mir/sudo
2
0
Fork 0
mirror of https://github.com/sudo-project/sudo.git synced 2025-08-22 18:08:23 +00:00
Code Issues Releases Wiki Activity

Add support for AIX netsvc.conf (like nsswitch.conf).

Browse Source
This commit is contained in:
Todd C. Miller 2009-03-10 20:44:05 +00:00
parent 91f04dc3b4
commit 838cb61086
6 changed files with 172 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

65
configure vendored
View File

@ -865,6 +865,7 @@ path_info
ldap_conf ldap_conf
ldap_secret ldap_secret
nsswitch_conf nsswitch_conf
netsvc_conf
EGREPPROG EGREPPROG
CC CC
ac_ct_CC ac_ct_CC
@ -1588,6 +1589,7 @@ Optional Packages:
--with-pic try to use only PIC/non-PIC objects [default=use --with-pic try to use only PIC/non-PIC objects [default=use
both] both]
--with-noexec=PATH fully qualified pathname of sudo_noexec.so --with-noexec=PATH fully qualified pathname of sudo_noexec.so
--with-netsvc[=PATH] path to netsvc.conf
Some influential environment variables: Some influential environment variables:
CC C compiler command CC C compiler command
@ -2102,6 +2104,7 @@ echo "$as_me: Configuring Sudo version 1.7" >&6;}
timeout=5 timeout=5
@ -3598,15 +3601,6 @@ if test "${with_nsswitch+set}" = set; then
esac esac
fi fi
if test ${with_nsswitch-"yes"} != "no"; then
cat >>confdefs.h <<EOF
#define _PATH_NSSWITCH_CONF "${with_nsswitch-/etc/nsswitch.conf}"
EOF
nsswitch_conf=${with_nsswitch-/etc/nsswitch.conf}
else
nsswitch_conf='/etc/nsswitch.conf'
fi
# Check whether --with-ldap was given. # Check whether --with-ldap was given.
@ -6213,7 +6207,7 @@ ia64-*-hpux*)
;; ;;
*-*-irix6*) *-*-irix6*)
# Find out which ABI we are using. # Find out which ABI we are using.
echo '#line 6216 "configure"' > conftest.$ac_ext echo '#line 6210 "configure"' > conftest.$ac_ext
if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5
(eval $ac_compile) 2>&5 (eval $ac_compile) 2>&5
ac_status=$? ac_status=$?
@ -8072,11 +8066,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'` -e 's:$: $lt_compiler_flag:'`
(eval echo "\"\$as_me:8075: $lt_compile\"" >&5) (eval echo "\"\$as_me:8069: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err) (eval "$lt_compile" 2>conftest.err)
ac_status=$? ac_status=$?
cat conftest.err >&5 cat conftest.err >&5
echo "$as_me:8079: \$? = $ac_status" >&5 echo "$as_me:8073: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized # The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings other than the usual output. # So say no if there are warnings other than the usual output.
@ -8362,11 +8356,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'` -e 's:$: $lt_compiler_flag:'`
(eval echo "\"\$as_me:8365: $lt_compile\"" >&5) (eval echo "\"\$as_me:8359: $lt_compile\"" >&5)
(eval "$lt_compile" 2>conftest.err) (eval "$lt_compile" 2>conftest.err)
ac_status=$? ac_status=$?
cat conftest.err >&5 cat conftest.err >&5
echo "$as_me:8369: \$? = $ac_status" >&5 echo "$as_me:8363: \$? = $ac_status" >&5
if (exit $ac_status) && test -s "$ac_outfile"; then if (exit $ac_status) && test -s "$ac_outfile"; then
# The compiler can only warn and ignore the option if not recognized # The compiler can only warn and ignore the option if not recognized
# So say no if there are warnings other than the usual output. # So say no if there are warnings other than the usual output.
@ -8466,11 +8460,11 @@ else
-e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
-e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \
-e 's:$: $lt_compiler_flag:'` -e 's:$: $lt_compiler_flag:'`
(eval echo "\"\$as_me:8469: $lt_compile\"" >&5) (eval echo "\"\$as_me:8463: $lt_compile\"" >&5)
(eval "$lt_compile" 2>out/conftest.err) (eval "$lt_compile" 2>out/conftest.err)
ac_status=$? ac_status=$?
cat out/conftest.err >&5 cat out/conftest.err >&5
echo "$as_me:8473: \$? = $ac_status" >&5 echo "$as_me:8467: \$? = $ac_status" >&5
if (exit $ac_status) && test -s out/conftest2.$ac_objext if (exit $ac_status) && test -s out/conftest2.$ac_objext
then then
# The compiler can only warn and ignore the option if not recognized # The compiler can only warn and ignore the option if not recognized
@ -10826,7 +10820,7 @@ else
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<EOF cat > conftest.$ac_ext <<EOF
#line 10829 "configure" #line 10823 "configure"
#include "confdefs.h" #include "confdefs.h"
#if HAVE_DLFCN_H #if HAVE_DLFCN_H
@ -10926,7 +10920,7 @@ else
lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2
lt_status=$lt_dlunknown lt_status=$lt_dlunknown
cat > conftest.$ac_ext <<EOF cat > conftest.$ac_ext <<EOF
#line 10929 "configure" #line 10923 "configure"
#include "confdefs.h" #include "confdefs.h"
#if HAVE_DLFCN_H #if HAVE_DLFCN_H
@ -11953,6 +11947,22 @@ done
fi fi
# AIX analog of nsswitch.conf, enabled by default
# Check whether --with-netsvc was given.
if test "${with_netsvc+set}" = set; then
withval=$with_netsvc; case $with_netsvc in
no) ;;
yes) with_netsvc="/etc/netsvc.conf"
;;
*) ;;
esac
fi
if test -z "$with_nsswitch" -a -z "$with_netsvc"; then
with_netsvc="/etc/netsvc.conf"
fi
# AIX-specific functions # AIX-specific functions
for ac_func in getuserattr for ac_func in getuserattr
@ -19615,6 +19625,22 @@ fi
done done
netsvc_conf='/etc/netsvc.conf'
nsswitch_conf='/etc/nsswitch.conf'
if test ${with_netsvc-"no"} != "no"; then
cat >>confdefs.h <<EOF
#define _PATH_NETSVC_CONF "${with_netsvc-/etc/netsvc.conf}"
EOF
netsvc_conf=${with_netsvc-/etc/netsvc.conf}
elif test ${with_nsswitch-"yes"} != "no"; then
cat >>confdefs.h <<EOF
#define _PATH_NSSWITCH_CONF "${with_nsswitch-/etc/nsswitch.conf}"
EOF
nsswitch_conf=${with_nsswitch-/etc/nsswitch.conf}
fi
if test -z "${AUTH_EXCL}${AUTH_REG}" -a -n "$AUTH_EXCL_DEF"; then if test -z "${AUTH_EXCL}${AUTH_REG}" -a -n "$AUTH_EXCL_DEF"; then
for auth in $AUTH_EXCL_DEF; do for auth in $AUTH_EXCL_DEF; do
@ -24491,6 +24517,7 @@ path_info!$path_info$ac_delim
ldap_conf!$ldap_conf$ac_delim ldap_conf!$ldap_conf$ac_delim
ldap_secret!$ldap_secret$ac_delim ldap_secret!$ldap_secret$ac_delim
nsswitch_conf!$nsswitch_conf$ac_delim nsswitch_conf!$nsswitch_conf$ac_delim
netsvc_conf!$netsvc_conf$ac_delim
EGREPPROG!$EGREPPROG$ac_delim EGREPPROG!$EGREPPROG$ac_delim
CC!$CC$ac_delim CC!$CC$ac_delim
ac_ct_CC!$ac_ct_CC$ac_delim ac_ct_CC!$ac_ct_CC$ac_delim
@ -24525,7 +24552,7 @@ KRB5CONFIG!$KRB5CONFIG$ac_delim
LTLIBOBJS!$LTLIBOBJS$ac_delim LTLIBOBJS!$LTLIBOBJS$ac_delim
_ACEOF _ACEOF
if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 38; then if test `sed -n "s/.*$ac_delim\$/X/p" conf$$subs.sed | grep -c X` = 39; then
break break
elif $ac_last_try; then elif $ac_last_try; then
{ { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5 { { echo "$as_me:$LINENO: error: could not make $CONFIG_STATUS" >&5

32
configure.in
View File

@ -83,6 +83,7 @@ AC_SUBST(path_info)
AC_SUBST(ldap_conf) AC_SUBST(ldap_conf)
AC_SUBST(ldap_secret) AC_SUBST(ldap_secret)
AC_SUBST(nsswitch_conf) AC_SUBST(nsswitch_conf)
AC_SUBST(netsvc_conf)
dnl dnl
dnl Initial values for above dnl Initial values for above
dnl dnl
@ -945,12 +946,6 @@ AC_ARG_WITH(nsswitch, [ --with-nsswitch[[=PATH]] path to nsswitch.conf],
;; ;;
*) ;; *) ;;
esac]) esac])
if test ${with_nsswitch-"yes"} != "no"; then
SUDO_DEFINE_UNQUOTED(_PATH_NSSWITCH_CONF, "${with_nsswitch-/etc/nsswitch.conf}")
nsswitch_conf=${with_nsswitch-/etc/nsswitch.conf}
else
nsswitch_conf='/etc/nsswitch.conf'
fi
AC_ARG_WITH(ldap, [ --with-ldap[[=DIR]] enable LDAP support], AC_ARG_WITH(ldap, [ --with-ldap[[=DIR]] enable LDAP support],
[case $with_ldap in [case $with_ldap in
@ -1363,6 +1358,18 @@ case "$host" in
AC_CHECK_FUNCS(authenticate, [AUTH_EXCL_DEF="AIX_AUTH"]) AC_CHECK_FUNCS(authenticate, [AUTH_EXCL_DEF="AIX_AUTH"])
fi fi
# AIX analog of nsswitch.conf, enabled by default
AC_ARG_WITH(netsvc, [ --with-netsvc[[=PATH]] path to netsvc.conf],
[case $with_netsvc in
no) ;;
yes) with_netsvc="/etc/netsvc.conf"
;;
*) ;;
esac])
if test -z "$with_nsswitch" -a -z "$with_netsvc"; then
with_netsvc="/etc/netsvc.conf"
fi
# AIX-specific functions # AIX-specific functions
AC_CHECK_FUNCS(getuserattr) AC_CHECK_FUNCS(getuserattr)
SUDO_OBJS="$SUDO_OBJS aix.o" SUDO_OBJS="$SUDO_OBJS aix.o"
@ -1888,6 +1895,19 @@ AC_CHECK_FUNCS(getprogname, , [
AC_MSG_RESULT($sudo_cv___progname) AC_MSG_RESULT($sudo_cv___progname)
]) ])
dnl
dnl nsswitch.conf and its equivalents
dnl
netsvc_conf='/etc/netsvc.conf'
nsswitch_conf='/etc/nsswitch.conf'
if test ${with_netsvc-"no"} != "no"; then
SUDO_DEFINE_UNQUOTED(_PATH_NETSVC_CONF, "${with_netsvc-/etc/netsvc.conf}")
netsvc_conf=${with_netsvc-/etc/netsvc.conf}
elif test ${with_nsswitch-"yes"} != "no"; then
SUDO_DEFINE_UNQUOTED(_PATH_NSSWITCH_CONF, "${with_nsswitch-/etc/nsswitch.conf}")
nsswitch_conf=${with_nsswitch-/etc/nsswitch.conf}
fi
dnl dnl
dnl Mutually exclusive auth checks come first, followed by dnl Mutually exclusive auth checks come first, followed by
dnl non-exclusive ones. Note: passwd must be last of all! dnl non-exclusive ones. Note: passwd must be last of all!

4
pathnames.h.in
View File

@ -127,3 +127,7 @@
#ifndef _PATH_NSSWITCH_CONF #ifndef _PATH_NSSWITCH_CONF
#undef _PATH_NSSWITCH_CONF #undef _PATH_NSSWITCH_CONF
#endif /* _PATH_NSSWITCH_CONF */ #endif /* _PATH_NSSWITCH_CONF */
#ifndef _PATH_NETSVC_CONF
#undef _PATH_NETSVC_CONF
#endif /* _PATH_NETSVC_CONF */

12
sudo.c
View File

@ -345,9 +345,15 @@ main(argc, argv, envp)
tq_foreach_fwd(snl, nss) { tq_foreach_fwd(snl, nss) {
validated = nss->lookup(nss, validated, pwflag); validated = nss->lookup(nss, validated, pwflag);
/* Handle [NOTFOUND=return] */ if (ISSET(validated, VALIDATE_OK)) {
if (!ISSET(validated, VALIDATE_OK) && nss->ret_notfound) /* Handle "= auth" in netsvc.conf */
break; if (nss->ret_if_found)
break;
} else {
/* Handle [NOTFOUND=return] */
if (nss->ret_if_notfound)
break;
}
} }
if (safe_cmnd == NULL) if (safe_cmnd == NULL)
safe_cmnd = estrdup(user_cmnd); safe_cmnd = estrdup(user_cmnd);

88
sudo_nss.c
View File

@ -39,6 +39,7 @@
#endif /* HAVE_UNISTD_H */ #endif /* HAVE_UNISTD_H */
#include <pwd.h> #include <pwd.h>
#include <grp.h> #include <grp.h>
#include <ctype.h>
#include "sudo.h" #include "sudo.h"
#include "lbuf.h" #include "lbuf.h"
@ -89,7 +90,7 @@ sudo_read_nss()
got_match = TRUE; got_match = TRUE;
} else if (strcasecmp(cp, "[NOTFOUND=return]") == 0 && got_match) { } else if (strcasecmp(cp, "[NOTFOUND=return]") == 0 && got_match) {
/* NOTFOUND affects the most recent entry */ /* NOTFOUND affects the most recent entry */
tq_last(&snl)->ret_notfound = TRUE; tq_last(&snl)->ret_if_notfound = TRUE;
got_match = FALSE; got_match = FALSE;
} else } else
got_match = FALSE; got_match = FALSE;
@ -109,6 +110,85 @@ nomatch:
#else /* HAVE_LDAP && _PATH_NSSWITCH_CONF */ #else /* HAVE_LDAP && _PATH_NSSWITCH_CONF */
# if defined(HAVE_LDAP) && defined(_PATH_NETSVC_CONF)
/*
* Read in /etc/netsvc.conf (like nsswitch.conf on AIX)
* Returns a tail queue of matches.
*/
struct sudo_nss_list *
sudo_read_nss()
{
FILE *fp;
char *cp, *ep;
int saw_files = FALSE;
int saw_ldap = FALSE;
int got_match = FALSE;
static struct sudo_nss_list snl;
if ((fp = fopen(_PATH_NETSVC_CONF, "r")) == NULL)
goto nomatch;
while ((cp = sudo_parseln(fp)) != NULL) {
/* Skip blank or comment lines */
if (*cp == '\0')
continue;
/* Look for a line starting with "sudoers = " */
if (strncasecmp(cp, "sudoers", 7) != 0)
continue;
cp += 7;
while (isspace((unsigned char)*cp))
cp++;
if (*cp++ != '=')
continue;
/* Parse line */
for ((cp = strtok(cp, ",")); cp != NULL; (cp = strtok(NULL, ","))) {
/* Trim leading whitespace. */
while (isspace((unsigned char)*cp))
cp++;
if (!saw_files && strncasecmp(cp, "files", 5) == 0 &&
(isspace((unsigned char)cp[5]) || cp[5] == '\0')) {
tq_append(&snl, &sudo_nss_file);
got_match = TRUE;
ep = &cp[5];
} else if (!saw_ldap && strncasecmp(cp, "ldap", 4) == 0 &&
(isspace((unsigned char)cp[4]) || cp[4] == '\0')) {
tq_append(&snl, &sudo_nss_ldap);
got_match = TRUE;
ep = &cp[4];
} else {
got_match = FALSE;
}
/* check for = auth qualifier */
if (got_match && *ep) {
cp = ep;
while (isspace((unsigned char)*cp) || *cp == '=')
cp++;
if (strncasecmp(cp, "auth", 4) == 0 &&
(isspace((unsigned char)cp[4]) || cp[4] == '\0')) {
tq_last(&snl)->ret_if_found = TRUE;
}
}
}
/* Only parse the first "sudoers" line */
break;
}
fclose(fp);
nomatch:
/* Default to files only if no matches */
if (tq_empty(&snl))
tq_append(&snl, &sudo_nss_file);
return(&snl);
}
# else /* !_PATH_NETSVC_CONF && !_PATH_NSSWITCH_CONF */
/* /*
* Non-nsswitch.conf version with hard-coded order. * Non-nsswitch.conf version with hard-coded order.
*/ */
@ -117,14 +197,16 @@ sudo_read_nss()
{ {
static struct sudo_nss_list snl; static struct sudo_nss_list snl;
# ifdef HAVE_LDAP # ifdef HAVE_LDAP
tq_append(&snl, &sudo_nss_ldap); tq_append(&snl, &sudo_nss_ldap);
# endif # endif
tq_append(&snl, &sudo_nss_file); tq_append(&snl, &sudo_nss_file);
return(&snl); return(&snl);
} }
# endif /* !HAVE_LDAP || !_PATH_NETSVC_CONF */
#endif /* HAVE_LDAP && _PATH_NSSWITCH_CONF */ #endif /* HAVE_LDAP && _PATH_NSSWITCH_CONF */
/* Reset user_groups based on passwd entry. */ /* Reset user_groups based on passwd entry. */

3
sudo_nss.h
View File

@ -32,7 +32,8 @@ struct sudo_nss {
int (*display_bound_defaults) __P((struct sudo_nss *nss, struct passwd *, struct lbuf *)); int (*display_bound_defaults) __P((struct sudo_nss *nss, struct passwd *, struct lbuf *));
int (*display_privs) __P((struct sudo_nss *nss, struct passwd *, struct lbuf *)); int (*display_privs) __P((struct sudo_nss *nss, struct passwd *, struct lbuf *));
void *handle; void *handle;
int ret_notfound; short ret_if_found;
short ret_if_notfound;
}; };
TQ_DECLARE(sudo_nss) TQ_DECLARE(sudo_nss)