *path, struct stat *sbp) sudo_goodpath(const char *path, struct stat *sbp)
{ {
struct stat sb;
bool rval = false; bool rval = false;
debug_decl(sudo_goodpath, SUDOERS_DEBUG_UTIL) debug_decl(sudo_goodpath, SUDOERS_DEBUG_UTIL)
if (path != NULL && stat(path, &sb) == 0) { if (path != NULL) {
/* Make sure path describes an executable regular file. */ struct stat sb;
if (S_ISREG(sb.st_mode) && ISSET(sb.st_mode, 0111))
rval = true; if (sbp == NULL)
else sbp = &sb;
errno = EACCES;
if (sbp) if (stat(path, sbp) == 0) {
(void) memcpy(sbp, &sb, sizeof(struct stat)); /* Make sure path describes an executable regular file. */
if (S_ISREG(sbp->st_mode) && ISSET(sbp->st_mode, 0111))
rval = true;
else
errno = EACCES;
}
} }
debug_return_bool(rval); debug_return_bool(rval);

95
plugins/sudoers/sudoers.c
View File

@@ -604,7 +604,8 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
int edit_argc; int edit_argc;
free(safe_cmnd); free(safe_cmnd);
safe_cmnd = find_editor(NewArgc - 1, NewArgv + 1, &edit_argc, &edit_argv); safe_cmnd = find_editor(NewArgc - 1, NewArgv + 1, &edit_argc,
&edit_argv);
if (safe_cmnd == NULL || audit_success(edit_argc, edit_argv) != 0) if (safe_cmnd == NULL || audit_success(edit_argc, edit_argv) != 0)
goto bad; goto bad;
@@ -754,7 +755,7 @@ set_cmnd(void)
if (!set_perms(PERM_RUNAS)) if (!set_perms(PERM_RUNAS))
debug_return_int(-1); debug_return_int(-1);
rval = find_path(NewArgv[0], &user_cmnd, user_stat, path, rval = find_path(NewArgv[0], &user_cmnd, user_stat, path,
def_ignore_dot); def_ignore_dot, NULL);
if (!restore_perms()) if (!restore_perms())
debug_return_int(-1); debug_return_int(-1);
if (rval == NOT_FOUND) { if (rval == NOT_FOUND) {
@@ -762,7 +763,7 @@ set_cmnd(void)
if (!set_perms(PERM_USER)) if (!set_perms(PERM_USER))
debug_return_int(-1); debug_return_int(-1);
rval = find_path(NewArgv[0], &user_cmnd, user_stat, path, rval = find_path(NewArgv[0], &user_cmnd, user_stat, path,
def_ignore_dot); def_ignore_dot, NULL);
if (!restore_perms()) if (!restore_perms())
debug_return_int(-1); debug_return_int(-1);
} }
@@ -1169,78 +1170,18 @@ sudoers_cleanup(void)
debug_return; debug_return;
} }
static char *
resolve_editor(const char *ed, size_t edlen, int nfiles, char **files,
int *argc_out, char ***argv_out)
{
char **nargv, *editor, *editor_path = NULL;
const char *cp, *ep, *tmp;
const char *edend = ed + edlen;
int nargc;
debug_decl(resolve_editor, SUDOERS_DEBUG_PLUGIN)
/*
* Split editor into an argument vector, including files to edit.
* The EDITOR and VISUAL environment variables may contain command
* line args so look for those and alloc space for them too.
*/
cp = sudo_strsplit(ed, edend, " \t", &ep);
if (cp == NULL)
debug_return_str(NULL);
editor = strndup(cp, (size_t)(ep - cp));
if (editor == NULL) {
sudo_warnx(U_("unable to allocate memory"));
debug_return_str(NULL);
}
/* If we can't find the editor in the user's PATH, give up. */
if (find_path(editor, &editor_path, NULL, getenv("PATH"), 0) != FOUND) {
free(editor);
errno = ENOENT;
debug_return_str(NULL);
}
/* Count rest of arguments and allocate editor argv. */
for (nargc = 1, tmp = ep; sudo_strsplit(NULL, edend, " \t", &tmp) != NULL; )
nargc++;
nargv = reallocarray(NULL, nargc + 1 + nfiles + 1, sizeof(char *));
if (nargv == NULL) {
sudo_warnx(U_("unable to allocate memory"));
free(editor);
debug_return_str(NULL);
}
/* Fill in editor argv (assumes files[] is NULL-terminated). */
nargv[0] = editor;
for (nargc = 1; (cp = sudo_strsplit(NULL, edend, " \t", &ep)) != NULL; nargc++) {
nargv[nargc] = strndup(cp, (size_t)(ep - cp));
if (nargv[nargc] == NULL) {
sudo_warnx(U_("unable to allocate memory"));
while (nargc--)
free(nargv[nargc]);
debug_return_str(NULL);
}
}
nargv[nargc++] = "--";
while ((nargv[nargc++] = *files++) != NULL)
continue;
*argc_out = nargc;
*argv_out = nargv;
debug_return_str(editor_path);
}
/* /*
* Determine which editor to use. We don't need to worry about restricting * Determine which editor to use. We don't need to worry about restricting
* this to a "safe" editor since it runs with the uid of the invoking user, * this to a "safe" editor since it runs with the uid of the invoking user,
* not the runas (privileged) user. * not the runas (privileged) user.
* Returns a fully-qualified path to the editor on success and fills
* in argc_out and argv_out accordingly. Returns NULL on failure.
*/ */
static char * static char *
find_editor(int nfiles, char **files, int *argc_out, char ***argv_out) find_editor(int nfiles, char **files, int *argc_out, char ***argv_out)
{ {
const char *cp, *ep, *editor; const char *cp, *ep, *editor = NULL;
char *editor_path = NULL, **ev, *ev0[4]; char *editor_path = NULL, **ev, *ev0[4];
size_t len;
debug_decl(find_editor, SUDOERS_DEBUG_PLUGIN) debug_decl(find_editor, SUDOERS_DEBUG_PLUGIN)
/* /*
@@ -1252,29 +1193,27 @@ find_editor(int nfiles, char **files, int *argc_out, char ***argv_out)
ev0[3] = NULL; ev0[3] = NULL;
for (ev = ev0; editor_path == NULL && *ev != NULL; ev++) { for (ev = ev0; editor_path == NULL && *ev != NULL; ev++) {
if ((editor = getenv(*ev)) != NULL && *editor != '\0') { if ((editor = getenv(*ev)) != NULL && *editor != '\0') {
editor_path = resolve_editor(editor, strlen(editor), nfiles, editor_path = resolve_editor(editor, strlen(editor),
files, argc_out, argv_out); nfiles, files, argc_out, argv_out, NULL);
if (editor_path == NULL && errno != ENOENT) if (editor_path == NULL && errno != ENOENT)
debug_return_str(NULL); debug_return_str(NULL);
} }
} }
if (editor_path == NULL) { if (editor_path == NULL) {
/* def_editor could be a path, split it up, avoiding strtok() */ /* def_editor could be a path, split it up, avoiding strtok() */
cp = editor = def_editor; const char *def_editor_end = def_editor + strlen(def_editor);
do { for (cp = sudo_strsplit(def_editor, def_editor_end, ":", &ep);
if ((ep = strchr(cp, ':')) != NULL) cp != NULL; cp = sudo_strsplit(NULL, def_editor_end, ":", &ep)) {
len = ep - cp; editor_path = resolve_editor(cp, (size_t)(ep - cp), nfiles,
else files, argc_out, argv_out, NULL);
len = strlen(cp);
editor_path = resolve_editor(cp, len, nfiles, files, argc_out, argv_out);
if (editor_path == NULL && errno != ENOENT) if (editor_path == NULL && errno != ENOENT)
debug_return_str(NULL); debug_return_str(NULL);
cp = ep + 1;
} while (ep != NULL && editor_path == NULL); } while (ep != NULL && editor_path == NULL);
} }
if (!editor_path) { if (!editor_path) {
audit_failure(NewArgc, NewArgv, N_("%s: command not found"), editor); audit_failure(NewArgc, NewArgv, N_("%s: command not found"),
sudo_warnx(U_("%s: command not found"), editor); editor ? editor : def_editor);
sudo_warnx(U_("%s: command not found"), editor ? editor : def_editor);
} }
debug_return_str(editor_path); debug_return_str(editor_path);
} }

10
plugins/sudoers/sudoers.h
View File

@@ -130,6 +130,7 @@ struct sudo_user {
#define NOT_FOUND 1 #define NOT_FOUND 1
#define NOT_FOUND_DOT 2 #define NOT_FOUND_DOT 2
#define NOT_FOUND_ERROR 3 #define NOT_FOUND_ERROR 3
#define NOT_FOUND_PATH 4
/* /*
* Various modes sudo can be in (based on arguments) in hex * Various modes sudo can be in (based on arguments) in hex
@@ -223,10 +224,11 @@ struct timeval;
#define YY_DECL int sudoerslex(void) #define YY_DECL int sudoerslex(void)
/* goodpath.c */ /* goodpath.c */
bool sudo_goodpath(const char *, struct stat *); bool sudo_goodpath(const char *path, struct stat *sbp);
/* findpath.c */ /* findpath.c */
int find_path(const char *, char **, struct stat *, const char *, int); int find_path(const char *infile, char **outfile, struct stat *sbp,
const char *path, int ignore_dot, char * const *whitelist);
/* check.c */ /* check.c */
int check_user(int validate, int mode); int check_user(int validate, int mode);
@@ -369,4 +371,8 @@ void group_plugin_unload(void);
int group_plugin_query(const char *user, const char *group, int group_plugin_query(const char *user, const char *group,
const struct passwd *pwd); const struct passwd *pwd);
/* editor.c */
char *resolve_editor(const char *ed, size_t edlen, int nfiles, char **files,
int *argc_out, char ***argv_out, char * const *whitelist);
#endif /* SUDOERS_SUDOERS_H */ #endif /* SUDOERS_SUDOERS_H */

331
plugins/sudoers/visudo.c
View File

@@ -99,16 +99,15 @@ TAILQ_HEAD(sudoersfile_list, sudoersfile);
* Function prototypes * Function prototypes
*/ */
static void quit(int); static void quit(int);
static char *get_args(char *);
static char *get_editor(char **);
static void get_hostname(void); static void get_hostname(void);
static int whatnow(void); static int whatnow(void);
static int check_aliases(bool, bool); static int check_aliases(bool, bool);
static char *get_editor(int *editor_argc, char ***editor_argv);
static bool check_syntax(const char *, bool, bool, bool); static bool check_syntax(const char *, bool, bool, bool);
static bool edit_sudoers(struct sudoersfile *, char *, char *, int); static bool edit_sudoers(struct sudoersfile *, char *, int, char **, int);
static bool install_sudoers(struct sudoersfile *, bool); static bool install_sudoers(struct sudoersfile *, bool);
static int print_unused(void *, void *); static int print_unused(void *, void *);
static bool reparse_sudoers(char *, char *, bool, bool); static bool reparse_sudoers(char *, int, char **, bool, bool);
static int run_command(char *, char **); static int run_command(char *, char **);
static void parse_sudoers_options(void); static void parse_sudoers_options(void);
static void setup_signals(void); static void setup_signals(void);
@@ -147,8 +146,8 @@ int
main(int argc, char *argv[]) main(int argc, char *argv[])
{ {
struct sudoersfile *sp; struct sudoersfile *sp;
char *args, *editor; char *editor, **editor_argv;
int ch, exitcode = 0; int ch, editor_argc, exitcode = 0;
bool quiet, strict, oldperms; bool quiet, strict, oldperms;
const char *export_path; const char *export_path;
debug_decl(main, SUDOERS_DEBUG_MAIN) debug_decl(main, SUDOERS_DEBUG_MAIN)
@@ -253,7 +252,7 @@ main(int argc, char *argv[])
sudoersparse(); sudoersparse();
(void) update_defaults(SETDEF_GENERIC|SETDEF_HOST|SETDEF_USER); (void) update_defaults(SETDEF_GENERIC|SETDEF_HOST|SETDEF_USER);
editor = get_editor(&args); editor = get_editor(&editor_argc, &editor_argv);
/* Install signal handlers to clean up temp files if we are killed. */ /* Install signal handlers to clean up temp files if we are killed. */
setup_signals(); setup_signals();
@@ -267,14 +266,14 @@ main(int argc, char *argv[])
while ((ch = getchar()) != EOF && ch != '\n') while ((ch = getchar()) != EOF && ch != '\n')
continue; continue;
} }
edit_sudoers(sp, editor, args, -1); edit_sudoers(sp, editor, editor_argc, editor_argv, -1);
} }
/* /*
* Check edited files for a parse error, re-edit any that fail * Check edited files for a parse error, re-edit any that fail
* and install the edited files as needed. * and install the edited files as needed.
*/ */
if (reparse_sudoers(editor, args, strict, quiet)) { if (reparse_sudoers(editor, editor_argc, editor_argv, strict, quiet)) {
TAILQ_FOREACH(sp, &sudoerslist, entries) { TAILQ_FOREACH(sp, &sudoerslist, entries) {
if (sp->doedit) if (sp->doedit)
(void) install_sudoers(sp, oldperms); (void) install_sudoers(sp, oldperms);
@@ -286,6 +285,75 @@ done:
exit(exitcode); exit(exitcode);
} }
static char *
get_editor(int *editor_argc, char ***editor_argv)
{
char *editor, *editor_path = NULL, **whitelist = NULL;
static char *files[] = { "+1", "sudoers" };
unsigned int whitelist_len = 0;
debug_decl(get_editor, SUDOERS_DEBUG_UTIL)
/* Build up editor whitelist from def_editor unless env_editor is set. */
if (!def_env_editor) {
const char *cp, *ep;
const char *def_editor_end = def_editor + strlen(def_editor);
/* Count number of entries in whitelist and split into a list. */
for (cp = sudo_strsplit(def_editor, def_editor_end, ":", &ep);
cp != NULL; cp = sudo_strsplit(NULL, def_editor_end, ":", &ep)) {
whitelist_len++;
}
whitelist = reallocarray(NULL, whitelist_len + 1, sizeof(char *));
if (whitelist == NULL)
sudo_fatalx(U_("unable to allocate memory"));
whitelist_len = 0;
for (cp = sudo_strsplit(def_editor, def_editor_end, ":", &ep);
cp != NULL; cp = sudo_strsplit(NULL, def_editor_end, ":", &ep)) {
whitelist[whitelist_len] = strndup(cp, (size_t)(ep - cp));
if (whitelist[whitelist_len] == NULL)
sudo_fatalx(U_("unable to allocate memory"));
whitelist_len++;
}
whitelist[whitelist_len] = NULL;
}
/* First try to use user's VISUAL or EDITOR environment vars. */
if ((editor = getenv("VISUAL")) == NULL || *editor == '\0')
editor = getenv("EDITOR");
if (editor && *editor == '\0')
editor = NULL;
if (editor != NULL) {
editor_path = resolve_editor(editor, strlen(editor), 2, files,
editor_argc, editor_argv, whitelist);
if (def_env_editor && editor_path == NULL) {
/* If we are honoring $EDITOR this is a fatal error. */
sudo_fatalx(U_("specified editor (%s) doesn't exist"), editor);
}
}
if (editor_path == NULL) {
/* def_editor could be a path, split it up, avoiding strtok() */
const char *def_editor_end = def_editor + strlen(def_editor);
const char *cp, *ep;
for (cp = sudo_strsplit(def_editor, def_editor_end, ":", &ep);
cp != NULL; cp = sudo_strsplit(NULL, def_editor_end, ":", &ep)) {
editor_path = resolve_editor(cp, (size_t)(ep - cp), 2, files,
editor_argc, editor_argv, whitelist);
if (editor_path == NULL && errno != ENOENT)
debug_return_str(NULL);
} while (ep != NULL && editor_path == NULL);
}
if (editor_path == NULL)
sudo_fatalx(U_("no editor found (editor path = %s)"), def_editor);
if (whitelist != NULL) {
while (whitelist_len--)
free(whitelist[whitelist_len]);
free(whitelist);
}
debug_return_str(editor_path);
}
/* /*
* List of editors that support the "+lineno" command line syntax. * List of editors that support the "+lineno" command line syntax.
* If an entry starts with '*' the tail end of the string is matched. * If an entry starts with '*' the tail end of the string is matched.
@@ -310,19 +378,52 @@ static char *lineno_editors[] = {
NULL NULL
}; };
/*
* Check whether or not the specified editor matched lineno_editors[].
* Returns true if yes, false if no.
*/
static bool
editor_supports_plus(const char *editor)
{
const char *editor_base = strrchr(editor, '/');
const char *cp;
char **av;
debug_decl(editor_supports_plus, SUDOERS_DEBUG_UTIL)
if (editor_base != NULL)
editor_base++;
else
editor_base = editor;
if (*editor_base == 'r')
editor_base++;
for (av = lineno_editors; (cp = *av) != NULL; av++) {
/* We only handle a leading '*' wildcard. */
if (*cp == '*') {
size_t blen = strlen(editor_base);
size_t clen = strlen(++cp);
if (blen >= clen) {
if (strcmp(cp, editor_base + blen - clen) == 0)
break;
}
} else if (strcmp(cp, editor_base) == 0)
break;
}
debug_return_bool(cp != NULL);
}
/* /*
* Edit each sudoers file. * Edit each sudoers file.
* Returns true on success, else false. * Returns true on success, else false.
*/ */
static bool static bool
edit_sudoers(struct sudoersfile *sp, char *editor, char *args, int lineno) edit_sudoers(struct sudoersfile *sp, char *editor, int editor_argc,
char **editor_argv, int lineno)
{ {
int tfd; /* sudoers temp file descriptor */ int tfd; /* sudoers temp file descriptor */
bool modified; /* was the file modified? */ bool modified; /* was the file modified? */
int ac; /* argument count */ int ac; /* argument count */
char **av; /* argument vector for run_command */ char buf[4096]; /* buffer used for copying files */
char *cp; /* scratch char pointer */
char buf[PATH_MAX*2]; /* buffer used for copying files */
char linestr[64]; /* string version of lineno */ char linestr[64]; /* string version of lineno */
struct timespec ts, times[2]; /* time before and after edit */ struct timespec ts, times[2]; /* time before and after edit */
struct timespec orig_mtim; /* starting mtime of sudoers file */ struct timespec orig_mtim; /* starting mtime of sudoers file */
@@ -365,69 +466,21 @@ edit_sudoers(struct sudoersfile *sp, char *editor, char *args, int lineno)
times[0].tv_nsec = times[1].tv_nsec = orig_mtim.tv_nsec; times[0].tv_nsec = times[1].tv_nsec = orig_mtim.tv_nsec;
(void) utimensat(AT_FDCWD, sp->tpath, times, 0); (void) utimensat(AT_FDCWD, sp->tpath, times, 0);
/* Does the editor support +lineno? */ /* Disable +lineno if editor doesn't support it. */
if (lineno > 0) if (lineno > 0 && !editor_supports_plus(editor))
{
char *editor_base = strrchr(editor, '/');
if (editor_base != NULL)
editor_base++;
else
editor_base = editor;
if (*editor_base == 'r')
editor_base++;
for (av = lineno_editors; (cp = *av) != NULL; av++) {
/* We only handle a leading '*' wildcard. */
if (*cp == '*') {
size_t blen = strlen(editor_base);
size_t clen = strlen(++cp);
if (blen >= clen) {
if (strcmp(cp, editor_base + blen - clen) == 0)
break;
}
} else if (strcmp(cp, editor_base) == 0)
break;
}
/* Disable +lineno if editor doesn't support it. */
if (cp == NULL)
lineno = -1; lineno = -1;
}
/* Find the length of the argument vector */ /*
ac = 3 + (lineno > 0); * We pre-allocated 2 extra spaces for "+n filename" in argv.
if (args) { * Replace those placeholders with the real values.
bool wasblank; */
ac = editor_argc - 2;
ac++;
for (wasblank = false, cp = args; *cp; cp++) {
if (isblank((unsigned char) *cp))
wasblank = true;
else if (wasblank) {
wasblank = false;
ac++;
}
}
}
/* Build up argument vector for the command */
av = reallocarray(NULL, ac, sizeof(char *));
if (av == NULL)
sudo_fatalx(U_("unable to allocate memory"));
if ((av[0] = strrchr(editor, '/')) != NULL)
av[0]++;
else
av[0] = editor;
ac = 1;
if (lineno > 0) { if (lineno > 0) {
(void) snprintf(linestr, sizeof(linestr), "+%d", lineno); (void)snprintf(linestr, sizeof(linestr), "+%d", lineno);
av[ac++] = linestr; editor_argv[ac++] = linestr;
} }
if (args) { editor_argv[ac++] = sp->tpath;
for ((cp = strtok(args, " \t")); cp; (cp = strtok(NULL, " \t"))) editor_argv[ac++] = NULL;
av[ac++] = cp;
}
av[ac++] = sp->tpath;
av[ac++] = NULL;
/* /*
* Do the edit: * Do the edit:
@@ -440,7 +493,7 @@ edit_sudoers(struct sudoersfile *sp, char *editor, char *args, int lineno)
goto done; goto done;
} }
if (run_command(editor, av) != -1) { if (run_command(editor, editor_argv) != -1) {
if (sudo_gettime_real(&times[1]) == -1) { if (sudo_gettime_real(&times[1]) == -1) {
sudo_warn(U_("unable to read the clock")); sudo_warn(U_("unable to read the clock"));
goto done; goto done;
@@ -495,7 +548,8 @@ done:
* Parse sudoers after editing and re-edit any ones that caused a parse error. * Parse sudoers after editing and re-edit any ones that caused a parse error.
*/ */
static bool static bool
reparse_sudoers(char *editor, char *args, bool strict, bool quiet) reparse_sudoers(char *editor, int editor_argc, char **editor_argv,
bool strict, bool quiet)
{ {
struct sudoersfile *sp, *last; struct sudoersfile *sp, *last;
FILE *fp; FILE *fp;
@@ -550,7 +604,8 @@ reparse_sudoers(char *editor, char *args, bool strict, bool quiet)
/* Edit file with the parse error */ /* Edit file with the parse error */
TAILQ_FOREACH(sp, &sudoerslist, entries) { TAILQ_FOREACH(sp, &sudoerslist, entries) {
if (errorfile == NULL || strcmp(sp->path, errorfile) == 0) { if (errorfile == NULL || strcmp(sp->path, errorfile) == 0) {
edit_sudoers(sp, editor, args, errorlineno); edit_sudoers(sp, editor, editor_argc, editor_argv,
errorlineno);
if (errorfile != NULL) if (errorfile != NULL)
break; break;
} }
@@ -568,7 +623,8 @@ reparse_sudoers(char *editor, char *args, bool strict, bool quiet)
printf(_("press return to edit %s: "), sp->path); printf(_("press return to edit %s: "), sp->path);
while ((ch = getchar()) != EOF && ch != '\n') while ((ch = getchar()) != EOF && ch != '\n')
continue; continue;
edit_sudoers(sp, editor, args, errorlineno); edit_sudoers(sp, editor, editor_argc, editor_argv,
errorlineno);
} }
/* If all sudoers files parsed OK we are done. */ /* If all sudoers files parsed OK we are done. */
@@ -952,129 +1008,6 @@ open_sudoers(const char *path, bool doedit, bool *keepopen)
debug_return_ptr(fp); debug_return_ptr(fp);
} }
static char *
get_editor(char **args)
{
char *Editor, *EditorArgs, *EditorPath, *UserEditor, *UserEditorArgs;
debug_decl(get_editor, SUDOERS_DEBUG_UTIL)
/*
* Check VISUAL and EDITOR environment variables to see which editor
* the user wants to use (we may not end up using it though).
* If the path is not fully-qualified, make it so and check that
* the specified executable actually exists.
*/
UserEditorArgs = NULL;
if ((UserEditor = getenv("VISUAL")) == NULL || *UserEditor == '\0')
UserEditor = getenv("EDITOR");
if (UserEditor && *UserEditor == '\0')
UserEditor = NULL;
else if (UserEditor) {
UserEditorArgs = get_args(UserEditor);
if (find_path(UserEditor, &Editor, NULL, getenv("PATH"), 0) == FOUND) {
UserEditor = Editor;
} else {
if (def_env_editor) {
/* If we are honoring $EDITOR this is a fatal error. */
sudo_fatalx(U_("specified editor (%s) doesn't exist"), UserEditor);
} else {
/* Otherwise, just ignore $EDITOR. */
UserEditor = NULL;
}
}
}
/*
* See if we can use the user's choice of editors either because
* we allow any $EDITOR or because $EDITOR is in the allowable list.
*/
Editor = EditorArgs = EditorPath = NULL;
if (def_env_editor && UserEditor) {
Editor = UserEditor;
EditorArgs = UserEditorArgs;
} else if (UserEditor) {
struct stat editor_sb;
struct stat user_editor_sb;
char *base, *userbase;
if (stat(UserEditor, &user_editor_sb) != 0) {
/* Should never happen since we already checked above. */
sudo_fatal(U_("unable to stat editor (%s)"), UserEditor);
}
if ((EditorPath = strdup(def_editor)) == NULL)
sudo_fatalx(U_("unable to allocate memory"));
Editor = strtok(EditorPath, ":");
do {
EditorArgs = get_args(Editor);
/*
* Both Editor and UserEditor should be fully qualified but
* check anyway...
*/
if ((base = strrchr(Editor, '/')) == NULL)
continue;
if ((userbase = strrchr(UserEditor, '/')) == NULL) {
Editor = NULL;
break;
}
base++, userbase++;
/*
* We compare the basenames first and then use stat to match
* for sure.
*/
if (strcmp(base, userbase) == 0) {
if (stat(Editor, &editor_sb) == 0 && S_ISREG(editor_sb.st_mode)
&& (editor_sb.st_mode & 0000111) &&
editor_sb.st_dev == user_editor_sb.st_dev &&
editor_sb.st_ino == user_editor_sb.st_ino)
break;
}
} while ((Editor = strtok(NULL, ":")));
}
/*
* Can't use $EDITOR, try each element of def_editor until we
* find one that exists, is regular, and is executable.
*/
if (Editor == NULL || *Editor == '\0') {
free(EditorPath);
if ((EditorPath = strdup(def_editor)) == NULL)
sudo_fatalx(U_("unable to allocate memory"));
Editor = strtok(EditorPath, ":");
do {
EditorArgs = get_args(Editor);
if (sudo_goodpath(Editor, NULL))
break;
} while ((Editor = strtok(NULL, ":")));
/* Bleah, none of the editors existed! */
if (Editor == NULL || *Editor == '\0')
sudo_fatalx(U_("no editor found (editor path = %s)"), def_editor);
}
*args = EditorArgs;
debug_return_str(Editor);
}
/*
* Split out any command line arguments and return them.
*/
static char *
get_args(char *cmnd)
{
char *args;
debug_decl(get_args, SUDOERS_DEBUG_UTIL)
args = cmnd;
while (*args && !isblank((unsigned char) *args))
args++;
if (*args) {
*args++ = '\0';
while (*args && isblank((unsigned char) *args))
args++;
}
debug_return_str(*args ? args : NULL);
}
/* /*
* Look up the hostname and set user_host and user_shost. * Look up the hostname and set user_host and user_shost.
*/ */