isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Simplify the nss interface such that each sudoers provider fills

Browse Source 
in a per-nss list of userspecs and defaults instead of using separate
lookup and list functions.  This makes it possible to have a single
implementation of the code for sudoers lookup and listing.
This commit is contained in:
Todd C. Miller
2018-05-14 09:05:03 -06:00
parent 71e98d9493
commit f9be3a48a2
17 changed files with 980 additions and 1959 deletions
Download Patch File Download Diff File Expand all files Collapse all files

758
plugins/sudoers/parse.c
View File

@@ -19,6 +19,7 @@
#include <config.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <stdio.h>
#include <stdlib.h>
#ifdef HAVE_STRING_H
@@ -38,147 +39,57 @@
#include <gram.h>
/*
* Local prototypes.
* Look up the user in the sudoers prase tree for pseudo-commands like
* list, verify and kill.
*/
static int display_bound_defaults(int deftype, struct sudo_lbuf *lbuf);
static int sudo_file_close(struct sudo_nss *);
static int sudo_file_display_bound_defaults(struct sudo_nss *, struct passwd *, struct sudo_lbuf *);
static int sudo_file_display_cmnd(struct sudo_nss *, struct passwd *);
static int sudo_file_display_defaults(struct sudo_nss *, struct passwd *, struct sudo_lbuf *);
static int sudo_file_display_privs(struct sudo_nss *, struct passwd *, struct sudo_lbuf *);
static int sudo_file_lookup(struct sudo_nss *, int, int);
static int sudo_file_open(struct sudo_nss *);
static int sudo_file_parse(struct sudo_nss *);
static int sudo_file_setdefs(struct sudo_nss *);
/* sudo_nss implementation */
struct sudo_nss sudo_nss_file = {
{ NULL, NULL },
sudo_file_open,
sudo_file_close,
sudo_file_parse,
sudo_file_setdefs,
sudo_file_lookup,
sudo_file_display_cmnd,
sudo_file_display_defaults,
sudo_file_display_bound_defaults,
sudo_file_display_privs
};
int
sudo_file_open(struct sudo_nss *nss)
static int
sudoers_lookup_pseudo(struct sudo_nss_list *snl, struct passwd *pw,
int validated, int pwflag)
{
debug_decl(sudo_file_open, SUDOERS_DEBUG_NSS)
if (def_ignore_local_sudoers)
debug_return_int(-1);
nss->handle = open_sudoers(sudoers_file, false, NULL);
debug_return_int(nss->handle ? 0 : -1);
}
int
sudo_file_close(struct sudo_nss *nss)
{
debug_decl(sudo_file_close, SUDOERS_DEBUG_NSS)
/* Free parser data structures and close sudoers file. */
init_parser(NULL, false);
if (nss->handle != NULL) {
fclose(nss->handle);
nss->handle = NULL;
sudoersin = NULL;
}
debug_return_int(0);
}
/*
* Parse the specified sudoers file.
*/
int
sudo_file_parse(struct sudo_nss *nss)
{
debug_decl(sudo_file_close, SUDOERS_DEBUG_NSS)
if (nss->handle == NULL)
debug_return_int(-1);
init_parser(sudoers_file, false);
sudoersin = nss->handle;
if (sudoersparse() != 0 || parse_error) {
if (errorlineno != -1) {
log_warningx(SLOG_SEND_MAIL, N_("parse error in %s near line %d"),
errorfile, errorlineno);
} else {
log_warningx(SLOG_SEND_MAIL, N_("parse error in %s"), errorfile);
}
debug_return_int(-1);
}
debug_return_int(0);
}
/*
* Wrapper around update_defaults() for nsswitch code.
*/
int
sudo_file_setdefs(struct sudo_nss *nss)
{
debug_decl(sudo_file_setdefs, SUDOERS_DEBUG_NSS)
if (nss->handle == NULL)
debug_return_int(-1);
if (!update_defaults(SETDEF_GENERIC|SETDEF_HOST|SETDEF_USER|SETDEF_RUNAS,
false))
debug_return_int(-1);
debug_return_int(0);
}
/*
* Look up the user in the parsed sudoers file and check to see if they are
* allowed to run the specified command on this host as the target user.
*/
int
sudo_file_lookup(struct sudo_nss *nss, int validated, int pwflag)
{
int match, host_match, runas_match, cmnd_match, timeout;
int match;
struct sudo_nss *nss;
struct cmndspec *cs;
struct cmndtag *tags = NULL;
struct privilege *priv;
struct userspec *us;
struct member *matching_user;
time_t now;
debug_decl(sudo_file_lookup, SUDOERS_DEBUG_NSS)
struct defaults *def;
int nopass;
enum def_tuple pwcheck;
debug_decl(sudoers_lookup_pseudo, SUDOERS_DEBUG_PARSER)
if (nss->handle == NULL)
debug_return_int(validated);
pwcheck = (pwflag == -1) ? never : sudo_defs_table[pwflag].sd_un.tuple;
nopass = (pwcheck == all) ? true : false;
/*
* Only check the actual command if pwflag is not set.
* It is set for the "validate", "list" and "kill" pseudo-commands.
* Always check the host and user.
*/
if (pwflag) {
int nopass;
enum def_tuple pwcheck;
pwcheck = (pwflag == -1) ? never : sudo_defs_table[pwflag].sd_un.tuple;
nopass = (pwcheck == all) ? true : false;
if (list_pw == NULL)
SET(validated, FLAG_NO_CHECK);
CLR(validated, FLAG_NO_USER);
CLR(validated, FLAG_NO_HOST);
match = DENY;
TAILQ_FOREACH(us, &userspecs, entries) {
if (userlist_matches(sudo_user.pw, &us->users) != ALLOW)
if (list_pw == NULL)
SET(validated, FLAG_NO_CHECK);
CLR(validated, FLAG_NO_USER);
CLR(validated, FLAG_NO_HOST);
match = DENY;
TAILQ_FOREACH(nss, snl, entries) {
if (nss->query(nss, pw) == -1) {
/* The query function should have printed an error message. */
SET(validated, VALIDATE_ERROR);
break;
}
TAILQ_FOREACH(us, &nss->userspecs, entries) {
if (userlist_matches(pw, &us->users) != ALLOW)
continue;
TAILQ_FOREACH(priv, &us->privileges, entries) {
if (hostlist_matches(sudo_user.pw, &priv->hostlist) != ALLOW)
int priv_nopass = UNSPEC;
if (hostlist_matches(pw, &priv->hostlist) != ALLOW)
continue;
TAILQ_FOREACH(def, &priv->defaults, entries) {
if (strcmp(def->var, "authenticate") == 0)
priv_nopass = def->op;
}
TAILQ_FOREACH(cs, &priv->cmndlist, entries) {
if ((pwcheck == any && cs->tags.nopasswd == true) ||
(pwcheck == all && cs->tags.nopasswd != true))
nopass = cs->tags.nopasswd;
if (pwcheck == any) {
if (cs->tags.nopasswd == true || priv_nopass == true)
nopass = true;
} else if (pwcheck == all) {
if (cs->tags.nopasswd != true && priv_nopass != true)
nopass = false;
}
if (match == ALLOW)
continue;
/* Only check the command when listing another user. */
@@ -189,34 +100,38 @@ sudo_file_lookup(struct sudo_nss *nss, int validated, int pwflag)
}
}
}
if (match == ALLOW || user_uid == 0) {
/* User has an entry for this host. */
SET(validated, VALIDATE_SUCCESS);
} else if (match == DENY)
SET(validated, VALIDATE_FAILURE);
if (pwcheck == always && def_authenticate)
SET(validated, FLAG_CHECK_USER);
else if (nopass == true)
SET(validated, FLAG_NOPASSWD);
else
CLR(validated, FLAG_NOPASSWD);
debug_return_int(validated);
}
if (match == ALLOW || user_uid == 0) {
/* User has an entry for this host. */
SET(validated, VALIDATE_SUCCESS);
} else if (match == DENY)
SET(validated, VALIDATE_FAILURE);
if (pwcheck == always && def_authenticate)
SET(validated, FLAG_CHECK_USER);
else if (nopass == true)
def_authenticate = false;
debug_return_int(validated);
}
/* Need to be runas user while stat'ing things. */
if (!set_perms(PERM_RUNAS))
debug_return_int(validated);
static int
sudoers_lookup_check(struct sudo_nss *nss, struct passwd *pw, int *validated,
struct cmndspec **matching_cs, struct defaults_list **defs, time_t now)
{
int host_match, runas_match, cmnd_match;
struct cmndspec *cs;
struct privilege *priv;
struct userspec *us;
struct member *matching_user;
debug_decl(sudoers_lookup_check, SUDOERS_DEBUG_PARSER)
time(&now);
match = UNSPEC;
TAILQ_FOREACH_REVERSE(us, &userspecs, userspec_list, entries) {
if (userlist_matches(sudo_user.pw, &us->users) != ALLOW)
TAILQ_FOREACH_REVERSE(us, &nss->userspecs, userspec_list, entries) {
if (userlist_matches(pw, &us->users) != ALLOW)
continue;
CLR(validated, FLAG_NO_USER);
CLR(*validated, FLAG_NO_USER);
TAILQ_FOREACH_REVERSE(priv, &us->privileges, privilege_list, entries) {
host_match = hostlist_matches(sudo_user.pw, &priv->hostlist);
host_match = hostlist_matches(pw, &priv->hostlist);
if (host_match == ALLOW)
CLR(validated, FLAG_NO_HOST);
CLR(*validated, FLAG_NO_HOST);
else
continue;
TAILQ_FOREACH_REVERSE(cs, &priv->cmndlist, cmndspec_list, entries) {
@@ -234,63 +149,6 @@ sudo_file_lookup(struct sudo_nss *nss, int validated, int pwflag)
if (runas_match == ALLOW) {
cmnd_match = cmnd_matches(cs->cmnd);
if (cmnd_match != UNSPEC) {
match = cmnd_match;
tags = &cs->tags;
timeout = cs->timeout;
#ifdef HAVE_SELINUX
/* Set role and type if not specified on command line. */
if (user_role == NULL) {
if (cs->role != NULL) {
user_role = strdup(cs->role);
if (user_role == NULL) {
sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
SET(validated, VALIDATE_ERROR);
goto done;
}
} else {
user_role = def_role;
}
}
if (user_type == NULL) {
if (cs->type != NULL) {
user_type = strdup(cs->type);
if (user_type == NULL) {
sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
SET(validated, VALIDATE_ERROR);
goto done;
}
} else {
user_type = def_type;
}
}
#endif /* HAVE_SELINUX */
#ifdef HAVE_PRIV_SET
/* Set Solaris privilege sets */
if (runas_privs == NULL) {
if (cs->privs != NULL) {
runas_privs = strdup(cs->privs);
if (runas_privs == NULL) {
sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
SET(validated, VALIDATE_ERROR);
goto done;
}
} else {
runas_privs = def_privs;
}
}
if (runas_limitprivs == NULL) {
if (cs->limitprivs != NULL) {
runas_limitprivs = strdup(cs->limitprivs);
if (runas_limitprivs == NULL) {
sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
SET(validated, VALIDATE_ERROR);
goto done;
}
} else {
runas_limitprivs = def_limitprivs;
}
}
#endif /* HAVE_PRIV_SET */
/*
* If user is running command as himself,
* set runas_pw = sudo_user.pw.
@@ -301,75 +159,174 @@ sudo_file_lookup(struct sudo_nss *nss, int validated, int pwflag)
sudo_pw_addref(sudo_user.pw);
runas_pw = sudo_user.pw;
}
goto matched2;
*matching_cs = cs;
*defs = &priv->defaults;
debug_return_int(cmnd_match);
}
}
}
}
}
matched2:
if (match == ALLOW) {
SET(validated, VALIDATE_SUCCESS);
CLR(validated, VALIDATE_FAILURE);
if (timeout > 0)
def_command_timeout = timeout;
if (tags != NULL) {
if (tags->nopasswd != UNSPEC)
def_authenticate = !tags->nopasswd;
if (tags->noexec != UNSPEC)
def_noexec = tags->noexec;
if (tags->setenv != UNSPEC)
def_setenv = tags->setenv;
if (tags->log_input != UNSPEC)
def_log_input = tags->log_input;
if (tags->log_output != UNSPEC)
def_log_output = tags->log_output;
if (tags->send_mail != UNSPEC) {
if (tags->send_mail) {
def_mail_all_cmnds = true;
} else {
def_mail_all_cmnds = false;
def_mail_always = false;
def_mail_no_perms = false;
}
}
if (tags->follow != UNSPEC)
def_sudoedit_follow = tags->follow;
}
} else if (match == DENY) {
SET(validated, VALIDATE_FAILURE);
CLR(validated, VALIDATE_SUCCESS);
if (tags != NULL) {
if (tags->nopasswd != UNSPEC)
def_authenticate = !tags->nopasswd;
if (tags->send_mail != UNSPEC) {
if (tags->send_mail) {
def_mail_all_cmnds = true;
} else {
def_mail_all_cmnds = false;
def_mail_always = false;
def_mail_no_perms = false;
debug_return_int(UNSPEC);
}
/*
* Apply cmndspec-specific settngs including SELinux role/type,
* Solaris privs, and command tags.
*/
static bool
apply_cmndspec(struct cmndspec *cs)
{
debug_decl(apply_cmndspec, SUDOERS_DEBUG_PARSER)
if (cs != NULL) {
#ifdef HAVE_SELINUX
/* Set role and type if not specified on command line. */
if (user_role == NULL) {
if (cs->role != NULL) {
user_role = strdup(cs->role);
if (user_role == NULL) {
sudo_warnx(U_("%s: %s"), __func__,
U_("unable to allocate memory"));
debug_return_bool(false);
}
} else {
user_role = def_role;
}
}
if (user_type == NULL) {
if (cs->type != NULL) {
user_type = strdup(cs->type);
if (user_type == NULL) {
sudo_warnx(U_("%s: %s"), __func__,
U_("unable to allocate memory"));
debug_return_bool(false);
}
} else {
user_type = def_type;
}
}
#endif /* HAVE_SELINUX */
#ifdef HAVE_PRIV_SET
/* Set Solaris privilege sets */
if (runas_privs == NULL) {
if (cs->privs != NULL) {
runas_privs = strdup(cs->privs);
if (runas_privs == NULL) {
sudo_warnx(U_("%s: %s"), __func__,
U_("unable to allocate memory"));
debug_return_bool(false);
}
} else {
runas_privs = def_privs;
}
}
if (runas_limitprivs == NULL) {
if (cs->limitprivs != NULL) {
runas_limitprivs = strdup(cs->limitprivs);
if (runas_limitprivs == NULL) {
sudo_warnx(U_("%s: %s"), __func__,
U_("unable to allocate memory"));
debug_return_bool(false);
}
} else {
runas_limitprivs = def_limitprivs;
}
}
#endif /* HAVE_PRIV_SET */
if (cs->timeout > 0)
def_command_timeout = cs->timeout;
if (cs->tags.nopasswd != UNSPEC)
def_authenticate = !cs->tags.nopasswd;
if (cs->tags.noexec != UNSPEC)
def_noexec = cs->tags.noexec;
if (cs->tags.setenv != UNSPEC)
def_setenv = cs->tags.setenv;
if (cs->tags.log_input != UNSPEC)
def_log_input = cs->tags.log_input;
if (cs->tags.log_output != UNSPEC)
def_log_output = cs->tags.log_output;
if (cs->tags.send_mail != UNSPEC) {
if (cs->tags.send_mail) {
def_mail_all_cmnds = true;
} else {
def_mail_all_cmnds = false;
def_mail_always = false;
def_mail_no_perms = false;
}
}
if (cs->tags.follow != UNSPEC)
def_sudoedit_follow = cs->tags.follow;
}
debug_return_bool(true);
}
/*
* Look up the user in the sudoers prase tree and check to see if they are
* allowed to run the specified command on this host as the target user.
*/
int
sudoers_lookup(struct sudo_nss_list *snl, struct passwd *pw, int validated,
int pwflag)
{
struct defaults_list *defs = NULL;
struct cmndspec *cs = NULL;
struct sudo_nss *nss;
int m, match = UNSPEC;
time_t now;
debug_decl(sudoers_lookup, SUDOERS_DEBUG_PARSER)
/*
* Special case checking the "validate", "list" and "kill" pseudo-commands.
*/
if (pwflag)
debug_return_int(sudoers_lookup_pseudo(snl, pw, validated, pwflag));
/* Need to be runas user while stat'ing things. */
if (!set_perms(PERM_RUNAS))
debug_return_int(validated);
/* Query each sudoers source and check the user. */
time(&now);
TAILQ_FOREACH(nss, snl, entries) {
if (nss->query(nss, pw) == -1) {
/* The query function should have printed an error message. */
SET(validated, VALIDATE_ERROR);
break;
}
m = sudoers_lookup_check(nss, pw, &validated, &cs, &defs, now);
if (m != UNSPEC)
match = m;
if (!sudo_nss_can_continue(nss, m))
break;
}
if (defs != NULL)
update_defaults(defs, SETDEF_GENERIC, false);
if (match != UNSPEC) {
if (!apply_cmndspec(cs))
SET(validated, VALIDATE_ERROR);
else if (match == ALLOW)
SET(validated, VALIDATE_SUCCESS);
else
SET(validated, VALIDATE_FAILURE);
}
#if defined(HAVE_SELINUX) || defined(HAVE_PRIV_SET)
done:
#endif
if (!restore_perms())
SET(validated, VALIDATE_ERROR);
debug_return_int(validated);
}
static int
sudo_file_display_priv_short(struct passwd *pw, struct userspec *us,
display_priv_short(struct passwd *pw, struct userspec *us,
struct sudo_lbuf *lbuf)
{
struct cmndspec *cs, *prev_cs;
struct member *m;
struct privilege *priv;
int nfound = 0;
debug_decl(sudo_file_display_priv_short, SUDOERS_DEBUG_NSS)
debug_decl(display_priv_short, SUDOERS_DEBUG_PARSER)
TAILQ_FOREACH(priv, &us->privileges, entries) {
if (hostlist_matches(pw, &priv->hostlist) != ALLOW)
@@ -421,39 +378,41 @@ sudo_file_display_priv_short(struct passwd *pw, struct userspec *us,
static bool
new_long_entry(struct cmndspec *cs, struct cmndspec *prev_cs)
{
debug_decl(new_long_entry, SUDOERS_DEBUG_PARSER)
if (prev_cs == NULL)
return true;
debug_return_bool(true);
if (RUNAS_CHANGED(cs, prev_cs) || TAGS_CHANGED(prev_cs->tags, cs->tags))
return true;
debug_return_bool(true);
#ifdef HAVE_PRIV_SET
if (cs->privs && (!prev_cs->privs || strcmp(cs->privs, prev_cs->privs) != 0))
return true;
debug_return_bool(true);
if (cs->limitprivs && (!prev_cs->limitprivs || strcmp(cs->limitprivs, prev_cs->limitprivs) != 0))
return true;
debug_return_bool(true);
#endif /* HAVE_PRIV_SET */
#ifdef HAVE_SELINUX
if (cs->role && (!prev_cs->role || strcmp(cs->role, prev_cs->role) != 0))
return true;
debug_return_bool(true);
if (cs->type && (!prev_cs->type || strcmp(cs->type, prev_cs->type) != 0))
return true;
debug_return_bool(true);
#endif /* HAVE_SELINUX */
if (cs->timeout != prev_cs->timeout)
return true;
debug_return_bool(true);
if (cs->notbefore != prev_cs->notbefore)
return true;
debug_return_bool(true);
if (cs->notafter != prev_cs->notafter)
return true;
return false;
debug_return_bool(true);
debug_return_bool(false);
}
static int
sudo_file_display_priv_long(struct passwd *pw, struct userspec *us,
display_priv_long(struct passwd *pw, struct userspec *us,
struct sudo_lbuf *lbuf)
{
struct cmndspec *cs, *prev_cs;
struct privilege *priv;
int nfound = 0, olen;
debug_decl(sudo_file_display_priv_long, SUDOERS_DEBUG_NSS)
debug_decl(display_priv_long, SUDOERS_DEBUG_PARSER)
TAILQ_FOREACH(priv, &us->privileges, entries) {
if (hostlist_matches(pw, &priv->hostlist) != ALLOW)
@@ -559,65 +518,46 @@ sudo_file_display_priv_long(struct passwd *pw, struct userspec *us,
debug_return_int(nfound);
}
/* XXX - better naming */
int
static int
sudo_display_userspecs(struct userspec_list *usl, struct passwd *pw,
struct sudo_lbuf *lbuf)
{
struct userspec *us;
int nfound = 0;
debug_decl(sudo_display_userspecs, SUDOERS_DEBUG_NSS)
debug_decl(sudo_display_userspecs, SUDOERS_DEBUG_PARSER)
TAILQ_FOREACH(us, usl, entries) {
if (userlist_matches(pw, &us->users) != ALLOW)
continue;
if (long_list)
nfound += sudo_file_display_priv_long(pw, us, lbuf);
nfound += display_priv_long(pw, us, lbuf);
else
nfound += sudo_file_display_priv_short(pw, us, lbuf);
nfound += display_priv_short(pw, us, lbuf);
}
if (sudo_lbuf_error(lbuf))
debug_return_int(-1);
debug_return_int(nfound);
}
/*
* Returns the number of matching privileges or -1 on error.
*/
static int
sudo_file_display_privs(struct sudo_nss *nss, struct passwd *pw,
struct sudo_lbuf *lbuf)
{
debug_decl(sudo_file_display_priv, SUDOERS_DEBUG_NSS)
if (nss->handle == NULL)
debug_return_int(0);
debug_return_int(sudo_display_userspecs(&userspecs, pw, lbuf));
}
/*
* Display matching Defaults entries for the given user on this host.
*/
int
sudo_file_display_defaults(struct sudo_nss *nss, struct passwd *pw,
static int
display_defaults(struct defaults_list *defs, struct passwd *pw,
struct sudo_lbuf *lbuf)
{
struct defaults *d;
char *prefix;
int nfound = 0;
debug_decl(sudo_file_display_defaults, SUDOERS_DEBUG_NSS)
if (nss->handle == NULL)
goto done;
debug_decl(display_defaults, SUDOERS_DEBUG_PARSER)
if (lbuf->len == 0 || isspace((unsigned char)lbuf->buf[lbuf->len - 1]))
prefix = " ";
else
prefix = ", ";
TAILQ_FOREACH(d, &defaults, entries) {
TAILQ_FOREACH(d, defs, entries) {
switch (d->type) {
case DEFAULTS_HOST:
if (hostlist_matches(pw, d->binding) != ALLOW)
@@ -636,26 +576,6 @@ sudo_file_display_defaults(struct sudo_nss *nss, struct passwd *pw,
prefix = ", ";
nfound++;
}
if (sudo_lbuf_error(lbuf))
debug_return_int(-1);
done:
debug_return_int(nfound);
}
/*
* Display Defaults entries that are per-runas or per-command
*/
int
sudo_file_display_bound_defaults(struct sudo_nss *nss, struct passwd *pw,
struct sudo_lbuf *lbuf)
{
int nfound = 0;
debug_decl(sudo_file_display_bound_defaults, SUDOERS_DEBUG_NSS)
/* XXX - should only print ones that match what the user can do. */
nfound += display_bound_defaults(DEFAULTS_RUNAS, lbuf);
nfound += display_bound_defaults(DEFAULTS_CMND, lbuf);
if (sudo_lbuf_error(lbuf))
debug_return_int(-1);
debug_return_int(nfound);
@@ -665,14 +585,15 @@ sudo_file_display_bound_defaults(struct sudo_nss *nss, struct passwd *pw,
* Display Defaults entries of the given type.
*/
static int
display_bound_defaults(int deftype, struct sudo_lbuf *lbuf)
display_bound_defaults_by_type(struct defaults_list *defs, int deftype,
struct sudo_lbuf *lbuf)
{
struct defaults *d;
struct member_list *binding = NULL;
struct member *m;
char *dsep;
int atype, nfound = 0;
debug_decl(display_bound_defaults, SUDOERS_DEBUG_NSS)
debug_decl(display_bound_defaults_by_type, SUDOERS_DEBUG_PARSER)
switch (deftype) {
case DEFAULTS_HOST:
@@ -694,7 +615,7 @@ display_bound_defaults(int deftype, struct sudo_lbuf *lbuf)
default:
debug_return_int(-1);
}
TAILQ_FOREACH(d, &defaults, entries) {
TAILQ_FOREACH(d, defs, entries) {
if (d->type != deftype)
continue;
@@ -721,51 +642,208 @@ display_bound_defaults(int deftype, struct sudo_lbuf *lbuf)
}
/*
* Returns 0 if the command is allowed, 1 if not or -1 on error.
* Display Defaults entries that are per-runas or per-command
*/
static int
display_bound_defaults(struct defaults_list *defs, struct passwd *pw,
struct sudo_lbuf *lbuf)
{
int nfound = 0;
debug_decl(display_bound_defaults, SUDOERS_DEBUG_PARSER)
/* XXX - should only print ones that match what the user can do. */
nfound += display_bound_defaults_by_type(defs, DEFAULTS_RUNAS, lbuf);
nfound += display_bound_defaults_by_type(defs, DEFAULTS_CMND, lbuf);
if (sudo_lbuf_error(lbuf))
debug_return_int(-1);
debug_return_int(nfound);
}
static int
output(const char *buf)
{
struct sudo_conv_message msg;
struct sudo_conv_reply repl;
debug_decl(output, SUDOERS_DEBUG_NSS)
/* Call conversation function */
memset(&msg, 0, sizeof(msg));
msg.msg_type = SUDO_CONV_INFO_MSG;
msg.msg = buf;
memset(&repl, 0, sizeof(repl));
if (sudo_conv(1, &msg, &repl, NULL) == -1)
debug_return_int(0);
debug_return_int(strlen(buf));
}
/*
* Print out privileges for the specified user.
* Returns true on success or -1 on error.
*/
int
sudo_file_display_cmnd(struct sudo_nss *nss, struct passwd *pw)
display_privs(struct sudo_nss_list *snl, struct passwd *pw)
{
struct sudo_nss *nss;
struct sudo_lbuf def_buf, priv_buf;
struct stat sb;
int cols, count, olen, n;
debug_decl(display_privs, SUDOERS_DEBUG_PARSER)
/* Query all sudoers sources first. */
TAILQ_FOREACH(nss, snl, entries) {
if (nss->query(nss, pw) == -1) {
/* The query function should have printed an error message. */
debug_return_int(-1);
}
}
cols = sudo_user.cols;
if (fstat(STDOUT_FILENO, &sb) == 0 && S_ISFIFO(sb.st_mode))
cols = 0;
sudo_lbuf_init(&def_buf, output, 4, NULL, cols);
sudo_lbuf_init(&priv_buf, output, 8, NULL, cols);
sudo_lbuf_append(&def_buf, _("Matching Defaults entries for %s on %s:\n"),
pw->pw_name, user_srunhost);
count = 0;
TAILQ_FOREACH(nss, snl, entries) {
n = display_defaults(&nss->defaults, pw, &def_buf);
if (n == -1)
goto bad;
count += n;
}
if (count != 0) {
sudo_lbuf_append(&def_buf, "\n\n");
} else {
/* Undo Defaults header. */
def_buf.len = 0;
}
/* Display Runas and Cmnd-specific defaults. */
olen = def_buf.len;
sudo_lbuf_append(&def_buf, _("Runas and Command-specific defaults for %s:\n"),
pw->pw_name);
count = 0;
TAILQ_FOREACH(nss, snl, entries) {
n = display_bound_defaults(&nss->defaults, pw, &def_buf);
if (n == -1)
goto bad;
count += n;
}
if (count != 0) {
sudo_lbuf_append(&def_buf, "\n\n");
} else {
/* Undo Defaults header. */
def_buf.len = olen;
}
/* Display privileges from all sources. */
sudo_lbuf_append(&priv_buf,
_("User %s may run the following commands on %s:\n"),
pw->pw_name, user_srunhost);
count = 0;
TAILQ_FOREACH(nss, snl, entries) {
n = sudo_display_userspecs(&nss->userspecs, pw, &priv_buf);
if (n == -1)
goto bad;
count += n;
}
if (count == 0) {
def_buf.len = 0;
priv_buf.len = 0;
sudo_lbuf_append(&priv_buf,
_("User %s is not allowed to run sudo on %s.\n"),
pw->pw_name, user_shost);
}
if (sudo_lbuf_error(&def_buf) || sudo_lbuf_error(&priv_buf))
goto bad;
sudo_lbuf_print(&def_buf);
sudo_lbuf_print(&priv_buf);
sudo_lbuf_destroy(&def_buf);
sudo_lbuf_destroy(&priv_buf);
debug_return_int(true);
bad:
sudo_lbuf_destroy(&def_buf);
sudo_lbuf_destroy(&priv_buf);
debug_return_int(-1);
}
static int
display_cmnd_check(struct sudo_nss *nss, struct passwd *pw, time_t now)
{
int host_match, runas_match, cmnd_match;
struct cmndspec *cs;
struct member *match;
struct privilege *priv;
struct userspec *us;
int ret = 1;
int host_match, runas_match, cmnd_match;
debug_decl(sudo_file_display_cmnd, SUDOERS_DEBUG_NSS)
debug_decl(display_cmnd_check, SUDOERS_DEBUG_PARSER)
if (nss->handle == NULL)
goto done;
match = NULL;
TAILQ_FOREACH_REVERSE(us, &userspecs, userspec_list, entries) {
TAILQ_FOREACH_REVERSE(us, &nss->userspecs, userspec_list, entries) {
if (userlist_matches(pw, &us->users) != ALLOW)
continue;
TAILQ_FOREACH_REVERSE(priv, &us->privileges, privilege_list, entries) {
host_match = hostlist_matches(pw, &priv->hostlist);
if (host_match != ALLOW)
continue;
TAILQ_FOREACH_REVERSE(cs, &priv->cmndlist, cmndspec_list, entries) {
if (cs->notbefore != UNSPEC) {
if (now < cs->notbefore)
continue;
}
if (cs->notafter != UNSPEC) {
if (now > cs->notafter)
continue;
}
runas_match = runaslist_matches(cs->runasuserlist,
cs->runasgrouplist, NULL, NULL);
if (runas_match == ALLOW) {
cmnd_match = cmnd_matches(cs->cmnd);
if (cmnd_match != UNSPEC) {
if (cmnd_match == ALLOW)
match = cs->cmnd;
goto matched;
}
if (cmnd_match != UNSPEC)
debug_return_int(cmnd_match);
}
}
}
}
matched:
if (match != NULL && !match->negated) {
debug_return_int(UNSPEC);
}
/*
* Check user_cmnd against sudoers and print the matching entry if the
* command is allowed.
* Returns true if the command is allowed, false if not or -1 on error.
*/
int
display_cmnd(struct sudo_nss_list *snl, struct passwd *pw)
{
struct sudo_nss *nss;
int m, match = UNSPEC;
int ret = false;
time_t now;
debug_decl(display_cmnd, SUDOERS_DEBUG_PARSER)
/* Iterate over each source, checking for the command. */
time(&now);
TAILQ_FOREACH(nss, snl, entries) {
if (nss->query(nss, pw) == -1) {
/* The query function should have printed an error message. */
debug_return_int(-1);
}
m = display_cmnd_check(nss, pw, now);
if (m != UNSPEC)
match = m;
if (!sudo_nss_can_continue(nss, m))
break;
}
if (match == ALLOW) {
const int len = sudo_printf(SUDO_CONV_INFO_MSG, "%s%s%s\n",
safe_cmnd, user_args ? " " : "", user_args ? user_args : "");
ret = len < 0 ? -1 : 0;
ret = len < 0 ? -1 : true;
}
done:
debug_return_int(ret);
}