isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

In -l mode, only check local sudoers file if def_ignore_sudoers is not set

Browse Source 
and call LDAP versions from display_privs() and display_cmnd() instead
of directly from main().  Because of this we need to defer closing
the ldap connection until after -l processing has ocurred and we
must pass in the ldap pointer to display_privs() and display_cmnd().
This commit is contained in:
Todd C. Miller
2005-04-12 01:37:08 +00:00
parent fe4f33ab94
commit f261a99f22
3 changed files with 92 additions and 76 deletions
Download Patch File Download Diff File Expand all files Collapse all files

139
parse.c
View File

@@ -206,7 +206,8 @@ sudoers_lookup(pwflag)
* Print out privileges for the specified user.
*/
void
display_privs(pw)
display_privs(v, pw)
VOID *v;
struct passwd *pw;
{
struct cmndspec *cs;
@@ -218,60 +219,66 @@ display_privs(pw)
#if defined(HAVE_INITGROUPS) && defined(HAVE_GETGROUPS)
/* Set group vector so group matching works correctly. */
if (pw != sudo_user.pw) {
(void) initgroups(pw->pw_name, pw->pw_gid);
if ((user_ngroups = getgroups(0, NULL)) > 0) {
user_groups = erealloc3(user_groups, user_ngroups, sizeof(gid_t));
if (getgroups(user_ngroups, user_groups) < 0)
log_error(USE_ERRNO|MSG_ONLY, "can't get group vector");
} else
user_ngroups = 0;
(void) initgroups(pw->pw_name, pw->pw_gid);
if ((user_ngroups = getgroups(0, NULL)) > 0) {
user_groups = erealloc3(user_groups, user_ngroups, sizeof(gid_t));
if (getgroups(user_ngroups, user_groups) < 0)
log_error(USE_ERRNO|MSG_ONLY, "can't get group vector");
} else
user_ngroups = 0;
}
#endif
display_defaults(pw);
if (!def_ignore_local_sudoers) {
display_defaults(pw);
print_priv3("User ", pw->pw_name,
" may run the following commands on this host:\n");
print_priv3("User ", pw->pw_name,
" may run the following commands on this host:\n");
for (us = userspecs; us != NULL; us = us->next) {
if (user_matches(pw, us->user) != TRUE ||
host_matches(us->privileges->hostlist) != TRUE)
continue;
for (us = userspecs; us != NULL; us = us->next) {
if (user_matches(pw, us->user) != TRUE ||
host_matches(us->privileges->hostlist) != TRUE)
continue;
for (priv = us->privileges; priv != NULL; priv = priv->next) {
tags.monitor = def_monitor;
tags.noexec = def_noexec;
tags.nopasswd = !def_authenticate;
for (cs = priv->cmndlist; cs != NULL; cs = cs->next) {
if (cs != priv->cmndlist)
print_priv(", ");
if (cs->runaslist != NULL) {
print_priv(" (");
for (m = cs->runaslist; m != NULL; m = m->next) {
if (m != cs->runaslist)
print_priv(", ");
print_member(m->name, m->type, m->negated, RUNASALIAS);
for (priv = us->privileges; priv != NULL; priv = priv->next) {
tags.monitor = def_monitor;
tags.noexec = def_noexec;
tags.nopasswd = !def_authenticate;
for (cs = priv->cmndlist; cs != NULL; cs = cs->next) {
if (cs != priv->cmndlist)
print_priv(", ");
if (cs->runaslist != NULL) {
print_priv(" (");
for (m = cs->runaslist; m != NULL; m = m->next) {
if (m != cs->runaslist)
print_priv(", ");
print_member(m->name, m->type, m->negated, RUNASALIAS);
}
print_priv(") ");
}
print_priv(") ");
if (TAG_CHANGED(monitor)) {
print_priv(cs->tags.monitor ? "MONITOR: " : "NOMONITOR: ");
tags.monitor = cs->tags.monitor;
}
if (TAG_CHANGED(noexec)) {
print_priv(cs->tags.monitor ? "EXEC: " : "NOEXEC: ");
tags.noexec = cs->tags.noexec;
}
if (TAG_CHANGED(nopasswd)) {
print_priv(cs->tags.monitor ? "PASSWD: " : "NOPASSWD: ");
tags.nopasswd = cs->tags.nopasswd;
}
m = cs->cmnd;
print_member(m->name, m->type, m->negated, CMNDALIAS);
}
if (TAG_CHANGED(monitor)) {
print_priv(cs->tags.monitor ? "MONITOR: " : "NOMONITOR: ");
tags.monitor = cs->tags.monitor;
}
if (TAG_CHANGED(noexec)) {
print_priv(cs->tags.monitor ? "EXEC: " : "NOEXEC: ");
tags.noexec = cs->tags.noexec;
}
if (TAG_CHANGED(nopasswd)) {
print_priv(cs->tags.monitor ? "PASSWD: " : "NOPASSWD: ");
tags.nopasswd = cs->tags.nopasswd;
}
m = cs->cmnd;
print_member(m->name, m->type, m->negated, CMNDALIAS);
print_priv("\n");
}
print_priv("\n");
}
}
#ifdef HAVE_LDAP
if (v != NULL)
sudo_ldap_display_privs(v, pw);
#endif
}
/*
@@ -392,35 +399,43 @@ display_bound_defaults(dtype)
* command is allowed.
*/
int
display_cmnd(pw)
display_cmnd(v, pw)
VOID *v;
struct passwd *pw;
{
struct cmndspec *cs;
struct member *match, *runas;
struct privilege *priv;
struct userspec *us;
int rval = 1;
for (match = NULL, us = userspecs; us != NULL; us = us->next) {
if (user_matches(pw, us->user) != TRUE ||
host_matches(us->privileges->hostlist) != TRUE)
continue;
#ifdef HAVE_LDAP
rval = sudo_ldap_display_cmnd(v, pw);
#endif
if (rval != 0 && !def_ignore_local_sudoers) {
for (match = NULL, us = userspecs; us != NULL; us = us->next) {
if (user_matches(pw, us->user) != TRUE ||
host_matches(us->privileges->hostlist) != TRUE)
continue;
for (priv = us->privileges; priv != NULL; priv = priv->next) {
runas = NULL;
for (cs = priv->cmndlist; cs != NULL; cs = cs->next) {
if (cs->runaslist != NULL)
runas = cs->runaslist;
if (runas_matches(runas) == TRUE &&
cmnd_matches(cs->cmnd) != UNSPEC)
match = cs->cmnd;
for (priv = us->privileges; priv != NULL; priv = priv->next) {
runas = NULL;
for (cs = priv->cmndlist; cs != NULL; cs = cs->next) {
if (cs->runaslist != NULL)
runas = cs->runaslist;
if (runas_matches(runas) == TRUE &&
cmnd_matches(cs->cmnd) != UNSPEC)
match = cs->cmnd;
}
}
}
if (match != NULL && !match->negated) {
printf("%s%s%s\n", safe_cmnd, user_args ? " " : "",
user_args ? user_args : "");
rval = 0;
}
}
if (match == NULL || match->negated)
return(1);
printf("%s%s%s\n", safe_cmnd, user_args ? " " : "",
user_args ? user_args : "");
return(0);
return(rval);
}
/*

22
sudo.c
View File

@@ -152,9 +152,7 @@ main(argc, argv)
int sudo_mode;
int pwflag;
sigaction_t sa;
#ifdef HAVE_LDAP
VOID *ld;
#endif
VOID *ld = NULL;
extern char **environ;
#ifdef HAVE_SETLOCALE
@@ -294,10 +292,8 @@ main(argc, argv)
cmnd_status = set_cmnd(sudo_mode);
#ifdef HAVE_LDAP
if (ld != NULL) {
if (ld != NULL)
validated = sudo_ldap_check(ld, pwflag);
sudo_ldap_close(ld);
}
/* Fallback to sudoers if we are allowed to and we aren't validated. */
if (!def_ignore_local_sudoers && !ISSET(validated, VALIDATE_OK))
#endif
@@ -373,15 +369,19 @@ main(argc, argv)
if (sudo_mode == MODE_VALIDATE)
exit(0);
else if (sudo_mode == MODE_CHECK)
exit(display_cmnd(list_pw ? list_pw : sudo_user.pw));
exit(display_cmnd(ld, list_pw ? list_pw : sudo_user.pw));
else if (sudo_mode == MODE_LIST) {
display_privs(list_pw ? list_pw : sudo_user.pw);
#ifdef HAVE_LDAP
sudo_ldap_display_privs(); /* XXX - use list_pw */
#endif
display_privs(ld, list_pw ? list_pw : sudo_user.pw);
exit(0);
}
#ifdef HAVE_LDAP
if (ld != NULL) {
sudo_ldap_close(ld);
ld = NULL;
}
#endif
#ifdef HAVE_SYSTRACE
if (def_monitor)
systrace_attach(getpid());

7
sudo.h
View File

@@ -216,7 +216,8 @@ int sudoers_lookup __P((int));
int parse_sudoers __P((const char *));
#ifdef HAVE_LDAP
int sudo_ldap_check __P((VOID *, int));
void sudo_ldap_display_privs __P((void));
void sudo_ldap_display_privs __P((VOID *, struct passwd *));
int sudo_ldap_display_cmnd __P((VOID *, struct passwd *));
void sudo_ldap_update_defaults __P((VOID *));
VOID *sudo_ldap_open __P((void));
void sudo_ldap_close __P((VOID *));
@@ -251,8 +252,8 @@ int pam_prep_user __P((struct passwd *));
void zero_bytes __P((volatile VOID *, size_t));
int gettime __P((struct timespec *));
FILE *open_sudoers __P((const char *, int *));
void display_privs __P((struct passwd *));
int display_cmnd __P((struct passwd *));
void display_privs __P((VOID *, struct passwd *));
int display_cmnd __P((VOID *, struct passwd *));
void sudo_setgrent __P((void));
void sudo_endgrent __P((void));
void sudo_setpwent __P((void));