isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Move check_user_shell() to pwutil.c as user_shell_valid()

Browse Source 
This will make it possible to support a different backend which may
be used by testsudoers in the future.
This commit is contained in:
Todd C. Miller
2023-09-09 14:07:28 -06:00
parent 28a13501d8
commit d18ee8e0e7
8 changed files with 41 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
plugins/sudoers/check_util.c
View File

@@ -31,31 +31,6 @@
#include "sudoers.h" #include "sudoers.h"
/*
* Returns true if the specified shell is allowed by /etc/shells, else false.
*/
bool
check_user_shell(const struct passwd *pw)
{
const char *shell;
debug_decl(check_user_shell, SUDOERS_DEBUG_AUTH);
if (!def_runas_check_shell)
debug_return_bool(true);
sudo_debug_printf(SUDO_DEBUG_INFO,
"%s: checking /etc/shells for %s", __func__, pw->pw_shell);
setusershell();
while ((shell = getusershell()) != NULL) {
if (strcmp(shell, pw->pw_shell) == 0)
debug_return_bool(true);
}
endusershell();
debug_return_bool(false);
}
/* /*
* Check whether specified runchroot matches def_runchroot. * Check whether specified runchroot matches def_runchroot.
* Returns true if matched, false if not matched and -1 on error. * Returns true if matched, false if not matched and -1 on error.

14
plugins/sudoers/pwutil.c
View File

@@ -1198,3 +1198,17 @@ done:
__func__, pw->pw_name, matched ? "" : "NOT ", group); __func__, pw->pw_name, matched ? "" : "NOT ", group);
debug_return_bool(matched); debug_return_bool(matched);
} }
/*
* Returns true if the user's shell is considered to be valid.
*/
bool
user_shell_valid(const struct passwd *pw)
{
debug_decl(user_shell_valid, SUDOERS_DEBUG_NSS);
if (!def_runas_check_shell)
debug_return_bool(true);
debug_return_bool(valid_shell(pw->pw_shell));
}

1
plugins/sudoers/pwutil.h
View File

@@ -73,5 +73,6 @@ struct cache_item *sudo_make_gritem(gid_t gid, const char *group);
struct cache_item *sudo_make_grlist_item(const struct passwd *pw, char * const *groups); struct cache_item *sudo_make_grlist_item(const struct passwd *pw, char * const *groups);
struct cache_item *sudo_make_gidlist_item(const struct passwd *pw, int ngids, GETGROUPS_T *gids, char * const *gidstrs, unsigned int type); struct cache_item *sudo_make_gidlist_item(const struct passwd *pw, int ngids, GETGROUPS_T *gids, char * const *gidstrs, unsigned int type);
struct cache_item *sudo_make_pwitem(uid_t uid, const char *user); struct cache_item *sudo_make_pwitem(uid_t uid, const char *user);
bool valid_shell(const char *shell);
#endif /* SUDOERS_PWUTIL_H */ #endif /* SUDOERS_PWUTIL_H */

23
plugins/sudoers/pwutil_impl.c
View File

@@ -449,3 +449,26 @@ again:
debug_return_ptr(&grlitem->cache); debug_return_ptr(&grlitem->cache);
} }
/*
* Returns true if the specified shell is allowed by /etc/shells, else false.
*/
bool
valid_shell(const char *shell)
{
const char *entry;
debug_decl(valid_shell, SUDOERS_DEBUG_NSS);
sudo_debug_printf(SUDO_DEBUG_INFO,
"%s: checking /etc/shells for %s", __func__, shell);
setusershell();
while ((entry = getusershell()) != NULL) {
if (strcmp(entry, shell) == 0)
debug_return_bool(true);
}
endusershell();
debug_return_bool(false);
}

7
plugins/sudoers/regress/fuzz/fuzz_policy.c
View File

@@ -728,13 +728,6 @@ check_user_runcwd(const char *runcwd)
return true; return true;
} }
/* STUB */
bool
check_user_shell(const struct passwd *pw)
{
return true;
}
/* STUB */ /* STUB */
void void
group_plugin_unload(void) group_plugin_unload(void)

2
plugins/sudoers/sudoers.c
View File

@@ -444,7 +444,7 @@ sudoers_check_common(struct sudoers_context *ctx, int pwflag)
/* Check runas user's shell if running (or checking) a command. */ /* Check runas user's shell if running (or checking) a command. */
if (ISSET(ctx->mode, MODE_RUN|MODE_CHECK)) { if (ISSET(ctx->mode, MODE_RUN|MODE_CHECK)) {
if (!check_user_shell(ctx->runas.pw)) { if (!user_shell_valid(ctx->runas.pw)) {
log_warningx(ctx, SLOG_RAW_MSG|SLOG_AUDIT, log_warningx(ctx, SLOG_RAW_MSG|SLOG_AUDIT,
N_("invalid shell for user %s: %s"), N_("invalid shell for user %s: %s"),
ctx->runas.pw->pw_name, ctx->runas.pw->pw_shell); ctx->runas.pw->pw_name, ctx->runas.pw->pw_shell);

2
plugins/sudoers/sudoers.h
View File

@@ -311,7 +311,6 @@ int check_user(struct sudoers_context *ctx, unsigned int validated, unsigned int
bool user_is_exempt(const struct sudoers_context *ctx); bool user_is_exempt(const struct sudoers_context *ctx);
/* check_util.c */ /* check_util.c */
bool check_user_shell(const struct passwd *pw);
int check_user_runchroot(const char *runchroot); int check_user_runchroot(const char *runchroot);
int check_user_runcwd(const char *runcwd); int check_user_runcwd(const char *runcwd);
@@ -373,6 +372,7 @@ int sudo_pwutil_get_max_groups(void);
void sudo_pwutil_set_max_groups(int); void sudo_pwutil_set_max_groups(int);
void sudo_pwutil_set_backend(sudo_make_pwitem_t, sudo_make_gritem_t, sudo_make_gidlist_item_t, sudo_make_grlist_item_t); void sudo_pwutil_set_backend(sudo_make_pwitem_t, sudo_make_gritem_t, sudo_make_gidlist_item_t, sudo_make_grlist_item_t);
void sudo_setspent(void); void sudo_setspent(void);
bool user_shell_valid(const struct passwd *pw);
/* timestr.c */ /* timestr.c */
char *get_timestr(time_t, int); char *get_timestr(time_t, int);

2
plugins/sudoers/testsudoers.c
View File

@@ -383,7 +383,7 @@ main(int argc, char *argv[])
/* Validate user-specified chroot or cwd (if any) and runas user shell. */ /* Validate user-specified chroot or cwd (if any) and runas user shell. */
if (ISSET(validated, VALIDATE_SUCCESS)) { if (ISSET(validated, VALIDATE_SUCCESS)) {
if (!check_user_shell(test_ctx.runas.pw)) { if (!user_shell_valid(test_ctx.runas.pw)) {
printf(U_("\nInvalid shell for user %s: %s\n"), printf(U_("\nInvalid shell for user %s: %s\n"),
test_ctx.runas.pw->pw_name, test_ctx.runas.pw->pw_shell); test_ctx.runas.pw->pw_name, test_ctx.runas.pw->pw_shell);
CLR(validated, VALIDATE_SUCCESS); CLR(validated, VALIDATE_SUCCESS);