Make it possible to call the sudoers policy check function multiple times.

We need to reset the Defaults values to their original state.

plugins/sudoers/sudoers.c

@@ -85,9 +85,6 @@ struct sudo_user sudo_user;
 struct passwd *list_pw;
 uid_t timestamp_uid;
 gid_t timestamp_gid;
-#ifdef HAVE_BSD_AUTH_H
-char *login_style;
-#endif /* HAVE_BSD_AUTH_H */
 bool force_umask;
 int sudo_mode;
 
@@ -96,6 +93,7 @@ static struct sudo_nss_list *snl;
 static bool unknown_runas_uid;
 static bool unknown_runas_gid;
 static int cmnd_status = -1;
+static struct defaults_list initial_defaults = TAILQ_HEAD_INITIALIZER(initial_defaults);
 
 #ifdef __linux__
 static struct rlimit nproclimit;
@@ -151,6 +149,36 @@ restore_nproc(void)
 #endif /* __linux__ */
 }
 
+static bool
+sudoers_reinit_defaults(void)
+{
+    struct sudo_nss *nss, *nss_next;
+    debug_decl(sudoers_reinit_defaults, SUDOERS_DEBUG_PLUGIN);
+
+    if (!init_defaults()) {
+	sudo_warnx("%s", U_("unable to initialize sudoers default values"));
+	debug_return_bool(false);
+    }
+
+    if (!update_defaults(NULL, &initial_defaults,
+	SETDEF_GENERIC|SETDEF_HOST|SETDEF_USER|SETDEF_RUNAS, false)) {
+	log_warningx(SLOG_SEND_MAIL|SLOG_NO_STDERR,
+	    N_("problem with defaults entries"));
+	debug_return_bool(false);
+    }
+
+    TAILQ_FOREACH_SAFE(nss, snl, entries, nss_next) {
+	if (nss->getdefs(nss) == -1 || !update_defaults(nss->parse_tree, NULL,
+	    SETDEF_GENERIC|SETDEF_HOST|SETDEF_USER|SETDEF_RUNAS, false)) {
+	    log_warningx(SLOG_SEND_MAIL|SLOG_NO_STDERR,
+		N_("problem with defaults entries"));
+	    /* not a fatal error */
+	}
+    }
+
+    debug_return_int(true);
+}
+
 int
 sudoers_init(void *info, char * const envp[])
 {
@@ -179,7 +207,7 @@ sudoers_init(void *info, char * const envp[])
     }
 
     /* Parse info from front-end. */
-    sudo_mode = sudoers_policy_deserialize_info(info);
+    sudo_mode = sudoers_policy_deserialize_info(info, &initial_defaults);
     if (ISSET(sudo_mode, MODE_ERROR))
 	debug_return_int(-1);
 
@@ -193,6 +221,14 @@ sudoers_init(void *info, char * const envp[])
     if (!set_perms(PERM_ROOT))
 	debug_return_int(-1);
 
+    /* Update defaults set by front-end. */
+    if (!update_defaults(NULL, &initial_defaults,
+	SETDEF_GENERIC|SETDEF_HOST|SETDEF_USER|SETDEF_RUNAS, false)) {
+	log_warningx(SLOG_SEND_MAIL|SLOG_NO_STDERR,
+	    N_("problem with defaults entries"));
+	debug_return_int(-1);
+    }
+
     /*
      * Open and parse sudoers, set global defaults.
      * Uses the C locale unless another is specified in sudoers.
@@ -329,13 +365,14 @@ check_user_runcwd(void)
     debug_return_bool(true);
 }
 
+static bool need_reinit;
+
 int
 sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
     bool verbose, void *closure)
 {
     char *iolog_path = NULL;
     mode_t cmnd_umask = ACCESSPERMS;
-    struct sudo_nss *nss;
     int oldlocale, validated, ret = -1;
     debug_decl(sudoers_policy_main, SUDOERS_DEBUG_PLUGIN);
 
@@ -346,6 +383,13 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
 	debug_return_int(-1);
     }
 
+    /* Re-initialize defaults if we are called multiple times. */
+    if (need_reinit) {
+	if (!sudoers_reinit_defaults())
+	    debug_return_int(-1);
+    }
+    need_reinit = true;
+
     unlimit_nproc();
 
     /* Is root even allowed to run sudo? */
@@ -740,11 +784,6 @@ bad:
     ret = false;
 
 done:
-    /* Cleanup sudoers sources */
-    TAILQ_FOREACH(nss, snl, entries) {
-	nss->close(nss);
-    }
-    snl = NULL;
     if (def_group_plugin)
 	group_plugin_unload();
     init_parser(NULL, false, false);
@@ -764,10 +803,6 @@ done:
 
     restore_nproc();
 
-    /* Destroy the password and group caches and free the contents. */
-    sudo_freepwcache();
-    sudo_freegrcache();
-
     sudo_warn_set_locale_func(NULL);
 
     debug_return_int(ret);
@@ -884,6 +919,8 @@ set_cmnd_path(const char *runchroot)
     int ret;
     debug_decl(set_cmnd_path, SUDOERS_DEBUG_PLUGIN);
 
+    free(user_cmnd);
+    user_cmnd = NULL;
     if (def_secure_path && !user_is_exempt())
 	path = def_secure_path;
     if (!set_perms(PERM_RUNAS))
@@ -917,12 +954,17 @@ set_cmnd(void)
     debug_decl(set_cmnd, SUDOERS_DEBUG_PLUGIN);
 
     /* Allocate user_stat for find_path() and match functions. */
+    free(user_stat);
     user_stat = calloc(1, sizeof(struct stat));
     if (user_stat == NULL) {
 	sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
 	debug_return_int(NOT_FOUND_ERROR);
     }
 
+    /* Re-initialize for when we are called multiple times. */
+    free(safe_cmnd);
+    safe_cmnd = NULL;
+
     if (ISSET(sudo_mode, MODE_RUN|MODE_EDIT|MODE_CHECK)) {
 	if (!ISSET(sudo_mode, MODE_EDIT)) {
 	    const char *runchroot = user_runchroot;
@@ -941,6 +983,8 @@ set_cmnd(void)
 	}
 
 	/* set user_args */
+	free(user_args);
+	user_args = NULL;
 	if (NewArgc > 1) {
 	    if (ISSET(sudo_mode, MODE_SHELL|MODE_LOGIN_SHELL) &&
 		    ISSET(sudo_mode, MODE_RUN)) {
@@ -1600,11 +1644,13 @@ set_callbacks(void)
 
 /*
  * Cleanup hook for sudo_fatal()/sudo_fatalx()
+ * Also called at policy close time.
  */
 void
 sudoers_cleanup(void)
 {
     struct sudo_nss *nss;
+    struct defaults *def;
     debug_decl(sudoers_cleanup, SUDOERS_DEBUG_PLUGIN);
 
     if (snl != NULL) {
@@ -1614,6 +1660,13 @@ sudoers_cleanup(void)
 	snl = NULL;
 	init_parser(NULL, false, false);
     }
+    while ((def = TAILQ_FIRST(&initial_defaults)) != NULL) {
+	TAILQ_REMOVE(&initial_defaults, def, entries);
+	free(def->var);
+	free(def->val);
+	free(def);
+    }
+    need_reinit = false;
     if (def_group_plugin)
 	group_plugin_unload();
     sudo_user_free();