diff --git a/MANIFEST b/MANIFEST index c843995e0..c4c144a3b 100644 --- a/MANIFEST +++ b/MANIFEST @@ -649,6 +649,7 @@ plugins/sudoers/iolog.c plugins/sudoers/iolog_path_escapes.c plugins/sudoers/ldap.c plugins/sudoers/ldap_conf.c +plugins/sudoers/ldap_innetgr.c plugins/sudoers/ldap_util.c plugins/sudoers/linux_audit.c plugins/sudoers/linux_audit.h diff --git a/configure b/configure index 4c50613dc..2b1808c4d 100755 --- a/configure +++ b/configure @@ -30941,7 +30941,7 @@ fi with_ldap=yes fi - SUDOERS_OBJS="${SUDOERS_OBJS} ldap.lo ldap_conf.lo" + SUDOERS_OBJS="${SUDOERS_OBJS} ldap.lo ldap_conf.lo ldap_innetgr.lo" case "$SUDOERS_OBJS" in *ldap_util.lo*) ;; *) SUDOERS_OBJS="${SUDOERS_OBJS} ldap_util.lo";; diff --git a/m4/ldap.m4 b/m4/ldap.m4 index 78c21e0bc..68aca3922 100644 --- a/m4/ldap.m4 +++ b/m4/ldap.m4 @@ -11,7 +11,7 @@ AC_DEFUN([SUDO_CHECK_LDAP], [ AX_APPEND_FLAG([-I${with_ldap}/include], [CPPFLAGS]) with_ldap=yes fi - SUDOERS_OBJS="${SUDOERS_OBJS} ldap.lo ldap_conf.lo" + SUDOERS_OBJS="${SUDOERS_OBJS} ldap.lo ldap_conf.lo ldap_innetgr.lo" case "$SUDOERS_OBJS" in *ldap_util.lo*) ;; *) SUDOERS_OBJS="${SUDOERS_OBJS} ldap_util.lo";; diff --git a/plugins/sudoers/Makefile.in b/plugins/sudoers/Makefile.in index 5971b144c..5e2fef27a 100644 --- a/plugins/sudoers/Makefile.in +++ b/plugins/sudoers/Makefile.in @@ -2075,6 +2075,32 @@ ldap_conf.i: $(srcdir)/ldap_conf.c $(devdir)/def_data.h \ $(CC) -E -o $@ $(CPPFLAGS) $< ldap_conf.plog: ldap_conf.i rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/ldap_conf.c --i-file $< --output-file $@ +ldap_innetgr.lo: $(srcdir)/ldap_innetgr.c $(devdir)/def_data.h \ + $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \ + $(incdir)/sudo_conf.h $(incdir)/sudo_debug.h \ + $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ + $(srcdir)/sudo_ldap.h $(srcdir)/sudo_ldap_conf.h \ + $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/ldap_innetgr.c +ldap_innetgr.i: $(srcdir)/ldap_innetgr.c $(devdir)/def_data.h \ + $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \ + $(incdir)/sudo_conf.h $(incdir)/sudo_debug.h \ + $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ + $(srcdir)/sudo_ldap.h $(srcdir)/sudo_ldap_conf.h \ + $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h + $(CC) -E -o $@ $(CPPFLAGS) $< +ldap_innetgr.plog: ldap_innetgr.i + rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/ldap_innetgr.c --i-file $< --output-file $@ ldap_util.lo: $(srcdir)/ldap_util.c $(devdir)/def_data.h $(devdir)/gram.h \ $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \ $(incdir)/sudo_conf.h $(incdir)/sudo_debug.h \ diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c index 1e224dc11..c7a6a8049 100644 --- a/plugins/sudoers/ldap.c +++ b/plugins/sudoers/ldap.c @@ -1955,6 +1955,14 @@ sudo_ldap_parse(struct sudo_nss *nss) debug_return_ptr(&handle->parse_tree); } +static int +sudo_ldap_innetgr(struct sudo_nss *nss, const char *netgr, const char *host, + const char *user, const char *domain) +{ + const struct sudo_ldap_handle *handle = nss->handle; + return sudo_ldap_innetgr_int(handle->ld, netgr, host, user, domain); +} + #if 0 /* * Create an ldap_result from an LDAP search result. @@ -2013,5 +2021,6 @@ struct sudo_nss sudo_nss_ldap = { sudo_ldap_close, sudo_ldap_parse, sudo_ldap_query, - sudo_ldap_getdefs + sudo_ldap_getdefs, + sudo_ldap_innetgr }; diff --git a/plugins/sudoers/ldap_innetgr.c b/plugins/sudoers/ldap_innetgr.c new file mode 100644 index 000000000..d0005b8c8 --- /dev/null +++ b/plugins/sudoers/ldap_innetgr.c @@ -0,0 +1,264 @@ +/* + * SPDX-License-Identifier: ISC + * + * Copyright (c) 2023 Todd C. Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +/* + * This is an open source non-commercial project. Dear PVS-Studio, please check it. + * PVS-Studio Static Code Analyzer for C, C++ and C#: http://www.viva64.com + */ + +#include + +#include +#include +#include +#include +#include +#ifdef HAVE_STRINGS_H +# include +#endif /* HAVE_STRINGS_H */ +#include +#include +#ifdef HAVE_LBER_H +# include +#endif +#include + +#include "sudoers.h" +#include "sudo_ldap.h" +#include "sudo_ldap_conf.h" + +/* + * Compare str to netgroup string ngstr of length nglen where str is a + * NUL-terminated string and ngstr is part of a netgroup triple string. + * Uses innetgr(3)-style matching rules. + * Returns true if the strings match, else false. + */ +static bool +sudo_ldap_netgroup_match_str(const char *str, const char *ngstr, size_t nglen, + bool ignore_case) +{ + debug_decl(sudo_ldap_netgroup_match_str, SUDOERS_DEBUG_LDAP); + + /* Skip leading whitespace. */ + while (isspace((unsigned char)*ngstr) && nglen > 0) { + ngstr++; + nglen--; + } + /* Skip trailing whitespace. */ + while (nglen > 0 && isspace((unsigned char)ngstr[nglen - 1])) { + nglen--; + } + + sudo_debug_printf(SUDO_DEBUG_DEBUG, "%s: compare \"%s\" to \"%.*s\"", + __func__, str ? str : "", (int)nglen, ngstr); + + if (nglen == 0 || str == NULL) { + /* An empty string is a wildcard. */ + debug_return_bool(true); + } + if (*ngstr == '-' && nglen == 1) { + /* '-' means no valid value. */ + debug_return_bool(str == NULL); + } + if (ignore_case) { + if (strncasecmp(str, ngstr, nglen) == 0 && str[nglen] == '\0') + debug_return_bool(true); + } else { + if (strncmp(str, ngstr, nglen) == 0 && str[nglen] == '\0') + debug_return_bool(true); + } + debug_return_bool(false); +} + +/* + * Match the specified netgroup triple using the given host, + * user and domain. Matching rules as per innetgr(3). + * Returns 1 on match, else 0. + */ +static int +sudo_ldap_match_netgroup(const char *triple, const char *host, + const char *user, const char *domain) +{ + const char *cp, *ep; + debug_decl(sudo_ldap_match_netgroup, SUDOERS_DEBUG_LDAP); + + /* Trim leading space, check for opening paren. */ + while (isspace((unsigned char)*triple)) + triple++; + if (*triple != '(') { + sudo_debug_printf(SUDO_DEBUG_ERROR, "%s: invalid triple: %s", + __func__, triple); + debug_return_int(0); + } + sudo_debug_printf(SUDO_DEBUG_INFO, "%s: matching (%s,%s,%s) against %s", + __func__, host ? host : "", user ? user : "", domain ? domain : "", + triple); + + /* Parse host. */ + cp = triple + 1; + ep = strchr(cp, ','); + if (ep == NULL || !sudo_ldap_netgroup_match_str(host, cp, ep - cp, true)) + debug_return_int(0); + + /* Parse user. */ + cp = ep + 1; + ep = strchr(cp, ','); + if (ep == NULL || !sudo_ldap_netgroup_match_str(user, cp, ep - cp, def_case_insensitive_user)) + debug_return_int(0); + + /* Parse domain. */ + cp = ep + 1; + ep = strchr(cp, ')'); + if (ep == NULL || !sudo_ldap_netgroup_match_str(domain, cp, ep - cp, true)) + debug_return_int(0); + + debug_return_int(1); +} + +#define MAX_NETGROUP_DEPTH 128 +struct netgroups_seen { + const char *groups[MAX_NETGROUP_DEPTH]; + size_t len; +}; + +static int +sudo_ldap_innetgr_base(LDAP *ld, const char *base, + struct timeval *timeout, const char *netgr, const char *host, + const char *user, const char *domain, struct netgroups_seen *seen) +{ + char *escaped_netgr = NULL, *filt = NULL; + LDAPMessage *entry, *result = NULL; + int rc, ret = 0; + size_t n; + debug_decl(sudo_ldap_innetgr_base, SUDOERS_DEBUG_LDAP); + + /* Cycle detection. */ + for (n = 0; n < seen->len; n++) { + if (strcmp(netgr, seen->groups[n]) == 0) { + DPRINTF1("%s: cycle in netgroups", netgr); + goto done; + } + } + if (seen->len + 1 > MAX_NETGROUP_DEPTH) { + DPRINTF1("%s: too many nested netgroups", netgr); + goto done; + } + seen->groups[seen->len++] = netgr; + + /* Escape the netgroup name per RFC 4515. */ + if ((escaped_netgr = sudo_ldap_value_dup(netgr)) == NULL) + goto done; + + /* Build nisNetgroup query. */ + rc = asprintf(&filt, "(&%s(cn=%s))", + ldap_conf.netgroup_search_filter, escaped_netgr); + if (rc == -1) + goto done; + DPRINTF1("ldap netgroup search filter: '%s'", filt); + + /* Perform an LDAP query for nisNetgroup. */ + DPRINTF1("searching from netgroup_base '%s'", base); + rc = ldap_search_ext_s(ld, base, LDAP_SCOPE_SUBTREE, filt, + NULL, 0, NULL, NULL, timeout, 0, &result); + free(filt); + if (rc != LDAP_SUCCESS) { + DPRINTF1("ldap netgroup search failed: %s", ldap_err2string(rc)); + goto done; + } + + LDAP_FOREACH(entry, ld, result) { + struct berval **bv, **p; + + /* Check all nisNetgroupTriple entries. */ + bv = ldap_get_values_len(ld, entry, "nisNetgroupTriple"); + if (bv == NULL) { + const int optrc = ldap_get_option(ld, LDAP_OPT_RESULT_CODE, &rc); + if (optrc != LDAP_OPT_SUCCESS || rc == LDAP_NO_MEMORY) + debug_return_int(-1); + } else { + for (p = bv; *p != NULL && !ret; p++) { + char *val = (*p)->bv_val; + if (sudo_ldap_match_netgroup(val, host, user, domain)) { + ret = 1; + break; + } + } + ldap_value_free_len(bv); + if (ret == 1) + break; + } + + /* Handle nested netgroups. */ + bv = ldap_get_values_len(ld, entry, "memberNisNetgroup"); + if (bv == NULL) { + const int optrc = ldap_get_option(ld, LDAP_OPT_RESULT_CODE, &rc); + if (optrc != LDAP_OPT_SUCCESS || rc == LDAP_NO_MEMORY) + debug_return_int(-1); + } else { + for (p = bv; *p != NULL && !ret; p++) { + const char *val = (*p)->bv_val; + const size_t saved_len = seen->len; + ret = sudo_ldap_innetgr_base(ld, base, timeout, val, host, + user, domain, seen); + /* Restore seen state to avoid use-after-free. */ + seen->len = saved_len; + } + ldap_value_free_len(bv); + } + } + +done: + ldap_msgfree(result); + free(escaped_netgr); + + debug_return_int(ret); +} + +int +sudo_ldap_innetgr_int(void *v, const char *netgr, const char *host, + const char *user, const char *domain) +{ + LDAP *ld = v; + struct timeval tv, *tvp = NULL; + struct ldap_config_str *base; + struct netgroups_seen seen; + int ret = 0; + debug_decl(sudo_ldap_innetgr, SUDOERS_DEBUG_LDAP); + + if (STAILQ_EMPTY(&ldap_conf.netgroup_base)) { + /* LDAP netgroups not configured. */ + debug_return_int(-1); + } + + if (ldap_conf.timeout > 0) { + tv.tv_sec = ldap_conf.timeout; + tv.tv_usec = 0; + tvp = &tv; + } + + /* Perform an LDAP query for nisNetgroup. */ + STAILQ_FOREACH(base, &ldap_conf.netgroup_base, entries) { + seen.len = 0; + ret = sudo_ldap_innetgr_base(ld, base->val, tvp, netgr, host, + user, domain, &seen); + if (ret != 0) + break; + } + + debug_return_int(ret); +} diff --git a/plugins/sudoers/sudo_ldap.h b/plugins/sudoers/sudo_ldap.h index 0fc839b35..53538e168 100644 --- a/plugins/sudoers/sudo_ldap.h +++ b/plugins/sudoers/sudo_ldap.h @@ -49,6 +49,9 @@ /* Iterators used by sudo_ldap_role_to_priv() to handle bervar ** or char ** */ typedef char * (*sudo_ldap_iter_t)(void **); +/* ldap_innetgr.c */ +int sudo_ldap_innetgr_int(void *v, const char *netgr, const char *host, const char *user, const char *domain); + /* ldap_util.c */ bool sudo_ldap_is_negated(char **valp); size_t sudo_ldap_value_len(const char *value); diff --git a/scripts/mkdep.pl b/scripts/mkdep.pl index d6a483fea..df4f39fb1 100755 --- a/scripts/mkdep.pl +++ b/scripts/mkdep.pl @@ -116,7 +116,7 @@ sub mkdep { $makefile =~ s:\@DEV\@::g; $makefile =~ s:\@COMMON_OBJS\@:aix.lo event_poll.lo event_select.lo:; $makefile =~ s:\@SUDO_OBJS\@:intercept.pb-c.o openbsd.o preload.o apparmor.o selinux.o sesh.o solaris.o:; - $makefile =~ s:\@SUDOERS_OBJS\@:bsm_audit.lo linux_audit.lo ldap.lo ldap_util.lo ldap_conf.lo solaris_audit.lo sssd.lo:; + $makefile =~ s:\@SUDOERS_OBJS\@:bsm_audit.lo linux_audit.lo ldap.lo ldap_util.lo ldap_conf.lo ldap_innetgr.lo solaris_audit.lo sssd.lo:; # XXX - fill in AUTH_OBJS from contents of the auth dir instead $makefile =~ s:\@AUTH_OBJS\@:afs.lo aix_auth.lo bsdauth.lo dce.lo fwtk.lo getspwuid.lo kerb5.lo pam.lo passwd.lo rfc1938.lo secureware.lo securid5.lo sia.lo:; $makefile =~ s:\@DIGEST\@:digest.lo digest_openssl.lo digest_gcrypt.lo:;