From fc253048f5bc3f3459830615745c54cc74af250c Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Fri, 10 Mar 2023 10:05:33 -0700 Subject: [PATCH] Add LDAP-specific innetgr() implementation. Wheh netgroup_base is set we now do out own netgroup lookups using LDAP. Previously, LDAP was queried directly to get a list of the netgroups the user belongs to but other netgroups queries went through innetgr(3). This makes it possible to use netgroups in LDAP sudoers on systems that don't have an innetgr() function. GitHub issue #251. --- MANIFEST | 1 + configure | 2 +- m4/ldap.m4 | 2 +- plugins/sudoers/Makefile.in | 26 ++++ plugins/sudoers/ldap.c | 11 +- plugins/sudoers/ldap_innetgr.c | 264 +++++++++++++++++++++++++++++++++ plugins/sudoers/sudo_ldap.h | 3 + scripts/mkdep.pl | 2 +- 8 files changed, 307 insertions(+), 4 deletions(-) create mode 100644 plugins/sudoers/ldap_innetgr.c diff --git a/MANIFEST b/MANIFEST index c843995e0..c4c144a3b 100644 --- a/MANIFEST +++ b/MANIFEST @@ -649,6 +649,7 @@ plugins/sudoers/iolog.c plugins/sudoers/iolog_path_escapes.c plugins/sudoers/ldap.c plugins/sudoers/ldap_conf.c +plugins/sudoers/ldap_innetgr.c plugins/sudoers/ldap_util.c plugins/sudoers/linux_audit.c plugins/sudoers/linux_audit.h diff --git a/configure b/configure index 4c50613dc..2b1808c4d 100755 --- a/configure +++ b/configure @@ -30941,7 +30941,7 @@ fi with_ldap=yes fi - SUDOERS_OBJS="${SUDOERS_OBJS} ldap.lo ldap_conf.lo" + SUDOERS_OBJS="${SUDOERS_OBJS} ldap.lo ldap_conf.lo ldap_innetgr.lo" case "$SUDOERS_OBJS" in *ldap_util.lo*) ;; *) SUDOERS_OBJS="${SUDOERS_OBJS} ldap_util.lo";; diff --git a/m4/ldap.m4 b/m4/ldap.m4 index 78c21e0bc..68aca3922 100644 --- a/m4/ldap.m4 +++ b/m4/ldap.m4 @@ -11,7 +11,7 @@ AC_DEFUN([SUDO_CHECK_LDAP], [ AX_APPEND_FLAG([-I${with_ldap}/include], [CPPFLAGS]) with_ldap=yes fi - SUDOERS_OBJS="${SUDOERS_OBJS} ldap.lo ldap_conf.lo" + SUDOERS_OBJS="${SUDOERS_OBJS} ldap.lo ldap_conf.lo ldap_innetgr.lo" case "$SUDOERS_OBJS" in *ldap_util.lo*) ;; *) SUDOERS_OBJS="${SUDOERS_OBJS} ldap_util.lo";; diff --git a/plugins/sudoers/Makefile.in b/plugins/sudoers/Makefile.in index 5971b144c..5e2fef27a 100644 --- a/plugins/sudoers/Makefile.in +++ b/plugins/sudoers/Makefile.in @@ -2075,6 +2075,32 @@ ldap_conf.i: $(srcdir)/ldap_conf.c $(devdir)/def_data.h \ $(CC) -E -o $@ $(CPPFLAGS) $< ldap_conf.plog: ldap_conf.i rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/ldap_conf.c --i-file $< --output-file $@ +ldap_innetgr.lo: $(srcdir)/ldap_innetgr.c $(devdir)/def_data.h \ + $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \ + $(incdir)/sudo_conf.h $(incdir)/sudo_debug.h \ + $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ + $(srcdir)/sudo_ldap.h $(srcdir)/sudo_ldap_conf.h \ + $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h + $(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/ldap_innetgr.c +ldap_innetgr.i: $(srcdir)/ldap_innetgr.c $(devdir)/def_data.h \ + $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \ + $(incdir)/sudo_conf.h $(incdir)/sudo_debug.h \ + $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \ + $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \ + $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \ + $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \ + $(srcdir)/sudo_ldap.h $(srcdir)/sudo_ldap_conf.h \ + $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \ + $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \ + $(top_builddir)/pathnames.h + $(CC) -E -o $@ $(CPPFLAGS) $< +ldap_innetgr.plog: ldap_innetgr.i + rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/ldap_innetgr.c --i-file $< --output-file $@ ldap_util.lo: $(srcdir)/ldap_util.c $(devdir)/def_data.h $(devdir)/gram.h \ $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \ $(incdir)/sudo_conf.h $(incdir)/sudo_debug.h \ diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c index 1e224dc11..c7a6a8049 100644 --- a/plugins/sudoers/ldap.c +++ b/plugins/sudoers/ldap.c @@ -1955,6 +1955,14 @@ sudo_ldap_parse(struct sudo_nss *nss) debug_return_ptr(&handle->parse_tree); } +static int +sudo_ldap_innetgr(struct sudo_nss *nss, const char *netgr, const char *host, + const char *user, const char *domain) +{ + const struct sudo_ldap_handle *handle = nss->handle; + return sudo_ldap_innetgr_int(handle->ld, netgr, host, user, domain); +} + #if 0 /* * Create an ldap_result from an LDAP search result. @@ -2013,5 +2021,6 @@ struct sudo_nss sudo_nss_ldap = { sudo_ldap_close, sudo_ldap_parse, sudo_ldap_query, - sudo_ldap_getdefs + sudo_ldap_getdefs, + sudo_ldap_innetgr }; diff --git a/plugins/sudoers/ldap_innetgr.c b/plugins/sudoers/ldap_innetgr.c new file mode 100644 index 000000000..d0005b8c8 --- /dev/null +++ b/plugins/sudoers/ldap_innetgr.c @@ -0,0 +1,264 @@ +/* + * SPDX-License-Identifier: ISC + * + * Copyright (c) 2023 Todd C. Miller + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +/* + * This is an open source non-commercial project. Dear PVS-Studio, please check it. + * PVS-Studio Static Code Analyzer for C, C++ and C#: http://www.viva64.com + */ + +#include + +#include +#include +#include +#include +#include +#ifdef HAVE_STRINGS_H +# include +#endif /* HAVE_STRINGS_H */ +#include +#include +#ifdef HAVE_LBER_H +# include +#endif +#include + +#include "sudoers.h" +#include "sudo_ldap.h" +#include "sudo_ldap_conf.h" + +/* + * Compare str to netgroup string ngstr of length nglen where str is a + * NUL-terminated string and ngstr is part of a netgroup triple string. + * Uses innetgr(3)-style matching rules. + * Returns true if the strings match, else false. + */ +static bool +sudo_ldap_netgroup_match_str(const char *str, const char *ngstr, size_t nglen, + bool ignore_case) +{ + debug_decl(sudo_ldap_netgroup_match_str, SUDOERS_DEBUG_LDAP); + + /* Skip leading whitespace. */ + while (isspace((unsigned char)*ngstr) && nglen > 0) { + ngstr++; + nglen--; + } + /* Skip trailing whitespace. */ + while (nglen > 0 && isspace((unsigned char)ngstr[nglen - 1])) { + nglen--; + } + + sudo_debug_printf(SUDO_DEBUG_DEBUG, "%s: compare \"%s\" to \"%.*s\"", + __func__, str ? str : "", (int)nglen, ngstr); + + if (nglen == 0 || str == NULL) { + /* An empty string is a wildcard. */ + debug_return_bool(true); + } + if (*ngstr == '-' && nglen == 1) { + /* '-' means no valid value. */ + debug_return_bool(str == NULL); + } + if (ignore_case) { + if (strncasecmp(str, ngstr, nglen) == 0 && str[nglen] == '\0') + debug_return_bool(true); + } else { + if (strncmp(str, ngstr, nglen) == 0 && str[nglen] == '\0') + debug_return_bool(true); + } + debug_return_bool(false); +} + +/* + * Match the specified netgroup triple using the given host, + * user and domain. Matching rules as per innetgr(3). + * Returns 1 on match, else 0. + */ +static int +sudo_ldap_match_netgroup(const char *triple, const char *host, + const char *user, const char *domain) +{ + const char *cp, *ep; + debug_decl(sudo_ldap_match_netgroup, SUDOERS_DEBUG_LDAP); + + /* Trim leading space, check for opening paren. */ + while (isspace((unsigned char)*triple)) + triple++; + if (*triple != '(') { + sudo_debug_printf(SUDO_DEBUG_ERROR, "%s: invalid triple: %s", + __func__, triple); + debug_return_int(0); + } + sudo_debug_printf(SUDO_DEBUG_INFO, "%s: matching (%s,%s,%s) against %s", + __func__, host ? host : "", user ? user : "", domain ? domain : "", + triple); + + /* Parse host. */ + cp = triple + 1; + ep = strchr(cp, ','); + if (ep == NULL || !sudo_ldap_netgroup_match_str(host, cp, ep - cp, true)) + debug_return_int(0); + + /* Parse user. */ + cp = ep + 1; + ep = strchr(cp, ','); + if (ep == NULL || !sudo_ldap_netgroup_match_str(user, cp, ep - cp, def_case_insensitive_user)) + debug_return_int(0); + + /* Parse domain. */ + cp = ep + 1; + ep = strchr(cp, ')'); + if (ep == NULL || !sudo_ldap_netgroup_match_str(domain, cp, ep - cp, true)) + debug_return_int(0); + + debug_return_int(1); +} + +#define MAX_NETGROUP_DEPTH 128 +struct netgroups_seen { + const char *groups[MAX_NETGROUP_DEPTH]; + size_t len; +}; + +static int +sudo_ldap_innetgr_base(LDAP *ld, const char *base, + struct timeval *timeout, const char *netgr, const char *host, + const char *user, const char *domain, struct netgroups_seen *seen) +{ + char *escaped_netgr = NULL, *filt = NULL; + LDAPMessage *entry, *result = NULL; + int rc, ret = 0; + size_t n; + debug_decl(sudo_ldap_innetgr_base, SUDOERS_DEBUG_LDAP); + + /* Cycle detection. */ + for (n = 0; n < seen->len; n++) { + if (strcmp(netgr, seen->groups[n]) == 0) { + DPRINTF1("%s: cycle in netgroups", netgr); + goto done; + } + } + if (seen->len + 1 > MAX_NETGROUP_DEPTH) { + DPRINTF1("%s: too many nested netgroups", netgr); + goto done; + } + seen->groups[seen->len++] = netgr; + + /* Escape the netgroup name per RFC 4515. */ + if ((escaped_netgr = sudo_ldap_value_dup(netgr)) == NULL) + goto done; + + /* Build nisNetgroup query. */ + rc = asprintf(&filt, "(&%s(cn=%s))", + ldap_conf.netgroup_search_filter, escaped_netgr); + if (rc == -1) + goto done; + DPRINTF1("ldap netgroup search filter: '%s'", filt); + + /* Perform an LDAP query for nisNetgroup. */ + DPRINTF1("searching from netgroup_base '%s'", base); + rc = ldap_search_ext_s(ld, base, LDAP_SCOPE_SUBTREE, filt, + NULL, 0, NULL, NULL, timeout, 0, &result); + free(filt); + if (rc != LDAP_SUCCESS) { + DPRINTF1("ldap netgroup search failed: %s", ldap_err2string(rc)); + goto done; + } + + LDAP_FOREACH(entry, ld, result) { + struct berval **bv, **p; + + /* Check all nisNetgroupTriple entries. */ + bv = ldap_get_values_len(ld, entry, "nisNetgroupTriple"); + if (bv == NULL) { + const int optrc = ldap_get_option(ld, LDAP_OPT_RESULT_CODE, &rc); + if (optrc != LDAP_OPT_SUCCESS || rc == LDAP_NO_MEMORY) + debug_return_int(-1); + } else { + for (p = bv; *p != NULL && !ret; p++) { + char *val = (*p)->bv_val; + if (sudo_ldap_match_netgroup(val, host, user, domain)) { + ret = 1; + break; + } + } + ldap_value_free_len(bv); + if (ret == 1) + break; + } + + /* Handle nested netgroups. */ + bv = ldap_get_values_len(ld, entry, "memberNisNetgroup"); + if (bv == NULL) { + const int optrc = ldap_get_option(ld, LDAP_OPT_RESULT_CODE, &rc); + if (optrc != LDAP_OPT_SUCCESS || rc == LDAP_NO_MEMORY) + debug_return_int(-1); + } else { + for (p = bv; *p != NULL && !ret; p++) { + const char *val = (*p)->bv_val; + const size_t saved_len = seen->len; + ret = sudo_ldap_innetgr_base(ld, base, timeout, val, host, + user, domain, seen); + /* Restore seen state to avoid use-after-free. */ + seen->len = saved_len; + } + ldap_value_free_len(bv); + } + } + +done: + ldap_msgfree(result); + free(escaped_netgr); + + debug_return_int(ret); +} + +int +sudo_ldap_innetgr_int(void *v, const char *netgr, const char *host, + const char *user, const char *domain) +{ + LDAP *ld = v; + struct timeval tv, *tvp = NULL; + struct ldap_config_str *base; + struct netgroups_seen seen; + int ret = 0; + debug_decl(sudo_ldap_innetgr, SUDOERS_DEBUG_LDAP); + + if (STAILQ_EMPTY(&ldap_conf.netgroup_base)) { + /* LDAP netgroups not configured. */ + debug_return_int(-1); + } + + if (ldap_conf.timeout > 0) { + tv.tv_sec = ldap_conf.timeout; + tv.tv_usec = 0; + tvp = &tv; + } + + /* Perform an LDAP query for nisNetgroup. */ + STAILQ_FOREACH(base, &ldap_conf.netgroup_base, entries) { + seen.len = 0; + ret = sudo_ldap_innetgr_base(ld, base->val, tvp, netgr, host, + user, domain, &seen); + if (ret != 0) + break; + } + + debug_return_int(ret); +} diff --git a/plugins/sudoers/sudo_ldap.h b/plugins/sudoers/sudo_ldap.h index 0fc839b35..53538e168 100644 --- a/plugins/sudoers/sudo_ldap.h +++ b/plugins/sudoers/sudo_ldap.h @@ -49,6 +49,9 @@ /* Iterators used by sudo_ldap_role_to_priv() to handle bervar ** or char ** */ typedef char * (*sudo_ldap_iter_t)(void **); +/* ldap_innetgr.c */ +int sudo_ldap_innetgr_int(void *v, const char *netgr, const char *host, const char *user, const char *domain); + /* ldap_util.c */ bool sudo_ldap_is_negated(char **valp); size_t sudo_ldap_value_len(const char *value); diff --git a/scripts/mkdep.pl b/scripts/mkdep.pl index d6a483fea..df4f39fb1 100755 --- a/scripts/mkdep.pl +++ b/scripts/mkdep.pl @@ -116,7 +116,7 @@ sub mkdep { $makefile =~ s:\@DEV\@::g; $makefile =~ s:\@COMMON_OBJS\@:aix.lo event_poll.lo event_select.lo:; $makefile =~ s:\@SUDO_OBJS\@:intercept.pb-c.o openbsd.o preload.o apparmor.o selinux.o sesh.o solaris.o:; - $makefile =~ s:\@SUDOERS_OBJS\@:bsm_audit.lo linux_audit.lo ldap.lo ldap_util.lo ldap_conf.lo solaris_audit.lo sssd.lo:; + $makefile =~ s:\@SUDOERS_OBJS\@:bsm_audit.lo linux_audit.lo ldap.lo ldap_util.lo ldap_conf.lo ldap_innetgr.lo solaris_audit.lo sssd.lo:; # XXX - fill in AUTH_OBJS from contents of the auth dir instead $makefile =~ s:\@AUTH_OBJS\@:afs.lo aix_auth.lo bsdauth.lo dce.lo fwtk.lo getspwuid.lo kerb5.lo pam.lo passwd.lo rfc1938.lo secureware.lo securid5.lo sia.lo:; $makefile =~ s:\@DIGEST\@:digest.lo digest_openssl.lo digest_gcrypt.lo:;