mir/sudo
2
0
Fork 0
mirror of https://github.com/sudo-project/sudo.git synced 2025-08-29 13:28:10 +00:00
Code Issues Releases Wiki Activity

First cut at nsswitch.conf support.

Browse Source 
Further reorganizaton and related changes are forthcoming.
This commit is contained in:
Todd C. Miller 2007-12-28 16:20:45 +00:00
parent f8c52dc928
commit 7f323157a2
6 changed files with 70 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
Makefile.in
View File

@ -104,9 +104,9 @@ SRCS = alias.c alloc.c check.c closefrom.c def_data.c defaults.c env.c \
getspwuid.c gettime.c glob.c goodpath.c gram.c gram.y interfaces.c \ getspwuid.c gettime.c glob.c goodpath.c gram.c gram.y interfaces.c \
lbuf.c ldap.c list.c logging.c match.c mkstemp.c memrchr.c parse.c \ lbuf.c ldap.c list.c logging.c match.c mkstemp.c memrchr.c parse.c \
pwutil.c set_perms.c sigaction.c snprintf.c strcasecmp.c strerror.c \ pwutil.c set_perms.c sigaction.c snprintf.c strcasecmp.c strerror.c \
strlcat.c strlcpy.c sudo.c sudo_noexec.c sudo_edit.c testsudoers.c \ strlcat.c strlcpy.c sudo.c sudo_noexec.c sudo_edit.c sudo_nss.c \
tgetpass.c toke.c toke.l tsgetgrpw.c utimes.c visudo.c zero_bytes.c \ testsudoers.c tgetpass.c toke.c toke.l tsgetgrpw.c utimes.c visudo.c \
redblack.c $(AUTH_SRCS) zero_bytes.c redblack.c $(AUTH_SRCS)
AUTH_SRCS = auth/afs.c auth/aix_auth.c auth/bsdauth.c auth/dce.c auth/fwtk.c \ AUTH_SRCS = auth/afs.c auth/aix_auth.c auth/bsdauth.c auth/dce.c auth/fwtk.c \
auth/kerb4.c auth/kerb5.c auth/pam.c auth/passwd.c auth/rfc1938.c \ auth/kerb4.c auth/kerb5.c auth/pam.c auth/passwd.c auth/rfc1938.c \
@ -127,7 +127,7 @@ COMMON_OBJS = gram.o alias.o alloc.o defaults.o error.o list.o match.o \
SUDO_OBJS = $(COMMON_OBJS) $(AUTH_OBJS) @SUDO_OBJS@ check.o env.o \ SUDO_OBJS = $(COMMON_OBJS) $(AUTH_OBJS) @SUDO_OBJS@ check.o env.o \
getspwuid.o gettime.o goodpath.o fileops.o find_path.o \ getspwuid.o gettime.o goodpath.o fileops.o find_path.o \
interfaces.o lbuf.o logging.o parse.o pwutil.o set_perms.o \ interfaces.o lbuf.o logging.o parse.o pwutil.o set_perms.o \
sudo.o sudo_edit.o tgetpass.o sudo.o sudo_edit.o sudo_nss.o tgetpass.o
VISUDO_OBJS = $(COMMON_OBJS) visudo.o fileops.o gettime.o goodpath.o \ VISUDO_OBJS = $(COMMON_OBJS) visudo.o fileops.o gettime.o goodpath.o \
find_path.o pwutil.o find_path.o pwutil.o
@ -265,8 +265,6 @@ memrchr.o: $(srcdir)/memrchr.c $(SUDODEP)
$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/memrchr.c $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/memrchr.c
mkstemp.o: $(srcdir)/mkstemp.c $(SUDODEP) mkstemp.o: $(srcdir)/mkstemp.c $(SUDODEP)
$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/mkstemp.c $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/mkstemp.c
mon_solaris.o: $(srcdir)/mon_solaris.c $(SUDODEP) $(srcdir)/mon_solaris.h
$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/mon_solaris.c
parse.o: $(srcdir)/parse.c $(SUDODEP) $(srcdir)/parse.h $(srcdir)/list.h $(devdir)/gram.h parse.o: $(srcdir)/parse.c $(SUDODEP) $(srcdir)/parse.h $(srcdir)/list.h $(devdir)/gram.h
$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/parse.c $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/parse.c
pwutil.o: $(srcdir)/pwutil.c $(SUDODEP) pwutil.o: $(srcdir)/pwutil.c $(SUDODEP)
@ -293,6 +291,8 @@ sudo_edit.o: $(srcdir)/sudo_edit.c $(SUDODEP)
$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/sudo_edit.c $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/sudo_edit.c
sudo_noexec.o: $(srcdir)/sudo_noexec.c $(srcdir)/compat.h config.h sudo_noexec.o: $(srcdir)/sudo_noexec.c $(srcdir)/compat.h config.h
$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/sudo_noexec.c $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/sudo_noexec.c
sudo_nss.o: $(srcdir)/sudo_nss.c $(SUDODEP)
$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/sudo_nss.c
testsudoers.o: $(srcdir)/testsudoers.c $(SUDODEP) $(srcdir)/parse.h $(srcdir)/list.h $(srcdir)/interfaces.h $(devdir)/gram.h testsudoers.o: $(srcdir)/testsudoers.c $(SUDODEP) $(srcdir)/parse.h $(srcdir)/list.h $(srcdir)/interfaces.h $(devdir)/gram.h
$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/testsudoers.c $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/testsudoers.c
tgetpass.o: $(srcdir)/tgetpass.c $(SUDODEP) tgetpass.o: $(srcdir)/tgetpass.c $(SUDODEP)

16
README.LDAP
View File

@ -366,8 +366,16 @@ seem. If you desperately want this to be changed, contact Aaron Spangler
Configure your /etc/nsswitch.conf Configure your /etc/nsswitch.conf
================================= =================================
At the time of this writing, sudo does not consult nsswitch.conf for the Starting with version 1.7, sudo consults nsswitch.conf for the search order.
search order. But if it did, it would look like this: The following sources are recognized.
This might be implemented in the future. For now just skip this step. files read sudoers from a file (usually /etc/sudoers)
ldap read sudoers from LDAP
compat behave as if no nsswitch.conf was present
sudoers: files ldap I addition, the entry "[NOTFOUND=return]" will short-circuit the
search if the user was not found in the preceding source.
If /etc/nsswitch.conf is not present or there is no sudoers line,
the following default is assumed:
sudoers: ldap files

3
ldap.c
View File

@ -1304,6 +1304,9 @@ sudo_ldap_check(v, pwflag)
int ldap_user_matches = FALSE, ldap_host_matches = FALSE; /* flags */ int ldap_user_matches = FALSE, ldap_host_matches = FALSE; /* flags */
struct passwd *pw = list_pw ? list_pw : sudo_user.pw; struct passwd *pw = list_pw ? list_pw : sudo_user.pw;
if (ld == NULL)
return(0); /* XXX - if only LDAP and we return 0, it will misbehasve */
if (pwflag) { if (pwflag) {
int doauth = UNSPEC; int doauth = UNSPEC;
enum def_tupple pwcheck = enum def_tupple pwcheck =

4
pathnames.h.in
View File

@ -115,3 +115,7 @@
#ifndef _PATH_LDAP_SECRET #ifndef _PATH_LDAP_SECRET
#define _PATH_LDAP_SECRET "/etc/ldap.secret" #define _PATH_LDAP_SECRET "/etc/ldap.secret"
#endif /* _PATH_LDAP_SECRET */ #endif /* _PATH_LDAP_SECRET */
#ifndef _PATH_NSSWITCH_CONF
#define _PATH_NSSWITCH_CONF "/etc/nsswitch.conf"
#endif /* _PATH_NSSWITCH_CONF */

49
sudo.c
View File

@ -165,6 +165,7 @@ main(argc, argv, envp)
extern char *malloc_options; extern char *malloc_options;
malloc_options = "AFGJPR"; malloc_options = "AFGJPR";
#endif #endif
const unsigned char *nss, *nss_base;
#ifdef HAVE_SETLOCALE #ifdef HAVE_SETLOCALE
setlocale(LC_ALL, ""); setlocale(LC_ALL, "");
@ -265,19 +266,33 @@ main(argc, argv, envp)
init_vars(sudo_mode, envp); /* XXX - move this later? */ init_vars(sudo_mode, envp); /* XXX - move this later? */
/* Parse nsswitch.conf for sudoers order. */
nss_base = read_nss(_PATH_NSSWITCH_CONF);
if (*nss_base == SUDO_NSS_LAST)
log_error(0, "No valid sudoers sources in nsswitch.conf");
/* Set global defaults */
/* XXX - error out early if no sources can be opened */
for (nss = nss_base; *nss != SUDO_NSS_LAST; nss++) {
#ifdef HAVE_LDAP #ifdef HAVE_LDAP
/* LDAP defaults must come first due to def_ignore_local_sudoers */
if (ldap_conn == NULL && ISSET(*nss, SUDO_NSS_LDAP)) {
if ((ldap_conn = sudo_ldap_open()) != NULL) if ((ldap_conn = sudo_ldap_open()) != NULL)
sudo_ldap_update_defaults(ldap_conn); sudo_ldap_update_defaults(ldap_conn);
/* XXX - was: break; */
if (!def_ignore_local_sudoers) } else
#endif #endif
{ if (ISSET(*nss, SUDO_NSS_FILES)) {
/* Parse sudoers and set any defaults listed in it. */ if (def_ignore_local_sudoers)
continue;
/* Parse sudoers and upate defaults from it. */
if (parse_sudoers(_PATH_SUDOERS) || parse_error) if (parse_sudoers(_PATH_SUDOERS) || parse_error)
log_error(0, "parse error in %s near line %d", errorfile, errorlineno); log_error(0, "parse error in %s near line %d", errorfile,
errorlineno);
if (!update_defaults(SKIP_CMND)) if (!update_defaults(SKIP_CMND))
log_error(NO_STDERR|NO_EXIT, "problem with defaults entries"); log_error(NO_STDERR|NO_EXIT, "problem with defaults entries");
} }
}
/* XXX - collect post-sudoers parse settings into a function */ /* XXX - collect post-sudoers parse settings into a function */
@ -325,13 +340,27 @@ main(argc, argv, envp)
cmnd_status = set_cmnd(sudo_mode); cmnd_status = set_cmnd(sudo_mode);
for (nss = nss_base; *nss != SUDO_NSS_LAST; nss++) {
if (ISSET(*nss, SUDO_NSS_FILES)) {
if (def_ignore_local_sudoers)
continue;
rc = sudoers_lookup(pwflag);
}
#ifdef HAVE_LDAP #ifdef HAVE_LDAP
if (ldap_conn != NULL) else if (ISSET(*nss, SUDO_NSS_LDAP))
validated = sudo_ldap_check(ldap_conn, pwflag); rc = sudo_ldap_check(ldap_conn, pwflag);
/* Fallback to sudoers if we are allowed to and we aren't validated. */
if (!def_ignore_local_sudoers && !ISSET(validated, VALIDATE_OK))
#endif #endif
validated = sudoers_lookup(pwflag);
/* XXX - rethink this logic */
if (validated == 0 || ISSET(rc, VALIDATE_OK))
validated = rc;
else if (ISSET(rc, VALIDATE_NOT_OK) && ISSET(validated, VALIDATE_NOT_OK))
validated |= rc;
/* Handle [NOTFOUND=return] */
if (!ISSET(rc, VALIDATE_OK) && ISSET(*nss, SUDO_NSS_RETURN))
break;
}
if (safe_cmnd == NULL) if (safe_cmnd == NULL)
safe_cmnd = estrdup(user_cmnd); safe_cmnd = estrdup(user_cmnd);

1
sudo.h
View File

@ -30,6 +30,7 @@
#include "error.h" #include "error.h"
#include "defaults.h" #include "defaults.h"
#include "logging.h" #include "logging.h"
#include "sudo_nss.h"
/* /*
* Info pertaining to the invoking user. * Info pertaining to the invoking user.