Rename sample_group plugin to group_file.

Install group_file and system_group plugins by default.

plugins/group_file/Makefile.in

@@ -0,0 +1,150 @@
+#
+# Copyright (c) 2011, 2013 Todd C. Miller <Todd.Miller@courtesan.com>
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+# @configure_input@
+#
+
+#### Start of system configuration section. ####
+
+srcdir = @srcdir@
+devdir = @devdir@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+incdir = $(top_srcdir)/include
+cross_compiling = @CROSS_COMPILING@
+
+# Compiler & tools to use
+CC = @CC@
+LIBTOOL = @LIBTOOL@ @LT_STATIC@
+
+# Our install program supports extra flags...
+INSTALL = $(SHELL) $(top_srcdir)/install-sh -c
+
+# Libraries
+LT_LIBS = $(LIBOBJDIR)libreplace.la
+LIBS = $(LT_LIBS)
+
+# C preprocessor flags
+CPPFLAGS = -I$(incdir) -I$(top_builddir) -I$(top_srcdir) @CPPFLAGS@
+
+# Usually -O and/or -g
+CFLAGS = @CFLAGS@
+
+# Flags to pass to the link stage
+LDFLAGS = @LDFLAGS@
+LT_LDFLAGS = @LT_LDFLAGS@ @LT_LDMAP@ @LT_LDOPT@ @LT_LDEXPORTS@
+
+# PIE flags
+PIE_CFLAGS = @PIE_CFLAGS@
+PIE_LDFLAGS = @PIE_LDFLAGS@
+
+# Stack smashing protection flags
+SSP_CFLAGS = @SSP_CFLAGS@
+SSP_LDFLAGS = @SSP_LDFLAGS@
+
+# Where to install things...
+prefix = @prefix@
+exec_prefix = @exec_prefix@
+bindir = @bindir@
+sbindir = @sbindir@
+sysconfdir = @sysconfdir@
+libexecdir = @libexecdir@
+datarootdir = @datarootdir@
+localstatedir = @localstatedir@
+plugindir = @PLUGINDIR@
+
+# File extension, mode and map file to use for shared libraries/objects
+soext = @SOEXT@
+shlib_mode = @SHLIB_MODE@
+shlib_exp = $(srcdir)/group_file.exp
+shlib_map = group_file.map
+shlib_opt = group_file.opt
+
+# OS dependent defines
+DEFS = @OSDEFS@
+
+#### End of system configuration section. ####
+
+SHELL = @SHELL@
+
+OBJS =	group_file.lo getgrent.lo
+
+LIBOBJDIR = $(top_builddir)/@ac_config_libobj_dir@/
+
+VERSION = @PACKAGE_VERSION@
+
+all: group_file.la
+
+Makefile: $(srcdir)/Makefile.in
+	(cd $(top_builddir) && ./config.status --file plugins/group_file/Makefile)
+
+.SUFFIXES: .o .c .h .lo
+
+.c.lo:
+	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $<
+
+$(shlib_map): $(shlib_exp)
+	@awk 'BEGIN { print "{\n\tglobal:" } { print "\t\t"$$0";" } END { print "\tlocal:\n\t\t*;\n};" }' $(shlib_exp) > $@
+
+$(shlib_opt): $(shlib_exp)
+	@sed 's/^/+e /' $(shlib_exp) > $@
+
+group_file.la: $(OBJS) $(LT_LIBS) @LT_LDDEP@
+	$(LIBTOOL) --mode=link $(CC) $(LDFLAGS) $(LT_LDFLAGS) -o $@ $(OBJS) $(LIBS) -module -avoid-version -rpath $(plugindir)
+
+pre-install:
+
+install: install-plugin
+
+install-dirs:
+	$(SHELL) $(top_srcdir)/mkinstalldirs $(DESTDIR)$(plugindir)
+
+install-binaries:
+
+install-includes:
+
+install-doc:
+
+install-plugin: install-dirs group_file.la
+	$(INSTALL) -b~ -m $(shlib_mode) .libs/group_file$(soext) $(DESTDIR)$(plugindir)
+
+uninstall:
+	-rm -f $(DESTDIR)$(plugindir)/group_file$(soext)
+
+check:
+
+clean:
+	-$(LIBTOOL) --mode=clean rm -f *.lo *.o *.la *.a stamp-* core *.core core.*
+
+mostlyclean: clean
+
+distclean: clean
+	-rm -rf Makefile .libs
+
+clobber: distclean
+
+realclean: distclean
+	rm -f TAGS tags
+
+cleandir: realclean
+
+# Autogenerated dependencies, do not modify
+getgrent.lo: $(srcdir)/getgrent.c $(top_builddir)/config.h $(incdir)/missing.h
+	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/getgrent.c
+group_file.lo: $(srcdir)/group_file.c $(top_builddir)/config.h \
+                 $(top_srcdir)/compat/stdbool.h $(incdir)/sudo_plugin.h \
+                 $(incdir)/missing.h
+	$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(PIE_CFLAGS) $(SSP_CFLAGS) $(DEFS) $(srcdir)/group_file.c

plugins/group_file/getgrent.c

@@ -0,0 +1,183 @@
+/*
+ * Copyright (c) 2005,2008,2010-2013 Todd C. Miller <Todd.Miller@courtesan.com>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Trivial replacements for the libc getgr{uid,nam}() routines.
+ */
+
+#include <config.h>
+
+#include <sys/types.h>
+#include <stdio.h>
+#ifdef STDC_HEADERS
+# include <stdlib.h>
+# include <stddef.h>
+#else
+# ifdef HAVE_STDLIB_H
+#  include <stdlib.h>
+# endif
+#endif /* STDC_HEADERS */
+#ifdef HAVE_STRING_H
+# if defined(HAVE_MEMORY_H) && !defined(STDC_HEADERS)
+#  include <memory.h>
+# endif
+# include <string.h>
+#endif /* HAVE_STRING_H */
+#ifdef HAVE_STRINGS_H
+# include <strings.h>
+#endif /* HAVE_STRINGS_H */
+#include <fcntl.h>
+#include <limits.h>
+#include <pwd.h>
+#include <grp.h>
+
+#include "missing.h"
+
+#ifndef LINE_MAX
+# define LINE_MAX 2048
+#endif
+
+#undef GRMEM_MAX
+#define GRMEM_MAX 200
+
+static FILE *grf;
+static const char *grfile = "/etc/group";
+static int gr_stayopen;
+
+void mysetgrfile(const char *);
+void mysetgrent(void);
+void myendgrent(void);
+struct group *mygetgrent(void);
+struct group *mygetgrnam(const char *);
+struct group *mygetgrgid(gid_t);
+
+void
+mysetgrfile(const char *file)
+{
+    grfile = file;
+    if (grf != NULL)
+	myendgrent();
+}
+
+void
+mysetgrent(void)
+{
+    if (grf == NULL) {
+	grf = fopen(grfile, "r");
+	if (grf != NULL)
+	    fcntl(fileno(grf), F_SETFD, FD_CLOEXEC);
+    } else {
+	rewind(grf);
+    }
+    gr_stayopen = 1;
+}
+
+void
+myendgrent(void)
+{
+    if (grf != NULL) {
+	fclose(grf);
+	grf = NULL;
+    }
+    gr_stayopen = 0;
+}
+
+struct group *
+mygetgrent(void)
+{
+    static struct group gr;
+    static char grbuf[LINE_MAX], *gr_mem[GRMEM_MAX+1];
+    size_t len;
+    char *cp, *colon;
+    int n;
+
+    if ((colon = fgets(grbuf, sizeof(grbuf), grf)) == NULL)
+	return NULL;
+
+    memset(&gr, 0, sizeof(gr));
+    if ((colon = strchr(cp = colon, ':')) == NULL)
+	return NULL;
+    *colon++ = '\0';
+    gr.gr_name = cp;
+    if ((colon = strchr(cp = colon, ':')) == NULL)
+	return NULL;
+    *colon++ = '\0';
+    gr.gr_passwd = cp;
+    if ((colon = strchr(cp = colon, ':')) == NULL)
+	return NULL;
+    *colon++ = '\0';
+    gr.gr_gid = atoi(cp);
+    len = strlen(colon);
+    if (len > 0 && colon[len - 1] == '\n')
+	colon[len - 1] = '\0';
+    if (*colon != '\0') {
+	gr.gr_mem = gr_mem;
+	cp = strtok(colon, ",");
+	for (n = 0; cp != NULL && n < GRMEM_MAX; n++) {
+	    gr.gr_mem[n] = cp;
+	    cp = strtok(NULL, ",");
+	}
+	gr.gr_mem[n++] = NULL;
+    } else
+	gr.gr_mem = NULL;
+    return &gr;
+}
+
+struct group *
+mygetgrnam(const char *name)
+{
+    struct group *gr;
+
+    if (grf == NULL) {
+	if ((grf = fopen(grfile, "r")) == NULL)
+	    return NULL;
+	fcntl(fileno(grf), F_SETFD, FD_CLOEXEC);
+    } else {
+	rewind(grf);
+    }
+    while ((gr = mygetgrent()) != NULL) {
+	if (strcmp(gr->gr_name, name) == 0)
+	    break;
+    }
+    if (!gr_stayopen) {
+	fclose(grf);
+	grf = NULL;
+    }
+    return gr;
+}
+
+struct group *
+mygetgrgid(gid_t gid)
+{
+    struct group *gr;
+
+    if (grf == NULL) {
+	if ((grf = fopen(grfile, "r")) == NULL)
+	    return NULL;
+	fcntl(fileno(grf), F_SETFD, FD_CLOEXEC);
+    } else {
+	rewind(grf);
+    }
+    while ((gr = mygetgrent()) != NULL) {
+	if (gr->gr_gid == gid)
+	    break;
+    }
+    if (!gr_stayopen) {
+	fclose(grf);
+	grf = NULL;
+    }
+    return gr;
+}

plugins/group_file/group_file.c

@@ -0,0 +1,139 @@
+/*
+ * Copyright (c) 2010-2013 Todd C. Miller <Todd.Miller@courtesan.com>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <config.h>
+
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#include <stdio.h>
+#ifdef STDC_HEADERS
+# include <stdlib.h>
+# include <stddef.h>
+#else
+# ifdef HAVE_STDLIB_H
+#  include <stdlib.h>
+# endif
+#endif /* STDC_HEADERS */
+#ifdef HAVE_STDBOOL_H
+# include <stdbool.h>
+#else
+# include "compat/stdbool.h"
+#endif /* HAVE_STDBOOL_H */
+#ifdef HAVE_STRING_H
+# if defined(HAVE_MEMORY_H) && !defined(STDC_HEADERS)
+#  include <memory.h>
+# endif
+# include <string.h>
+#endif /* HAVE_STRING_H */
+#ifdef HAVE_STRINGS_H
+# include <strings.h>
+#endif /* HAVE_STRINGS_H */
+#ifdef HAVE_UNISTD_H
+# include <unistd.h>
+#endif /* HAVE_UNISTD_H */
+#include <ctype.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <limits.h>
+#include <grp.h>
+#include <pwd.h>
+
+#include "sudo_plugin.h"
+#include "missing.h"
+
+/*
+ * Sample sudoers group plugin that uses an extra group file with the
+ * same format as /etc/group.
+ */
+
+static sudo_printf_t sudo_log;
+
+extern void mysetgrfile(const char *);
+extern void mysetgrent(void);
+extern void myendgrent(void);
+extern struct group *mygetgrnam(const char *);
+
+static int
+sample_init(int version, sudo_printf_t sudo_printf, char *const argv[])
+{
+    struct stat sb;
+
+    sudo_log = sudo_printf;
+
+    if (GROUP_API_VERSION_GET_MAJOR(version) != GROUP_API_VERSION_MAJOR) {
+	sudo_log(SUDO_CONV_ERROR_MSG,
+	    "group_file: incompatible major version %d, expected %d\n",
+	    GROUP_API_VERSION_GET_MAJOR(version),
+	    GROUP_API_VERSION_MAJOR);
+	return -1;
+    }
+
+    /* Sanity check the specified group file. */
+    if (argv == NULL || argv[0] == NULL) {
+	sudo_log(SUDO_CONV_ERROR_MSG,
+	    "group_file: path to group file not specified\n");
+	return -1;
+    }
+    if (stat(argv[0], &sb) != 0) {
+	sudo_log(SUDO_CONV_ERROR_MSG,
+	    "group_file: %s: %s\n", argv[0], strerror(errno));
+	return -1;
+    }
+    if ((sb.st_mode & (S_IWGRP|S_IWOTH)) != 0) {
+	sudo_log(SUDO_CONV_ERROR_MSG,
+	    "%s must be only be writable by owner\n", argv[0]);
+	return -1;
+    }
+
+    mysetgrfile(argv[0]);
+    mysetgrent();
+
+    return true;
+}
+
+static void
+sample_cleanup(void)
+{
+    myendgrent();
+}
+
+/*
+ * Returns true if "user" is a member of "group", else false.
+ */
+static int
+sample_query(const char *user, const char *group, const struct passwd *pwd)
+{
+    struct group *grp;
+    char **member;
+
+    grp = mygetgrnam(group);
+    if (grp != NULL) {
+	for (member = grp->gr_mem; *member != NULL; member++) {
+	    if (strcasecmp(user, *member) == 0)
+		return true;
+	}
+    }
+
+    return false;
+}
+
+__dso_public struct sudoers_group_plugin group_plugin = {
+    GROUP_API_VERSION,
+    sample_init,
+    sample_cleanup,
+    sample_query
+};

plugins/group_file/group_file.exp

@@ -0,0 +1 @@
+group_plugin

plugins/group_file/plugin_test.c

@@ -0,0 +1,211 @@
+/*
+ * Copyright (c) 2010-2013 Todd C. Miller <Todd.Miller@courtesan.com>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <sys/types.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <stddef.h>
+#include <stdarg.h>
+#include <string.h>
+#include <unistd.h>
+#include <ctype.h>
+#include <dlfcn.h>
+#include <errno.h>
+#include <limits.h>
+#include <pwd.h>
+
+#include "sudo_plugin.h"
+
+__dso_public int main(int argc, char *argv[]);
+
+/*
+ * Simple driver to test sudoer group plugins.
+ * usage: plugin_test [-p "plugin.so plugin_args ..."] user:group ...
+ */
+
+static void *group_handle;
+static struct sudoers_group_plugin *group_plugin;
+
+static int
+plugin_printf(int msg_type, const char *fmt, ...)
+{
+    va_list ap;
+    FILE *fp;
+	    
+    switch (msg_type) {
+    case SUDO_CONV_INFO_MSG:
+	fp = stdout;
+	break;
+    case SUDO_CONV_ERROR_MSG:
+	fp = stderr;
+	break;
+    default:
+	errno = EINVAL;
+	return -1;
+    }
+
+    va_start(ap, fmt);
+    vfprintf(fp, fmt, ap);
+    va_end(ap);
+
+    return 0;
+}
+
+/*
+ * Load the specified plugin and run its init function.
+ * Returns -1 if unable to open the plugin, else it returns
+ * the value from the plugin's init function.
+ */
+static int
+group_plugin_load(char *plugin_info)
+{
+    char *args, path[PATH_MAX], savedch;
+    char **argv = NULL;
+    int rc;
+
+    /*
+     * Fill in .so path and split out args (if any).
+     */
+    if ((args = strpbrk(plugin_info, " \t")) != NULL) {
+	savedch = *args;
+	*args = '\0';
+    }
+    strncpy(path, plugin_info, sizeof(path) - 1);
+    path[sizeof(path) - 1] = '\0';
+    if (args != NULL)
+	*args++ = savedch;
+
+    /* Open plugin and map in symbol. */
+    group_handle = dlopen(path, RTLD_LAZY);
+    if (!group_handle) {
+	fprintf(stderr, "unable to dlopen %s: %s\n", path, dlerror());
+	return -1;
+    }
+    group_plugin = dlsym(group_handle, "group_plugin");
+    if (group_plugin == NULL) {
+	fprintf(stderr, "unable to find symbol \"group_plugin\" in %s\n", path);
+	return -1;
+    }
+
+    if (GROUP_API_VERSION_GET_MAJOR(group_plugin->version) != GROUP_API_VERSION_MAJOR) {
+	fprintf(stderr,
+	    "%s: incompatible group plugin major version %d, expected %d\n",
+	    path, GROUP_API_VERSION_GET_MAJOR(group_plugin->version),
+	    GROUP_API_VERSION_MAJOR);
+	return -1;
+    }
+
+    /*
+     * Split args into a vector if specified.
+     */
+    if (args != NULL) {
+	int ac = 0, wasblank = 1;
+	char *cp;
+
+        for (cp = args; *cp != '\0'; cp++) {
+            if (isblank((unsigned char)*cp)) {
+                wasblank = 1;
+            } else if (wasblank) {
+                wasblank = 0;
+                ac++;
+            }
+        }
+	if (ac != 0) 	{
+	    argv = malloc(ac * sizeof(char *));
+	    if (argv == NULL) {
+		perror(NULL);
+		return -1;
+	    }
+	    ac = 0;
+	    for ((cp = strtok(args, " \t")); cp; (cp = strtok(NULL, " \t")))
+		argv[ac++] = cp;
+	}
+    }
+
+    rc = (group_plugin->init)(GROUP_API_VERSION, plugin_printf, argv);
+
+    free(argv);
+
+    return rc;
+}
+
+static void
+group_plugin_unload(void)
+{
+    (group_plugin->cleanup)();
+    dlclose(group_handle);
+    group_handle = NULL;
+}
+
+static int
+group_plugin_query(const char *user, const char *group,
+    const struct passwd *pwd)
+{
+    return group_plugin->query)(user, group, pwd;
+}
+
+static void
+usage(void)
+{
+    fprintf(stderr,
+	"usage: plugin_test [-p \"plugin.so plugin_args ...\"] user:group ...\n");
+    exit(1);
+}
+
+int
+main(int argc, char *argv[])
+{
+    int ch, i, found;
+    char *plugin = "group_file.so";
+    char *user, *group;
+    struct passwd *pwd;
+
+    while ((ch = getopt(argc, argv, "p:")) != -1) {
+	switch (ch) {
+	case 'p':
+	    plugin = optarg;
+	    break;
+	default:
+	    usage();
+	}
+    }
+    argc -= optind;
+    argv += optind;
+
+    if (argc < 1)
+	usage();
+
+    if (group_plugin_load(plugin) != 1) {
+	fprintf(stderr, "unable to load plugin: %s\n", plugin);
+	exit(1);
+    }
+
+    for (i = 0; argv[i] != NULL; i++) {
+	user = argv[i];
+	group = strchr(argv[i], ':');
+	if (group == NULL)
+	    continue;
+	*group++ = '\0';
+	pwd = getpwnam(user);
+	found = group_plugin_query(user, group, pwd);
+	printf("user %s %s in group %s\n", user, found ? "is" : "NOT ", group);
+    }
+    group_plugin_unload();
+
+    exit(0);
+}
+