
testsudoers: add support for NOTBEFORE and NOTAFTER

Also adds -T option to set the value of "now".
This commit is contained in:
Todd C. Miller 2023-06-29 11:13:01 -06:00
parent e7d4c05ace
commit 2c1a473ddc
4 changed files with 107 additions and 2 deletions


@ -1088,6 +1088,8 @@ plugins/sudoers/regress/testsudoers/test22.out.ok
plugins/sudoers/regress/testsudoers/test22.sh plugins/sudoers/regress/testsudoers/test22.sh
plugins/sudoers/regress/testsudoers/test23.out.ok plugins/sudoers/regress/testsudoers/test23.out.ok
plugins/sudoers/regress/testsudoers/test23.sh plugins/sudoers/regress/testsudoers/test23.sh
plugins/sudoers/regress/testsudoers/test24.out.ok
plugins/sudoers/regress/testsudoers/test24.sh
plugins/sudoers/regress/testsudoers/test3.out.ok plugins/sudoers/regress/testsudoers/test3.out.ok
plugins/sudoers/regress/testsudoers/test3.sh plugins/sudoers/regress/testsudoers/test3.sh
plugins/sudoers/regress/testsudoers/test4.out.ok plugins/sudoers/regress/testsudoers/test4.out.ok


@ -0,0 +1,40 @@
Parses OK
Entries for user root:
ALL = NOTBEFORE=20170214083000Z /bin/ls
host matched
time matched
runas matched
cmnd allowed
Command allowed
Parses OK
Entries for user root:
ALL = NOTBEFORE=20170214083001Z /bin/ls
host matched
time unmatched
Command unmatched
Parses OK
Entries for user root:
ALL = NOTAFTER=20170214083000Z /bin/ls
host matched
time matched
runas matched
cmnd allowed
Command allowed
Parses OK
Entries for user root:
ALL = NOTAFTER=20170214083000Z /bin/ls
host matched
time unmatched
Command unmatched


@ -0,0 +1,42 @@
#!/bin/sh
#
# Verify that NOTBEFORE and NOTAFTER work as expected.
#
: ${TESTSUDOERS=testsudoers}
exec 2>&1
retval=0
$TESTSUDOERS -T 20170214083000Z root /bin/ls <<'EOF'
root ALL = NOTBEFORE=20170214083000Z /bin/ls
EOF
if [ $? -ne 0 ]; then
retval=$?
fi
# expect failure
$TESTSUDOERS -T 20170214083000Z root /bin/ls <<'EOF'
root ALL = NOTBEFORE=20170214083001Z /bin/ls
EOF
if [ $? -eq 0 ]; then
retval=1
fi
$TESTSUDOERS -T 20170214083000Z root /bin/ls <<'EOF'
root ALL = NOTAFTER=20170214083000Z /bin/ls
EOF
if [ $? -ne 0 ]; then
retval=$?
fi
# expect failure
$TESTSUDOERS -T 20170214083001Z root /bin/ls <<'EOF'
root ALL = NOTAFTER=20170214083000Z /bin/ls
EOF
if [ $? -eq 0 ]; then
retval=1
fi
exit $retval
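Review bot: In the two `if [ $? -ne 0 ]; then retval=$?; fi` blocks that follow the first and third testsudoers invocations, the inner `$?` is the exit status of the `[` test, not of testsudoers, and on that branch it is always 0, so a failing NOTBEFORE/NOTAFTER run leaves retval at 0 and the script still exits successfully. Capture the status before testing it, `rc=$?` then `if [ $rc -ne 0 ]; then retval=$rc; fi`, or simply set `retval=1` as the two expect-failure branches already do. The same pattern appears in both blocks, so fix both.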


@ -1,7 +1,7 @@
/* /*
* SPDX-License-Identifier: ISC * SPDX-License-Identifier: ISC
* *
* Copyright (c) 1996, 1998-2005, 2007-2022 * Copyright (c) 1996, 1998-2005, 2007-2023
* Todd C. Miller <Todd.Miller@sudo.ws> * Todd C. Miller <Todd.Miller@sudo.ws>
* *
* Permission to use, copy, modify, and distribute this software for any * Permission to use, copy, modify, and distribute this software for any
@ -107,6 +107,7 @@ main(int argc, char *argv[])
int match, host_match, runas_match, cmnd_match; int match, host_match, runas_match, cmnd_match;
int ch, dflag, exitcode = EXIT_FAILURE; int ch, dflag, exitcode = EXIT_FAILURE;
struct sudo_lbuf lbuf; struct sudo_lbuf lbuf;
time_t now;
id_t id; id_t id;
debug_decl(main, SUDOERS_DEBUG_MAIN); debug_decl(main, SUDOERS_DEBUG_MAIN);
@ -124,6 +125,7 @@ main(int argc, char *argv[])
sudo_warn_set_locale_func(sudoers_warn_setlocale); sudo_warn_set_locale_func(sudoers_warn_setlocale);
bindtextdomain("sudoers", LOCALEDIR); /* XXX - should have own domain */ bindtextdomain("sudoers", LOCALEDIR); /* XXX - should have own domain */
textdomain("sudoers"); textdomain("sudoers");
time(&now);
/* No word wrap on output. */ /* No word wrap on output. */
sudo_lbuf_init(&lbuf, testsudoers_output, 0, NULL, 0); sudo_lbuf_init(&lbuf, testsudoers_output, 0, NULL, 0);
@ -136,7 +138,7 @@ main(int argc, char *argv[])
dflag = 0; dflag = 0;
grfile = pwfile = NULL; grfile = pwfile = NULL;
while ((ch = getopt(argc, argv, "+dg:G:h:i:P:p:tu:U:")) != -1) { while ((ch = getopt(argc, argv, "+dg:G:h:i:P:p:T:tu:U:")) != -1) {
switch (ch) { switch (ch) {
case 'd': case 'd':
dflag = 1; dflag = 1;
@ -170,6 +172,11 @@ main(int argc, char *argv[])
case 'P': case 'P':
grfile = optarg; grfile = optarg;
break; break;
case 'T':
now = parse_gentime(optarg);
if (now == -1)
sudo_fatalx("invalid time: %s", optarg);
break;
case 't': case 't':
trace_print = testsudoers_error; trace_print = testsudoers_error;
break; break;
@ -339,6 +346,20 @@ main(int argc, char *argv[])
if (host_match == ALLOW) { if (host_match == ALLOW) {
puts("\thost matched"); puts("\thost matched");
TAILQ_FOREACH_REVERSE(cs, &priv->cmndlist, cmndspec_list, entries) { TAILQ_FOREACH_REVERSE(cs, &priv->cmndlist, cmndspec_list, entries) {
if (cs->notbefore != UNSPEC) {
if (now < cs->notbefore) {
puts(U_("\ttime unmatched"));
continue;
}
puts(U_("\ttime matched"));
}
if (cs->notafter != UNSPEC) {
if (now > cs->notafter) {
puts(U_("\ttime unmatched"));
continue;
}
puts(U_("\ttime matched"));
}
runas_match = runaslist_matches(&parsed_policy, runas_match = runaslist_matches(&parsed_policy,
cs->runasuserlist, cs->runasgrouplist, NULL, NULL); cs->runasuserlist, cs->runasgrouplist, NULL, NULL);
if (runas_match == ALLOW) { if (runas_match == ALLOW) {
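Review bot: The new NOTBEFORE/NOTAFTER checks at the top of the TAILQ_FOREACH_REVERSE body print `"\ttime matched"` once per constraint, so a CmndSpec that carries both NOTBEFORE and NOTAFTER emits the line twice while every other match line in this loop appears once; the expected-output files would then depend on how many time constraints an entry has. Evaluating both bounds first and printing a single matched/unmatched line keeps the output one line per check, and the `continue` semantics (skip the rest of the CmndSpec when outside the window) are unchanged. A small related style point: these new lines use `U_()` while the neighbouring `puts("\thost matched")` does not, so the block mixes translated and untranslated strings. main() begins and ends outside this hunk.
```c
	    TAILQ_FOREACH_REVERSE(cs, &priv->cmndlist, cmndspec_list, entries) {
		if (cs->notbefore != UNSPEC || cs->notafter != UNSPEC) {
		    /* Outside the [NOTBEFORE, NOTAFTER] window: skip this CmndSpec. */
		    if ((cs->notbefore != UNSPEC && now < cs->notbefore) ||
			(cs->notafter != UNSPEC && now > cs->notafter)) {
			puts(U_("\ttime unmatched"));
			continue;
		    }
		    puts(U_("\ttime matched"));
		}
		/* … unchanged: runaslist_matches() and the rest of the loop body … */
```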