Add limited support for "sudo -l -h other_host". Since group lookups

are done on the local host, rules that use group membership may be
incorrect if the group database is not synchronized between hosts.
Todd C. Miller
2013-08-14 13:49:14 -06:00
parent 79104ce751
commit d0e3867587
8 changed files with 39 additions and 15 deletions


@@ -153,6 +153,8 @@ DDEESSCCRRIIPPTTIIOONN
Run the command on the specified _h_o_s_t if the security policy Run the command on the specified _h_o_s_t if the security policy
plugin supports remote commands. Note that the _s_u_d_o_e_r_s plugin supports remote commands. Note that the _s_u_d_o_e_r_s
plugin does not currently support running remote commands. plugin does not currently support running remote commands.
This may also be used in conjunction with the --ll option to
list a user's privileges for the remote host.
--ii, ----llooggiinn --ii, ----llooggiinn
Run the shell specified by the target user's password Run the shell specified by the target user's password


@@ -348,6 +348,9 @@ if the security policy plugin supports remote commands.
Note that the Note that the
\fIsudoers\fR \fIsudoers\fR
plugin does not currently support running remote commands. plugin does not currently support running remote commands.
This may also be used in conjunction with the
\fB\-l\fR
option to list a user's privileges for the remote host.
.TP 12n .TP 12n
\fB\-i\fR, \fB\--login\fR \fB\-i\fR, \fB\--login\fR
Run the shell specified by the target user's password database entry Run the shell specified by the target user's password database entry


@@ -372,6 +372,9 @@ if the security policy plugin supports remote commands.
Note that the Note that the
.Em sudoers .Em sudoers
plugin does not currently support running remote commands. plugin does not currently support running remote commands.
This may also be used in conjunction with the
.Fl l
option to list a user's privileges for the remote host.
.It Fl i , -login .It Fl i , -login
Run the shell specified by the target user's password database entry Run the shell specified by the target user's password database entry
as a login shell. as a login shell.


@@ -200,19 +200,23 @@ do_logfile(char *msg)
time(&now); time(&now);
if (def_loglinelen < sizeof(LOG_INDENT)) { if (def_loglinelen < sizeof(LOG_INDENT)) {
/* Don't pretty-print long log file lines (hard to grep) */ /* Don't pretty-print long log file lines (hard to grep) */
if (def_log_host) if (def_log_host) {
(void) fprintf(fp, "%s : %s : HOST=%s : %s\n", (void) fprintf(fp, "%s : %s : HOST=%s : %s\n",
get_timestr(now, def_log_year), user_name, user_shost, msg); get_timestr(now, def_log_year), user_name, user_srunhost,
else msg);
} else {
(void) fprintf(fp, "%s : %s : %s\n", (void) fprintf(fp, "%s : %s : %s\n",
get_timestr(now, def_log_year), user_name, msg); get_timestr(now, def_log_year), user_name, msg);
}
} else { } else {
if (def_log_host) if (def_log_host) {
len = easprintf(&full_line, "%s : %s : HOST=%s : %s", len = easprintf(&full_line, "%s : %s : HOST=%s : %s",
get_timestr(now, def_log_year), user_name, user_shost, msg); get_timestr(now, def_log_year), user_name, user_srunhost,
else msg);
} else {
len = easprintf(&full_line, "%s : %s : %s", len = easprintf(&full_line, "%s : %s : %s",
get_timestr(now, def_log_year), user_name, msg); get_timestr(now, def_log_year), user_name, msg);
}
/* /*
* Print out full_line with word wrap around def_loglinelen chars. * Print out full_line with word wrap around def_loglinelen chars.
@@ -290,10 +294,10 @@ log_denial(int status, bool inform_user)
} else if (ISSET(status, FLAG_NO_HOST)) { } else if (ISSET(status, FLAG_NO_HOST)) {
sudo_printf(SUDO_CONV_ERROR_MSG, _("%s is not allowed to run sudo " sudo_printf(SUDO_CONV_ERROR_MSG, _("%s is not allowed to run sudo "
"on %s. This incident will be reported.\n"), "on %s. This incident will be reported.\n"),
user_name, user_shost); user_name, user_srunhost);
} else if (ISSET(status, FLAG_NO_CHECK)) { } else if (ISSET(status, FLAG_NO_CHECK)) {
sudo_printf(SUDO_CONV_ERROR_MSG, _("Sorry, user %s may not run " sudo_printf(SUDO_CONV_ERROR_MSG, _("Sorry, user %s may not run "
"sudo on %s.\n"), user_name, user_shost); "sudo on %s.\n"), user_name, user_srunhost);
} else { } else {
sudo_printf(SUDO_CONV_ERROR_MSG, _("Sorry, user %s is not allowed " sudo_printf(SUDO_CONV_ERROR_MSG, _("Sorry, user %s is not allowed "
"to execute '%s%s%s' as %s%s%s on %s.\n"), "to execute '%s%s%s' as %s%s%s on %s.\n"),
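Review bot: The `HOST=%s` field written by do_logfile and the host named in log_denial's messages now come from user_srunhost, which, per the new remote_host= handling elsewhere in this commit, originates from the caller's -h argument rather than the local hostname, so the value is user-chosen whenever it differs from user_shost. Unless the front end validates that name, a caller can place arbitrary text — including the ` : ` field separator — into the log line, and the record no longer says which host the decision was actually made on. I would keep user_shost in the log line and add the run host as a separate field only when it differs, e.g. `"%s : %s : HOST=%s : RUNHOST=%s : %s\n"`, or at least reject host names containing whitespace or ':' where remote_host= is parsed. The do_logfile body starts before and continues after the hunk on both sides.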


@@ -275,7 +275,7 @@ hostlist_matches(struct member_list *list)
matched = !m->negated; matched = !m->negated;
break; break;
case NETGROUP: case NETGROUP:
if (netgr_matches(m->name, user_host, user_shost, NULL)) if (netgr_matches(m->name, user_runhost, user_srunhost, NULL))
matched = !m->negated; matched = !m->negated;
break; break;
case NTWKADDR: case NTWKADDR:
@@ -292,7 +292,7 @@ hostlist_matches(struct member_list *list)
} }
/* FALLTHROUGH */ /* FALLTHROUGH */
case WORD: case WORD:
if (hostname_matches(user_shost, user_host, m->name)) if (hostname_matches(user_srunhost, user_runhost, m->name))
matched = !m->negated; matched = !m->negated;
break; break;
} }
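Review bot: Only the NETGROUP and WORD cases of hostlist_matches are switched to user_runhost/user_srunhost here; the NTWKADDR case that begins at the `case NTWKADDR:` line falls outside the hunk, so I cannot tell whether it is still evaluated against the local interface addresses. If it is, a rule written with a network address will match the host sudo is running on rather than the host requested with -h, and `sudo -l -h` output would disagree with name-based rules for the same host. Worth confirming and, if so, either evaluating the address rule against the run host or documenting in the function comment that address-based rules only describe the local host. hostlist_matches starts and ends outside the hunk.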


@@ -89,6 +89,7 @@ sudoers_policy_deserialize_info(void *v, char **runas_user, char **runas_group)
char * const *cur; char * const *cur;
const char *p, *errstr, *groups = NULL; const char *p, *errstr, *groups = NULL;
const char *debug_flags = NULL; const char *debug_flags = NULL;
const char *remhost = NULL;
int flags = 0; int flags = 0;
debug_decl(sudoers_policy_deserialize_info, SUDO_DEBUG_PLUGIN) debug_decl(sudoers_policy_deserialize_info, SUDO_DEBUG_PLUGIN)
@@ -251,6 +252,10 @@ sudoers_policy_deserialize_info(void *v, char **runas_user, char **runas_group)
sudo_user.max_groups = atoi(*cur + sizeof("max_groups=") - 1); sudo_user.max_groups = atoi(*cur + sizeof("max_groups=") - 1);
continue; continue;
} }
if (MATCHES(*cur, "remote_host=")) {
remhost = *cur + sizeof("remote_host=") - 1;
continue;
}
} }
for (cur = info->user_info; *cur != NULL; cur++) { for (cur = info->user_info; *cur != NULL; cur++) {
@@ -308,6 +313,9 @@ sudoers_policy_deserialize_info(void *v, char **runas_user, char **runas_group)
continue; continue;
} }
} }
user_runhost = user_srunhost = estrdup(remhost ? remhost : user_host);
if ((p = strchr(user_runhost, '.')))
user_srunhost = estrndup(user_runhost, (size_t)(p - user_runhost));
if (user_cwd == NULL) if (user_cwd == NULL)
user_cwd = "unknown"; user_cwd = "unknown";
if (user_tty == NULL) if (user_tty == NULL)
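Review bot: The remote_host= value is copied into user_runhost without any validation, so an empty `remote_host=` setting yields an empty run host and a name beginning with '.' yields an empty user_srunhost; both then flow into hostlist_matches and the log file. A minimal check where the setting is parsed would be `if (*remhost == '\0') remhost = NULL;`, or better, reject the value with an error so the caller learns the host was ignored. Note also that when the name has no '.', user_runhost and user_srunhost alias the same estrdup() allocation, while otherwise user_srunhost is a second allocation — whoever frees these later must handle both shapes, as is presumably already done for user_host/user_shost. sudoers_policy_deserialize_info starts and ends outside the hunk.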


@@ -262,7 +262,7 @@ output(const char *buf)
/* /*
* Print out privileges for the specified user. * Print out privileges for the specified user.
* We only get here if the user is allowed to run something on this host. * We only get here if the user is allowed to run something.
*/ */
void void
display_privs(struct sudo_nss_list *snl, struct passwd *pw) display_privs(struct sudo_nss_list *snl, struct passwd *pw)
@@ -280,8 +280,8 @@ display_privs(struct sudo_nss_list *snl, struct passwd *pw)
lbuf_init(&privs, output, 8, NULL, cols); lbuf_init(&privs, output, 8, NULL, cols);
/* Display defaults from all sources. */ /* Display defaults from all sources. */
lbuf_append(&defs, _("Matching Defaults entries for %s on this host:\n"), lbuf_append(&defs, _("Matching Defaults entries for %s on %s:\n"),
pw->pw_name); pw->pw_name, user_srunhost);
count = 0; count = 0;
tq_foreach_fwd(snl, nss) { tq_foreach_fwd(snl, nss) {
count += nss->display_defaults(nss, pw, &defs); count += nss->display_defaults(nss, pw, &defs);
@@ -306,8 +306,8 @@ display_privs(struct sudo_nss_list *snl, struct passwd *pw)
/* Display privileges from all sources. */ /* Display privileges from all sources. */
lbuf_append(&privs, lbuf_append(&privs,
_("User %s may run the following commands on this host:\n"), _("User %s may run the following commands on %s:\n"),
pw->pw_name); pw->pw_name, user_srunhost);
count = 0; count = 0;
tq_foreach_fwd(snl, nss) { tq_foreach_fwd(snl, nss) {
count += nss->display_privs(nss, pw, &privs); count += nss->display_privs(nss, pw, &privs);
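Review bot: The listing headers now name user_srunhost, but this hunk does not show whether the display_defaults/display_privs callbacks invoked below evaluate their host lists against the run host; if any back end still matches on user_shost, the header would label local-host privileges as the remote host's. The comment above display_privs was also loosened to "allowed to run something" — I would have it say which host is meant: `* We only get here if the user is allowed to run something on user_runhost (the -h host, or the local host by default).` display_privs continues beyond the hunk.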


@@ -68,6 +68,8 @@ struct sudo_user {
char *ttypath; char *ttypath;
char *host; char *host;
char *shost; char *shost;
char *runhost;
char *srunhost;
char *prompt; char *prompt;
char *cmnd; char *cmnd;
char *cmnd_args; char *cmnd_args;
@@ -192,6 +194,8 @@ struct sudo_user {
#define user_prompt (sudo_user.prompt) #define user_prompt (sudo_user.prompt)
#define user_host (sudo_user.host) #define user_host (sudo_user.host)
#define user_shost (sudo_user.shost) #define user_shost (sudo_user.shost)
#define user_runhost (sudo_user.runhost)
#define user_srunhost (sudo_user.srunhost)
#define user_ccname (sudo_user.krb5_ccname) #define user_ccname (sudo_user.krb5_ccname)
#define safe_cmnd (sudo_user.cmnd_safe) #define safe_cmnd (sudo_user.cmnd_safe)
#define login_class (sudo_user.class_name) #define login_class (sudo_user.class_name)
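Review bot: The new runhost and srunhost members are added to struct sudo_user without a comment, so what they hold is only discoverable by reading sudoers.c. I would annotate them at the declaration, e.g. `char *runhost;   /* host privileges are evaluated for (-h); defaults to host */` and `char *srunhost;  /* short form of runhost; may alias runhost when it has no '.' */`. The aliasing remark is what I infer from the initialization in sudoers.c, so confirm it before writing it down.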