Commit Graph

63 Commits

Author SHA1 Message Date
Todd C. Miller
821e8a07da Silence a false positive from the clang static analyzer. 2018-03-21 14:55:17 -06:00
Todd C. Miller
ff79de8592 Initial support filtering by user, group and host in cvtsudoers.
Currently forces alias expansion when a filter is applied and the
entire matching user or host list is printed, even the non-matching
entries.  This effectively allows you to grep sudoers by user, group
and host.
2018-03-21 12:24:11 -06:00
Todd C. Miller
bc5e2d06a7 Add free_default() to free a struct defaults pointer so we have a
single place where we free the defaults.  A pointer to the previous
Default's binding may be passed in to avoid freeing an already free
binding.
2018-03-21 12:11:19 -06:00
Todd C. Miller
910f288948 fix compilation on Solaris 2018-03-10 20:16:20 -07:00
Todd C. Miller
bb31544fcc In sudoers_format_userspecs make the separator optional and silence
a printf format warning.
2018-03-06 13:42:56 -07:00
Todd C. Miller
5c36f9dec3 Initial support for adding comments that will be emitted when
sudoers is formatted.  Currently adds a comment for the source
sudoRole when converting from ldif -> sudoers.
2018-03-04 07:03:43 -07:00
Todd C. Miller
670d8e6d77 Special case comment lines in lbufs. 2018-03-04 07:03:41 -07:00
Todd C. Miller
c9b70940cf When formatting as sudoers, flush the lbuf after each userspec. 2018-03-03 07:42:10 -07:00
Todd C. Miller
64e99328e3 Move sudoers formatting code into fmtsudoers. 2018-02-09 18:22:04 -07:00
Todd C. Miller
2522229e86 Rename sudo_file_append_default() -> sudo_lbuf_append_default() and
use it for ldap and sssd too.
2018-02-09 18:22:02 -07:00
Todd C. Miller
3226f7e28b Move common bits of ldap to sudoers conversion into ldap_common.c
and use it in sssd.c.
2018-02-09 18:21:40 -07:00
Todd C. Miller
4e2402a8e4 Convert ldap results into a sudoers userspec so we can use the "sudo
-l" output functions in parse.c.
2018-02-09 18:21:01 -07:00
Todd C. Miller
5cca4b6906 Refactor member freeing code into free_member().
Refactor userspec freeing code into free_userspec().
2018-02-05 13:33:29 -07:00
Todd C. Miller
3354cbd021 Add sudoers output format to cvtsudoers. In the future this may
be used with filters to emit a partial sudoers file instead of a
full one.
2018-02-02 14:29:19 -07:00
Todd C. Miller
f4ce2b25fc Move SUDOERS_QUOTED define to parse.h 2018-02-02 06:28:04 -07:00
Todd C. Miller
48fba3c2cc update my email to Todd.Miller@sudo.ws 2017-12-03 17:53:40 -07:00
Todd C. Miller
022ac87d66 avoid padding in struct cmndspec 2017-06-09 08:58:44 -06:00
Todd C. Miller
b5e7b7bd2c Move the file digest code out of match.c and into filedigest.c.
Inspired by RedHat changes that used libgcrypt.
Also add digest_type_to_name() to map a sudo digest type (int)
to a name (string) and use it.
2017-02-20 16:44:12 -07:00
Todd C. Miller
e5dee1557e Add NOTBEFORE and NOTAFTER command options similar to what is
already available in LDAP.
2017-02-18 15:35:48 -07:00
Todd C. Miller
24cdbb8de1 Split out tags again so they must precede the command and not allow
them to be mixed in with options.
2017-02-14 15:56:34 -07:00
Todd C. Miller
3980f1531b Add support for command timeouts in sudoers. After the timeout,
the command will be terminated.
2017-02-14 15:56:34 -07:00
Todd C. Miller
4f9dcd7264 Merge command tags, SELinux type/role and Solaris privs settings
into "command options".  This relaxes the order of things so tags
and other options can be interspersed.
2017-02-14 15:56:34 -07:00
Todd C. Miller
09438e5b42 Include parse.h in timestr.c which is where function prototype lives. 2017-02-13 13:44:11 -07:00
Todd C. Miller
7524c231cc Store the file/lineno for alias and userspec entries so we can
provide that info if there is an error.
2016-11-12 19:22:32 -07:00
Todd C. Miller
79ca752802 Go back to parsing Defaults entries in update_defaults instead of
as sudoers is read.  Otherwise, we cannot properly support early
defaults like sudoers_locale.
2016-11-09 16:00:12 -07:00
Todd C. Miller
df8404dbd4 Instead of parsing sudoers Defaults twice, parse once while reading
sudoers and then just set the parsed value in update_defaults().
2016-11-06 18:59:49 -07:00
Todd C. Miller
f6ce83ea76 Only treat an unknown Defaults entry as a parse error in visudo,
not in sudo itself.
2016-11-01 15:08:11 -06:00
Todd C. Miller
0aa216ed55 Refactor freeing of a member_list into free_members(). 2016-11-01 14:15:07 -06:00
Todd C. Miller
b165a5ff71 Use RUNAS_USER_SPECIFIED and RUNAS_GROUP_SPECIFIED when deciding
whether to check runas user/group instead of checking runas_pw or
runas_gr.
2016-09-15 13:47:38 -06:00
Todd C. Miller
ef82f792a1 Update check for whether or not the runas user was set in the ldap
and sssd backends to match the sudoers file backend.  Introduces
the runas_user_set() macro to improve readability.  Previously,
runas_pw was set late, now it is set before checking sudoers.
2016-09-15 09:37:53 -06:00
Todd C. Miller
8b4de84049 Remove unnecessary NULL checks in the RUNAS_CHANGED macro. The
only place where the pointers could be NULL is in visudo_json.c but
we already check for "next" being NULL there.  Quiets a cppcheck
warning.
2016-05-10 06:32:55 -06:00
Todd C. Miller
5a77989a33 Add support for matching the entire netgroup tuple (user, host, domain). 2016-01-12 14:59:44 -07:00
Todd C. Miller
3354d27a17 Do not follow symbolic links in sudoedit by default. This behavior
can be controlled by the sudoedit_follow Defaults flag as well as
the FOLLOW/NOFOLLOW tags.
2015-08-06 13:20:01 -06:00
Todd C. Miller
2bf454b74d Use non-exiting allocators in the redblack tree and fix the fallout.
Also switch to non-exiting allocators in affected code blocks.
2015-05-27 09:51:54 -06:00
Todd C. Miller
46770c9588 The error string returned by alias_add should be const. 2015-05-27 09:48:34 -06:00
Todd C. Miller
05a01d4c5d Avoid using a leading underbar in defines as they are reserved in
ISO C.
2015-05-21 11:13:20 -06:00
Todd C. Miller
45548cf049 Add support for MAIL and NOMAIL command tags to toggle mail sending
behavior on a per-command (or Cmnd_Alias) basis.
2015-02-19 10:02:20 -07:00
Todd C. Miller
7ec9cfb493 When querying LDAP netgroups, use the NIS domain if it is sent but
also match nisNetgroupTriple entries that have no domain.
2015-01-30 14:45:22 -07:00
Todd C. Miller
27598bc0ab Update copyright year. 2014-01-07 10:43:31 -07:00
Todd C. Miller
f57beb1afa Go back to making the bit fields in struct cmndtag explicitly signed.
This fixes a problem on gcc 4.8 (at least) which appears to be
treating the value as unsigned by default.
2014-01-07 10:35:56 -07:00
Todd C. Miller
eb44a5ba5c No need to use __signed. 2013-12-17 16:08:18 -07:00
Todd C. Miller
2508da6f68 Better match debugging.
Sprinkle const in match functions.
2013-12-05 14:34:56 -07:00
Todd C. Miller
bba91c008b Remove unused digest field from struct cmndspec, the digest really
lives in struct sudo_command.
2013-11-13 16:17:16 -07:00
Todd C. Miller
07a804caf3 Quiet sign comparision warnings. 2013-10-23 15:03:31 -06:00
Todd C. Miller
b38d253e98 Add "headless" tail queues and use them in place of the semi-circular
lists in sudoers.  Once the headless tail queue is built up it is
converted to a normal TAILQ.  This removes the last consumer of
list.c and list.h so those can now be removed.
2013-10-22 09:08:38 -06:00
Todd C. Miller
923edabe6c Convert sudo to use BSD TAILQ macros instead of home ground tail
queue functions.  This includes a private queue.h header derived
from FreeBSD.  It is simpler to just use our own header rather than
try to deal with macros that may or may not be present in various
queue.h incarnations.
2013-10-22 09:00:37 -06:00
Todd C. Miller
ab61c02546 Replace sequence number-based cycle detection in visudo with a
"used" flag in struct alias.  The caller is required to call
alias_put() when it is done with the alias.  Inspired by a patch
from Daniel Kopecek.
2013-05-22 11:32:08 -04:00
Todd C. Miller
d6282d154a Update copyright years. 2013-04-24 09:35:02 -04:00
Todd C. Miller
9c1ee1fe73 Move base64_decode into its own source file. 2013-04-17 09:32:27 -04:00
Todd C. Miller
cc3c76b85d Add digest support for sudoers in ldap and sss. 2013-04-16 16:03:37 -04:00