isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

nss-ify display_privs and display_cmnd.

Browse Source
This commit is contained in:
Todd C. Miller
2007-12-31 15:08:30 +00:00
parent 3008bb494a
commit adfaebdb4d
4 changed files with 151 additions and 119 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
ldap.c
View File

@@ -217,7 +217,6 @@ static struct ldap_config_table ldap_conf_table[] = {
{ NULL } { NULL }
}; };
/* XXX - add display_cmnd and display_privs */
struct sudo_nss sudo_nss_ldap = { struct sudo_nss sudo_nss_ldap = {
&sudo_nss_ldap, &sudo_nss_ldap,
NULL, NULL,
@@ -225,7 +224,9 @@ struct sudo_nss sudo_nss_ldap = {
sudo_ldap_close, sudo_ldap_close,
sudo_ldap_parse, sudo_ldap_parse,
sudo_ldap_setdefs, sudo_ldap_setdefs,
sudo_ldap_lookup sudo_ldap_lookup,
sudo_ldap_display_privs,
sudo_ldap_display_cmnd
}; };
/* /*
@@ -849,19 +850,22 @@ sudo_ldap_read_config()
} }
/* /*
* Like sudo_ldap_check(), except we just print entries. * Like sudo_ldap_lookup(), except we just print entries.
*/ */
void void
sudo_ldap_display_privs(ldv, pw) sudo_ldap_display_privs(nss, pw)
void *ldv; struct sudo_nss *nss;
struct passwd *pw; struct passwd *pw;
{ {
LDAP *ld = (LDAP *) ldv; LDAP *ld = (LDAP *) nss->handle;
LDAPMessage *entry = NULL, *result = NULL; /* used for searches */ LDAPMessage *entry = NULL, *result = NULL; /* used for searches */
char *filt; /* used to parse attributes */ char *filt; /* used to parse attributes */
char *dn, **edn, **v, **p; char *dn, **edn, **v, **p;
int rc, do_netgr; int rc, do_netgr;
if (ld == NULL)
return;
/* /*
* First, get (and display) the global Options. * First, get (and display) the global Options.
*/ */
@@ -983,15 +987,18 @@ sudo_ldap_display_privs(ldv, pw)
} }
int int
sudo_ldap_display_cmnd(ldv, pw) sudo_ldap_display_cmnd(nss, pw)
void *ldv; struct sudo_nss *nss;
struct passwd *pw; struct passwd *pw;
{ {
LDAP *ld = (LDAP *) ldv; LDAP *ld = (LDAP *) nss->handle;
LDAPMessage *entry = NULL, *result = NULL; /* used for searches */ LDAPMessage *entry = NULL, *result = NULL; /* used for searches */
char *filt; /* used to parse attributes */ char *filt; /* used to parse attributes */
int rc, found, do_netgr; /* temp/final return values */ int rc, found, do_netgr; /* temp/final return values */
if (ld == NULL)
return(1);
/* /*
* Okay - time to search for anything that matches this user * Okay - time to search for anything that matches this user
* Lets limit it to only two queries of the LDAP server * Lets limit it to only two queries of the LDAP server

231
parse.c
View File

@@ -63,7 +63,9 @@ struct sudo_nss sudo_nss_file = {
sudo_file_close, sudo_file_close,
sudo_file_parse, sudo_file_parse,
sudo_file_setdefs, sudo_file_setdefs,
sudo_file_lookup sudo_file_lookup,
sudo_file_display_privs,
sudo_file_display_cmnd
}; };
/* /*
@@ -296,23 +298,21 @@ sudo_file_lookup(nss, pwflag)
/* /*
* Print out privileges for the specified user. * Print out privileges for the specified user.
* XXX - move out of parse.c
*/ */
void void
display_privs(v, pw) display_privs(snl, pw)
void *v; struct sudo_nss_list *snl;
struct passwd *pw; struct passwd *pw;
{ {
struct lbuf lbuf; struct sudo_nss *nss;
struct cmndspec *cs;
struct member *m;
struct privilege *priv;
struct userspec *us;
struct cmndtag tags;
#if defined(HAVE_INITGROUPS) && defined(HAVE_GETGROUPS) #if defined(HAVE_INITGROUPS) && defined(HAVE_GETGROUPS)
/* XXX - refactor and call for display_cmnd too */
/* Set group vector so group matching works correctly. */ /* Set group vector so group matching works correctly. */
if (pw != sudo_user.pw) { if (pw != sudo_user.pw) {
(void) initgroups(pw->pw_name, pw->pw_gid); (void) initgroups(pw->pw_name, pw->pw_gid);
efree(user_groups);
if ((user_ngroups = getgroups(0, NULL)) > 0) { if ((user_ngroups = getgroups(0, NULL)) > 0) {
user_groups = erealloc3(user_groups, user_ngroups, user_groups = erealloc3(user_groups, user_ngroups,
sizeof(GETGROUPS_T)); sizeof(GETGROUPS_T));
@@ -323,77 +323,86 @@ display_privs(v, pw)
} }
#endif #endif
if (!def_ignore_local_sudoers) { tq_foreach_fwd(snl, nss)
display_defaults(pw); nss->display_privs(nss, pw);
}
lbuf_init(&lbuf, NULL, 8, '\\'); void
printf("User %s may run the following commands on this host:\n", sudo_file_display_privs(nss, pw)
pw->pw_name); struct sudo_nss *nss;
struct passwd *pw;
{
struct lbuf lbuf;
struct cmndspec *cs;
struct member *m;
struct privilege *priv;
struct userspec *us;
struct cmndtag tags;
tq_foreach_fwd(&userspecs, us) { display_defaults(pw);
/* XXX - why only check the first privilege here? */
if (userlist_matches(pw, &us->users) != ALLOW ||
hostlist_matches(&us->privileges.first->hostlist) != ALLOW)
continue;
tq_foreach_fwd(&us->privileges, priv) { lbuf_init(&lbuf, NULL, 8, '\\');
tags.noexec = def_noexec; printf("User %s may run the following commands on this host:\n",
tags.setenv = def_setenv; pw->pw_name);
tags.nopasswd = !def_authenticate;
lbuf_append(&lbuf, " ", NULL); tq_foreach_fwd(&userspecs, us) {
tq_foreach_fwd(&priv->cmndlist, cs) { /* XXX - why only check the first privilege here? */
if (cs != tq_first(&priv->cmndlist)) if (userlist_matches(pw, &us->users) != ALLOW ||
lbuf_append(&lbuf, ", ", NULL); hostlist_matches(&us->privileges.first->hostlist) != ALLOW)
lbuf_append(&lbuf, "(", NULL); continue;
if (!tq_empty(&cs->runasuserlist)) {
tq_foreach_fwd(&cs->runasuserlist, m) { tq_foreach_fwd(&us->privileges, priv) {
if (m != tq_first(&cs->runasuserlist)) tags.noexec = def_noexec;
lbuf_append(&lbuf, ", ", NULL); tags.setenv = def_setenv;
print_member(&lbuf, m->name, m->type, m->negated, tags.nopasswd = !def_authenticate;
RUNASALIAS); lbuf_append(&lbuf, " ", NULL);
} tq_foreach_fwd(&priv->cmndlist, cs) {
} else { if (cs != tq_first(&priv->cmndlist))
lbuf_append(&lbuf, def_runas_default, NULL); lbuf_append(&lbuf, ", ", NULL);
lbuf_append(&lbuf, "(", NULL);
if (!tq_empty(&cs->runasuserlist)) {
tq_foreach_fwd(&cs->runasuserlist, m) {
if (m != tq_first(&cs->runasuserlist))
lbuf_append(&lbuf, ", ", NULL);
print_member(&lbuf, m->name, m->type, m->negated,
RUNASALIAS);
} }
if (!tq_empty(&cs->runasgrouplist)) { } else {
lbuf_append(&lbuf, " : ", NULL); lbuf_append(&lbuf, def_runas_default, NULL);
tq_foreach_fwd(&cs->runasgrouplist, m) {
if (m != tq_first(&cs->runasgrouplist))
lbuf_append(&lbuf, ", ", NULL);
print_member(&lbuf, m->name, m->type, m->negated,
RUNASALIAS);
}
}
lbuf_append(&lbuf, ") ", NULL);
if (TAG_CHANGED(setenv)) {
lbuf_append(&lbuf, cs->tags.setenv ? "SETENV: " :
"NOSETENV: ", NULL);
tags.setenv = cs->tags.setenv;
}
if (TAG_CHANGED(noexec)) {
lbuf_append(&lbuf, cs->tags.noexec ? "NOEXEC: " :
"EXEC: ", NULL);
tags.noexec = cs->tags.noexec;
}
if (TAG_CHANGED(nopasswd)) {
lbuf_append(&lbuf, cs->tags.nopasswd ? "NOPASSWD: " :
"PASSWD: ", NULL);
tags.nopasswd = cs->tags.nopasswd;
}
m = cs->cmnd;
print_member(&lbuf, m->name, m->type, m->negated,
CMNDALIAS);
} }
lbuf_print(&lbuf); if (!tq_empty(&cs->runasgrouplist)) {
lbuf_append(&lbuf, " : ", NULL);
tq_foreach_fwd(&cs->runasgrouplist, m) {
if (m != tq_first(&cs->runasgrouplist))
lbuf_append(&lbuf, ", ", NULL);
print_member(&lbuf, m->name, m->type, m->negated,
RUNASALIAS);
}
}
lbuf_append(&lbuf, ") ", NULL);
if (TAG_CHANGED(setenv)) {
lbuf_append(&lbuf, cs->tags.setenv ? "SETENV: " :
"NOSETENV: ", NULL);
tags.setenv = cs->tags.setenv;
}
if (TAG_CHANGED(noexec)) {
lbuf_append(&lbuf, cs->tags.noexec ? "NOEXEC: " :
"EXEC: ", NULL);
tags.noexec = cs->tags.noexec;
}
if (TAG_CHANGED(nopasswd)) {
lbuf_append(&lbuf, cs->tags.nopasswd ? "NOPASSWD: " :
"PASSWD: ", NULL);
tags.nopasswd = cs->tags.nopasswd;
}
m = cs->cmnd;
print_member(&lbuf, m->name, m->type, m->negated,
CMNDALIAS);
} }
lbuf_print(&lbuf);
} }
lbuf_destroy(&lbuf);
} }
/* XXX - nss */ lbuf_destroy(&lbuf);
#ifdef HAVE_LDAP
if (v != NULL)
sudo_ldap_display_privs(v, pw);
#endif
} }
/* /*
@@ -526,10 +535,28 @@ display_bound_defaults(dtype)
/* /*
* Check user_cmnd against sudoers and print the matching entry if the * Check user_cmnd against sudoers and print the matching entry if the
* command is allowed. * command is allowed.
* XXX - move out of parse.c
*/ */
int int
display_cmnd(v, pw) display_cmnd(snl, pw)
void *v; struct sudo_nss_list *snl;
struct passwd *pw;
{
struct sudo_nss *nss;
int rval = 1;
/* XXX - reset group vector? */
tq_foreach_fwd(snl, nss) {
if (nss->display_cmnd(nss, pw) == 0)
rval = 0;
}
return(rval);
}
int
sudo_file_display_cmnd(nss, pw)
struct sudo_nss *nss;
struct passwd *pw; struct passwd *pw;
{ {
struct cmndspec *cs; struct cmndspec *cs;
@@ -539,41 +566,37 @@ display_cmnd(v, pw)
int rval = 1; int rval = 1;
int host_match, runas_match, cmnd_match; int host_match, runas_match, cmnd_match;
/* XXX - nss */ if (nss->handle == NULL)
#ifdef HAVE_LDAP return(rval);
if (v != NULL)
rval = sudo_ldap_display_cmnd(v, pw);
#endif
if (rval != 0 && !def_ignore_local_sudoers) {
match = NULL;
tq_foreach_rev(&userspecs, us) {
if (userlist_matches(pw, &us->users) != ALLOW)
continue;
tq_foreach_rev(&us->privileges, priv) { match = NULL;
host_match = hostlist_matches(&priv->hostlist); tq_foreach_rev(&userspecs, us) {
if (host_match != ALLOW) if (userlist_matches(pw, &us->users) != ALLOW)
continue; continue;
tq_foreach_rev(&priv->cmndlist, cs) {
runas_match = runaslist_matches(&cs->runasuserlist, tq_foreach_rev(&us->privileges, priv) {
&cs->runasgrouplist); host_match = hostlist_matches(&priv->hostlist);
if (runas_match == ALLOW) { if (host_match != ALLOW)
cmnd_match = cmnd_matches(cs->cmnd); continue;
if (cmnd_match != UNSPEC) { tq_foreach_rev(&priv->cmndlist, cs) {
match = host_match && runas_match ? runas_match = runaslist_matches(&cs->runasuserlist,
cs->cmnd : NULL; &cs->runasgrouplist);
goto matched; if (runas_match == ALLOW) {
} cmnd_match = cmnd_matches(cs->cmnd);
if (cmnd_match != UNSPEC) {
match = host_match && runas_match ?
cs->cmnd : NULL;
goto matched;
} }
} }
} }
} }
matched: }
if (match != NULL && !match->negated) { matched:
printf("%s%s%s\n", safe_cmnd, user_args ? " " : "", if (match != NULL && !match->negated) {
user_args ? user_args : ""); printf("%s%s%s\n", safe_cmnd, user_args ? " " : "",
rval = 0; user_args ? user_args : "");
} rval = 0;
} }
return(rval); return(rval);
} }

4
sudo.c
View File

@@ -421,9 +421,9 @@ main(argc, argv, envp)
log_auth(validated, 1); log_auth(validated, 1);
if (sudo_mode == MODE_CHECK) if (sudo_mode == MODE_CHECK)
rc = display_cmnd(NULL, list_pw ? list_pw : sudo_user.pw); rc = display_cmnd(snl, list_pw ? list_pw : sudo_user.pw);
else if (sudo_mode == MODE_LIST) else if (sudo_mode == MODE_LIST)
display_privs(NULL, list_pw ? list_pw : sudo_user.pw); display_privs(snl, list_pw ? list_pw : sudo_user.pw);
/* Cleanup sudoers sources */ /* Cleanup sudoers sources */
tq_foreach_fwd(snl, nss) tq_foreach_fwd(snl, nss)

10
sudo.h
View File

@@ -227,13 +227,13 @@ int find_path __P((char *, char **, struct stat *, char *));
void check_user __P((int)); void check_user __P((int));
void verify_user __P((struct passwd *, char *)); void verify_user __P((struct passwd *, char *));
#ifdef HAVE_LDAP #ifdef HAVE_LDAP
void sudo_ldap_display_privs __P((void *, struct passwd *));
int sudo_ldap_display_cmnd __P((void *, struct passwd *));
int sudo_ldap_open __P((struct sudo_nss *)); int sudo_ldap_open __P((struct sudo_nss *));
int sudo_ldap_close __P((struct sudo_nss *)); int sudo_ldap_close __P((struct sudo_nss *));
int sudo_ldap_setdefs __P((struct sudo_nss *)); int sudo_ldap_setdefs __P((struct sudo_nss *));
int sudo_ldap_lookup __P((struct sudo_nss *, int)); int sudo_ldap_lookup __P((struct sudo_nss *, int));
int sudo_ldap_parse __P((struct sudo_nss *)); int sudo_ldap_parse __P((struct sudo_nss *));
void sudo_ldap_display_privs __P((struct sudo_nss *, struct passwd *));
int sudo_ldap_display_cmnd __P((struct sudo_nss *, struct passwd *));
#endif #endif
#if 1 #if 1
int sudo_file_open __P((struct sudo_nss *)); int sudo_file_open __P((struct sudo_nss *));
@@ -241,6 +241,8 @@ int sudo_file_close __P((struct sudo_nss *));
int sudo_file_setdefs __P((struct sudo_nss *)); int sudo_file_setdefs __P((struct sudo_nss *));
int sudo_file_lookup __P((struct sudo_nss *, int)); int sudo_file_lookup __P((struct sudo_nss *, int));
int sudo_file_parse __P((struct sudo_nss *)); int sudo_file_parse __P((struct sudo_nss *));
void sudo_file_display_privs __P((struct sudo_nss *, struct passwd *));
int sudo_file_display_cmnd __P((struct sudo_nss *, struct passwd *));
#endif #endif
void set_perms __P((int)); void set_perms __P((int));
void remove_timestamp __P((int)); void remove_timestamp __P((int));
@@ -273,8 +275,8 @@ int pam_prep_user __P((struct passwd *));
void zero_bytes __P((volatile void *, size_t)); void zero_bytes __P((volatile void *, size_t));
int gettime __P((struct timespec *)); int gettime __P((struct timespec *));
FILE *open_sudoers __P((const char *, int *)); FILE *open_sudoers __P((const char *, int *));
void display_privs __P((void *, struct passwd *)); void display_privs __P((struct sudo_nss_list *, struct passwd *));
int display_cmnd __P((void *, struct passwd *)); int display_cmnd __P((struct sudo_nss_list *, struct passwd *));
int get_ttycols __P((void)); int get_ttycols __P((void));
void sudo_setenv __P((const char *, const char *, int)); void sudo_setenv __P((const char *, const char *, int));
void sudo_unsetenv __P((const char *)); void sudo_unsetenv __P((const char *));