mir/sudo
2
0
Fork 0
mirror of https://github.com/sudo-project/sudo.git synced 2025-08-22 09:57:41 +00:00
Code Issues Releases Wiki Activity
sudo/plugins/sudoers/lookup.c

566 lines
17 KiB
C
Raw Permalink Normal View History

updated version number and took out jeff's email (since it is invalid)
1993-11-27 23:42:49 +00:00
/*
Add SPDX-License-Identifier to files.
2019-04-29 07:21:51 -06:00
* SPDX-License-Identifier: ISC
*
Unifdef parser support for SELinux, AppArmor and Solaris privileges.
2024-05-01 08:04:00 -06:00
* Copyright (c) 2004-2005, 2007-2024 Todd C. Miller <Todd.Miller@sudo.ws>
Initial revision
1993-06-11 22:03:45 +00:00
*
More to a less restrictive, ISC-style license.
2004-02-13 21:36:43 +00:00
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
used indent to "fix" coding style
1993-10-04 19:10:33 +00:00
*/
Convert PVS-Studio comment to ANSI C.
2018-10-26 08:39:09 -06:00
/*
* This is an open source non-commercial project. Dear PVS-Studio, please check it.
* PVS-Studio Static Code Analyzer for C, C++ and C#: http://www.viva64.com
*/
Add comments in .c files so PVS-Studio will check them.
2018-10-21 08:46:05 -06:00
Use: #include <config.h> Not: #include "config.h" That way we get the correct config.h when build dir != src dir
2004-11-19 18:39:14 +00:00
#include <config.h>
updated to work with configure + pathnames.h
1994-03-12 18:36:53 +00:00
Initial revision
1993-06-11 22:03:45 +00:00
#include <stdio.h>
We require ANSI C so stop using the obsolete STDC_HEADERS.
2015-06-19 14:29:27 -06:00
#include <stdlib.h>
Include string.h unconditionally and only use strings.h for strn?casecmp() In the pre-POSIX days BSD had strings.h, not string.h. Now strings.h is only used for non-ANSI string functions.
2020-05-18 07:59:24 -06:00
#include <string.h>
There's no need to conditionalize the #include <unistd.h>, we require a POSIX system.
2015-07-02 09:08:28 -06:00
#include <unistd.h>
Add NOTBEFORE and NOTAFTER command options similar to what is already available in LDAP.
2017-02-18 15:35:48 -07:00
#include <pwd.h>
Initial revision
1993-06-11 22:03:45 +00:00
Use #include <foo.h> instead of #include "foo.h" in most cases. We rely on the include path to find many of these headers. It especially doesn't make sense to use #include "foo.h" for headers in the top-level include directory.
2023-09-25 10:13:28 -06:00
#include <sudoers.h>
Revert 003bdb078a15. We need to #include <gram.h> not "gram.h" and <def_data.h> and not "def_data.h" when generating the parser in a build dir.
2011-11-12 12:18:44 -05:00
#include <gram.h>
Move inclusion of emul/fnmatch.h to be after sudo.h for __P
1999-08-28 10:00:22 +00:00
Fix potential crash introduced in the fix for GitHub issue #134. If a user's sudoers entry did not have any RunAs user's set, running "sudo -U otheruser -l" would dereference a NULL pointer. We need to compare the default RunAs user if the sudoers entry does not specify one explicitly. Problem reported by Andreas Mueller who also suggested a different solution in PR #219.
2022-12-07 10:25:00 -07:00
static int
runas_matches_pw(struct sudoers_parse_tree *parse_tree,
const struct cmndspec *cs, const struct passwd *pw)
{
debug_decl(runas_matches_pw, SUDOERS_DEBUG_PARSER);
if (cs->runasuserlist != NULL)
debug_return_int(userlist_matches(parse_tree, pw, cs->runasuserlist));
if (cs->runasgrouplist == NULL) {
/* No explicit runas user or group, use default. */
Make all match functions return ALLOW/DENY not true/false.
2023-09-09 14:07:06 -06:00
if (userpw_matches(def_runas_default, pw->pw_name, pw) == ALLOW)
Fix potential crash introduced in the fix for GitHub issue #134. If a user's sudoers entry did not have any RunAs user's set, running "sudo -U otheruser -l" would dereference a NULL pointer. We need to compare the default RunAs user if the sudoers entry does not specify one explicitly. Problem reported by Andreas Mueller who also suggested a different solution in PR #219.
2022-12-07 10:25:00 -07:00
debug_return_int(ALLOW);
}
debug_return_int(UNSPEC);
}
Make sudoers file nsswitch functions static to parse.c since they are self-contained.
2014-09-15 15:11:30 -06:00
/*
Fix a typo.
2019-05-22 08:58:51 -06:00
* Look up the user in the sudoers parse tree for pseudo-commands like
Simplify the nss interface such that each sudoers provider fills in a per-nss list of userspecs and defaults instead of using separate lookup and list functions. This makes it possible to have a single implementation of the code for sudoers lookup and listing.
2018-05-14 09:05:03 -06:00
* list, verify and kill.
Make sudoers file nsswitch functions static to parse.c since they are self-contained.
2014-09-15 15:11:30 -06:00
*/
sudoers plugin: make more bit flags unsigned.
2023-07-10 11:06:23 -06:00
static unsigned int
Make struct sudoers_context private to sudoers.c. We now pass a pointer to the context where necessary. There are a few cases where we need to request the context from sudoers via sudoers_get_context() for the plugin API functions. If the plugin API was able to pass around a closure pointer this would not be necessary.
2023-08-21 09:21:49 -06:00
sudoers_lookup_pseudo(struct sudo_nss_list *snl, struct sudoers_context *ctx,
time_t now, sudoers_lookup_callback_fn_t callback, void *cb_data,
int pwflag)
Initial revision
1993-06-11 22:03:45 +00:00
{
Add "list" pseudo-command to allow a user to list another user's privs. Previously, only root or a user with the ability to run any command as either root or the target user on the current host could use the -U option. For "sudo -l [-U otheruser] command", NewArgv[0] is now set to "list" (just like "sudo -l") and the actual command to be checked starts with NewArgv[1].
2022-12-11 13:46:00 -07:00
char *saved_runchroot;
Restrict "sudo -U other -l" to users with sudo ALL for root or "other". Having "sudo ALL" permissions in no longer sufficient to be able to list another user's privileges. The invoking user must now have "sudo ALL" for root or the target user. GitHub issue #134
2022-02-14 13:09:55 -07:00
struct passwd *root_pw = NULL;
Simplify the nss interface such that each sudoers provider fills in a per-nss list of userspecs and defaults instead of using separate lookup and list functions. This makes it possible to have a single implementation of the code for sudoers lookup and listing.
2018-05-14 09:05:03 -06:00
struct sudo_nss *nss;
Rewritten parser that converts sudoers into a set of data structures. This eliminates ordering issues and makes it possible to apply sudoers Defaults entries before searching for the command.
2004-10-26 22:10:55 +00:00
struct cmndspec *cs;
struct privilege *priv;
struct userspec *us;
Simplify the nss interface such that each sudoers provider fills in a per-nss list of userspecs and defaults instead of using separate lookup and list functions. This makes it possible to have a single implementation of the code for sudoers lookup and listing.
2018-05-14 09:05:03 -06:00
struct defaults *def;
sudoers_lookup_pseudo: init match to UNSPEC for sudo_nss_can_continue(). Otherwise, processing will stop after the first sudoers nsswitch service specification where [SUCCESS=return] is present.
2023-12-15 10:45:22 -07:00
int nopass, match = UNSPEC;
sudoers plugin: make more bit flags unsigned.
2023-07-10 11:06:23 -06:00
unsigned int validated = 0;
Simplify the nss interface such that each sudoers provider fills in a per-nss list of userspecs and defaults instead of using separate lookup and list functions. This makes it possible to have a single implementation of the code for sudoers lookup and listing.
2018-05-14 09:05:03 -06:00
enum def_tuple pwcheck;
debug_decl and debug_decl_vars now require a semicolon at the end.
2019-12-22 08:48:16 -07:00
debug_decl(sudoers_lookup_pseudo, SUDOERS_DEBUG_PARSER);
Simplify the nss interface such that each sudoers provider fills in a per-nss list of userspecs and defaults instead of using separate lookup and list functions. This makes it possible to have a single implementation of the code for sudoers lookup and listing.
2018-05-14 09:05:03 -06:00
pwcheck = (pwflag == -1) ? never : sudo_defs_table[pwflag].sd_un.tuple;
The fix for bug #869 broke "sudo -v" when verifypw=all (the default)
2019-10-15 07:23:51 -06:00
nopass = (pwcheck == never || pwcheck == all) ? true : false;
Simplify the nss interface such that each sudoers provider fills in a per-nss list of userspecs and defaults instead of using separate lookup and list functions. This makes it possible to have a single implementation of the code for sudoers lookup and listing.
2018-05-14 09:05:03 -06:00
Make struct sudoers_context private to sudoers.c. We now pass a pointer to the context where necessary. There are a few cases where we need to request the context from sudoers via sudoers_get_context() for the plugin API functions. If the plugin API was able to pass around a closure pointer this would not be necessary.
2023-08-21 09:21:49 -06:00
if (ctx->runas.list_pw != NULL) {
Restrict "sudo -U other -l" to users with sudo ALL for root or "other". Having "sudo ALL" permissions in no longer sufficient to be able to list another user's privileges. The invoking user must now have "sudo ALL" for root or the target user. GitHub issue #134
2022-02-14 13:09:55 -07:00
root_pw = sudo_getpwuid(ROOT_UID);
Fix potential NULL deref if getpwuid(0) fails. Coverity CID 249326
2022-02-15 19:41:31 -07:00
if (root_pw == NULL)
Add callbacks to sudoers_lookup() so we can use it in testsudoers. Also pass in the time to be used for NOTBEFORE/NOTAFTER checks.
2023-06-29 17:30:39 -06:00
sudo_warnx(U_("unknown uid %u"), ROOT_UID);
Restrict "sudo -U other -l" to users with sudo ALL for root or "other". Having "sudo ALL" permissions in no longer sufficient to be able to list another user's privileges. The invoking user must now have "sudo ALL" for root or the target user. GitHub issue #134
2022-02-14 13:09:55 -07:00
} else {
SET(validated, FLAG_NO_CHECK);
}
Add "list" pseudo-command to allow a user to list another user's privs. Previously, only root or a user with the ability to run any command as either root or the target user on the current host could use the -U option. For "sudo -l [-U otheruser] command", NewArgv[0] is now set to "list" (just like "sudo -l") and the actual command to be checked starts with NewArgv[1].
2022-12-11 13:46:00 -07:00
/* Don't use chroot setting for pseudo-commands. */
saved_runchroot = def_runchroot;
def_runchroot = NULL;
Simplify the nss interface such that each sudoers provider fills in a per-nss list of userspecs and defaults instead of using separate lookup and list functions. This makes it possible to have a single implementation of the code for sudoers lookup and listing.
2018-05-14 09:05:03 -06:00
TAILQ_FOREACH(nss, snl, entries) {
Make struct sudoers_context private to sudoers.c. We now pass a pointer to the context where necessary. There are a few cases where we need to request the context from sudoers via sudoers_get_context() for the plugin API functions. If the plugin API was able to pass around a closure pointer this would not be necessary.
2023-08-21 09:21:49 -06:00
if (nss->query(ctx, nss, ctx->user.pw) == -1) {
Simplify the nss interface such that each sudoers provider fills in a per-nss list of userspecs and defaults instead of using separate lookup and list functions. This makes it possible to have a single implementation of the code for sudoers lookup and listing.
2018-05-14 09:05:03 -06:00
/* The query function should have printed an error message. */
SET(validated, VALIDATE_ERROR);
break;
}
sudoers_lookup_pseudo: sync with sudoers_lookup_check This makes sudoers_lookup_pseudo(), which is used for pseudo-command like "list" and "validate" a bit more like sudoers_lookup_check(). Time of day checks are performed, and callbacks are supported. We cannot use the same code for regular commands and pseudo-commands due to the "pwcheck == all" case.
2023-07-25 15:57:20 -06:00
/*
* We have to traverse the policy forwards, not in reverse,
* to support the "pwcheck == all" case.
*/
o Move userspecs, defaults and aliases into a new struct sudoers_parse_tree. o The parse tree is now passed to the alias, match and defaults functions. o The nss API has been changed so that the nss parse() function returns a pointer to a struct sudoers_parse_tree which will be filled in by the getdefs() and query() functions.
2018-07-26 15:12:33 -06:00
TAILQ_FOREACH(us, &nss->parse_tree->userspecs, entries) {
Make all match functions return ALLOW/DENY not true/false.
2023-09-09 14:07:06 -06:00
const int user_match = userlist_matches(nss->parse_tree,
ctx->user.pw, &us->users);
Use a single callback for sudoers_lookup() and add a closure pointer. The single callback now receives all the match info (or UNSPEC if no match was attempted). This makes it possible to use the callback for more than just printing testsudoers output.
2023-08-07 15:06:19 -06:00
if (user_match != ALLOW) {
Try to make sudo less vulnerable to ROWHAMMER attacks. We now use ROWHAMMER-resistent values for ALLOW, DENY, AUTH_SUCCESS, AUTH_FAILURE, AUTH_ERROR and AUTH_NONINTERACTIVE. In addition, we explicitly test for expected values instead of using a negated test against an error value. In the parser match functions this means explicitly checking for ALLOW or DENY instead of accepting anything that is not set to UNSPEC. Thanks to Andrew J. Adiletta, M. Caner Tol, Yarkin Doroz, and Berk Sunar, all affiliated with the Vernam Applied Cryptography and Cybersecurity Lab at Worcester Polytechnic Institute, for the report. Paper preprint: https://arxiv.org/abs/2309.02545
2023-09-09 14:07:04 -06:00
if (callback != NULL && user_match == DENY) {
Add verbose version of "sudo -l command" by using an extra -l. The output of "sudo -ll command" consists of the matching sudoers rule (in long form) with the addition of a "Matched" entry that shows the fully-qualfied path along with any arguments.
2023-08-09 10:16:10 -06:00
callback(nss->parse_tree, us, user_match, NULL, UNSPEC,
NULL, UNSPEC, UNSPEC, UNSPEC, cb_data);
Use a single callback for sudoers_lookup() and add a closure pointer. The single callback now receives all the match info (or UNSPEC if no match was attempted). This makes it possible to use the callback for more than just printing testsudoers output.
2023-08-07 15:06:19 -06:00
}
Make matching but negated commands/hosts/runas entries override a previous match as expected. Also reduce some levels of indent by a few placed continue statements.
2007-07-06 00:20:51 +00:00
continue;
Use a single callback for sudoers_lookup() and add a closure pointer. The single callback now receives all the match info (or UNSPEC if no match was attempted). This makes it possible to use the callback for more than just printing testsudoers output.
2023-08-07 15:06:19 -06:00
}
Add "headless" tail queues and use them in place of the semi-circular lists in sudoers. Once the headless tail queue is built up it is converted to a normal TAILQ. This removes the last consumer of list.c and list.h so those can now be removed.
2013-10-22 09:08:38 -06:00
TAILQ_FOREACH(priv, &us->privileges, entries) {
Simplify the nss interface such that each sudoers provider fills in a per-nss list of userspecs and defaults instead of using separate lookup and list functions. This makes it possible to have a single implementation of the code for sudoers lookup and listing.
2018-05-14 09:05:03 -06:00
int priv_nopass = UNSPEC;
Make all match functions return ALLOW/DENY not true/false.
2023-09-09 14:07:06 -06:00
const int host_match = hostlist_matches(nss->parse_tree,
ctx->user.pw, &priv->hostlist);
Use a single callback for sudoers_lookup() and add a closure pointer. The single callback now receives all the match info (or UNSPEC if no match was attempted). This makes it possible to use the callback for more than just printing testsudoers output.
2023-08-07 15:06:19 -06:00
if (host_match != ALLOW) {
if (callback != NULL) {
Add verbose version of "sudo -l command" by using an extra -l. The output of "sudo -ll command" consists of the matching sudoers rule (in long form) with the addition of a "Matched" entry that shows the fully-qualfied path along with any arguments.
2023-08-09 10:16:10 -06:00
callback(nss->parse_tree, us, user_match, priv,
host_match, NULL, UNSPEC, UNSPEC, UNSPEC, cb_data);
Use a single callback for sudoers_lookup() and add a closure pointer. The single callback now receives all the match info (or UNSPEC if no match was attempted). This makes it possible to use the callback for more than just printing testsudoers output.
2023-08-07 15:06:19 -06:00
}
Make matching but negated commands/hosts/runas entries override a previous match as expected. Also reduce some levels of indent by a few placed continue statements.
2007-07-06 00:20:51 +00:00
continue;
Use a single callback for sudoers_lookup() and add a closure pointer. The single callback now receives all the match info (or UNSPEC if no match was attempted). This makes it possible to use the callback for more than just printing testsudoers output.
2023-08-07 15:06:19 -06:00
}
Simplify the nss interface such that each sudoers provider fills in a per-nss list of userspecs and defaults instead of using separate lookup and list functions. This makes it possible to have a single implementation of the code for sudoers lookup and listing.
2018-05-14 09:05:03 -06:00
TAILQ_FOREACH(def, &priv->defaults, entries) {
sudoers_lookup_pseudo: sync with sudoers_lookup_check This makes sudoers_lookup_pseudo(), which is used for pseudo-command like "list" and "validate" a bit more like sudoers_lookup_check(). Time of day checks are performed, and callbacks are supported. We cannot use the same code for regular commands and pseudo-commands due to the "pwcheck == all" case.
2023-07-25 15:57:20 -06:00
if (strcmp(def->var, "authenticate") == 0) {
Fix logic inversion when handing the authenticate Defaults option for "sudo -l" and "sudo -v" in long list mode.
2018-05-16 12:14:14 -06:00
priv_nopass = !def->op;
sudoers_lookup_pseudo: sync with sudoers_lookup_check This makes sudoers_lookup_pseudo(), which is used for pseudo-command like "list" and "validate" a bit more like sudoers_lookup_check(). Time of day checks are performed, and callbacks are supported. We cannot use the same code for regular commands and pseudo-commands due to the "pwcheck == all" case.
2023-07-25 15:57:20 -06:00
break;
}
Simplify the nss interface such that each sudoers provider fills in a per-nss list of userspecs and defaults instead of using separate lookup and list functions. This makes it possible to have a single implementation of the code for sudoers lookup and listing.
2018-05-14 09:05:03 -06:00
}
Add "headless" tail queues and use them in place of the semi-circular lists in sudoers. Once the headless tail queue is built up it is converted to a normal TAILQ. This removes the last consumer of list.c and list.h so those can now be removed.
2013-10-22 09:08:38 -06:00
TAILQ_FOREACH(cs, &priv->cmndlist, entries) {
sudoers_lookup_pseudo: sync with sudoers_lookup_check This makes sudoers_lookup_pseudo(), which is used for pseudo-command like "list" and "validate" a bit more like sudoers_lookup_check(). Time of day checks are performed, and callbacks are supported. We cannot use the same code for regular commands and pseudo-commands due to the "pwcheck == all" case.
2023-07-25 15:57:20 -06:00
int cmnd_match = UNSPEC;
int date_match = UNSPEC;
int runas_match = UNSPEC;
Simplify the nss interface such that each sudoers provider fills in a per-nss list of userspecs and defaults instead of using separate lookup and list functions. This makes it possible to have a single implementation of the code for sudoers lookup and listing.
2018-05-14 09:05:03 -06:00
if (pwcheck == any) {
if (cs->tags.nopasswd == true || priv_nopass == true)
nopass = true;
} else if (pwcheck == all) {
if (cs->tags.nopasswd != true && priv_nopass != true)
nopass = false;
}
Restrict "sudo -U other -l" to users with sudo ALL for root or "other". Having "sudo ALL" permissions in no longer sufficient to be able to list another user's privileges. The invoking user must now have "sudo ALL" for root or the target user. GitHub issue #134
2022-02-14 13:09:55 -07:00
sudoers_lookup_pseudo: sync with sudoers_lookup_check This makes sudoers_lookup_pseudo(), which is used for pseudo-command like "list" and "validate" a bit more like sudoers_lookup_check(). Time of day checks are performed, and callbacks are supported. We cannot use the same code for regular commands and pseudo-commands due to the "pwcheck == all" case.
2023-07-25 15:57:20 -06:00
if (cs->notbefore != UNSPEC) {
date_match = now < cs->notbefore ? DENY : ALLOW;
}
if (cs->notafter != UNSPEC) {
date_match = now > cs->notafter ? DENY : ALLOW;
}
Add "list" pseudo-command to allow a user to list another user's privs. Previously, only root or a user with the ability to run any command as either root or the target user on the current host could use the -U option. For "sudo -l [-U otheruser] command", NewArgv[0] is now set to "list" (just like "sudo -l") and the actual command to be checked starts with NewArgv[1].
2022-12-11 13:46:00 -07:00
/*
* Root can list any user's privileges.
* A user may always list their own privileges.
*/
Make struct sudoers_context private to sudoers.c. We now pass a pointer to the context where necessary. There are a few cases where we need to request the context from sudoers via sudoers_get_context() for the plugin API functions. If the plugin API was able to pass around a closure pointer this would not be necessary.
2023-08-21 09:21:49 -06:00
if (ctx->user.uid == 0 || ctx->runas.list_pw == NULL ||
ctx->user.uid == ctx->runas.list_pw->pw_uid) {
sudoers_lookup_pseudo: sync with sudoers_lookup_check This makes sudoers_lookup_pseudo(), which is used for pseudo-command like "list" and "validate" a bit more like sudoers_lookup_check(). Time of day checks are performed, and callbacks are supported. We cannot use the same code for regular commands and pseudo-commands due to the "pwcheck == all" case.
2023-07-25 15:57:20 -06:00
cmnd_match = ALLOW;
runas_match = ALLOW;
} else if (date_match != DENY) {
A user with "list" privs for root may not list all users. A user with "sudo ALL" for root _is_ allowed to list any user.
2023-03-03 13:57:27 -07:00
/*
Typographical and Grammatical fixes
2023-11-28 01:55:57 -05:00
* To list another user's privileges, the runas
sudoers_lookup_pseudo: sync with sudoers_lookup_check This makes sudoers_lookup_pseudo(), which is used for pseudo-command like "list" and "validate" a bit more like sudoers_lookup_check(). Time of day checks are performed, and callbacks are supported. We cannot use the same code for regular commands and pseudo-commands due to the "pwcheck == all" case.
2023-07-25 15:57:20 -06:00
* user must match the list user or root.
A user with "list" privs for root may not list all users. A user with "sudo ALL" for root _is_ allowed to list any user.
2023-03-03 13:57:27 -07:00
*/
sudoers_lookup_pseudo: sync with sudoers_lookup_check This makes sudoers_lookup_pseudo(), which is used for pseudo-command like "list" and "validate" a bit more like sudoers_lookup_check(). Time of day checks are performed, and callbacks are supported. We cannot use the same code for regular commands and pseudo-commands due to the "pwcheck == all" case.
2023-07-25 15:57:20 -06:00
runas_match = runas_matches_pw(nss->parse_tree, cs,
Make struct sudoers_context private to sudoers.c. We now pass a pointer to the context where necessary. There are a few cases where we need to request the context from sudoers via sudoers_get_context() for the plugin API functions. If the plugin API was able to pass around a closure pointer this would not be necessary.
2023-08-21 09:21:49 -06:00
ctx->runas.list_pw);
sudoers_lookup_pseudo: sync with sudoers_lookup_check This makes sudoers_lookup_pseudo(), which is used for pseudo-command like "list" and "validate" a bit more like sudoers_lookup_check(). Time of day checks are performed, and callbacks are supported. We cannot use the same code for regular commands and pseudo-commands due to the "pwcheck == all" case.
2023-07-25 15:57:20 -06:00
switch (runas_match) {
case DENY:
break;
case ALLOW:
/*
* RunAs user matches list user.
* Match on command "list" or ALL.
*/
cmnd_match = cmnd_matches(nss->parse_tree,
A user with "list" privs for root may not list all users. A user with "sudo ALL" for root _is_ allowed to list any user.
2023-03-03 13:57:27 -07:00
cs->cmnd, cs->runchroot, NULL);
sudoers_lookup_pseudo: sync with sudoers_lookup_check This makes sudoers_lookup_pseudo(), which is used for pseudo-command like "list" and "validate" a bit more like sudoers_lookup_check(). Time of day checks are performed, and callbacks are supported. We cannot use the same code for regular commands and pseudo-commands due to the "pwcheck == all" case.
2023-07-25 15:57:20 -06:00
break;
default:
/*
* RunAs user doesn't match list user.
* Only allow listing if the user has
* "sudo ALL" for root.
*/
if (root_pw != NULL &&
runas_matches_pw(nss->parse_tree, cs,
root_pw) == ALLOW) {
runas_match = ALLOW;
cmnd_match = cmnd_matches_all(nss->parse_tree,
cs->cmnd, cs->runchroot, NULL);
A user with "list" privs for root may not list all users. A user with "sudo ALL" for root _is_ allowed to list any user.
2023-03-03 13:57:27 -07:00
}
sudoers_lookup_pseudo: sync with sudoers_lookup_check This makes sudoers_lookup_pseudo(), which is used for pseudo-command like "list" and "validate" a bit more like sudoers_lookup_check(). Time of day checks are performed, and callbacks are supported. We cannot use the same code for regular commands and pseudo-commands due to the "pwcheck == all" case.
2023-07-25 15:57:20 -06:00
break;
Add "list" pseudo-command to allow a user to list another user's privs. Previously, only root or a user with the ability to run any command as either root or the target user on the current host could use the -U option. For "sudo -l [-U otheruser] command", NewArgv[0] is now set to "list" (just like "sudo -l") and the actual command to be checked starts with NewArgv[1].
2022-12-11 13:46:00 -07:00
}
sudoers_lookup_pseudo: sync with sudoers_lookup_check This makes sudoers_lookup_pseudo(), which is used for pseudo-command like "list" and "validate" a bit more like sudoers_lookup_check(). Time of day checks are performed, and callbacks are supported. We cannot use the same code for regular commands and pseudo-commands due to the "pwcheck == all" case.
2023-07-25 15:57:20 -06:00
}
Use a single callback for sudoers_lookup() and add a closure pointer. The single callback now receives all the match info (or UNSPEC if no match was attempted). This makes it possible to use the callback for more than just printing testsudoers output.
2023-08-07 15:06:19 -06:00
if (callback != NULL) {
Add verbose version of "sudo -l command" by using an extra -l. The output of "sudo -ll command" consists of the matching sudoers rule (in long form) with the addition of a "Matched" entry that shows the fully-qualfied path along with any arguments.
2023-08-09 10:16:10 -06:00
callback(nss->parse_tree, us, user_match, priv,
host_match, cs, date_match, runas_match,
cmnd_match, cb_data);
sudoers_lookup_pseudo: sync with sudoers_lookup_check This makes sudoers_lookup_pseudo(), which is used for pseudo-command like "list" and "validate" a bit more like sudoers_lookup_check(). Time of day checks are performed, and callbacks are supported. We cannot use the same code for regular commands and pseudo-commands due to the "pwcheck == all" case.
2023-07-25 15:57:20 -06:00
}
Try to make sudo less vulnerable to ROWHAMMER attacks. We now use ROWHAMMER-resistent values for ALLOW, DENY, AUTH_SUCCESS, AUTH_FAILURE, AUTH_ERROR and AUTH_NONINTERACTIVE. In addition, we explicitly test for expected values instead of using a negated test against an error value. In the parser match functions this means explicitly checking for ALLOW or DENY instead of accepting anything that is not set to UNSPEC. Thanks to Andrew J. Adiletta, M. Caner Tol, Yarkin Doroz, and Berk Sunar, all affiliated with the Vernam Applied Cryptography and Cybersecurity Lab at Worcester Polytechnic Institute, for the report. Paper preprint: https://arxiv.org/abs/2309.02545
2023-09-09 14:07:04 -06:00
if (SPECIFIED(cmnd_match)) {
sudoers_lookup_pseudo: sync with sudoers_lookup_check This makes sudoers_lookup_pseudo(), which is used for pseudo-command like "list" and "validate" a bit more like sudoers_lookup_check(). Time of day checks are performed, and callbacks are supported. We cannot use the same code for regular commands and pseudo-commands due to the "pwcheck == all" case.
2023-07-25 15:57:20 -06:00
/*
* We take the last match but must process
* the entire policy for pwcheck == all.
*/
match = cmnd_match;
Fix potential NULL deref if getpwuid(0) fails. Coverity CID 249326
2022-02-15 19:41:31 -07:00
}
no longer return VALIDATE_NOT_OK if there was a runas that didn't match. Now we can have runas stuff on more than one line.
1996-07-26 17:23:40 +00:00
}
}
made -v (validate) work
1995-03-28 20:26:55 +00:00
}
sudoers_lookup_pseudo: sync with sudoers_lookup_check This makes sudoers_lookup_pseudo(), which is used for pseudo-command like "list" and "validate" a bit more like sudoers_lookup_check(). Time of day checks are performed, and callbacks are supported. We cannot use the same code for regular commands and pseudo-commands due to the "pwcheck == all" case.
2023-07-25 15:57:20 -06:00
if (!sudo_nss_can_continue(nss, match))
break;
Rewritten parser that converts sudoers into a set of data structures. This eliminates ordering issues and makes it possible to apply sudoers Defaults entries before searching for the command.
2004-10-26 22:10:55 +00:00
}
Restrict "sudo -U other -l" to users with sudo ALL for root or "other". Having "sudo ALL" permissions in no longer sufficient to be able to list another user's privileges. The invoking user must now have "sudo ALL" for root or the target user. GitHub issue #134
2022-02-14 13:09:55 -07:00
if (root_pw != NULL)
sudo_pw_delref(root_pw);
Make struct sudoers_context private to sudoers.c. We now pass a pointer to the context where necessary. There are a few cases where we need to request the context from sudoers via sudoers_get_context() for the plugin API functions. If the plugin API was able to pass around a closure pointer this would not be necessary.
2023-08-21 09:21:49 -06:00
if (match == ALLOW || ctx->user.uid == 0) {
Simplify the nss interface such that each sudoers provider fills in a per-nss list of userspecs and defaults instead of using separate lookup and list functions. This makes it possible to have a single implementation of the code for sudoers lookup and listing.
2018-05-14 09:05:03 -06:00
/* User has an entry for this host. */
SET(validated, VALIDATE_SUCCESS);
sudoers_lookup_pseudo: init match to UNSPEC for sudo_nss_can_continue(). Otherwise, processing will stop after the first sudoers nsswitch service specification where [SUCCESS=return] is present.
2023-12-15 10:45:22 -07:00
} else {
/* No entry or user is not allowed to list other users. */
Simplify the nss interface such that each sudoers provider fills in a per-nss list of userspecs and defaults instead of using separate lookup and list functions. This makes it possible to have a single implementation of the code for sudoers lookup and listing.
2018-05-14 09:05:03 -06:00
SET(validated, VALIDATE_FAILURE);
sudoers_lookup_pseudo: init match to UNSPEC for sudo_nss_can_continue(). Otherwise, processing will stop after the first sudoers nsswitch service specification where [SUCCESS=return] is present.
2023-12-15 10:45:22 -07:00
}
Simplify the nss interface such that each sudoers provider fills in a per-nss list of userspecs and defaults instead of using separate lookup and list functions. This makes it possible to have a single implementation of the code for sudoers lookup and listing.
2018-05-14 09:05:03 -06:00
if (pwcheck == always && def_authenticate)
SET(validated, FLAG_CHECK_USER);
else if (nopass == true)
def_authenticate = false;
Add "list" pseudo-command to allow a user to list another user's privs. Previously, only root or a user with the ability to run any command as either root or the target user on the current host could use the -U option. For "sudo -l [-U otheruser] command", NewArgv[0] is now set to "list" (just like "sudo -l") and the actual command to be checked starts with NewArgv[1].
2022-12-11 13:46:00 -07:00
/* Restore original def_runchroot. */
def_runchroot = saved_runchroot;
sudoers plugin: make more bit flags unsigned.
2023-07-10 11:06:23 -06:00
debug_return_uint(validated);
Simplify the nss interface such that each sudoers provider fills in a per-nss list of userspecs and defaults instead of using separate lookup and list functions. This makes it possible to have a single implementation of the code for sudoers lookup and listing.
2018-05-14 09:05:03 -06:00
}
now groks command arguments
1995-08-14 04:06:27 +00:00
Simplify the nss interface such that each sudoers provider fills in a per-nss list of userspecs and defaults instead of using separate lookup and list functions. This makes it possible to have a single implementation of the code for sudoers lookup and listing.
2018-05-14 09:05:03 -06:00
static int
Make struct sudoers_context private to sudoers.c. We now pass a pointer to the context where necessary. There are a few cases where we need to request the context from sudoers via sudoers_get_context() for the plugin API functions. If the plugin API was able to pass around a closure pointer this would not be necessary.
2023-08-21 09:21:49 -06:00
sudoers_lookup_check(struct sudo_nss *nss, struct sudoers_context *ctx,
sudoers plugin: make more bit flags unsigned.
2023-07-10 11:06:23 -06:00
unsigned int *validated, struct cmnd_info *info, time_t now,
Use a single callback for sudoers_lookup() and add a closure pointer. The single callback now receives all the match info (or UNSPEC if no match was attempted). This makes it possible to use the callback for more than just printing testsudoers output.
2023-08-07 15:06:19 -06:00
sudoers_lookup_callback_fn_t callback, void *cb_data,
struct cmndspec **matching_cs, struct defaults_list **defs)
Simplify the nss interface such that each sudoers provider fills in a per-nss list of userspecs and defaults instead of using separate lookup and list functions. This makes it possible to have a single implementation of the code for sudoers lookup and listing.
2018-05-14 09:05:03 -06:00
{
struct cmndspec *cs;
struct privilege *priv;
struct userspec *us;
struct member *matching_user;
debug_decl and debug_decl_vars now require a semicolon at the end.
2019-12-22 08:48:16 -07:00
debug_decl(sudoers_lookup_check, SUDOERS_DEBUG_PARSER);
FAST_MATCH is no longer an optino
1998-10-15 03:57:14 +00:00
Move the check for running setid commands in intercept mode to later. Checking for setid commands in intercept mode after command matching allows us to log a proper error message. Previously, we simply ignored setid commands when matching and the only indication of why was in the debug logs.
2023-11-02 13:44:17 -06:00
memset(info, 0, sizeof(*info));
Pass a struct to the match functions to track the resolved command. This makes it possible to update user_cmnd and cmnd_status modified by per-rule CHROOT settings.
2020-09-09 15:26:45 -06:00
o Move userspecs, defaults and aliases into a new struct sudoers_parse_tree. o The parse tree is now passed to the alias, match and defaults functions. o The nss API has been changed so that the nss parse() function returns a pointer to a struct sudoers_parse_tree which will be filled in by the getdefs() and query() functions.
2018-07-26 15:12:33 -06:00
TAILQ_FOREACH_REVERSE(us, &nss->parse_tree->userspecs, userspec_list, entries) {
Make all match functions return ALLOW/DENY not true/false.
2023-09-09 14:07:06 -06:00
const int user_match = userlist_matches(nss->parse_tree, ctx->user.pw,
&us->users);
Use a single callback for sudoers_lookup() and add a closure pointer. The single callback now receives all the match info (or UNSPEC if no match was attempted). This makes it possible to use the callback for more than just printing testsudoers output.
2023-08-07 15:06:19 -06:00
if (user_match != ALLOW) {
Try to make sudo less vulnerable to ROWHAMMER attacks. We now use ROWHAMMER-resistent values for ALLOW, DENY, AUTH_SUCCESS, AUTH_FAILURE, AUTH_ERROR and AUTH_NONINTERACTIVE. In addition, we explicitly test for expected values instead of using a negated test against an error value. In the parser match functions this means explicitly checking for ALLOW or DENY instead of accepting anything that is not set to UNSPEC. Thanks to Andrew J. Adiletta, M. Caner Tol, Yarkin Doroz, and Berk Sunar, all affiliated with the Vernam Applied Cryptography and Cybersecurity Lab at Worcester Polytechnic Institute, for the report. Paper preprint: https://arxiv.org/abs/2309.02545
2023-09-09 14:07:04 -06:00
if (callback != NULL && user_match == DENY) {
Add verbose version of "sudo -l command" by using an extra -l. The output of "sudo -ll command" consists of the matching sudoers rule (in long form) with the addition of a "Matched" entry that shows the fully-qualfied path along with any arguments.
2023-08-09 10:16:10 -06:00
callback(nss->parse_tree, us, user_match, NULL, UNSPEC, NULL,
UNSPEC, UNSPEC, UNSPEC, cb_data);
Use a single callback for sudoers_lookup() and add a closure pointer. The single callback now receives all the match info (or UNSPEC if no match was attempted). This makes it possible to use the callback for more than just printing testsudoers output.
2023-08-07 15:06:19 -06:00
}
Make matching but negated commands/hosts/runas entries override a previous match as expected. Also reduce some levels of indent by a few placed continue statements.
2007-07-06 00:20:51 +00:00
continue;
Use a single callback for sudoers_lookup() and add a closure pointer. The single callback now receives all the match info (or UNSPEC if no match was attempted). This makes it possible to use the callback for more than just printing testsudoers output.
2023-08-07 15:06:19 -06:00
}
Simplify the nss interface such that each sudoers provider fills in a per-nss list of userspecs and defaults instead of using separate lookup and list functions. This makes it possible to have a single implementation of the code for sudoers lookup and listing.
2018-05-14 09:05:03 -06:00
CLR(*validated, FLAG_NO_USER);
Add "headless" tail queues and use them in place of the semi-circular lists in sudoers. Once the headless tail queue is built up it is converted to a normal TAILQ. This removes the last consumer of list.c and list.h so those can now be removed.
2013-10-22 09:08:38 -06:00
TAILQ_FOREACH_REVERSE(priv, &us->privileges, privilege_list, entries) {
Make all match functions return ALLOW/DENY not true/false.
2023-09-09 14:07:06 -06:00
const int host_match = hostlist_matches(nss->parse_tree,
ctx->user.pw, &priv->hostlist);
Use a single callback for sudoers_lookup() and add a closure pointer. The single callback now receives all the match info (or UNSPEC if no match was attempted). This makes it possible to use the callback for more than just printing testsudoers output.
2023-08-07 15:06:19 -06:00
if (host_match == ALLOW) {
Simplify the nss interface such that each sudoers provider fills in a per-nss list of userspecs and defaults instead of using separate lookup and list functions. This makes it possible to have a single implementation of the code for sudoers lookup and listing.
2018-05-14 09:05:03 -06:00
CLR(*validated, FLAG_NO_HOST);
Use a single callback for sudoers_lookup() and add a closure pointer. The single callback now receives all the match info (or UNSPEC if no match was attempted). This makes it possible to use the callback for more than just printing testsudoers output.
2023-08-07 15:06:19 -06:00
} else {
if (callback != NULL) {
Add verbose version of "sudo -l command" by using an extra -l. The output of "sudo -ll command" consists of the matching sudoers rule (in long form) with the addition of a "Matched" entry that shows the fully-qualfied path along with any arguments.
2023-08-09 10:16:10 -06:00
callback(nss->parse_tree, us, user_match, priv, host_match,
NULL, UNSPEC, UNSPEC, UNSPEC, cb_data);
Use a single callback for sudoers_lookup() and add a closure pointer. The single callback now receives all the match info (or UNSPEC if no match was attempted). This makes it possible to use the callback for more than just printing testsudoers output.
2023-08-07 15:06:19 -06:00
}
Use LH_FOREACH_REV when checking permission and short-circuit on the first non-UNSPEC hit we get for the command. This means that instead of cycling through the all the parsed sudoers entries we start at the end and work backwards and quit after the first positive or negative match.
2007-08-31 01:21:26 +00:00
continue;
Use a single callback for sudoers_lookup() and add a closure pointer. The single callback now receives all the match info (or UNSPEC if no match was attempted). This makes it possible to use the callback for more than just printing testsudoers output.
2023-08-07 15:06:19 -06:00
}
Add "headless" tail queues and use them in place of the semi-circular lists in sudoers. Once the headless tail queue is built up it is converted to a normal TAILQ. This removes the last consumer of list.c and list.h so those can now be removed.
2013-10-22 09:08:38 -06:00
TAILQ_FOREACH_REVERSE(cs, &priv->cmndlist, cmndspec_list, entries) {
Add callbacks to sudoers_lookup() so we can use it in testsudoers. Also pass in the time to be used for NOTBEFORE/NOTAFTER checks.
2023-06-29 17:30:39 -06:00
int cmnd_match = UNSPEC;
int date_match = UNSPEC;
int runas_match = UNSPEC;
Add NOTBEFORE and NOTAFTER command options similar to what is already available in LDAP.
2017-02-18 15:35:48 -07:00
if (cs->notbefore != UNSPEC) {
Add callbacks to sudoers_lookup() so we can use it in testsudoers. Also pass in the time to be used for NOTBEFORE/NOTAFTER checks.
2023-06-29 17:30:39 -06:00
date_match = now < cs->notbefore ? DENY : ALLOW;
Add NOTBEFORE and NOTAFTER command options similar to what is already available in LDAP.
2017-02-18 15:35:48 -07:00
}
if (cs->notafter != UNSPEC) {
Add callbacks to sudoers_lookup() so we can use it in testsudoers. Also pass in the time to be used for NOTBEFORE/NOTAFTER checks.
2023-06-29 17:30:39 -06:00
date_match = now > cs->notafter ? DENY : ALLOW;
Add NOTBEFORE and NOTAFTER command options similar to what is already available in LDAP.
2017-02-18 15:35:48 -07:00
}
Add callbacks to sudoers_lookup() so we can use it in testsudoers. Also pass in the time to be used for NOTBEFORE/NOTAFTER checks.
2023-06-29 17:30:39 -06:00
if (date_match != DENY) {
matching_user = NULL;
runas_match = runaslist_matches(nss->parse_tree,
cs->runasuserlist, cs->runasgrouplist, &matching_user,
NULL);
if (runas_match == ALLOW) {
cmnd_match = cmnd_matches(nss->parse_tree, cs->cmnd,
cs->runchroot, info);
}
}
Use a single callback for sudoers_lookup() and add a closure pointer. The single callback now receives all the match info (or UNSPEC if no match was attempted). This makes it possible to use the callback for more than just printing testsudoers output.
2023-08-07 15:06:19 -06:00
if (callback != NULL) {
Add verbose version of "sudo -l command" by using an extra -l. The output of "sudo -ll command" consists of the matching sudoers rule (in long form) with the addition of a "Matched" entry that shows the fully-qualfied path along with any arguments.
2023-08-09 10:16:10 -06:00
callback(nss->parse_tree, us, user_match, priv, host_match,
cs, date_match, runas_match, cmnd_match, cb_data);
Use a single callback for sudoers_lookup() and add a closure pointer. The single callback now receives all the match info (or UNSPEC if no match was attempted). This makes it possible to use the callback for more than just printing testsudoers output.
2023-08-07 15:06:19 -06:00
}
Try to make sudo less vulnerable to ROWHAMMER attacks. We now use ROWHAMMER-resistent values for ALLOW, DENY, AUTH_SUCCESS, AUTH_FAILURE, AUTH_ERROR and AUTH_NONINTERACTIVE. In addition, we explicitly test for expected values instead of using a negated test against an error value. In the parser match functions this means explicitly checking for ALLOW or DENY instead of accepting anything that is not set to UNSPEC. Thanks to Andrew J. Adiletta, M. Caner Tol, Yarkin Doroz, and Berk Sunar, all affiliated with the Vernam Applied Cryptography and Cybersecurity Lab at Worcester Polytechnic Institute, for the report. Paper preprint: https://arxiv.org/abs/2309.02545
2023-09-09 14:07:04 -06:00
if (SPECIFIED(cmnd_match)) {
Add callbacks to sudoers_lookup() so we can use it in testsudoers. Also pass in the time to be used for NOTBEFORE/NOTAFTER checks.
2023-06-29 17:30:39 -06:00
/*
* If user is running command as themselves,
Make struct sudoers_context private to sudoers.c. We now pass a pointer to the context where necessary. There are a few cases where we need to request the context from sudoers via sudoers_get_context() for the plugin API functions. If the plugin API was able to pass around a closure pointer this would not be necessary.
2023-08-21 09:21:49 -06:00
* set ctx->runas.pw = ctx->user.pw.
Add callbacks to sudoers_lookup() so we can use it in testsudoers. Also pass in the time to be used for NOTBEFORE/NOTAFTER checks.
2023-06-29 17:30:39 -06:00
* XXX - hack, want more general solution
*/
if (matching_user && matching_user->type == MYSELF) {
Make struct sudoers_context private to sudoers.c. We now pass a pointer to the context where necessary. There are a few cases where we need to request the context from sudoers via sudoers_get_context() for the plugin API functions. If the plugin API was able to pass around a closure pointer this would not be necessary.
2023-08-21 09:21:49 -06:00
sudo_pw_delref(ctx->runas.pw);
sudo_pw_addref(ctx->user.pw);
ctx->runas.pw = ctx->user.pw;
Use LH_FOREACH_REV when checking permission and short-circuit on the first non-UNSPEC hit we get for the command. This means that instead of cycling through the all the parsed sudoers entries we start at the end and work backwards and quit after the first positive or negative match.
2007-08-31 01:21:26 +00:00
}
Add callbacks to sudoers_lookup() so we can use it in testsudoers. Also pass in the time to be used for NOTBEFORE/NOTAFTER checks.
2023-06-29 17:30:39 -06:00
*matching_cs = cs;
*defs = &priv->defaults;
sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_LINENO,
"userspec matched @ %s:%d:%d: %s",
us->file ? us->file : "???", us->line, us->column,
cmnd_match ? "allowed" : "denied");
debug_return_int(cmnd_match);
Rewritten parser that converts sudoers into a set of data structures. This eliminates ordering issues and makes it possible to apply sudoers Defaults entries before searching for the command.
2004-10-26 22:10:55 +00:00
}
Add callbacks to sudoers_lookup() so we can use it in testsudoers. Also pass in the time to be used for NOTBEFORE/NOTAFTER checks.
2023-06-29 17:30:39 -06:00
free(info->cmnd_path);
Move the check for running setid commands in intercept mode to later. Checking for setid commands in intercept mode after command matching allows us to log a proper error message. Previously, we simply ignored setid commands when matching and the only indication of why was in the debug logs.
2023-11-02 13:44:17 -06:00
memset(info, 0, sizeof(*info));
Stash the "safe" path (ie: the one listed in sudoers) to the command instead of stashing the struct stat. Should be safer.
1999-04-10 04:10:01 +00:00
}
now uses fnmatch() instead of wildmat a trailing star (*) by itself now matches multiple args added support for wildcards in the pathname in sudoers
1996-05-27 23:38:46 +00:00
}
}
Simplify the nss interface such that each sudoers provider fills in a per-nss list of userspecs and defaults instead of using separate lookup and list functions. This makes it possible to have a single implementation of the code for sudoers lookup and listing.
2018-05-14 09:05:03 -06:00
debug_return_int(UNSPEC);
}
/*
Fix some typos
2022-11-21 14:50:22 +08:00
* Apply cmndspec-specific settings including SELinux role/type,
apply_cmndspec: plug apparmor_profile leak Also override existing Solaris privs if specified.
2024-05-03 08:15:19 -06:00
* AppArmor profile, Solaris privs, and command tags.
Simplify the nss interface such that each sudoers provider fills in a per-nss list of userspecs and defaults instead of using separate lookup and list functions. This makes it possible to have a single implementation of the code for sudoers lookup and listing.
2018-05-14 09:05:03 -06:00
*/
static bool
Make struct sudoers_context private to sudoers.c. We now pass a pointer to the context where necessary. There are a few cases where we need to request the context from sudoers via sudoers_get_context() for the plugin API functions. If the plugin API was able to pass around a closure pointer this would not be necessary.
2023-08-21 09:21:49 -06:00
apply_cmndspec(struct sudoers_context *ctx, struct cmndspec *cs)
Simplify the nss interface such that each sudoers provider fills in a per-nss list of userspecs and defaults instead of using separate lookup and list functions. This makes it possible to have a single implementation of the code for sudoers lookup and listing.
2018-05-14 09:05:03 -06:00
{
debug_decl and debug_decl_vars now require a semicolon at the end.
2019-12-22 08:48:16 -07:00
debug_decl(apply_cmndspec, SUDOERS_DEBUG_PARSER);
Simplify the nss interface such that each sudoers provider fills in a per-nss list of userspecs and defaults instead of using separate lookup and list functions. This makes it possible to have a single implementation of the code for sudoers lookup and listing.
2018-05-14 09:05:03 -06:00
if (cs != NULL) {
/* Set role and type if not specified on command line. */
Make struct sudoers_context private to sudoers.c. We now pass a pointer to the context where necessary. There are a few cases where we need to request the context from sudoers via sudoers_get_context() for the plugin API functions. If the plugin API was able to pass around a closure pointer this would not be necessary.
2023-08-21 09:21:49 -06:00
if (ctx->runas.role == NULL) {
Simplify the nss interface such that each sudoers provider fills in a per-nss list of userspecs and defaults instead of using separate lookup and list functions. This makes it possible to have a single implementation of the code for sudoers lookup and listing.
2018-05-14 09:05:03 -06:00
if (cs->role != NULL) {
Make struct sudoers_context private to sudoers.c. We now pass a pointer to the context where necessary. There are a few cases where we need to request the context from sudoers via sudoers_get_context() for the plugin API functions. If the plugin API was able to pass around a closure pointer this would not be necessary.
2023-08-21 09:21:49 -06:00
ctx->runas.role = strdup(cs->role);
if (ctx->runas.role == NULL) {
Simplify the nss interface such that each sudoers provider fills in a per-nss list of userspecs and defaults instead of using separate lookup and list functions. This makes it possible to have a single implementation of the code for sudoers lookup and listing.
2018-05-14 09:05:03 -06:00
sudo_warnx(U_("%s: %s"), __func__,
U_("unable to allocate memory"));
debug_return_bool(false);
Add support for MAIL and NOMAIL command tags to toggle mail sending behavior on a per-command (or Cmnd_Alias) basis.
2015-02-19 10:02:20 -07:00
}
Simplify the nss interface such that each sudoers provider fills in a per-nss list of userspecs and defaults instead of using separate lookup and list functions. This makes it possible to have a single implementation of the code for sudoers lookup and listing.
2018-05-14 09:05:03 -06:00
} else {
Make struct sudoers_context private to sudoers.c. We now pass a pointer to the context where necessary. There are a few cases where we need to request the context from sudoers via sudoers_get_context() for the plugin API functions. If the plugin API was able to pass around a closure pointer this would not be necessary.
2023-08-21 09:21:49 -06:00
ctx->runas.role = def_role;
Always dynamically allocate user_role, user_type, user_privs, user_limitprivs
2021-02-14 07:47:48 -07:00
def_role = NULL;
Add support for MAIL and NOMAIL command tags to toggle mail sending behavior on a per-command (or Cmnd_Alias) basis.
2015-02-19 10:02:20 -07:00
}
Make struct sudoers_context private to sudoers.c. We now pass a pointer to the context where necessary. There are a few cases where we need to request the context from sudoers via sudoers_get_context() for the plugin API functions. If the plugin API was able to pass around a closure pointer this would not be necessary.
2023-08-21 09:21:49 -06:00
if (ctx->runas.role != NULL) {
Don't print a NULL as a string if role/type/privs/limitprivs is not set. We can't rely on printf("%s", NULL) not crashing.
2021-02-18 06:09:08 -07:00
sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
Make struct sudoers_context private to sudoers.c. We now pass a pointer to the context where necessary. There are a few cases where we need to request the context from sudoers via sudoers_get_context() for the plugin API functions. If the plugin API was able to pass around a closure pointer this would not be necessary.
2023-08-21 09:21:49 -06:00
"ctx->runas.role -> %s", ctx->runas.role);
Don't print a NULL as a string if role/type/privs/limitprivs is not set. We can't rely on printf("%s", NULL) not crashing.
2021-02-18 06:09:08 -07:00
}
Fix CIDR -> in_addr_t conversion.
2001-12-13 01:07:25 +00:00
}
Make struct sudoers_context private to sudoers.c. We now pass a pointer to the context where necessary. There are a few cases where we need to request the context from sudoers via sudoers_get_context() for the plugin API functions. If the plugin API was able to pass around a closure pointer this would not be necessary.
2023-08-21 09:21:49 -06:00
if (ctx->runas.type == NULL) {
Simplify the nss interface such that each sudoers provider fills in a per-nss list of userspecs and defaults instead of using separate lookup and list functions. This makes it possible to have a single implementation of the code for sudoers lookup and listing.
2018-05-14 09:05:03 -06:00
if (cs->type != NULL) {
Make struct sudoers_context private to sudoers.c. We now pass a pointer to the context where necessary. There are a few cases where we need to request the context from sudoers via sudoers_get_context() for the plugin API functions. If the plugin API was able to pass around a closure pointer this would not be necessary.
2023-08-21 09:21:49 -06:00
ctx->runas.type = strdup(cs->type);
if (ctx->runas.type == NULL) {
Simplify the nss interface such that each sudoers provider fills in a per-nss list of userspecs and defaults instead of using separate lookup and list functions. This makes it possible to have a single implementation of the code for sudoers lookup and listing.
2018-05-14 09:05:03 -06:00
sudo_warnx(U_("%s: %s"), __func__,
U_("unable to allocate memory"));
debug_return_bool(false);
Add support for MAIL and NOMAIL command tags to toggle mail sending behavior on a per-command (or Cmnd_Alias) basis.
2015-02-19 10:02:20 -07:00
}
Simplify the nss interface such that each sudoers provider fills in a per-nss list of userspecs and defaults instead of using separate lookup and list functions. This makes it possible to have a single implementation of the code for sudoers lookup and listing.
2018-05-14 09:05:03 -06:00
} else {
Make struct sudoers_context private to sudoers.c. We now pass a pointer to the context where necessary. There are a few cases where we need to request the context from sudoers via sudoers_get_context() for the plugin API functions. If the plugin API was able to pass around a closure pointer this would not be necessary.
2023-08-21 09:21:49 -06:00
ctx->runas.type = def_type;
Always dynamically allocate user_role, user_type, user_privs, user_limitprivs
2021-02-14 07:47:48 -07:00
def_type = NULL;
Add support for MAIL and NOMAIL command tags to toggle mail sending behavior on a per-command (or Cmnd_Alias) basis.
2015-02-19 10:02:20 -07:00
}
Make struct sudoers_context private to sudoers.c. We now pass a pointer to the context where necessary. There are a few cases where we need to request the context from sudoers via sudoers_get_context() for the plugin API functions. If the plugin API was able to pass around a closure pointer this would not be necessary.
2023-08-21 09:21:49 -06:00
if (ctx->runas.type != NULL) {
Don't print a NULL as a string if role/type/privs/limitprivs is not set. We can't rely on printf("%s", NULL) not crashing.
2021-02-18 06:09:08 -07:00
sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
Make struct sudoers_context private to sudoers.c. We now pass a pointer to the context where necessary. There are a few cases where we need to request the context from sudoers via sudoers_get_context() for the plugin API functions. If the plugin API was able to pass around a closure pointer this would not be necessary.
2023-08-21 09:21:49 -06:00
"ctx->runas.type -> %s", ctx->runas.type);
Don't print a NULL as a string if role/type/privs/limitprivs is not set. We can't rely on printf("%s", NULL) not crashing.
2021-02-18 06:09:08 -07:00
}
Add support for MAIL and NOMAIL command tags to toggle mail sending behavior on a per-command (or Cmnd_Alias) basis.
2015-02-19 10:02:20 -07:00
}
Add an APPARMOR_PROFILE user spec option to sudoers sudoers now supports an APPARMOR_PROFILE option, which can be specified as e.g. alice ALL=(ALL:ALL) APPARMOR_PROFILE=foo ALL The line above says "user alice can run any command as any user/group, under confinement by the AppArmor profile 'foo'." Profiles can be specified in any way that complies with the rules of aa_change_profile(2). For instance, the sudoers configuration alice ALL=(ALL:ALL) APPARMOR_PROFILE=unconfined ALL allows alice to run any command unconfined (i.e., without an AppArmor profile), while alice ALL=(ALL:ALL) APPARMOR_PROFILE=foo//&bar ALL tells sudoers that alice can run any command under the stacked AppArmor profiles 'foo' and 'bar'. The intention of this option is to give sysadmins on Linux distros supporting AppArmor better options for fine-grained access control. Among other things, this option can enforce mandatory access control (MAC) over the operations that a privileged user is able to perform to ensure that they cannot privesc past the boundaries of a specified profile. It can also be used to limit which users are able to get unconfined system access, by enforcing a default AppArmor profile on all users and then specifying 'APPARMOR_PROFILE=unconfined' for a privileged subset of users.
2022-05-23 13:16:10 -06:00
/* Set AppArmor profile, if specified */
if (cs->apparmor_profile != NULL) {
apply_cmndspec: plug apparmor_profile leak Also override existing Solaris privs if specified.
2024-05-03 08:15:19 -06:00
free(ctx->runas.apparmor_profile);
Make struct sudoers_context private to sudoers.c. We now pass a pointer to the context where necessary. There are a few cases where we need to request the context from sudoers via sudoers_get_context() for the plugin API functions. If the plugin API was able to pass around a closure pointer this would not be necessary.
2023-08-21 09:21:49 -06:00
ctx->runas.apparmor_profile = strdup(cs->apparmor_profile);
if (ctx->runas.apparmor_profile == NULL) {
Fix a few whitespace issues.
2022-07-09 11:21:17 -06:00
sudo_warnx(U_("%s: %s"), __func__,
U_("unable to allocate memory"));
debug_return_bool(false);
}
Add an APPARMOR_PROFILE user spec option to sudoers sudoers now supports an APPARMOR_PROFILE option, which can be specified as e.g. alice ALL=(ALL:ALL) APPARMOR_PROFILE=foo ALL The line above says "user alice can run any command as any user/group, under confinement by the AppArmor profile 'foo'." Profiles can be specified in any way that complies with the rules of aa_change_profile(2). For instance, the sudoers configuration alice ALL=(ALL:ALL) APPARMOR_PROFILE=unconfined ALL allows alice to run any command unconfined (i.e., without an AppArmor profile), while alice ALL=(ALL:ALL) APPARMOR_PROFILE=foo//&bar ALL tells sudoers that alice can run any command under the stacked AppArmor profiles 'foo' and 'bar'. The intention of this option is to give sysadmins on Linux distros supporting AppArmor better options for fine-grained access control. Among other things, this option can enforce mandatory access control (MAC) over the operations that a privileged user is able to perform to ensure that they cannot privesc past the boundaries of a specified profile. It can also be used to limit which users are able to get unconfined system access, by enforcing a default AppArmor profile on all users and then specifying 'APPARMOR_PROFILE=unconfined' for a privileged subset of users.
2022-05-23 13:16:10 -06:00
} else {
apply_cmndspec: plug potential memory leak If apply_cmndspec() is called where the cmndspec defines an apparmor profile or Solaris privileges, and then is called again with a cmndspec that does not have those set we would leak the original value.
2024-05-06 13:04:00 -06:00
free(ctx->runas.apparmor_profile);
Make struct sudoers_context private to sudoers.c. We now pass a pointer to the context where necessary. There are a few cases where we need to request the context from sudoers via sudoers_get_context() for the plugin API functions. If the plugin API was able to pass around a closure pointer this would not be necessary.
2023-08-21 09:21:49 -06:00
ctx->runas.apparmor_profile = def_apparmor_profile;
Fix a few whitespace issues.
2022-07-09 11:21:17 -06:00
def_apparmor_profile = NULL;
Add an APPARMOR_PROFILE user spec option to sudoers sudoers now supports an APPARMOR_PROFILE option, which can be specified as e.g. alice ALL=(ALL:ALL) APPARMOR_PROFILE=foo ALL The line above says "user alice can run any command as any user/group, under confinement by the AppArmor profile 'foo'." Profiles can be specified in any way that complies with the rules of aa_change_profile(2). For instance, the sudoers configuration alice ALL=(ALL:ALL) APPARMOR_PROFILE=unconfined ALL allows alice to run any command unconfined (i.e., without an AppArmor profile), while alice ALL=(ALL:ALL) APPARMOR_PROFILE=foo//&bar ALL tells sudoers that alice can run any command under the stacked AppArmor profiles 'foo' and 'bar'. The intention of this option is to give sysadmins on Linux distros supporting AppArmor better options for fine-grained access control. Among other things, this option can enforce mandatory access control (MAC) over the operations that a privileged user is able to perform to ensure that they cannot privesc past the boundaries of a specified profile. It can also be used to limit which users are able to get unconfined system access, by enforcing a default AppArmor profile on all users and then specifying 'APPARMOR_PROFILE=unconfined' for a privileged subset of users.
2022-05-23 13:16:10 -06:00
}
Make struct sudoers_context private to sudoers.c. We now pass a pointer to the context where necessary. There are a few cases where we need to request the context from sudoers via sudoers_get_context() for the plugin API functions. If the plugin API was able to pass around a closure pointer this would not be necessary.
2023-08-21 09:21:49 -06:00
if (ctx->runas.apparmor_profile != NULL) {
Fix a few whitespace issues.
2022-07-09 11:21:17 -06:00
sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
Make struct sudoers_context private to sudoers.c. We now pass a pointer to the context where necessary. There are a few cases where we need to request the context from sudoers via sudoers_get_context() for the plugin API functions. If the plugin API was able to pass around a closure pointer this would not be necessary.
2023-08-21 09:21:49 -06:00
"ctx->runas.apparmor_profile -> %s", ctx->runas.apparmor_profile);
Add an APPARMOR_PROFILE user spec option to sudoers sudoers now supports an APPARMOR_PROFILE option, which can be specified as e.g. alice ALL=(ALL:ALL) APPARMOR_PROFILE=foo ALL The line above says "user alice can run any command as any user/group, under confinement by the AppArmor profile 'foo'." Profiles can be specified in any way that complies with the rules of aa_change_profile(2). For instance, the sudoers configuration alice ALL=(ALL:ALL) APPARMOR_PROFILE=unconfined ALL allows alice to run any command unconfined (i.e., without an AppArmor profile), while alice ALL=(ALL:ALL) APPARMOR_PROFILE=foo//&bar ALL tells sudoers that alice can run any command under the stacked AppArmor profiles 'foo' and 'bar'. The intention of this option is to give sysadmins on Linux distros supporting AppArmor better options for fine-grained access control. Among other things, this option can enforce mandatory access control (MAC) over the operations that a privileged user is able to perform to ensure that they cannot privesc past the boundaries of a specified profile. It can also be used to limit which users are able to get unconfined system access, by enforcing a default AppArmor profile on all users and then specifying 'APPARMOR_PROFILE=unconfined' for a privileged subset of users.
2022-05-23 13:16:10 -06:00
}
Simplify the nss interface such that each sudoers provider fills in a per-nss list of userspecs and defaults instead of using separate lookup and list functions. This makes it possible to have a single implementation of the code for sudoers lookup and listing.
2018-05-14 09:05:03 -06:00
/* Set Solaris privilege sets */
apply_cmndspec: plug apparmor_profile leak Also override existing Solaris privs if specified.
2024-05-03 08:15:19 -06:00
if (cs->privs != NULL) {
free(ctx->runas.privs);
ctx->runas.privs = strdup(cs->privs);
if (ctx->runas.privs == NULL) {
sudo_warnx(U_("%s: %s"), __func__,
U_("unable to allocate memory"));
debug_return_bool(false);
Don't print a NULL as a string if role/type/privs/limitprivs is not set. We can't rely on printf("%s", NULL) not crashing.
2021-02-18 06:09:08 -07:00
}
apply_cmndspec: plug apparmor_profile leak Also override existing Solaris privs if specified.
2024-05-03 08:15:19 -06:00
} else {
apply_cmndspec: plug potential memory leak If apply_cmndspec() is called where the cmndspec defines an apparmor profile or Solaris privileges, and then is called again with a cmndspec that does not have those set we would leak the original value.
2024-05-06 13:04:00 -06:00
free(ctx->runas.privs);
apply_cmndspec: plug apparmor_profile leak Also override existing Solaris privs if specified.
2024-05-03 08:15:19 -06:00
ctx->runas.privs = def_privs;
def_privs = NULL;
Simplify the nss interface such that each sudoers provider fills in a per-nss list of userspecs and defaults instead of using separate lookup and list functions. This makes it possible to have a single implementation of the code for sudoers lookup and listing.
2018-05-14 09:05:03 -06:00
}
apply_cmndspec: plug apparmor_profile leak Also override existing Solaris privs if specified.
2024-05-03 08:15:19 -06:00
if (ctx->runas.privs != NULL) {
sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
"ctx->runas.privs -> %s", ctx->runas.privs);
}
if (cs->limitprivs != NULL) {
free(ctx->runas.limitprivs);
ctx->runas.limitprivs = strdup(cs->limitprivs);
if (ctx->runas.limitprivs == NULL) {
sudo_warnx(U_("%s: %s"), __func__,
U_("unable to allocate memory"));
debug_return_bool(false);
Don't print a NULL as a string if role/type/privs/limitprivs is not set. We can't rely on printf("%s", NULL) not crashing.
2021-02-18 06:09:08 -07:00
}
apply_cmndspec: plug apparmor_profile leak Also override existing Solaris privs if specified.
2024-05-03 08:15:19 -06:00
} else {
apply_cmndspec: plug potential memory leak If apply_cmndspec() is called where the cmndspec defines an apparmor profile or Solaris privileges, and then is called again with a cmndspec that does not have those set we would leak the original value.
2024-05-06 13:04:00 -06:00
free(ctx->runas.limitprivs);
apply_cmndspec: plug apparmor_profile leak Also override existing Solaris privs if specified.
2024-05-03 08:15:19 -06:00
ctx->runas.limitprivs = def_limitprivs;
def_limitprivs = NULL;
}
if (ctx->runas.limitprivs != NULL) {
sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
"ctx->runas.limitprivs -> %s", ctx->runas.limitprivs);
Simplify the nss interface such that each sudoers provider fills in a per-nss list of userspecs and defaults instead of using separate lookup and list functions. This makes it possible to have a single implementation of the code for sudoers lookup and listing.
2018-05-14 09:05:03 -06:00
}
Take the chroot into account when search for the command. This could a a user-specific chroot via the -R option, a runchroot Defaults value, or a per-command CHROOT spec in the sudoers rule.
2020-09-09 15:26:44 -06:00
if (cs->timeout > 0) {
Simplify the nss interface such that each sudoers provider fills in a per-nss list of userspecs and defaults instead of using separate lookup and list functions. This makes it possible to have a single implementation of the code for sudoers lookup and listing.
2018-05-14 09:05:03 -06:00
def_command_timeout = cs->timeout;
Take the chroot into account when search for the command. This could a a user-specific chroot via the -R option, a runchroot Defaults value, or a per-command CHROOT spec in the sudoers rule.
2020-09-09 15:26:44 -06:00
sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
"def_command_timeout -> %d", def_command_timeout);
}
Add CHROOT and CWD sudoers options. Also matching runchroot and runcwd Defaults settings.
2020-09-01 06:26:00 -06:00
if (cs->runcwd != NULL) {
free(def_runcwd);
def_runcwd = strdup(cs->runcwd);
if (def_runcwd == NULL) {
sudo_warnx(U_("%s: %s"), __func__,
U_("unable to allocate memory"));
debug_return_bool(false);
}
Take the chroot into account when search for the command. This could a a user-specific chroot via the -R option, a runchroot Defaults value, or a per-command CHROOT spec in the sudoers rule.
2020-09-09 15:26:44 -06:00
sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
"def_runcwd -> %s", def_runcwd);
Add CHROOT and CWD sudoers options. Also matching runchroot and runcwd Defaults settings.
2020-09-01 06:26:00 -06:00
}
if (cs->runchroot != NULL) {
free(def_runchroot);
def_runchroot = strdup(cs->runchroot);
if (def_runchroot == NULL) {
sudo_warnx(U_("%s: %s"), __func__,
U_("unable to allocate memory"));
debug_return_bool(false);
}
Take the chroot into account when search for the command. This could a a user-specific chroot via the -R option, a runchroot Defaults value, or a per-command CHROOT spec in the sudoers rule.
2020-09-09 15:26:44 -06:00
sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
"def_runchroot -> %s", def_runchroot);
Add CHROOT and CWD sudoers options. Also matching runchroot and runcwd Defaults settings.
2020-09-01 06:26:00 -06:00
}
Take the chroot into account when search for the command. This could a a user-specific chroot via the -R option, a runchroot Defaults value, or a per-command CHROOT spec in the sudoers rule.
2020-09-09 15:26:44 -06:00
if (cs->tags.nopasswd != UNSPEC) {
Simplify the nss interface such that each sudoers provider fills in a per-nss list of userspecs and defaults instead of using separate lookup and list functions. This makes it possible to have a single implementation of the code for sudoers lookup and listing.
2018-05-14 09:05:03 -06:00
def_authenticate = !cs->tags.nopasswd;
Take the chroot into account when search for the command. This could a a user-specific chroot via the -R option, a runchroot Defaults value, or a per-command CHROOT spec in the sudoers rule.
2020-09-09 15:26:44 -06:00
sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
"def_authenticate -> %s", def_authenticate ? "true" : "false");
}
if (cs->tags.noexec != UNSPEC) {
Simplify the nss interface such that each sudoers provider fills in a per-nss list of userspecs and defaults instead of using separate lookup and list functions. This makes it possible to have a single implementation of the code for sudoers lookup and listing.
2018-05-14 09:05:03 -06:00
def_noexec = cs->tags.noexec;
Take the chroot into account when search for the command. This could a a user-specific chroot via the -R option, a runchroot Defaults value, or a per-command CHROOT spec in the sudoers rule.
2020-09-09 15:26:44 -06:00
sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
"def_noexec -> %s", def_noexec ? "true" : "false");
}
Add "intercept" Defaults setting to allow interception of sub-commands. This causes "intercept" to be set to true in command_info[] which the sudo front-end will use to determine whether or not to intercept attempts to run further commands, such as from a shell. Also add "log_children" which will use the same mechanism but only log (audit) further commands.
2021-08-09 15:50:25 -06:00
if (cs->tags.intercept != UNSPEC) {
def_intercept = cs->tags.intercept;
sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
"def_intercept -> %s", def_intercept ? "true" : "false");
}
Take the chroot into account when search for the command. This could a a user-specific chroot via the -R option, a runchroot Defaults value, or a per-command CHROOT spec in the sudoers rule.
2020-09-09 15:26:44 -06:00
if (cs->tags.setenv != UNSPEC) {
Simplify the nss interface such that each sudoers provider fills in a per-nss list of userspecs and defaults instead of using separate lookup and list functions. This makes it possible to have a single implementation of the code for sudoers lookup and listing.
2018-05-14 09:05:03 -06:00
def_setenv = cs->tags.setenv;
Take the chroot into account when search for the command. This could a a user-specific chroot via the -R option, a runchroot Defaults value, or a per-command CHROOT spec in the sudoers rule.
2020-09-09 15:26:44 -06:00
sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
"def_setenv -> %s", def_setenv ? "true" : "false");
}
if (cs->tags.log_input != UNSPEC) {
Simplify the nss interface such that each sudoers provider fills in a per-nss list of userspecs and defaults instead of using separate lookup and list functions. This makes it possible to have a single implementation of the code for sudoers lookup and listing.
2018-05-14 09:05:03 -06:00
def_log_input = cs->tags.log_input;
Make struct sudoers_context private to sudoers.c. We now pass a pointer to the context where necessary. There are a few cases where we need to request the context from sudoers via sudoers_get_context() for the plugin API functions. If the plugin API was able to pass around a closure pointer this would not be necessary.
2023-08-21 09:21:49 -06:00
cb_log_input(ctx, NULL, 0, 0, NULL, cs->tags.log_input);
Take the chroot into account when search for the command. This could a a user-specific chroot via the -R option, a runchroot Defaults value, or a per-command CHROOT spec in the sudoers rule.
2020-09-09 15:26:44 -06:00
sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
"def_log_input -> %s", def_log_input ? "true" : "false");
}
if (cs->tags.log_output != UNSPEC) {
Simplify the nss interface such that each sudoers provider fills in a per-nss list of userspecs and defaults instead of using separate lookup and list functions. This makes it possible to have a single implementation of the code for sudoers lookup and listing.
2018-05-14 09:05:03 -06:00
def_log_output = cs->tags.log_output;
Make struct sudoers_context private to sudoers.c. We now pass a pointer to the context where necessary. There are a few cases where we need to request the context from sudoers via sudoers_get_context() for the plugin API functions. If the plugin API was able to pass around a closure pointer this would not be necessary.
2023-08-21 09:21:49 -06:00
cb_log_output(ctx, NULL, 0, 0, NULL, cs->tags.log_output);
Take the chroot into account when search for the command. This could a a user-specific chroot via the -R option, a runchroot Defaults value, or a per-command CHROOT spec in the sudoers rule.
2020-09-09 15:26:44 -06:00
sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
"def_log_output -> %s", def_log_output ? "true" : "false");
}
Simplify the nss interface such that each sudoers provider fills in a per-nss list of userspecs and defaults instead of using separate lookup and list functions. This makes it possible to have a single implementation of the code for sudoers lookup and listing.
2018-05-14 09:05:03 -06:00
if (cs->tags.send_mail != UNSPEC) {
if (cs->tags.send_mail) {
def_mail_all_cmnds = true;
Take the chroot into account when search for the command. This could a a user-specific chroot via the -R option, a runchroot Defaults value, or a per-command CHROOT spec in the sudoers rule.
2020-09-09 15:26:44 -06:00
sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
"def_mail_all_cmnds -> true");
Simplify the nss interface such that each sudoers provider fills in a per-nss list of userspecs and defaults instead of using separate lookup and list functions. This makes it possible to have a single implementation of the code for sudoers lookup and listing.
2018-05-14 09:05:03 -06:00
} else {
def_mail_all_cmnds = false;
def_mail_always = false;
def_mail_no_perms = false;
Take the chroot into account when search for the command. This could a a user-specific chroot via the -R option, a runchroot Defaults value, or a per-command CHROOT spec in the sudoers rule.
2020-09-09 15:26:44 -06:00
sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
"def_mail_all_cmnds -> false, def_mail_always -> false, "
"def_mail_no_perms -> false");
Simplify the nss interface such that each sudoers provider fills in a per-nss list of userspecs and defaults instead of using separate lookup and list functions. This makes it possible to have a single implementation of the code for sudoers lookup and listing.
2018-05-14 09:05:03 -06:00
}
}
Take the chroot into account when search for the command. This could a a user-specific chroot via the -R option, a runchroot Defaults value, or a per-command CHROOT spec in the sudoers rule.
2020-09-09 15:26:44 -06:00
if (cs->tags.follow != UNSPEC) {
Simplify the nss interface such that each sudoers provider fills in a per-nss list of userspecs and defaults instead of using separate lookup and list functions. This makes it possible to have a single implementation of the code for sudoers lookup and listing.
2018-05-14 09:05:03 -06:00
def_sudoedit_follow = cs->tags.follow;
Take the chroot into account when search for the command. This could a a user-specific chroot via the -R option, a runchroot Defaults value, or a per-command CHROOT spec in the sudoers rule.
2020-09-09 15:26:44 -06:00
sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
"def_sudoedit_follow -> %s", def_sudoedit_follow ? "true" : "false");
}
Simplify the nss interface such that each sudoers provider fills in a per-nss list of userspecs and defaults instead of using separate lookup and list functions. This makes it possible to have a single implementation of the code for sudoers lookup and listing.
2018-05-14 09:05:03 -06:00
}
debug_return_bool(true);
}
/*
Fix a typo.
2019-05-22 08:58:51 -06:00
* Look up the user in the sudoers parse tree and check to see if they are
Simplify the nss interface such that each sudoers provider fills in a per-nss list of userspecs and defaults instead of using separate lookup and list functions. This makes it possible to have a single implementation of the code for sudoers lookup and listing.
2018-05-14 09:05:03 -06:00
* allowed to run the specified command on this host as the target user.
*/
sudoers plugin: make more bit flags unsigned.
2023-07-10 11:06:23 -06:00
unsigned int
Make struct sudoers_context private to sudoers.c. We now pass a pointer to the context where necessary. There are a few cases where we need to request the context from sudoers via sudoers_get_context() for the plugin API functions. If the plugin API was able to pass around a closure pointer this would not be necessary.
2023-08-21 09:21:49 -06:00
sudoers_lookup(struct sudo_nss_list *snl, struct sudoers_context *ctx,
time_t now, sudoers_lookup_callback_fn_t callback, void *cb_data,
int *cmnd_status, int pwflag)
Simplify the nss interface such that each sudoers provider fills in a per-nss list of userspecs and defaults instead of using separate lookup and list functions. This makes it possible to have a single implementation of the code for sudoers lookup and listing.
2018-05-14 09:05:03 -06:00
{
struct defaults_list *defs = NULL;
o Move userspecs, defaults and aliases into a new struct sudoers_parse_tree. o The parse tree is now passed to the alias, match and defaults functions. o The nss API has been changed so that the nss parse() function returns a pointer to a struct sudoers_parse_tree which will be filled in by the getdefs() and query() functions.
2018-07-26 15:12:33 -06:00
struct sudoers_parse_tree *parse_tree = NULL;
Simplify the nss interface such that each sudoers provider fills in a per-nss list of userspecs and defaults instead of using separate lookup and list functions. This makes it possible to have a single implementation of the code for sudoers lookup and listing.
2018-05-14 09:05:03 -06:00
struct cmndspec *cs = NULL;
struct sudo_nss *nss;
Pass a struct to the match functions to track the resolved command. This makes it possible to update user_cmnd and cmnd_status modified by per-rule CHROOT settings.
2020-09-09 15:26:45 -06:00
struct cmnd_info info;
sudoers plugin: make more bit flags unsigned.
2023-07-10 11:06:23 -06:00
unsigned int validated = FLAG_NO_USER | FLAG_NO_HOST;
Simplify the nss interface such that each sudoers provider fills in a per-nss list of userspecs and defaults instead of using separate lookup and list functions. This makes it possible to have a single implementation of the code for sudoers lookup and listing.
2018-05-14 09:05:03 -06:00
int m, match = UNSPEC;
debug_decl and debug_decl_vars now require a semicolon at the end.
2019-12-22 08:48:16 -07:00
debug_decl(sudoers_lookup, SUDOERS_DEBUG_PARSER);
Simplify the nss interface such that each sudoers provider fills in a per-nss list of userspecs and defaults instead of using separate lookup and list functions. This makes it possible to have a single implementation of the code for sudoers lookup and listing.
2018-05-14 09:05:03 -06:00
/*
* Special case checking the "validate", "list" and "kill" pseudo-commands.
*/
Use a single callback for sudoers_lookup() and add a closure pointer. The single callback now receives all the match info (or UNSPEC if no match was attempted). This makes it possible to use the callback for more than just printing testsudoers output.
2023-08-07 15:06:19 -06:00
if (pwflag) {
Make struct sudoers_context private to sudoers.c. We now pass a pointer to the context where necessary. There are a few cases where we need to request the context from sudoers via sudoers_get_context() for the plugin API functions. If the plugin API was able to pass around a closure pointer this would not be necessary.
2023-08-21 09:21:49 -06:00
debug_return_uint(sudoers_lookup_pseudo(snl, ctx, now, callback,
Use a single callback for sudoers_lookup() and add a closure pointer. The single callback now receives all the match info (or UNSPEC if no match was attempted). This makes it possible to use the callback for more than just printing testsudoers output.
2023-08-07 15:06:19 -06:00
cb_data, pwflag));
}
Simplify the nss interface such that each sudoers provider fills in a per-nss list of userspecs and defaults instead of using separate lookup and list functions. This makes it possible to have a single implementation of the code for sudoers lookup and listing.
2018-05-14 09:05:03 -06:00
/* Need to be runas user while stat'ing things. */
Make struct sudoers_context private to sudoers.c. We now pass a pointer to the context where necessary. There are a few cases where we need to request the context from sudoers via sudoers_get_context() for the plugin API functions. If the plugin API was able to pass around a closure pointer this would not be necessary.
2023-08-21 09:21:49 -06:00
if (!set_perms(ctx, PERM_RUNAS))
sudoers plugin: make more bit flags unsigned.
2023-07-10 11:06:23 -06:00
debug_return_uint(validated);
Simplify the nss interface such that each sudoers provider fills in a per-nss list of userspecs and defaults instead of using separate lookup and list functions. This makes it possible to have a single implementation of the code for sudoers lookup and listing.
2018-05-14 09:05:03 -06:00
/* Query each sudoers source and check the user. */
TAILQ_FOREACH(nss, snl, entries) {
Make struct sudoers_context private to sudoers.c. We now pass a pointer to the context where necessary. There are a few cases where we need to request the context from sudoers via sudoers_get_context() for the plugin API functions. If the plugin API was able to pass around a closure pointer this would not be necessary.
2023-08-21 09:21:49 -06:00
if (nss->query(ctx, nss, ctx->user.pw) == -1) {
Simplify the nss interface such that each sudoers provider fills in a per-nss list of userspecs and defaults instead of using separate lookup and list functions. This makes it possible to have a single implementation of the code for sudoers lookup and listing.
2018-05-14 09:05:03 -06:00
/* The query function should have printed an error message. */
SET(validated, VALIDATE_ERROR);
break;
}
Make struct sudoers_context private to sudoers.c. We now pass a pointer to the context where necessary. There are a few cases where we need to request the context from sudoers via sudoers_get_context() for the plugin API functions. If the plugin API was able to pass around a closure pointer this would not be necessary.
2023-08-21 09:21:49 -06:00
m = sudoers_lookup_check(nss, ctx, &validated, &info, now, callback,
Use a single callback for sudoers_lookup() and add a closure pointer. The single callback now receives all the match info (or UNSPEC if no match was attempted). This makes it possible to use the callback for more than just printing testsudoers output.
2023-08-07 15:06:19 -06:00
cb_data, &cs, &defs);
Try to make sudo less vulnerable to ROWHAMMER attacks. We now use ROWHAMMER-resistent values for ALLOW, DENY, AUTH_SUCCESS, AUTH_FAILURE, AUTH_ERROR and AUTH_NONINTERACTIVE. In addition, we explicitly test for expected values instead of using a negated test against an error value. In the parser match functions this means explicitly checking for ALLOW or DENY instead of accepting anything that is not set to UNSPEC. Thanks to Andrew J. Adiletta, M. Caner Tol, Yarkin Doroz, and Berk Sunar, all affiliated with the Vernam Applied Cryptography and Cybersecurity Lab at Worcester Polytechnic Institute, for the report. Paper preprint: https://arxiv.org/abs/2309.02545
2023-09-09 14:07:04 -06:00
if (SPECIFIED(m)) {
Simplify the nss interface such that each sudoers provider fills in a per-nss list of userspecs and defaults instead of using separate lookup and list functions. This makes it possible to have a single implementation of the code for sudoers lookup and listing.
2018-05-14 09:05:03 -06:00
match = m;
o Move userspecs, defaults and aliases into a new struct sudoers_parse_tree. o The parse tree is now passed to the alias, match and defaults functions. o The nss API has been changed so that the nss parse() function returns a pointer to a struct sudoers_parse_tree which will be filled in by the getdefs() and query() functions.
2018-07-26 15:12:33 -06:00
parse_tree = nss->parse_tree;
}
Simplify the nss interface such that each sudoers provider fills in a per-nss list of userspecs and defaults instead of using separate lookup and list functions. This makes it possible to have a single implementation of the code for sudoers lookup and listing.
2018-05-14 09:05:03 -06:00
if (!sudo_nss_can_continue(nss, m))
break;
}
Try to make sudo less vulnerable to ROWHAMMER attacks. We now use ROWHAMMER-resistent values for ALLOW, DENY, AUTH_SUCCESS, AUTH_FAILURE, AUTH_ERROR and AUTH_NONINTERACTIVE. In addition, we explicitly test for expected values instead of using a negated test against an error value. In the parser match functions this means explicitly checking for ALLOW or DENY instead of accepting anything that is not set to UNSPEC. Thanks to Andrew J. Adiletta, M. Caner Tol, Yarkin Doroz, and Berk Sunar, all affiliated with the Vernam Applied Cryptography and Cybersecurity Lab at Worcester Polytechnic Institute, for the report. Paper preprint: https://arxiv.org/abs/2309.02545
2023-09-09 14:07:04 -06:00
if (SPECIFIED(match)) {
Pass a struct to the match functions to track the resolved command. This makes it possible to update user_cmnd and cmnd_status modified by per-rule CHROOT settings.
2020-09-09 15:26:45 -06:00
if (info.cmnd_path != NULL) {
Expand the user_* (and more) macros to user_ctx.foo.
2023-08-12 10:39:59 -06:00
/* Update cmnd, cmnd_stat, cmnd_status from matching entry. */
Make struct sudoers_context private to sudoers.c. We now pass a pointer to the context where necessary. There are a few cases where we need to request the context from sudoers via sudoers_get_context() for the plugin API functions. If the plugin API was able to pass around a closure pointer this would not be necessary.
2023-08-21 09:21:49 -06:00
free(ctx->user.cmnd);
ctx->user.cmnd = info.cmnd_path;
if (ctx->user.cmnd_stat != NULL)
*ctx->user.cmnd_stat = info.cmnd_stat;
Pass a struct to the match functions to track the resolved command. This makes it possible to update user_cmnd and cmnd_status modified by per-rule CHROOT settings.
2020-09-09 15:26:45 -06:00
*cmnd_status = info.status;
}
o Move userspecs, defaults and aliases into a new struct sudoers_parse_tree. o The parse tree is now passed to the alias, match and defaults functions. o The nss API has been changed so that the nss parse() function returns a pointer to a struct sudoers_parse_tree which will be filled in by the getdefs() and query() functions.
2018-07-26 15:12:33 -06:00
if (defs != NULL)
Make struct sudoers_context private to sudoers.c. We now pass a pointer to the context where necessary. There are a few cases where we need to request the context from sudoers via sudoers_get_context() for the plugin API functions. If the plugin API was able to pass around a closure pointer this would not be necessary.
2023-08-21 09:21:49 -06:00
(void)update_defaults(ctx, parse_tree, defs, SETDEF_GENERIC, false);
if (!apply_cmndspec(ctx, cs))
Simplify the nss interface such that each sudoers provider fills in a per-nss list of userspecs and defaults instead of using separate lookup and list functions. This makes it possible to have a single implementation of the code for sudoers lookup and listing.
2018-05-14 09:05:03 -06:00
SET(validated, VALIDATE_ERROR);
else if (match == ALLOW)
SET(validated, VALIDATE_SUCCESS);
else
SET(validated, VALIDATE_FAILURE);
If the user specified a uid with the -u flag and the uid exists in the passwd file, set runas_user to the name, not the uid. When comparing usernames in sudoers, if a name is really a uid (starts with '#') compare it numerically to pw_uid.
2004-03-24 23:06:34 +00:00
}
Check restore_perms() return value in all cases, pushing the return value back up the call stack.
2015-06-25 11:12:36 -06:00
if (!restore_perms())
SET(validated, VALIDATE_ERROR);
sudoers plugin: make more bit flags unsigned.
2023-07-10 11:06:23 -06:00
debug_return_uint(validated);
If the user specified a uid with the -u flag and the uid exists in the passwd file, set runas_user to the name, not the uid. When comparing usernames in sudoers, if a name is really a uid (starts with '#') compare it numerically to pw_uid.
2004-03-24 23:06:34 +00:00
}
Reference in New Issue Copy Permalink