mirror of
https://github.com/sudo-project/sudo.git
synced 2025-08-31 22:35:10 +00:00
Add "listpw" and "verifypw" options.
79
defaults.c
79
defaults.c
@@ -106,6 +106,7 @@ static int store_str __P((char *, struct sudo_defs_types *, int));
|
||||
static int store_syslogfac __P((char *, struct sudo_defs_types *, int));
|
||||
static int store_syslogpri __P((char *, struct sudo_defs_types *, int));
|
||||
static int store_mode __P((char *, struct sudo_defs_types *, int));
|
||||
static int store_pwflag __P((char *, struct sudo_defs_types *, int));
|
||||
|
||||
/*
|
||||
* Table describing compile-time and run-time options.
|
||||
@@ -225,6 +226,16 @@ struct sudo_defs_types sudo_defs_table[] = {
|
||||
}, {
|
||||
"secure_path", T_STR|T_BOOL,
|
||||
"Value to override user's $PATH with: %s"
|
||||
}, {
|
||||
"listpw_i", T_INT, NULL
|
||||
}, {
|
||||
"verifypw_i", T_INT, NULL
|
||||
}, {
|
||||
"listpw", T_PWFLAG,
|
||||
"When to require a password for 'list' pseudocommand: %s"
|
||||
}, {
|
||||
"verifypw", T_PWFLAG,
|
||||
"When to require a password for 'verify' pseudocommand: %s"
|
||||
}, {
|
||||
NULL, 0, NULL
|
||||
}
|
||||
@@ -248,6 +259,7 @@ dump_defaults()
|
||||
case T_STR:
|
||||
case T_LOGFAC:
|
||||
case T_LOGPRI:
|
||||
case T_PWFLAG:
|
||||
if (cur->sd_un.str) {
|
||||
(void) printf(cur->desc, cur->sd_un.str);
|
||||
putchar('\n');
|
||||
@@ -355,6 +367,19 @@ set_default(var, val, op)
|
||||
return(FALSE);
|
||||
}
|
||||
break;
|
||||
case T_PWFLAG:
|
||||
if (!store_pwflag(val, cur, op)) {
|
||||
if (val)
|
||||
(void) fprintf(stderr,
|
||||
"%s: value '%s' is invalid for option '%s'\n", Argv[0],
|
||||
val, var);
|
||||
else
|
||||
(void) fprintf(stderr,
|
||||
"%s: no value specified for `%s' on line %d\n", Argv[0],
|
||||
var, sudolineno);
|
||||
return(FALSE);
|
||||
}
|
||||
break;
|
||||
case T_STR:
|
||||
if (!val) {
|
||||
/* Check for bogus boolean usage or lack of a value. */
|
||||
@@ -447,6 +472,7 @@ init_defaults()
|
||||
case T_STR:
|
||||
case T_LOGFAC:
|
||||
case T_LOGPRI:
|
||||
case T_PWFLAG:
|
||||
if (def->sd_un.str) {
|
||||
free(def->sd_un.str);
|
||||
def->sd_un.str = NULL;
|
||||
@@ -509,6 +535,10 @@ init_defaults()
|
||||
(void) store_syslogpri(PRI_FAILURE, &sudo_defs_table[I_BADPRISTR], TRUE);
|
||||
#endif
|
||||
|
||||
/* Password flags also have a string and integer component. */
|
||||
(void) store_pwflag("any", &sudo_defs_table[I_LISTPWSTR], TRUE);
|
||||
(void) store_pwflag("all", &sudo_defs_table[I_VERIFYPWSTR], TRUE);
|
||||
|
||||
/* Then initialize the int-like things. */
|
||||
#ifdef SUDO_UMASK
|
||||
def_mode(I_UMASK) = SUDO_UMASK;
|
||||
@@ -598,8 +628,10 @@ store_syslogfac(val, def, op)
|
||||
struct strmap *fac;
|
||||
|
||||
if (op == FALSE) {
|
||||
if (def->sd_un.str) {
|
||||
free(def->sd_un.str);
|
||||
def->sd_un.str = NULL;
|
||||
}
|
||||
return(TRUE);
|
||||
}
|
||||
#ifdef LOG_NFACILITIES
|
||||
@@ -679,3 +711,50 @@ store_mode(val, def, op)
|
||||
}
|
||||
return(TRUE);
|
||||
}
|
||||
|
||||
static int
|
||||
store_pwflag(val, def, op)
|
||||
char *val;
|
||||
struct sudo_defs_types *def;
|
||||
int op;
|
||||
{
|
||||
int isub, flags;
|
||||
|
||||
if (strcmp(def->name, "verifypw") == 0)
|
||||
isub = I_VERIFYPW;
|
||||
else
|
||||
isub = I_LISTPW;
|
||||
|
||||
/* Handle !foo. */
|
||||
if (op == FALSE) {
|
||||
if (def->sd_un.str) {
|
||||
free(def->sd_un.str);
|
||||
def->sd_un.str = NULL;
|
||||
}
|
||||
def->sd_un.str = estrdup("never");
|
||||
sudo_defs_table[isub].sd_un.ival = PWCHECK_NEVER;
|
||||
return(TRUE);
|
||||
}
|
||||
if (!val)
|
||||
return(FALSE);
|
||||
|
||||
/* Convert strings to integer values. */
|
||||
if (strcmp(val, "all") == 0)
|
||||
flags = PWCHECK_ALL;
|
||||
else if (strcmp(val, "any") == 0)
|
||||
flags = PWCHECK_ANY;
|
||||
else if (strcmp(val, "never") == 0)
|
||||
flags = PWCHECK_NEVER;
|
||||
else if (strcmp(val, "always") == 0)
|
||||
flags = PWCHECK_ALWAYS;
|
||||
else
|
||||
return(FALSE);
|
||||
|
||||
/* Store both name and number. */
|
||||
if (def->sd_un.str)
|
||||
free(def->sd_un.str);
|
||||
def->sd_un.str = estrdup(val);
|
||||
sudo_defs_table[isub].sd_un.ival = flags;
|
||||
|
||||
return(TRUE);
|
||||
}
|
||||
|
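Review bot: The new `listpw_i` and `verifypw_i` rows in `sudo_defs_table` are named `T_INT` entries, so if `set_default()` matches option names across the whole table (its lookup loop is outside these hunks), a sudoers `Defaults` line could write the integer slot directly and bypass the string validation in `store_pwflag()`. parse.c in this commit compares the value with `==` against the four `PWCHECK_*` constants and gates on `if (pwflags)`, so a stray value such as 0 would not be handled as any of the four policies. The integer rows should be unreachable from sudoers input, for example by having `set_default()` refuse them, and at minimum carry a comment such as `/* internal: written only by store_pwflag() */`. Separately, the `T_PWFLAG` error message for an invalid value omits `sudolineno`, which the "no value specified" message next to it includes.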
10
defaults.h
10
defaults.h
@@ -69,6 +69,8 @@ struct sudo_defs_types {
|
||||
#define T_LOGFAC 0x005
|
||||
#undef T_LOGPRI
|
||||
#define T_LOGPRI 0x006
|
||||
#undef T_PWFLAG
|
||||
#define T_PWFLAG 0x007
|
||||
#undef T_MASK
|
||||
#define T_MASK 0x0FF
|
||||
#undef T_BOOL
|
||||
@@ -129,6 +131,14 @@ struct sudo_defs_types {
|
||||
#define I_RUNAS_DEF 37 /* default user to run commands as */
|
||||
#define I_SECURE_PATH 38 /* set $PATH to this if not NULL */
|
||||
|
||||
/* Integer versions of list/verify options */
|
||||
#define I_LISTPW 39
|
||||
#define I_VERIFYPW 40
|
||||
|
||||
/* String versions of list/verify options */
|
||||
#define I_LISTPWSTR 41
|
||||
#define I_VERIFYPWSTR 42
|
||||
|
||||
/*
|
||||
* Macros for accessing sudo_defs_table.
|
||||
*/
|
||||
|
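Review bot: The new `I_LISTPW` .. `I_VERIFYPWSTR` values (39-42) are only correct as long as they match the row order of `sudo_defs_table[]` in defaults.c, and nothing in the header says so. They do line up with the rows added in this commit (`listpw_i`, `verifypw_i`, `listpw`, `verifypw` after `secure_path`), but a later insertion in one file and not the other would make a password-policy option read the wrong slot. A comment above the block, e.g. `/* Indices must match the order of sudo_defs_table[] in defaults.c */`, would make the coupling explicit.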
10
parse.c
10
parse.c
@@ -129,7 +129,7 @@ sudoers_lookup(pwflags)
|
||||
init_parser();
|
||||
|
||||
/* For most pwflags to be useful we need to keep more state around. */
|
||||
if (pwflags && !(pwflags & PWCHECK_NEVER))
|
||||
if (pwflags && pwflags != PWCHECK_NEVER && pwflags != PWCHECK_ALWAYS)
|
||||
keepall = TRUE;
|
||||
|
||||
/* Need to be root while stat'ing things in the parser. */
|
||||
@@ -167,7 +167,7 @@ sudoers_lookup(pwflags)
|
||||
if (pwflags) {
|
||||
int nopass, found;
|
||||
|
||||
if ((pwflags & PWCHECK_NEVER) || !def_flag(I_AUTHENTICATE))
|
||||
if (pwflags == PWCHECK_NEVER || !def_flag(I_AUTHENTICATE))
|
||||
nopass = FLAG_NOPASS;
|
||||
else
|
||||
nopass = -1;
|
||||
@@ -175,13 +175,11 @@ sudoers_lookup(pwflags)
|
||||
while (top) {
|
||||
if (host_matches == TRUE) {
|
||||
found = 1;
|
||||
if (!(pwflags & PWCHECK_RUNAS) || runas_matches == TRUE) {
|
||||
if ((pwflags & PWCHECK_ANY) && no_passwd == TRUE)
|
||||
if (pwflags == PWCHECK_ANY && no_passwd == TRUE)
|
||||
nopass = FLAG_NOPASS;
|
||||
else if ((pwflags & PWCHECK_ALL) && nopass != 0)
|
||||
else if (pwflags == PWCHECK_ALL && nopass != 0)
|
||||
nopass = (no_passwd == TRUE) ? FLAG_NOPASS : 0;
|
||||
}
|
||||
}
|
||||
top--;
|
||||
}
|
||||
if (found) {
|
||||
|
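Review bot: The third hunk removes the `runas_matches` test together with `PWCHECK_RUNAS`, so the NOPASSWD decision for the pseudo-commands now takes every entry that matches the host into account, whatever its runas user. sudo.c previously passed `PWCHECK_ALL | PWCHECK_RUNAS` for validate mode, so this changes which entries decide whether `sudo -v` asks for a password, and neither the commit title nor a comment says that is intended. A line such as `/* runas is deliberately ignored here: every entry for this host counts */` above the `while (top)` loop would record the decision. The body of `sudoers_lookup()` continues outside these hunks.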
4
sudo.c
4
sudo.c
@@ -237,7 +237,7 @@ main(argc, argv)
|
||||
break;
|
||||
case MODE_VALIDATE:
|
||||
user_cmnd = "validate";
|
||||
sudoers_flags = PWCHECK_ALL | PWCHECK_RUNAS;
|
||||
sudoers_flags = def_ival(I_VERIFYPW);
|
||||
break;
|
||||
case MODE_KILL:
|
||||
case MODE_INVALIDATE:
|
||||
@@ -251,7 +251,7 @@ main(argc, argv)
|
||||
case MODE_LIST:
|
||||
user_cmnd = "list";
|
||||
printmatches = 1;
|
||||
sudoers_flags = PWCHECK_ANY;
|
||||
sudoers_flags = def_ival(I_LISTPW);
|
||||
break;
|
||||
}
|
||||
|
||||
|
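Review bot: `def_ival(I_VERIFYPW)` and `def_ival(I_LISTPW)` are read in main()'s mode switch, while parse.c shows `init_parser()` at the top of `sudoers_lookup(pwflags)`, which suggests the sudoers file and any `Defaults listpw=...` line in it are parsed only after these values have been captured. If that ordering holds, the lookup always sees the defaults installed by `init_defaults()` ("any" and "all") and the new options cannot change the behaviour they are meant to control. Passing the table index instead (`sudoers_flags = I_LISTPW;`) and reading `def_ival(pwflags)` inside `sudoers_lookup()` once the parse has finished would pick up the configured value. The call to `sudoers_lookup()` and the rest of main() are outside these hunks, so the ordering should be confirmed there.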
10
sudo.h
10
sudo.h
@@ -149,12 +149,12 @@ struct sudo_user {
|
||||
* PASSWD_NEVER: user never has to give a passwd
|
||||
* PASSWD_ALL: no passwd needed if all entries for host have NOPASSWD flag
|
||||
* PASSWD_ANY: no passwd needed if any entry for host has a NOPASSWD flag
|
||||
* PWCHECK_RUNAS: require that runas_matches be TRUE
|
||||
* PASSWD_ALWAYS: passwd always needed
|
||||
*/
|
||||
#define PWCHECK_NEVER 001
|
||||
#define PWCHECK_ALL 002
|
||||
#define PWCHECK_ANY 004
|
||||
#define PWCHECK_RUNAS 010
|
||||
#define PWCHECK_NEVER 0x01
|
||||
#define PWCHECK_ALL 0x02
|
||||
#define PWCHECK_ANY 0x04
|
||||
#define PWCHECK_ALWAYS 0x08
|
||||
|
||||
/*
|
||||
* Function prototypes
|
||||
|
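Review bot: The comment block above the defines describes `PASSWD_NEVER`, `PASSWD_ALL`, `PASSWD_ANY` and now `PASSWD_ALWAYS`, but the macros are named `PWCHECK_*`, so a search for a macro name does not find its description. The names in the comment should be changed to `PWCHECK_*`. Because parse.c in this commit now tests these values with `==` rather than `&`, the comment should also say so, e.g. ` * Exactly one PWCHECK_* value is in effect at a time; they are not OR'ed together.`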