In -l mode, only check local sudoers file if def_ignore_sudoers is not set

and call LDAP versions from display_privs() and display_cmnd() instead
of directly from main().  Because of this we need to defer closing
the ldap connection until after -l processing has occurred and we
must pass in the ldap pointer to display_privs() and display_cmnd().
Todd C. Miller
2005-04-12 01:37:08 +00:00
parent fe4f33ab94
commit f261a99f22
3 changed files with 92 additions and 76 deletions

parse.c

@@ -206,7 +206,8 @@ sudoers_lookup(pwflag)
* Print out privileges for the specified user. * Print out privileges for the specified user.
*/ */
void void
display_privs(pw) display_privs(v, pw)
VOID *v;
struct passwd *pw; struct passwd *pw;
{ {
struct cmndspec *cs; struct cmndspec *cs;
@@ -218,60 +219,66 @@ display_privs(pw)
#if defined(HAVE_INITGROUPS) && defined(HAVE_GETGROUPS) #if defined(HAVE_INITGROUPS) && defined(HAVE_GETGROUPS)
/* Set group vector so group matching works correctly. */ /* Set group vector so group matching works correctly. */
if (pw != sudo_user.pw) { if (pw != sudo_user.pw) {
(void) initgroups(pw->pw_name, pw->pw_gid); (void) initgroups(pw->pw_name, pw->pw_gid);
if ((user_ngroups = getgroups(0, NULL)) > 0) { if ((user_ngroups = getgroups(0, NULL)) > 0) {
user_groups = erealloc3(user_groups, user_ngroups, sizeof(gid_t)); user_groups = erealloc3(user_groups, user_ngroups, sizeof(gid_t));
if (getgroups(user_ngroups, user_groups) < 0) if (getgroups(user_ngroups, user_groups) < 0)
log_error(USE_ERRNO|MSG_ONLY, "can't get group vector"); log_error(USE_ERRNO|MSG_ONLY, "can't get group vector");
} else } else
user_ngroups = 0; user_ngroups = 0;
} }
#endif #endif
display_defaults(pw); if (!def_ignore_local_sudoers) {
display_defaults(pw);
print_priv3("User ", pw->pw_name, print_priv3("User ", pw->pw_name,
" may run the following commands on this host:\n"); " may run the following commands on this host:\n");
for (us = userspecs; us != NULL; us = us->next) { for (us = userspecs; us != NULL; us = us->next) {
if (user_matches(pw, us->user) != TRUE || if (user_matches(pw, us->user) != TRUE ||
host_matches(us->privileges->hostlist) != TRUE) host_matches(us->privileges->hostlist) != TRUE)
continue; continue;
for (priv = us->privileges; priv != NULL; priv = priv->next) { for (priv = us->privileges; priv != NULL; priv = priv->next) {
tags.monitor = def_monitor; tags.monitor = def_monitor;
tags.noexec = def_noexec; tags.noexec = def_noexec;
tags.nopasswd = !def_authenticate; tags.nopasswd = !def_authenticate;
for (cs = priv->cmndlist; cs != NULL; cs = cs->next) { for (cs = priv->cmndlist; cs != NULL; cs = cs->next) {
if (cs != priv->cmndlist) if (cs != priv->cmndlist)
print_priv(", "); print_priv(", ");
if (cs->runaslist != NULL) { if (cs->runaslist != NULL) {
print_priv(" ("); print_priv(" (");
for (m = cs->runaslist; m != NULL; m = m->next) { for (m = cs->runaslist; m != NULL; m = m->next) {
if (m != cs->runaslist) if (m != cs->runaslist)
print_priv(", "); print_priv(", ");
print_member(m->name, m->type, m->negated, RUNASALIAS); print_member(m->name, m->type, m->negated, RUNASALIAS);
}
print_priv(") ");
} }
print_priv(") "); if (TAG_CHANGED(monitor)) {
print_priv(cs->tags.monitor ? "MONITOR: " : "NOMONITOR: ");
tags.monitor = cs->tags.monitor;
}
if (TAG_CHANGED(noexec)) {
print_priv(cs->tags.monitor ? "EXEC: " : "NOEXEC: ");
tags.noexec = cs->tags.noexec;
}
if (TAG_CHANGED(nopasswd)) {
print_priv(cs->tags.monitor ? "PASSWD: " : "NOPASSWD: ");
tags.nopasswd = cs->tags.nopasswd;
}
m = cs->cmnd;
print_member(m->name, m->type, m->negated, CMNDALIAS);
} }
if (TAG_CHANGED(monitor)) { print_priv("\n");
print_priv(cs->tags.monitor ? "MONITOR: " : "NOMONITOR: ");
tags.monitor = cs->tags.monitor;
}
if (TAG_CHANGED(noexec)) {
print_priv(cs->tags.monitor ? "EXEC: " : "NOEXEC: ");
tags.noexec = cs->tags.noexec;
}
if (TAG_CHANGED(nopasswd)) {
print_priv(cs->tags.monitor ? "PASSWD: " : "NOPASSWD: ");
tags.nopasswd = cs->tags.nopasswd;
}
m = cs->cmnd;
print_member(m->name, m->type, m->negated, CMNDALIAS);
} }
print_priv("\n");
} }
} }
#ifdef HAVE_LDAP
if (v != NULL)
sudo_ldap_display_privs(v, pw);
#endif
} }
/* /*
@@ -392,35 +399,43 @@ display_bound_defaults(dtype)
* command is allowed. * command is allowed.
*/ */
int int
display_cmnd(pw) display_cmnd(v, pw)
VOID *v;
struct passwd *pw; struct passwd *pw;
{ {
struct cmndspec *cs; struct cmndspec *cs;
struct member *match, *runas; struct member *match, *runas;
struct privilege *priv; struct privilege *priv;
struct userspec *us; struct userspec *us;
int rval = 1;
for (match = NULL, us = userspecs; us != NULL; us = us->next) { #ifdef HAVE_LDAP
if (user_matches(pw, us->user) != TRUE || rval = sudo_ldap_display_cmnd(v, pw);
host_matches(us->privileges->hostlist) != TRUE) #endif
continue; if (rval != 0 && !def_ignore_local_sudoers) {
for (match = NULL, us = userspecs; us != NULL; us = us->next) {
if (user_matches(pw, us->user) != TRUE ||
host_matches(us->privileges->hostlist) != TRUE)
continue;
for (priv = us->privileges; priv != NULL; priv = priv->next) { for (priv = us->privileges; priv != NULL; priv = priv->next) {
runas = NULL; runas = NULL;
for (cs = priv->cmndlist; cs != NULL; cs = cs->next) { for (cs = priv->cmndlist; cs != NULL; cs = cs->next) {
if (cs->runaslist != NULL) if (cs->runaslist != NULL)
runas = cs->runaslist; runas = cs->runaslist;
if (runas_matches(runas) == TRUE && if (runas_matches(runas) == TRUE &&
cmnd_matches(cs->cmnd) != UNSPEC) cmnd_matches(cs->cmnd) != UNSPEC)
match = cs->cmnd; match = cs->cmnd;
}
} }
} }
if (match != NULL && !match->negated) {
printf("%s%s%s\n", safe_cmnd, user_args ? " " : "",
user_args ? user_args : "");
rval = 0;
}
} }
if (match == NULL || match->negated) return(rval);
return(1);
printf("%s%s%s\n", safe_cmnd, user_args ? " " : "",
user_args ? user_args : "");
return(0);
} }
/* /*
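Review bot: The tag display in display_privs still tests the wrong field for two of the three tags: in the `if (TAG_CHANGED(noexec))` and `if (TAG_CHANGED(nopasswd))` branches the label is chosen by `cs->tags.monitor`, so `sudo -l` can print `EXEC:`/`NOEXEC:` and `PASSWD:`/`NOPASSWD:` according to the monitor flag rather than the tag actually in effect; these lines were re-indented by this commit but the mix-up was not fixed. They should read `print_priv(cs->tags.noexec ? "EXEC: " : "NOEXEC: ");` and `print_priv(cs->tags.nopasswd ? "PASSWD: " : "NOPASSWD: ");` — the listing is what an administrator audits for NOPASSWD entries, so a mislabelled tag is a real problem. Separately, display_cmnd calls `sudo_ldap_display_cmnd(v, pw)` without the `v != NULL` guard that display_privs uses, and main passes `ld` whether or not the LDAP open succeeded, so unless sudo_ldap_display_cmnd tolerates a NULL handle (not visible here) a NULL connection reaches it. `if (v != NULL) rval = sudo_ldap_display_cmnd(v, pw);` keeps the two functions symmetric and avoids depending on that.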

sudo.c

@@ -152,9 +152,7 @@ main(argc, argv)
int sudo_mode; int sudo_mode;
int pwflag; int pwflag;
sigaction_t sa; sigaction_t sa;
#ifdef HAVE_LDAP VOID *ld = NULL;
VOID *ld;
#endif
extern char **environ; extern char **environ;
#ifdef HAVE_SETLOCALE #ifdef HAVE_SETLOCALE
@@ -294,10 +292,8 @@ main(argc, argv)
cmnd_status = set_cmnd(sudo_mode); cmnd_status = set_cmnd(sudo_mode);
#ifdef HAVE_LDAP #ifdef HAVE_LDAP
if (ld != NULL) { if (ld != NULL)
validated = sudo_ldap_check(ld, pwflag); validated = sudo_ldap_check(ld, pwflag);
sudo_ldap_close(ld);
}
/* Fallback to sudoers if we are allowed to and we aren't validated. */ /* Fallback to sudoers if we are allowed to and we aren't validated. */
if (!def_ignore_local_sudoers && !ISSET(validated, VALIDATE_OK)) if (!def_ignore_local_sudoers && !ISSET(validated, VALIDATE_OK))
#endif #endif
@@ -373,15 +369,19 @@ main(argc, argv)
if (sudo_mode == MODE_VALIDATE) if (sudo_mode == MODE_VALIDATE)
exit(0); exit(0);
else if (sudo_mode == MODE_CHECK) else if (sudo_mode == MODE_CHECK)
exit(display_cmnd(list_pw ? list_pw : sudo_user.pw)); exit(display_cmnd(ld, list_pw ? list_pw : sudo_user.pw));
else if (sudo_mode == MODE_LIST) { else if (sudo_mode == MODE_LIST) {
display_privs(list_pw ? list_pw : sudo_user.pw); display_privs(ld, list_pw ? list_pw : sudo_user.pw);
#ifdef HAVE_LDAP
sudo_ldap_display_privs(); /* XXX - use list_pw */
#endif
exit(0); exit(0);
} }
#ifdef HAVE_LDAP
if (ld != NULL) {
sudo_ldap_close(ld);
ld = NULL;
}
#endif
#ifdef HAVE_SYSTRACE #ifdef HAVE_SYSTRACE
if (def_monitor) if (def_monitor)
systrace_attach(getpid()); systrace_attach(getpid());
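Review bot: The new `if (ld != NULL) { sudo_ldap_close(ld); ld = NULL; }` block carries no comment explaining why the close moved down here, and the reason is easy to lose in a later refactor: the handle must outlive the MODE_CHECK/MODE_LIST branches that now pass `ld` into display_cmnd()/display_privs(), yet it should still be torn down before sudo goes on to run the command so the LDAP socket is not left open for the child to inherit (the exec path is outside this hunk, so that ordering is inferred). I would add `/* Done with LDAP; close before anything that may exec so the connection is not inherited. */` above the block. The MODE_VALIDATE/MODE_CHECK/MODE_LIST branches now exit() with the connection still open, which is harmless because the process ends, but if that is intentional it deserves a word in the same comment.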

sudo.h

@@ -216,7 +216,8 @@ int sudoers_lookup __P((int));
int parse_sudoers __P((const char *)); int parse_sudoers __P((const char *));
#ifdef HAVE_LDAP #ifdef HAVE_LDAP
int sudo_ldap_check __P((VOID *, int)); int sudo_ldap_check __P((VOID *, int));
void sudo_ldap_display_privs __P((void)); void sudo_ldap_display_privs __P((VOID *, struct passwd *));
int sudo_ldap_display_cmnd __P((VOID *, struct passwd *));
void sudo_ldap_update_defaults __P((VOID *)); void sudo_ldap_update_defaults __P((VOID *));
VOID *sudo_ldap_open __P((void)); VOID *sudo_ldap_open __P((void));
void sudo_ldap_close __P((VOID *)); void sudo_ldap_close __P((VOID *));
@@ -251,8 +252,8 @@ int pam_prep_user __P((struct passwd *));
void zero_bytes __P((volatile VOID *, size_t)); void zero_bytes __P((volatile VOID *, size_t));
int gettime __P((struct timespec *)); int gettime __P((struct timespec *));
FILE *open_sudoers __P((const char *, int *)); FILE *open_sudoers __P((const char *, int *));
void display_privs __P((struct passwd *)); void display_privs __P((VOID *, struct passwd *));
int display_cmnd __P((struct passwd *)); int display_cmnd __P((VOID *, struct passwd *));
void sudo_setgrent __P((void)); void sudo_setgrent __P((void));
void sudo_endgrent __P((void)); void sudo_endgrent __P((void));
void sudo_setpwent __P((void)); void sudo_setpwent __P((void));