nss-ify display_privs and display_cmnd.
This commit is contained in:
Todd C. Miller
25
ldap.c
25
ldap.c
@@ -217,7 +217,6 @@ static struct ldap_config_table ldap_conf_table[] = {
|
||||
{ NULL }
|
||||
};
|
||||
|
||||
/* XXX - add display_cmnd and display_privs */
|
||||
struct sudo_nss sudo_nss_ldap = {
|
||||
&sudo_nss_ldap,
|
||||
NULL,
|
||||
@@ -225,7 +224,9 @@ struct sudo_nss sudo_nss_ldap = {
|
||||
sudo_ldap_close,
|
||||
sudo_ldap_parse,
|
||||
sudo_ldap_setdefs,
|
||||
sudo_ldap_lookup
|
||||
sudo_ldap_lookup,
|
||||
sudo_ldap_display_privs,
|
||||
sudo_ldap_display_cmnd
|
||||
};
|
||||
|
||||
/*
|
||||
@@ -849,19 +850,22 @@ sudo_ldap_read_config()
|
||||
}
|
||||
|
||||
/*
|
||||
* Like sudo_ldap_check(), except we just print entries.
|
||||
* Like sudo_ldap_lookup(), except we just print entries.
|
||||
*/
|
||||
void
|
||||
sudo_ldap_display_privs(ldv, pw)
|
||||
void *ldv;
|
||||
sudo_ldap_display_privs(nss, pw)
|
||||
struct sudo_nss *nss;
|
||||
struct passwd *pw;
|
||||
{
|
||||
LDAP *ld = (LDAP *) ldv;
|
||||
LDAP *ld = (LDAP *) nss->handle;
|
||||
LDAPMessage *entry = NULL, *result = NULL; /* used for searches */
|
||||
char *filt; /* used to parse attributes */
|
||||
char *dn, **edn, **v, **p;
|
||||
int rc, do_netgr;
|
||||
|
||||
if (ld == NULL)
|
||||
return;
|
||||
|
||||
/*
|
||||
* First, get (and display) the global Options.
|
||||
*/
|
||||
@@ -983,15 +987,18 @@ sudo_ldap_display_privs(ldv, pw)
|
||||
}
|
||||
|
||||
int
|
||||
sudo_ldap_display_cmnd(ldv, pw)
|
||||
void *ldv;
|
||||
sudo_ldap_display_cmnd(nss, pw)
|
||||
struct sudo_nss *nss;
|
||||
struct passwd *pw;
|
||||
{
|
||||
LDAP *ld = (LDAP *) ldv;
|
||||
LDAP *ld = (LDAP *) nss->handle;
|
||||
LDAPMessage *entry = NULL, *result = NULL; /* used for searches */
|
||||
char *filt; /* used to parse attributes */
|
||||
int rc, found, do_netgr; /* temp/final return values */
|
||||
|
||||
if (ld == NULL)
|
||||
return(1);
|
||||
|
||||
/*
|
||||
* Okay - time to search for anything that matches this user
|
||||
* Lets limit it to only two queries of the LDAP server
|
||||
|
||||
231
parse.c
231
parse.c
@@ -63,7 +63,9 @@ struct sudo_nss sudo_nss_file = {
|
||||
sudo_file_close,
|
||||
sudo_file_parse,
|
||||
sudo_file_setdefs,
|
||||
sudo_file_lookup
|
||||
sudo_file_lookup,
|
||||
sudo_file_display_privs,
|
||||
sudo_file_display_cmnd
|
||||
};
|
||||
|
||||
/*
|
||||
@@ -296,23 +298,21 @@ sudo_file_lookup(nss, pwflag)
|
||||
|
||||
/*
|
||||
* Print out privileges for the specified user.
|
||||
* XXX - move out of parse.c
|
||||
*/
|
||||
void
|
||||
display_privs(v, pw)
|
||||
void *v;
|
||||
display_privs(snl, pw)
|
||||
struct sudo_nss_list *snl;
|
||||
struct passwd *pw;
|
||||
{
|
||||
struct lbuf lbuf;
|
||||
struct cmndspec *cs;
|
||||
struct member *m;
|
||||
struct privilege *priv;
|
||||
struct userspec *us;
|
||||
struct cmndtag tags;
|
||||
struct sudo_nss *nss;
|
||||
|
||||
#if defined(HAVE_INITGROUPS) && defined(HAVE_GETGROUPS)
|
||||
/* XXX - refactor and call for display_cmnd too */
|
||||
/* Set group vector so group matching works correctly. */
|
||||
if (pw != sudo_user.pw) {
|
||||
(void) initgroups(pw->pw_name, pw->pw_gid);
|
||||
efree(user_groups);
|
||||
if ((user_ngroups = getgroups(0, NULL)) > 0) {
|
||||
user_groups = erealloc3(user_groups, user_ngroups,
|
||||
sizeof(GETGROUPS_T));
|
||||
@@ -323,77 +323,86 @@ display_privs(v, pw)
|
||||
}
|
||||
#endif
|
||||
|
||||
if (!def_ignore_local_sudoers) {
|
||||
display_defaults(pw);
|
||||
tq_foreach_fwd(snl, nss)
|
||||
nss->display_privs(nss, pw);
|
||||
}
|
||||
|
||||
lbuf_init(&lbuf, NULL, 8, '\\');
|
||||
printf("User %s may run the following commands on this host:\n",
|
||||
pw->pw_name);
|
||||
void
|
||||
sudo_file_display_privs(nss, pw)
|
||||
struct sudo_nss *nss;
|
||||
struct passwd *pw;
|
||||
{
|
||||
struct lbuf lbuf;
|
||||
struct cmndspec *cs;
|
||||
struct member *m;
|
||||
struct privilege *priv;
|
||||
struct userspec *us;
|
||||
struct cmndtag tags;
|
||||
|
||||
tq_foreach_fwd(&userspecs, us) {
|
||||
/* XXX - why only check the first privilege here? */
|
||||
if (userlist_matches(pw, &us->users) != ALLOW ||
|
||||
hostlist_matches(&us->privileges.first->hostlist) != ALLOW)
|
||||
continue;
|
||||
display_defaults(pw);
|
||||
|
||||
tq_foreach_fwd(&us->privileges, priv) {
|
||||
tags.noexec = def_noexec;
|
||||
tags.setenv = def_setenv;
|
||||
tags.nopasswd = !def_authenticate;
|
||||
lbuf_append(&lbuf, " ", NULL);
|
||||
tq_foreach_fwd(&priv->cmndlist, cs) {
|
||||
if (cs != tq_first(&priv->cmndlist))
|
||||
lbuf_append(&lbuf, ", ", NULL);
|
||||
lbuf_append(&lbuf, "(", NULL);
|
||||
if (!tq_empty(&cs->runasuserlist)) {
|
||||
tq_foreach_fwd(&cs->runasuserlist, m) {
|
||||
if (m != tq_first(&cs->runasuserlist))
|
||||
lbuf_append(&lbuf, ", ", NULL);
|
||||
print_member(&lbuf, m->name, m->type, m->negated,
|
||||
RUNASALIAS);
|
||||
}
|
||||
} else {
|
||||
lbuf_append(&lbuf, def_runas_default, NULL);
|
||||
lbuf_init(&lbuf, NULL, 8, '\\');
|
||||
printf("User %s may run the following commands on this host:\n",
|
||||
pw->pw_name);
|
||||
|
||||
tq_foreach_fwd(&userspecs, us) {
|
||||
/* XXX - why only check the first privilege here? */
|
||||
if (userlist_matches(pw, &us->users) != ALLOW ||
|
||||
hostlist_matches(&us->privileges.first->hostlist) != ALLOW)
|
||||
continue;
|
||||
|
||||
tq_foreach_fwd(&us->privileges, priv) {
|
||||
tags.noexec = def_noexec;
|
||||
tags.setenv = def_setenv;
|
||||
tags.nopasswd = !def_authenticate;
|
||||
lbuf_append(&lbuf, " ", NULL);
|
||||
tq_foreach_fwd(&priv->cmndlist, cs) {
|
||||
if (cs != tq_first(&priv->cmndlist))
|
||||
lbuf_append(&lbuf, ", ", NULL);
|
||||
lbuf_append(&lbuf, "(", NULL);
|
||||
if (!tq_empty(&cs->runasuserlist)) {
|
||||
tq_foreach_fwd(&cs->runasuserlist, m) {
|
||||
if (m != tq_first(&cs->runasuserlist))
|
||||
lbuf_append(&lbuf, ", ", NULL);
|
||||
print_member(&lbuf, m->name, m->type, m->negated,
|
||||
RUNASALIAS);
|
||||
}
|
||||
if (!tq_empty(&cs->runasgrouplist)) {
|
||||
lbuf_append(&lbuf, " : ", NULL);
|
||||
tq_foreach_fwd(&cs->runasgrouplist, m) {
|
||||
if (m != tq_first(&cs->runasgrouplist))
|
||||
lbuf_append(&lbuf, ", ", NULL);
|
||||
print_member(&lbuf, m->name, m->type, m->negated,
|
||||
RUNASALIAS);
|
||||
}
|
||||
}
|
||||
lbuf_append(&lbuf, ") ", NULL);
|
||||
if (TAG_CHANGED(setenv)) {
|
||||
lbuf_append(&lbuf, cs->tags.setenv ? "SETENV: " :
|
||||
"NOSETENV: ", NULL);
|
||||
tags.setenv = cs->tags.setenv;
|
||||
}
|
||||
if (TAG_CHANGED(noexec)) {
|
||||
lbuf_append(&lbuf, cs->tags.noexec ? "NOEXEC: " :
|
||||
"EXEC: ", NULL);
|
||||
tags.noexec = cs->tags.noexec;
|
||||
}
|
||||
if (TAG_CHANGED(nopasswd)) {
|
||||
lbuf_append(&lbuf, cs->tags.nopasswd ? "NOPASSWD: " :
|
||||
"PASSWD: ", NULL);
|
||||
tags.nopasswd = cs->tags.nopasswd;
|
||||
}
|
||||
m = cs->cmnd;
|
||||
print_member(&lbuf, m->name, m->type, m->negated,
|
||||
CMNDALIAS);
|
||||
} else {
|
||||
lbuf_append(&lbuf, def_runas_default, NULL);
|
||||
}
|
||||
lbuf_print(&lbuf);
|
||||
if (!tq_empty(&cs->runasgrouplist)) {
|
||||
lbuf_append(&lbuf, " : ", NULL);
|
||||
tq_foreach_fwd(&cs->runasgrouplist, m) {
|
||||
if (m != tq_first(&cs->runasgrouplist))
|
||||
lbuf_append(&lbuf, ", ", NULL);
|
||||
print_member(&lbuf, m->name, m->type, m->negated,
|
||||
RUNASALIAS);
|
||||
}
|
||||
}
|
||||
lbuf_append(&lbuf, ") ", NULL);
|
||||
if (TAG_CHANGED(setenv)) {
|
||||
lbuf_append(&lbuf, cs->tags.setenv ? "SETENV: " :
|
||||
"NOSETENV: ", NULL);
|
||||
tags.setenv = cs->tags.setenv;
|
||||
}
|
||||
if (TAG_CHANGED(noexec)) {
|
||||
lbuf_append(&lbuf, cs->tags.noexec ? "NOEXEC: " :
|
||||
"EXEC: ", NULL);
|
||||
tags.noexec = cs->tags.noexec;
|
||||
}
|
||||
if (TAG_CHANGED(nopasswd)) {
|
||||
lbuf_append(&lbuf, cs->tags.nopasswd ? "NOPASSWD: " :
|
||||
"PASSWD: ", NULL);
|
||||
tags.nopasswd = cs->tags.nopasswd;
|
||||
}
|
||||
m = cs->cmnd;
|
||||
print_member(&lbuf, m->name, m->type, m->negated,
|
||||
CMNDALIAS);
|
||||
}
|
||||
lbuf_print(&lbuf);
|
||||
}
|
||||
lbuf_destroy(&lbuf);
|
||||
}
|
||||
/* XXX - nss */
|
||||
#ifdef HAVE_LDAP
|
||||
if (v != NULL)
|
||||
sudo_ldap_display_privs(v, pw);
|
||||
#endif
|
||||
lbuf_destroy(&lbuf);
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -526,10 +535,28 @@ display_bound_defaults(dtype)
|
||||
/*
|
||||
* Check user_cmnd against sudoers and print the matching entry if the
|
||||
* command is allowed.
|
||||
* XXX - move out of parse.c
|
||||
*/
|
||||
int
|
||||
display_cmnd(v, pw)
|
||||
void *v;
|
||||
display_cmnd(snl, pw)
|
||||
struct sudo_nss_list *snl;
|
||||
struct passwd *pw;
|
||||
{
|
||||
struct sudo_nss *nss;
|
||||
int rval = 1;
|
||||
|
||||
/* XXX - reset group vector? */
|
||||
|
||||
tq_foreach_fwd(snl, nss) {
|
||||
if (nss->display_cmnd(nss, pw) == 0)
|
||||
rval = 0;
|
||||
}
|
||||
return(rval);
|
||||
}
|
||||
|
||||
int
|
||||
sudo_file_display_cmnd(nss, pw)
|
||||
struct sudo_nss *nss;
|
||||
struct passwd *pw;
|
||||
{
|
||||
struct cmndspec *cs;
|
||||
@@ -539,41 +566,37 @@ display_cmnd(v, pw)
|
||||
int rval = 1;
|
||||
int host_match, runas_match, cmnd_match;
|
||||
|
||||
/* XXX - nss */
|
||||
#ifdef HAVE_LDAP
|
||||
if (v != NULL)
|
||||
rval = sudo_ldap_display_cmnd(v, pw);
|
||||
#endif
|
||||
if (rval != 0 && !def_ignore_local_sudoers) {
|
||||
match = NULL;
|
||||
tq_foreach_rev(&userspecs, us) {
|
||||
if (userlist_matches(pw, &us->users) != ALLOW)
|
||||
continue;
|
||||
if (nss->handle == NULL)
|
||||
return(rval);
|
||||
|
||||
tq_foreach_rev(&us->privileges, priv) {
|
||||
host_match = hostlist_matches(&priv->hostlist);
|
||||
if (host_match != ALLOW)
|
||||
continue;
|
||||
tq_foreach_rev(&priv->cmndlist, cs) {
|
||||
runas_match = runaslist_matches(&cs->runasuserlist,
|
||||
&cs->runasgrouplist);
|
||||
if (runas_match == ALLOW) {
|
||||
cmnd_match = cmnd_matches(cs->cmnd);
|
||||
if (cmnd_match != UNSPEC) {
|
||||
match = host_match && runas_match ?
|
||||
cs->cmnd : NULL;
|
||||
goto matched;
|
||||
}
|
||||
match = NULL;
|
||||
tq_foreach_rev(&userspecs, us) {
|
||||
if (userlist_matches(pw, &us->users) != ALLOW)
|
||||
continue;
|
||||
|
||||
tq_foreach_rev(&us->privileges, priv) {
|
||||
host_match = hostlist_matches(&priv->hostlist);
|
||||
if (host_match != ALLOW)
|
||||
continue;
|
||||
tq_foreach_rev(&priv->cmndlist, cs) {
|
||||
runas_match = runaslist_matches(&cs->runasuserlist,
|
||||
&cs->runasgrouplist);
|
||||
if (runas_match == ALLOW) {
|
||||
cmnd_match = cmnd_matches(cs->cmnd);
|
||||
if (cmnd_match != UNSPEC) {
|
||||
match = host_match && runas_match ?
|
||||
cs->cmnd : NULL;
|
||||
goto matched;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
matched:
|
||||
if (match != NULL && !match->negated) {
|
||||
printf("%s%s%s\n", safe_cmnd, user_args ? " " : "",
|
||||
user_args ? user_args : "");
|
||||
rval = 0;
|
||||
}
|
||||
}
|
||||
matched:
|
||||
if (match != NULL && !match->negated) {
|
||||
printf("%s%s%s\n", safe_cmnd, user_args ? " " : "",
|
||||
user_args ? user_args : "");
|
||||
rval = 0;
|
||||
}
|
||||
return(rval);
|
||||
}
|
||||
|
||||
4
sudo.c
4
sudo.c
@@ -421,9 +421,9 @@ main(argc, argv, envp)
|
||||
|
||||
log_auth(validated, 1);
|
||||
if (sudo_mode == MODE_CHECK)
|
||||
rc = display_cmnd(NULL, list_pw ? list_pw : sudo_user.pw);
|
||||
rc = display_cmnd(snl, list_pw ? list_pw : sudo_user.pw);
|
||||
else if (sudo_mode == MODE_LIST)
|
||||
display_privs(NULL, list_pw ? list_pw : sudo_user.pw);
|
||||
display_privs(snl, list_pw ? list_pw : sudo_user.pw);
|
||||
|
||||
/* Cleanup sudoers sources */
|
||||
tq_foreach_fwd(snl, nss)
|
||||
|
||||
10
sudo.h
10
sudo.h
@@ -227,13 +227,13 @@ int find_path __P((char *, char **, struct stat *, char *));
|
||||
void check_user __P((int));
|
||||
void verify_user __P((struct passwd *, char *));
|
||||
#ifdef HAVE_LDAP
|
||||
void sudo_ldap_display_privs __P((void *, struct passwd *));
|
||||
int sudo_ldap_display_cmnd __P((void *, struct passwd *));
|
||||
int sudo_ldap_open __P((struct sudo_nss *));
|
||||
int sudo_ldap_close __P((struct sudo_nss *));
|
||||
int sudo_ldap_setdefs __P((struct sudo_nss *));
|
||||
int sudo_ldap_lookup __P((struct sudo_nss *, int));
|
||||
int sudo_ldap_parse __P((struct sudo_nss *));
|
||||
void sudo_ldap_display_privs __P((struct sudo_nss *, struct passwd *));
|
||||
int sudo_ldap_display_cmnd __P((struct sudo_nss *, struct passwd *));
|
||||
#endif
|
||||
#if 1
|
||||
int sudo_file_open __P((struct sudo_nss *));
|
||||
@@ -241,6 +241,8 @@ int sudo_file_close __P((struct sudo_nss *));
|
||||
int sudo_file_setdefs __P((struct sudo_nss *));
|
||||
int sudo_file_lookup __P((struct sudo_nss *, int));
|
||||
int sudo_file_parse __P((struct sudo_nss *));
|
||||
void sudo_file_display_privs __P((struct sudo_nss *, struct passwd *));
|
||||
int sudo_file_display_cmnd __P((struct sudo_nss *, struct passwd *));
|
||||
#endif
|
||||
void set_perms __P((int));
|
||||
void remove_timestamp __P((int));
|
||||
@@ -273,8 +275,8 @@ int pam_prep_user __P((struct passwd *));
|
||||
void zero_bytes __P((volatile void *, size_t));
|
||||
int gettime __P((struct timespec *));
|
||||
FILE *open_sudoers __P((const char *, int *));
|
||||
void display_privs __P((void *, struct passwd *));
|
||||
int display_cmnd __P((void *, struct passwd *));
|
||||
void display_privs __P((struct sudo_nss_list *, struct passwd *));
|
||||
int display_cmnd __P((struct sudo_nss_list *, struct passwd *));
|
||||
int get_ttycols __P((void));
|
||||
void sudo_setenv __P((const char *, const char *, int));
|
||||
void sudo_unsetenv __P((const char *));
|
||||
|
||||
Reference in New Issue
Block a user