isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Rename struct sudo_user -> struct sudo_user_context.

Browse Source 
Also rename the sudo_user global to user_ctx.
This commit is contained in:
Todd C. Miller
2023-08-12 10:39:47 -06:00
parent d148e7d8f9
commit bd8cccb5dd
21 changed files with 199 additions and 199 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
plugins/sudoers/audit.c
View File

@@ -355,7 +355,7 @@ sudoers_audit_accept(const char *plugin_name, unsigned int plugin_type,
ret = false;
if (!ISSET(sudo_mode, MODE_POLICY_INTERCEPTED))
uuid_str = sudo_user.uuid_str;
uuid_str = user_ctx.uuid_str;
audit_to_eventlog(&evlog, command_info, run_argv, run_envp, uuid_str);
if (!log_allowed(&evlog) && !def_ignore_logfile_errors)

4
plugins/sudoers/callbacks.c
View File

@@ -409,7 +409,7 @@ cb_intercept_type(const char *file, int line, int column,
/* Set explicitly in sudoers. */
if (sd_un->tuple == dso) {
/* Reset intercept_allow_setid default value. */
if (!ISSET(sudo_user.flags, USER_INTERCEPT_SETID))
if (!ISSET(user_ctx.flags, USER_INTERCEPT_SETID))
def_intercept_allow_setid = false;
}
}
@@ -426,7 +426,7 @@ cb_intercept_allow_setid(const char *file, int line, int column,
/* Operator will be -1 if set by front-end. */
if (op != -1) {
/* Set explicitly in sudoers. */
SET(sudo_user.flags, USER_INTERCEPT_SETID);
SET(user_ctx.flags, USER_INTERCEPT_SETID);
}
debug_return_bool(true);

14
plugins/sudoers/check.c
View File

@@ -197,7 +197,7 @@ check_user(unsigned int validated, unsigned int mode)
goto done;
}
if (user_uid == 0 || (user_uid == runas_pw->pw_uid &&
(!runas_gr || user_in_group(sudo_user.pw, runas_gr->gr_name)))) {
(!runas_gr || user_in_group(user_ctx.pw, runas_gr->gr_name)))) {
#ifdef HAVE_SELINUX
if (user_role == NULL && user_type == NULL)
#endif
@@ -327,7 +327,7 @@ user_is_exempt(void)
debug_decl(user_is_exempt, SUDOERS_DEBUG_AUTH);
if (def_exempt_group) {
if (user_in_group(sudo_user.pw, def_exempt_group))
if (user_in_group(user_ctx.pw, def_exempt_group))
ret = true;
}
debug_return_bool(ret);
@@ -336,7 +336,7 @@ user_is_exempt(void)
/*
* Get passwd entry for the user we are going to authenticate as.
* By default, this is the user invoking sudo. In the most common
* case, this matches sudo_user.pw or runas_pw.
* case, this matches user_ctx.pw or runas_pw.
*/
static struct passwd *
get_authpw(unsigned int mode)
@@ -346,8 +346,8 @@ get_authpw(unsigned int mode)
if (ISSET(mode, (MODE_CHECK|MODE_LIST))) {
/* In list mode we always prompt for the user's password. */
sudo_pw_addref(sudo_user.pw);
pw = sudo_user.pw;
sudo_pw_addref(user_ctx.pw);
pw = user_ctx.pw;
} else {
if (def_rootpw) {
if ((pw = sudo_getpwuid(ROOT_UID)) == NULL) {
@@ -368,8 +368,8 @@ get_authpw(unsigned int mode)
pw = runas_pw;
}
} else {
sudo_pw_addref(sudo_user.pw);
pw = sudo_user.pw;
sudo_pw_addref(user_ctx.pw);
pw = user_ctx.pw;
}
}

2
plugins/sudoers/cvtsudoers.c
View File

@@ -61,7 +61,7 @@
* Globals
*/
struct cvtsudoers_filter *filters;
struct sudo_user sudo_user;
struct sudoers_user_context user_ctx;
struct passwd *list_pw;
static FILE *logfp;
static const char short_opts[] = "b:c:d:ef:hi:I:l:m:Mo:O:pP:s:V";

4
plugins/sudoers/defaults.c
View File

@@ -706,7 +706,7 @@ default_binding_matches(struct sudoers_parse_tree *parse_tree,
case DEFAULTS:
debug_return_bool(true);
case DEFAULTS_USER:
if (userlist_matches(parse_tree, sudo_user.pw, &d->binding->members) == ALLOW)
if (userlist_matches(parse_tree, user_ctx.pw, &d->binding->members) == ALLOW)
debug_return_bool(true);
break;
case DEFAULTS_RUNAS:
@@ -714,7 +714,7 @@ default_binding_matches(struct sudoers_parse_tree *parse_tree,
debug_return_bool(true);
break;
case DEFAULTS_HOST:
if (hostlist_matches(parse_tree, sudo_user.pw, &d->binding->members) == ALLOW)
if (hostlist_matches(parse_tree, user_ctx.pw, &d->binding->members) == ALLOW)
debug_return_bool(true);
break;
case DEFAULTS_CMND:

2
plugins/sudoers/display.c
View File

@@ -459,7 +459,7 @@ display_privs(const struct sudo_nss_list *snl, struct passwd *pw, bool verbose)
struct stat sb;
debug_decl(display_privs, SUDOERS_DEBUG_PARSER);
cols = sudo_user.cols;
cols = user_ctx.cols;
if (fstat(STDOUT_FILENO, &sb) == 0 && S_ISFIFO(sb.st_mode))
cols = 0;
sudo_lbuf_init(&def_buf, output, 4, NULL, cols);

34
plugins/sudoers/logging.c
View File

@@ -156,7 +156,7 @@ log_server_reject(struct eventlog *evlog, const char *message)
debug_return_bool(false);
/* Open connection to log server, send hello and reject messages. */
client_closure = log_server_open(&details, &sudo_user.submit_time,
client_closure = log_server_open(&details, &user_ctx.submit_time,
false, SEND_REJECT, message);
if (client_closure != NULL) {
client_closure_free(client_closure);
@@ -256,7 +256,7 @@ log_reject(const char *message, bool logit, bool mailit)
debug_decl(log_reject, SUDOERS_DEBUG_LOGGING);
if (!ISSET(sudo_mode, MODE_POLICY_INTERCEPTED))
uuid_str = sudo_user.uuid_str;
uuid_str = user_ctx.uuid_str;
if (mailit) {
SET(evl_flags, EVLOG_MAIL);
@@ -604,7 +604,7 @@ log_exit_status(int status)
ret = false;
goto done;
}
sudo_timespecsub(&run_time, &sudo_user.submit_time, &run_time);
sudo_timespecsub(&run_time, &user_ctx.submit_time, &run_time);
if (WIFEXITED(status)) {
exit_value = WEXITSTATUS(status);
@@ -625,7 +625,7 @@ log_exit_status(int status)
sudoers_setlocale(SUDOERS_LOCALE_SUDOERS, &oldlocale);
sudoers_to_eventlog(&evlog, saved_cmnd, saved_argv, env_get(),
sudo_user.uuid_str);
user_ctx.uuid_str);
if (def_mail_always) {
SET(evl_flags, EVLOG_MAIL);
if (!def_log_exit_status)
@@ -728,7 +728,7 @@ vlog_warning(unsigned int flags, int errnum, const char * restrict fmt,
SET(evl_flags, EVLOG_MAIL_ONLY);
}
sudoers_to_eventlog(&evlog, safe_cmnd, NewArgv, env_get(),
sudo_user.uuid_str);
user_ctx.uuid_str);
if (!eventlog_alert(&evlog, evl_flags, &now, message, errstr))
ret = false;
if (!log_server_alert(&evlog, &now, message, errstr))
@@ -843,7 +843,7 @@ mail_parse_errors(void)
goto done;
}
sudoers_to_eventlog(&evlog, safe_cmnd, NewArgv, env_get(),
sudo_user.uuid_str);
user_ctx.uuid_str);
/* Convert parse_error_list to a string vector. */
n = 0;
@@ -955,12 +955,12 @@ sudoers_to_eventlog(struct eventlog *evlog, const char *cmnd,
debug_decl(sudoers_to_eventlog, SUDOERS_DEBUG_LOGGING);
/* We rely on the reference held by the group cache. */
if ((grp = sudo_getgrgid(sudo_user.pw->pw_gid)) != NULL)
if ((grp = sudo_getgrgid(user_ctx.pw->pw_gid)) != NULL)
sudo_gr_delref(grp);
memset(evlog, 0, sizeof(*evlog));
evlog->iolog_file = sudo_user.iolog_file;
evlog->iolog_path = sudo_user.iolog_path;
evlog->iolog_file = user_ctx.iolog_file;
evlog->iolog_path = user_ctx.iolog_path;
evlog->command = cmnd ? (char *)cmnd : (argv ? argv[0] : NULL);
evlog->cwd = user_cwd;
if (def_runchroot != NULL && strcmp(def_runchroot, "*") != 0) {
@@ -973,19 +973,19 @@ sudoers_to_eventlog(struct eventlog *evlog, const char *cmnd,
} else {
evlog->runcwd = user_cwd;
}
evlog->rungroup = runas_gr ? runas_gr->gr_name : sudo_user.runas_group;
evlog->source = sudo_user.source;
evlog->rungroup = runas_gr ? runas_gr->gr_name : user_ctx.runas_group;
evlog->source = user_ctx.source;
evlog->submithost = user_host;
evlog->submituser = user_name;
if (grp != NULL)
evlog->submitgroup = grp->gr_name;
evlog->ttyname = user_ttypath;
evlog->argv = (char **)argv;
evlog->env_add = (char **)sudo_user.env_vars;
evlog->env_add = (char **)user_ctx.env_vars;
evlog->envp = (char **)envp;
evlog->submit_time = sudo_user.submit_time;
evlog->lines = sudo_user.lines;
evlog->columns = sudo_user.cols;
evlog->submit_time = user_ctx.submit_time;
evlog->lines = user_ctx.lines;
evlog->columns = user_ctx.cols;
if (runas_pw != NULL) {
evlog->rungid = runas_pw->pw_gid;
evlog->runuid = runas_pw->pw_uid;
@@ -993,7 +993,7 @@ sudoers_to_eventlog(struct eventlog *evlog, const char *cmnd,
} else {
evlog->rungid = (gid_t)-1;
evlog->runuid = (uid_t)-1;
evlog->runuser = sudo_user.runas_user;
evlog->runuser = user_ctx.runas_user;
}
if (uuid_str == NULL) {
unsigned char uuid[16];
@@ -1009,7 +1009,7 @@ sudoers_to_eventlog(struct eventlog *evlog, const char *cmnd,
if (sudo_gettime_real(&now) == -1) {
sudo_warn("%s", U_("unable to get time of day"));
} else {
sudo_timespecsub(&now, &sudo_user.submit_time, &evlog->iolog_offset);
sudo_timespecsub(&now, &user_ctx.submit_time, &evlog->iolog_offset);
}
}

6
plugins/sudoers/lookup.c
View File

@@ -291,13 +291,13 @@ sudoers_lookup_check(struct sudo_nss *nss, struct passwd *pw,
if (cmnd_match != UNSPEC) {
/*
* If user is running command as themselves,
* set runas_pw = sudo_user.pw.
* set runas_pw = user_ctx.pw.
* XXX - hack, want more general solution
*/
if (matching_user && matching_user->type == MYSELF) {
sudo_pw_delref(runas_pw);
sudo_pw_addref(sudo_user.pw);
runas_pw = sudo_user.pw;
sudo_pw_addref(user_ctx.pw);
runas_pw = user_ctx.pw;
}
*matching_cs = cs;
*defs = &priv->defaults;

8
plugins/sudoers/match.c
View File

@@ -135,7 +135,7 @@ runas_getgroups(void)
}
/* Only use results from a group db query, not the front end. */
pw = runas_pw ? runas_pw : sudo_user.pw;
pw = runas_pw ? runas_pw : user_ctx.pw;
debug_return_ptr(sudo_get_gidlist(pw, ENTRY_TYPE_QUERIED));
}
@@ -193,8 +193,8 @@ runas_userlist_matches(const struct sudoers_parse_tree *parse_tree,
* was specified on the command line without a user _or_
* the user specified their own name on the command line.
*/
if ((!ISSET(sudo_user.flags, RUNAS_USER_SPECIFIED) &&
ISSET(sudo_user.flags, RUNAS_GROUP_SPECIFIED)) ||
if ((!ISSET(user_ctx.flags, RUNAS_USER_SPECIFIED) &&
ISSET(user_ctx.flags, RUNAS_GROUP_SPECIFIED)) ||
strcmp(user_name, runas_pw->pw_name) == 0)
user_matched = !m->negated;
break;
@@ -303,7 +303,7 @@ runaslist_matches(const struct sudoers_parse_tree *parse_tree,
}
user_matched = runas_userlist_matches(parse_tree, user_list, matching_user);
if (ISSET(sudo_user.flags, RUNAS_GROUP_SPECIFIED)) {
if (ISSET(user_ctx.flags, RUNAS_GROUP_SPECIFIED)) {
group_matched = runas_grouplist_matches(parse_tree, group_list,
matching_group);
}

44
plugins/sudoers/policy.c
View File

@@ -91,7 +91,7 @@ parse_bool(const char *line, int varlen, unsigned int *flags, unsigned int fval)
/*
* Deserialize args, settings and user_info arrays.
* Fills in struct sudo_user and other common sudoers state.
* Fills in struct sudoers_user_context and other common sudoers state.
*/
unsigned int
sudoers_policy_deserialize_info(void *v, struct defaults_list *defaults)
@@ -119,7 +119,7 @@ sudoers_policy_deserialize_info(void *v, struct defaults_list *defaults)
} \
} while (0)
if (sudo_gettime_real(&sudo_user.submit_time) == -1) {
if (sudo_gettime_real(&user_ctx.submit_time) == -1) {
sudo_warn("%s", U_("unable to get time of day"));
goto bad;
}
@@ -183,7 +183,7 @@ sudoers_policy_deserialize_info(void *v, struct defaults_list *defaults)
sudoers_conf.sudoers_path = path_sudoers;
/* Parse command line settings. */
sudo_user.flags = 0;
user_ctx.flags = 0;
user_closefrom = -1;
sudoedit_nfiles = 0;
sudo_mode = 0;
@@ -218,14 +218,14 @@ sudoers_policy_deserialize_info(void *v, struct defaults_list *defaults)
}
if (MATCHES(*cur, "runas_user=")) {
CHECK(*cur, "runas_user=");
sudo_user.runas_user = *cur + sizeof("runas_user=") - 1;
SET(sudo_user.flags, RUNAS_USER_SPECIFIED);
user_ctx.runas_user = *cur + sizeof("runas_user=") - 1;
SET(user_ctx.flags, RUNAS_USER_SPECIFIED);
continue;
}
if (MATCHES(*cur, "runas_group=")) {
CHECK(*cur, "runas_group=");
sudo_user.runas_group = *cur + sizeof("runas_group=") - 1;
SET(sudo_user.flags, RUNAS_GROUP_SPECIFIED);
user_ctx.runas_group = *cur + sizeof("runas_group=") - 1;
SET(user_ctx.flags, RUNAS_GROUP_SPECIFIED);
continue;
}
if (MATCHES(*cur, "prompt=")) {
@@ -303,13 +303,13 @@ sudoers_policy_deserialize_info(void *v, struct defaults_list *defaults)
continue;
}
if (MATCHES(*cur, "intercept_ptrace=")) {
if (parse_bool(*cur, sizeof("intercept_ptrace") - 1, &sudo_user.flags,
if (parse_bool(*cur, sizeof("intercept_ptrace") - 1, &user_ctx.flags,
HAVE_INTERCEPT_PTRACE) == -1)
goto bad;
continue;
}
if (MATCHES(*cur, "intercept_setid=")) {
if (parse_bool(*cur, sizeof("intercept_setid") - 1, &sudo_user.flags,
if (parse_bool(*cur, sizeof("intercept_setid") - 1, &user_ctx.flags,
CAN_INTERCEPT_SETID) == -1)
goto bad;
continue;
@@ -361,8 +361,8 @@ sudoers_policy_deserialize_info(void *v, struct defaults_list *defaults)
if (MATCHES(*cur, "max_groups=")) {
errno = 0;
p = *cur + sizeof("max_groups=") - 1;
sudo_user.max_groups = (int)sudo_strtonum(p, 1, 1024, &errstr);
if (sudo_user.max_groups == 0) {
user_ctx.max_groups = (int)sudo_strtonum(p, 1, 1024, &errstr);
if (user_ctx.max_groups == 0) {
sudo_warnx(U_("%s: %s"), *cur, U_(errstr));
goto bad;
}
@@ -473,8 +473,8 @@ sudoers_policy_deserialize_info(void *v, struct defaults_list *defaults)
if (MATCHES(*cur, "lines=")) {
errno = 0;
p = *cur + sizeof("lines=") - 1;
sudo_user.lines = (int)sudo_strtonum(p, 1, INT_MAX, &errstr);
if (sudo_user.lines == 0) {
user_ctx.lines = (int)sudo_strtonum(p, 1, INT_MAX, &errstr);
if (user_ctx.lines == 0) {
sudo_warnx(U_("%s: %s"), *cur, U_(errstr));
goto bad;
}
@@ -483,8 +483,8 @@ sudoers_policy_deserialize_info(void *v, struct defaults_list *defaults)
if (MATCHES(*cur, "cols=")) {
errno = 0;
p = *cur + sizeof("cols=") - 1;
sudo_user.cols = (int)sudo_strtonum(p, 1, INT_MAX, &errstr);
if (sudo_user.cols == 0) {
user_ctx.cols = (int)sudo_strtonum(p, 1, INT_MAX, &errstr);
if (user_ctx.cols == 0) {
sudo_warnx(U_("%s: %s"), *cur, U_(errstr));
goto bad;
}
@@ -510,7 +510,7 @@ sudoers_policy_deserialize_info(void *v, struct defaults_list *defaults)
}
if (MATCHES(*cur, "umask=")) {
p = *cur + sizeof("umask=") - 1;
sudo_user.umask = sudo_strtomode(p, &errstr);
user_ctx.umask = sudo_strtomode(p, &errstr);
if (errstr != NULL) {
sudo_warnx(U_("%s: %s"), *cur, U_(errstr));
goto bad;
@@ -581,7 +581,7 @@ sudoers_policy_deserialize_info(void *v, struct defaults_list *defaults)
/* Create a UUID to store in the event log. */
sudo_uuid_create(uuid);
if (sudo_uuid_to_string(uuid, sudo_user.uuid_str, sizeof(sudo_user.uuid_str)) == NULL) {
if (sudo_uuid_to_string(uuid, user_ctx.uuid_str, sizeof(user_ctx.uuid_str)) == NULL) {
sudo_warnx("%s", U_("unable to generate UUID"));
goto bad;
}
@@ -590,11 +590,11 @@ sudoers_policy_deserialize_info(void *v, struct defaults_list *defaults)
* Set intercept defaults based on flags set above.
* We pass -1 as the operator to indicate it is set by the front end.
*/
if (ISSET(sudo_user.flags, HAVE_INTERCEPT_PTRACE)) {
if (ISSET(user_ctx.flags, HAVE_INTERCEPT_PTRACE)) {
if (!append_default("intercept_type", "trace", -1, NULL, defaults))
goto oom;
}
if (ISSET(sudo_user.flags, CAN_INTERCEPT_SETID)) {
if (ISSET(user_ctx.flags, CAN_INTERCEPT_SETID)) {
if (!append_default("intercept_allow_setid", NULL, -1, NULL, defaults))
goto oom;
}
@@ -1002,8 +1002,8 @@ sudoers_policy_store_result(bool accepted, char *argv[], char *envp[],
if ((command_info[info_len++] = sudo_new_key_val("rlimit_stack", def_rlimit_stack)) == NULL)
goto oom;
}
if (sudo_user.source != NULL) {
command_info[info_len] = sudo_new_key_val("source", sudo_user.source);
if (user_ctx.source != NULL) {
command_info[info_len] = sudo_new_key_val("source", user_ctx.source);
if (command_info[info_len++] == NULL)
goto oom;
}
@@ -1139,7 +1139,7 @@ sudoers_policy_close(int exit_status, int error_code)
/* Free stashed copy of the environment. */
(void)env_init(NULL);
/* Free sudoers sources, sudo_user and passwd/group caches. */
/* Free sudoers sources, user_ctx and passwd/group caches. */
sudoers_cleanup();
/* command_info was freed by the g/c code. */

10
plugins/sudoers/pwutil_impl.c
View File

@@ -264,7 +264,7 @@ PREFIX(make_gidlist_item)(const struct passwd *pw, char * const *gidstrs,
* Ignore supplied gids if the entry type says we must query the group db.
*/
if (type != ENTRY_TYPE_QUERIED && (gidstrs != NULL ||
(pw == sudo_user.pw && sudo_user.gids != NULL))) {
(pw == user_ctx.pw && user_ctx.gids != NULL))) {
if (gidstrs != NULL) {
/* Use supplied gids list (string format). */
ngids = 1;
@@ -290,7 +290,7 @@ PREFIX(make_gidlist_item)(const struct passwd *pw, char * const *gidstrs,
gids[ngids++] = gid;
}
} else {
/* Adopt sudo_user.gids. */
/* Adopt user_ctx.gids. */
gids = user_gids;
ngids = user_ngids;
user_gids = NULL;
@@ -299,8 +299,8 @@ PREFIX(make_gidlist_item)(const struct passwd *pw, char * const *gidstrs,
type = ENTRY_TYPE_FRONTEND;
} else {
type = ENTRY_TYPE_QUERIED;
if (sudo_user.max_groups > 0) {
ngids = sudo_user.max_groups;
if (user_ctx.max_groups > 0) {
ngids = user_ctx.max_groups;
gids = reallocarray(NULL, (size_t)ngids, sizeof(GETGROUPS_T));
if (gids == NULL) {
sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
@@ -309,7 +309,7 @@ PREFIX(make_gidlist_item)(const struct passwd *pw, char * const *gidstrs,
}
/* Clamp to max_groups if insufficient space for all groups. */
if (PREFIX(getgrouplist2)(pw->pw_name, pw->pw_gid, &gids, &ngids) == -1)
ngids = sudo_user.max_groups;
ngids = user_ctx.max_groups;
} else {
gids = NULL;
if (PREFIX(getgrouplist2)(pw->pw_name, pw->pw_gid, &gids, &ngids) == -1) {

2
plugins/sudoers/regress/exptilde/check_exptilde.c
View File

@@ -31,7 +31,7 @@
#include <def_data.c>
struct sudo_user sudo_user;
struct sudoers_user_context user_ctx;
struct test_data {
const char *input;

48
plugins/sudoers/regress/fuzz/fuzz_sudoers.c
View File

@@ -49,7 +49,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
static const char *orig_cmnd;
/* Required to link with parser. */
struct sudo_user sudo_user;
struct sudoers_user_context user_ctx;
struct passwd *list_pw;
sudo_conv_t sudo_conv = fuzz_conversation;
sudo_printf_t sudo_printf = fuzz_printf;
@@ -326,10 +326,10 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
/* Invoking user. */
user_name = (char *)ud->user;
if (sudo_user.pw != NULL)
sudo_pw_delref(sudo_user.pw);
sudo_user.pw = sudo_getpwnam(user_name);
if (sudo_user.pw == NULL) {
if (user_ctx.pw != NULL)
sudo_pw_delref(user_ctx.pw);
user_ctx.pw = sudo_getpwnam(user_name);
if (user_ctx.pw == NULL) {
sudo_warnx_nodebug("unknown user %s", user_name);
continue;
}
@@ -338,16 +338,16 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
if (runas_pw != NULL)
sudo_pw_delref(runas_pw);
if (ud->runuser != NULL) {
sudo_user.runas_user = (char *)ud->runuser;
SET(sudo_user.flags, RUNAS_USER_SPECIFIED);
runas_pw = sudo_getpwnam(sudo_user.runas_user);
user_ctx.runas_user = (char *)ud->runuser;
SET(user_ctx.flags, RUNAS_USER_SPECIFIED);
runas_pw = sudo_getpwnam(user_ctx.runas_user);
} else {
sudo_user.runas_user = NULL;
CLR(sudo_user.flags, RUNAS_USER_SPECIFIED);
user_ctx.runas_user = NULL;
CLR(user_ctx.flags, RUNAS_USER_SPECIFIED);
runas_pw = sudo_getpwnam("root");
}
if (runas_pw == NULL) {
sudo_warnx_nodebug("unknown run user %s", sudo_user.runas_user);
sudo_warnx_nodebug("unknown run user %s", user_ctx.runas_user);
continue;
}
@@ -355,32 +355,32 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
if (runas_gr != NULL)
sudo_gr_delref(runas_gr);
if (ud->rungroup != NULL) {
sudo_user.runas_group = (char *)ud->rungroup;
SET(sudo_user.flags, RUNAS_GROUP_SPECIFIED);
runas_gr = sudo_getgrnam(sudo_user.runas_group);
user_ctx.runas_group = (char *)ud->rungroup;
SET(user_ctx.flags, RUNAS_GROUP_SPECIFIED);
runas_gr = sudo_getgrnam(user_ctx.runas_group);
if (runas_gr == NULL) {
sudo_warnx_nodebug("unknown run group %s",
sudo_user.runas_group);
user_ctx.runas_group);
continue;
}
} else {
sudo_user.runas_group = NULL;
CLR(sudo_user.flags, RUNAS_GROUP_SPECIFIED);
user_ctx.runas_group = NULL;
CLR(user_ctx.flags, RUNAS_GROUP_SPECIFIED);
runas_gr = NULL;
}
update_defaults(&parse_tree, NULL, SETDEF_ALL, false);
sudoers_lookup(&snl, sudo_user.pw, now, NULL, NULL, &cmnd_status,
sudoers_lookup(&snl, user_ctx.pw, now, NULL, NULL, &cmnd_status,
false);
/* Match again as a pseudo-command (list, validate, etc). */
sudoers_lookup(&snl, sudo_user.pw, now, NULL, NULL, &cmnd_status,
sudoers_lookup(&snl, user_ctx.pw, now, NULL, NULL, &cmnd_status,
true);
/* Display privileges. */
display_privs(&snl, sudo_user.pw, false);
display_privs(&snl, sudo_user.pw, true);
display_privs(&snl, user_ctx.pw, false);
display_privs(&snl, user_ctx.pw, true);
}
/* Expand tildes in runcwd and runchroot. */
@@ -403,8 +403,8 @@ done:
fclose(fp);
free_parse_tree(&parse_tree);
reset_parser();
if (sudo_user.pw != NULL)
sudo_pw_delref(sudo_user.pw);
if (user_ctx.pw != NULL)
sudo_pw_delref(user_ctx.pw);
if (runas_pw != NULL)
sudo_pw_delref(runas_pw);
if (runas_gr != NULL)
@@ -414,7 +414,7 @@ done:
free(user_cmnd);
free(safe_cmnd);
free(list_cmnd);
memset(&sudo_user, 0, sizeof(sudo_user));
memset(&user_ctx, 0, sizeof(user_ctx));
sudoers_setlocale(SUDOERS_LOCALE_USER, NULL);
sudoers_debug_deregister();
fflush(stdout);

2
plugins/sudoers/regress/fuzz/fuzz_sudoers_ldif.c
View File

@@ -32,7 +32,7 @@ static int fuzz_printf(int msg_type, const char * restrict fmt, ...);
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
/* Required to link with parser. */
struct sudo_user sudo_user;
struct sudoers_user_context user_ctx;
struct passwd *list_pw;
sudo_printf_t sudo_printf = fuzz_printf;

8
plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c
View File

@@ -36,7 +36,7 @@
extern struct io_plugin sudoers_io;
struct sudo_user sudo_user;
struct sudoers_user_context user_ctx;
struct passwd *list_pw;
sudo_printf_t sudo_printf;
sudo_conv_t sudo_conv;
@@ -385,15 +385,15 @@ main(int argc, char *argv[], char *envp[])
if ((tpw = getpwnam("root")) == NULL)
sudo_fatalx("unable to look up uid 0 or root");
}
sudo_user._runas_pw = pw_dup(tpw);
user_ctx._runas_pw = pw_dup(tpw);
/* Set invoking user. */
if ((tpw = getpwuid(geteuid())) == NULL)
sudo_fatalx("unable to look up invoking user's uid");
sudo_user.pw = pw_dup(tpw);
user_ctx.pw = pw_dup(tpw);
/* Set iolog uid/gid to invoking user. */
iolog_set_owner(sudo_user.pw->pw_uid, sudo_user.pw->pw_gid);
iolog_set_owner(user_ctx.pw->pw_uid, user_ctx.pw->pw_gid);
test_endpoints(&tests, &errors, iolog_dir, envp);

4
plugins/sudoers/sssd.c
View File

@@ -754,8 +754,8 @@ sudo_sss_getdefs(const struct sudo_nss *nss)
sudo_debug_printf(SUDO_DEBUG_DIAG, "Looking for cn=defaults");
/* NOTE: these are global defaults, user-ID and name are not used. */
rc = handle->fn_send_recv_defaults(sudo_user.pw->pw_uid,
sudo_user.pw->pw_name, &sss_error, &handle->domainname, &sss_result);
rc = handle->fn_send_recv_defaults(user_ctx.pw->pw_uid,
user_ctx.pw->pw_name, &sss_error, &handle->domainname, &sss_result);
switch (rc) {
case 0:
break;

82
plugins/sudoers/sudoers.c
View File

@@ -79,7 +79,7 @@ static bool tty_present(void);
/*
* Globals
*/
struct sudo_user sudo_user;
struct sudoers_user_context user_ctx;
struct passwd *list_pw;
unsigned int sudo_mode;
@@ -268,7 +268,7 @@ sudoers_init(void *info, sudoers_logger_t logger, char * const envp[])
}
/* Set login class if applicable (after sudoers is parsed). */
if (set_loginclass(runas_pw ? runas_pw : sudo_user.pw))
if (set_loginclass(runas_pw ? runas_pw : user_ctx.pw))
ret = true;
cleanup:
@@ -287,7 +287,7 @@ cleanup:
/*
* Expand I/O log dir and file into a full path.
* Returns the full I/O log path prefixed with "iolog_path=".
* Sets sudo_user.iolog_file as a side effect.
* Sets user_ctx.iolog_file as a side effect.
*/
static char *
format_iolog_path(void)
@@ -316,8 +316,8 @@ format_iolog_path(void)
}
/* Stash pointer to the I/O log for the event log. */
sudo_user.iolog_path = iolog_path + sizeof("iolog_path=") - 1;
sudo_user.iolog_file = sudo_user.iolog_path + 1 + strlen(dir);
user_ctx.iolog_path = iolog_path + sizeof("iolog_path=") - 1;
user_ctx.iolog_file = user_ctx.iolog_path + 1 + strlen(dir);
done:
debug_return_str(iolog_path);
@@ -389,7 +389,7 @@ sudoers_check_common(int pwflag)
*/
time(&now);
sudoers_setlocale(SUDOERS_LOCALE_SUDOERS, &oldlocale);
validated = sudoers_lookup(snl, sudo_user.pw, now, cb_lookup, &match_info,
validated = sudoers_lookup(snl, user_ctx.pw, now, cb_lookup, &match_info,
&cmnd_status, pwflag);
sudoers_setlocale(oldlocale, NULL);
if (ISSET(validated, VALIDATE_ERROR)) {
@@ -398,15 +398,15 @@ sudoers_check_common(int pwflag)
}
if (match_info.us != NULL && match_info.us->file != NULL) {
free(sudo_user.source);
free(user_ctx.source);
if (match_info.us->line != 0) {
if (asprintf(&sudo_user.source, "%s:%d:%d", match_info.us->file,
if (asprintf(&user_ctx.source, "%s:%d:%d", match_info.us->file,
match_info.us->line, match_info.us->column) == -1)
sudo_user.source = NULL;
user_ctx.source = NULL;
} else {
sudo_user.source = strdup(match_info.us->file);
user_ctx.source = strdup(match_info.us->file);
}
if (sudo_user.source == NULL) {
if (user_ctx.source == NULL) {
sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
goto done;
}
@@ -515,16 +515,16 @@ sudoers_check_common(int pwflag)
goto done;
}
/* If run as root with SUDO_USER set, set sudo_user.pw to that user. */
/* If run as root with SUDO_USER set, set user_ctx.pw to that user. */
/* XXX - causes confusion when root is not listed in sudoers */
if (ISSET(sudo_mode, MODE_RUN|MODE_EDIT) && prev_user != NULL) {
if (user_uid == 0 && strcmp(prev_user, "root") != 0) {
struct passwd *pw;
if ((pw = sudo_getpwnam(prev_user)) != NULL) {
if (sudo_user.pw != NULL)
sudo_pw_delref(sudo_user.pw);
sudo_user.pw = pw;
if (user_ctx.pw != NULL)
sudo_pw_delref(user_ctx.pw);
user_ctx.pw = pw;
}
}
}
@@ -584,7 +584,7 @@ sudoers_check_common(int pwflag)
U_("sorry, you are not allowed to preserve the environment"));
goto bad;
} else {
if (!validate_env_vars(sudo_user.env_vars))
if (!validate_env_vars(user_ctx.env_vars))
goto bad;
}
}
@@ -643,7 +643,7 @@ sudoers_check_cmnd(int argc, char * const argv[], char *env_add[],
/* Environment variables specified on the command line. */
if (env_add != NULL && env_add[0] != NULL)
sudo_user.env_vars = env_add;
user_ctx.env_vars = env_add;
/*
* Make a local copy of argc/argv, with special handling for the
@@ -754,7 +754,7 @@ sudoers_check_cmnd(int argc, char * const argv[], char *env_add[],
}
/* Insert user-specified environment variables. */
if (!insert_env_vars(sudo_user.env_vars)) {
if (!insert_env_vars(user_ctx.env_vars)) {
sudo_warnx("%s",
U_("error setting user-specified environment variables"));
goto error;
@@ -943,9 +943,9 @@ sudoers_list(int argc, char * const argv[], const char *list_user, bool verbose)
goto done;
if (ISSET(sudo_mode, MODE_CHECK))
ret = display_cmnd(snl, list_pw ? list_pw : sudo_user.pw, verbose);
ret = display_cmnd(snl, list_pw ? list_pw : user_ctx.pw, verbose);
else
ret = display_privs(snl, list_pw ? list_pw : sudo_user.pw, verbose);
ret = display_privs(snl, list_pw ? list_pw : user_ctx.pw, verbose);
done:
mail_parse_errors();
@@ -970,7 +970,7 @@ done:
}
/*
* Initialize timezone and fill in sudo_user struct.
* Initialize timezone and fill in user_ctx.
*/
static bool
init_vars(char * const envp[])
@@ -1015,8 +1015,8 @@ init_vars(char * const envp[])
* Get a local copy of the user's passwd struct and group list if we
* don't already have them.
*/
if (sudo_user.pw == NULL) {
if ((sudo_user.pw = sudo_getpwnam(user_name)) == NULL) {
if (user_ctx.pw == NULL) {
if ((user_ctx.pw = sudo_getpwnam(user_name)) == NULL) {
/*
* It is not unusual for users to place "sudo -k" in a .logout
* file which can cause sudo to be run during reboot after the
@@ -1028,12 +1028,12 @@ init_vars(char * const envp[])
}
/* Need to make a fake struct passwd for the call to log_warningx(). */
sudo_user.pw = sudo_mkpwent(user_name, user_uid, user_gid, NULL, NULL);
user_ctx.pw = sudo_mkpwent(user_name, user_uid, user_gid, NULL, NULL);
unknown_user = true;
}
}
if (user_gid_list == NULL)
user_gid_list = sudo_get_gidlist(sudo_user.pw, ENTRY_TYPE_ANY);
user_gid_list = sudo_get_gidlist(user_ctx.pw, ENTRY_TYPE_ANY);
/* Store initialize permissions so we can restore them later. */
if (!set_perms(PERM_INITIAL))
@@ -1053,15 +1053,15 @@ init_vars(char * const envp[])
* Note that if runas_group was specified without runas_user we
* run the command as the invoking user.
*/
if (sudo_user.runas_group != NULL) {
if (!set_runasgr(sudo_user.runas_group, false))
if (user_ctx.runas_group != NULL) {
if (!set_runasgr(user_ctx.runas_group, false))
debug_return_bool(false);
if (!set_runaspw(sudo_user.runas_user ?
sudo_user.runas_user : user_name, false))
if (!set_runaspw(user_ctx.runas_user ?
user_ctx.runas_user : user_name, false))
debug_return_bool(false);
} else {
if (!set_runaspw(sudo_user.runas_user ?
sudo_user.runas_user : def_runas_default, false))
if (!set_runaspw(user_ctx.runas_user ?
user_ctx.runas_user : def_runas_default, false))
debug_return_bool(false);
}
@@ -1483,7 +1483,7 @@ cb_runas_default(const char *file, int line, int column,
debug_decl(cb_runas_default, SUDOERS_DEBUG_PLUGIN);
/* Only reset runaspw if user didn't specify one. */
if (sudo_user.runas_user == NULL && sudo_user.runas_group == NULL)
if (user_ctx.runas_user == NULL && user_ctx.runas_group == NULL)
debug_return_bool(set_runaspw(sd_un->str, true));
debug_return_bool(true);
}
@@ -1515,7 +1515,7 @@ sudoers_cleanup(void)
need_reinit = false;
if (def_group_plugin)
group_plugin_unload();
sudo_user_free();
sudoers_user_ctx_free();
sudo_freepwcache();
sudo_freegrcache();
canon_path_free_cache();
@@ -1552,16 +1552,16 @@ tty_present(void)
}
/*
* Free memory allocated for struct sudo_user.
* Free memory allocated for struct sudoers_user_context.
*/
void
sudo_user_free(void)
sudoers_user_ctx_free(void)
{
debug_decl(sudo_user_free, SUDOERS_DEBUG_PLUGIN);
debug_decl(sudoers_user_ctx_free, SUDOERS_DEBUG_PLUGIN);
/* Free remaining references to password and group entries. */
if (sudo_user.pw != NULL)
sudo_pw_delref(sudo_user.pw);
if (user_ctx.pw != NULL)
sudo_pw_delref(user_ctx.pw);
if (runas_pw != NULL)
sudo_pw_delref(runas_pw);
if (runas_gr != NULL)
@@ -1569,7 +1569,7 @@ sudo_user_free(void)
if (user_gid_list != NULL)
sudo_gidlist_delref(user_gid_list);
/* Free dynamic contents of sudo_user. */
/* Free dynamic contents of user_ctx. */
free(user_cwd);
free(user_name);
free(user_gids);
@@ -1589,7 +1589,7 @@ sudo_user_free(void)
free(list_cmnd);
free(safe_cmnd);
free(saved_cmnd);
free(sudo_user.source);
free(user_ctx.source);
free(user_stat);
#ifdef HAVE_SELINUX
free(user_role);
@@ -1602,7 +1602,7 @@ sudo_user_free(void)
free(runas_privs);
free(runas_limitprivs);
#endif
memset(&sudo_user, 0, sizeof(sudo_user));
memset(&user_ctx, 0, sizeof(user_ctx));
debug_return;
}

94
plugins/sudoers/sudoers.h
View File

@@ -79,7 +79,7 @@ struct group_list {
* Info pertaining to the invoking user.
* XXX - can we embed struct eventlog here or use it instead?
*/
struct sudo_user {
struct sudoers_user_context {
struct timespec submit_time;
struct passwd *pw;
struct passwd *_runas_pw;
@@ -149,7 +149,7 @@ struct sudo_user {
#define ENTRY_TYPE_FRONTEND 0x02
/*
* sudo_user flag values
* user_ctx.flag values
*/
#define RUNAS_USER_SPECIFIED 0x01U
#define RUNAS_GROUP_SPECIFIED 0x02U
@@ -224,50 +224,50 @@ struct sudo_user {
#define PERM_IOLOG 0x07
/*
* Shortcuts for sudo_user contents.
* Shortcuts for user_ctx contents.
*/
#define user_name (sudo_user.name)
#define user_uid (sudo_user.uid)
#define user_gid (sudo_user.gid)
#define user_sid (sudo_user.sid)
#define user_tcpgid (sudo_user.tcpgid)
#define user_umask (sudo_user.umask)
#define user_passwd (sudo_user.pw->pw_passwd)
#define user_dir (sudo_user.pw->pw_dir)
#define user_gids (sudo_user.gids)
#define user_ngids (sudo_user.ngids)
#define user_gid_list (sudo_user.gid_list)
#define user_tty (sudo_user.tty)
#define user_ttypath (sudo_user.ttypath)
#define user_cwd (sudo_user.cwd)
#define user_cmnd (sudo_user.cmnd)
#define user_cmnd_dir (sudo_user.cmnd_dir)
#define user_args (sudo_user.cmnd_args)
#define user_base (sudo_user.cmnd_base)
#define user_stat (sudo_user.cmnd_stat)
#define user_path (sudo_user.path)
#define user_prompt (sudo_user.prompt)
#define user_host (sudo_user.host)
#define user_shost (sudo_user.shost)
#define user_runhost (sudo_user.runhost)
#define user_srunhost (sudo_user.srunhost)
#define user_ccname (sudo_user.krb5_ccname)
#define list_cmnd (sudo_user.cmnd_list)
#define safe_cmnd (sudo_user.cmnd_safe)
#define saved_cmnd (sudo_user.cmnd_saved)
#define cmnd_fd (sudo_user.execfd)
#define login_class (sudo_user.class_name)
#define runas_pw (sudo_user._runas_pw)
#define runas_gr (sudo_user._runas_gr)
#define user_role (sudo_user.role)
#define user_type (sudo_user.type)
#define user_apparmor_profile (sudo_user.apparmor_profile)
#define user_closefrom (sudo_user.closefrom)
#define runas_privs (sudo_user.privs)
#define runas_limitprivs (sudo_user.limitprivs)
#define user_timeout (sudo_user.timeout)
#define user_runchroot (sudo_user.runchroot)
#define user_runcwd (sudo_user.runcwd)
#define user_name (user_ctx.name)
#define user_uid (user_ctx.uid)
#define user_gid (user_ctx.gid)
#define user_sid (user_ctx.sid)
#define user_tcpgid (user_ctx.tcpgid)
#define user_umask (user_ctx.umask)
#define user_passwd (user_ctx.pw->pw_passwd)
#define user_dir (user_ctx.pw->pw_dir)
#define user_gids (user_ctx.gids)
#define user_ngids (user_ctx.ngids)
#define user_gid_list (user_ctx.gid_list)
#define user_tty (user_ctx.tty)
#define user_ttypath (user_ctx.ttypath)
#define user_cwd (user_ctx.cwd)
#define user_cmnd (user_ctx.cmnd)
#define user_cmnd_dir (user_ctx.cmnd_dir)
#define user_args (user_ctx.cmnd_args)
#define user_base (user_ctx.cmnd_base)
#define user_stat (user_ctx.cmnd_stat)
#define user_path (user_ctx.path)
#define user_prompt (user_ctx.prompt)
#define user_host (user_ctx.host)
#define user_shost (user_ctx.shost)
#define user_runhost (user_ctx.runhost)
#define user_srunhost (user_ctx.srunhost)
#define user_ccname (user_ctx.krb5_ccname)
#define list_cmnd (user_ctx.cmnd_list)
#define safe_cmnd (user_ctx.cmnd_safe)
#define saved_cmnd (user_ctx.cmnd_saved)
#define cmnd_fd (user_ctx.execfd)
#define login_class (user_ctx.class_name)
#define runas_pw (user_ctx._runas_pw)
#define runas_gr (user_ctx._runas_gr)
#define user_role (user_ctx.role)
#define user_type (user_ctx.type)
#define user_apparmor_profile (user_ctx.apparmor_profile)
#define user_closefrom (user_ctx.closefrom)
#define runas_privs (user_ctx.privs)
#define runas_limitprivs (user_ctx.limitprivs)
#define user_timeout (user_ctx.timeout)
#define user_runchroot (user_ctx.runchroot)
#define user_runcwd (user_ctx.runcwd)
/* Default sudoers uid/gid/mode if not set by the Makefile. */
#ifndef SUDOERS_UID
@@ -421,8 +421,8 @@ int sudoers_list(int argc, char *const argv[], const char *list_user, bool verbo
int sudoers_validate_user(void);
void sudoers_cleanup(void);
bool sudoers_override_umask(void);
void sudo_user_free(void);
extern struct sudo_user sudo_user;
void sudoers_user_ctx_free(void);
extern struct sudoers_user_context user_ctx;
extern struct passwd *list_pw;
extern unsigned int sudo_mode;
extern int sudoedit_nfiles;

14
plugins/sudoers/testsudoers.c
View File

@@ -79,7 +79,7 @@ static int testsudoers_query(const struct sudo_nss *nss, struct passwd *pw);
/*
* Globals
*/
struct sudo_user sudo_user;
struct sudoers_user_context user_ctx;
struct passwd *list_pw;
static const char *orig_cmnd;
static char *runas_group, *runas_user;
@@ -149,7 +149,7 @@ main(int argc, char *argv[])
break;
case 'g':
runas_group = optarg;
SET(sudo_user.flags, RUNAS_GROUP_SPECIFIED);
SET(user_ctx.flags, RUNAS_GROUP_SPECIFIED);
break;
case 'h':
user_host = optarg;
@@ -206,7 +206,7 @@ main(int argc, char *argv[])
break;
case 'u':
runas_user = optarg;
SET(sudo_user.flags, RUNAS_USER_SPECIFIED);
SET(user_ctx.flags, RUNAS_USER_SPECIFIED);
break;
case 'v':
if (sudo_mode != MODE_RUN) {
@@ -267,10 +267,10 @@ main(int argc, char *argv[])
strlcpy(cwdbuf, "/", sizeof(cwdbuf));
user_cwd = cwdbuf;
if ((sudo_user.pw = sudo_getpwnam(user_name)) == NULL)
if ((user_ctx.pw = sudo_getpwnam(user_name)) == NULL)
sudo_fatalx(U_("unknown user %s"), user_name);
user_uid = sudo_user.pw->pw_uid;
user_gid = sudo_user.pw->pw_gid;
user_uid = user_ctx.pw->pw_uid;
user_gid = user_ctx.pw->pw_gid;
if (user_host == NULL) {
if ((user_host = sudo_gethostname()) == NULL)
@@ -380,7 +380,7 @@ main(int argc, char *argv[])
testsudoers_nss.parse_tree = &parsed_policy;
printf("\nEntries for user %s:\n", user_name);
validated = sudoers_lookup(&snl, sudo_user.pw, now, cb_lookup, NULL,
validated = sudoers_lookup(&snl, user_ctx.pw, now, cb_lookup, NULL,
&status, pwflag);
/* Validate user-specified chroot or cwd (if any) and runas user shell. */

4
plugins/sudoers/timestamp.c
View File

@@ -1163,8 +1163,8 @@ create_admin_success_flag(void)
debug_return_int(true);
/* Check whether the user is in the sudo or admin group. */
if (!user_in_group(sudo_user.pw, "sudo") &&
!user_in_group(sudo_user.pw, "admin"))
if (!user_in_group(user_ctx.pw, "sudo") &&
!user_in_group(user_ctx.pw, "admin"))
debug_return_int(true);
/* Build path to flag file. */

10
plugins/sudoers/visudo.c
View File

@@ -108,7 +108,7 @@ extern void get_hostname(void);
/*
* Globals
*/
struct sudo_user sudo_user;
struct sudoers_user_context user_ctx;
struct passwd *list_pw;
static const char *path_sudoers = _PATH_SUDOERS;
static struct sudoersfile_list sudoerslist = TAILQ_HEAD_INITIALIZER(sudoerslist);
@@ -258,17 +258,17 @@ main(int argc, char *argv[])
export_sudoers(path_sudoers, export_path);
}
/* Mock up a fake sudo_user struct. */
/* Mock up a fake struct sudoers_user_context. */
user_cmnd = user_base = strdup("true");
if (user_cmnd == NULL)
sudo_fatalx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
if (geteuid() == 0) {
const char *user = getenv("SUDO_USER");
if (user != NULL && *user != '\0')
sudo_user.pw = sudo_getpwnam(user);
user_ctx.pw = sudo_getpwnam(user);
}
if (sudo_user.pw == NULL) {
if ((sudo_user.pw = sudo_getpwuid(getuid())) == NULL)
if (user_ctx.pw == NULL) {
if ((user_ctx.pw = sudo_getpwuid(getuid())) == NULL)
sudo_fatalx(U_("you do not exist in the %s database"), "passwd");
}
get_hostname();