diff --git a/plugins/sudoers/auth/API b/plugins/sudoers/auth/API index 36096709a..ad242fd02 100644 --- a/plugins/sudoers/auth/API +++ b/plugins/sudoers/auth/API @@ -7,7 +7,7 @@ Purpose: to provide a simple API for authentication methods that The sudo_auth struct looks like this: typedef struct sudo_auth { - int flags; /* various flags, see below */ + unsigned int flags; /* various flags, see below */ int status; /* status from verify routine */ char *name; /* name of the method in string form */ void *data; /* method-specific data pointer */ diff --git a/plugins/sudoers/auth/sudo_auth.c b/plugins/sudoers/auth/sudo_auth.c index b58b3f9a6..bfe7eadc3 100644 --- a/plugins/sudoers/auth/sudo_auth.c +++ b/plugins/sudoers/auth/sudo_auth.c @@ -99,7 +99,7 @@ static bool standalone; * Returns 0 on success and -1 on error. */ int -sudo_auth_init(struct passwd *pw, int mode) +sudo_auth_init(struct passwd *pw, unsigned int mode) { sudo_auth *auth; int status = AUTH_SUCCESS; @@ -172,7 +172,7 @@ sudo_auth_init(struct passwd *pw, int mode) * Returns true on success, false on failure and -1 on error. */ int -sudo_auth_approval(struct passwd *pw, int validated, bool exempt) +sudo_auth_approval(struct passwd *pw, unsigned int validated, bool exempt) { sudo_auth *auth; debug_decl(sudo_auth_approval, SUDOERS_DEBUG_AUTH); @@ -243,7 +243,7 @@ user_interrupted(void) * Returns true if verified, false if not or -1 on error. */ int -verify_user(struct passwd *pw, char *prompt, int validated, +verify_user(struct passwd *pw, char *prompt, unsigned int validated, struct sudo_conv_callback *callback) { unsigned int ntries; diff --git a/plugins/sudoers/auth/sudo_auth.h b/plugins/sudoers/auth/sudo_auth.h index 70979b4b9..c9fc94b02 100644 --- a/plugins/sudoers/auth/sudo_auth.h +++ b/plugins/sudoers/auth/sudo_auth.h 
@@ -27,7 +27,7 @@ #define AUTH_NONINTERACTIVE 4 typedef struct sudo_auth { - int flags; /* various flags, see below */ + unsigned int flags; /* various flags, see below */ int status; /* status from verify routine */ const char *name; /* name of the method as a string */ void *data; /* method-specific data pointer */ @@ -41,10 +41,10 @@ typedef struct sudo_auth { } sudo_auth; /* Values for sudo_auth.flags. */ -#define FLAG_DISABLED 0x02 /* method disabled */ -#define FLAG_STANDALONE 0x04 /* standalone auth method */ -#define FLAG_ONEANDONLY 0x08 /* one and only auth method */ -#define FLAG_NONINTERACTIVE 0x10 /* no user input allowed */ +#define FLAG_DISABLED 0x02U /* method disabled */ +#define FLAG_STANDALONE 0x04U /* standalone auth method */ +#define FLAG_ONEANDONLY 0x08U /* one and only auth method */ +#define FLAG_NONINTERACTIVE 0x10U /* no user input allowed */ /* Shortcuts for using the flags above. */ #define IS_DISABLED(x) ((x)->flags & FLAG_DISABLED) diff --git a/plugins/sudoers/check.c b/plugins/sudoers/check.c index 521fb05e8..be0cd7f75 100644 --- a/plugins/sudoers/check.c +++ b/plugins/sudoers/check.c @@ -49,7 +49,7 @@ struct getpass_closure { struct passwd *auth_pw; }; -static struct passwd *get_authpw(int); +static struct passwd *get_authpw(unsigned int); /* * Called when getpass is suspended so we can drop the lock. @@ -85,7 +85,8 @@ getpass_resume(int signo, void *vclosure) * or -1 on fatal error. */ static int -check_user_interactive(int validated, int mode, struct getpass_closure *closure) +check_user_interactive(unsigned int validated, unsigned int mode, + struct getpass_closure *closure) { struct sudo_conv_callback callback; int ret = -1; @@ -157,7 +158,7 @@ done: * or -1 on error. */ int -check_user(int validated, int mode) +check_user(unsigned int validated, unsigned int mode) { struct getpass_closure closure = { TS_ERROR }; int ret = -1; 
@@ -338,7 +339,7 @@ user_is_exempt(void) * case, this matches sudo_user.pw or runas_pw. */ static struct passwd * -get_authpw(int mode) +get_authpw(unsigned int mode) { struct passwd *pw = NULL; debug_decl(get_authpw, SUDOERS_DEBUG_AUTH); diff --git a/plugins/sudoers/check.h b/plugins/sudoers/check.h index de57fdbb5..f96a141bb 100644 --- a/plugins/sudoers/check.h +++ b/plugins/sudoers/check.h @@ -39,14 +39,14 @@ #define TS_VERSION 2 /* Time stamp entry types */ -#define TS_GLOBAL 0x01 /* not restricted by tty or ppid */ -#define TS_TTY 0x02 /* restricted by tty */ -#define TS_PPID 0x03 /* restricted by ppid */ -#define TS_LOCKEXCL 0x04 /* special lock record */ +#define TS_GLOBAL 0x01U /* not restricted by tty or ppid */ +#define TS_TTY 0x02U /* restricted by tty */ +#define TS_PPID 0x03U /* restricted by ppid */ +#define TS_LOCKEXCL 0x04U /* special lock record */ /* Time stamp flags */ -#define TS_DISABLED 0x01 /* entry disabled */ -#define TS_ANYUID 0x02 /* ignore uid, only valid in the key */ +#define TS_DISABLED 0x01U /* entry disabled */ +#define TS_ANYUID 0x02U /* ignore uid, only valid in the key */ struct timestamp_entry_v1 { unsigned short version; /* version number */ diff --git a/plugins/sudoers/cvtsudoers.c b/plugins/sudoers/cvtsudoers.c index 197978637..7b41c0a68 100644 --- a/plugins/sudoers/cvtsudoers.c +++ b/plugins/sudoers/cvtsudoers.c 
@@ -95,8 +95,8 @@ static bool parse_ldif(struct sudoers_parse_tree *parse_tree, const char *input_ static bool cvtsudoers_parse_filter(char *expression); static struct cvtsudoers_config *cvtsudoers_conf_read(const char *conf_file); static void cvtsudoers_conf_free(struct cvtsudoers_config *conf); -static int cvtsudoers_parse_defaults(char *expression); -static int cvtsudoers_parse_suppression(char *expression); +static unsigned int cvtsudoers_parse_defaults(char *expression); +static unsigned int cvtsudoers_parse_suppression(char *expression); static void filter_userspecs(struct sudoers_parse_tree *parse_tree, struct cvtsudoers_config *conf); static void filter_defaults(struct sudoers_parse_tree *parse_tree, struct cvtsudoers_config *conf); static void alias_remove_unused(struct sudoers_parse_tree *parse_tree); @@ -309,12 +309,12 @@ main(int argc, char *argv[]) } if (conf->defstr != NULL) { conf->defaults = cvtsudoers_parse_defaults(conf->defstr); - if (conf->defaults == -1) + if (conf->defaults == (unsigned int)-1) usage(); } if (conf->supstr != NULL) { conf->suppress = cvtsudoers_parse_suppression(conf->supstr); - if (conf->suppress == -1) + if (conf->suppress == (unsigned int)-1) usage(); } @@ -632,11 +632,11 @@ cvtsudoers_conf_free(struct cvtsudoers_config *conf) debug_return; } -static int +static unsigned int cvtsudoers_parse_defaults(char *expression) { char *last, *cp = expression; - int flags = 0; + unsigned int flags = 0; debug_decl(cvtsudoers_parse_defaults, SUDOERS_DEBUG_UTIL); for ((cp = strtok_r(cp, ",", &last)); cp != NULL; (cp = strtok_r(NULL, ",", &last))) { 
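Review bot: The error sentinel is now the open-coded cast `(unsigned int)-1`, written twice in main() in the -309 hunk and twice more in the return paths of cvtsudoers_parse_defaults() and cvtsudoers_parse_suppression() in the later hunks, with nothing tying the four sites together. Because that value has every bit set, a path that forgets the comparison would treat every CVT_DEFAULTS_* or SUPPRESS_* flag as set instead of seeing an error. I would give the sentinel one name next to the flag definitions in cvtsudoers.h, for example a macro expanding to `UINT_MAX` (which needs `<limits.h>`), and document both parsers with `/* Returns the flag mask, or (unsigned int)-1 on an invalid type. */`. main() starts and ends outside this hunk, so other uses of conf->defaults and conf->suppress cannot be checked from here.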
@@ -654,18 +654,18 @@ cvtsudoers_parse_defaults(char *expression) SET(flags, CVT_DEFAULTS_CMND); } else { sudo_warnx(U_("invalid defaults type: %s"), cp); - debug_return_int(-1); + debug_return_uint((unsigned int)-1); } } - debug_return_int(flags); + debug_return_uint(flags); } -static int +static unsigned int cvtsudoers_parse_suppression(char *expression) { char *last, *cp = expression; - int flags = 0; + unsigned int flags = 0; debug_decl(cvtsudoers_parse_suppression, SUDOERS_DEBUG_UTIL); for ((cp = strtok_r(cp, ",", &last)); cp != NULL; (cp = strtok_r(NULL, ",", &last))) { @@ -677,11 +677,11 @@ cvtsudoers_parse_suppression(char *expression) SET(flags, SUPPRESS_PRIVS); } else { sudo_warnx(U_("invalid suppression type: %s"), cp); - debug_return_int(-1); + debug_return_uint((unsigned int)-1); } } - debug_return_int(flags); + debug_return_uint(flags); } static bool diff --git a/plugins/sudoers/cvtsudoers.h b/plugins/sudoers/cvtsudoers.h index 6d360dd93..40fac5eeb 100644 --- a/plugins/sudoers/cvtsudoers.h +++ b/plugins/sudoers/cvtsudoers.h @@ -30,17 +30,17 @@ enum sudoers_formats { }; /* Flags for cvtsudoers_config.defaults */ -#define CVT_DEFAULTS_GLOBAL 0x01 -#define CVT_DEFAULTS_USER 0x02 -#define CVT_DEFAULTS_RUNAS 0x04 -#define CVT_DEFAULTS_HOST 0x08 -#define CVT_DEFAULTS_CMND 0x10 -#define CVT_DEFAULTS_ALL 0xff +#define CVT_DEFAULTS_GLOBAL 0x01U +#define CVT_DEFAULTS_USER 0x02U +#define CVT_DEFAULTS_RUNAS 0x04U +#define CVT_DEFAULTS_HOST 0x08U +#define CVT_DEFAULTS_CMND 0x10U +#define CVT_DEFAULTS_ALL 0xffU /* Flags for cvtsudoers_config.suppress */ -#define SUPPRESS_DEFAULTS 0x01 -#define SUPPRESS_ALIASES 0x02 -#define SUPPRESS_PRIVS 0x04 +#define SUPPRESS_DEFAULTS 0x01U +#define SUPPRESS_ALIASES 0x02U +#define SUPPRESS_PRIVS 0x04U /* cvtsudoers.conf settings */ struct cvtsudoers_config { 
@@ -48,8 +48,8 @@ struct cvtsudoers_config { unsigned int order_increment; unsigned int order_padding; unsigned int order_max; - int defaults; - int suppress; + unsigned int defaults; + unsigned int suppress; bool store_options; bool expand_aliases; bool prune_matches; diff --git a/plugins/sudoers/logging.c b/plugins/sudoers/logging.c index 568873d37..103dc6c8a 100644 --- a/plugins/sudoers/logging.c +++ b/plugins/sudoers/logging.c @@ -67,7 +67,7 @@ STAILQ_HEAD(parse_error_list, parse_error); static struct parse_error_list parse_error_list = STAILQ_HEAD_INITIALIZER(parse_error_list); -static bool should_mail(int); +static bool should_mail(unsigned int); static bool warned = false; #ifdef SUDOERS_LOG_CLIENT @@ -275,7 +275,7 @@ log_reject(const char *message, bool logit, bool mailit) * Log, audit and mail the denial message, optionally informing the user. */ bool -log_denial(int status, bool inform_user) +log_denial(unsigned int status, bool inform_user) { const char *message; int oldlocale; @@ -342,14 +342,14 @@ log_denial(int status, bool inform_user) * Log and audit that user was not allowed to run the command. */ bool -log_failure(int status, int flags) +log_failure(unsigned int status, int cmnd_status) { bool ret, inform_user = true; debug_decl(log_failure, SUDOERS_DEBUG_LOGGING); /* The user doesn't always get to see the log message (path info). */ if (!ISSET(status, FLAG_NO_USER | FLAG_NO_HOST) && list_pw == NULL && - def_path_info && (flags == NOT_FOUND_DOT || flags == NOT_FOUND)) + def_path_info && (cmnd_status == NOT_FOUND_DOT || cmnd_status == NOT_FOUND)) inform_user = false; ret = log_denial(status, inform_user); 
@@ -365,9 +365,9 @@ log_failure(int status, int flags) * is just "no foo in path" since the user can trivially set * their path to just contain a single dir. */ - if (flags == NOT_FOUND) + if (cmnd_status == NOT_FOUND) sudo_warnx(U_("%s: command not found"), cmnd); - else if (flags == NOT_FOUND_DOT) + else if (cmnd_status == NOT_FOUND_DOT) sudo_warnx(U_("ignoring \"%s\" found in '.'\nUse \"sudo ./%s\" if this is the \"%s\" you wish to run."), cmnd, cmnd, cmnd); } @@ -468,7 +468,7 @@ overflow: * Log and audit that user was not able to authenticate themselves. */ bool -log_auth_failure(int status, unsigned int tries) +log_auth_failure(unsigned int status, unsigned int tries) { char *message = NULL; int oldlocale; @@ -659,7 +659,8 @@ journal_parse_error(char *message) * Perform logging for log_warning()/log_warningx(). */ static bool -vlog_warning(int flags, int errnum, const char * restrict fmt, va_list ap) +vlog_warning(unsigned int flags, int errnum, const char * restrict fmt, + va_list ap) { struct eventlog evlog; struct timespec now; @@ -766,7 +767,7 @@ done: } bool -log_warning(int flags, const char * restrict fmt, ...) +log_warning(unsigned int flags, const char * restrict fmt, ...) { va_list ap; bool ret; @@ -781,7 +782,7 @@ log_warning(int flags, const char * restrict fmt, ...) } bool -log_warningx(int flags, const char * restrict fmt, ...) +log_warningx(unsigned int flags, const char * restrict fmt, ...) { va_list ap; bool ret; @@ -796,7 +797,7 @@ log_warningx(int flags, const char * restrict fmt, ...) } bool -gai_log_warning(int flags, int errnum, const char * restrict fmt, ...) +gai_log_warning(unsigned int flags, int errnum, const char * restrict fmt, ...) { va_list ap; bool ret; 
@@ -874,7 +875,7 @@ bool log_parse_error(const char *file, int line, int column, const char * restrict fmt, va_list args) { - const int flags = SLOG_RAW_MSG|SLOG_NO_STDERR; + const unsigned int flags = SLOG_RAW_MSG|SLOG_NO_STDERR; char *message, *tofree = NULL; const char *errstr; bool ret; @@ -920,7 +921,7 @@ log_parse_error(const char *file, int line, int column, const char * restrict fm * Determine whether we should send mail based on "status" and defaults options. */ static bool -should_mail(int status) +should_mail(unsigned int status) { debug_decl(should_mail, SUDOERS_DEBUG_LOGGING); diff --git a/plugins/sudoers/logging.h b/plugins/sudoers/logging.h index df488c791..7d2cfc5f3 100644 --- a/plugins/sudoers/logging.h +++ b/plugins/sudoers/logging.h 
@@ -77,14 +77,14 @@ int audit_failure(char *const argv[], char const * restrict const fmt, ...) sudo int vaudit_failure(char *const argv[], char const * restrict const fmt, va_list ap) sudo_printflike(2, 0); bool log_allowed(struct eventlog *evlog); bool log_exit_status(int exit_status); -bool log_auth_failure(int status, unsigned int tries); -bool log_denial(int status, bool inform_user); -bool log_failure(int status, int flags); +bool log_auth_failure(unsigned int status, unsigned int tries); +bool log_denial(unsigned int status, bool inform_user); +bool log_failure(unsigned int status, int flags); bool log_server_alert(struct eventlog *evlog, struct timespec *now, const char *message, const char *errstr); bool log_server_reject(struct eventlog *evlog, const char *message); -bool log_warning(int flags, const char * restrict fmt, ...) sudo_printflike(2, 3); -bool log_warningx(int flags, const char * restrict fmt, ...) sudo_printflike(2, 3); -bool gai_log_warning(int flags, int errnum, const char * restrict fmt, ...) sudo_printflike(3, 4); +bool log_warning(unsigned int flags, const char * restrict fmt, ...) sudo_printflike(2, 3); +bool log_warningx(unsigned int flags, const char * restrict fmt, ...) sudo_printflike(2, 3); +bool gai_log_warning(unsigned int flags, int errnum, const char * restrict fmt, ...) sudo_printflike(3, 4); bool sudoers_initlocale(const char *ulocale, const char *slocale); bool sudoers_locale_callback(const char *file, int line, int column, const union sudo_defs_val *sd_un, int op); void sudoers_to_eventlog(struct eventlog *evlog, const char *cmnd, char * const argv[], char *const envp[], const char *uuid_str); diff --git a/plugins/sudoers/lookup.c b/plugins/sudoers/lookup.c index 64ffa5d6d..1d2ac264f 100644 --- a/plugins/sudoers/lookup.c +++ b/plugins/sudoers/lookup.c 
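Review bot: The prototype `bool log_failure(unsigned int status, int flags);` keeps the old parameter name, while the definition in logging.c was renamed to `cmnd_status`. The rename was presumably made because the value is compared with `NOT_FOUND` and `NOT_FOUND_DOT` and is not a flag mask. Now that the neighbouring prototypes take `unsigned int flags`, an `int flags` here reads like a missed conversion. I would write `bool log_failure(unsigned int status, int cmnd_status);` here and use the same name in the fuzz_policy.c stub.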
@@ -53,7 +53,7 @@ runas_matches_pw(struct sudoers_parse_tree *parse_tree, * Look up the user in the sudoers parse tree for pseudo-commands like * list, verify and kill. */ -static int +static unsigned int sudoers_lookup_pseudo(struct sudo_nss_list *snl, struct passwd *pw, int pwflag) { char *saved_runchroot; @@ -64,7 +64,7 @@ sudoers_lookup_pseudo(struct sudo_nss_list *snl, struct passwd *pw, int pwflag) struct userspec *us; struct defaults *def; int cmnd_match, nopass, match = DENY; - int validated = 0; + unsigned int validated = 0; enum def_tuple pwcheck; debug_decl(sudoers_lookup_pseudo, SUDOERS_DEBUG_PARSER); @@ -177,7 +177,7 @@ done: /* Restore original def_runchroot. */ def_runchroot = saved_runchroot; - debug_return_int(validated); + debug_return_uint(validated); } static void @@ -190,7 +190,7 @@ init_cmnd_info(struct cmnd_info *info) static int sudoers_lookup_check(struct sudo_nss *nss, struct passwd *pw, - int *validated, struct cmnd_info *info, time_t now, + unsigned int *validated, struct cmnd_info *info, time_t now, struct sudoers_lookup_callbacks *callbacks, struct cmndspec **matching_cs, struct defaults_list **defs) { @@ -457,16 +457,17 @@ apply_cmndspec(struct cmndspec *cs) * Look up the user in the sudoers parse tree and check to see if they are * allowed to run the specified command on this host as the target user. */ -int +unsigned int sudoers_lookup(struct sudo_nss_list *snl, struct passwd *pw, time_t now, - struct sudoers_lookup_callbacks *callbacks, int *cmnd_status, int pwflag) + struct sudoers_lookup_callbacks *callbacks, int *cmnd_status, + int pwflag) { struct defaults_list *defs = NULL; struct sudoers_parse_tree *parse_tree = NULL; struct cmndspec *cs = NULL; struct sudo_nss *nss; struct cmnd_info info; - int validated = FLAG_NO_USER | FLAG_NO_HOST; + unsigned int validated = FLAG_NO_USER | FLAG_NO_HOST; int m, match = UNSPEC; debug_decl(sudoers_lookup, SUDOERS_DEBUG_PARSER); 
@@ -474,11 +475,11 @@ sudoers_lookup(struct sudo_nss_list *snl, struct passwd *pw, time_t now, * Special case checking the "validate", "list" and "kill" pseudo-commands. */ if (pwflag) - debug_return_int(sudoers_lookup_pseudo(snl, pw, pwflag)); + debug_return_uint(sudoers_lookup_pseudo(snl, pw, pwflag)); /* Need to be runas user while stat'ing things. */ if (!set_perms(PERM_RUNAS)) - debug_return_int(validated); + debug_return_uint(validated); /* Query each sudoers source and check the user. */ TAILQ_FOREACH(nss, snl, entries) { @@ -518,5 +519,5 @@ sudoers_lookup(struct sudo_nss_list *snl, struct passwd *pw, time_t now, } if (!restore_perms()) SET(validated, VALIDATE_ERROR); - debug_return_int(validated); + debug_return_uint(validated); } diff --git a/plugins/sudoers/parse.h b/plugins/sudoers/parse.h index 71d9a8a87..70d94f47b 100644 --- a/plugins/sudoers/parse.h +++ b/plugins/sudoers/parse.h @@ -481,7 +481,7 @@ const char *digest_type_to_name(unsigned int digest_type); /* parse.c */ struct sudo_nss_list; -int sudoers_lookup(struct sudo_nss_list *snl, struct passwd *pw, time_t now, struct sudoers_lookup_callbacks *callbacks, int *cmnd_status, int pwflag); +unsigned int sudoers_lookup(struct sudo_nss_list *snl, struct passwd *pw, time_t now, struct sudoers_lookup_callbacks *callbacks, int *cmnd_status, int pwflag); /* display.c */ int display_privs(struct sudo_nss_list *snl, struct passwd *pw, bool verbose); diff --git a/plugins/sudoers/policy.c b/plugins/sudoers/policy.c index b2e210afc..9f011d9c7 100644 --- a/plugins/sudoers/policy.c +++ b/plugins/sudoers/policy.c @@ -65,7 +65,7 @@ int sudoedit_nfiles; extern sudo_dso_public struct policy_plugin sudoers_policy; static int -parse_bool(const char *line, int varlen, int *flags, int fval) +parse_bool(const char *line, int varlen, unsigned int *flags, unsigned int fval) { debug_decl(parse_bool, SUDOERS_DEBUG_PLUGIN); 
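Review bot: The two permission failures in sudoers_lookup() report differently. When `set_perms(PERM_RUNAS)` fails, `debug_return_uint(validated)` returns the initial `FLAG_NO_USER | FLAG_NO_HOST` from the previous hunk without `VALIDATE_ERROR`, whereas the `restore_perms()` failure at the end does `SET(validated, VALIDATE_ERROR)`. The early return still denies, but it appears the caller would record an internal failure as "user not listed", which makes the audit trail misleading; how callers treat the two results is not visible in this diff. If that is not intended, the early path could read `if (!set_perms(PERM_RUNAS)) { SET(validated, VALIDATE_ERROR); debug_return_uint(validated); }`. The function body between the two hunks is outside the view.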
@@ -93,12 +93,12 @@ parse_bool(const char *line, int varlen, int *flags, int fval) * Deserialize args, settings and user_info arrays. * Fills in struct sudo_user and other common sudoers state. */ -int +unsigned int sudoers_policy_deserialize_info(void *v, struct defaults_list *defaults) { const char *p, *errstr, *groups = NULL; struct sudoers_open_info *info = v; - int flags = MODE_UPDATE_TICKET; + unsigned int flags = MODE_UPDATE_TICKET; const char *remhost = NULL; unsigned char uuid[16]; char * const *cur; @@ -612,12 +612,12 @@ sudoers_policy_deserialize_info(void *v, struct defaults_list *defaults) #undef MATCHES #undef INVALID #undef CHECK - debug_return_int(flags); + debug_return_uint(flags); oom: sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory")); bad: - debug_return_int(MODE_ERROR); + debug_return_uint(MODE_ERROR); } /* Return the policy's struct sudoers_parser_config. */ @@ -1181,7 +1181,7 @@ sudoers_policy_check(int argc, char * const argv[], char *env_add[], char **command_infop[], char **argv_out[], char **user_env_out[], const char **errstr) { - int valid_flags = RUN_VALID_FLAGS; + unsigned int valid_flags = RUN_VALID_FLAGS; struct sudoers_exec_args exec_args; int ret; debug_decl(sudoers_policy_check, SUDOERS_DEBUG_PLUGIN); diff --git a/plugins/sudoers/regress/fuzz/fuzz_policy.c b/plugins/sudoers/regress/fuzz/fuzz_policy.c index 2eae8cab1..bbd737103 100644 --- a/plugins/sudoers/regress/fuzz/fuzz_policy.c +++ b/plugins/sudoers/regress/fuzz/fuzz_policy.c @@ -707,7 +707,7 @@ sudo_read_nss(void) /* STUB */ int -check_user(int validated, int mode) +check_user(unsigned int validated, unsigned int mode) { return true; } 
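Review bot: The comment above sudoers_policy_deserialize_info() does not say what the function returns. With the return type now `unsigned int`, the failure value `MODE_ERROR` is an ordinary bit in the mode word rather than a negative number. A caller that tests the result with `< 0` or `== -1` would never see the failure, and the call sites are not part of this diff, so they are worth checking. I would add `* Returns the MODE_* flags on success or MODE_ERROR on failure.` to the header comment; most of the function body lies outside these hunks.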
@@ -742,35 +742,35 @@ group_plugin_unload(void) /* STUB */ bool -log_warning(int flags, const char * restrict fmt, ...) +log_warning(unsigned int flags, const char * restrict fmt, ...) { return true; } /* STUB */ bool -log_warningx(int flags, const char * restrict fmt, ...) +log_warningx(unsigned int flags, const char * restrict fmt, ...) { return true; } /* STUB */ bool -gai_log_warning(int flags, int errnum, const char * restrict fmt, ...) +gai_log_warning(unsigned int flags, int errnum, const char * restrict fmt, ...) { return true; } /* STUB */ bool -log_denial(int status, bool inform_user) +log_denial(unsigned int status, bool inform_user) { return true; } /* STUB */ bool -log_failure(int status, int flags) +log_failure(unsigned int status, int flags) { return true; } @@ -805,7 +805,7 @@ audit_failure(char *const argv[], char const * restrict const fmt, ...) } /* STUB */ -int +unsigned int sudoers_lookup(struct sudo_nss_list *snl, struct passwd *pw, time_t now, struct sudoers_lookup_callbacks *callbacks, int *cmnd_status, int pwflag) { diff --git a/plugins/sudoers/regress/fuzz/fuzz_sudoers.c b/plugins/sudoers/regress/fuzz/fuzz_sudoers.c index f890b7811..e5db90b8a 100644 --- a/plugins/sudoers/regress/fuzz/fuzz_sudoers.c +++ b/plugins/sudoers/regress/fuzz/fuzz_sudoers.c @@ -53,7 +53,7 @@ struct sudo_user sudo_user; struct passwd *list_pw; sudo_conv_t sudo_conv = fuzz_conversation; sudo_printf_t sudo_printf = fuzz_printf; -int sudo_mode; +unsigned int sudo_mode; FILE * open_sudoers(const char *file, char **outfile, bool doedit, bool *keepopen) @@ -125,7 +125,7 @@ mail_parse_errors(void) /* STUB */ bool -log_warningx(int flags, const char * restrict fmt, ...) +log_warningx(unsigned int flags, const char * restrict fmt, ...) { return true; } diff --git a/plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c b/plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c index 9d9b6410a..419f5737f 100644 
--- a/plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c +++ b/plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c @@ -408,7 +408,7 @@ restore_perms(void) } bool -log_warning(int flags, const char * restrict fmt, ...) +log_warning(unsigned int flags, const char * restrict fmt, ...) { va_list ap; @@ -420,7 +420,7 @@ log_warning(int flags, const char * restrict fmt, ...) } bool -log_warningx(int flags, const char * restrict fmt, ...) +log_warningx(unsigned int flags, const char * restrict fmt, ...) { va_list ap; diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c index f7f0dbfe1..4483959c0 100644 --- a/plugins/sudoers/sudoers.c +++ b/plugins/sudoers/sudoers.c @@ -82,14 +82,14 @@ static void set_callbacks(void); */ struct sudo_user sudo_user; struct passwd *list_pw; -int sudo_mode; +unsigned int sudo_mode; static char *prev_user; static struct sudo_nss_list *snl; static bool unknown_runas_uid; static bool unknown_runas_gid; static bool override_umask; -static int cmnd_status = -1; +static int cmnd_status = NOT_FOUND_ERROR; static struct defaults_list initial_defaults = TAILQ_HEAD_INITIALIZER(initial_defaults); #ifdef __linux__ @@ -336,7 +336,8 @@ done: static int sudoers_check_common(int pwflag) { - int oldlocale, validated, ret = -1; + int oldlocale, ret = -1; + unsigned int validated; time_t now; debug_decl(sudoers_check_common, SUDOERS_DEBUG_PLUGIN); @@ -1319,7 +1320,7 @@ open_sudoers(const char *path, char **outfile, bool doedit, bool *keepopen) static bool set_loginclass(struct passwd *pw) { - const int errflags = SLOG_RAW_MSG; + const unsigned int errflags = SLOG_RAW_MSG; login_cap_t *lc; bool ret = true; debug_decl(set_loginclass, SUDOERS_DEBUG_PLUGIN); diff --git a/plugins/sudoers/sudoers.h b/plugins/sudoers/sudoers.h index ae60ef2a8..91809d408 100644 --- a/plugins/sudoers/sudoers.h +++ b/plugins/sudoers/sudoers.h 
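Review bot: Replacing the initializer `-1` with `NOT_FOUND_ERROR` in `static int cmnd_status` is only a no-op if that macro is defined as -1. Its definition sits in the "find_path()/set_cmnd() return values" block of sudoers.h, which this diff shows only as a context heading. If the values differ, the initial state of cmnd_status changes, and any existing comparison against `-1` or `< 0` stops matching. That is a behavioural detail inside a signedness cleanup, so it deserves a line in the commit message. If the intent is "no command lookup has succeeded yet", a comment such as `/* NOT_FOUND_ERROR until set_cmnd() stores a result */` on the declaration would make it explicit.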
@@ -129,7 +129,7 @@ struct sudo_user { int closefrom; int lines; int cols; - int flags; + unsigned int flags; int max_groups; int timeout; mode_t umask; @@ -150,25 +150,25 @@ struct sudo_user { /* * sudo_user flag values */ -#define RUNAS_USER_SPECIFIED 0x01 -#define RUNAS_GROUP_SPECIFIED 0x02 -#define CAN_INTERCEPT_SETID 0x04 -#define HAVE_INTERCEPT_PTRACE 0x08 -#define USER_INTERCEPT_SETID 0x10 +#define RUNAS_USER_SPECIFIED 0x01U +#define RUNAS_GROUP_SPECIFIED 0x02U +#define CAN_INTERCEPT_SETID 0x04U +#define HAVE_INTERCEPT_PTRACE 0x08U +#define USER_INTERCEPT_SETID 0x10U /* * Return values for sudoers_lookup(), also used as arguments for log_auth() * Note: cannot use '0' as a value here. */ -#define VALIDATE_ERROR 0x001 -#define VALIDATE_SUCCESS 0x002 -#define VALIDATE_FAILURE 0x004 -#define FLAG_CHECK_USER 0x010 -#define FLAG_NO_USER 0x020 -#define FLAG_NO_HOST 0x040 -#define FLAG_NO_CHECK 0x080 -#define FLAG_NO_USER_INPUT 0x100 -#define FLAG_BAD_PASSWORD 0x200 +#define VALIDATE_ERROR 0x001U +#define VALIDATE_SUCCESS 0x002U +#define VALIDATE_FAILURE 0x004U +#define FLAG_CHECK_USER 0x010U +#define FLAG_NO_USER 0x020U +#define FLAG_NO_HOST 0x040U +#define FLAG_NO_CHECK 0x080U +#define FLAG_NO_USER_INPUT 0x100U +#define FLAG_BAD_PASSWORD 0x200U /* * find_path()/set_cmnd() return values 
@@ -182,30 +182,30 @@ struct sudo_user { /* * Various modes sudo can be in (based on arguments) in hex */ -#define MODE_RUN 0x00000001 -#define MODE_EDIT 0x00000002 -#define MODE_VALIDATE 0x00000004 -#define MODE_INVALIDATE 0x00000008 -#define MODE_KILL 0x00000010 -#define MODE_VERSION 0x00000020 -#define MODE_HELP 0x00000040 -#define MODE_LIST 0x00000080 -#define MODE_CHECK 0x00000100 -#define MODE_ERROR 0x00000200 -#define MODE_MASK 0x0000ffff +#define MODE_RUN 0x00000001U +#define MODE_EDIT 0x00000002U +#define MODE_VALIDATE 0x00000004U +#define MODE_INVALIDATE 0x00000008U +#define MODE_KILL 0x00000010U +#define MODE_VERSION 0x00000020U +#define MODE_HELP 0x00000040U +#define MODE_LIST 0x00000080U +#define MODE_CHECK 0x00000100U +#define MODE_ERROR 0x00000200U +#define MODE_MASK 0x0000ffffU /* Mode flags */ -#define MODE_ASKPASS 0x00010000 -#define MODE_SHELL 0x00020000 -#define MODE_LOGIN_SHELL 0x00040000 -#define MODE_IMPLIED_SHELL 0x00080000 -#define MODE_RESET_HOME 0x00100000 -#define MODE_PRESERVE_GROUPS 0x00200000 -#define MODE_PRESERVE_ENV 0x00400000 -#define MODE_NONINTERACTIVE 0x00800000 -#define MODE_IGNORE_TICKET 0x01000000 -#define MODE_UPDATE_TICKET 0x02000000 -#define MODE_POLICY_INTERCEPTED 0x04000000 +#define MODE_ASKPASS 0x00010000U +#define MODE_SHELL 0x00020000U +#define MODE_LOGIN_SHELL 0x00040000U +#define MODE_IMPLIED_SHELL 0x00080000U +#define MODE_RESET_HOME 0x00100000U +#define MODE_PRESERVE_GROUPS 0x00200000U +#define MODE_PRESERVE_ENV 0x00400000U +#define MODE_NONINTERACTIVE 0x00800000U +#define MODE_IGNORE_TICKET 0x01000000U +#define MODE_UPDATE_TICKET 0x02000000U +#define MODE_POLICY_INTERCEPTED 0x04000000U /* Mode bits allowed for intercepted commands. */ #define MODE_INTERCEPT_MASK (MODE_RUN|MODE_NONINTERACTIVE|MODE_IGNORE_TICKET|MODE_POLICY_INTERCEPTED) 
@@ -295,7 +295,7 @@ int find_path(const char *infile, char **outfile, struct stat *sbp, const char *path, int ignore_dot, char * const *allowlist); /* check.c */ -int check_user(int validate, int mode); +int check_user(unsigned int validated, unsigned int mode); bool user_is_exempt(void); /* check_util.c */ @@ -311,11 +311,11 @@ int timestamp_remove(bool unlinkit); /* sudo_auth.c */ bool sudo_auth_needs_end_session(void); -int verify_user(struct passwd *pw, char *prompt, int validated, struct sudo_conv_callback *callback); +int verify_user(struct passwd *pw, char *prompt, unsigned int validated, struct sudo_conv_callback *callback); int sudo_auth_begin_session(struct passwd *pw, char **user_env[]); int sudo_auth_end_session(struct passwd *pw); -int sudo_auth_init(struct passwd *pw, int mode); -int sudo_auth_approval(struct passwd *pw, int validated, bool exempt); +int sudo_auth_init(struct passwd *pw, unsigned int mode); +int sudo_auth_approval(struct passwd *pw, unsigned int validated, bool exempt); int sudo_auth_cleanup(struct passwd *pw, bool force); /* set_perms.c */ @@ -418,7 +418,7 @@ bool sudoers_override_umask(void); void sudo_user_free(void); extern struct sudo_user sudo_user; extern struct passwd *list_pw; -extern int sudo_mode; +extern unsigned int sudo_mode; extern int sudoedit_nfiles; extern sudo_conv_t sudo_conv; extern sudo_printf_t sudo_printf; @@ -430,7 +430,7 @@ bool sudoers_debug_register(const char *plugin_path, struct sudo_conf_debug_file void sudoers_debug_deregister(void); /* policy.c */ -int sudoers_policy_deserialize_info(void *v, struct defaults_list *defaults); +unsigned int sudoers_policy_deserialize_info(void *v, struct defaults_list *defaults); bool sudoers_policy_store_result(bool accepted, char *argv[], char *envp[], mode_t cmnd_umask, char *iolog_path, void *v); const struct sudoers_parser_config *policy_sudoers_conf(void); const char *policy_path_ldap_conf(void); 
diff --git a/plugins/sudoers/testsudoers.c b/plugins/sudoers/testsudoers.c index 66424528e..fdc88c148 100644 --- a/plugins/sudoers/testsudoers.c +++ b/plugins/sudoers/testsudoers.c @@ -86,7 +86,7 @@ struct sudo_user sudo_user; struct passwd *list_pw; static const char *orig_cmnd; static char *runas_group, *runas_user; -int sudo_mode = MODE_RUN; +unsigned int sudo_mode = MODE_RUN; #if defined(SUDO_DEVEL) && defined(__OpenBSD__) extern char *malloc_options; @@ -106,7 +106,8 @@ main(int argc, char *argv[]) char *p, *grfile, *pwfile; const char *errstr; int ch, dflag, exitcode = EXIT_FAILURE; - int validated, status = FOUND; + unsigned int validated; + int status = FOUND; char cwdbuf[PATH_MAX]; time_t now; id_t id;