From 0495afac57f5bd783dd90bfaa25733f802b0f66f Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Sat, 9 Sep 2023 14:07:07 -0600
Subject: [PATCH] Make most sudo_auth functions return AUTH_{SUCCESS,FAILURE,FATAL}.
---
plugins/sudoers/Makefile.in | 162 +++++++++++++++++--------------
plugins/sudoers/auth/sudo_auth.c | 81 +++++++++-------
plugins/sudoers/auth/sudo_auth.h | 1 +
plugins/sudoers/check.c | 31 +++---
plugins/sudoers/timestamp.h | 2 +
5 files changed, 156 insertions(+), 121 deletions(-)
diff --git a/plugins/sudoers/Makefile.in b/plugins/sudoers/Makefile.in
index e36f413dc..a5e01296b 100644
--- a/plugins/sudoers/Makefile.in
+++ b/plugins/sudoers/Makefile.in
@@ -719,20 +719,20 @@ afs.lo: $(authdir)/afs.c $(authdir)/sudo_auth.h $(devdir)/def_data.h \ $(incdir)/sudo_conf.h $(incdir)/sudo_debug.h $(incdir)/sudo_eventlog.h \ $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \ $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ - $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ - $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ - $(srcdir)/timestamp.h $(top_builddir)/config.h \ - $(top_builddir)/pathnames.h + $(srcdir)/auth/sudo_auth.h $(srcdir)/defaults.h $(srcdir)/logging.h \ + $(srcdir)/parse.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(srcdir)/timestamp.h \ + $(top_builddir)/config.h $(top_builddir)/pathnames.h $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(authdir)/afs.c afs.i: $(authdir)/afs.c $(authdir)/sudo_auth.h $(devdir)/def_data.h \ $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \ $(incdir)/sudo_conf.h $(incdir)/sudo_debug.h $(incdir)/sudo_eventlog.h \ $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \ $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ - $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ - $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ - $(srcdir)/timestamp.h $(top_builddir)/config.h \ - $(top_builddir)/pathnames.h + $(srcdir)/auth/sudo_auth.h $(srcdir)/defaults.h $(srcdir)/logging.h \ + $(srcdir)/parse.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(srcdir)/timestamp.h \ + $(top_builddir)/config.h $(top_builddir)/pathnames.h $(CC) -E -o $@ $(CPPFLAGS) $< afs.plog: afs.i rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(authdir)/afs.c --i-file $< --output-file $@ 
@@ -929,10 +929,11 @@ callbacks.lo: $(srcdir)/callbacks.c $(devdir)/def_data.h \ $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \ $(incdir)/sudo_iolog.h $(incdir)/sudo_plugin.h \ $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ - $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ - $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ - $(srcdir)/sudoers_debug.h $(srcdir)/timestamp.h \ - $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(srcdir)/auth/sudo_auth.h $(srcdir)/defaults.h \ + $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ + $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ + $(srcdir)/timestamp.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/callbacks.c callbacks.i: $(srcdir)/callbacks.c $(devdir)/def_data.h \ $(incdir)/compat/getaddrinfo.h $(incdir)/compat/stdbool.h \ @@ -941,10 +942,11 @@ callbacks.i: $(srcdir)/callbacks.c $(devdir)/def_data.h \ $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \ $(incdir)/sudo_iolog.h $(incdir)/sudo_plugin.h \ $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ - $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ - $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ - $(srcdir)/sudoers_debug.h $(srcdir)/timestamp.h \ - $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(srcdir)/auth/sudo_auth.h $(srcdir)/defaults.h \ + $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ + $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ + $(srcdir)/timestamp.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h $(CC) -E -o $@ $(CPPFLAGS) $< callbacks.plog: callbacks.i rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/callbacks.c --i-file $< --output-file $@ 
@@ -976,18 +978,20 @@ check.lo: $(srcdir)/check.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \ $(incdir)/sudo_compat.h $(incdir)/sudo_conf.h $(incdir)/sudo_debug.h \ $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ - $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ - $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ - $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h $(srcdir)/timestamp.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/auth/sudo_auth.h $(srcdir)/defaults.h $(srcdir)/logging.h \ + $(srcdir)/parse.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(srcdir)/timestamp.h \ $(top_builddir)/config.h $(top_builddir)/pathnames.h $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/check.c check.i: $(srcdir)/check.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \ $(incdir)/sudo_compat.h $(incdir)/sudo_conf.h $(incdir)/sudo_debug.h \ $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ - $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ - $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ - $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h $(srcdir)/timestamp.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/auth/sudo_auth.h $(srcdir)/defaults.h $(srcdir)/logging.h \ + $(srcdir)/parse.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(srcdir)/timestamp.h \ $(top_builddir)/config.h $(top_builddir)/pathnames.h $(CC) -E -o $@ $(CPPFLAGS) $< check.plog: check.i 
@@ -1227,14 +1231,14 @@ check_serialize_list.plog: check_serialize_list.i check_starttime.o: $(srcdir)/regress/starttime/check_starttime.c \ $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \ $(incdir)/sudo_fatal.h $(incdir)/sudo_plugin.h \ - $(incdir)/sudo_util.h $(srcdir)/timestamp.h \ - $(top_builddir)/config.h + $(incdir)/sudo_util.h $(srcdir)/auth/sudo_auth.h \ + $(srcdir)/timestamp.h $(top_builddir)/config.h $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/regress/starttime/check_starttime.c check_starttime.i: $(srcdir)/regress/starttime/check_starttime.c \ $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \ $(incdir)/sudo_fatal.h $(incdir)/sudo_plugin.h \ - $(incdir)/sudo_util.h $(srcdir)/timestamp.h \ - $(top_builddir)/config.h + $(incdir)/sudo_util.h $(srcdir)/auth/sudo_auth.h \ + $(srcdir)/timestamp.h $(top_builddir)/config.h $(CC) -E -o $@ $(CPPFLAGS) $< check_starttime.plog: check_starttime.i rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/regress/starttime/check_starttime.c --i-file $< --output-file $@ 
@@ -1473,20 +1477,20 @@ dce.lo: $(authdir)/dce.c $(authdir)/sudo_auth.h $(devdir)/def_data.h \ $(incdir)/sudo_conf.h $(incdir)/sudo_debug.h $(incdir)/sudo_eventlog.h \ $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \ $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ - $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ - $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ - $(srcdir)/timestamp.h $(top_builddir)/config.h \ - $(top_builddir)/pathnames.h + $(srcdir)/auth/sudo_auth.h $(srcdir)/defaults.h $(srcdir)/logging.h \ + $(srcdir)/parse.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(srcdir)/timestamp.h \ + $(top_builddir)/config.h $(top_builddir)/pathnames.h $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(authdir)/dce.c dce.i: $(authdir)/dce.c $(authdir)/sudo_auth.h $(devdir)/def_data.h \ $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \ $(incdir)/sudo_conf.h $(incdir)/sudo_debug.h $(incdir)/sudo_eventlog.h \ $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \ $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ - $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ - $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ - $(srcdir)/timestamp.h $(top_builddir)/config.h \ - $(top_builddir)/pathnames.h + $(srcdir)/auth/sudo_auth.h $(srcdir)/defaults.h $(srcdir)/logging.h \ + $(srcdir)/parse.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(srcdir)/timestamp.h \ + $(top_builddir)/config.h $(top_builddir)/pathnames.h $(CC) -E -o $@ $(CPPFLAGS) $< dce.plog: dce.i rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(authdir)/dce.c --i-file $< --output-file $@ 
@@ -1796,8 +1800,9 @@ fuzz_stubs.o: $(srcdir)/regress/fuzz/fuzz_stubs.c $(devdir)/def_data.h \ $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ - $(srcdir)/defaults.h $(srcdir)/interfaces.h $(srcdir)/logging.h \ - $(srcdir)/parse.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/auth/sudo_auth.h $(srcdir)/defaults.h \ + $(srcdir)/interfaces.h $(srcdir)/logging.h $(srcdir)/parse.h \ + $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ $(srcdir)/sudoers_debug.h $(srcdir)/timestamp.h \ $(top_builddir)/config.h $(top_builddir)/pathnames.h $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/regress/fuzz/fuzz_stubs.c @@ -1807,8 +1812,9 @@ fuzz_stubs.i: $(srcdir)/regress/fuzz/fuzz_stubs.c $(devdir)/def_data.h \ $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ - $(srcdir)/defaults.h $(srcdir)/interfaces.h $(srcdir)/logging.h \ - $(srcdir)/parse.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/auth/sudo_auth.h $(srcdir)/defaults.h \ + $(srcdir)/interfaces.h $(srcdir)/logging.h $(srcdir)/parse.h \ + $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ $(srcdir)/sudoers_debug.h $(srcdir)/timestamp.h \ $(top_builddir)/config.h $(top_builddir)/pathnames.h $(CC) -E -o $@ $(CPPFLAGS) $< 
@@ -2754,10 +2760,11 @@ set_perms.lo: $(srcdir)/set_perms.c $(devdir)/def_data.h \ $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ - $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ - $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ - $(srcdir)/sudoers_debug.h $(srcdir)/timestamp.h \ - $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(srcdir)/auth/sudo_auth.h $(srcdir)/defaults.h \ + $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ + $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ + $(srcdir)/timestamp.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/set_perms.c set_perms.i: $(srcdir)/set_perms.c $(devdir)/def_data.h \ $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \ @@ -2765,10 +2772,11 @@ set_perms.i: $(srcdir)/set_perms.c $(devdir)/def_data.h \ $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ - $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ - $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ - $(srcdir)/sudoers_debug.h $(srcdir)/timestamp.h \ - $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(srcdir)/auth/sudo_auth.h $(srcdir)/defaults.h \ + $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ + $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ + $(srcdir)/timestamp.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h $(CC) -E -o $@ $(CPPFLAGS) $< set_perms.plog: set_perms.i rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/set_perms.c --i-file $< --output-file $@ 
@@ -2866,10 +2874,11 @@ starttime.lo: $(srcdir)/starttime.c $(devdir)/def_data.h \ $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ - $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ - $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ - $(srcdir)/sudoers_debug.h $(srcdir)/timestamp.h \ - $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(srcdir)/auth/sudo_auth.h $(srcdir)/defaults.h \ + $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ + $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ + $(srcdir)/timestamp.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/starttime.c starttime.i: $(srcdir)/starttime.c $(devdir)/def_data.h \ $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \ @@ -2877,10 +2886,11 @@ starttime.i: $(srcdir)/starttime.c $(devdir)/def_data.h \ $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ - $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ - $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ - $(srcdir)/sudoers_debug.h $(srcdir)/timestamp.h \ - $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(srcdir)/auth/sudo_auth.h $(srcdir)/defaults.h \ + $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ + $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ + $(srcdir)/timestamp.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h $(CC) -E -o $@ $(CPPFLAGS) $< starttime.plog: starttime.i rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/starttime.c --i-file $< --output-file $@ 
@@ -2972,7 +2982,8 @@ sudo_auth.lo: $(authdir)/sudo_auth.c $(authdir)/sudo_auth.h \ $(incdir)/sudo_debug.h $(incdir)/sudo_eventlog.h \ $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \ $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \ - $(incdir)/sudo_rand.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ + $(incdir)/sudo_rand.h $(incdir)/sudo_util.h \ + $(srcdir)/auth/sudo_auth.h $(srcdir)/defaults.h \ $(srcdir)/ins_2001.h $(srcdir)/ins_classic.h \ $(srcdir)/ins_csops.h $(srcdir)/ins_goons.h \ $(srcdir)/ins_python.h $(srcdir)/insults.h $(srcdir)/logging.h \ @@ -2986,7 +2997,8 @@ sudo_auth.i: $(authdir)/sudo_auth.c $(authdir)/sudo_auth.h \ $(incdir)/sudo_debug.h $(incdir)/sudo_eventlog.h \ $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \ $(incdir)/sudo_plugin.h $(incdir)/sudo_queue.h \ - $(incdir)/sudo_rand.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ + $(incdir)/sudo_rand.h $(incdir)/sudo_util.h \ + $(srcdir)/auth/sudo_auth.h $(srcdir)/defaults.h \ $(srcdir)/ins_2001.h $(srcdir)/ins_classic.h \ $(srcdir)/ins_csops.h $(srcdir)/ins_goons.h \ $(srcdir)/ins_python.h $(srcdir)/insults.h $(srcdir)/logging.h \ @@ -3036,7 +3048,8 @@ sudoers.lo: $(srcdir)/sudoers.c $(devdir)/def_data.h \ $(incdir)/sudo_debug.h $(incdir)/sudo_eventlog.h \ $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \ $(incdir)/sudo_iolog.h $(incdir)/sudo_plugin.h \ - $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/auth/sudo_auth.h $(srcdir)/defaults.h \ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ $(srcdir)/timestamp.h $(top_builddir)/config.h \ 
@@ -3048,7 +3061,8 @@ sudoers.i: $(srcdir)/sudoers.c $(devdir)/def_data.h \ $(incdir)/sudo_debug.h $(incdir)/sudo_eventlog.h \ $(incdir)/sudo_fatal.h $(incdir)/sudo_gettext.h \ $(incdir)/sudo_iolog.h $(incdir)/sudo_plugin.h \ - $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/auth/sudo_auth.h $(srcdir)/defaults.h \ $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ $(srcdir)/timestamp.h $(top_builddir)/config.h \ @@ -3224,10 +3238,11 @@ timestamp.lo: $(srcdir)/timestamp.c $(devdir)/def_data.h \ $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ - $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ - $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ - $(srcdir)/sudoers_debug.h $(srcdir)/timestamp.h \ - $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(srcdir)/auth/sudo_auth.h $(srcdir)/defaults.h \ + $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ + $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ + $(srcdir)/timestamp.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/timestamp.c timestamp.i: $(srcdir)/timestamp.c $(devdir)/def_data.h \ $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \ 
@@ -3235,10 +3250,11 @@ timestamp.i: $(srcdir)/timestamp.c $(devdir)/def_data.h \ $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ - $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ - $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ - $(srcdir)/sudoers_debug.h $(srcdir)/timestamp.h \ - $(top_builddir)/config.h $(top_builddir)/pathnames.h + $(srcdir)/auth/sudo_auth.h $(srcdir)/defaults.h \ + $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ + $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h \ + $(srcdir)/timestamp.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h $(CC) -E -o $@ $(CPPFLAGS) $< timestamp.plog: timestamp.i rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/timestamp.c --i-file $< --output-file $@ 
@@ -3314,18 +3330,20 @@ tsdump.o: $(srcdir)/tsdump.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \ $(incdir)/sudo_compat.h $(incdir)/sudo_conf.h $(incdir)/sudo_debug.h \ $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ - $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ - $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ - $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h $(srcdir)/timestamp.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/auth/sudo_auth.h $(srcdir)/defaults.h $(srcdir)/logging.h \ + $(srcdir)/parse.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(srcdir)/timestamp.h \ $(top_builddir)/config.h $(top_builddir)/pathnames.h $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/tsdump.c tsdump.i: $(srcdir)/tsdump.c $(devdir)/def_data.h $(incdir)/compat/stdbool.h \ $(incdir)/sudo_compat.h $(incdir)/sudo_conf.h $(incdir)/sudo_debug.h \ $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ - $(incdir)/sudo_queue.h $(incdir)/sudo_util.h $(srcdir)/defaults.h \ - $(srcdir)/logging.h $(srcdir)/parse.h $(srcdir)/sudo_nss.h \ - $(srcdir)/sudoers.h $(srcdir)/sudoers_debug.h $(srcdir)/timestamp.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/auth/sudo_auth.h $(srcdir)/defaults.h $(srcdir)/logging.h \ + $(srcdir)/parse.h $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(srcdir)/timestamp.h \ $(top_builddir)/config.h $(top_builddir)/pathnames.h $(CC) -E -o $@ $(CPPFLAGS) $< tsdump.plog: tsdump.i diff --git a/plugins/sudoers/auth/sudo_auth.c b/plugins/sudoers/auth/sudo_auth.c index d1b168a8f..dbed92088 100644 --- a/plugins/sudoers/auth/sudo_auth.c +++ b/plugins/sudoers/auth/sudo_auth.c 
@@ -96,18 +96,17 @@ static bool standalone; /* * Initialize sudoers authentication method(s). - * Returns 0 on success and -1 on error. + * Returns AUTH_SUCCESS on success and AUTH_ERROR on error. */ int sudo_auth_init(const struct sudoers_context *ctx, struct passwd *pw, unsigned int mode) { sudo_auth *auth; - int status = AUTH_SUCCESS; debug_decl(sudo_auth_init, SUDOERS_DEBUG_AUTH); if (auth_switch[0].name == NULL) - debug_return_int(0); + debug_return_int(AUTH_SUCCESS); /* Initialize auth methods and unconfigure the method if necessary. */ for (auth = auth_switch; auth->name; auth++) { @@ -115,8 +114,7 @@ sudo_auth_init(const struct sudoers_context *ctx, struct passwd *pw, SET(auth->flags, FLAG_NONINTERACTIVE); if (auth->init && !IS_DISABLED(auth)) { /* Disable if it failed to init unless there was a fatal error. */ - status = (auth->init)(ctx, pw, auth); - switch (status) { + switch ((auth->init)(ctx, pw, auth)) { case AUTH_SUCCESS: break; case AUTH_FAILURE: @@ -124,7 +122,7 @@ sudo_auth_init(const struct sudoers_context *ctx, struct passwd *pw, break; default: /* Assume error msg already printed. */ - debug_return_int(-1); + debug_return_int(AUTH_ERROR); } } } @@ -144,7 +142,7 @@ sudo_auth_init(const struct sudoers_context *ctx, struct passwd *pw, log_warningx(ctx, SLOG_SEND_MAIL, N_("Invalid authentication methods compiled into sudo! " "You may not mix standalone and non-standalone authentication.")); - debug_return_int(-1); + debug_return_int(AUTH_ERROR); } if (!found) { /* Found first standalone method. */ 
@@ -172,37 +170,38 @@ sudo_auth_init(const struct sudoers_context *ctx, struct passwd *pw, } } - debug_return_int(0); + debug_return_int(AUTH_SUCCESS); } /* - * Cleanup all authentication approval methods. - * Returns true on success, false on failure and -1 on error. + * Call all authentication approval methods, if any. + * Returns AUTH_SUCCESS, AUTH_FAILURE or AUTH_ERROR. */ int sudo_auth_approval(const struct sudoers_context *ctx, struct passwd *pw, unsigned int validated, bool exempt) { + int ret = AUTH_SUCCESS; sudo_auth *auth; debug_decl(sudo_auth_approval, SUDOERS_DEBUG_AUTH); /* Call approval routines. */ for (auth = auth_switch; auth->name; auth++) { if (auth->approval && !IS_DISABLED(auth)) { - int status = (auth->approval)(ctx, pw, auth, exempt); - if (status != AUTH_SUCCESS) { + ret = (auth->approval)(ctx, pw, auth, exempt); + if (ret != AUTH_SUCCESS) { /* Assume error msg already printed. */ log_auth_failure(ctx, validated, 0); - debug_return_int(status == AUTH_FAILURE ? false : -1); + break; } } } - debug_return_int(true); + debug_return_int(ret); } /* * Cleanup all authentication methods. - * Returns 0 on success and -1 on error. + * Returns AUTH_SUCCESS on success and AUTH_ERROR on error. */ int sudo_auth_cleanup(const struct sudoers_context *ctx, struct passwd *pw, @@ -217,11 +216,11 @@ sudo_auth_cleanup(const struct sudoers_context *ctx, struct passwd *pw, int status = (auth->cleanup)(ctx, pw, auth, force); if (status != AUTH_SUCCESS) { /* Assume error msg already printed. */ - debug_return_int(-1); + debug_return_int(AUTH_ERROR); } } } - debug_return_int(0); + debug_return_int(AUTH_SUCCESS); } static void 
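Review bot: In sudo_auth_approval() the value returned by `(auth->approval)` is now handed straight back to the caller, so the new header comment "Returns AUTH_SUCCESS, AUTH_FAILURE or AUTH_ERROR" is true only if every approval method limits itself to those three values. The removed line collapsed anything other than AUTH_FAILURE to the error value; keeping that normalisation, for example `if (ret != AUTH_FAILURE) ret = AUTH_ERROR;` just before the `break;`, would make the documented contract hold by construction. check_user() in this commit does map unknown values to -1, but any other callers are not visible in this diff.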
@@ -250,17 +249,17 @@ user_interrupted(void) /* * Verify the specified user. - * Returns true if verified, false if not or -1 on error. + * Returns AUTH_SUCCESS, AUTH_FAILURE or AUTH_ERROR. */ int verify_user(const struct sudoers_context *ctx, struct passwd *pw, char *prompt, unsigned int validated, struct sudo_conv_callback *callback) { - unsigned int ntries; - int ret, status, success = AUTH_FAILURE; - sudo_auth *auth; - sigset_t mask, omask; struct sigaction sa, saved_sigtstp; + int ret = AUTH_FAILURE; + unsigned int ntries; + sigset_t mask, omask; + sudo_auth *auth; debug_decl(verify_user, SUDOERS_DEBUG_AUTH); /* Make sure we have at least one auth method. */ @@ -270,7 +269,7 @@ verify_user(const struct sudoers_context *ctx, struct passwd *pw, char *prompt, N_("There are no authentication methods compiled into sudo! " "If you want to turn off authentication, use the " "--disable-authentication configure option.")); - debug_return_int(-1); + debug_return_int(AUTH_ERROR); } /* Enable suspend during password entry. */ @@ -307,13 +306,21 @@ verify_user(const struct sudoers_context *ctx, struct passwd *pw, char *prompt, continue; num_methods++; if (auth->setup != NULL) { - status = (auth->setup)(ctx, pw, &prompt, auth); - if (status == AUTH_FAILURE) + switch ((auth->setup)(ctx, pw, &prompt, auth)) { + case AUTH_SUCCESS: + if (user_interrupted()) + goto done; /* assume error msg already printed */ + break; + case AUTH_FAILURE: SET(auth->flags, FLAG_DISABLED); - else if (status == AUTH_NONINTERACTIVE) + break; + case AUTH_NONINTERACTIVE: + /* Non-interactive mode, cannot prompt user. */ goto done; - else if (status != AUTH_SUCCESS || user_interrupted()) - goto done; /* assume error msg already printed */ + default: + ret = AUTH_ERROR; + goto done; + } } } if (num_methods == 0) { 
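Review bot: Two `goto done` paths in the new `(auth->setup)` switch in verify_user() leave `ret` untouched and appear to rely on it still holding AUTH_FAILURE: the `user_interrupted()` check under `case AUTH_SUCCESS` and `case AUTH_NONINTERACTIVE`. Now that `ret` is both the running status and the return value, assigning it explicitly before each jump (`ret = AUTH_FAILURE;`) would keep these paths fail-closed if the surrounding loop is changed later. For the AUTH_NONINTERACTIVE case the intent is worth confirming: as written, the switch after `done:` takes the AUTH_FAILURE branch, so FLAG_NO_USER_INPUT is not set the way it is when the `IS_NONINTERACTIVE(&auth_switch[0])` check assigns `ret = AUTH_NONINTERACTIVE`. If that difference is deliberate, a short comment at the `goto done` would record it. The function body starts and ends outside this hunk.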
@@ -321,13 +328,13 @@ verify_user(const struct sudoers_context *ctx, struct passwd *pw, char *prompt, N_("no authentication methods")); log_warningx(ctx, SLOG_SEND_MAIL, N_("Unable to initialize authentication methods.")); - debug_return_int(-1); + debug_return_int(AUTH_ERROR); } /* Get the password unless the auth function will do it for us */ if (!standalone) { if (IS_NONINTERACTIVE(&auth_switch[0])) { - success = AUTH_NONINTERACTIVE; + ret = AUTH_NONINTERACTIVE; goto done; } pass = auth_getpass(prompt, SUDO_CONV_PROMPT_ECHO_OFF, callback); @@ -340,15 +347,15 @@ verify_user(const struct sudoers_context *ctx, struct passwd *pw, char *prompt, if (IS_DISABLED(auth)) continue; - success = auth->status = (auth->verify)(ctx, pw, + ret = auth->status = (auth->verify)(ctx, pw, standalone ? prompt : pass, auth, callback); - if (success != AUTH_FAILURE) + if (ret != AUTH_FAILURE) break; } if (pass != NULL) freezero(pass, strlen(pass)); - if (success != AUTH_FAILURE) + if (ret != AUTH_FAILURE) goto done; } @@ -357,23 +364,23 @@ done: (void) sigaction(SIGTSTP, &saved_sigtstp, NULL); (void) sigprocmask(SIG_SETMASK, &omask, NULL); - switch (success) { + switch (ret) { case AUTH_SUCCESS: - ret = true; break; case AUTH_INTR: + ret = AUTH_FAILURE; + FALLTHROUGH; case AUTH_FAILURE: if (ntries != 0) SET(validated, FLAG_BAD_PASSWORD); log_auth_failure(ctx, validated, ntries); - ret = false; break; case AUTH_NONINTERACTIVE: SET(validated, FLAG_NO_USER_INPUT); FALLTHROUGH; default: log_auth_failure(ctx, validated, 0); - ret = -1; + ret = AUTH_ERROR; break; } diff --git a/plugins/sudoers/auth/sudo_auth.h b/plugins/sudoers/auth/sudo_auth.h index 1db4f58cd..e9a1763de 100644 --- a/plugins/sudoers/auth/sudo_auth.h +++ b/plugins/sudoers/auth/sudo_auth.h 
@@ -26,6 +26,7 @@ #define AUTH_ERROR 0x1629e037 /* 0010110001010011110000000110111 */ #define AUTH_NONINTERACTIVE 0x1fc8d3ac /* 11111110010001101001110101100 */ +struct sudoers_context; typedef struct sudo_auth { unsigned int flags; /* various flags, see below */ int status; /* status from verify routine */ diff --git a/plugins/sudoers/check.c b/plugins/sudoers/check.c index 6ee5c5d8c..9284b168b 100644 --- a/plugins/sudoers/check.c +++ b/plugins/sudoers/check.c @@ -82,8 +82,8 @@ getpass_resume(int signo, void *vclosure) } /* - * Returns true if the user successfully authenticates, false if not - * or -1 on fatal error. + * Returns AUTH_SUCCESS if the user successfully authenticates, AUTH_FAILURE + * if not or AUTH_ERROR on fatal error. */ static int check_user_interactive(unsigned int validated, unsigned int mode, @@ -91,7 +91,7 @@ check_user_interactive(unsigned int validated, unsigned int mode, { const struct sudoers_context *ctx = closure->ctx; struct sudo_conv_callback callback; - int ret = -1; + int ret = AUTH_ERROR; char *prompt; debug_decl(check_user_interactive, SUDOERS_DEBUG_AUTH); @@ -122,7 +122,7 @@ check_user_interactive(unsigned int validated, unsigned int mode, case TS_CURRENT: /* Time stamp file is valid and current. */ if (!ISSET(validated, FLAG_CHECK_USER)) { - ret = true; + ret = AUTH_SUCCESS; break; } sudo_debug_printf(SUDO_DEBUG_INFO, @@ -144,7 +144,7 @@ check_user_interactive(unsigned int validated, unsigned int mode, goto done; ret = verify_user(ctx, closure->auth_pw, prompt, validated, &callback); - if (ret == true && closure->lectured) + if (ret == AUTH_SUCCESS && closure->lectured) (void)set_lectured(ctx->user.name); /* lecture error not fatal */ free(prompt); break; @@ -163,7 +163,7 @@ check_user(struct sudoers_context *ctx, unsigned int validated, unsigned int mode) { struct getpass_closure closure = { TS_ERROR }; - int ret = -1; + int ret = AUTH_ERROR; bool exempt = false; debug_decl(check_user, SUDOERS_DEBUG_AUTH); 
@@ -183,7 +183,7 @@ check_user(struct sudoers_context *ctx, unsigned int validated, */ if ((closure.auth_pw = get_authpw(ctx, mode)) == NULL) goto done; - if (sudo_auth_init(ctx, closure.auth_pw, mode) == -1) + if (sudo_auth_init(ctx, closure.auth_pw, mode) != AUTH_SUCCESS) goto done; closure.ctx = ctx; @@ -196,7 +196,7 @@ check_user(struct sudoers_context *ctx, unsigned int validated, !def_authenticate ? "authentication disabled" : "user exempt from authentication"); exempt = true; - ret = true; + ret = AUTH_SUCCESS; goto done; } if (ctx->user.uid == 0 || (ctx->user.uid == ctx->runas.pw->pw_uid && @@ -214,7 +214,7 @@ check_user(struct sudoers_context *ctx, unsigned int validated, { sudo_debug_printf(SUDO_DEBUG_INFO, "%s: user running command as self", __func__); - ret = true; + ret = AUTH_SUCCESS; goto done; } } @@ -222,7 +222,7 @@ check_user(struct sudoers_context *ctx, unsigned int validated, ret = check_user_interactive(validated, mode, &closure); done: - if (ret == true) { + if (ret == AUTH_SUCCESS) { /* The approval function may disallow a user post-authentication. */ ret = sudo_auth_approval(ctx, closure.auth_pw, validated, exempt); @@ -230,7 +230,7 @@ done: * Only update time stamp if user validated and was approved. * Failure to update the time stamp is not a fatal error. */ - if (ret == true && ISSET(validated, VALIDATE_SUCCESS)) { + if (ret == AUTH_SUCCESS && ISSET(validated, VALIDATE_SUCCESS)) { if (ISSET(mode, MODE_UPDATE_TICKET) && closure.tstat != TS_ERROR) (void)timestamp_update(closure.cookie, closure.auth_pw); } @@ -240,7 +240,14 @@ done: if (closure.auth_pw != NULL) sudo_pw_delref(closure.auth_pw); - debug_return_int(ret); + switch (ret) { + case AUTH_SUCCESS: + debug_return_int(true); + case AUTH_FAILURE: + debug_return_int(false); + default: + debug_return_int(-1); + } } /* diff --git a/plugins/sudoers/timestamp.h b/plugins/sudoers/timestamp.h index 35bf9d4c1..43e014df1 100644 --- a/plugins/sudoers/timestamp.h +++ b/plugins/sudoers/timestamp.h 
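Review bot: check_user() still hands its callers true/false/-1, whose success and failure values differ in a single bit, because the switch added at the end of the function converts the AUTH_* result back. The AUTH_* constants in sudo_auth.h are annotated with their bit patterns (for example `#define AUTH_ERROR 0x1629e037`), which suggests they were chosen to be far apart; if that separation is meant as a hardening property, it ends at this boundary. Consider returning the AUTH_* value from check_user() and comparing against AUTH_SUCCESS in its callers. Otherwise, a comment above the switch such as `/* Callers outside the auth code still expect true/false/-1. */` would record that the conversion is deliberate. The callers are not part of this diff.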
@@ -24,6 +24,8 @@ #ifndef SUDOERS_TIMESTAMP_H #define SUDOERS_TIMESTAMP_H +#include "auth/sudo_auth.h" + /* Status codes for timestamp_status() */ #define TS_CURRENT 0 #define TS_OLD 1