
check sudoers owner and mode in strict mode

This commit is contained in:
Todd C. Miller
2008-11-09 20:19:19 +00:00
parent a33e988df6
commit 235dc7ad0e
2 changed files with 35 additions and 6 deletions


@@ -74,3 +74,6 @@ What's new in Sudo 1.7.0?
would exit sudo. In sudo 1.7.0 and beyond, this is treated as would exit sudo. In sudo 1.7.0 and beyond, this is treated as
an empty password. To exit sudo, the user must press ^C or ^D an empty password. To exit sudo, the user must press ^C or ^D
at the prompt. at the prompt.
* visudo will now check the sudoers file owner and mode in -c (check)
mode when the -s (strict) flag is specified.


@@ -107,7 +107,7 @@ static char *get_args __P((char *));
static char *get_editor __P((char **)); static char *get_editor __P((char **));
static char whatnow __P((void)); static char whatnow __P((void));
static int check_aliases __P((int)); static int check_aliases __P((int));
static int check_syntax __P((char *, int)); static int check_syntax __P((char *, int, int));
static int edit_sudoers __P((struct sudoersfile *, char *, char *, int)); static int edit_sudoers __P((struct sudoersfile *, char *, char *, int));
static int install_sudoers __P((struct sudoersfile *, int)); static int install_sudoers __P((struct sudoersfile *, int));
static int print_unused __P((void *, void *)); static int print_unused __P((void *, void *));
@@ -199,7 +199,7 @@ main(argc, argv)
init_defaults(); init_defaults();
if (checkonly) if (checkonly)
exit(check_syntax(sudoers_path, quiet)); exit(check_syntax(sudoers_path, quiet, strict));
/* /*
* Parse the existing sudoers file(s) in quiet mode to highlight any * Parse the existing sudoers file(s) in quiet mode to highlight any
@@ -675,10 +675,13 @@ run_command(path, argv)
} }
static int static int
check_syntax(sudoers_path, quiet) check_syntax(sudoers_path, quiet, strict)
char *sudoers_path; char *sudoers_path;
int quiet; int quiet;
int strict;
{ {
struct stat sb;
int error;
if ((yyin = fopen(sudoers_path, "r")) == NULL) { if ((yyin = fopen(sudoers_path, "r")) == NULL) {
if (!quiet) if (!quiet)
@@ -691,15 +694,38 @@ check_syntax(sudoers_path, quiet)
warningx("failed to parse %s file, unknown error", sudoers_path); warningx("failed to parse %s file, unknown error", sudoers_path);
parse_error = TRUE; parse_error = TRUE;
} }
if (!quiet){ error = parse_error;
if (!quiet) {
if (parse_error) if (parse_error)
(void) printf("parse error in %s near line %d\n", sudoers_path, (void) printf("parse error in %s near line %d\n", sudoers_path,
errorlineno); errorlineno);
else else
(void) printf("%s file parsed OK\n", sudoers_path); (void) printf("%s: parsed OK\n", sudoers_path);
}
/* Check mode and owner in strict mode. */
#ifdef HAVE_FSTAT
if (strict && fstat(fileno(yyin), &sb) == 0)
#else
if (strict && stat(sudoers_path, &sb) == 0)
#endif
{
if (sb.st_uid != SUDOERS_UID || sb.st_gid != SUDOERS_GID) {
error = TRUE;
if (!quiet) {
fprintf(stderr, "%s: wrong owner (uid, gid) should be (%d, %d)\n",
sudoers_path, SUDOERS_UID, SUDOERS_GID);
}
}
if ((sb.st_mode & 07777) != SUDOERS_MODE) {
error = TRUE;
if (!quiet) {
fprintf(stderr, "%s: bad permissions, should be mode 0%o\n",
sudoers_path, SUDOERS_MODE);
}
}
} }
return(parse_error == TRUE); return(error);
} }
/* /*