sudoers plugin: make more bit flags unsigned.
@@ -7,7 +7,7 @@ Purpose: to provide a simple API for authentication methods that
|
||||
The sudo_auth struct looks like this:
|
||||
|
||||
typedef struct sudo_auth {
|
||||
int flags; /* various flags, see below */
|
||||
unsigned int flags; /* various flags, see below */
|
||||
int status; /* status from verify routine */
|
||||
char *name; /* name of the method in string form */
|
||||
void *data; /* method-specific data pointer */
|
||||
|
@@ -99,7 +99,7 @@ static bool standalone;
|
||||
* Returns 0 on success and -1 on error.
|
||||
*/
|
||||
int
|
||||
sudo_auth_init(struct passwd *pw, int mode)
|
||||
sudo_auth_init(struct passwd *pw, unsigned int mode)
|
||||
{
|
||||
sudo_auth *auth;
|
||||
int status = AUTH_SUCCESS;
|
||||
@@ -172,7 +172,7 @@ sudo_auth_init(struct passwd *pw, int mode)
|
||||
* Returns true on success, false on failure and -1 on error.
|
||||
*/
|
||||
int
|
||||
sudo_auth_approval(struct passwd *pw, int validated, bool exempt)
|
||||
sudo_auth_approval(struct passwd *pw, unsigned int validated, bool exempt)
|
||||
{
|
||||
sudo_auth *auth;
|
||||
debug_decl(sudo_auth_approval, SUDOERS_DEBUG_AUTH);
|
||||
@@ -243,7 +243,7 @@ user_interrupted(void)
|
||||
* Returns true if verified, false if not or -1 on error.
|
||||
*/
|
||||
int
|
||||
verify_user(struct passwd *pw, char *prompt, int validated,
|
||||
verify_user(struct passwd *pw, char *prompt, unsigned int validated,
|
||||
struct sudo_conv_callback *callback)
|
||||
{
|
||||
unsigned int ntries;
|
||||
|
@@ -27,7 +27,7 @@
|
||||
#define AUTH_NONINTERACTIVE 4
|
||||
|
||||
typedef struct sudo_auth {
|
||||
int flags; /* various flags, see below */
|
||||
unsigned int flags; /* various flags, see below */
|
||||
int status; /* status from verify routine */
|
||||
const char *name; /* name of the method as a string */
|
||||
void *data; /* method-specific data pointer */
|
||||
@@ -41,10 +41,10 @@ typedef struct sudo_auth {
|
||||
} sudo_auth;
|
||||
|
||||
/* Values for sudo_auth.flags. */
|
||||
#define FLAG_DISABLED 0x02 /* method disabled */
|
||||
#define FLAG_STANDALONE 0x04 /* standalone auth method */
|
||||
#define FLAG_ONEANDONLY 0x08 /* one and only auth method */
|
||||
#define FLAG_NONINTERACTIVE 0x10 /* no user input allowed */
|
||||
#define FLAG_DISABLED 0x02U /* method disabled */
|
||||
#define FLAG_STANDALONE 0x04U /* standalone auth method */
|
||||
#define FLAG_ONEANDONLY 0x08U /* one and only auth method */
|
||||
#define FLAG_NONINTERACTIVE 0x10U /* no user input allowed */
|
||||
|
||||
/* Shortcuts for using the flags above. */
|
||||
#define IS_DISABLED(x) ((x)->flags & FLAG_DISABLED)
|
||||
|
@@ -49,7 +49,7 @@ struct getpass_closure {
|
||||
struct passwd *auth_pw;
|
||||
};
|
||||
|
||||
static struct passwd *get_authpw(int);
|
||||
static struct passwd *get_authpw(unsigned int);
|
||||
|
||||
/*
|
||||
* Called when getpass is suspended so we can drop the lock.
|
||||
@@ -85,7 +85,8 @@ getpass_resume(int signo, void *vclosure)
|
||||
* or -1 on fatal error.
|
||||
*/
|
||||
static int
|
||||
check_user_interactive(int validated, int mode, struct getpass_closure *closure)
|
||||
check_user_interactive(unsigned int validated, unsigned int mode,
|
||||
struct getpass_closure *closure)
|
||||
{
|
||||
struct sudo_conv_callback callback;
|
||||
int ret = -1;
|
||||
@@ -157,7 +158,7 @@ done:
|
||||
* or -1 on error.
|
||||
*/
|
||||
int
|
||||
check_user(int validated, int mode)
|
||||
check_user(unsigned int validated, unsigned int mode)
|
||||
{
|
||||
struct getpass_closure closure = { TS_ERROR };
|
||||
int ret = -1;
|
||||
@@ -338,7 +339,7 @@ user_is_exempt(void)
|
||||
* case, this matches sudo_user.pw or runas_pw.
|
||||
*/
|
||||
static struct passwd *
|
||||
get_authpw(int mode)
|
||||
get_authpw(unsigned int mode)
|
||||
{
|
||||
struct passwd *pw = NULL;
|
||||
debug_decl(get_authpw, SUDOERS_DEBUG_AUTH);
|
||||
|
@@ -39,14 +39,14 @@
|
||||
#define TS_VERSION 2
|
||||
|
||||
/* Time stamp entry types */
|
||||
#define TS_GLOBAL 0x01 /* not restricted by tty or ppid */
|
||||
#define TS_TTY 0x02 /* restricted by tty */
|
||||
#define TS_PPID 0x03 /* restricted by ppid */
|
||||
#define TS_LOCKEXCL 0x04 /* special lock record */
|
||||
#define TS_GLOBAL 0x01U /* not restricted by tty or ppid */
|
||||
#define TS_TTY 0x02U /* restricted by tty */
|
||||
#define TS_PPID 0x03U /* restricted by ppid */
|
||||
#define TS_LOCKEXCL 0x04U /* special lock record */
|
||||
|
||||
/* Time stamp flags */
|
||||
#define TS_DISABLED 0x01 /* entry disabled */
|
||||
#define TS_ANYUID 0x02 /* ignore uid, only valid in the key */
|
||||
#define TS_DISABLED 0x01U /* entry disabled */
|
||||
#define TS_ANYUID 0x02U /* ignore uid, only valid in the key */
|
||||
|
||||
struct timestamp_entry_v1 {
|
||||
unsigned short version; /* version number */
|
||||
|
@@ -95,8 +95,8 @@ static bool parse_ldif(struct sudoers_parse_tree *parse_tree, const char *input_
|
||||
static bool cvtsudoers_parse_filter(char *expression);
|
||||
static struct cvtsudoers_config *cvtsudoers_conf_read(const char *conf_file);
|
||||
static void cvtsudoers_conf_free(struct cvtsudoers_config *conf);
|
||||
static int cvtsudoers_parse_defaults(char *expression);
|
||||
static int cvtsudoers_parse_suppression(char *expression);
|
||||
static unsigned int cvtsudoers_parse_defaults(char *expression);
|
||||
static unsigned int cvtsudoers_parse_suppression(char *expression);
|
||||
static void filter_userspecs(struct sudoers_parse_tree *parse_tree, struct cvtsudoers_config *conf);
|
||||
static void filter_defaults(struct sudoers_parse_tree *parse_tree, struct cvtsudoers_config *conf);
|
||||
static void alias_remove_unused(struct sudoers_parse_tree *parse_tree);
|
||||
@@ -309,12 +309,12 @@ main(int argc, char *argv[])
|
||||
}
|
||||
if (conf->defstr != NULL) {
|
||||
conf->defaults = cvtsudoers_parse_defaults(conf->defstr);
|
||||
if (conf->defaults == -1)
|
||||
if (conf->defaults == (unsigned int)-1)
|
||||
usage();
|
||||
}
|
||||
if (conf->supstr != NULL) {
|
||||
conf->suppress = cvtsudoers_parse_suppression(conf->supstr);
|
||||
if (conf->suppress == -1)
|
||||
if (conf->suppress == (unsigned int)-1)
|
||||
usage();
|
||||
}
|
||||
|
||||
@@ -632,11 +632,11 @@ cvtsudoers_conf_free(struct cvtsudoers_config *conf)
|
||||
debug_return;
|
||||
}
|
||||
|
||||
static int
|
||||
static unsigned int
|
||||
cvtsudoers_parse_defaults(char *expression)
|
||||
{
|
||||
char *last, *cp = expression;
|
||||
int flags = 0;
|
||||
unsigned int flags = 0;
|
||||
debug_decl(cvtsudoers_parse_defaults, SUDOERS_DEBUG_UTIL);
|
||||
|
||||
for ((cp = strtok_r(cp, ",", &last)); cp != NULL; (cp = strtok_r(NULL, ",", &last))) {
|
||||
@@ -654,18 +654,18 @@ cvtsudoers_parse_defaults(char *expression)
|
||||
SET(flags, CVT_DEFAULTS_CMND);
|
||||
} else {
|
||||
sudo_warnx(U_("invalid defaults type: %s"), cp);
|
||||
debug_return_int(-1);
|
||||
debug_return_uint((unsigned int)-1);
|
||||
}
|
||||
}
|
||||
|
||||
debug_return_int(flags);
|
||||
debug_return_uint(flags);
|
||||
}
|
||||
|
||||
static int
|
||||
static unsigned int
|
||||
cvtsudoers_parse_suppression(char *expression)
|
||||
{
|
||||
char *last, *cp = expression;
|
||||
int flags = 0;
|
||||
unsigned int flags = 0;
|
||||
debug_decl(cvtsudoers_parse_suppression, SUDOERS_DEBUG_UTIL);
|
||||
|
||||
for ((cp = strtok_r(cp, ",", &last)); cp != NULL; (cp = strtok_r(NULL, ",", &last))) {
|
||||
@@ -677,11 +677,11 @@ cvtsudoers_parse_suppression(char *expression)
|
||||
SET(flags, SUPPRESS_PRIVS);
|
||||
} else {
|
||||
sudo_warnx(U_("invalid suppression type: %s"), cp);
|
||||
debug_return_int(-1);
|
||||
debug_return_uint((unsigned int)-1);
|
||||
}
|
||||
}
|
||||
|
||||
debug_return_int(flags);
|
||||
debug_return_uint(flags);
|
||||
}
|
||||
|
||||
static bool
|
||||
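Review bot: The error return `(unsigned int)-1` in cvtsudoers_parse_defaults() and cvtsudoers_parse_suppression() is an in-band sentinel with every bit set, so a caller that skips the comparison would read it as all CVT_DEFAULTS_* or SUPPRESS_* bits being set rather than as a failure. The cast is now written out four times: the two checks in main() and the two `debug_return_uint((unsigned int)-1)` error paths. A single named constant in the cvtsudoers header, or a `bool` return with the flags stored through an `unsigned int *` argument, would keep the producer and the checks from drifting apart. Any other callers of these two functions are outside the visible hunks and should be confirmed to test for the sentinel.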
|
@@ -30,17 +30,17 @@ enum sudoers_formats {
|
||||
};
|
||||
|
||||
/* Flags for cvtsudoers_config.defaults */
|
||||
#define CVT_DEFAULTS_GLOBAL 0x01
|
||||
#define CVT_DEFAULTS_USER 0x02
|
||||
#define CVT_DEFAULTS_RUNAS 0x04
|
||||
#define CVT_DEFAULTS_HOST 0x08
|
||||
#define CVT_DEFAULTS_CMND 0x10
|
||||
#define CVT_DEFAULTS_ALL 0xff
|
||||
#define CVT_DEFAULTS_GLOBAL 0x01U
|
||||
#define CVT_DEFAULTS_USER 0x02U
|
||||
#define CVT_DEFAULTS_RUNAS 0x04U
|
||||
#define CVT_DEFAULTS_HOST 0x08U
|
||||
#define CVT_DEFAULTS_CMND 0x10U
|
||||
#define CVT_DEFAULTS_ALL 0xffU
|
||||
|
||||
/* Flags for cvtsudoers_config.suppress */
|
||||
#define SUPPRESS_DEFAULTS 0x01
|
||||
#define SUPPRESS_ALIASES 0x02
|
||||
#define SUPPRESS_PRIVS 0x04
|
||||
#define SUPPRESS_DEFAULTS 0x01U
|
||||
#define SUPPRESS_ALIASES 0x02U
|
||||
#define SUPPRESS_PRIVS 0x04U
|
||||
|
||||
/* cvtsudoers.conf settings */
|
||||
struct cvtsudoers_config {
|
||||
@@ -48,8 +48,8 @@ struct cvtsudoers_config {
|
||||
unsigned int order_increment;
|
||||
unsigned int order_padding;
|
||||
unsigned int order_max;
|
||||
int defaults;
|
||||
int suppress;
|
||||
unsigned int defaults;
|
||||
unsigned int suppress;
|
||||
bool store_options;
|
||||
bool expand_aliases;
|
||||
bool prune_matches;
|
||||
|
@@ -67,7 +67,7 @@ STAILQ_HEAD(parse_error_list, parse_error);
|
||||
static struct parse_error_list parse_error_list =
|
||||
STAILQ_HEAD_INITIALIZER(parse_error_list);
|
||||
|
||||
static bool should_mail(int);
|
||||
static bool should_mail(unsigned int);
|
||||
static bool warned = false;
|
||||
|
||||
#ifdef SUDOERS_LOG_CLIENT
|
||||
@@ -275,7 +275,7 @@ log_reject(const char *message, bool logit, bool mailit)
|
||||
* Log, audit and mail the denial message, optionally informing the user.
|
||||
*/
|
||||
bool
|
||||
log_denial(int status, bool inform_user)
|
||||
log_denial(unsigned int status, bool inform_user)
|
||||
{
|
||||
const char *message;
|
||||
int oldlocale;
|
||||
@@ -342,14 +342,14 @@ log_denial(int status, bool inform_user)
|
||||
* Log and audit that user was not allowed to run the command.
|
||||
*/
|
||||
bool
|
||||
log_failure(int status, int flags)
|
||||
log_failure(unsigned int status, int cmnd_status)
|
||||
{
|
||||
bool ret, inform_user = true;
|
||||
debug_decl(log_failure, SUDOERS_DEBUG_LOGGING);
|
||||
|
||||
/* The user doesn't always get to see the log message (path info). */
|
||||
if (!ISSET(status, FLAG_NO_USER | FLAG_NO_HOST) && list_pw == NULL &&
|
||||
def_path_info && (flags == NOT_FOUND_DOT || flags == NOT_FOUND))
|
||||
def_path_info && (cmnd_status == NOT_FOUND_DOT || cmnd_status == NOT_FOUND))
|
||||
inform_user = false;
|
||||
ret = log_denial(status, inform_user);
|
||||
|
||||
@@ -365,9 +365,9 @@ log_failure(int status, int flags)
|
||||
* is just "no foo in path" since the user can trivially set
|
||||
* their path to just contain a single dir.
|
||||
*/
|
||||
if (flags == NOT_FOUND)
|
||||
if (cmnd_status == NOT_FOUND)
|
||||
sudo_warnx(U_("%s: command not found"), cmnd);
|
||||
else if (flags == NOT_FOUND_DOT)
|
||||
else if (cmnd_status == NOT_FOUND_DOT)
|
||||
sudo_warnx(U_("ignoring \"%s\" found in '.'\nUse \"sudo ./%s\" if this is the \"%s\" you wish to run."), cmnd, cmnd, cmnd);
|
||||
}
|
||||
|
||||
@@ -468,7 +468,7 @@ overflow:
|
||||
* Log and audit that user was not able to authenticate themselves.
|
||||
*/
|
||||
bool
|
||||
log_auth_failure(int status, unsigned int tries)
|
||||
log_auth_failure(unsigned int status, unsigned int tries)
|
||||
{
|
||||
char *message = NULL;
|
||||
int oldlocale;
|
||||
@@ -659,7 +659,8 @@ journal_parse_error(char *message)
|
||||
* Perform logging for log_warning()/log_warningx().
|
||||
*/
|
||||
static bool
|
||||
vlog_warning(int flags, int errnum, const char * restrict fmt, va_list ap)
|
||||
vlog_warning(unsigned int flags, int errnum, const char * restrict fmt,
|
||||
va_list ap)
|
||||
{
|
||||
struct eventlog evlog;
|
||||
struct timespec now;
|
||||
@@ -766,7 +767,7 @@ done:
|
||||
}
|
||||
|
||||
bool
|
||||
log_warning(int flags, const char * restrict fmt, ...)
|
||||
log_warning(unsigned int flags, const char * restrict fmt, ...)
|
||||
{
|
||||
va_list ap;
|
||||
bool ret;
|
||||
@@ -781,7 +782,7 @@ log_warning(int flags, const char * restrict fmt, ...)
|
||||
}
|
||||
|
||||
bool
|
||||
log_warningx(int flags, const char * restrict fmt, ...)
|
||||
log_warningx(unsigned int flags, const char * restrict fmt, ...)
|
||||
{
|
||||
va_list ap;
|
||||
bool ret;
|
||||
@@ -796,7 +797,7 @@ log_warningx(int flags, const char * restrict fmt, ...)
|
||||
}
|
||||
|
||||
bool
|
||||
gai_log_warning(int flags, int errnum, const char * restrict fmt, ...)
|
||||
gai_log_warning(unsigned int flags, int errnum, const char * restrict fmt, ...)
|
||||
{
|
||||
va_list ap;
|
||||
bool ret;
|
||||
@@ -874,7 +875,7 @@ bool
|
||||
log_parse_error(const char *file, int line, int column, const char * restrict fmt,
|
||||
va_list args)
|
||||
{
|
||||
const int flags = SLOG_RAW_MSG|SLOG_NO_STDERR;
|
||||
const unsigned int flags = SLOG_RAW_MSG|SLOG_NO_STDERR;
|
||||
char *message, *tofree = NULL;
|
||||
const char *errstr;
|
||||
bool ret;
|
||||
@@ -920,7 +921,7 @@ log_parse_error(const char *file, int line, int column, const char * restrict fm
|
||||
* Determine whether we should send mail based on "status" and defaults options.
|
||||
*/
|
||||
static bool
|
||||
should_mail(int status)
|
||||
should_mail(unsigned int status)
|
||||
{
|
||||
debug_decl(should_mail, SUDOERS_DEBUG_LOGGING);
|
||||
|
||||
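Review bot: The prototype of log_failure() in the logging header section still names the second parameter `flags` (`bool log_failure(unsigned int status, int flags);`), and the fuzz stub of log_failure() does the same, while this definition renames it to `cmnd_status`. Since the commit separates unsigned flag words from plain status codes, leaving the name `flags` on an `int` that is compared against NOT_FOUND and NOT_FOUND_DOT invites a later "fix" to unsigned. The declaration should read `bool log_failure(unsigned int status, int cmnd_status);` and the stub should match. The bodies of the functions in this section continue outside the hunks.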
|
@@ -77,14 +77,14 @@ int audit_failure(char *const argv[], char const * restrict const fmt, ...) sudo
|
||||
int vaudit_failure(char *const argv[], char const * restrict const fmt, va_list ap) sudo_printflike(2, 0);
|
||||
bool log_allowed(struct eventlog *evlog);
|
||||
bool log_exit_status(int exit_status);
|
||||
bool log_auth_failure(int status, unsigned int tries);
|
||||
bool log_denial(int status, bool inform_user);
|
||||
bool log_failure(int status, int flags);
|
||||
bool log_auth_failure(unsigned int status, unsigned int tries);
|
||||
bool log_denial(unsigned int status, bool inform_user);
|
||||
bool log_failure(unsigned int status, int flags);
|
||||
bool log_server_alert(struct eventlog *evlog, struct timespec *now, const char *message, const char *errstr);
|
||||
bool log_server_reject(struct eventlog *evlog, const char *message);
|
||||
bool log_warning(int flags, const char * restrict fmt, ...) sudo_printflike(2, 3);
|
||||
bool log_warningx(int flags, const char * restrict fmt, ...) sudo_printflike(2, 3);
|
||||
bool gai_log_warning(int flags, int errnum, const char * restrict fmt, ...) sudo_printflike(3, 4);
|
||||
bool log_warning(unsigned int flags, const char * restrict fmt, ...) sudo_printflike(2, 3);
|
||||
bool log_warningx(unsigned int flags, const char * restrict fmt, ...) sudo_printflike(2, 3);
|
||||
bool gai_log_warning(unsigned int flags, int errnum, const char * restrict fmt, ...) sudo_printflike(3, 4);
|
||||
bool sudoers_initlocale(const char *ulocale, const char *slocale);
|
||||
bool sudoers_locale_callback(const char *file, int line, int column, const union sudo_defs_val *sd_un, int op);
|
||||
void sudoers_to_eventlog(struct eventlog *evlog, const char *cmnd, char * const argv[], char *const envp[], const char *uuid_str);
|
||||
|
@@ -53,7 +53,7 @@ runas_matches_pw(struct sudoers_parse_tree *parse_tree,
|
||||
* Look up the user in the sudoers parse tree for pseudo-commands like
|
||||
* list, verify and kill.
|
||||
*/
|
||||
static int
|
||||
static unsigned int
|
||||
sudoers_lookup_pseudo(struct sudo_nss_list *snl, struct passwd *pw, int pwflag)
|
||||
{
|
||||
char *saved_runchroot;
|
||||
@@ -64,7 +64,7 @@ sudoers_lookup_pseudo(struct sudo_nss_list *snl, struct passwd *pw, int pwflag)
|
||||
struct userspec *us;
|
||||
struct defaults *def;
|
||||
int cmnd_match, nopass, match = DENY;
|
||||
int validated = 0;
|
||||
unsigned int validated = 0;
|
||||
enum def_tuple pwcheck;
|
||||
debug_decl(sudoers_lookup_pseudo, SUDOERS_DEBUG_PARSER);
|
||||
|
||||
@@ -177,7 +177,7 @@ done:
|
||||
/* Restore original def_runchroot. */
|
||||
def_runchroot = saved_runchroot;
|
||||
|
||||
debug_return_int(validated);
|
||||
debug_return_uint(validated);
|
||||
}
|
||||
|
||||
static void
|
||||
@@ -190,7 +190,7 @@ init_cmnd_info(struct cmnd_info *info)
|
||||
|
||||
static int
|
||||
sudoers_lookup_check(struct sudo_nss *nss, struct passwd *pw,
|
||||
int *validated, struct cmnd_info *info, time_t now,
|
||||
unsigned int *validated, struct cmnd_info *info, time_t now,
|
||||
struct sudoers_lookup_callbacks *callbacks, struct cmndspec **matching_cs,
|
||||
struct defaults_list **defs)
|
||||
{
|
||||
@@ -457,16 +457,17 @@ apply_cmndspec(struct cmndspec *cs)
|
||||
* Look up the user in the sudoers parse tree and check to see if they are
|
||||
* allowed to run the specified command on this host as the target user.
|
||||
*/
|
||||
int
|
||||
unsigned int
|
||||
sudoers_lookup(struct sudo_nss_list *snl, struct passwd *pw, time_t now,
|
||||
struct sudoers_lookup_callbacks *callbacks, int *cmnd_status, int pwflag)
|
||||
struct sudoers_lookup_callbacks *callbacks, int *cmnd_status,
|
||||
int pwflag)
|
||||
{
|
||||
struct defaults_list *defs = NULL;
|
||||
struct sudoers_parse_tree *parse_tree = NULL;
|
||||
struct cmndspec *cs = NULL;
|
||||
struct sudo_nss *nss;
|
||||
struct cmnd_info info;
|
||||
int validated = FLAG_NO_USER | FLAG_NO_HOST;
|
||||
unsigned int validated = FLAG_NO_USER | FLAG_NO_HOST;
|
||||
int m, match = UNSPEC;
|
||||
debug_decl(sudoers_lookup, SUDOERS_DEBUG_PARSER);
|
||||
|
||||
@@ -474,11 +475,11 @@ sudoers_lookup(struct sudo_nss_list *snl, struct passwd *pw, time_t now,
|
||||
* Special case checking the "validate", "list" and "kill" pseudo-commands.
|
||||
*/
|
||||
if (pwflag)
|
||||
debug_return_int(sudoers_lookup_pseudo(snl, pw, pwflag));
|
||||
debug_return_uint(sudoers_lookup_pseudo(snl, pw, pwflag));
|
||||
|
||||
/* Need to be runas user while stat'ing things. */
|
||||
if (!set_perms(PERM_RUNAS))
|
||||
debug_return_int(validated);
|
||||
debug_return_uint(validated);
|
||||
|
||||
/* Query each sudoers source and check the user. */
|
||||
TAILQ_FOREACH(nss, snl, entries) {
|
||||
@@ -518,5 +519,5 @@ sudoers_lookup(struct sudo_nss_list *snl, struct passwd *pw, time_t now,
|
||||
}
|
||||
if (!restore_perms())
|
||||
SET(validated, VALIDATE_ERROR);
|
||||
debug_return_int(validated);
|
||||
debug_return_uint(validated);
|
||||
}
|
||||
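Review bot: In sudoers_lookup(), the early return after `if (!set_perms(PERM_RUNAS))` hands back `validated` as initialized, `FLAG_NO_USER | FLAG_NO_HOST`, without the VALIDATE_ERROR bit, whereas the `restore_perms()` failure at the end of the function does `SET(validated, VALIDATE_ERROR)`. The early path appears to fail closed, but a failed permission switch would presumably be reported as the user or host not being listed rather than as an internal error; how the caller interprets the value is not visible here. Consider adding `SET(validated, VALIDATE_ERROR);` before that `debug_return_uint(validated);` so both failure paths are distinguishable in logs and audit records. The body between these two hunks is not shown.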
|
@@ -481,7 +481,7 @@ const char *digest_type_to_name(unsigned int digest_type);
|
||||
|
||||
/* parse.c */
|
||||
struct sudo_nss_list;
|
||||
int sudoers_lookup(struct sudo_nss_list *snl, struct passwd *pw, time_t now, struct sudoers_lookup_callbacks *callbacks, int *cmnd_status, int pwflag);
|
||||
unsigned int sudoers_lookup(struct sudo_nss_list *snl, struct passwd *pw, time_t now, struct sudoers_lookup_callbacks *callbacks, int *cmnd_status, int pwflag);
|
||||
|
||||
/* display.c */
|
||||
int display_privs(struct sudo_nss_list *snl, struct passwd *pw, bool verbose);
|
||||
|
@@ -65,7 +65,7 @@ int sudoedit_nfiles;
|
||||
extern sudo_dso_public struct policy_plugin sudoers_policy;
|
||||
|
||||
static int
|
||||
parse_bool(const char *line, int varlen, int *flags, int fval)
|
||||
parse_bool(const char *line, int varlen, unsigned int *flags, unsigned int fval)
|
||||
{
|
||||
debug_decl(parse_bool, SUDOERS_DEBUG_PLUGIN);
|
||||
|
||||
@@ -93,12 +93,12 @@ parse_bool(const char *line, int varlen, int *flags, int fval)
|
||||
* Deserialize args, settings and user_info arrays.
|
||||
* Fills in struct sudo_user and other common sudoers state.
|
||||
*/
|
||||
int
|
||||
unsigned int
|
||||
sudoers_policy_deserialize_info(void *v, struct defaults_list *defaults)
|
||||
{
|
||||
const char *p, *errstr, *groups = NULL;
|
||||
struct sudoers_open_info *info = v;
|
||||
int flags = MODE_UPDATE_TICKET;
|
||||
unsigned int flags = MODE_UPDATE_TICKET;
|
||||
const char *remhost = NULL;
|
||||
unsigned char uuid[16];
|
||||
char * const *cur;
|
||||
@@ -612,12 +612,12 @@ sudoers_policy_deserialize_info(void *v, struct defaults_list *defaults)
|
||||
#undef MATCHES
|
||||
#undef INVALID
|
||||
#undef CHECK
|
||||
debug_return_int(flags);
|
||||
debug_return_uint(flags);
|
||||
|
||||
oom:
|
||||
sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
|
||||
bad:
|
||||
debug_return_int(MODE_ERROR);
|
||||
debug_return_uint(MODE_ERROR);
|
||||
}
|
||||
|
||||
/* Return the policy's struct sudoers_parser_config. */
|
||||
@@ -1181,7 +1181,7 @@ sudoers_policy_check(int argc, char * const argv[], char *env_add[],
|
||||
char **command_infop[], char **argv_out[], char **user_env_out[],
|
||||
const char **errstr)
|
||||
{
|
||||
int valid_flags = RUN_VALID_FLAGS;
|
||||
unsigned int valid_flags = RUN_VALID_FLAGS;
|
||||
struct sudoers_exec_args exec_args;
|
||||
int ret;
|
||||
debug_decl(sudoers_policy_check, SUDOERS_DEBUG_PLUGIN);
|
||||
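Review bot: The header comment of sudoers_policy_deserialize_info() does not state what the function returns, and the switch to `unsigned int` makes that contract worth writing down. From the visible lines, the normal path returns the accumulated mode flags and the `oom:`/`bad:` paths return `MODE_ERROR`. Adding a line such as ` * Returns the MODE_* flags on success or MODE_ERROR on failure.` to the comment would tell callers to test for MODE_ERROR rather than for a negative value. Most of the function body lies outside the hunks.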
|
@@ -707,7 +707,7 @@ sudo_read_nss(void)
|
||||
|
||||
/* STUB */
|
||||
int
|
||||
check_user(int validated, int mode)
|
||||
check_user(unsigned int validated, unsigned int mode)
|
||||
{
|
||||
return true;
|
||||
}
|
||||
@@ -742,35 +742,35 @@ group_plugin_unload(void)
|
||||
|
||||
/* STUB */
|
||||
bool
|
||||
log_warning(int flags, const char * restrict fmt, ...)
|
||||
log_warning(unsigned int flags, const char * restrict fmt, ...)
|
||||
{
|
||||
return true;
|
||||
}
|
||||
|
||||
/* STUB */
|
||||
bool
|
||||
log_warningx(int flags, const char * restrict fmt, ...)
|
||||
log_warningx(unsigned int flags, const char * restrict fmt, ...)
|
||||
{
|
||||
return true;
|
||||
}
|
||||
|
||||
/* STUB */
|
||||
bool
|
||||
gai_log_warning(int flags, int errnum, const char * restrict fmt, ...)
|
||||
gai_log_warning(unsigned int flags, int errnum, const char * restrict fmt, ...)
|
||||
{
|
||||
return true;
|
||||
}
|
||||
|
||||
/* STUB */
|
||||
bool
|
||||
log_denial(int status, bool inform_user)
|
||||
log_denial(unsigned int status, bool inform_user)
|
||||
{
|
||||
return true;
|
||||
}
|
||||
|
||||
/* STUB */
|
||||
bool
|
||||
log_failure(int status, int flags)
|
||||
log_failure(unsigned int status, int flags)
|
||||
{
|
||||
return true;
|
||||
}
|
||||
@@ -805,7 +805,7 @@ audit_failure(char *const argv[], char const * restrict const fmt, ...)
|
||||
}
|
||||
|
||||
/* STUB */
|
||||
int
|
||||
unsigned int
|
||||
sudoers_lookup(struct sudo_nss_list *snl, struct passwd *pw, time_t now,
|
||||
struct sudoers_lookup_callbacks *callbacks, int *cmnd_status, int pwflag)
|
||||
{
|
||||
|
@@ -53,7 +53,7 @@ struct sudo_user sudo_user;
|
||||
struct passwd *list_pw;
|
||||
sudo_conv_t sudo_conv = fuzz_conversation;
|
||||
sudo_printf_t sudo_printf = fuzz_printf;
|
||||
int sudo_mode;
|
||||
unsigned int sudo_mode;
|
||||
|
||||
FILE *
|
||||
open_sudoers(const char *file, char **outfile, bool doedit, bool *keepopen)
|
||||
@@ -125,7 +125,7 @@ mail_parse_errors(void)
|
||||
|
||||
/* STUB */
|
||||
bool
|
||||
log_warningx(int flags, const char * restrict fmt, ...)
|
||||
log_warningx(unsigned int flags, const char * restrict fmt, ...)
|
||||
{
|
||||
return true;
|
||||
}
|
||||
|
@@ -408,7 +408,7 @@ restore_perms(void)
|
||||
}
|
||||
|
||||
bool
|
||||
log_warning(int flags, const char * restrict fmt, ...)
|
||||
log_warning(unsigned int flags, const char * restrict fmt, ...)
|
||||
{
|
||||
va_list ap;
|
||||
|
||||
@@ -420,7 +420,7 @@ log_warning(int flags, const char * restrict fmt, ...)
|
||||
}
|
||||
|
||||
bool
|
||||
log_warningx(int flags, const char * restrict fmt, ...)
|
||||
log_warningx(unsigned int flags, const char * restrict fmt, ...)
|
||||
{
|
||||
va_list ap;
|
||||
|
||||
|
@@ -82,14 +82,14 @@ static void set_callbacks(void);
|
||||
*/
|
||||
struct sudo_user sudo_user;
|
||||
struct passwd *list_pw;
|
||||
int sudo_mode;
|
||||
unsigned int sudo_mode;
|
||||
|
||||
static char *prev_user;
|
||||
static struct sudo_nss_list *snl;
|
||||
static bool unknown_runas_uid;
|
||||
static bool unknown_runas_gid;
|
||||
static bool override_umask;
|
||||
static int cmnd_status = -1;
|
||||
static int cmnd_status = NOT_FOUND_ERROR;
|
||||
static struct defaults_list initial_defaults = TAILQ_HEAD_INITIALIZER(initial_defaults);
|
||||
|
||||
#ifdef __linux__
|
||||
@@ -336,7 +336,8 @@ done:
|
||||
static int
|
||||
sudoers_check_common(int pwflag)
|
||||
{
|
||||
int oldlocale, validated, ret = -1;
|
||||
int oldlocale, ret = -1;
|
||||
unsigned int validated;
|
||||
time_t now;
|
||||
debug_decl(sudoers_check_common, SUDOERS_DEBUG_PLUGIN);
|
||||
|
||||
@@ -1319,7 +1320,7 @@ open_sudoers(const char *path, char **outfile, bool doedit, bool *keepopen)
|
||||
static bool
|
||||
set_loginclass(struct passwd *pw)
|
||||
{
|
||||
const int errflags = SLOG_RAW_MSG;
|
||||
const unsigned int errflags = SLOG_RAW_MSG;
|
||||
login_cap_t *lc;
|
||||
bool ret = true;
|
||||
debug_decl(set_loginclass, SUDOERS_DEBUG_PLUGIN);
|
||||
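Review bot: The initializer of `cmnd_status` changes from `-1` to `NOT_FOUND_ERROR`, which is a change of value rather than of signedness, in a commit described as making bit flags unsigned. The definition of NOT_FOUND_ERROR is outside the visible hunks; if it is not -1, any code that treated -1 as "not yet set" now starts from a different state. Either confirm that no reader of `cmnd_status` distinguishes the two and mention the change in the commit message, or add a short comment at the declaration stating what the initial value means.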
|
@@ -129,7 +129,7 @@ struct sudo_user {
|
||||
int closefrom;
|
||||
int lines;
|
||||
int cols;
|
||||
int flags;
|
||||
unsigned int flags;
|
||||
int max_groups;
|
||||
int timeout;
|
||||
mode_t umask;
|
||||
@@ -150,25 +150,25 @@ struct sudo_user {
|
||||
/*
|
||||
* sudo_user flag values
|
||||
*/
|
||||
#define RUNAS_USER_SPECIFIED 0x01
|
||||
#define RUNAS_GROUP_SPECIFIED 0x02
|
||||
#define CAN_INTERCEPT_SETID 0x04
|
||||
#define HAVE_INTERCEPT_PTRACE 0x08
|
||||
#define USER_INTERCEPT_SETID 0x10
|
||||
#define RUNAS_USER_SPECIFIED 0x01U
|
||||
#define RUNAS_GROUP_SPECIFIED 0x02U
|
||||
#define CAN_INTERCEPT_SETID 0x04U
|
||||
#define HAVE_INTERCEPT_PTRACE 0x08U
|
||||
#define USER_INTERCEPT_SETID 0x10U
|
||||
|
||||
/*
|
||||
* Return values for sudoers_lookup(), also used as arguments for log_auth()
|
||||
* Note: cannot use '0' as a value here.
|
||||
*/
|
||||
#define VALIDATE_ERROR 0x001
|
||||
#define VALIDATE_SUCCESS 0x002
|
||||
#define VALIDATE_FAILURE 0x004
|
||||
#define FLAG_CHECK_USER 0x010
|
||||
#define FLAG_NO_USER 0x020
|
||||
#define FLAG_NO_HOST 0x040
|
||||
#define FLAG_NO_CHECK 0x080
|
||||
#define FLAG_NO_USER_INPUT 0x100
|
||||
#define FLAG_BAD_PASSWORD 0x200
|
||||
#define VALIDATE_ERROR 0x001U
|
||||
#define VALIDATE_SUCCESS 0x002U
|
||||
#define VALIDATE_FAILURE 0x004U
|
||||
#define FLAG_CHECK_USER 0x010U
|
||||
#define FLAG_NO_USER 0x020U
|
||||
#define FLAG_NO_HOST 0x040U
|
||||
#define FLAG_NO_CHECK 0x080U
|
||||
#define FLAG_NO_USER_INPUT 0x100U
|
||||
#define FLAG_BAD_PASSWORD 0x200U
|
||||
|
||||
/*
|
||||
* find_path()/set_cmnd() return values
|
||||
@@ -182,30 +182,30 @@ struct sudo_user {
|
||||
/*
|
||||
* Various modes sudo can be in (based on arguments) in hex
|
||||
*/
|
||||
#define MODE_RUN 0x00000001
|
||||
#define MODE_EDIT 0x00000002
|
||||
#define MODE_VALIDATE 0x00000004
|
||||
#define MODE_INVALIDATE 0x00000008
|
||||
#define MODE_KILL 0x00000010
|
||||
#define MODE_VERSION 0x00000020
|
||||
#define MODE_HELP 0x00000040
|
||||
#define MODE_LIST 0x00000080
|
||||
#define MODE_CHECK 0x00000100
|
||||
#define MODE_ERROR 0x00000200
|
||||
#define MODE_MASK 0x0000ffff
|
||||
#define MODE_RUN 0x00000001U
|
||||
#define MODE_EDIT 0x00000002U
|
||||
#define MODE_VALIDATE 0x00000004U
|
||||
#define MODE_INVALIDATE 0x00000008U
|
||||
#define MODE_KILL 0x00000010U
|
||||
#define MODE_VERSION 0x00000020U
|
||||
#define MODE_HELP 0x00000040U
|
||||
#define MODE_LIST 0x00000080U
|
||||
#define MODE_CHECK 0x00000100U
|
||||
#define MODE_ERROR 0x00000200U
|
||||
#define MODE_MASK 0x0000ffffU
|
||||
|
||||
/* Mode flags */
|
||||
#define MODE_ASKPASS 0x00010000
|
||||
#define MODE_SHELL 0x00020000
|
||||
#define MODE_LOGIN_SHELL 0x00040000
|
||||
#define MODE_IMPLIED_SHELL 0x00080000
|
||||
#define MODE_RESET_HOME 0x00100000
|
||||
#define MODE_PRESERVE_GROUPS 0x00200000
|
||||
#define MODE_PRESERVE_ENV 0x00400000
|
||||
#define MODE_NONINTERACTIVE 0x00800000
|
||||
#define MODE_IGNORE_TICKET 0x01000000
|
||||
#define MODE_UPDATE_TICKET 0x02000000
|
||||
#define MODE_POLICY_INTERCEPTED 0x04000000
|
||||
#define MODE_ASKPASS 0x00010000U
|
||||
#define MODE_SHELL 0x00020000U
|
||||
#define MODE_LOGIN_SHELL 0x00040000U
|
||||
#define MODE_IMPLIED_SHELL 0x00080000U
|
||||
#define MODE_RESET_HOME 0x00100000U
|
||||
#define MODE_PRESERVE_GROUPS 0x00200000U
|
||||
#define MODE_PRESERVE_ENV 0x00400000U
|
||||
#define MODE_NONINTERACTIVE 0x00800000U
|
||||
#define MODE_IGNORE_TICKET 0x01000000U
|
||||
#define MODE_UPDATE_TICKET 0x02000000U
|
||||
#define MODE_POLICY_INTERCEPTED 0x04000000U
|
||||
|
||||
/* Mode bits allowed for intercepted commands. */
|
||||
#define MODE_INTERCEPT_MASK (MODE_RUN|MODE_NONINTERACTIVE|MODE_IGNORE_TICKET|MODE_POLICY_INTERCEPTED)
|
||||
@@ -295,7 +295,7 @@ int find_path(const char *infile, char **outfile, struct stat *sbp,
|
||||
const char *path, int ignore_dot, char * const *allowlist);
|
||||
|
||||
/* check.c */
|
||||
int check_user(int validate, int mode);
|
||||
int check_user(unsigned int validated, unsigned int mode);
|
||||
bool user_is_exempt(void);
|
||||
|
||||
/* check_util.c */
|
||||
@@ -311,11 +311,11 @@ int timestamp_remove(bool unlinkit);
|
||||
|
||||
/* sudo_auth.c */
|
||||
bool sudo_auth_needs_end_session(void);
|
||||
int verify_user(struct passwd *pw, char *prompt, int validated, struct sudo_conv_callback *callback);
|
||||
int verify_user(struct passwd *pw, char *prompt, unsigned int validated, struct sudo_conv_callback *callback);
|
||||
int sudo_auth_begin_session(struct passwd *pw, char **user_env[]);
|
||||
int sudo_auth_end_session(struct passwd *pw);
|
||||
int sudo_auth_init(struct passwd *pw, int mode);
|
||||
int sudo_auth_approval(struct passwd *pw, int validated, bool exempt);
|
||||
int sudo_auth_init(struct passwd *pw, unsigned int mode);
|
||||
int sudo_auth_approval(struct passwd *pw, unsigned int validated, bool exempt);
|
||||
int sudo_auth_cleanup(struct passwd *pw, bool force);
|
||||
|
||||
/* set_perms.c */
|
||||
@@ -418,7 +418,7 @@ bool sudoers_override_umask(void);
|
||||
void sudo_user_free(void);
|
||||
extern struct sudo_user sudo_user;
|
||||
extern struct passwd *list_pw;
|
||||
extern int sudo_mode;
|
||||
extern unsigned int sudo_mode;
|
||||
extern int sudoedit_nfiles;
|
||||
extern sudo_conv_t sudo_conv;
|
||||
extern sudo_printf_t sudo_printf;
|
||||
@@ -430,7 +430,7 @@ bool sudoers_debug_register(const char *plugin_path, struct sudo_conf_debug_file
|
||||
void sudoers_debug_deregister(void);
|
||||
|
||||
/* policy.c */
|
||||
int sudoers_policy_deserialize_info(void *v, struct defaults_list *defaults);
|
||||
unsigned int sudoers_policy_deserialize_info(void *v, struct defaults_list *defaults);
|
||||
bool sudoers_policy_store_result(bool accepted, char *argv[], char *envp[], mode_t cmnd_umask, char *iolog_path, void *v);
|
||||
const struct sudoers_parser_config *policy_sudoers_conf(void);
|
||||
const char *policy_path_ldap_conf(void);
|
||||
|
@@ -86,7 +86,7 @@ struct sudo_user sudo_user;
|
||||
struct passwd *list_pw;
|
||||
static const char *orig_cmnd;
|
||||
static char *runas_group, *runas_user;
|
||||
int sudo_mode = MODE_RUN;
|
||||
unsigned int sudo_mode = MODE_RUN;
|
||||
|
||||
#if defined(SUDO_DEVEL) && defined(__OpenBSD__)
|
||||
extern char *malloc_options;
|
||||
@@ -106,7 +106,8 @@ main(int argc, char *argv[])
|
||||
char *p, *grfile, *pwfile;
|
||||
const char *errstr;
|
||||
int ch, dflag, exitcode = EXIT_FAILURE;
|
||||
int validated, status = FOUND;
|
||||
unsigned int validated;
|
||||
int status = FOUND;
|
||||
char cwdbuf[PATH_MAX];
|
||||
time_t now;
|
||||
id_t id;
|
||||
|