mirror of https://github.com/sudo-project/sudo.git synced 2025-08-22 01:49:11 +00:00

check_user: refactor the "running as self" check into its own function

Todd C. Miller 2025-04-30 13:54:36 -06:00
parent 28837b2af1
commit a294a8be00


@ -86,6 +86,21 @@ get_authpw(struct sudoers_context *ctx, unsigned int mode)
debug_return_ptr(pw); debug_return_ptr(pw);
} }
/*
* Returns true if the user is running the command as themselves
* and no SELinux type/role, AppArmor profile or Solaris privilege
* was specified.
*/
static bool
running_as_user(struct sudoers_context *ctx)
{
return ctx->user.uid == ctx->runas.pw->pw_uid && (ctx->runas.gr == NULL ||
user_in_group(ctx->user.pw, ctx->runas.gr->gr_name)) &&
ctx->runas.role == NULL && ctx->runas.type == NULL &&
ctx->runas.apparmor_profile == NULL &&
ctx->runas.privs == NULL && ctx->runas.limitprivs == NULL;
}
/* /*
* Returns AUTH_SUCCESS if the user successfully authenticates, * Returns AUTH_SUCCESS if the user successfully authenticates,
* AUTH_FAILURE if not or AUTH_ERROR on error. * AUTH_FAILURE if not or AUTH_ERROR on error.
@ -124,29 +139,22 @@ check_user(struct sudoers_context *ctx, unsigned int validated,
} }
closure.ctx = ctx; closure.ctx = ctx;
/*
* Don't prompt for the root passwd or if the user is exempt.
* If the user is not changing uid/gid, no need for a password.
*/
if (!def_authenticate || user_is_exempt(ctx)) { if (!def_authenticate || user_is_exempt(ctx)) {
sudo_debug_printf(SUDO_DEBUG_INFO, "%s: %s", __func__, sudo_debug_printf(SUDO_DEBUG_INFO, "%s: %s", __func__,
!def_authenticate ? "authentication disabled" : !def_authenticate ? "authentication disabled" :
"user exempt from authentication"); "user exempt from authentication");
exempt = true; exempt = true;
ret = AUTH_SUCCESS; goto success;
goto done;
} }
if (ctx->user.uid == 0 || (ISSET(mode, MODE_RUN|MODE_EDIT) && if (ctx->user.uid == ROOT_UID) {
ctx->user.uid == ctx->runas.pw->pw_uid && (ctx->runas.gr == NULL || /* Do not prompt for the root password. */
user_in_group(ctx->user.pw, ctx->runas.gr->gr_name)))) { goto success;
if (ctx->runas.role == NULL && ctx->runas.type == NULL && }
ctx->runas.apparmor_profile == NULL && if ((ISSET(mode, MODE_RUN|MODE_EDIT) && running_as_user(ctx))) {
ctx->runas.privs == NULL && ctx->runas.limitprivs == NULL) { /* If the user is not changing uid/gid, no need for a password. */
sudo_debug_printf(SUDO_DEBUG_INFO, sudo_debug_printf(SUDO_DEBUG_INFO,
"%s: user running command as self", __func__); "%s: user running command as self", __func__);
ret = AUTH_SUCCESS; goto success;
goto done;
}
} }
/* Construct callback for getpass function. */ /* Construct callback for getpass function. */
@ -201,8 +209,8 @@ check_user(struct sudoers_context *ctx, unsigned int validated,
break; break;
} }
done:
if (ret == AUTH_SUCCESS) { if (ret == AUTH_SUCCESS) {
success:
/* The approval function may disallow a user post-authentication. */ /* The approval function may disallow a user post-authentication. */
ret = sudo_auth_approval(ctx, closure.auth_pw, validated, exempt); ret = sudo_auth_approval(ctx, closure.auth_pw, validated, exempt);
@ -215,6 +223,7 @@ done:
(void)timestamp_update(closure.cookie, closure.auth_pw); (void)timestamp_update(closure.cookie, closure.auth_pw);
} }
} }
done:
timestamp_close(closure.cookie); timestamp_close(closure.cookie);
sudo_auth_cleanup(ctx, closure.auth_pw, !ISSET(validated, VALIDATE_SUCCESS)); sudo_auth_cleanup(ctx, closure.auth_pw, !ISSET(validated, VALIDATE_SUCCESS));
sudo_pw_delref(closure.auth_pw); sudo_pw_delref(closure.auth_pw);
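Review bot: The new `if (ctx->user.uid == ROOT_UID)` branch in check_user() jumps to `success` unconditionally, whereas the replaced condition, as far as the rendered old lines show, only skipped authentication for root when no SELinux role/type, AppArmor profile or Solaris privilege set was requested. That makes this more than a refactor: root invoking sudo with one of those options would previously have fallen through to the password prompt and now does not. If that is intended, say so in the commit message and in the comment, e.g. `/* Do not prompt for the root password, even when a role, type, profile or privileges were requested. */`; if not, the root branch needs the same five NULL checks that running_as_user() applies. Separately, the header comment on running_as_user() omits the runas-group membership condition that the function also tests. check_user()'s body continues outside the visible hunks.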