isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Take the chroot into account when search for the command.

Browse Source 
This could a a user-specific chroot via the -R option, a runchroot
Defaults value, or a per-command CHROOT spec in the sudoers rule.
This commit is contained in:
Todd C. Miller
2020-09-09 15:26:44 -06:00
parent e9997c8ec4
commit b6dbfe5094
12 changed files with 342 additions and 113 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
plugins/sudoers/defaults.c
View File

@@ -688,7 +688,7 @@ default_binding_matches(struct sudoers_parse_tree *parse_tree,
debug_return_bool(true); debug_return_bool(true);
break; break;
case DEFAULTS_CMND: case DEFAULTS_CMND:
if (cmndlist_matches(parse_tree, d->binding) == ALLOW) if (cmndlist_matches(parse_tree, d->binding, NULL) == ALLOW)
debug_return_bool(true); debug_return_bool(true);
break; break;
} }

3
plugins/sudoers/editor.c
View File

@@ -68,7 +68,8 @@ resolve_editor(const char *ed, size_t edlen, int nfiles, char **files,
} }
/* If we can't find the editor in the user's PATH, give up. */ /* If we can't find the editor in the user's PATH, give up. */
if (find_path(editor, &editor_path, &user_editor_sb, getenv("PATH"), 0, whitelist) != FOUND) { if (find_path(editor, &editor_path, &user_editor_sb, getenv("PATH"), NULL,
0, whitelist) != FOUND) {
free(editor); free(editor);
errno = ENOENT; errno = ENOENT;
debug_return_str(NULL); debug_return_str(NULL);

27
plugins/sudoers/find_path.c
View File

@@ -43,14 +43,14 @@
* On failure, returns false. * On failure, returns false.
*/ */
static bool static bool
cmnd_allowed(char *cmnd, size_t cmnd_size, struct stat *cmnd_sbp, cmnd_allowed(char *cmnd, size_t cmnd_size, const char *runchroot,
char * const *whitelist) struct stat *cmnd_sbp, char * const *whitelist)
{ {
const char *cmnd_base; const char *cmnd_base;
char * const *wl; char * const *wl;
debug_decl(cmnd_allowed, SUDOERS_DEBUG_UTIL); debug_decl(cmnd_allowed, SUDOERS_DEBUG_UTIL);
if (!sudo_goodpath(cmnd, cmnd_sbp)) if (!sudo_goodpath(cmnd, runchroot, cmnd_sbp))
debug_return_bool(false); debug_return_bool(false);
if (whitelist == NULL) if (whitelist == NULL)
@@ -62,21 +62,20 @@ cmnd_allowed(char *cmnd, size_t cmnd_size, struct stat *cmnd_sbp,
cmnd_base++; cmnd_base++;
for (wl = whitelist; *wl != NULL; wl++) { for (wl = whitelist; *wl != NULL; wl++) {
const char *base, *path = *wl;
struct stat sb; struct stat sb;
const char *base;
if ((base = strrchr(*wl, '/')) == NULL) if ((base = strrchr(path, '/')) == NULL)
continue; /* XXX - warn? */ continue; /* XXX - warn? */
base++; base++;
if (strcmp(cmnd_base, base) != 0) if (strcmp(cmnd_base, base) != 0)
continue; continue;
if (sudo_goodpath(*wl, &sb) && if (sudo_goodpath(path, runchroot, &sb) &&
sb.st_dev == cmnd_sbp->st_dev && sb.st_ino == cmnd_sbp->st_ino) { sb.st_dev == cmnd_sbp->st_dev && sb.st_ino == cmnd_sbp->st_ino) {
/* Overwrite cmnd with safe version from whitelist. */ /* Overwrite cmnd with safe version from whitelist. */
if (strlcpy(cmnd, *wl, cmnd_size) < cmnd_size) if (strlcpy(cmnd, path, cmnd_size) < cmnd_size)
return true;
debug_return_bool(true); debug_return_bool(true);
} }
} }
@@ -93,7 +92,8 @@ cmnd_allowed(char *cmnd, size_t cmnd_size, struct stat *cmnd_sbp,
*/ */
int int
find_path(const char *infile, char **outfile, struct stat *sbp, find_path(const char *infile, char **outfile, struct stat *sbp,
const char *path, int ignore_dot, char * const *whitelist) const char *path, const char *runchroot, int ignore_dot,
char * const *whitelist)
{ {
char command[PATH_MAX]; char command[PATH_MAX];
const char *cp, *ep, *pathend; const char *cp, *ep, *pathend;
@@ -111,7 +111,8 @@ find_path(const char *infile, char **outfile, struct stat *sbp,
errno = ENAMETOOLONG; errno = ENAMETOOLONG;
debug_return_int(NOT_FOUND_ERROR); debug_return_int(NOT_FOUND_ERROR);
} }
found = cmnd_allowed(command, sizeof(command), sbp, whitelist); found = cmnd_allowed(command, sizeof(command), runchroot, sbp,
whitelist);
goto done; goto done;
} }
@@ -140,7 +141,8 @@ find_path(const char *infile, char **outfile, struct stat *sbp,
errno = ENAMETOOLONG; errno = ENAMETOOLONG;
debug_return_int(NOT_FOUND_ERROR); debug_return_int(NOT_FOUND_ERROR);
} }
found = cmnd_allowed(command, sizeof(command), sbp, whitelist); found = cmnd_allowed(command, sizeof(command), runchroot,
sbp, whitelist);
if (found) if (found)
break; break;
} }
@@ -154,7 +156,8 @@ find_path(const char *infile, char **outfile, struct stat *sbp,
errno = ENAMETOOLONG; errno = ENAMETOOLONG;
debug_return_int(NOT_FOUND_ERROR); debug_return_int(NOT_FOUND_ERROR);
} }
found = cmnd_allowed(command, sizeof(command), sbp, whitelist); found = cmnd_allowed(command, sizeof(command), runchroot,
sbp, whitelist);
if (found && ignore_dot) if (found && ignore_dot)
debug_return_int(NOT_FOUND_DOT); debug_return_int(NOT_FOUND_DOT);
} }

14
plugins/sudoers/goodpath.c
View File

@@ -39,14 +39,24 @@
* Verify that path is a normal file and executable by root. * Verify that path is a normal file and executable by root.
*/ */
bool bool
sudo_goodpath(const char *path, struct stat *sbp) sudo_goodpath(const char *path, const char *runchroot, struct stat *sbp)
{ {
bool ret = false; bool ret = false;
debug_decl(sudo_goodpath, SUDOERS_DEBUG_UTIL); debug_decl(sudo_goodpath, SUDOERS_DEBUG_UTIL);
if (path != NULL) { if (path != NULL) {
char pathbuf[PATH_MAX];
struct stat sb; struct stat sb;
if (runchroot != NULL) {
const int len =
snprintf(pathbuf, sizeof(pathbuf), "%s%s", runchroot, path);
if (len >= ssizeof(pathbuf)) {
errno = ENAMETOOLONG;
goto done;
}
path = pathbuf;
}
if (sbp == NULL) if (sbp == NULL)
sbp = &sb; sbp = &sb;
@@ -58,6 +68,6 @@ sudo_goodpath(const char *path, struct stat *sbp)
errno = EACCES; errno = EACCES;
} }
} }
done:
debug_return_bool(ret); debug_return_bool(ret);
} }

11
plugins/sudoers/match.c
View File

@@ -366,14 +366,14 @@ host_matches(struct sudoers_parse_tree *parse_tree, const struct passwd *pw,
*/ */
int int
cmndlist_matches(struct sudoers_parse_tree *parse_tree, cmndlist_matches(struct sudoers_parse_tree *parse_tree,
const struct member_list *list) const struct member_list *list, const char *runchroot)
{ {
struct member *m; struct member *m;
int matched = UNSPEC; int matched = UNSPEC;
debug_decl(cmndlist_matches, SUDOERS_DEBUG_MATCH); debug_decl(cmndlist_matches, SUDOERS_DEBUG_MATCH);
TAILQ_FOREACH_REVERSE(m, list, member_list, entries) { TAILQ_FOREACH_REVERSE(m, list, member_list, entries) {
matched = cmnd_matches(parse_tree, m); matched = cmnd_matches(parse_tree, m, runchroot);
if (matched != UNSPEC) if (matched != UNSPEC)
break; break;
} }
@@ -385,7 +385,8 @@ cmndlist_matches(struct sudoers_parse_tree *parse_tree,
* Returns ALLOW, DENY or UNSPEC. * Returns ALLOW, DENY or UNSPEC.
*/ */
int int
cmnd_matches(struct sudoers_parse_tree *parse_tree, const struct member *m) cmnd_matches(struct sudoers_parse_tree *parse_tree, const struct member *m,
const char *runchroot)
{ {
struct alias *a; struct alias *a;
struct sudo_command *c; struct sudo_command *c;
@@ -401,13 +402,13 @@ cmnd_matches(struct sudoers_parse_tree *parse_tree, const struct member *m)
FALLTHROUGH; FALLTHROUGH;
case COMMAND: case COMMAND:
c = (struct sudo_command *)m->name; c = (struct sudo_command *)m->name;
if (command_matches(c->cmnd, c->args, &c->digests)) if (command_matches(c->cmnd, c->args, runchroot, &c->digests))
matched = !m->negated; matched = !m->negated;
break; break;
case ALIAS: case ALIAS:
a = alias_get(parse_tree, m->name, CMNDALIAS); a = alias_get(parse_tree, m->name, CMNDALIAS);
if (a != NULL) { if (a != NULL) {
rc = cmndlist_matches(parse_tree, &a->members); rc = cmndlist_matches(parse_tree, &a->members, runchroot);
if (rc != UNSPEC) if (rc != UNSPEC)
matched = m->negated ? !rc : rc; matched = m->negated ? !rc : rc;
alias_put(a); alias_put(a);

155
plugins/sudoers/match_command.c
View File

@@ -84,12 +84,24 @@ command_args_match(const char *sudoers_cmnd, const char *sudoers_args)
* Returns true on success, else false. * Returns true on success, else false.
*/ */
static bool static bool
do_stat(int fd, const char *path, struct stat *sb) do_stat(int fd, const char *path, const char *runchroot, struct stat *sb)
{ {
char pathbuf[PATH_MAX];
debug_decl(do_stat, SUDOERS_DEBUG_MATCH); debug_decl(do_stat, SUDOERS_DEBUG_MATCH);
if (fd != -1) if (fd != -1)
debug_return_bool(fstat(fd, sb) == 0); debug_return_bool(fstat(fd, sb) == 0);
/* Make path relative to the new root, if any. */
if (runchroot != NULL) {
const int len =
snprintf(pathbuf, sizeof(pathbuf), "%s%s", runchroot, path);
if (len >= ssizeof(pathbuf)) {
errno = ENAMETOOLONG;
debug_return_bool(false);
}
path = pathbuf;
}
debug_return_bool(stat(path, sb) == 0); debug_return_bool(stat(path, sb) == 0);
} }
@@ -119,15 +131,28 @@ is_script(int fd)
* Returns false on error, else true. * Returns false on error, else true.
*/ */
static bool static bool
open_cmnd(const char *path, const struct command_digest_list *digests, int *fdp) open_cmnd(const char *path, const char *runchroot,
const struct command_digest_list *digests, int *fdp)
{ {
int fd = -1; int fd = -1;
char pathbuf[PATH_MAX];
debug_decl(open_cmnd, SUDOERS_DEBUG_MATCH); debug_decl(open_cmnd, SUDOERS_DEBUG_MATCH);
/* Only open the file for fdexec or for digest matching. */ /* Only open the file for fdexec or for digest matching. */
if (def_fdexec != always && TAILQ_EMPTY(digests)) if (def_fdexec != always && TAILQ_EMPTY(digests))
debug_return_bool(true); debug_return_bool(true);
/* Make path relative to the new root, if any. */
if (runchroot != NULL) {
const int len =
snprintf(pathbuf, sizeof(pathbuf), "%s%s", runchroot, path);
if (len >= ssizeof(pathbuf)) {
errno = ENAMETOOLONG;
debug_return_bool(false);
}
path = pathbuf;
}
fd = open(path, O_RDONLY|O_NONBLOCK); fd = open(path, O_RDONLY|O_NONBLOCK);
# ifdef O_EXEC # ifdef O_EXEC
if (fd == -1 && errno == EACCES && TAILQ_EMPTY(digests)) { if (fd == -1 && errno == EACCES && TAILQ_EMPTY(digests)) {
@@ -189,16 +214,29 @@ set_cmnd_fd(int fd)
* Return true if user_cmnd names one of the inodes in dir, else false. * Return true if user_cmnd names one of the inodes in dir, else false.
*/ */
static bool static bool
command_matches_dir(const char *sudoers_dir, size_t dlen, command_matches_dir(const char *sudoers_dir, size_t dlen, const char *runchroot,
const struct command_digest_list *digests) const struct command_digest_list *digests)
{ {
char buf[PATH_MAX], sdbuf[PATH_MAX];
struct stat sudoers_stat; struct stat sudoers_stat;
struct dirent *dent; struct dirent *dent;
char buf[PATH_MAX]; size_t chrootlen = 0;
int fd = -1; int fd = -1;
DIR *dirp; DIR *dirp;
debug_decl(command_matches_dir, SUDOERS_DEBUG_MATCH); debug_decl(command_matches_dir, SUDOERS_DEBUG_MATCH);
/* Make sudoers_dir relative to the new root, if any. */
if (runchroot != NULL) {
const int len =
snprintf(sdbuf, sizeof(sdbuf), "%s%s", runchroot, sudoers_dir);
if (len >= ssizeof(sdbuf)) {
errno = ENAMETOOLONG;
debug_return_bool(false);
}
sudoers_dir = sdbuf;
chrootlen = strlen(runchroot);
}
/* /*
* Grot through directory entries, looking for user_base. * Grot through directory entries, looking for user_base.
*/ */
@@ -226,9 +264,9 @@ command_matches_dir(const char *sudoers_dir, size_t dlen,
continue; continue;
/* Open the file for fdexec or for digest matching. */ /* Open the file for fdexec or for digest matching. */
if (!open_cmnd(buf, digests, &fd)) if (!open_cmnd(buf, NULL, digests, &fd))
continue; continue;
if (!do_stat(fd, buf, &sudoers_stat)) if (!do_stat(fd, buf, NULL, &sudoers_stat))
continue; continue;
if (user_stat == NULL || if (user_stat == NULL ||
@@ -237,7 +275,7 @@ command_matches_dir(const char *sudoers_dir, size_t dlen,
if (!digest_matches(fd, buf, digests)) if (!digest_matches(fd, buf, digests))
continue; continue;
free(safe_cmnd); free(safe_cmnd);
if ((safe_cmnd = strdup(buf)) == NULL) { if ((safe_cmnd = strdup(buf + chrootlen)) == NULL) {
sudo_warnx(U_("%s: %s"), __func__, sudo_warnx(U_("%s: %s"), __func__,
U_("unable to allocate memory")); U_("unable to allocate memory"));
dent = NULL; dent = NULL;
@@ -257,7 +295,8 @@ command_matches_dir(const char *sudoers_dir, size_t dlen,
} }
static bool static bool
command_matches_all(const struct command_digest_list *digests) command_matches_all(const char *runchroot,
const struct command_digest_list *digests)
{ {
struct stat sb; /* XXX - unused */ struct stat sb; /* XXX - unused */
int fd = -1; int fd = -1;
@@ -265,9 +304,9 @@ command_matches_all(const struct command_digest_list *digests)
if (user_cmnd[0] == '/') { if (user_cmnd[0] == '/') {
/* Open the file for fdexec or for digest matching. */ /* Open the file for fdexec or for digest matching. */
if (!open_cmnd(user_cmnd, digests, &fd)) if (!open_cmnd(user_cmnd, runchroot, digests, &fd))
goto bad; goto bad;
if (!do_stat(fd, user_cmnd, &sb)) if (!do_stat(fd, user_cmnd, runchroot, &sb))
goto bad; goto bad;
} }
@@ -288,7 +327,7 @@ bad:
static bool static bool
command_matches_fnmatch(const char *sudoers_cmnd, const char *sudoers_args, command_matches_fnmatch(const char *sudoers_cmnd, const char *sudoers_args,
const struct command_digest_list *digests) const char *runchroot, const struct command_digest_list *digests)
{ {
struct stat sb; /* XXX - unused */ struct stat sb; /* XXX - unused */
int fd = -1; int fd = -1;
@@ -299,15 +338,17 @@ command_matches_fnmatch(const char *sudoers_cmnd, const char *sudoers_args,
* a) there are no args in sudoers OR * a) there are no args in sudoers OR
* b) there are no args on command line and none required by sudoers OR * b) there are no args on command line and none required by sudoers OR
* c) there are args in sudoers and on command line and they match * c) there are args in sudoers and on command line and they match
* else return false. * else return false.
*
* Neither sudoers_cmnd nor user_cmnd are relative to runchroot.
*/ */
if (fnmatch(sudoers_cmnd, user_cmnd, FNM_PATHNAME) != 0) if (fnmatch(sudoers_cmnd, user_cmnd, FNM_PATHNAME) != 0)
debug_return_bool(false); debug_return_bool(false);
if (command_args_match(sudoers_cmnd, sudoers_args)) { if (command_args_match(sudoers_cmnd, sudoers_args)) {
/* Open the file for fdexec or for digest matching. */ /* Open the file for fdexec or for digest matching. */
if (!open_cmnd(user_cmnd, digests, &fd)) if (!open_cmnd(user_cmnd, runchroot, digests, &fd))
goto bad; goto bad;
if (!do_stat(fd, user_cmnd, &sb)) if (!do_stat(fd, user_cmnd, runchroot, &sb))
goto bad; goto bad;
/* Check digest of user_cmnd since sudoers_cmnd is a pattern. */ /* Check digest of user_cmnd since sudoers_cmnd is a pattern. */
if (!digest_matches(fd, user_cmnd, digests)) if (!digest_matches(fd, user_cmnd, digests))
@@ -328,13 +369,14 @@ bad:
static bool static bool
command_matches_glob(const char *sudoers_cmnd, const char *sudoers_args, command_matches_glob(const char *sudoers_cmnd, const char *sudoers_args,
const struct command_digest_list *digests) const char *runchroot, const struct command_digest_list *digests)
{ {
struct stat sudoers_stat; struct stat sudoers_stat;
bool bad_digest = false; bool bad_digest = false;
char **ap, *base, *cp; char **ap, *base, *cp;
char pathbuf[PATH_MAX];
int fd = -1; int fd = -1;
size_t dlen; size_t dlen, chrootlen = 0;
glob_t gl; glob_t gl;
debug_decl(command_matches_glob, SUDOERS_DEBUG_MATCH); debug_decl(command_matches_glob, SUDOERS_DEBUG_MATCH);
@@ -351,6 +393,19 @@ command_matches_glob(const char *sudoers_cmnd, const char *sudoers_args,
debug_return_bool(false); debug_return_bool(false);
} }
} }
/* Make sudoers_cmnd relative to the new root, if any. */
if (runchroot != NULL) {
const int len =
snprintf(pathbuf, sizeof(pathbuf), "%s%s", runchroot, sudoers_cmnd);
if (len >= ssizeof(pathbuf)) {
errno = ENAMETOOLONG;
debug_return_bool(false);
}
sudoers_cmnd = pathbuf;
chrootlen = strlen(runchroot);
}
/* /*
* Return true if we find a match in the glob(3) results AND * Return true if we find a match in the glob(3) results AND
* a) there are no args in sudoers OR * a) there are no args in sudoers OR
@@ -369,12 +424,15 @@ command_matches_glob(const char *sudoers_cmnd, const char *sudoers_args,
close(fd); close(fd);
fd = -1; fd = -1;
} }
/* Remove the runchroot, if any. */
cp += chrootlen;
if (strcmp(cp, user_cmnd) != 0) if (strcmp(cp, user_cmnd) != 0)
continue; continue;
/* Open the file for fdexec or for digest matching. */ /* Open the file for fdexec or for digest matching. */
if (!open_cmnd(cp, digests, &fd)) if (!open_cmnd(cp, runchroot, digests, &fd))
continue; continue;
if (!do_stat(fd, cp, &sudoers_stat)) if (!do_stat(fd, cp, runchroot, &sudoers_stat))
continue; continue;
if (user_stat == NULL || if (user_stat == NULL ||
(user_stat->st_dev == sudoers_stat.st_dev && (user_stat->st_dev == sudoers_stat.st_dev &&
@@ -405,10 +463,13 @@ command_matches_glob(const char *sudoers_cmnd, const char *sudoers_args,
fd = -1; fd = -1;
} }
/* Remove the runchroot, if any. */
cp += chrootlen;
/* If it ends in '/' it is a directory spec. */ /* If it ends in '/' it is a directory spec. */
dlen = strlen(cp); dlen = strlen(cp);
if (cp[dlen - 1] == '/') { if (cp[dlen - 1] == '/') {
if (command_matches_dir(cp, dlen, digests)) if (command_matches_dir(cp, dlen, runchroot, digests))
debug_return_bool(true); debug_return_bool(true);
continue; continue;
} }
@@ -422,9 +483,9 @@ command_matches_glob(const char *sudoers_cmnd, const char *sudoers_args,
continue; continue;
/* Open the file for fdexec or for digest matching. */ /* Open the file for fdexec or for digest matching. */
if (!open_cmnd(cp, digests, &fd)) if (!open_cmnd(cp, runchroot, digests, &fd))
continue; continue;
if (!do_stat(fd, cp, &sudoers_stat)) if (!do_stat(fd, cp, runchroot, &sudoers_stat))
continue; continue;
if (user_stat == NULL || if (user_stat == NULL ||
(user_stat->st_dev == sudoers_stat.st_dev && (user_stat->st_dev == sudoers_stat.st_dev &&
@@ -456,7 +517,8 @@ done:
} }
static bool static bool
command_matches_normal(const char *sudoers_cmnd, const char *sudoers_args, const struct command_digest_list *digests) command_matches_normal(const char *sudoers_cmnd, const char *sudoers_args,
const char *runchroot, const struct command_digest_list *digests)
{ {
struct stat sudoers_stat; struct stat sudoers_stat;
const char *base; const char *base;
@@ -467,7 +529,7 @@ command_matches_normal(const char *sudoers_cmnd, const char *sudoers_args, const
/* If it ends in '/' it is a directory spec. */ /* If it ends in '/' it is a directory spec. */
dlen = strlen(sudoers_cmnd); dlen = strlen(sudoers_cmnd);
if (sudoers_cmnd[dlen - 1] == '/') if (sudoers_cmnd[dlen - 1] == '/')
debug_return_bool(command_matches_dir(sudoers_cmnd, dlen, digests)); debug_return_bool(command_matches_dir(sudoers_cmnd, dlen, runchroot, digests));
/* Only proceed if user_base and basename(sudoers_cmnd) match */ /* Only proceed if user_base and basename(sudoers_cmnd) match */
if ((base = strrchr(sudoers_cmnd, '/')) == NULL) if ((base = strrchr(sudoers_cmnd, '/')) == NULL)
@@ -478,7 +540,7 @@ command_matches_normal(const char *sudoers_cmnd, const char *sudoers_args, const
debug_return_bool(false); debug_return_bool(false);
/* Open the file for fdexec or for digest matching. */ /* Open the file for fdexec or for digest matching. */
if (!open_cmnd(sudoers_cmnd, digests, &fd)) if (!open_cmnd(sudoers_cmnd, runchroot, digests, &fd))
goto bad; goto bad;
/* /*
@@ -488,7 +550,7 @@ command_matches_normal(const char *sudoers_cmnd, const char *sudoers_args, const
* c) there are args in sudoers and on command line and they match * c) there are args in sudoers and on command line and they match
* d) there is a digest and it matches * d) there is a digest and it matches
*/ */
if (user_stat != NULL && do_stat(fd, sudoers_cmnd, &sudoers_stat)) { if (user_stat != NULL && do_stat(fd, sudoers_cmnd, runchroot, &sudoers_stat)) {
if (user_stat->st_dev != sudoers_stat.st_dev || if (user_stat->st_dev != sudoers_stat.st_dev ||
user_stat->st_ino != sudoers_stat.st_ino) user_stat->st_ino != sudoers_stat.st_ino)
goto bad; goto bad;
@@ -521,13 +583,37 @@ bad:
* otherwise, return true if user_cmnd names one of the inodes in path. * otherwise, return true if user_cmnd names one of the inodes in path.
*/ */
bool bool
command_matches(const char *sudoers_cmnd, const char *sudoers_args, const struct command_digest_list *digests) command_matches(const char *sudoers_cmnd, const char *sudoers_args,
const char *runchroot, const struct command_digest_list *digests)
{ {
char *saved_user_cmnd = NULL;
struct stat saved_user_stat;
bool rc = false; bool rc = false;
debug_decl(command_matches, SUDOERS_DEBUG_MATCH); debug_decl(command_matches, SUDOERS_DEBUG_MATCH);
if (user_runchroot != NULL) {
if (runchroot != NULL && strcmp(runchroot, "*") != 0 &&
strcmp(runchroot, user_runchroot) != 0) {
/* CHROOT mismatch */
goto done;
}
/* User-specified runchroot (user_stat already set appropriately). */
runchroot = user_runchroot;
} else if (runchroot == NULL) {
/* No rule-specific runchroot, use global (user_stat already set). */
if (def_runchroot != NULL && strcmp(def_runchroot, "*") != '\0')
runchroot = def_runchroot;
} else {
/* Rule-specific runchroot, reset user_cmnd and user_stat. */
saved_user_cmnd = user_cmnd;
if (user_stat != NULL)
saved_user_stat = *user_stat;
if (set_cmnd_path(runchroot) != FOUND)
saved_user_cmnd = NULL;
}
if (sudoers_cmnd == NULL) { if (sudoers_cmnd == NULL) {
rc = command_matches_all(digests); rc = command_matches_all(runchroot, digests);
goto done; goto done;
} }
@@ -554,17 +640,24 @@ command_matches(const char *sudoers_cmnd, const char *sudoers_args, const struct
* use glob(3) and/or fnmatch(3) to do the matching. * use glob(3) and/or fnmatch(3) to do the matching.
*/ */
if (def_fast_glob) if (def_fast_glob)
rc = command_matches_fnmatch(sudoers_cmnd, sudoers_args, digests); rc = command_matches_fnmatch(sudoers_cmnd, sudoers_args, runchroot, digests);
else else
rc = command_matches_glob(sudoers_cmnd, sudoers_args, digests); rc = command_matches_glob(sudoers_cmnd, sudoers_args, runchroot, digests);
} else { } else {
rc = command_matches_normal(sudoers_cmnd, sudoers_args, digests); rc = command_matches_normal(sudoers_cmnd, sudoers_args, runchroot, digests);
} }
done: done:
if (saved_user_cmnd != NULL) {
free(user_cmnd);
user_cmnd = saved_user_cmnd;
if (user_stat != NULL)
*user_stat = saved_user_stat;
}
sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_LINENO, sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_LINENO,
"user command \"%s%s%s\" matches sudoers command \"%s%s%s\": %s", "user command \"%s%s%s\" matches sudoers command \"%s%s%s\"%s%s: %s",
user_cmnd, user_args ? " " : "", user_args ? user_args : "", user_cmnd, user_args ? " " : "", user_args ? user_args : "",
sudoers_cmnd, sudoers_args ? " " : "", sudoers_args ? sudoers_args : "", sudoers_cmnd, sudoers_args ? " " : "", sudoers_args ? sudoers_args : "",
runchroot ? ", chroot " : "", runchroot ? runchroot : "",
rc ? "true" : "false"); rc ? "true" : "false");
debug_return_bool(rc); debug_return_bool(rc);
} }

60
plugins/sudoers/parse.c
View File

@@ -92,7 +92,7 @@ sudoers_lookup_pseudo(struct sudo_nss_list *snl, struct passwd *pw,
/* Only check the command when listing another user. */ /* Only check the command when listing another user. */
if (user_uid == 0 || list_pw == NULL || if (user_uid == 0 || list_pw == NULL ||
user_uid == list_pw->pw_uid || user_uid == list_pw->pw_uid ||
cmnd_matches(nss->parse_tree, cs->cmnd) == ALLOW) cmnd_matches(nss->parse_tree, cs->cmnd, cs->runchroot) == ALLOW)
match = ALLOW; match = ALLOW;
} }
} }
@@ -146,7 +146,8 @@ sudoers_lookup_check(struct sudo_nss *nss, struct passwd *pw,
cs->runasuserlist, cs->runasgrouplist, &matching_user, cs->runasuserlist, cs->runasgrouplist, &matching_user,
NULL); NULL);
if (runas_match == ALLOW) { if (runas_match == ALLOW) {
cmnd_match = cmnd_matches(nss->parse_tree, cs->cmnd); cmnd_match = cmnd_matches(nss->parse_tree, cs->cmnd,
cs->runchroot);
if (cmnd_match != UNSPEC) { if (cmnd_match != UNSPEC) {
/* /*
* If user is running command as himself, * If user is running command as himself,
@@ -196,6 +197,8 @@ apply_cmndspec(struct cmndspec *cs)
} else { } else {
user_role = def_role; user_role = def_role;
} }
sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
"user_role -> %s", user_role);
} }
if (user_type == NULL) { if (user_type == NULL) {
if (cs->type != NULL) { if (cs->type != NULL) {
@@ -208,6 +211,8 @@ apply_cmndspec(struct cmndspec *cs)
} else { } else {
user_type = def_type; user_type = def_type;
} }
sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
"user_type -> %s", user_type);
} }
#endif /* HAVE_SELINUX */ #endif /* HAVE_SELINUX */
#ifdef HAVE_PRIV_SET #ifdef HAVE_PRIV_SET
@@ -223,6 +228,8 @@ apply_cmndspec(struct cmndspec *cs)
} else { } else {
runas_privs = def_privs; runas_privs = def_privs;
} }
sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
"runas_privs -> %s", runas_privs);
} }
if (runas_limitprivs == NULL) { if (runas_limitprivs == NULL) {
if (cs->limitprivs != NULL) { if (cs->limitprivs != NULL) {
@@ -235,10 +242,15 @@ apply_cmndspec(struct cmndspec *cs)
} else { } else {
runas_limitprivs = def_limitprivs; runas_limitprivs = def_limitprivs;
} }
sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
"runas_limitprivs -> %s", runas_limitprivs);
} }
#endif /* HAVE_PRIV_SET */ #endif /* HAVE_PRIV_SET */
if (cs->timeout > 0) if (cs->timeout > 0) {
def_command_timeout = cs->timeout; def_command_timeout = cs->timeout;
sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
"def_command_timeout -> %d", def_command_timeout);
}
if (cs->runcwd != NULL) { if (cs->runcwd != NULL) {
free(def_runcwd); free(def_runcwd);
def_runcwd = strdup(cs->runcwd); def_runcwd = strdup(cs->runcwd);
@@ -247,6 +259,8 @@ apply_cmndspec(struct cmndspec *cs)
U_("unable to allocate memory")); U_("unable to allocate memory"));
debug_return_bool(false); debug_return_bool(false);
} }
sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
"def_runcwd -> %s", def_runcwd);
} }
if (cs->runchroot != NULL) { if (cs->runchroot != NULL) {
free(def_runchroot); free(def_runchroot);
@@ -256,28 +270,53 @@ apply_cmndspec(struct cmndspec *cs)
U_("unable to allocate memory")); U_("unable to allocate memory"));
debug_return_bool(false); debug_return_bool(false);
} }
sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
"def_runchroot -> %s", def_runchroot);
} }
if (cs->tags.nopasswd != UNSPEC) if (cs->tags.nopasswd != UNSPEC) {
def_authenticate = !cs->tags.nopasswd; def_authenticate = !cs->tags.nopasswd;
if (cs->tags.noexec != UNSPEC) sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
"def_authenticate -> %s", def_authenticate ? "true" : "false");
}
if (cs->tags.noexec != UNSPEC) {
def_noexec = cs->tags.noexec; def_noexec = cs->tags.noexec;
if (cs->tags.setenv != UNSPEC) sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
"def_noexec -> %s", def_noexec ? "true" : "false");
}
if (cs->tags.setenv != UNSPEC) {
def_setenv = cs->tags.setenv; def_setenv = cs->tags.setenv;
if (cs->tags.log_input != UNSPEC) sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
"def_setenv -> %s", def_setenv ? "true" : "false");
}
if (cs->tags.log_input != UNSPEC) {
def_log_input = cs->tags.log_input; def_log_input = cs->tags.log_input;
if (cs->tags.log_output != UNSPEC) sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
"def_log_input -> %s", def_log_input ? "true" : "false");
}
if (cs->tags.log_output != UNSPEC) {
def_log_output = cs->tags.log_output; def_log_output = cs->tags.log_output;
sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
"def_log_output -> %s", def_log_output ? "true" : "false");
}
if (cs->tags.send_mail != UNSPEC) { if (cs->tags.send_mail != UNSPEC) {
if (cs->tags.send_mail) { if (cs->tags.send_mail) {
def_mail_all_cmnds = true; def_mail_all_cmnds = true;
sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
"def_mail_all_cmnds -> true");
} else { } else {
def_mail_all_cmnds = false; def_mail_all_cmnds = false;
def_mail_always = false; def_mail_always = false;
def_mail_no_perms = false; def_mail_no_perms = false;
sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
"def_mail_all_cmnds -> false, def_mail_always -> false, "
"def_mail_no_perms -> false");
} }
} }
if (cs->tags.follow != UNSPEC) if (cs->tags.follow != UNSPEC) {
def_sudoedit_follow = cs->tags.follow; def_sudoedit_follow = cs->tags.follow;
sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
"def_sudoedit_follow -> %s", def_sudoedit_follow ? "true" : "false");
}
} }
debug_return_bool(true); debug_return_bool(true);
@@ -836,7 +875,8 @@ display_cmnd_check(struct sudoers_parse_tree *parse_tree, struct passwd *pw,
runas_match = runaslist_matches(parse_tree, cs->runasuserlist, runas_match = runaslist_matches(parse_tree, cs->runasuserlist,
cs->runasgrouplist, NULL, NULL); cs->runasgrouplist, NULL, NULL);
if (runas_match == ALLOW) { if (runas_match == ALLOW) {
cmnd_match = cmnd_matches(parse_tree, cs->cmnd); cmnd_match = cmnd_matches(parse_tree, cs->cmnd,
cs->runchroot);
if (cmnd_match != UNSPEC) if (cmnd_match != UNSPEC)
debug_return_int(cmnd_match); debug_return_int(cmnd_match);
} }

6
plugins/sudoers/parse.h
View File

@@ -312,7 +312,7 @@ void reparent_parse_tree(struct sudoers_parse_tree *new_tree);
bool addr_matches(char *n); bool addr_matches(char *n);
/* match_command.c */ /* match_command.c */
bool command_matches(const char *sudoers_cmnd, const char *sudoers_args, const struct command_digest_list *digests); bool command_matches(const char *sudoers_cmnd, const char *sudoers_args, const char *runchroot, const struct command_digest_list *digests);
/* match_digest.c */ /* match_digest.c */
bool digest_matches(int fd, const char *file, const struct command_digest_list *digests); bool digest_matches(int fd, const char *file, const struct command_digest_list *digests);
@@ -325,8 +325,8 @@ bool hostname_matches(const char *shost, const char *lhost, const char *pattern)
bool netgr_matches(const char *netgr, const char *lhost, const char *shost, const char *user); bool netgr_matches(const char *netgr, const char *lhost, const char *shost, const char *user);
bool usergr_matches(const char *group, const char *user, const struct passwd *pw); bool usergr_matches(const char *group, const char *user, const struct passwd *pw);
bool userpw_matches(const char *sudoers_user, const char *user, const struct passwd *pw); bool userpw_matches(const char *sudoers_user, const char *user, const struct passwd *pw);
int cmnd_matches(struct sudoers_parse_tree *parse_tree, const struct member *m); int cmnd_matches(struct sudoers_parse_tree *parse_tree, const struct member *m, const char *runchroot);
int cmndlist_matches(struct sudoers_parse_tree *parse_tree, const struct member_list *list); int cmndlist_matches(struct sudoers_parse_tree *parse_tree, const struct member_list *list, const char *runchroot);
int host_matches(struct sudoers_parse_tree *parse_tree, const struct passwd *pw, const char *host, const char *shost, const struct member *m); int host_matches(struct sudoers_parse_tree *parse_tree, const struct passwd *pw, const char *host, const char *shost, const struct member *m);
int hostlist_matches(struct sudoers_parse_tree *parse_tree, const struct passwd *pw, const struct member_list *list); int hostlist_matches(struct sudoers_parse_tree *parse_tree, const struct passwd *pw, const struct member_list *list);
int runaslist_matches(struct sudoers_parse_tree *parse_tree, const struct member_list *user_list, const struct member_list *group_list, struct member **matching_user, struct member **matching_group); int runaslist_matches(struct sudoers_parse_tree *parse_tree, const struct member_list *user_list, const struct member_list *group_list, struct member **matching_user, struct member **matching_group);

7
plugins/sudoers/stubs.c
View File

@@ -80,6 +80,13 @@ get_interfaces(void)
return &dummy; return &dummy;
} }
/* STUB */
int
set_cmnd_path(const char *runchroot)
{
return FOUND;
}
/* /*
* Look up the hostname and set user_host and user_shost. * Look up the hostname and set user_host and user_shost.
*/ */

155
plugins/sudoers/sudoers.c
View File

@@ -275,6 +275,59 @@ done:
debug_return_str(iolog_path); debug_return_str(iolog_path);
} }
static int
check_runchroot(void)
{
debug_decl(check_runchroot, SUDOERS_DEBUG_PLUGIN);
if (user_runchroot == NULL)
debug_return_bool(true);
sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
"def_runchroot %s, user_runchroot %s",
def_runchroot ? def_runchroot : "NULL", user_runchroot);
if (def_runchroot == NULL || (strcmp(def_runchroot, "*") != 0 &&
strcmp(def_runchroot, user_runchroot) != 0)) {
audit_failure(NewArgv,
N_("user not allowed to change root directory to %s"),
user_runchroot);
sudo_warnx("%s", U_("you are not permitted to use the -R option"));
debug_return_bool(false);
}
free(def_runchroot);
if ((def_runchroot = strdup(user_runchroot)) == NULL) {
sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
debug_return_bool(-1);
}
debug_return_bool(true);
}
static int
check_runcwd(void)
{
debug_decl(check_runcwd, SUDOERS_DEBUG_PLUGIN);
sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
"def_runcwd %s, user_runcwd %s, user_cwd %s",
def_runcwd, user_runcwd, user_cwd);
if (strcmp(user_cwd, user_runcwd) != 0) {
if (def_runcwd == NULL || strcmp(def_runcwd, "*") != 0) {
audit_failure(NewArgv,
N_("user not allowed to change directory to %s"), user_runcwd);
sudo_warnx("%s", U_("you are not permitted to use the -D option"));
debug_return_bool(false);
}
free(def_runcwd);
if ((def_runcwd = strdup(user_runcwd)) == NULL) {
sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
debug_return_int(-1);
}
}
debug_return_bool(true);
}
int int
sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[], sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
bool verbose, void *closure) bool verbose, void *closure)
@@ -396,32 +449,24 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
} }
} }
if (user_runchroot != NULL) { /* Check whether user_runchroot is permitted (if specified). */
if (def_runchroot == NULL || strcmp(def_runchroot, "*") != 0) { switch (check_runchroot()) {
audit_failure(NewArgv, case true:
N_("user not allowed to change root directory to %s"), break;
user_runchroot); case false:
sudo_warnx("%s", U_("you are not permitted to use the -R option")); goto bad;
goto bad; default:
} goto done;
free(def_runchroot);
if ((def_runchroot = strdup(user_runchroot)) == NULL) {
sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
goto done;
}
} }
if (strcmp(user_cwd, user_runcwd) != 0) {
if (def_runcwd == NULL || strcmp(def_runcwd, "*") != 0) { /* Check whether user_runcwd is permitted (if specified). */
audit_failure(NewArgv, switch (check_runcwd()) {
N_("user not allowed to change directory to %s"), user_runcwd); case true:
sudo_warnx("%s", U_("you are not permitted to use the -D option")); break;
goto bad; case false:
} goto bad;
free(def_runcwd); default:
if ((def_runcwd = strdup(user_runcwd)) == NULL) { goto done;
sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
goto done;
}
} }
/* /*
@@ -861,6 +906,38 @@ init_vars(char * const envp[])
debug_return_bool(true); debug_return_bool(true);
} }
/*
* Fill in user_cmnd and user_stat variables.
* Does not fill in user_base.
*/
int
set_cmnd_path(const char *runchroot)
{
char *path = user_path;
int ret;
debug_decl(set_cmnd_path, SUDOERS_DEBUG_PLUGIN);
if (def_secure_path && !user_is_exempt())
path = def_secure_path;
if (!set_perms(PERM_RUNAS))
debug_return_int(NOT_FOUND_ERROR);
ret = find_path(NewArgv[0], &user_cmnd, user_stat, path,
runchroot, def_ignore_dot, NULL);
if (!restore_perms())
debug_return_int(NOT_FOUND_ERROR);
if (ret == NOT_FOUND) {
/* Failed as root, try as invoking user. */
if (!set_perms(PERM_USER))
debug_return_int(false);
ret = find_path(NewArgv[0], &user_cmnd, user_stat, path,
runchroot, def_ignore_dot, NULL);
if (!restore_perms())
debug_return_int(NOT_FOUND_ERROR);
}
debug_return_int(ret);
}
/* /*
* Fill in user_cmnd, user_args, user_base and user_stat variables * Fill in user_cmnd, user_args, user_base and user_stat variables
* and apply any command-specific defaults entries. * and apply any command-specific defaults entries.
@@ -869,7 +946,6 @@ static int
set_cmnd(void) set_cmnd(void)
{ {
struct sudo_nss *nss; struct sudo_nss *nss;
char *path = user_path;
int ret = FOUND; int ret = FOUND;
debug_decl(set_cmnd, SUDOERS_DEBUG_PLUGIN); debug_decl(set_cmnd, SUDOERS_DEBUG_PLUGIN);
@@ -886,23 +962,12 @@ set_cmnd(void)
if (sudo_mode & (MODE_RUN | MODE_EDIT | MODE_CHECK)) { if (sudo_mode & (MODE_RUN | MODE_EDIT | MODE_CHECK)) {
if (ISSET(sudo_mode, MODE_RUN | MODE_CHECK)) { if (ISSET(sudo_mode, MODE_RUN | MODE_CHECK)) {
if (def_secure_path && !user_is_exempt()) const char *runchroot = user_runchroot;
path = def_secure_path; if (runchroot == NULL && def_runchroot != NULL &&
if (!set_perms(PERM_RUNAS)) strcmp(def_runchroot, "*") != 0)
debug_return_int(-1); runchroot = def_runchroot;
ret = find_path(NewArgv[0], &user_cmnd, user_stat, path,
def_ignore_dot, NULL); ret = set_cmnd_path(runchroot);
if (!restore_perms())
debug_return_int(-1);
if (ret == NOT_FOUND) {
/* Failed as root, try as invoking user. */
if (!set_perms(PERM_USER))
debug_return_int(-1);
ret = find_path(NewArgv[0], &user_cmnd, user_stat, path,
def_ignore_dot, NULL);
if (!restore_perms())
debug_return_int(-1);
}
if (ret == NOT_FOUND_ERROR) { if (ret == NOT_FOUND_ERROR) {
if (errno == ENAMETOOLONG) { if (errno == ENAMETOOLONG) {
audit_failure(NewArgv, N_("command too long")); audit_failure(NewArgv, N_("command too long"));
@@ -922,7 +987,7 @@ set_cmnd(void)
size += strlen(*av) + 1; size += strlen(*av) + 1;
if (size == 0 || (user_args = malloc(size)) == NULL) { if (size == 0 || (user_args = malloc(size)) == NULL) {
sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory")); sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
debug_return_int(-1); debug_return_int(NOT_FOUND_ERROR);
} }
if (ISSET(sudo_mode, MODE_SHELL|MODE_LOGIN_SHELL)) { if (ISSET(sudo_mode, MODE_SHELL|MODE_LOGIN_SHELL)) {
/* /*
@@ -944,7 +1009,7 @@ set_cmnd(void)
n = strlcpy(to, *av, size - (to - user_args)); n = strlcpy(to, *av, size - (to - user_args));
if (n >= size - (to - user_args)) { if (n >= size - (to - user_args)) {
sudo_warnx(U_("internal error, %s overflow"), __func__); sudo_warnx(U_("internal error, %s overflow"), __func__);
debug_return_int(-1); debug_return_int(NOT_FOUND_ERROR);
} }
to += n; to += n;
*to++ = ' '; *to++ = ' ';

6
plugins/sudoers/sudoers.h
View File

@@ -263,11 +263,12 @@ struct timespec;
#define YY_DECL int sudoerslex(void) #define YY_DECL int sudoerslex(void)
/* goodpath.c */ /* goodpath.c */
bool sudo_goodpath(const char *path, struct stat *sbp); bool sudo_goodpath(const char *path, const char *runchroot, struct stat *sbp);
/* findpath.c */ /* findpath.c */
int find_path(const char *infile, char **outfile, struct stat *sbp, int find_path(const char *infile, char **outfile, struct stat *sbp,
const char *path, int ignore_dot, char * const *whitelist); const char *path, const char *runchroot, int ignore_dot,
char * const *whitelist);
/* check.c */ /* check.c */
int check_user(int validate, int mode); int check_user(int validate, int mode);
@@ -394,6 +395,7 @@ bool matches_env_pattern(const char *pattern, const char *var, bool *full_match)
/* sudoers.c */ /* sudoers.c */
FILE *open_sudoers(const char *, bool, bool *); FILE *open_sudoers(const char *, bool, bool *);
int set_cmnd_path(const char *runchroot);
int sudoers_init(void *info, char * const envp[]); int sudoers_init(void *info, char * const envp[]);
int sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[], bool verbose, void *closure); int sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[], bool verbose, void *closure);
void sudoers_cleanup(void); void sudoers_cleanup(void);

9
plugins/sudoers/testsudoers.c
View File

@@ -336,7 +336,8 @@ main(int argc, char *argv[])
cs->runasuserlist, cs->runasgrouplist, NULL, NULL); cs->runasuserlist, cs->runasgrouplist, NULL, NULL);
if (runas_match == ALLOW) { if (runas_match == ALLOW) {
puts("\trunas matched"); puts("\trunas matched");
cmnd_match = cmnd_matches(&parsed_policy, cs->cmnd); cmnd_match = cmnd_matches(&parsed_policy, cs->cmnd,
cs->runchroot);
if (cmnd_match != UNSPEC) if (cmnd_match != UNSPEC)
match = cmnd_match; match = cmnd_match;
printf("\tcmnd %s\n", match == ALLOW ? "allowed" : printf("\tcmnd %s\n", match == ALLOW ? "allowed" :
@@ -499,6 +500,12 @@ restore_perms(void)
return true; return true;
} }
int
set_cmnd_path(const char *runchroot)
{
return FOUND;
}
static bool static bool
print_defaults(struct sudo_lbuf *lbuf) print_defaults(struct sudo_lbuf *lbuf)
{ {