Add limited support for "sudo -l -h other_host". Since group lookups

are done on the local host, rules that use group membership may be incorrect if the group database is not synchronized between hosts.
2013-08-14 13:49:14 -06:00
parent 79104ce751
commit d0e3867587
8 changed files with 39 additions and 15 deletions
--- a/doc/sudo.cat
+++ b/doc/sudo.cat
@@ -153,6 +153,8 @@ DDEESSCCRRIIPPTTIIOONN
                 Run the command on the specified _h_o_s_t if the security policy
                 plugin supports remote commands.  Note that the _s_u_d_o_e_r_s
                 plugin does not currently support running remote commands.
+                 This may also be used in conjunction with the --ll option to
+                 list a user's privileges for the remote host.

     --ii, ----llooggiinn
                 Run the shell specified by the target user's password
--- a/doc/sudo.man.in
+++ b/doc/sudo.man.in
@@ -348,6 +348,9 @@ if the security policy plugin supports remote commands.
 Note that the
 \fIsudoers\fR
 plugin does not currently support running remote commands.
+This may also be used in conjunction with the
+\fB\-l\fR
+option to list a user's privileges for the remote host.
 .TP 12n
 \fB\-i\fR, \fB\--login\fR
 Run the shell specified by the target user's password database entry
--- a/doc/sudo.mdoc.in
+++ b/doc/sudo.mdoc.in
@@ -372,6 +372,9 @@ if the security policy plugin supports remote commands.
 Note that the
 .Em sudoers
 plugin does not currently support running remote commands.
+This may also be used in conjunction with the
+.Fl l
+option to list a user's privileges for the remote host.
 .It Fl i , -login
 Run the shell specified by the target user's password database entry
 as a login shell.
--- a/plugins/sudoers/logging.c
+++ b/plugins/sudoers/logging.c
@@ -200,19 +200,23 @@ do_logfile(char *msg)
 	time(&now);
 	if (def_loglinelen < sizeof(LOG_INDENT)) {
 	    /* Don't pretty-print long log file lines (hard to grep) */
-	    if (def_log_host)
+	    if (def_log_host) {
 		(void) fprintf(fp, "%s : %s : HOST=%s : %s\n",
-		    get_timestr(now, def_log_year), user_name, user_shost, msg);
-	    else
+		    get_timestr(now, def_log_year), user_name, user_srunhost,
+		    msg);
+	    } else {
 		(void) fprintf(fp, "%s : %s : %s\n",
 		    get_timestr(now, def_log_year), user_name, msg);
+	    }
 	} else {
-	    if (def_log_host)
+	    if (def_log_host) {
 		len = easprintf(&full_line, "%s : %s : HOST=%s : %s",
-		    get_timestr(now, def_log_year), user_name, user_shost, msg);
-	    else
+		    get_timestr(now, def_log_year), user_name, user_srunhost,
+		    msg);
+	    } else {
 		len = easprintf(&full_line, "%s : %s : %s",
 		    get_timestr(now, def_log_year), user_name, msg);
+	    }

 	    /*
 	     * Print out full_line with word wrap around def_loglinelen chars.
@@ -290,10 +294,10 @@ log_denial(int status, bool inform_user)
 	} else if (ISSET(status, FLAG_NO_HOST)) {
 	    sudo_printf(SUDO_CONV_ERROR_MSG, _("%s is not allowed to run sudo "
 		"on %s.  This incident will be reported.\n"),
-		user_name, user_shost);
+		user_name, user_srunhost);
 	} else if (ISSET(status, FLAG_NO_CHECK)) {
 	    sudo_printf(SUDO_CONV_ERROR_MSG, _("Sorry, user %s may not run "
-		"sudo on %s.\n"), user_name, user_shost);
+		"sudo on %s.\n"), user_name, user_srunhost);
 	} else {
 	    sudo_printf(SUDO_CONV_ERROR_MSG, _("Sorry, user %s is not allowed "
 		"to execute '%s%s%s' as %s%s%s on %s.\n"),
--- a/plugins/sudoers/match.c
+++ b/plugins/sudoers/match.c
@@ -275,7 +275,7 @@ hostlist_matches(struct member_list *list)
 		matched = !m->negated;
 		break;
 	    case NETGROUP:
-		if (netgr_matches(m->name, user_host, user_shost, NULL))
+		if (netgr_matches(m->name, user_runhost, user_srunhost, NULL))
 		    matched = !m->negated;
 		break;
 	    case NTWKADDR:
@@ -292,7 +292,7 @@ hostlist_matches(struct member_list *list)
 		}
 		/* FALLTHROUGH */
 	    case WORD:
-		if (hostname_matches(user_shost, user_host, m->name))
+		if (hostname_matches(user_srunhost, user_runhost, m->name))
 		    matched = !m->negated;
 		break;
 	}
--- a/plugins/sudoers/policy.c
+++ b/plugins/sudoers/policy.c
@@ -89,6 +89,7 @@ sudoers_policy_deserialize_info(void *v, char **runas_user, char **runas_group)
    char * const *cur;
    const char *p, *errstr, *groups = NULL;
    const char *debug_flags = NULL;
+    const char *remhost = NULL;
    int flags = 0;
    debug_decl(sudoers_policy_deserialize_info, SUDO_DEBUG_PLUGIN)

@@ -251,6 +252,10 @@ sudoers_policy_deserialize_info(void *v, char **runas_user, char **runas_group)
 	    sudo_user.max_groups = atoi(*cur + sizeof("max_groups=") - 1);
 	    continue;
 	}
+	if (MATCHES(*cur, "remote_host=")) {
+	    remhost = *cur + sizeof("remote_host=") - 1;
+	    continue;
+	}
    }

    for (cur = info->user_info; *cur != NULL; cur++) {
@@ -308,6 +313,9 @@ sudoers_policy_deserialize_info(void *v, char **runas_user, char **runas_group)
 	    continue;
 	}
    }
+    user_runhost = user_srunhost = estrdup(remhost ? remhost : user_host);
+    if ((p = strchr(user_runhost, '.')))
+	user_srunhost = estrndup(user_runhost, (size_t)(p - user_runhost));
    if (user_cwd == NULL)
 	user_cwd = "unknown";
    if (user_tty == NULL)
--- a/plugins/sudoers/sudo_nss.c
+++ b/plugins/sudoers/sudo_nss.c
@@ -262,7 +262,7 @@ output(const char *buf)

 /*
 * Print out privileges for the specified user.
- * We only get here if the user is allowed to run something on this host.
+ * We only get here if the user is allowed to run something.
 */
 void
 display_privs(struct sudo_nss_list *snl, struct passwd *pw)
@@ -280,8 +280,8 @@ display_privs(struct sudo_nss_list *snl, struct passwd *pw)
    lbuf_init(&privs, output, 8, NULL, cols);

    /* Display defaults from all sources. */
-    lbuf_append(&defs, _("Matching Defaults entries for %s on this host:\n"),
-	pw->pw_name);
+    lbuf_append(&defs, _("Matching Defaults entries for %s on %s:\n"),
+	pw->pw_name, user_srunhost);
    count = 0;
    tq_foreach_fwd(snl, nss) {
 	count += nss->display_defaults(nss, pw, &defs);
@@ -306,8 +306,8 @@ display_privs(struct sudo_nss_list *snl, struct passwd *pw)

    /* Display privileges from all sources. */
    lbuf_append(&privs,
-	_("User %s may run the following commands on this host:\n"),
-	pw->pw_name);
+	_("User %s may run the following commands on %s:\n"),
+	pw->pw_name, user_srunhost);
    count = 0;
    tq_foreach_fwd(snl, nss) {
 	count += nss->display_privs(nss, pw, &privs);
--- a/plugins/sudoers/sudoers.h
+++ b/plugins/sudoers/sudoers.h
@@ -68,6 +68,8 @@ struct sudo_user {
    char *ttypath;
    char *host;
    char *shost;
+    char *runhost;
+    char *srunhost;
    char *prompt;
    char *cmnd;
    char *cmnd_args;
@@ -192,6 +194,8 @@ struct sudo_user {
 #define user_prompt		(sudo_user.prompt)
 #define user_host		(sudo_user.host)
 #define user_shost		(sudo_user.shost)
+#define user_runhost		(sudo_user.runhost)
+#define user_srunhost		(sudo_user.srunhost)
 #define user_ccname		(sudo_user.krb5_ccname)
 #define safe_cmnd		(sudo_user.cmnd_safe)
 #define login_class		(sudo_user.class_name)