mir/sudo
2
0
Fork 0
mirror of https://github.com/sudo-project/sudo.git synced 2025-09-01 06:45:10 +00:00
Code Issues Releases Wiki Activity

Add support for mbr_check_membership() as present in darwin.

Browse Source
This commit is contained in:
Todd C. Miller
2009-12-12 15:37:52 +00:00
parent 02ae5fd96f
commit b8239bb34c
7 changed files with 62 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
check.c
View File

@@ -336,8 +336,13 @@ oflow:
int int
user_is_exempt() user_is_exempt()
{ {
struct group *grp; #ifdef HAVE_MBR_CHECK_MEMBERSHIP
uuid_t gu;
int ismember;
#else
char **gr_mem; char **gr_mem;
#endif
struct group *grp;
if (!def_exempt_group) if (!def_exempt_group)
return(FALSE); return(FALSE);
@@ -348,10 +353,17 @@ user_is_exempt()
if (user_gid == grp->gr_gid) if (user_gid == grp->gr_gid)
return(TRUE); return(TRUE);
#ifdef HAVE_MBR_CHECK_MEMBERSHIP
if (mbr_gid_to_uuid(grp->gr_gid, gu) == 0 &&
mbr_check_membership(user_uuid, gu, &ismember) == 0 && ismember)
return(TRUE);
#else
/* XXX - should check stashed group vector */
for (gr_mem = grp->gr_mem; *gr_mem; gr_mem++) { for (gr_mem = grp->gr_mem; *gr_mem; gr_mem++) {
if (strcmp(user_name, *gr_mem) == 0) if (strcmp(user_name, *gr_mem) == 0)
return(TRUE); return(TRUE);
} }
#endif
return(FALSE); return(FALSE);
} }

3
config.h.in
View File

@@ -309,6 +309,9 @@
/* Define to 1 if you have the <malloc.h> header file. */ /* Define to 1 if you have the <malloc.h> header file. */
#undef HAVE_MALLOC_H #undef HAVE_MALLOC_H
/* Define to 1 if you have the `mbr_check_membership' function. */
#undef HAVE_MBR_CHECK_MEMBERSHIP
/* Define to 1 if you have the `memchr' function. */ /* Define to 1 if you have the `memchr' function. */
#undef HAVE_MEMCHR #undef HAVE_MEMCHR

4
configure vendored
View File

@@ -16036,11 +16036,13 @@ LIBS=$ac_save_LIBS
for ac_func in dup2 strchr strrchr memchr memcpy memset sysconf tzset \ for ac_func in dup2 strchr strrchr memchr memcpy memset sysconf tzset \
strftime setrlimit initgroups getgroups fstat gettimeofday \ strftime setrlimit initgroups getgroups fstat gettimeofday \
regcomp setlocale getaddrinfo setsid setenv vhangup regcomp setlocale getaddrinfo setsid setenv vhangup \
mbr_check_membership
do do
as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
{ echo "$as_me:$LINENO: checking for $ac_func" >&5 { echo "$as_me:$LINENO: checking for $ac_func" >&5

3
configure.in
View File

@@ -1848,7 +1848,8 @@ dnl
AC_FUNC_GETGROUPS AC_FUNC_GETGROUPS
AC_CHECK_FUNCS(dup2 strchr strrchr memchr memcpy memset sysconf tzset \ AC_CHECK_FUNCS(dup2 strchr strrchr memchr memcpy memset sysconf tzset \
strftime setrlimit initgroups getgroups fstat gettimeofday \ strftime setrlimit initgroups getgroups fstat gettimeofday \
regcomp setlocale getaddrinfo setsid setenv vhangup) regcomp setlocale getaddrinfo setsid setenv vhangup \
mbr_check_membership)
AC_CHECK_FUNCS(getline, [], [ AC_CHECK_FUNCS(getline, [], [
AC_LIBOBJ(getline) AC_LIBOBJ(getline)
AC_CHECK_FUNCS(fgetln) AC_CHECK_FUNCS(fgetln)

26
match.c
View File

@@ -819,9 +819,14 @@ usergr_matches(group, user, pw)
char *user; char *user;
struct passwd *pw; struct passwd *pw;
{ {
struct group *grp = NULL; #ifdef HAVE_MBR_CHECK_MEMBERSHIP
char **cur; uuid_t gu, uu;
int ismember;
#else
char **gr_mem;
int i; int i;
#endif
struct group *grp = NULL;
/* make sure we have a valid usergroup, sudo style */ /* make sure we have a valid usergroup, sudo style */
if (*group++ != '%') if (*group++ != '%')
@@ -847,17 +852,30 @@ usergr_matches(group, user, pw)
* supplementary group vector, check it first. * supplementary group vector, check it first.
*/ */
if (strcmp(user, list_pw ? list_pw->pw_name : user_name) == 0) { if (strcmp(user, list_pw ? list_pw->pw_name : user_name) == 0) {
#ifdef HAVE_MBR_CHECK_MEMBERSHIP
if (mbr_gid_to_uuid(grp->gr_gid, gu) == 0 &&
mbr_check_membership(user_uuid, gu, &ismember) == 0 && ismember)
return(TRUE);
#else
for (i = 0; i < user_ngroups; i++) for (i = 0; i < user_ngroups; i++)
if (grp->gr_gid == user_groups[i]) if (grp->gr_gid == user_groups[i])
return(TRUE); return(TRUE);
#endif
} }
check_membership: check_membership:
#ifdef HAVE_MBR_CHECK_MEMBERSHIP
if (mbr_uid_to_uuid(pw->pw_uid, uu) == 0 &&
mbr_gid_to_uuid(grp->gr_gid, gu) == 0 &&
mbr_check_membership(uu, gu, &ismember) == 0 && ismember)
return(TRUE);
#else
if (grp != NULL && grp->gr_mem != NULL) { if (grp != NULL && grp->gr_mem != NULL) {
for (cur = grp->gr_mem; *cur; cur++) for (gr_mem = grp->gr_mem; *gr_mem; gr_mem++)
if (strcmp(*cur, user) == 0) if (strcmp(*gr_mem, user) == 0)
return(TRUE); return(TRUE);
} }
#endif
#ifdef USING_NONUNIX_GROUPS #ifdef USING_NONUNIX_GROUPS
/* not a Unix group, could be an AD group */ /* not a Unix group, could be an AD group */

12
sudo.c
View File

@@ -94,6 +94,9 @@
#ifdef HAVE_SELINUX #ifdef HAVE_SELINUX
# include <selinux/selinux.h> # include <selinux/selinux.h>
#endif #endif
#ifdef HAVE_MBR_CHECK_MEMBERSHIP
# include <membership.h>
#endif
#include <sudo_usage.h> #include <sudo_usage.h>
#include "sudo.h" #include "sudo.h"
@@ -436,8 +439,12 @@ main(argc, argv, envp)
if (user_uid == 0 && strcmp(prev_user, "root") != 0) { if (user_uid == 0 && strcmp(prev_user, "root") != 0) {
struct passwd *pw; struct passwd *pw;
if ((pw = sudo_getpwnam(prev_user)) != NULL) if ((pw = sudo_getpwnam(prev_user)) != NULL) {
sudo_user.pw = pw; sudo_user.pw = pw;
#ifdef HAVE_MBR_CHECK_MEMBERSHIP
mbr_uid_to_uuid(user_uid, user_uuid);
#endif
}
} }
} }
@@ -730,6 +737,9 @@ init_vars(sudo_mode, envp)
errorx(1, "unknown uid: %s", pw_name); errorx(1, "unknown uid: %s", pw_name);
log_error(0, "unknown uid: %s", pw_name); log_error(0, "unknown uid: %s", pw_name);
} }
#ifdef HAVE_MBR_CHECK_MEMBERSHIP
mbr_uid_to_uuid(user_uid, user_uuid);
#endif
if (user_shell == NULL || *user_shell == '\0') if (user_shell == NULL || *user_shell == '\0')
user_shell = estrdup(sudo_user.pw->pw_shell); user_shell = estrdup(sudo_user.pw->pw_shell);

8
sudo.h
View File

@@ -35,6 +35,10 @@
#include "missing.h" #include "missing.h"
#include "sudo_nss.h" #include "sudo_nss.h"
#ifdef HAVE_MBR_CHECK_MEMBERSHIP
# include <membership.h>
#endif
/* /*
* Info pertaining to the invoking user. * Info pertaining to the invoking user.
*/ */
@@ -67,6 +71,9 @@ struct sudo_user {
#endif #endif
char cwd[PATH_MAX]; char cwd[PATH_MAX];
char sessid[7]; char sessid[7];
#ifdef HAVE_MBR_CHECK_MEMBERSHIP
uuid_t uuid;
#endif
}; };
/* /*
@@ -141,6 +148,7 @@ struct sudo_user {
#define user_name (sudo_user.pw->pw_name) #define user_name (sudo_user.pw->pw_name)
#define user_passwd (sudo_user.pw->pw_passwd) #define user_passwd (sudo_user.pw->pw_passwd)
#define user_uid (sudo_user.pw->pw_uid) #define user_uid (sudo_user.pw->pw_uid)
#define user_uuid (sudo_user.uuid)
#define user_gid (sudo_user.pw->pw_gid) #define user_gid (sudo_user.pw->pw_gid)
#define user_dir (sudo_user.pw->pw_dir) #define user_dir (sudo_user.pw->pw_dir)
#define user_shell (sudo_user.shell) #define user_shell (sudo_user.shell)