isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
02f37dc2dae4e96c4892f33767ca42e9033ad302
sudo/sudo.c
Todd C. Miller 02f37dc2da Add support for tuples in def_data.in; these are implemented as an 
enum type.  Currently there is only a single tuple enum but in the
future we may have one tuple enum per T_TUPLE entry in def_data.in.
Currently listpw, verifypw and lecture are tuples.  This avoids the
need to have two entries (one ival, one str) for pwflags and syslog
values.

lecture is now a tuple with the following values: never, once, always

We no longer use both an int and string entry for syslog facilities
and priorities.  Instead, there are logfac2str() and logpri2str()
functions that get used when we need to print the string values.
2003-12-30 22:31:30 +00:00

1049 lines
28 KiB
C
Raw Blame History

/*
* Copyright (c) 1993-1996,1998-2003 Todd C. Miller <Todd.Miller@courtesan.com>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. The name of the author may not be used to endorse or promote products
* derived from this software without specific prior written permission.
*
* 4. Products derived from this software may not be called "Sudo" nor
* may "Sudo" appear in their names without specific prior written
* permission from the author.
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
* THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
* PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
* OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
* WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
* OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
* ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
* Sponsored in part by the Defense Advanced Research Projects
* Agency (DARPA) and Air Force Research Laboratory, Air Force
* Materiel Command, USAF, under agreement number F39502-99-1-0512.
*
* For a brief history of sudo, please see the HISTORY file included
* with this distribution.
*/
#define _SUDO_MAIN
#include "config.h"
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/param.h>
#include <sys/socket.h>
#ifdef HAVE_SETRLIMIT
# include <sys/time.h>
# include <sys/resource.h>
#endif
#include <stdio.h>
#ifdef STDC_HEADERS
# include <stdlib.h>
# include <stddef.h>
#else
# ifdef HAVE_STDLIB_H
# include <stdlib.h>
# endif
#endif /* STDC_HEADERS */
#ifdef HAVE_STRING_H
# if defined(HAVE_MEMORY_H) && !defined(STDC_HEADERS)
# include <memory.h>
# endif
# include <string.h>
#else
# ifdef HAVE_STRINGS_H
# include <strings.h>
# endif
#endif /* HAVE_STRING_H */
#ifdef HAVE_UNISTD_H
# include <unistd.h>
#endif /* HAVE_UNISTD_H */
#ifdef HAVE_ERR_H
# include <err.h>
#else
# include "emul/err.h"
#endif /* HAVE_ERR_H */
#include <pwd.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <grp.h>
#include <time.h>
#include <netinet/in.h>
#include <netdb.h>
#if defined(HAVE_GETPRPWNAM) && defined(HAVE_SET_AUTH_PARAMETERS)
# ifdef __hpux
# undef MAXINT
# include <hpsecurity.h>
# else
# include <sys/security.h>
# endif /* __hpux */
# include <prot.h>
#endif /* HAVE_GETPRPWNAM && HAVE_SET_AUTH_PARAMETERS */
#ifdef HAVE_LOGIN_CAP_H
# include <login_cap.h>
# ifndef LOGIN_DEFROOTCLASS
# define LOGIN_DEFROOTCLASS "daemon"
# endif
#endif
#include "sudo.h"
#include "interfaces.h"
#include "version.h"
#ifndef lint
static const char rcsid[] = "$Sudo$";
#endif /* lint */
/*
* Prototypes
*/
static int init_vars __P((int));
static int parse_args __P((int, char **));
static void check_sudoers __P((void));
static void initial_setup __P((void));
static void set_loginclass __P((struct passwd *));
static void usage __P((int));
static void usage_excl __P((int));
static struct passwd *get_authpw __P((void));
extern void list_matches __P((void));
extern char **rebuild_env __P((int, char **));
extern char **zero_env __P((char **));
extern struct passwd *sudo_getpwnam __P((const char *));
extern struct passwd *sudo_getpwuid __P((uid_t));
/*
* Globals
*/
int Argc, NewArgc;
char **Argv, **NewArgv;
struct sudo_user sudo_user;
struct passwd *auth_pw;
FILE *sudoers_fp;
struct interface *interfaces;
int num_interfaces;
int tgetpass_flags;
uid_t timestamp_uid;
extern int errorlineno;
#if defined(RLIMIT_CORE) && !defined(SUDO_DEVEL)
static struct rlimit corelimit;
#endif /* RLIMIT_CORE && !SUDO_DEVEL */
#ifdef HAVE_LOGIN_CAP_H
login_cap_t *lc;
#endif /* HAVE_LOGIN_CAP_H */
#ifdef HAVE_BSD_AUTH_H
char *login_style;
#endif /* HAVE_BSD_AUTH_H */
void (*set_perms) __P((int));
int
main(argc, argv, envp)
int argc;
char **argv;
char **envp;
{
int validated;
int fd;
int cmnd_status;
int sudo_mode;
int pwflag;
char **new_environ;
sigaction_t sa, saved_sa_int, saved_sa_quit, saved_sa_tstp, saved_sa_chld;
extern int printmatches;
extern char **environ;
Argc = argc;
Argv = argv;
/* Must be done as the first thing... */
#if defined(HAVE_GETPRPWNAM) && defined(HAVE_SET_AUTH_PARAMETERS)
(void) set_auth_parameters(Argc, Argv);
# ifdef HAVE_INITPRIVS
initprivs();
# endif
#endif /* HAVE_GETPRPWNAM && HAVE_SET_AUTH_PARAMETERS */
/* Zero out the environment. */
environ = zero_env(envp);
if (geteuid() != 0)
errx(1, "must be setuid root");
/*
* Signal setup:
* Ignore keyboard-generated signals so the user cannot interrupt
* us at some point and avoid the logging.
* Install handler to wait for children when they exit.
*/
sigemptyset(&sa.sa_mask);
sa.sa_flags = SA_RESTART;
sa.sa_handler = SIG_IGN;
(void) sigaction(SIGINT, &sa, &saved_sa_int);
(void) sigaction(SIGQUIT, &sa, &saved_sa_quit);
(void) sigaction(SIGTSTP, &sa, &saved_sa_tstp);
sa.sa_handler = reapchild;
(void) sigaction(SIGCHLD, &sa, &saved_sa_chld);
/*
* Turn off core dumps, close open files and setup set_perms().
*/
initial_setup();
setpwent();
/* Parse our arguments. */
sudo_mode = parse_args(Argc, Argv);
/* Setup defaults data structures. */
init_defaults();
/* Load the list of local ip addresses and netmasks. */
load_interfaces();
pwflag = 0;
if (sudo_mode & MODE_SHELL)
user_cmnd = "shell";
else
switch (sudo_mode) {
case MODE_VERSION:
(void) printf("Sudo version %s\n", version);
if (getuid() == 0) {
putchar('\n');
dump_auth_methods();
dump_defaults();
dump_interfaces();
}
exit(0);
break;
case MODE_HELP:
usage(0);
break;
case MODE_VALIDATE:
user_cmnd = "validate";
pwflag = I_VERIFYPW;
break;
case MODE_KILL:
case MODE_INVALIDATE:
user_cmnd = "kill";
pwflag = -1;
break;
case MODE_LISTDEFS:
list_options();
exit(0);
break;
case MODE_LIST:
user_cmnd = "list";
pwflag = I_LISTPW;
printmatches = 1;
break;
}
/* Must have a command to run... */
if (user_cmnd == NULL && NewArgc == 0)
usage(1);
cmnd_status = init_vars(sudo_mode);
check_sudoers(); /* check mode/owner on _PATH_SUDOERS */
/* Validate the user but don't search for pseudo-commands. */
validated = sudoers_lookup(pwflag);
/*
* If we are using set_perms_posix() and the stay_setuid flag was not set,
* set the real, effective and saved uids to 0 and use set_perms_nosuid()
* instead of set_perms_posix().
*/
#if !defined(HAVE_SETRESUID) && !defined(HAVE_SETREUID) && \
!defined(NO_SAVED_IDS) && defined(_SC_SAVED_IDS) && defined(_SC_VERSION)
if (!def_stay_setuid && set_perms == set_perms_posix) {
if (setuid(0)) {
perror("setuid(0)");
exit(1);
}
set_perms = set_perms_nosuid;
}
#endif
/*
* Look up runas user passwd struct. If we are given a uid then
* there may be no corresponding passwd(5) entry (which is OK).
*/
if (**user_runas == '#') {
runas_pw = sudo_getpwuid(atoi(*user_runas + 1));
if (runas_pw == NULL) {
runas_pw = emalloc(sizeof(struct passwd));
(void) memset((VOID *)runas_pw, 0, sizeof(struct passwd));
runas_pw->pw_uid = atoi(*user_runas + 1);
}
} else {
runas_pw = sudo_getpwnam(*user_runas);
if (runas_pw == NULL)
log_error(NO_MAIL|MSG_ONLY, "no passwd entry for %s!", *user_runas);
}
/*
* Look up the timestamp dir owner if one is specified.
*/
if (def_timestampowner) {
struct passwd *pw;
if (*def_timestampowner == '#')
pw = getpwuid(atoi(def_timestampowner + 1));
else
pw = getpwnam(def_timestampowner);
if (!pw)
log_error(0, "timestamp owner (%s): No such user",
def_timestampowner);
timestamp_uid = pw->pw_uid;
}
/* This goes after the sudoers parse since we honor sudoers options. */
if (sudo_mode == MODE_KILL || sudo_mode == MODE_INVALIDATE) {
remove_timestamp((sudo_mode == MODE_KILL));
exit(0);
}
if (validated & VALIDATE_ERROR)
log_error(0, "parse error in %s near line %d", _PATH_SUDOERS,
errorlineno);
/* Is root even allowed to run sudo? */
if (user_uid == 0 && !def_root_sudo) {
(void) fprintf(stderr,
"Sorry, %s has been configured to not allow root to run it.\n",
getprogname());
exit(1);
}
/* If given the -P option, set the "preserve_groups" flag. */
if (sudo_mode & MODE_PRESERVE_GROUPS)
def_preserve_groups = TRUE;
/* If no command line args and "set_home" is not set, error out. */
if ((sudo_mode & MODE_IMPLIED_SHELL) && !def_shell_noargs)
usage(1);
/* May need to set $HOME to target user if we are running a command. */
if ((sudo_mode & MODE_RUN) && (def_always_set_home ||
((sudo_mode & MODE_SHELL) && def_set_home)))
sudo_mode |= MODE_RESET_HOME;
/* Bail if a tty is required and we don't have one. */
if (def_requiretty) {
if ((fd = open(_PATH_TTY, O_RDWR|O_NOCTTY)) == -1)
log_error(NO_MAIL, "sorry, you must have a tty to run sudo");
else
(void) close(fd);
}
/* Fill in passwd struct based on user we are authenticating as. */
auth_pw = get_authpw();
/* Require a password if sudoers says so. */
if (!(validated & FLAG_NOPASS))
check_user(validated & FLAG_CHECK_USER);
/* Build up custom environment that avoids any nasty bits. */
new_environ = rebuild_env(sudo_mode, envp);
if (validated & VALIDATE_OK) {
/* Finally tell the user if the command did not exist. */
if (cmnd_status == NOT_FOUND_DOT) {
warnx("ignoring `%s' found in '.'\nUse `sudo ./%s' if this is the `%s' you wish to run.", user_cmnd, user_cmnd, user_cmnd);
exit(1);
} else if (cmnd_status == NOT_FOUND) {
warnx("%s: command not found", user_cmnd);
exit(1);
}
log_auth(validated, 1);
if (sudo_mode == MODE_VALIDATE)
exit(0);
else if (sudo_mode == MODE_LIST) {
list_matches();
exit(0);
}
/* This *must* have been set if we got a match but... */
if (safe_cmnd == NULL) {
log_error(MSG_ONLY,
"internal error, safe_cmnd never got set for %s; %s",
user_cmnd,
"please report this error at http://courtesan.com/sudo/bugs/");
}
/* Override user's umask if configured to do so. */
if (def_umask != 0777)
(void) umask(def_umask);
/* Restore coredumpsize resource limit. */
#if defined(RLIMIT_CORE) && !defined(SUDO_DEVEL)
(void) setrlimit(RLIMIT_CORE, &corelimit);
#endif /* RLIMIT_CORE && !SUDO_DEVEL */
/* Become specified user or root. */
set_perms(PERM_RUNAS);
/* Close the password and group files */
endpwent();
endgrent();
/* Install the new environment. */
environ = new_environ;
/* Restore signal handlers before we exec. */
(void) sigaction(SIGINT, &saved_sa_int, NULL);
(void) sigaction(SIGQUIT, &saved_sa_quit, NULL);
(void) sigaction(SIGTSTP, &saved_sa_tstp, NULL);
(void) sigaction(SIGCHLD, &saved_sa_chld, NULL);
#ifndef PROFILING
if ((sudo_mode & MODE_BACKGROUND) && fork() > 0)
exit(0);
else
EXEC(safe_cmnd, NewArgv); /* run the command */
#else
exit(0);
#endif /* PROFILING */
/*
* If we got here then the exec() failed...
*/
warn("unable to execute %s", safe_cmnd);
exit(127);
} else if ((validated & FLAG_NO_USER) || (validated & FLAG_NO_HOST)) {
log_auth(validated, 1);
exit(1);
} else if (validated & VALIDATE_NOT_OK) {
if (def_path_info) {
/*
* We'd like to not leak path info at all here, but that can
* *really* confuse the users. To really close the leak we'd
* have to say "not allowed to run foo" even when the problem
* is just "no foo in path" since the user can trivially set
* their path to just contain a single dir.
*/
log_auth(validated,
!(cmnd_status == NOT_FOUND_DOT || cmnd_status == NOT_FOUND));
if (cmnd_status == NOT_FOUND)
warnx("%s: command not found", user_cmnd);
else if (cmnd_status == NOT_FOUND_DOT)
warnx("ignoring `%s' found in '.'\nUse `sudo ./%s' if this is the `%s' you wish to run.", user_cmnd, user_cmnd, user_cmnd);
} else {
/* Just tell the user they are not allowed to run foo. */
log_auth(validated, 1);
}
exit(1);
} else {
/* should never get here */
log_auth(validated, 1);
exit(1);
}
exit(0); /* not reached */
}
/*
* Initialize timezone, set umask, fill in ``sudo_user'' struct and
* load the ``interfaces'' array.
*/
static int
init_vars(sudo_mode)
int sudo_mode;
{
char *p, thost[MAXHOSTNAMELEN];
int nohostname, rval;
/* Sanity check command from user. */
if (user_cmnd == NULL && strlen(NewArgv[0]) >= MAXPATHLEN)
errx(1, "%s: File name too long", NewArgv[0]);
#ifdef HAVE_TZSET
(void) tzset(); /* set the timezone if applicable */
#endif /* HAVE_TZSET */
/* Default value for cmnd and cwd, overridden later. */
if (user_cmnd == NULL)
user_cmnd = NewArgv[0];
(void) strlcpy(user_cwd, "unknown", sizeof(user_cwd));
/*
* We avoid gethostbyname() if possible since we don't want
* sudo to block if DNS or NIS is hosed.
* "host" is the (possibly fully-qualified) hostname and
* "shost" is the unqualified form of the hostname.
*/
nohostname = gethostname(thost, sizeof(thost));
if (nohostname)
user_host = user_shost = "localhost";
else {
user_host = estrdup(thost);
if (def_fqdn) {
/* Defer call to set_fqdn() until log_error() is safe. */
user_shost = user_host;
} else {
if ((p = strchr(user_host, '.'))) {
*p = '\0';
user_shost = estrdup(user_host);
*p = '.';
} else {
user_shost = user_host;
}
}
}
if ((p = ttyname(STDIN_FILENO)) || (p = ttyname(STDOUT_FILENO))) {
if (strncmp(p, _PATH_DEV, sizeof(_PATH_DEV) - 1) == 0)
p += sizeof(_PATH_DEV) - 1;
user_tty = estrdup(p);
} else
user_tty = "unknown";
/*
* Get a local copy of the user's struct passwd with the shadow password
* if necessary. It is assumed that euid is 0 at this point so we
* can read the shadow passwd file if necessary.
*/
if ((sudo_user.pw = sudo_getpwuid(getuid())) == NULL) {
/* Need to make a fake struct passwd for logging to work. */
struct passwd pw;
char pw_name[MAX_UID_T_LEN + 1];
pw.pw_uid = getuid();
(void) snprintf(pw_name, sizeof(pw_name), "%lu",
(unsigned long) pw.pw_uid);
pw.pw_name = pw_name;
sudo_user.pw = &pw;
/*
* If we are in -k/-K mode, just spew to stderr. It is not unusual for
* users to place "sudo -k" in a .logout file which can cause sudo to
* be run during reboot after the YP/NIS/NIS+/LDAP/etc daemon has died.
*/
if (sudo_mode & (MODE_INVALIDATE|MODE_KILL))
errx(1, "uid %s does not exist in the passwd file!", pw_name);
log_error(0, "uid %s does not exist in the passwd file!", pw_name);
}
if (user_shell == NULL || *user_shell == '\0')
user_shell = sudo_user.pw->pw_shell;
/* It is now safe to use log_error() and set_perms() */
/*
* Must defer set_fqdn() until it is safe to call log_error()
*/
if (def_fqdn)
set_fqdn();
if (nohostname)
log_error(USE_ERRNO|MSG_ONLY, "can't get hostname");
/*
* Get current working directory. Try as user, fall back to root.
*/
set_perms(PERM_USER);
if (!getcwd(user_cwd, sizeof(user_cwd))) {
set_perms(PERM_ROOT);
if (!getcwd(user_cwd, sizeof(user_cwd))) {
warnx("cannot get working directory");
(void) strlcpy(user_cwd, "unknown", sizeof(user_cwd));
}
} else
set_perms(PERM_ROOT);
/*
* If we were given the '-s' option (run shell) we need to redo
* NewArgv and NewArgc.
*/
if ((sudo_mode & MODE_SHELL)) {
char **dst, **src = NewArgv;
NewArgv = (char **) emalloc2((++NewArgc + 1), sizeof(char *));
if (user_shell && *user_shell) {
NewArgv[0] = user_shell;
} else
errx(1, "unable to determine shell");
/* copy the args from NewArgv */
for (dst = NewArgv + 1; (*dst = *src) != NULL; ++src, ++dst)
;
}
/* Set login class if applicable. */
set_loginclass(sudo_user.pw);
/* Resolve the path and return. */
if ((sudo_mode & MODE_RUN)) {
/* XXX - should call this as runas user, not root. */
rval = find_path(NewArgv[0], &user_cmnd, user_path);
if (rval != FOUND) {
/* Failed as root, try as invoking user. */
set_perms(PERM_USER);
rval = find_path(NewArgv[0], &user_cmnd, user_path);
set_perms(PERM_ROOT);
}
/* set user_args */
if (NewArgc > 1) {
char *to, **from;
size_t size, n;
/* If MODE_SHELL not set then NewArgv is contiguous so just count */
if (!(sudo_mode & MODE_SHELL)) {
size = (size_t) (NewArgv[NewArgc-1] - NewArgv[1]) +
strlen(NewArgv[NewArgc-1]) + 1;
} else {
for (size = 0, from = NewArgv + 1; *from; from++)
size += strlen(*from) + 1;
}
/* alloc and copy. */
user_args = (char *) emalloc(size);
for (to = user_args, from = NewArgv + 1; *from; from++) {
n = strlcpy(to, *from, size - (to - user_args));
if (n >= size - (to - user_args))
errx(1, "internal error, init_vars() overflow");
to += n;
*to++ = ' ';
}
*--to = '\0';
}
} else
rval = FOUND;
return(rval);
}
/*
* Command line argument parsing, can't use getopt(3).
*/
static int
parse_args(argc, argv)
int argc;
char **argv;
{
int rval = MODE_RUN; /* what mode is sudo to be run in? */
int excl = 0; /* exclusive arg, no others allowed */
NewArgv = argv + 1;
NewArgc = argc - 1;
if (NewArgc == 0) { /* no options and no command */
rval |= (MODE_IMPLIED_SHELL | MODE_SHELL);
return(rval);
}
while (NewArgc > 0 && NewArgv[0][0] == '-') {
if (NewArgv[0][1] != '\0' && NewArgv[0][2] != '\0')
warnx("please use single character options");
switch (NewArgv[0][1]) {
case 'p':
/* Must have an associated prompt. */
if (NewArgv[1] == NULL)
usage(1);
user_prompt = NewArgv[1];
NewArgc--;
NewArgv++;
break;
case 'u':
/* Must have an associated runas user. */
if (NewArgv[1] == NULL)
usage(1);
user_runas = &NewArgv[1];
NewArgc--;
NewArgv++;
break;
#ifdef HAVE_BSD_AUTH_H
case 'a':
/* Must have an associated authentication style. */
if (NewArgv[1] == NULL)
usage(1);
login_style = NewArgv[1];
NewArgc--;
NewArgv++;
break;
#endif
#ifdef HAVE_LOGIN_CAP_H
case 'c':
/* Must have an associated login class. */
if (NewArgv[1] == NULL)
usage(1);
login_class = NewArgv[1];
def_use_loginclass = TRUE;
NewArgc--;
NewArgv++;
break;
#endif
case 'b':
rval |= MODE_BACKGROUND;
break;
case 'v':
rval = MODE_VALIDATE;
if (excl && excl != 'v')
usage_excl(1);
excl = 'v';
break;
case 'k':
rval = MODE_INVALIDATE;
if (excl && excl != 'k')
usage_excl(1);
excl = 'k';
break;
case 'K':
rval = MODE_KILL;
if (excl && excl != 'K')
usage_excl(1);
excl = 'K';
break;
case 'L':
rval = MODE_LISTDEFS;
if (excl && excl != 'L')
usage_excl(1);
excl = 'L';
break;
case 'l':
rval = MODE_LIST;
if (excl && excl != 'l')
usage_excl(1);
excl = 'l';
break;
case 'V':
rval = MODE_VERSION;
if (excl && excl != 'V')
usage_excl(1);
excl = 'V';
break;
case 'h':
rval = MODE_HELP;
if (excl && excl != 'h')
usage_excl(1);
excl = 'h';
break;
case 's':
rval |= MODE_SHELL;
if (excl && excl != 's')
usage_excl(1);
excl = 's';
break;
case 'H':
rval |= MODE_RESET_HOME;
break;
case 'P':
rval |= MODE_PRESERVE_GROUPS;
break;
case 'S':
tgetpass_flags |= TGP_STDIN;
break;
case '-':
NewArgc--;
NewArgv++;
if (rval == MODE_RUN)
rval |= (MODE_IMPLIED_SHELL | MODE_SHELL);
return(rval);
case '\0':
warnx("'-' requires an argument");
usage(1);
default:
warnx("illegal option `%s'", NewArgv[0]);
usage(1);
}
NewArgc--;
NewArgv++;
}
if (NewArgc > 0 && !(rval & MODE_RUN))
usage(1);
return(rval);
}
/*
* Sanity check sudoers mode/owner/type.
* Leaves a file pointer to the sudoers file open in ``fp''.
*/
static void
check_sudoers()
{
struct stat statbuf;
int rootstat, i;
char c;
/*
* Fix the mode and group on sudoers file from old default.
* Only works if filesystem is readable/writable by root.
*/
if ((rootstat = stat_sudoers(_PATH_SUDOERS, &statbuf)) == 0 &&
SUDOERS_UID == statbuf.st_uid && SUDOERS_MODE != 0400 &&
(statbuf.st_mode & 0007777) == 0400) {
if (chmod(_PATH_SUDOERS, SUDOERS_MODE) == 0) {
warnx("fixed mode on %s", _PATH_SUDOERS);
statbuf.st_mode |= SUDOERS_MODE;
if (statbuf.st_gid != SUDOERS_GID) {
if (!chown(_PATH_SUDOERS,(uid_t) -1,SUDOERS_GID)) {
warnx("set group on %s", _PATH_SUDOERS);
statbuf.st_gid = SUDOERS_GID;
} else
warn("unable to set group on %s", _PATH_SUDOERS);
}
} else
warn("unable to fix mode on %s", _PATH_SUDOERS);
}
/*
* Sanity checks on sudoers file. Must be done as sudoers
* file owner. We already did a stat as root, so use that
* data if we can't stat as sudoers file owner.
*/
set_perms(PERM_SUDOERS);
if (rootstat != 0 && stat_sudoers(_PATH_SUDOERS, &statbuf) != 0)
log_error(USE_ERRNO, "can't stat %s", _PATH_SUDOERS);
else if (!S_ISREG(statbuf.st_mode))
log_error(0, "%s is not a regular file", _PATH_SUDOERS);
else if (statbuf.st_size == 0)
log_error(0, "%s is zero length", _PATH_SUDOERS);
else if ((statbuf.st_mode & 07777) != SUDOERS_MODE)
log_error(0, "%s is mode 0%o, should be 0%o", _PATH_SUDOERS,
(statbuf.st_mode & 07777), SUDOERS_MODE);
else if (statbuf.st_uid != SUDOERS_UID)
log_error(0, "%s is owned by uid %lu, should be %lu", _PATH_SUDOERS,
(unsigned long) statbuf.st_uid, SUDOERS_UID);
else if (statbuf.st_gid != SUDOERS_GID)
log_error(0, "%s is owned by gid %lu, should be %lu", _PATH_SUDOERS,
(unsigned long) statbuf.st_gid, SUDOERS_GID);
else {
/* Solaris sometimes returns EAGAIN so try 10 times */
for (i = 0; i < 10 ; i++) {
errno = 0;
if ((sudoers_fp = fopen(_PATH_SUDOERS, "r")) == NULL ||
fread(&c, sizeof(c), 1, sudoers_fp) != 1) {
sudoers_fp = NULL;
if (errno != EAGAIN && errno != EWOULDBLOCK)
break;
} else
break;
sleep(1);
}
if (sudoers_fp == NULL)
log_error(USE_ERRNO, "can't open %s", _PATH_SUDOERS);
}
set_perms(PERM_ROOT); /* change back to root */
}
/*
* Close all open files (except std*) and turn off core dumps.
* Also sets the set_perms() pointer to the correct function.
*/
static void
initial_setup()
{
int fd, maxfd;
#ifdef HAVE_SETRLIMIT
struct rlimit rl;
#endif
#if defined(RLIMIT_CORE) && !defined(SUDO_DEVEL)
/*
* Turn off core dumps.
*/
(void) getrlimit(RLIMIT_CORE, &corelimit);
memcpy(&rl, &corelimit, sizeof(struct rlimit));
rl.rlim_cur = 0;
(void) setrlimit(RLIMIT_CORE, &rl);
#endif /* RLIMIT_CORE && !SUDO_DEVEL */
/*
* Close any open fd's other than stdin, stdout and stderr.
*/
#ifdef HAVE_SYSCONF
maxfd = sysconf(_SC_OPEN_MAX) - 1;
#else
maxfd = getdtablesize() - 1;
#endif /* HAVE_SYSCONF */
#ifdef RLIMIT_NOFILE
if (getrlimit(RLIMIT_NOFILE, &rl) == 0) {
if (rl.rlim_max != RLIM_INFINITY && rl.rlim_max <= maxfd)
maxfd = rl.rlim_max - 1;
}
#endif /* RLIMIT_NOFILE */
for (fd = maxfd; fd > STDERR_FILENO; fd--)
(void) close(fd);
/*
* Make set_perms point to the correct function.
* If we are using setresuid() or setreuid() we only need to set this
* once. If we are using POSIX saved uids we will switch to
* set_perms_nosuid after sudoers has been parsed if the "stay_suid"
* option is not set.
*/
#if defined(HAVE_SETRESUID) || defined(HAVE_SETREUID)
set_perms = set_perms_suid;
#else
# if !defined(NO_SAVED_IDS) && defined(_SC_SAVED_IDS) && defined(_SC_VERSION)
if (sysconf(_SC_SAVED_IDS) == 1 && sysconf(_SC_VERSION) >= 199009)
set_perms = set_perms_posix;
else
# endif
set_perms = set_perms_nosuid;
#endif /* HAVE_SETRESUID || HAVE_SETREUID */
}
#ifdef HAVE_LOGIN_CAP_H
static void
set_loginclass(pw)
struct passwd *pw;
{
int errflags;
/*
* Don't make it a fatal error if the user didn't specify the login
* class themselves. We do this because if login.conf gets
* corrupted we want the admin to be able to use sudo to fix it.
*/
if (login_class)
errflags = NO_MAIL|MSG_ONLY;
else
errflags = NO_MAIL|MSG_ONLY|NO_EXIT;
if (login_class && strcmp(login_class, "-") != 0) {
if (strcmp(*user_runas, "root") != 0 && user_uid != 0)
errx(1, "only root can use -c %s", login_class);
} else {
login_class = pw->pw_class;
if (!login_class || !*login_class)
login_class =
(pw->pw_uid == 0) ? LOGIN_DEFROOTCLASS : LOGIN_DEFCLASS;
}
lc = login_getclass(login_class);
if (!lc || !lc->lc_class || strcmp(lc->lc_class, login_class) != 0) {
log_error(errflags, "unknown login class: %s", login_class);
if (!lc)
lc = login_getclass(NULL); /* needed for login_getstyle() later */
}
}
#else
static void
set_loginclass(pw)
struct passwd *pw;
{
}
#endif /* HAVE_LOGIN_CAP_H */
/*
* Look up the fully qualified domain name and set user_host and user_shost.
*/
void
set_fqdn()
{
struct hostent *hp;
char *p;
if (!(hp = gethostbyname(user_host))) {
log_error(MSG_ONLY|NO_EXIT,
"unable to lookup %s via gethostbyname()", user_host);
} else {
if (user_shost != user_host)
free(user_shost);
free(user_host);
user_host = estrdup(hp->h_name);
}
if ((p = strchr(user_host, '.'))) {
*p = '\0';
user_shost = estrdup(user_host);
*p = '.';
} else {
user_shost = user_host;
}
}
/*
* Get passwd entry for the user we are going to authenticate as.
* By default, this is the user invoking sudo...
*/
static struct passwd *
get_authpw()
{
struct passwd *pw;
if (def_rootpw) {
if ((pw = sudo_getpwuid(0)) == NULL)
log_error(0, "uid 0 does not exist in the passwd file!");
} else if (def_runaspw) {
if ((pw = sudo_getpwnam(def_runas_default)) == NULL)
log_error(0, "user %s does not exist in the passwd file!",
def_runas_default);
} else if (def_targetpw) {
if (**user_runas == '#') {
if ((pw = sudo_getpwuid(atoi(*user_runas + 1))) == NULL)
log_error(0, "uid %s does not exist in the passwd file!",
user_runas);
} else {
if ((pw = sudo_getpwnam(*user_runas)) == NULL)
log_error(0, "user %s does not exist in the passwd file!",
user_runas);
}
} else
pw = sudo_user.pw;
return(pw);
}
/*
* Tell which options are mutually exclusive and exit.
*/
static void
usage_excl(exit_val)
int exit_val;
{
(void) fprintf(stderr,
"Only one of the -h, -k, -K, -l, -s, -v or -V options may be used\n");
usage(exit_val);
}
/*
* Give usage message and exit.
*/
static void
usage(exit_val)
int exit_val;
{
(void) fprintf(stderr, "usage: sudo -V | -h | -L | -l | -v | -k | -K | %s",
"[-H] [-P] [-S] [-b] [-p prompt]\n [-u username/#uid] ");
#ifdef HAVE_LOGIN_CAP_H
(void) fprintf(stderr, "[-c class] ");
#endif
#ifdef HAVE_BSD_AUTH_H
(void) fprintf(stderr, "[-a auth_type] ");
#endif
(void) fprintf(stderr, "-s | <command>\n");
exit(exit_val);
}
Reference in New Issue View Git Blame Copy Permalink