sudoers plugin: make more bit flags unsigned.

plugins/sudoers/auth/API

@@ -7,7 +7,7 @@ Purpose: to provide a simple API for authentication methods that
 The sudo_auth struct looks like this:
 
 typedef struct sudo_auth {
-    int flags;                  /* various flags, see below */
+    unsigned int flags;         /* various flags, see below */
     int status;                 /* status from verify routine */
     char *name;			/* name of the method in string form */
     void *data;                 /* method-specific data pointer */

plugins/sudoers/auth/sudo_auth.c

@@ -99,7 +99,7 @@ static bool standalone;
  * Returns 0 on success and -1 on error.
  */
 int
-sudo_auth_init(struct passwd *pw, int mode)
+sudo_auth_init(struct passwd *pw, unsigned int mode)
 {
     sudo_auth *auth;
     int status = AUTH_SUCCESS;
@@ -172,7 +172,7 @@ sudo_auth_init(struct passwd *pw, int mode)
  * Returns true on success, false on failure and -1 on error.
  */
 int
-sudo_auth_approval(struct passwd *pw, int validated, bool exempt)
+sudo_auth_approval(struct passwd *pw, unsigned int validated, bool exempt)
 {
     sudo_auth *auth;
     debug_decl(sudo_auth_approval, SUDOERS_DEBUG_AUTH);
@@ -243,7 +243,7 @@ user_interrupted(void)
  * Returns true if verified, false if not or -1 on error.
  */
 int
-verify_user(struct passwd *pw, char *prompt, int validated,
+verify_user(struct passwd *pw, char *prompt, unsigned int validated,
     struct sudo_conv_callback *callback)
 {
     unsigned int ntries;

plugins/sudoers/auth/sudo_auth.h

@@ -27,7 +27,7 @@
 #define AUTH_NONINTERACTIVE	4
 
 typedef struct sudo_auth {
-    int flags;			/* various flags, see below */
+    unsigned int flags;		/* various flags, see below */
     int status;			/* status from verify routine */
     const char *name;		/* name of the method as a string */
     void *data;			/* method-specific data pointer */
@@ -41,10 +41,10 @@ typedef struct sudo_auth {
 } sudo_auth;
 
 /* Values for sudo_auth.flags.  */
-#define FLAG_DISABLED		0x02	/* method disabled */
+#define FLAG_DISABLED		0x02U	/* method disabled */
-#define FLAG_STANDALONE		0x04	/* standalone auth method */
+#define FLAG_STANDALONE		0x04U	/* standalone auth method */
-#define FLAG_ONEANDONLY		0x08	/* one and only auth method */
+#define FLAG_ONEANDONLY		0x08U	/* one and only auth method */
-#define FLAG_NONINTERACTIVE	0x10	/* no user input allowed */
+#define FLAG_NONINTERACTIVE	0x10U	/* no user input allowed */
 
 /* Shortcuts for using the flags above. */
 #define IS_DISABLED(x)		((x)->flags & FLAG_DISABLED)

plugins/sudoers/check.c

@@ -49,7 +49,7 @@ struct getpass_closure {
     struct passwd *auth_pw;
 };
 
-static struct passwd *get_authpw(int);
+static struct passwd *get_authpw(unsigned int);
 
 /*
  * Called when getpass is suspended so we can drop the lock.
@@ -85,7 +85,8 @@ getpass_resume(int signo, void *vclosure)
  * or -1 on fatal error.
  */
 static int
-check_user_interactive(int validated, int mode, struct getpass_closure *closure)
+check_user_interactive(unsigned int validated, unsigned int mode,
+    struct getpass_closure *closure)
 {
     struct sudo_conv_callback callback;
     int ret = -1;
@@ -157,7 +158,7 @@ done:
  * or -1 on error.
  */
 int
-check_user(int validated, int mode)
+check_user(unsigned int validated, unsigned int mode)
 {
     struct getpass_closure closure = { TS_ERROR };
     int ret = -1;
@@ -338,7 +339,7 @@ user_is_exempt(void)
  * case, this matches sudo_user.pw or runas_pw.
  */
 static struct passwd *
-get_authpw(int mode)
+get_authpw(unsigned int mode)
 {
     struct passwd *pw = NULL;
     debug_decl(get_authpw, SUDOERS_DEBUG_AUTH);

plugins/sudoers/check.h

@@ -39,14 +39,14 @@
 #define	TS_VERSION		2
 
 /* Time stamp entry types */
-#define TS_GLOBAL		0x01	/* not restricted by tty or ppid */
+#define TS_GLOBAL		0x01U	/* not restricted by tty or ppid */
-#define TS_TTY			0x02	/* restricted by tty */
+#define TS_TTY			0x02U	/* restricted by tty */
-#define TS_PPID			0x03	/* restricted by ppid */
+#define TS_PPID			0x03U	/* restricted by ppid */
-#define TS_LOCKEXCL		0x04	/* special lock record */
+#define TS_LOCKEXCL		0x04U	/* special lock record */
 
 /* Time stamp flags */
-#define TS_DISABLED		0x01	/* entry disabled */
+#define TS_DISABLED		0x01U	/* entry disabled */
-#define TS_ANYUID		0x02	/* ignore uid, only valid in the key */
+#define TS_ANYUID		0x02U	/* ignore uid, only valid in the key */
 
 struct timestamp_entry_v1 {
     unsigned short version;	/* version number */

plugins/sudoers/cvtsudoers.c

@@ -95,8 +95,8 @@ static bool parse_ldif(struct sudoers_parse_tree *parse_tree, const char *input_
 static bool cvtsudoers_parse_filter(char *expression);
 static struct cvtsudoers_config *cvtsudoers_conf_read(const char *conf_file);
 static void cvtsudoers_conf_free(struct cvtsudoers_config *conf);
-static int cvtsudoers_parse_defaults(char *expression);
+static unsigned int cvtsudoers_parse_defaults(char *expression);
-static int cvtsudoers_parse_suppression(char *expression);
+static unsigned int cvtsudoers_parse_suppression(char *expression);
 static void filter_userspecs(struct sudoers_parse_tree *parse_tree, struct cvtsudoers_config *conf);
 static void filter_defaults(struct sudoers_parse_tree *parse_tree, struct cvtsudoers_config *conf);
 static void alias_remove_unused(struct sudoers_parse_tree *parse_tree);
@@ -309,12 +309,12 @@ main(int argc, char *argv[])
     }
     if (conf->defstr != NULL) {
 	conf->defaults = cvtsudoers_parse_defaults(conf->defstr);
-	if (conf->defaults == -1)
+	if (conf->defaults == (unsigned int)-1)
 	    usage();
     }
     if (conf->supstr != NULL) {
 	conf->suppress = cvtsudoers_parse_suppression(conf->supstr);
-	if (conf->suppress == -1)
+	if (conf->suppress == (unsigned int)-1)
 	    usage();
     }
 
@@ -632,11 +632,11 @@ cvtsudoers_conf_free(struct cvtsudoers_config *conf)
     debug_return;
 }
 
-static int
+static unsigned int
 cvtsudoers_parse_defaults(char *expression)
 {
     char *last, *cp = expression;
-    int flags = 0;
+    unsigned int flags = 0;
     debug_decl(cvtsudoers_parse_defaults, SUDOERS_DEBUG_UTIL);
 
     for ((cp = strtok_r(cp, ",", &last)); cp != NULL; (cp = strtok_r(NULL, ",", &last))) {
@@ -654,18 +654,18 @@ cvtsudoers_parse_defaults(char *expression)
 	    SET(flags, CVT_DEFAULTS_CMND);
 	} else {
 	    sudo_warnx(U_("invalid defaults type: %s"), cp);
-	    debug_return_int(-1);
+	    debug_return_uint((unsigned int)-1);
 	}
     }
 
-    debug_return_int(flags);
+    debug_return_uint(flags);
 }
 
-static int
+static unsigned int
 cvtsudoers_parse_suppression(char *expression)
 {
     char *last, *cp = expression;
-    int flags = 0;
+    unsigned int flags = 0;
     debug_decl(cvtsudoers_parse_suppression, SUDOERS_DEBUG_UTIL);
 
     for ((cp = strtok_r(cp, ",", &last)); cp != NULL; (cp = strtok_r(NULL, ",", &last))) {
@@ -677,11 +677,11 @@ cvtsudoers_parse_suppression(char *expression)
 	    SET(flags, SUPPRESS_PRIVS);
 	} else {
 	    sudo_warnx(U_("invalid suppression type: %s"), cp);
-	    debug_return_int(-1);
+	    debug_return_uint((unsigned int)-1);
 	}
     }
 
-    debug_return_int(flags);
+    debug_return_uint(flags);
 }
 
 static bool

plugins/sudoers/cvtsudoers.h

@@ -30,17 +30,17 @@ enum sudoers_formats {
 };
 
 /* Flags for cvtsudoers_config.defaults */
-#define CVT_DEFAULTS_GLOBAL	0x01
+#define CVT_DEFAULTS_GLOBAL	0x01U
-#define CVT_DEFAULTS_USER	0x02
+#define CVT_DEFAULTS_USER	0x02U
-#define CVT_DEFAULTS_RUNAS	0x04
+#define CVT_DEFAULTS_RUNAS	0x04U
-#define CVT_DEFAULTS_HOST	0x08
+#define CVT_DEFAULTS_HOST	0x08U
-#define CVT_DEFAULTS_CMND	0x10
+#define CVT_DEFAULTS_CMND	0x10U
-#define CVT_DEFAULTS_ALL	0xff
+#define CVT_DEFAULTS_ALL	0xffU
 
 /* Flags for cvtsudoers_config.suppress */
-#define SUPPRESS_DEFAULTS	0x01
+#define SUPPRESS_DEFAULTS	0x01U
-#define SUPPRESS_ALIASES	0x02
+#define SUPPRESS_ALIASES	0x02U
-#define SUPPRESS_PRIVS		0x04
+#define SUPPRESS_PRIVS		0x04U
 
 /* cvtsudoers.conf settings */
 struct cvtsudoers_config {
@@ -48,8 +48,8 @@ struct cvtsudoers_config {
     unsigned int order_increment;
     unsigned int order_padding;
     unsigned int order_max;
-    int defaults;
+    unsigned int defaults;
-    int suppress;
+    unsigned int suppress;
     bool store_options;
     bool expand_aliases;
     bool prune_matches;

plugins/sudoers/logging.c

@@ -67,7 +67,7 @@ STAILQ_HEAD(parse_error_list, parse_error);
 static struct parse_error_list parse_error_list =
     STAILQ_HEAD_INITIALIZER(parse_error_list);
 
-static bool should_mail(int);
+static bool should_mail(unsigned int);
 static bool warned = false;
 
 #ifdef SUDOERS_LOG_CLIENT
@@ -275,7 +275,7 @@ log_reject(const char *message, bool logit, bool mailit)
  * Log, audit and mail the denial message, optionally informing the user.
  */
 bool
-log_denial(int status, bool inform_user)
+log_denial(unsigned int status, bool inform_user)
 {
     const char *message;
     int oldlocale;
@@ -342,14 +342,14 @@ log_denial(int status, bool inform_user)
  * Log and audit that user was not allowed to run the command.
  */
 bool
-log_failure(int status, int flags)
+log_failure(unsigned int status, int cmnd_status)
 {
     bool ret, inform_user = true;
     debug_decl(log_failure, SUDOERS_DEBUG_LOGGING);
 
     /* The user doesn't always get to see the log message (path info). */
     if (!ISSET(status, FLAG_NO_USER | FLAG_NO_HOST) && list_pw == NULL &&
-	    def_path_info && (flags == NOT_FOUND_DOT || flags == NOT_FOUND))
+	    def_path_info && (cmnd_status == NOT_FOUND_DOT || cmnd_status == NOT_FOUND))
 	inform_user = false;
     ret = log_denial(status, inform_user);
 
@@ -365,9 +365,9 @@ log_failure(int status, int flags)
 	 * is just "no foo in path" since the user can trivially set
 	 * their path to just contain a single dir.
 	 */
-	if (flags == NOT_FOUND)
+	if (cmnd_status == NOT_FOUND)
 	    sudo_warnx(U_("%s: command not found"), cmnd);
-	else if (flags == NOT_FOUND_DOT)
+	else if (cmnd_status == NOT_FOUND_DOT)
 	    sudo_warnx(U_("ignoring \"%s\" found in '.'\nUse \"sudo ./%s\" if this is the \"%s\" you wish to run."), cmnd, cmnd, cmnd);
     }
 
@@ -468,7 +468,7 @@ overflow:
  * Log and audit that user was not able to authenticate themselves.
  */
 bool
-log_auth_failure(int status, unsigned int tries)
+log_auth_failure(unsigned int status, unsigned int tries)
 {
     char *message = NULL;
     int oldlocale;
@@ -659,7 +659,8 @@ journal_parse_error(char *message)
  * Perform logging for log_warning()/log_warningx().
  */
 static bool
-vlog_warning(int flags, int errnum, const char * restrict fmt, va_list ap)
+vlog_warning(unsigned int flags, int errnum, const char * restrict fmt,
+    va_list ap)
 {
     struct eventlog evlog;
     struct timespec now;
@@ -766,7 +767,7 @@ done:
 }
 
 bool
-log_warning(int flags, const char * restrict fmt, ...)
+log_warning(unsigned int flags, const char * restrict fmt, ...)
 {
     va_list ap;
     bool ret;
@@ -781,7 +782,7 @@ log_warning(int flags, const char * restrict fmt, ...)
 }
 
 bool
-log_warningx(int flags, const char * restrict fmt, ...)
+log_warningx(unsigned int flags, const char * restrict fmt, ...)
 {
     va_list ap;
     bool ret;
@@ -796,7 +797,7 @@ log_warningx(int flags, const char * restrict fmt, ...)
 }
 
 bool
-gai_log_warning(int flags, int errnum, const char * restrict fmt, ...)
+gai_log_warning(unsigned int flags, int errnum, const char * restrict fmt, ...)
 {
     va_list ap;
     bool ret;
@@ -874,7 +875,7 @@ bool
 log_parse_error(const char *file, int line, int column, const char * restrict fmt,
     va_list args)
 {
-    const int flags = SLOG_RAW_MSG|SLOG_NO_STDERR;
+    const unsigned int flags = SLOG_RAW_MSG|SLOG_NO_STDERR;
     char *message, *tofree = NULL;
     const char *errstr;
     bool ret;
@@ -920,7 +921,7 @@ log_parse_error(const char *file, int line, int column, const char * restrict fm
  * Determine whether we should send mail based on "status" and defaults options.
  */
 static bool
-should_mail(int status)
+should_mail(unsigned int status)
 {
     debug_decl(should_mail, SUDOERS_DEBUG_LOGGING);
 

plugins/sudoers/logging.h

@@ -77,14 +77,14 @@ int audit_failure(char *const argv[], char const * restrict const fmt, ...) sudo
 int vaudit_failure(char *const argv[], char const * restrict const fmt, va_list ap) sudo_printflike(2, 0);
 bool log_allowed(struct eventlog *evlog);
 bool log_exit_status(int exit_status);
-bool log_auth_failure(int status, unsigned int tries);
+bool log_auth_failure(unsigned int status, unsigned int tries);
-bool log_denial(int status, bool inform_user);
+bool log_denial(unsigned int status, bool inform_user);
-bool log_failure(int status, int flags);
+bool log_failure(unsigned int status, int flags);
 bool log_server_alert(struct eventlog *evlog, struct timespec *now, const char *message, const char *errstr);
 bool log_server_reject(struct eventlog *evlog, const char *message);
-bool log_warning(int flags, const char * restrict fmt, ...) sudo_printflike(2, 3);
+bool log_warning(unsigned int flags, const char * restrict fmt, ...) sudo_printflike(2, 3);
-bool log_warningx(int flags, const char * restrict fmt, ...) sudo_printflike(2, 3);
+bool log_warningx(unsigned int flags, const char * restrict fmt, ...) sudo_printflike(2, 3);
-bool gai_log_warning(int flags, int errnum, const char * restrict fmt, ...) sudo_printflike(3, 4);
+bool gai_log_warning(unsigned int flags, int errnum, const char * restrict fmt, ...) sudo_printflike(3, 4);
 bool sudoers_initlocale(const char *ulocale, const char *slocale);
 bool sudoers_locale_callback(const char *file, int line, int column, const union sudo_defs_val *sd_un, int op);
 void sudoers_to_eventlog(struct eventlog *evlog, const char *cmnd, char * const argv[], char *const envp[], const char *uuid_str);

plugins/sudoers/lookup.c

@@ -53,7 +53,7 @@ runas_matches_pw(struct sudoers_parse_tree *parse_tree,
  * Look up the user in the sudoers parse tree for pseudo-commands like
  * list, verify and kill.
  */
-static int
+static unsigned int
 sudoers_lookup_pseudo(struct sudo_nss_list *snl, struct passwd *pw, int pwflag)
 {
     char *saved_runchroot;
@@ -64,7 +64,7 @@ sudoers_lookup_pseudo(struct sudo_nss_list *snl, struct passwd *pw, int pwflag)
     struct userspec *us;
     struct defaults *def;
     int cmnd_match, nopass, match = DENY;
-    int validated = 0;
+    unsigned int validated = 0;
     enum def_tuple pwcheck;
     debug_decl(sudoers_lookup_pseudo, SUDOERS_DEBUG_PARSER);
 
@@ -177,7 +177,7 @@ done:
     /* Restore original def_runchroot. */
     def_runchroot = saved_runchroot;
 
-    debug_return_int(validated);
+    debug_return_uint(validated);
 }
 
 static void
@@ -190,7 +190,7 @@ init_cmnd_info(struct cmnd_info *info)
 
 static int
 sudoers_lookup_check(struct sudo_nss *nss, struct passwd *pw,
-    int *validated, struct cmnd_info *info, time_t now,
+    unsigned int *validated, struct cmnd_info *info, time_t now,
     struct sudoers_lookup_callbacks *callbacks, struct cmndspec **matching_cs,
     struct defaults_list **defs)
 {
@@ -457,16 +457,17 @@ apply_cmndspec(struct cmndspec *cs)
  * Look up the user in the sudoers parse tree and check to see if they are
  * allowed to run the specified command on this host as the target user.
  */
-int
+unsigned int
 sudoers_lookup(struct sudo_nss_list *snl, struct passwd *pw, time_t now,
-    struct sudoers_lookup_callbacks *callbacks, int *cmnd_status, int pwflag)
+    struct sudoers_lookup_callbacks *callbacks, int *cmnd_status,
+    int pwflag)
 {
     struct defaults_list *defs = NULL;
     struct sudoers_parse_tree *parse_tree = NULL;
     struct cmndspec *cs = NULL;
     struct sudo_nss *nss;
     struct cmnd_info info;
-    int validated = FLAG_NO_USER | FLAG_NO_HOST;
+    unsigned int validated = FLAG_NO_USER | FLAG_NO_HOST;
     int m, match = UNSPEC;
     debug_decl(sudoers_lookup, SUDOERS_DEBUG_PARSER);
 
@@ -474,11 +475,11 @@ sudoers_lookup(struct sudo_nss_list *snl, struct passwd *pw, time_t now,
      * Special case checking the "validate", "list" and "kill" pseudo-commands.
      */
     if (pwflag)
-	debug_return_int(sudoers_lookup_pseudo(snl, pw, pwflag));
+	debug_return_uint(sudoers_lookup_pseudo(snl, pw, pwflag));
 
     /* Need to be runas user while stat'ing things. */
     if (!set_perms(PERM_RUNAS))
-	debug_return_int(validated);
+	debug_return_uint(validated);
 
     /* Query each sudoers source and check the user. */
     TAILQ_FOREACH(nss, snl, entries) {
@@ -518,5 +519,5 @@ sudoers_lookup(struct sudo_nss_list *snl, struct passwd *pw, time_t now,
     }
     if (!restore_perms())
 	SET(validated, VALIDATE_ERROR);
-    debug_return_int(validated);
+    debug_return_uint(validated);
 }

plugins/sudoers/parse.h

@@ -481,7 +481,7 @@ const char *digest_type_to_name(unsigned int digest_type);
 
 /* parse.c */
 struct sudo_nss_list;
-int sudoers_lookup(struct sudo_nss_list *snl, struct passwd *pw, time_t now, struct sudoers_lookup_callbacks *callbacks, int *cmnd_status, int pwflag);
+unsigned int sudoers_lookup(struct sudo_nss_list *snl, struct passwd *pw, time_t now, struct sudoers_lookup_callbacks *callbacks, int *cmnd_status, int pwflag);
 
 /* display.c */
 int display_privs(struct sudo_nss_list *snl, struct passwd *pw, bool verbose);

plugins/sudoers/policy.c

@@ -65,7 +65,7 @@ int sudoedit_nfiles;
 extern sudo_dso_public struct policy_plugin sudoers_policy;
 
 static int
-parse_bool(const char *line, int varlen, int *flags, int fval)
+parse_bool(const char *line, int varlen, unsigned int *flags, unsigned int fval)
 {
     debug_decl(parse_bool, SUDOERS_DEBUG_PLUGIN);
 
@@ -93,12 +93,12 @@ parse_bool(const char *line, int varlen, int *flags, int fval)
  * Deserialize args, settings and user_info arrays.
  * Fills in struct sudo_user and other common sudoers state.
  */
-int
+unsigned int
 sudoers_policy_deserialize_info(void *v, struct defaults_list *defaults)
 {
     const char *p, *errstr, *groups = NULL;
     struct sudoers_open_info *info = v;
-    int flags = MODE_UPDATE_TICKET;
+    unsigned int flags = MODE_UPDATE_TICKET;
     const char *remhost = NULL;
     unsigned char uuid[16];
     char * const *cur;
@@ -612,12 +612,12 @@ sudoers_policy_deserialize_info(void *v, struct defaults_list *defaults)
 #undef MATCHES
 #undef INVALID
 #undef CHECK
-    debug_return_int(flags);
+    debug_return_uint(flags);
 
 oom:
     sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
 bad:
-    debug_return_int(MODE_ERROR);
+    debug_return_uint(MODE_ERROR);
 }
 
 /* Return the policy's struct sudoers_parser_config. */
@@ -1181,7 +1181,7 @@ sudoers_policy_check(int argc, char * const argv[], char *env_add[],
     char **command_infop[], char **argv_out[], char **user_env_out[],
     const char **errstr)
 {
-    int valid_flags = RUN_VALID_FLAGS;
+    unsigned int valid_flags = RUN_VALID_FLAGS;
     struct sudoers_exec_args exec_args;
     int ret;
     debug_decl(sudoers_policy_check, SUDOERS_DEBUG_PLUGIN);

plugins/sudoers/regress/fuzz/fuzz_policy.c

@@ -707,7 +707,7 @@ sudo_read_nss(void)
 
 /* STUB */
 int
-check_user(int validated, int mode)
+check_user(unsigned int validated, unsigned int mode)
 {
     return true;
 }
@@ -742,35 +742,35 @@ group_plugin_unload(void)
 
 /* STUB */
 bool
-log_warning(int flags, const char * restrict fmt, ...)
+log_warning(unsigned int flags, const char * restrict fmt, ...)
 {
     return true;
 }
 
 /* STUB */
 bool
-log_warningx(int flags, const char * restrict fmt, ...)
+log_warningx(unsigned int flags, const char * restrict fmt, ...)
 {
     return true;
 }
 
 /* STUB */
 bool
-gai_log_warning(int flags, int errnum, const char * restrict fmt, ...)
+gai_log_warning(unsigned int flags, int errnum, const char * restrict fmt, ...)
 {
     return true;
 }
 
 /* STUB */
 bool
-log_denial(int status, bool inform_user)
+log_denial(unsigned int status, bool inform_user)
 {
     return true;
 }
 
 /* STUB */
 bool
-log_failure(int status, int flags)
+log_failure(unsigned int status, int flags)
 {
     return true;
 }
@@ -805,7 +805,7 @@ audit_failure(char *const argv[], char const * restrict const fmt, ...)
 }
 
 /* STUB */
-int
+unsigned int
 sudoers_lookup(struct sudo_nss_list *snl, struct passwd *pw, time_t now,
     struct sudoers_lookup_callbacks *callbacks, int *cmnd_status, int pwflag)
 {

plugins/sudoers/regress/fuzz/fuzz_sudoers.c

@@ -53,7 +53,7 @@ struct sudo_user sudo_user;
 struct passwd *list_pw;
 sudo_conv_t sudo_conv = fuzz_conversation;
 sudo_printf_t sudo_printf = fuzz_printf;
-int sudo_mode;
+unsigned int sudo_mode;
 
 FILE *
 open_sudoers(const char *file, char **outfile, bool doedit, bool *keepopen)
@@ -125,7 +125,7 @@ mail_parse_errors(void)
 
 /* STUB */
 bool
-log_warningx(int flags, const char * restrict fmt, ...)
+log_warningx(unsigned int flags, const char * restrict fmt, ...)
 {
     return true;
 }

plugins/sudoers/regress/iolog_plugin/check_iolog_plugin.c

@@ -408,7 +408,7 @@ restore_perms(void)
 }
 
 bool
-log_warning(int flags, const char * restrict fmt, ...)
+log_warning(unsigned int flags, const char * restrict fmt, ...)
 {
     va_list ap;
 
@@ -420,7 +420,7 @@ log_warning(int flags, const char * restrict fmt, ...)
 }
 
 bool
-log_warningx(int flags, const char * restrict fmt, ...)
+log_warningx(unsigned int flags, const char * restrict fmt, ...)
 {
     va_list ap;
 

plugins/sudoers/sudoers.c

@@ -82,14 +82,14 @@ static void set_callbacks(void);
  */
 struct sudo_user sudo_user;
 struct passwd *list_pw;
-int sudo_mode;
+unsigned int sudo_mode;
 
 static char *prev_user;
 static struct sudo_nss_list *snl;
 static bool unknown_runas_uid;
 static bool unknown_runas_gid;
 static bool override_umask;
-static int cmnd_status = -1;
+static int cmnd_status = NOT_FOUND_ERROR;
 static struct defaults_list initial_defaults = TAILQ_HEAD_INITIALIZER(initial_defaults);
 
 #ifdef __linux__
@@ -336,7 +336,8 @@ done:
 static int
 sudoers_check_common(int pwflag)
 {
-    int oldlocale, validated, ret = -1;
+    int oldlocale, ret = -1;
+    unsigned int validated;
     time_t now;
     debug_decl(sudoers_check_common, SUDOERS_DEBUG_PLUGIN);
 
@@ -1319,7 +1320,7 @@ open_sudoers(const char *path, char **outfile, bool doedit, bool *keepopen)
 static bool
 set_loginclass(struct passwd *pw)
 {
-    const int errflags = SLOG_RAW_MSG;
+    const unsigned int errflags = SLOG_RAW_MSG;
     login_cap_t *lc;
     bool ret = true;
     debug_decl(set_loginclass, SUDOERS_DEBUG_PLUGIN);

plugins/sudoers/sudoers.h

@@ -129,7 +129,7 @@ struct sudo_user {
     int   closefrom;
     int   lines;
     int   cols;
-    int   flags;
+    unsigned int   flags;
     int   max_groups;
     int   timeout;
     mode_t umask;
@@ -150,25 +150,25 @@ struct sudo_user {
 /*
  * sudo_user flag values
  */
-#define RUNAS_USER_SPECIFIED	0x01
+#define RUNAS_USER_SPECIFIED	0x01U
-#define RUNAS_GROUP_SPECIFIED	0x02
+#define RUNAS_GROUP_SPECIFIED	0x02U
-#define CAN_INTERCEPT_SETID	0x04
+#define CAN_INTERCEPT_SETID	0x04U
-#define HAVE_INTERCEPT_PTRACE	0x08
+#define HAVE_INTERCEPT_PTRACE	0x08U
-#define USER_INTERCEPT_SETID	0x10
+#define USER_INTERCEPT_SETID	0x10U
 
 /*
  * Return values for sudoers_lookup(), also used as arguments for log_auth()
  * Note: cannot use '0' as a value here.
  */
-#define VALIDATE_ERROR		0x001
+#define VALIDATE_ERROR		0x001U
-#define VALIDATE_SUCCESS	0x002
+#define VALIDATE_SUCCESS	0x002U
-#define VALIDATE_FAILURE	0x004
+#define VALIDATE_FAILURE	0x004U
-#define FLAG_CHECK_USER		0x010
+#define FLAG_CHECK_USER		0x010U
-#define FLAG_NO_USER		0x020
+#define FLAG_NO_USER		0x020U
-#define FLAG_NO_HOST		0x040
+#define FLAG_NO_HOST		0x040U
-#define FLAG_NO_CHECK		0x080
+#define FLAG_NO_CHECK		0x080U
-#define FLAG_NO_USER_INPUT	0x100
+#define FLAG_NO_USER_INPUT	0x100U
-#define FLAG_BAD_PASSWORD	0x200
+#define FLAG_BAD_PASSWORD	0x200U
 
 /*
  * find_path()/set_cmnd() return values
@@ -182,30 +182,30 @@ struct sudo_user {
 /*
  * Various modes sudo can be in (based on arguments) in hex
  */
-#define MODE_RUN		0x00000001
+#define MODE_RUN		0x00000001U
-#define MODE_EDIT		0x00000002
+#define MODE_EDIT		0x00000002U
-#define MODE_VALIDATE		0x00000004
+#define MODE_VALIDATE		0x00000004U
-#define MODE_INVALIDATE		0x00000008
+#define MODE_INVALIDATE		0x00000008U
-#define MODE_KILL		0x00000010
+#define MODE_KILL		0x00000010U
-#define MODE_VERSION		0x00000020
+#define MODE_VERSION		0x00000020U
-#define MODE_HELP		0x00000040
+#define MODE_HELP		0x00000040U
-#define MODE_LIST		0x00000080
+#define MODE_LIST		0x00000080U
-#define MODE_CHECK		0x00000100
+#define MODE_CHECK		0x00000100U
-#define MODE_ERROR		0x00000200
+#define MODE_ERROR		0x00000200U
-#define MODE_MASK		0x0000ffff
+#define MODE_MASK		0x0000ffffU
 
 /* Mode flags */
-#define MODE_ASKPASS		0x00010000
+#define MODE_ASKPASS		0x00010000U
-#define MODE_SHELL		0x00020000
+#define MODE_SHELL		0x00020000U
-#define MODE_LOGIN_SHELL	0x00040000
+#define MODE_LOGIN_SHELL	0x00040000U
-#define MODE_IMPLIED_SHELL	0x00080000
+#define MODE_IMPLIED_SHELL	0x00080000U
-#define MODE_RESET_HOME		0x00100000
+#define MODE_RESET_HOME		0x00100000U
-#define MODE_PRESERVE_GROUPS	0x00200000
+#define MODE_PRESERVE_GROUPS	0x00200000U
-#define MODE_PRESERVE_ENV	0x00400000
+#define MODE_PRESERVE_ENV	0x00400000U
-#define MODE_NONINTERACTIVE	0x00800000
+#define MODE_NONINTERACTIVE	0x00800000U
-#define MODE_IGNORE_TICKET	0x01000000
+#define MODE_IGNORE_TICKET	0x01000000U
-#define MODE_UPDATE_TICKET	0x02000000
+#define MODE_UPDATE_TICKET	0x02000000U
-#define MODE_POLICY_INTERCEPTED	0x04000000
+#define MODE_POLICY_INTERCEPTED	0x04000000U
 
 /* Mode bits allowed for intercepted commands. */
 #define MODE_INTERCEPT_MASK	(MODE_RUN|MODE_NONINTERACTIVE|MODE_IGNORE_TICKET|MODE_POLICY_INTERCEPTED)
@@ -295,7 +295,7 @@ int find_path(const char *infile, char **outfile, struct stat *sbp,
     const char *path, int ignore_dot, char * const *allowlist);
 
 /* check.c */
-int check_user(int validate, int mode);
+int check_user(unsigned int validated, unsigned int mode);
 bool user_is_exempt(void);
 
 /* check_util.c */
@@ -311,11 +311,11 @@ int timestamp_remove(bool unlinkit);
 
 /* sudo_auth.c */
 bool sudo_auth_needs_end_session(void);
-int verify_user(struct passwd *pw, char *prompt, int validated, struct sudo_conv_callback *callback);
+int verify_user(struct passwd *pw, char *prompt, unsigned int validated, struct sudo_conv_callback *callback);
 int sudo_auth_begin_session(struct passwd *pw, char **user_env[]);
 int sudo_auth_end_session(struct passwd *pw);
-int sudo_auth_init(struct passwd *pw, int mode);
+int sudo_auth_init(struct passwd *pw, unsigned int mode);
-int sudo_auth_approval(struct passwd *pw, int validated, bool exempt);
+int sudo_auth_approval(struct passwd *pw, unsigned int validated, bool exempt);
 int sudo_auth_cleanup(struct passwd *pw, bool force);
 
 /* set_perms.c */
@@ -418,7 +418,7 @@ bool sudoers_override_umask(void);
 void sudo_user_free(void);
 extern struct sudo_user sudo_user;
 extern struct passwd *list_pw;
-extern int sudo_mode;
+extern unsigned int sudo_mode;
 extern int sudoedit_nfiles;
 extern sudo_conv_t sudo_conv;
 extern sudo_printf_t sudo_printf;
@@ -430,7 +430,7 @@ bool sudoers_debug_register(const char *plugin_path, struct sudo_conf_debug_file
 void sudoers_debug_deregister(void);
 
 /* policy.c */
-int sudoers_policy_deserialize_info(void *v, struct defaults_list *defaults);
+unsigned int sudoers_policy_deserialize_info(void *v, struct defaults_list *defaults);
 bool sudoers_policy_store_result(bool accepted, char *argv[], char *envp[], mode_t cmnd_umask, char *iolog_path, void *v);
 const struct sudoers_parser_config *policy_sudoers_conf(void);
 const char *policy_path_ldap_conf(void);

plugins/sudoers/testsudoers.c

@@ -86,7 +86,7 @@ struct sudo_user sudo_user;
 struct passwd *list_pw;
 static const char *orig_cmnd;
 static char *runas_group, *runas_user;
-int sudo_mode = MODE_RUN;
+unsigned int sudo_mode = MODE_RUN;
 
 #if defined(SUDO_DEVEL) && defined(__OpenBSD__)
 extern char *malloc_options;
@@ -106,7 +106,8 @@ main(int argc, char *argv[])
     char *p, *grfile, *pwfile;
     const char *errstr;
     int ch, dflag, exitcode = EXIT_FAILURE;
-    int validated, status = FOUND;
+    unsigned int validated;
+    int status = FOUND;
     char cwdbuf[PATH_MAX];
     time_t now;
     id_t id;