Add new check_defaults() function to check (but not update) the

Defaults entries. Visudo can now use this instead of update_defaults to check all the defaults regardless instead of just the global Defaults entries.
2025-09-04 16:25:25 +00:00 · 2012-08-14 10:45:55 -04:00
parent d764db707a
commit 7aeadbd5b3
3 changed files with 64 additions and 11 deletions
--- a/plugins/sudoers/defaults.c
+++ b/plugins/sudoers/defaults.c
@@ -485,7 +485,7 @@ init_defaults(void)
 * Update the defaults based on what was set by sudoers.
 * Pass in an OR'd list of which default types to update.
 */
-int
+bool
 update_defaults(int what)
 {
    struct defaults *def;
@@ -528,6 +528,54 @@ update_defaults(int what)
    debug_return_bool(rc);
 }

+/*
+ * Check the defaults entries without actually setting them.
+ * Pass in an OR'd list of which default types to check.
+ */
+bool
+check_defaults(int what, bool quiet)
+{
+    struct sudo_defs_types *cur;
+    struct defaults *def;
+    bool rc = true;
+    debug_decl(check_defaults, SUDO_DEBUG_DEFAULTS)
+
+    tq_foreach_fwd(&defaults, def) {
+	switch (def->type) {
+	    case DEFAULTS:
+		if (!ISSET(what, SETDEF_GENERIC))
+		    continue;
+		break;
+	    case DEFAULTS_USER:
+		if (!ISSET(what, SETDEF_USER))
+		    continue;
+		break;
+	    case DEFAULTS_RUNAS:
+		if (!ISSET(what, SETDEF_RUNAS))
+		    continue;
+		break;
+	    case DEFAULTS_HOST:
+		if (!ISSET(what, SETDEF_HOST))
+		    continue;
+		break;
+	    case DEFAULTS_CMND:
+		if (!ISSET(what, SETDEF_CMND))
+		    continue;
+		break;
+	}
+	for (cur = sudo_defs_table; cur->name != NULL; cur++) {
+	    if (strcmp(def->var, cur->name) == 0)
+		break;
+	}
+	if (cur->name == NULL) {
+	    if (!quiet)
+		warningx(_("unknown defaults entry `%s'"), def->var);
+	    rc = false;
+	}
+    }
+    debug_return_bool(rc);
+}
+
 static bool
 store_int(char *val, struct sudo_defs_types *def, int op)
 {
--- a/plugins/sudoers/defaults.h
+++ b/plugins/sudoers/defaults.h
@@ -93,7 +93,7 @@ struct sudo_defs_types {
 #define T_PATH		0x200

 /*
- * Argument to update_defaults()
+ * Argument to update_defaults() and check_defaults()
 */
 #define SETDEF_GENERIC	0x01
 #define	SETDEF_HOST	0x02
@@ -107,8 +107,9 @@ struct sudo_defs_types {
 */
 void dump_default(void);
 void init_defaults(void);
-bool set_default(char *, char *, int);
-int  update_defaults(int);
+bool set_default(char *var, char *val, int op);
+bool update_defaults(int what);
+bool check_defaults(int what, bool quiet);

 extern struct sudo_defs_types sudo_defs_table[];

--- a/plugins/sudoers/visudo.c
+++ b/plugins/sudoers/visudo.c
@@ -500,10 +500,10 @@ reparse_sudoers(char *editor, char *args, bool strict, bool quiet)
 	}
 	fclose(yyin);
 	if (!parse_error) {
-	    if (!update_defaults(SETDEF_GENERIC|SETDEF_HOST|SETDEF_USER) ||
+	    if (!check_defaults(SETDEF_ALL, quiet) ||
 		check_aliases(strict, quiet) != 0) {
 		parse_error = true;
-		errorfile = sp->path;
+		errorfile = NULL;
 	    }
 	}

@@ -527,10 +527,11 @@ reparse_sudoers(char *editor, char *args, bool strict, bool quiet)
 	    tq_foreach_fwd(&sudoerslist, sp) {
 		if (errorfile == NULL || strcmp(sp->path, errorfile) == 0) {
 		    edit_sudoers(sp, editor, args, errorlineno);
+		    if (errorfile != NULL)
 			break;
 		}
 	    }
-	    if (sp == NULL) {
+	    if (errorfile != NULL && sp == NULL) {
 		errorx(1, _("internal error, unable to find %s in list!"),
 		    sudoers);
 	    }
@@ -825,9 +826,12 @@ check_syntax(char *sudoers_path, bool quiet, bool strict, bool oldperms)
 	parse_error = true;
 	errorfile = sudoers_path;
    }
-    if (!parse_error && check_aliases(strict, quiet) != 0) {
+    if (!parse_error) {
+	if (!check_defaults(SETDEF_ALL, quiet) ||
+	    check_aliases(strict, quiet) != 0) {
 	    parse_error = true;
-	errorfile = sudoers_path;
+	    errorfile = NULL;
+	}
    }
    ok = !parse_error;