
Correctly handle multiple privileges per userspec and runas inheritence.

This commit is contained in:
Todd C. Miller
2004-11-23 23:18:15 +00:00
parent f2bdbda17f
commit 9c526bdc30
2 changed files with 68 additions and 56 deletions

parse.c

@@ -90,6 +90,7 @@ sudoers_lookup(pwflag)
enum def_tupple pwcheck = 0; enum def_tupple pwcheck = 0;
struct cmndspec *cs; struct cmndspec *cs;
struct cmndtag *tags = NULL; struct cmndtag *tags = NULL;
struct member *runas;
struct privilege *priv; struct privilege *priv;
struct userspec *us; struct userspec *us;
@@ -118,7 +119,7 @@ sudoers_lookup(pwflag)
matched = FALSE; matched = FALSE;
for (us = userspecs; us != NULL; us = us->next) { for (us = userspecs; us != NULL; us = us->next) {
if (user_matches(sudo_user.pw, us->user) == TRUE) { if (user_matches(sudo_user.pw, us->user) == TRUE) {
priv = us->privileges; for (priv = us->privileges; priv != NULL; priv = priv->next) {
if (host_matches(priv->hostlist) == TRUE) { if (host_matches(priv->hostlist) == TRUE) {
for (cs = priv->cmndlist; cs != NULL; cs = cs->next) { for (cs = priv->cmndlist; cs != NULL; cs = cs->next) {
/* Only check the command when listing another user. */ /* Only check the command when listing another user. */
@@ -133,6 +134,7 @@ sudoers_lookup(pwflag)
} }
} }
} }
}
if (matched == TRUE) { if (matched == TRUE) {
/* User has an entry for this host. */ /* User has an entry for this host. */
CLR(validated, VALIDATE_NOT_OK); CLR(validated, VALIDATE_NOT_OK);
@@ -152,11 +154,14 @@ sudoers_lookup(pwflag)
for (us = userspecs; us != NULL; us = us->next) { for (us = userspecs; us != NULL; us = us->next) {
if (user_matches(sudo_user.pw, us->user) == TRUE) { if (user_matches(sudo_user.pw, us->user) == TRUE) {
CLR(validated, FLAG_NO_USER); CLR(validated, FLAG_NO_USER);
priv = us->privileges; for (priv = us->privileges; priv != NULL; priv = priv->next) {
if (host_matches(priv->hostlist) == TRUE) { if (host_matches(priv->hostlist) == TRUE) {
CLR(validated, FLAG_NO_HOST); CLR(validated, FLAG_NO_HOST);
runas = NULL;
for (cs = priv->cmndlist; cs != NULL; cs = cs->next) { for (cs = priv->cmndlist; cs != NULL; cs = cs->next) {
if (runas_matches(cs->runaslist) == TRUE) { if (cs->runaslist != NULL)
runas = cs->runaslist;
if (runas_matches(runas) == TRUE) {
rval = cmnd_matches(cs->cmnd); rval = cmnd_matches(cs->cmnd);
if (rval != UNSPEC) { if (rval != UNSPEC) {
matched = rval; matched = rval;
@@ -167,6 +172,7 @@ sudoers_lookup(pwflag)
} }
} }
} }
}
if (matched == TRUE) { if (matched == TRUE) {
CLR(validated, VALIDATE_NOT_OK); CLR(validated, VALIDATE_NOT_OK);
SET(validated, VALIDATE_OK); SET(validated, VALIDATE_OK);
@@ -203,12 +209,12 @@ display_privs(pw)
host_matches(us->privileges->hostlist) != TRUE) host_matches(us->privileges->hostlist) != TRUE)
continue; continue;
priv = us->privileges; for (priv = us->privileges; priv != NULL; priv = priv->next) {
runas = NULL; runas = NULL;
for (cs = priv->cmndlist; cs != NULL; cs = cs->next) { for (cs = priv->cmndlist; cs != NULL; cs = cs->next) {
fputs(" ", stdout);
if (cs->runaslist != NULL) if (cs->runaslist != NULL)
runas = cs->runaslist; runas = cs->runaslist;
fputs(" ", stdout);
if (runas != NULL) { if (runas != NULL) {
fputs("(", stdout); fputs("(", stdout);
for (m = runas; m != NULL; m = m->next) { for (m = runas; m != NULL; m = m->next) {
@@ -229,6 +235,7 @@ display_privs(pw)
putchar('\n'); putchar('\n');
} }
} }
}
} }
/* /*
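Review bot: In display_privs the new per-privilege loop (`for (priv = us->privileges; priv != NULL; priv = priv->next)`) is still gated by the pre-existing userspec-level test `host_matches(us->privileges->hostlist) != TRUE) continue;` just above it, so only the first privilege's host list decides whether the whole userspec is listed: a userspec whose first privilege is for another host is skipped even if a later privilege matches, and when the first privilege matches, commands granted only on other hosts are printed as well. sudoers_lookup in the earlier hunks checks `host_matches(priv->hostlist)` for each privilege, so the listing and the actual lookup would disagree for multi-privilege entries. Move the check inside the loop, `if (host_matches(priv->hostlist) != TRUE) continue;` as the first statement of the new `for (priv ...)` body, and drop the hostlist term from the userspec-level condition. The `if` whose condition ends on that context line begins above the hunk, and display_privs continues past it.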


@@ -105,6 +105,7 @@ main(argc, argv)
{ {
struct cmndspec *cs; struct cmndspec *cs;
struct passwd pw, rpw; struct passwd pw, rpw;
struct member *runas;
struct privilege *priv; struct privilege *priv;
struct userspec *us; struct userspec *us;
char *p, hbuf[MAXHOSTNAMELEN]; char *p, hbuf[MAXHOSTNAMELEN];
@@ -220,14 +221,17 @@ main(argc, argv)
matched = UNSPEC; matched = UNSPEC;
for (us = userspecs; us != NULL; us = us->next) { for (us = userspecs; us != NULL; us = us->next) {
if (user_matches(sudo_user.pw, us->user) == TRUE) { if (user_matches(sudo_user.pw, us->user) == TRUE) {
priv = us->privileges; for (priv = us->privileges; priv != NULL; priv = priv->next) {
putchar('\n'); putchar('\n');
print_privilege(priv); print_privilege(priv);
putchar('\n'); putchar('\n');
if (host_matches(priv->hostlist) == TRUE) { if (host_matches(priv->hostlist) == TRUE) {
puts("\thost matched"); puts("\thost matched");
runas = NULL;
for (cs = priv->cmndlist; cs != NULL; cs = cs->next) { for (cs = priv->cmndlist; cs != NULL; cs = cs->next) {
if (runas_matches(cs->runaslist) == TRUE) { if (cs->runaslist != NULL)
runas = cs->runaslist;
if (runas_matches(runas) == TRUE) {
puts("\trunas matched"); puts("\trunas matched");
rval = cmnd_matches(cs->cmnd); rval = cmnd_matches(cs->cmnd);
if (rval != UNSPEC) if (rval != UNSPEC)
@@ -239,6 +243,7 @@ main(argc, argv)
} }
} }
} }
}
printf("\nCommand %s\n", matched == TRUE ? "allowed" : printf("\nCommand %s\n", matched == TRUE ? "allowed" :
matched == FALSE ? "denied" : "unmatched"); matched == FALSE ? "denied" : "unmatched");