1993-11-27 23:42:49 +00:00
|
|
|
/*
|
2019-04-29 07:21:51 -06:00
|
|
|
* SPDX-License-Identifier: ISC
|
|
|
|
|
*
|
2018-01-17 09:52:15 -07:00
|
|
|
* Copyright (c) 1993-1996,1998-2005, 2007-2018
|
2017-12-03 17:53:40 -07:00
|
|
|
* Todd C. Miller <Todd.Miller@sudo.ws>
|
1993-11-27 23:42:49 +00:00
|
|
|
*
|
2004-02-13 21:36:43 +00:00
|
|
|
* Permission to use, copy, modify, and distribute this software for any
|
|
|
|
|
* purpose with or without fee is hereby granted, provided that the above
|
|
|
|
|
* copyright notice and this permission notice appear in all copies.
|
1999-07-31 16:19:45 +00:00
|
|
|
*
|
2004-02-13 21:36:43 +00:00
|
|
|
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
|
|
|
|
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
|
|
|
|
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
|
|
|
|
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
|
|
|
|
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
|
|
|
|
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
|
|
|
|
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
2003-04-16 00:42:09 +00:00
|
|
|
*
|
|
|
|
|
* Sponsored in part by the Defense Advanced Research Projects
|
|
|
|
|
* Agency (DARPA) and Air Force Research Laboratory, Air Force
|
|
|
|
|
* Materiel Command, USAF, under agreement number F39502-99-1-0512.
|
1993-06-11 22:03:45 +00:00
|
|
|
*/
|
|
|
|
|
|
2018-10-26 08:39:09 -06:00
|
|
|
/*
|
|
|
|
|
* This is an open source non-commercial project. Dear PVS-Studio, please check it.
|
|
|
|
|
* PVS-Studio Static Code Analyzer for C, C++ and C#: http://www.viva64.com
|
|
|
|
|
*/
|
2018-10-21 08:46:05 -06:00
|
|
|
|
2004-11-19 18:39:14 +00:00
|
|
|
#include <config.h>
|
1994-03-12 18:36:53 +00:00
|
|
|
|
2020-05-18 06:47:04 -06:00
|
|
|
#include <sys/types.h> /* for ssize_t */
|
1993-06-11 22:03:45 +00:00
|
|
|
#include <stdio.h>
|
2015-06-19 14:29:27 -06:00
|
|
|
#include <stdlib.h>
|
2020-05-18 07:59:24 -06:00
|
|
|
#include <string.h>
|
2015-07-02 09:08:28 -06:00
|
|
|
#include <unistd.h>
|
2021-01-03 14:29:38 -07:00
|
|
|
#include <fcntl.h>
|
2018-01-17 09:52:15 -07:00
|
|
|
#include <time.h>
|
1999-07-22 12:19:11 +00:00
|
|
|
#include <errno.h>
|
1993-06-11 22:03:45 +00:00
|
|
|
#include <pwd.h>
|
1995-11-13 05:15:37 +00:00
|
|
|
#include <grp.h>
|
1994-05-29 22:35:53 +00:00
|
|
|
|
2010-03-14 19:58:47 -04:00
|
|
|
#include "sudoers.h"
|
2012-10-23 14:16:57 -04:00
|
|
|
#include "check.h"
|
1998-10-25 03:52:18 +00:00
|
|
|
|
2015-09-07 06:06:08 -06:00
|
|
|
struct getpass_closure {
|
2019-12-04 12:38:22 -07:00
|
|
|
int tstat;
|
2022-02-21 19:34:06 -07:00
|
|
|
int lectured;
|
2015-09-07 06:06:08 -06:00
|
|
|
void *cookie;
|
|
|
|
|
struct passwd *auth_pw;
|
|
|
|
|
};
|
|
|
|
|
|
2022-02-21 19:34:06 -07:00
|
|
|
static struct passwd *get_authpw(int);
|
|
|
|
|
|
2015-09-07 06:06:08 -06:00
|
|
|
/*
|
|
|
|
|
* Called when getpass is suspended so we can drop the lock.
|
|
|
|
|
*/
|
|
|
|
|
static int
|
|
|
|
|
getpass_suspend(int signo, void *vclosure)
|
|
|
|
|
{
|
|
|
|
|
struct getpass_closure *closure = vclosure;
|
|
|
|
|
|
|
|
|
|
timestamp_close(closure->cookie);
|
|
|
|
|
closure->cookie = NULL;
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Called when getpass is resumed so we can reacquire the lock.
|
|
|
|
|
*/
|
|
|
|
|
static int
|
|
|
|
|
getpass_resume(int signo, void *vclosure)
|
|
|
|
|
{
|
|
|
|
|
struct getpass_closure *closure = vclosure;
|
|
|
|
|
|
|
|
|
|
closure->cookie = timestamp_open(user_name, user_sid);
|
|
|
|
|
if (closure->cookie == NULL)
|
|
|
|
|
return -1;
|
|
|
|
|
if (!timestamp_lock(closure->cookie, closure->auth_pw))
|
|
|
|
|
return -1;
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
1994-05-28 19:13:27 +00:00
|
|
|
/*
|
2012-08-22 12:52:07 -04:00
|
|
|
* Returns true if the user successfully authenticates, false if not
|
2015-09-07 06:06:08 -06:00
|
|
|
* or -1 on fatal error.
|
1994-05-28 19:13:27 +00:00
|
|
|
*/
|
2013-04-04 10:04:22 -04:00
|
|
|
static int
|
2019-12-04 12:38:22 -07:00
|
|
|
check_user_interactive(int validated, int mode, struct getpass_closure *closure)
|
1993-06-11 22:03:45 +00:00
|
|
|
{
|
2022-02-21 19:34:06 -07:00
|
|
|
struct sudo_conv_callback callback;
|
2016-09-08 16:38:08 -06:00
|
|
|
int ret = -1;
|
2015-06-25 11:12:36 -06:00
|
|
|
char *prompt;
|
2019-12-22 08:48:16 -07:00
|
|
|
debug_decl(check_user_interactive, SUDOERS_DEBUG_AUTH);
|
2011-10-25 10:08:26 -04:00
|
|
|
|
2022-02-21 19:34:06 -07:00
|
|
|
/* Construct callback for getpass function. */
|
|
|
|
|
memset(&callback, 0, sizeof(callback));
|
|
|
|
|
callback.version = SUDO_CONV_CALLBACK_VERSION;
|
|
|
|
|
callback.closure = closure;
|
|
|
|
|
callback.on_suspend = getpass_suspend;
|
|
|
|
|
callback.on_resume = getpass_resume;
|
|
|
|
|
|
2015-09-07 06:06:08 -06:00
|
|
|
/* Open, lock and read time stamp file if we are using it. */
|
|
|
|
|
if (!ISSET(mode, MODE_IGNORE_TICKET)) {
|
|
|
|
|
/* Open time stamp file and check its status. */
|
2019-12-04 12:38:22 -07:00
|
|
|
closure->cookie = timestamp_open(user_name, user_sid);
|
2022-02-21 19:34:06 -07:00
|
|
|
if (closure->cookie != NULL) {
|
|
|
|
|
if (timestamp_lock(closure->cookie, closure->auth_pw)) {
|
|
|
|
|
closure->tstat = timestamp_status(closure->cookie,
|
|
|
|
|
closure->auth_pw);
|
|
|
|
|
}
|
|
|
|
|
callback.on_suspend = getpass_suspend;
|
|
|
|
|
callback.on_resume = getpass_resume;
|
|
|
|
|
}
|
2015-09-07 06:06:08 -06:00
|
|
|
}
|
2010-03-14 19:58:47 -04:00
|
|
|
|
2019-12-04 12:38:22 -07:00
|
|
|
switch (closure->tstat) {
|
2015-06-25 11:12:36 -06:00
|
|
|
case TS_FATAL:
|
|
|
|
|
/* Fatal error (usually setuid failure), unsafe to proceed. */
|
|
|
|
|
goto done;
|
2009-12-19 23:04:58 +00:00
|
|
|
|
2015-06-25 11:12:36 -06:00
|
|
|
case TS_CURRENT:
|
|
|
|
|
/* Time stamp file is valid and current. */
|
|
|
|
|
if (!ISSET(validated, FLAG_CHECK_USER)) {
|
2016-09-08 16:38:08 -06:00
|
|
|
ret = true;
|
2015-06-25 11:12:36 -06:00
|
|
|
break;
|
|
|
|
|
}
|
2017-09-01 09:22:31 -06:00
|
|
|
sudo_debug_printf(SUDO_DEBUG_INFO,
|
|
|
|
|
"%s: check user flag overrides time stamp", __func__);
|
2020-08-01 13:10:50 -06:00
|
|
|
FALLTHROUGH;
|
2012-10-23 14:16:57 -04:00
|
|
|
|
2015-06-25 11:12:36 -06:00
|
|
|
default:
|
2022-02-01 20:08:26 -07:00
|
|
|
if (ISSET(mode, MODE_NONINTERACTIVE) && !def_noninteractive_auth) {
|
|
|
|
|
validated |= FLAG_NO_USER_INPUT;
|
|
|
|
|
log_auth_failure(validated, 0);
|
|
|
|
|
goto done;
|
|
|
|
|
}
|
|
|
|
|
|
1999-07-22 12:19:11 +00:00
|
|
|
/* Expand any escapes in the prompt. */
|
2003-12-30 22:20:21 +00:00
|
|
|
prompt = expand_prompt(user_prompt ? user_prompt : def_passprompt,
|
2019-12-04 12:38:22 -07:00
|
|
|
closure->auth_pw->pw_name);
|
2015-06-25 11:12:36 -06:00
|
|
|
if (prompt == NULL)
|
2014-04-07 19:52:28 -06:00
|
|
|
goto done;
|
1999-07-22 12:19:11 +00:00
|
|
|
|
2022-02-21 19:34:06 -07:00
|
|
|
ret = verify_user(closure->auth_pw, prompt, validated, &callback);
|
|
|
|
|
if (ret == true && closure->lectured)
|
2015-09-07 06:06:08 -06:00
|
|
|
(void)set_lectured(); /* lecture error not fatal */
|
2015-06-17 06:49:59 -06:00
|
|
|
free(prompt);
|
2015-06-25 11:12:36 -06:00
|
|
|
break;
|
1999-07-22 12:19:11 +00:00
|
|
|
}
|
2015-06-25 11:12:36 -06:00
|
|
|
|
2013-04-04 10:04:22 -04:00
|
|
|
done:
|
2016-09-08 16:38:08 -06:00
|
|
|
debug_return_int(ret);
|
2013-04-04 10:04:22 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Returns true if the user successfully authenticates, false if not
|
|
|
|
|
* or -1 on error.
|
|
|
|
|
*/
|
|
|
|
|
int
|
|
|
|
|
check_user(int validated, int mode)
|
|
|
|
|
{
|
2019-12-04 12:38:22 -07:00
|
|
|
struct getpass_closure closure = { TS_ERROR };
|
2016-09-08 16:38:08 -06:00
|
|
|
int ret = -1;
|
2018-07-26 12:31:29 -06:00
|
|
|
bool exempt = false;
|
2019-12-22 08:48:16 -07:00
|
|
|
debug_decl(check_user, SUDOERS_DEBUG_AUTH);
|
2013-04-04 10:04:22 -04:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Init authentication system regardless of whether we need a password.
|
|
|
|
|
* Required for proper PAM session support.
|
|
|
|
|
*/
|
2019-12-04 12:38:22 -07:00
|
|
|
if ((closure.auth_pw = get_authpw(mode)) == NULL)
|
2014-04-07 19:52:28 -06:00
|
|
|
goto done;
|
2022-01-04 18:57:36 -07:00
|
|
|
if (sudo_auth_init(closure.auth_pw, mode) == -1)
|
2013-04-04 10:04:22 -04:00
|
|
|
goto done;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Don't prompt for the root passwd or if the user is exempt.
|
|
|
|
|
* If the user is not changing uid/gid, no need for a password.
|
|
|
|
|
*/
|
2014-04-07 19:52:28 -06:00
|
|
|
if (!def_authenticate || user_is_exempt()) {
|
2017-09-01 09:22:31 -06:00
|
|
|
sudo_debug_printf(SUDO_DEBUG_INFO, "%s: %s", __func__,
|
|
|
|
|
!def_authenticate ? "authentication disabled" :
|
|
|
|
|
"user exempt from authentication");
|
2018-07-26 12:31:29 -06:00
|
|
|
exempt = true;
|
2016-09-08 16:38:08 -06:00
|
|
|
ret = true;
|
2013-04-04 10:04:22 -04:00
|
|
|
goto done;
|
2014-04-07 19:52:28 -06:00
|
|
|
}
|
2013-08-26 07:04:19 -06:00
|
|
|
if (user_uid == 0 || (user_uid == runas_pw->pw_uid &&
|
|
|
|
|
(!runas_gr || user_in_group(sudo_user.pw, runas_gr->gr_name)))) {
|
2013-04-04 10:04:22 -04:00
|
|
|
#ifdef HAVE_SELINUX
|
|
|
|
|
if (user_role == NULL && user_type == NULL)
|
|
|
|
|
#endif
|
2022-05-23 13:16:10 -06:00
|
|
|
#ifdef HAVE_APPARMOR
|
|
|
|
|
if (user_apparmor_profile == NULL)
|
|
|
|
|
#endif
|
2013-04-04 10:04:22 -04:00
|
|
|
#ifdef HAVE_PRIV_SET
|
|
|
|
|
if (runas_privs == NULL && runas_limitprivs == NULL)
|
|
|
|
|
#endif
|
2014-04-07 19:52:28 -06:00
|
|
|
{
|
2017-09-01 09:22:31 -06:00
|
|
|
sudo_debug_printf(SUDO_DEBUG_INFO,
|
|
|
|
|
"%s: user running command as self", __func__);
|
2016-09-08 16:38:08 -06:00
|
|
|
ret = true;
|
2013-04-04 10:04:22 -04:00
|
|
|
goto done;
|
2014-04-07 19:52:28 -06:00
|
|
|
}
|
2013-04-04 10:04:22 -04:00
|
|
|
}
|
|
|
|
|
|
2019-12-04 12:38:22 -07:00
|
|
|
ret = check_user_interactive(validated, mode, &closure);
|
2010-03-14 19:58:47 -04:00
|
|
|
|
2011-09-27 13:18:46 -04:00
|
|
|
done:
|
2018-01-16 10:27:58 -07:00
|
|
|
if (ret == true) {
|
|
|
|
|
/* The approval function may disallow a user post-authentication. */
|
2019-12-04 12:38:22 -07:00
|
|
|
ret = sudo_auth_approval(closure.auth_pw, validated, exempt);
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Only update time stamp if user validated and was approved.
|
|
|
|
|
* Failure to update the time stamp is not a fatal error.
|
|
|
|
|
*/
|
2022-08-02 14:28:28 -06:00
|
|
|
if (ret == true && ISSET(validated, VALIDATE_SUCCESS)) {
|
|
|
|
|
if (ISSET(mode, MODE_UPDATE_TICKET) && closure.tstat != TS_ERROR)
|
2019-12-04 12:38:22 -07:00
|
|
|
(void)timestamp_update(closure.cookie, closure.auth_pw);
|
|
|
|
|
}
|
2018-01-16 10:27:58 -07:00
|
|
|
}
|
2019-12-04 12:38:22 -07:00
|
|
|
timestamp_close(closure.cookie);
|
2020-04-01 14:41:38 -06:00
|
|
|
sudo_auth_cleanup(closure.auth_pw, !ISSET(validated, VALIDATE_SUCCESS));
|
2019-12-04 12:38:22 -07:00
|
|
|
if (closure.auth_pw != NULL)
|
|
|
|
|
sudo_pw_delref(closure.auth_pw);
|
2011-09-27 13:18:46 -04:00
|
|
|
|
2016-09-08 16:38:08 -06:00
|
|
|
debug_return_int(ret);
|
1999-07-22 12:19:11 +00:00
|
|
|
}
|
1993-06-11 22:03:45 +00:00
|
|
|
|
1999-07-22 12:19:11 +00:00
|
|
|
/*
|
2012-09-27 10:21:13 -04:00
|
|
|
* Display sudo lecture (standard or custom).
|
|
|
|
|
* Returns true if the user was lectured, else false.
|
1999-07-22 12:19:11 +00:00
|
|
|
*/
|
2022-02-21 19:34:06 -07:00
|
|
|
void
|
|
|
|
|
display_lecture(struct sudo_conv_callback *callback)
|
1999-07-22 12:19:11 +00:00
|
|
|
{
|
2022-02-23 21:09:33 -07:00
|
|
|
struct getpass_closure *closure;
|
2010-03-16 07:41:41 -04:00
|
|
|
struct sudo_conv_message msg;
|
|
|
|
|
struct sudo_conv_reply repl;
|
2021-01-03 14:29:38 -07:00
|
|
|
char buf[BUFSIZ];
|
|
|
|
|
struct stat sb;
|
|
|
|
|
ssize_t nread;
|
|
|
|
|
int fd;
|
2019-12-22 08:48:16 -07:00
|
|
|
debug_decl(lecture, SUDOERS_DEBUG_AUTH);
|
1999-09-08 08:06:28 +00:00
|
|
|
|
2022-02-23 21:09:33 -07:00
|
|
|
if (callback == NULL || (closure = callback->closure) == NULL)
|
|
|
|
|
debug_return;
|
|
|
|
|
|
2022-02-21 19:34:06 -07:00
|
|
|
if (closure->lectured)
|
|
|
|
|
debug_return;
|
|
|
|
|
|
|
|
|
|
if (def_lecture == never || (def_lecture == once && already_lectured()))
|
|
|
|
|
debug_return;
|
2003-12-30 22:31:30 +00:00
|
|
|
|
2010-03-16 07:41:41 -04:00
|
|
|
memset(&msg, 0, sizeof(msg));
|
|
|
|
|
memset(&repl, 0, sizeof(repl));
|
|
|
|
|
|
2021-01-03 14:29:38 -07:00
|
|
|
if (def_lecture_file) {
|
|
|
|
|
fd = open(def_lecture_file, O_RDONLY|O_NONBLOCK);
|
|
|
|
|
if (fd != -1 && fstat(fd, &sb) == 0) {
|
|
|
|
|
if (S_ISREG(sb.st_mode)) {
|
|
|
|
|
(void) fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK);
|
|
|
|
|
while ((nread = read(fd, buf, sizeof(buf) - 1)) > 0) {
|
|
|
|
|
buf[nread] = '\0';
|
|
|
|
|
msg.msg_type = SUDO_CONV_ERROR_MSG|SUDO_CONV_PREFER_TTY;
|
|
|
|
|
msg.msg = buf;
|
|
|
|
|
sudo_conv(1, &msg, &repl, NULL);
|
|
|
|
|
}
|
2022-02-21 19:34:06 -07:00
|
|
|
if (nread == 0) {
|
|
|
|
|
close(fd);
|
|
|
|
|
goto done;
|
2021-01-03 14:29:38 -07:00
|
|
|
}
|
2022-02-21 19:34:06 -07:00
|
|
|
log_warning(SLOG_RAW_MSG,
|
|
|
|
|
N_("error reading lecture file %s"), def_lecture_file);
|
2021-01-03 14:29:38 -07:00
|
|
|
} else {
|
|
|
|
|
log_warningx(SLOG_RAW_MSG,
|
|
|
|
|
N_("ignoring lecture file %s: not a regular file"),
|
|
|
|
|
def_lecture_file);
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
log_warning(SLOG_RAW_MSG|SLOG_NO_STDERR, N_("unable to open %s"),
|
|
|
|
|
def_lecture_file);
|
2010-03-16 07:41:41 -04:00
|
|
|
}
|
2021-01-03 14:29:38 -07:00
|
|
|
if (fd != -1)
|
|
|
|
|
close(fd);
|
2004-01-05 01:12:22 +00:00
|
|
|
}
|
2021-01-03 14:29:38 -07:00
|
|
|
|
|
|
|
|
/* Default sudo lecture. */
|
|
|
|
|
msg.msg_type = SUDO_CONV_ERROR_MSG|SUDO_CONV_PREFER_TTY;
|
|
|
|
|
msg.msg = _("\n"
|
|
|
|
|
"We trust you have received the usual lecture from the local System\n"
|
|
|
|
|
"Administrator. It usually boils down to these three things:\n\n"
|
|
|
|
|
" #1) Respect the privacy of others.\n"
|
|
|
|
|
" #2) Think before you type.\n"
|
|
|
|
|
" #3) With great power comes great responsibility.\n\n");
|
|
|
|
|
sudo_conv(1, &msg, &repl, NULL);
|
2022-02-21 19:34:06 -07:00
|
|
|
|
|
|
|
|
done:
|
|
|
|
|
closure->lectured = true;
|
|
|
|
|
debug_return;
|
1999-07-22 12:19:11 +00:00
|
|
|
}
|
1993-06-11 22:03:45 +00:00
|
|
|
|
1999-07-22 12:19:11 +00:00
|
|
|
/*
|
|
|
|
|
* Checks if the user is exempt from supplying a password.
|
|
|
|
|
*/
|
2011-12-02 11:27:33 -05:00
|
|
|
bool
|
2010-04-22 18:09:53 -04:00
|
|
|
user_is_exempt(void)
|
1994-11-10 00:48:55 +00:00
|
|
|
{
|
2016-09-08 16:38:08 -06:00
|
|
|
bool ret = false;
|
2019-12-22 08:48:16 -07:00
|
|
|
debug_decl(user_is_exempt, SUDOERS_DEBUG_AUTH);
|
2011-10-22 14:40:21 -04:00
|
|
|
|
2021-08-09 15:50:26 -06:00
|
|
|
if (ISSET(sudo_mode, MODE_POLICY_INTERCEPTED)) {
|
|
|
|
|
if (!def_intercept_authenticate)
|
|
|
|
|
ret = true;
|
|
|
|
|
}
|
|
|
|
|
if (def_exempt_group) {
|
|
|
|
|
if (user_in_group(sudo_user.pw, def_exempt_group))
|
|
|
|
|
ret = true;
|
|
|
|
|
}
|
2016-09-08 16:38:08 -06:00
|
|
|
debug_return_bool(ret);
|
1994-11-10 00:48:55 +00:00
|
|
|
}
|
|
|
|
|
|
2010-08-21 08:48:35 -04:00
|
|
|
/*
|
|
|
|
|
* Get passwd entry for the user we are going to authenticate as.
|
|
|
|
|
* By default, this is the user invoking sudo. In the most common
|
|
|
|
|
* case, this matches sudo_user.pw or runas_pw.
|
|
|
|
|
*/
|
|
|
|
|
static struct passwd *
|
2014-01-29 15:19:45 -07:00
|
|
|
get_authpw(int mode)
|
2010-08-21 08:48:35 -04:00
|
|
|
{
|
2014-04-07 19:52:28 -06:00
|
|
|
struct passwd *pw = NULL;
|
2019-12-22 08:48:16 -07:00
|
|
|
debug_decl(get_authpw, SUDOERS_DEBUG_AUTH);
|
2010-08-21 08:48:35 -04:00
|
|
|
|
2014-01-29 15:19:45 -07:00
|
|
|
if (ISSET(mode, (MODE_CHECK|MODE_LIST))) {
|
|
|
|
|
/* In list mode we always prompt for the user's password. */
|
2012-06-13 16:21:45 -04:00
|
|
|
sudo_pw_addref(sudo_user.pw);
|
2010-08-21 08:48:35 -04:00
|
|
|
pw = sudo_user.pw;
|
2014-01-29 15:19:45 -07:00
|
|
|
} else {
|
|
|
|
|
if (def_rootpw) {
|
2014-05-02 20:54:01 -06:00
|
|
|
if ((pw = sudo_getpwuid(ROOT_UID)) == NULL) {
|
2021-08-19 09:44:11 -06:00
|
|
|
log_warningx(SLOG_SEND_MAIL, N_("unknown uid %u"), ROOT_UID);
|
2014-05-02 20:54:01 -06:00
|
|
|
}
|
2014-01-29 15:19:45 -07:00
|
|
|
} else if (def_runaspw) {
|
2014-05-02 20:54:01 -06:00
|
|
|
if ((pw = sudo_getpwnam(def_runas_default)) == NULL) {
|
|
|
|
|
log_warningx(SLOG_SEND_MAIL,
|
2021-08-19 09:44:11 -06:00
|
|
|
N_("unknown user %s"), def_runas_default);
|
2014-05-02 20:54:01 -06:00
|
|
|
}
|
2014-01-29 15:19:45 -07:00
|
|
|
} else if (def_targetpw) {
|
2014-04-07 19:52:28 -06:00
|
|
|
if (runas_pw->pw_name == NULL) {
|
|
|
|
|
/* This should never be NULL as we fake up the passwd struct */
|
2021-08-19 09:44:11 -06:00
|
|
|
log_warningx(SLOG_RAW_MSG, N_("unknown uid %u"),
|
2014-01-29 15:19:45 -07:00
|
|
|
(unsigned int) runas_pw->pw_uid);
|
2014-04-07 19:52:28 -06:00
|
|
|
} else {
|
|
|
|
|
sudo_pw_addref(runas_pw);
|
|
|
|
|
pw = runas_pw;
|
|
|
|
|
}
|
2014-01-29 15:19:45 -07:00
|
|
|
} else {
|
|
|
|
|
sudo_pw_addref(sudo_user.pw);
|
|
|
|
|
pw = sudo_user.pw;
|
|
|
|
|
}
|
2010-08-21 08:48:35 -04:00
|
|
|
}
|
|
|
|
|
|
2011-10-22 14:40:21 -04:00
|
|
|
debug_return_ptr(pw);
|
2010-08-21 08:48:35 -04:00
|
|
|
}
|
2019-12-09 19:29:45 -07:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Returns true if the specified shell is allowed by /etc/shells, else false.
|
|
|
|
|
*/
|
|
|
|
|
bool
|
|
|
|
|
check_user_shell(const struct passwd *pw)
|
|
|
|
|
{
|
|
|
|
|
const char *shell;
|
2019-12-22 08:48:16 -07:00
|
|
|
debug_decl(check_user_shell, SUDOERS_DEBUG_AUTH);
|
2019-12-09 19:29:45 -07:00
|
|
|
|
|
|
|
|
if (!def_runas_check_shell)
|
|
|
|
|
debug_return_bool(true);
|
|
|
|
|
|
|
|
|
|
sudo_debug_printf(SUDO_DEBUG_INFO,
|
|
|
|
|
"%s: checking /etc/shells for %s", __func__, pw->pw_shell);
|
|
|
|
|
|
|
|
|
|
setusershell();
|
|
|
|
|
while ((shell = getusershell()) != NULL) {
|
|
|
|
|
if (strcmp(shell, pw->pw_shell) == 0)
|
|
|
|
|
debug_return_bool(true);
|
|
|
|
|
}
|
|
|
|
|
endusershell();
|
|
|
|
|
|
|
|
|
|
debug_return_bool(false);
|
|
|
|
|
}
|
