Add explicit end-of-line matching in the parser for better error messages.

A valid line in sudoers must end in a newline or EOF. Previously, it was possible (though not documented) to have multiple user specs on a single line. Now, each must be on its own line.
2025-09-04 00:05:11 +00:00 · 2020-08-16 14:59:45 -06:00
parent d72a48dc78
commit 11803027c6
3 changed files with 468 additions and 607 deletions
--- a/plugins/sudoers/gram.c
+++ b/plugins/sudoers/gram.c
--- a/plugins/sudoers/gram.y
+++ b/plugins/sudoers/gram.y
@@ -179,7 +179,9 @@ static struct command_digest *new_digest(int, char *);
 %%
-file		:	{ ; }
+file		:	{
 			    ; /* empty file */
 			}
 		|	line
 		;
@@ -188,12 +190,9 @@ line		:	entry
 		;
 entry		:	'\n' {
-			    ;
+			    ; /* blank line */
 			}
-                |       error '\n' {
+                |       error eol {
 			    yyerrok;
 			}
                |       error END {
 			    yyerrok;
 			}
 		|	include {
@@ -210,73 +209,59 @@ entry		:	'\n' {
 			    }
 			    free($1);
 			}
-		|	userlist privileges {
+		|	userlist privileges eol {
 			    if (!add_userspec($1, $2)) {
 				sudoerserror(N_("unable to allocate memory"));
 				YYERROR;
 			    }
 			}
-		|	USERALIAS useraliases {
+		|	USERALIAS useraliases eol {
 			    ;
 			}
-		|	HOSTALIAS hostaliases {
+		|	HOSTALIAS hostaliases eol {
 			    ;
 			}
-		|	CMNDALIAS cmndaliases {
+		|	CMNDALIAS cmndaliases eol {
 			    ;
 			}
-		|	RUNASALIAS runasaliases {
+		|	RUNASALIAS runasaliases eol {
 			    ;
 			}
-		|	DEFAULTS defaults_list {
+		|	DEFAULTS defaults_list eol {
 			    if (!add_defaults(DEFAULTS, NULL, $2))
 				YYERROR;
 			}
-		|	DEFAULTS_USER userlist defaults_list {
+		|	DEFAULTS_USER userlist defaults_list eol {
 			    if (!add_defaults(DEFAULTS_USER, $2, $3))
 				YYERROR;
 			}
-		|	DEFAULTS_RUNAS userlist defaults_list {
+		|	DEFAULTS_RUNAS userlist defaults_list eol {
 			    if (!add_defaults(DEFAULTS_RUNAS, $2, $3))
 				YYERROR;
 			}
-		|	DEFAULTS_HOST hostlist defaults_list {
+		|	DEFAULTS_HOST hostlist defaults_list eol {
 			    if (!add_defaults(DEFAULTS_HOST, $2, $3))
 				YYERROR;
 			}
-		|	DEFAULTS_CMND cmndlist defaults_list {
+		|	DEFAULTS_CMND cmndlist defaults_list eol {
 			    if (!add_defaults(DEFAULTS_CMND, $2, $3))
 				YYERROR;
 			}
 		;
-include		:	INCLUDE WORD '\n' {
+include		:	INCLUDE WORD eol {
 			    $$ = $2;
 			}
-		|	INCLUDE WORD error '\n' {
+		|	INCLUDE WORD error eol {
 			    yyerrok;
 			    $$ = $2;
 			}
 		|	INCLUDE WORD END {
 			    $$ = $2;
 			}
 		|	INCLUDE WORD error END {
 			    yyerrok;
 			    $$ = $2;
 			}
 		;
-includedir	:	INCLUDEDIR WORD '\n' {
+includedir	:	INCLUDEDIR WORD eol {
 			    $$ = $2;
 			}
-		|	INCLUDEDIR WORD error '\n' {
+		|	INCLUDEDIR WORD error eol {
 			    yyerrok;
 			    $$ = $2;
 			}
 		|	INCLUDEDIR WORD END {
 			    $$ = $2;
 			}
 		|	INCLUDEDIR WORD error END {
 			    yyerrok;
 			    $$ = $2;
 			}
@@ -973,6 +958,14 @@ group		:	ALIAS {
 			}
 		;
 eol		:	'\n' {
 			    ;
 			}
 		|	END {
 			    ; /* EOF */
 			}
 		;
 %%
 void
 sudoerserror(const char *s)
--- a/plugins/sudoers/regress/sudoers/test5.toke.ok
+++ b/plugins/sudoers/regress/sudoers/test5.toke.ok
@@ -1,3 +1,3 @@
 #
 USERALIAS ALIAS = BEGINSTR ENDSTR <*> ERROR 
-BEGINSTR ENDSTR ERROR <*> ALL = ALL 
+BEGINSTR ENDSTR <*> ERROR ALL = ALL