isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
4,103 Commits 1 Branch 0 Tags
c7a2ef7a1e80e5e99b442bd30ab0f044fca4bfda
Commit Graph

228 Commits

Author SHA1 Message Date
Todd C. Miller
f2b70188b6 Add support for SELinux RBAC. Sudoers entries may specify a role and type. 
There are also role and type defaults that may be used.  To make sure a
transition occurs, when using RBAC commands are executed via the new sesh
binary.  Based on initial changes from Dan Walsh.
 2008-02-09 14:30:06 +00:00
Todd C. Miller
5d20923c2f Add long list (sudo -ll) support for printing verbose LDAP and sudoers 
file entries.  Still need to update manual.
 2008-02-08 13:18:12 +00:00
Todd C. Miller
3c7b76bb54 Unify the -l output for file and ldap based sudoers and use lbufs for both. 
The ldap output does not currently include options that cannot be represented
as tags.  This will be remedied in a long list output mode to come.
 2008-02-03 15:43:38 +00:00
Todd C. Miller
fb01648878 Move display_privs() and display_cmnd() from parse.c to sudo_nss.c. 
This should make it possible to build an LDAP-only sudo binary.
 2008-01-05 21:25:28 +00:00
Todd C. Miller
28ed51b441 Improve chaining of multiple sudoers sources by passing in the previous return value to the next in the chain 2008-01-05 18:27:18 +00:00
Todd C. Miller
53aec6601e Free up parser data structures in sudo_file_close(). 2008-01-05 13:13:06 +00:00
Todd C. Miller
d2de8d5fed Honor def_ignore_local_sudoers 2008-01-01 18:12:00 +00:00
Todd C. Miller
4d8f37f4bd Refactor group vector resetting into a function and also call it 
from display_cmnd.
Stop after the first sucessful match in display_cmnd.
Print a newline between each display_privs method.
 2007-12-31 21:36:53 +00:00
Todd C. Miller
36b221af26 fix double free introduced in rev 1.218 2007-12-31 21:23:46 +00:00
Todd C. Miller
0a2166272c Make the inability to read the sudoers file a non-fatal error if 
there are other sudoers sources available.
sudoers_file_lookup now returns "not OK" if sudoers was not present
 2007-12-31 19:26:52 +00:00
Todd C. Miller
adfaebdb4d nss-ify display_privs and display_cmnd. 2007-12-31 15:08:30 +00:00
Todd C. Miller
3008bb494a move update_defaults() to parse.c 2007-12-31 12:54:47 +00:00
Todd C. Miller
ae2ae34528 Use nsswitch to hide some sudoers vs. ldap implementation details 
and reduce the number of #ifdef LDAP
TODO: fix display routines and error handling
 2007-12-31 12:39:52 +00:00
Todd C. Miller
908b8f64e6 Use AC_FUNC_GETGROUPS instead of a home-grown attempt that was insufficient. 2007-11-27 23:40:50 +00:00
Todd C. Miller
f9f4aca556 Add support for runas groups. This allows the user to run a command 
with a different effective group.  If the -g option is specified
without -u the command will be run as the current user (only the
group will change).  the -g and -u options may be used together.
TODO: implement runas group for ldap
      improve runas group documentation
      add testsudoers support
 2007-11-21 20:12:00 +00:00
Todd C. Miller
52b2861bb9 sudo "ALL" now implies the SETENV tag but, unlike an explicit tag, it 
is not passed on to other commands in the list.
 2007-11-21 16:05:31 +00:00
Todd C. Miller
7cd59baada Don't quote *?[]! on output since the lexer does not strip off the 
backslash when reading those in.
 2007-11-08 12:24:41 +00:00
Todd C. Miller
76e5eb434b Add a sequence number in the aliases for loop detection. If we find 
an alias with the seqno already set to the current (global) value we
know we've visited it before so ignore it.
 2007-09-15 11:24:54 +00:00
Todd C. Miller
a0f80d6581 rename lh_ -> tq_ 2007-09-11 19:42:48 +00:00
Todd C. Miller
21f0ea4d68 Each entry in a cmndlist now has an associated runaslist 
so no need to keep track of the most recent non-NULL one.
 2007-09-05 18:45:26 +00:00
Todd C. Miller
19fa259480 Remove support for compilers that don't support void * 2007-08-31 23:30:07 +00:00
Todd C. Miller
d72778832c Move list manipulation macros to list.h and create C versions of 
the more complex ones in list.c.  The names have been down-cased
so they appear more like normal functions.
 2007-08-31 23:13:26 +00:00
Todd C. Miller
10e5d4e708 Use LH_FOREACH_REV when checking permission and short-circuit on 
the first non-UNSPEC hit we get for the command.  This means that
instead of cycling through the all the parsed sudoers entries we
start at the end and work backwards and quit after the first positive
or negative match.
 2007-08-31 01:21:26 +00:00
Todd C. Miller
d1dbe2ecee Change list head macros to take a pointer, not a struct. 2007-08-31 01:12:50 +00:00
Todd C. Miller
8cdea0b941 Use a list head struct when storing the semi-circular lists and 
convert to tail queues in the process.  This will allow us to
reverse foreach loops more easily and it makes it clearer which
functions expect a list as opposed to a single member.

Add macros for manipulating lists.  Some of these should become functions.

When freeing up a list, just pop off the last item in the queue instead
of going from head to tail.  This is simpler since we don't have to
stash a pointer to the next member, we always just use the last one
in the queue until the queue is empty.

Rename match functions that take a list to have list in the name.
Break cmnd_matches() into cmnd_matches() and cmndlist_matches.
 2007-08-30 17:26:35 +00:00
Todd C. Miller
a05abf5c88 Fix pasto, append "!" not negated (which is an int) for sudo -l output. 2007-08-30 17:12:00 +00:00
Todd C. Miller
340831499a Use lbuf_append_quoted() for sudo -l output to quote characters that 
would require quoting in sudoers.
 2007-08-22 22:32:00 +00:00
Todd C. Miller
c6cf39cdfd If a Defaults value contains a blank, double-quote the string. 2007-08-20 23:24:31 +00:00
Todd C. Miller
2315b317e2 Add new linebuf code to do appends of dynamically allocated strings 
and word-wrapped output.  Currently used for sudo's usage() and
sudo -l output.  Sudo usage strings are now in sudo_usage.h which
is generated at configure time.
 2007-08-19 20:48:09 +00:00
Todd C. Miller
d28030c9fd Fix line wrapping in usage() and use the actual tty width instead of 
assuming 80.
 2007-08-18 12:22:16 +00:00
Todd C. Miller
994036cf0d Fix some spacing in "sudo -l" and add a comment about some bogosity 
in the line wrapping.
 2007-08-15 17:49:52 +00:00
Todd C. Miller
317e600f41 Remove monitor support until there is a versino of systrace that 
uses a lookaside buffer (or we have a better mechanism to use).
 2007-08-15 15:20:01 +00:00
Todd C. Miller
c939690786 Deal with OSes where sizeof(gid_t) < sizeof(int). 2007-08-14 19:27:27 +00:00
Todd C. Miller
888540a7be Use ALLOW/DENY instead of TRUE/FALSE when dealing with the return 
value from {user,host,runas,cmnd}_matches().
Rename *matches variables -> *match.
Purely cosmetic.
 2007-07-08 13:43:07 +00:00
Todd C. Miller
1e9030d951 Move setting of FLAG_NO_CHECK into the if(pwflag) block. 
No change in behavior.
 2007-07-08 13:30:07 +00:00
Todd C. Miller
a26c783bea Make pwcheck local to the pwflag block. 
Use pwcheck even if user didn't match since Defaults options may still apply.
 2007-07-06 19:51:03 +00:00
Todd C. Miller
7f0bb4b1a8 Make matching but negated commands/hosts/runas entries override a 
previous match as expected.  Also reduce some levels of indent by
a few placed continue statements.
 2007-07-06 00:20:51 +00:00
Todd C. Miller
bdd5b43f75 Print default runas in "sudo -l" if sudoers don't specify one. 2007-07-05 20:34:00 +00:00
Todd C. Miller
879c46e4dd Add support for setting environment variables on the command line. 
This is only allowed if the setenv sudoers options is enabled or if
the command is prefixed with the SETENV tag.
 2007-06-23 23:58:54 +00:00
Todd C. Miller
98931e0f8f don't call sudo_ldap_display_cmnd if ldap not setup 2005-06-23 03:19:00 +00:00
Todd C. Miller
7ce5994d6c include grp.h to silence a warning on Solaris 2005-04-24 23:22:19 +00:00
Todd C. Miller
f1a0953085 Fix printing of += and -= defaults. 2005-04-23 19:10:16 +00:00
Todd C. Miller
f261a99f22 In -l mode, only check local sudoers file if def_ignore_sudoers is not set 
and call LDAP versions from display_privs() and display_cmnd() instead
of directly from main().  Because of this we need to defer closing
the ldap connection until after -l processing has ocurred and we
must pass in the ldap pointer to display_privs() and display_cmnd().
 2005-04-12 01:37:08 +00:00
Todd C. Miller
d0df82a93a Add macro to test if the tag changed to improve readability. 2005-04-10 21:44:27 +00:00
Todd C. Miller
ce7708e09a Avoid printing defaults header if there are no defaults to print... 2005-04-10 21:40:41 +00:00
Todd C. Miller
9efe91fa1e Move initgroups() for -U option into display_privs() so group matching 
in sudoers works correctly.
 2005-03-29 03:33:05 +00:00
Todd C. Miller
61413ca509 Add missing space in Defaults printing 2005-03-27 01:01:02 +00:00
Todd C. Miller
f35ff3e327 make this build in K&R land 2005-03-10 14:51:48 +00:00
Todd C. Miller
778d587063 Update copyright years. 2005-02-12 22:56:07 +00:00
Todd C. Miller
3b8b88407f Add __unused to rcsids 2005-01-27 15:42:30 +00:00