mirror of
https://github.com/sudo-project/sudo.git
synced 2025-09-04 16:25:25 +00:00
Correctly handle multiple privileges per userspec and runas inheritence.
This commit is contained in:
Todd C. Miller
17
parse.c
17
parse.c
@@ -90,6 +90,7 @@ sudoers_lookup(pwflag)
|
||||
enum def_tupple pwcheck = 0;
|
||||
struct cmndspec *cs;
|
||||
struct cmndtag *tags = NULL;
|
||||
struct member *runas;
|
||||
struct privilege *priv;
|
||||
struct userspec *us;
|
||||
|
||||
@@ -118,7 +119,7 @@ sudoers_lookup(pwflag)
|
||||
matched = FALSE;
|
||||
for (us = userspecs; us != NULL; us = us->next) {
|
||||
if (user_matches(sudo_user.pw, us->user) == TRUE) {
|
||||
priv = us->privileges;
|
||||
for (priv = us->privileges; priv != NULL; priv = priv->next) {
|
||||
if (host_matches(priv->hostlist) == TRUE) {
|
||||
for (cs = priv->cmndlist; cs != NULL; cs = cs->next) {
|
||||
/* Only check the command when listing another user. */
|
||||
@@ -133,6 +134,7 @@ sudoers_lookup(pwflag)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
if (matched == TRUE) {
|
||||
/* User has an entry for this host. */
|
||||
CLR(validated, VALIDATE_NOT_OK);
|
||||
@@ -152,11 +154,14 @@ sudoers_lookup(pwflag)
|
||||
for (us = userspecs; us != NULL; us = us->next) {
|
||||
if (user_matches(sudo_user.pw, us->user) == TRUE) {
|
||||
CLR(validated, FLAG_NO_USER);
|
||||
priv = us->privileges;
|
||||
for (priv = us->privileges; priv != NULL; priv = priv->next) {
|
||||
if (host_matches(priv->hostlist) == TRUE) {
|
||||
CLR(validated, FLAG_NO_HOST);
|
||||
runas = NULL;
|
||||
for (cs = priv->cmndlist; cs != NULL; cs = cs->next) {
|
||||
if (runas_matches(cs->runaslist) == TRUE) {
|
||||
if (cs->runaslist != NULL)
|
||||
runas = cs->runaslist;
|
||||
if (runas_matches(runas) == TRUE) {
|
||||
rval = cmnd_matches(cs->cmnd);
|
||||
if (rval != UNSPEC) {
|
||||
matched = rval;
|
||||
@@ -167,6 +172,7 @@ sudoers_lookup(pwflag)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
if (matched == TRUE) {
|
||||
CLR(validated, VALIDATE_NOT_OK);
|
||||
SET(validated, VALIDATE_OK);
|
||||
@@ -203,12 +209,12 @@ display_privs(pw)
|
||||
host_matches(us->privileges->hostlist) != TRUE)
|
||||
continue;
|
||||
|
||||
priv = us->privileges;
|
||||
for (priv = us->privileges; priv != NULL; priv = priv->next) {
|
||||
runas = NULL;
|
||||
for (cs = priv->cmndlist; cs != NULL; cs = cs->next) {
|
||||
fputs(" ", stdout);
|
||||
if (cs->runaslist != NULL)
|
||||
runas = cs->runaslist;
|
||||
fputs(" ", stdout);
|
||||
if (runas != NULL) {
|
||||
fputs("(", stdout);
|
||||
for (m = runas; m != NULL; m = m->next) {
|
||||
@@ -229,6 +235,7 @@ display_privs(pw)
|
||||
putchar('\n');
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
|
||||
@@ -105,6 +105,7 @@ main(argc, argv)
|
||||
{
|
||||
struct cmndspec *cs;
|
||||
struct passwd pw, rpw;
|
||||
struct member *runas;
|
||||
struct privilege *priv;
|
||||
struct userspec *us;
|
||||
char *p, hbuf[MAXHOSTNAMELEN];
|
||||
@@ -220,14 +221,17 @@ main(argc, argv)
|
||||
matched = UNSPEC;
|
||||
for (us = userspecs; us != NULL; us = us->next) {
|
||||
if (user_matches(sudo_user.pw, us->user) == TRUE) {
|
||||
priv = us->privileges;
|
||||
for (priv = us->privileges; priv != NULL; priv = priv->next) {
|
||||
putchar('\n');
|
||||
print_privilege(priv);
|
||||
putchar('\n');
|
||||
if (host_matches(priv->hostlist) == TRUE) {
|
||||
puts("\thost matched");
|
||||
runas = NULL;
|
||||
for (cs = priv->cmndlist; cs != NULL; cs = cs->next) {
|
||||
if (runas_matches(cs->runaslist) == TRUE) {
|
||||
if (cs->runaslist != NULL)
|
||||
runas = cs->runaslist;
|
||||
if (runas_matches(runas) == TRUE) {
|
||||
puts("\trunas matched");
|
||||
rval = cmnd_matches(cs->cmnd);
|
||||
if (rval != UNSPEC)
|
||||
@@ -239,6 +243,7 @@ main(argc, argv)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
printf("\nCommand %s\n", matched == TRUE ? "allowed" :
|
||||
matched == FALSE ? "denied" : "unmatched");
|
||||
|
||||
|
||||
Reference in New Issue
Block a user