mirror of https://github.com/sudo-project/sudo.git synced 2025-08-22 01:49:11 +00:00

Treat unresolvable User_Alias/Host_Alias as non-aliases in JSON output.

This matches the behavior of the sudoers parser.  There is no way
to tell for sure if an upper case word is an alias or a user or
host name.  An unresolvable command alias is never a command since
it doesn't start with a '/'.  GitHub issue #381
Todd C. Miller 2024-06-07 10:54:35 -06:00
parent 4e1c587535
commit e9d65e67aa
3 changed files with 87 additions and 41 deletions


@ -192,8 +192,9 @@ print_member_json_int(struct json_container *jsonc,
{ {
struct json_value value; struct json_value value;
const char *typestr = NULL; const char *typestr = NULL;
const char *errstr;
short alias_type = UNSPEC; short alias_type = UNSPEC;
struct alias *a = NULL;
const char *errstr;
id_t id; id_t id;
debug_decl(print_member_json_int, SUDOERS_DEBUG_UTIL); debug_decl(print_member_json_int, SUDOERS_DEBUG_UTIL);
@ -217,6 +218,37 @@ print_member_json_int(struct json_container *jsonc,
value.u.string = name; value.u.string = name;
} }
/* Special handling for ALIAS, which might actually be a WORD. */
if (type == ALIAS) {
switch (word_type) {
case TYPE_COMMAND:
alias_type = CMNDALIAS;
typestr = "cmndalias";
break;
case TYPE_HOSTNAME:
alias_type = HOSTALIAS;
typestr = "hostalias";
break;
case TYPE_RUNASGROUP:
case TYPE_RUNASUSER:
alias_type = RUNASALIAS;
typestr = "runasalias";
break;
case TYPE_USERNAME:
alias_type = USERALIAS;
typestr = "useralias";
break;
default:
sudo_fatalx("unexpected word type %d", word_type);
}
a = alias_get(parse_tree, value.u.string, alias_type);
if (a == NULL && alias_type != CMNDALIAS) {
/* Alias does not resolve, treat as WORD instead. */
type = WORD;
}
}
switch (type) { switch (type) {
case USERGROUP: case USERGROUP:
value.u.string++; /* skip leading '%' */ value.u.string++; /* skip leading '%' */
@ -293,57 +325,22 @@ print_member_json_int(struct json_container *jsonc,
} }
break; break;
case ALIAS: case ALIAS:
switch (word_type) { /* handled earlier */
case TYPE_COMMAND:
if (expand_aliases) {
alias_type = CMNDALIAS;
} else {
typestr = "cmndalias";
}
break;
case TYPE_HOSTNAME:
if (expand_aliases) {
alias_type = HOSTALIAS;
} else {
typestr = "hostalias";
}
break;
case TYPE_RUNASGROUP:
case TYPE_RUNASUSER:
if (expand_aliases) {
alias_type = RUNASALIAS;
} else {
typestr = "runasalias";
}
break;
case TYPE_USERNAME:
if (expand_aliases) {
alias_type = USERALIAS;
} else {
typestr = "useralias";
}
break;
default:
sudo_fatalx("unexpected word type %d", word_type);
}
break; break;
default: default:
sudo_fatalx("unexpected member type %d", type); sudo_fatalx("unexpected member type %d", type);
} }
if (expand_aliases && type == ALIAS) { if (expand_aliases && type == ALIAS) {
struct alias *a;
struct member *m;
/* Print each member of the alias. */ /* Print each member of the alias. */
if ((a = alias_get(parse_tree, value.u.string, alias_type)) != NULL) { if (a != NULL) {
struct member *m;
TAILQ_FOREACH(m, &a->members, entries) { TAILQ_FOREACH(m, &a->members, entries) {
if (!print_member_json_int(jsonc, parse_tree, m->name, m->type, if (!print_member_json_int(jsonc, parse_tree, m->name, m->type,
negated ? !m->negated : m->negated, negated ? !m->negated : m->negated, word_type, true))
alias_to_word_type(alias_type), true))
goto oom; goto oom;
} }
alias_put(a);
} }
} else { } else {
if (negated) { if (negated) {
@ -363,9 +360,13 @@ print_member_json_int(struct json_container *jsonc,
} }
} }
if (a != NULL)
alias_put(a);
debug_return_bool(true); debug_return_bool(true);
oom: oom:
/* warning printed by caller */ /* warning printed by caller */
if (a != NULL)
alias_put(a);
debug_return_bool(false); debug_return_bool(false);
} }
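Review bot: With `-e`, an unresolved Cmnd_Alias still reaches the `if (expand_aliases && type == ALIAS)` branch with `a == NULL` and emits nothing, so the misspelled `Defaults!REBOT !use_pty` in the new test comes out as an entry with an empty `"Binding"` array next to `{ "use_pty": false }`. A consumer of the JSON that reads an empty binding list as "applies everywhere" would turn a Defaults line that, per the commit message, never matches a command into a global one that disables use_pty. Consider tightening the condition to `if (expand_aliases && type == ALIAS && a != NULL) {` so the name falls through to the else branch and is printed under the `typestr` already set to "cmndalias" (assuming that branch prints `typestr` and `value` as it does for other types; part of it lies outside the hunks), or skip the whole entry and warn. Separately, `a == NULL` is taken to mean "undefined"; if alias_get() can also return NULL for an alias that is already being expanded, a self-referencing User_Alias or Host_Alias would now be emitted as a plain user or host name, so it may be worth checking why the lookup failed before setting `type = WORD`. The function begins above the first hunk.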


@ -0,0 +1,27 @@
{
"Defaults": [
{
"Binding": [
{ "username": "CLI_USR" }
],
"Options": [
{ "lecture": false }
]
},
{
"Binding": [
{ "hostname": "SUN_HST" }
],
"Options": [
{ "log_year": true }
]
},
{
"Binding": [
],
"Options": [
{ "use_pty": false }
]
}
]
}


@ -0,0 +1,18 @@
#!/bin/sh
#
# Test behavior of undefined aliases using --expand-aliases in JSON output.
# https://github.com/sudo-project/sudo/issues/381
#
: ${CVTSUDOERS=cvtsudoers}
$CVTSUDOERS -c "" -f json -e <<EOF
User_Alias CLI_USER = cli
Defaults:CLI_USR !lecture
Host_Alias SUN_HOST = sparc5
Defaults@SUN_HST log_year
Cmnd_Alias REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff
Defaults!REBOT !use_pty
EOF
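Review bot: The test only exercises `-e`, but the new early block in print_member_json_int() runs for every ALIAS member and rewrites `type` to WORD regardless of `expand_aliases`, so the non-expanded JSON output changes as well and has no coverage here. A companion case feeding the same input to `$CVTSUDOERS -c "" -f json <<EOF` (without `-e`) would pin whether `CLI_USR` and `SUN_HST` are expected as `username`/`hostname` and how `REBOT` is reported in that mode. A comment such as `# CLI_USR, SUN_HST and REBOT are intentionally undefined (misspelled) aliases.` above the here-document would also keep a later reader from "fixing" the names.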