
Add support for command-specific Defaults entries. E.g.

Defaults!/usr/bin/vi noexec
Todd C. Miller 2004-11-19 21:35:12 +00:00
parent 0cddfc3684
commit fe869025c4
11 changed files with 1063 additions and 947 deletions


@ -495,14 +495,18 @@ init_defaults()
/* /*
* Update the defaults based on what was set by sudoers. * Update the defaults based on what was set by sudoers.
* If skip_cmnd is 1, skip DEFAULTS_CMND, if it is 0, skip all others.
* Returns TRUE on success and FALSE on failure. * Returns TRUE on success and FALSE on failure.
*/ */
int int
update_defaults() update_defaults(skip_cmnd)
int skip_cmnd;
{ {
struct defaults *def; struct defaults *def;
for (def = defaults; def != NULL; def = def->next) { for (def = defaults; def != NULL; def = def->next) {
if (skip_cmnd == (def->type == DEFAULTS_CMND))
continue;
switch (def->type) { switch (def->type) {
case DEFAULTS: case DEFAULTS:
if (!set_default(def->var, def->val, def->op)) if (!set_default(def->var, def->val, def->op))
@ -522,6 +526,10 @@ update_defaults()
!set_default(def->var, def->val, def->op)) !set_default(def->var, def->val, def->op))
return(FALSE); return(FALSE);
break; break;
case DEFAULTS_CMND:
if (cmnd_matches(def->binding) &&
!set_default(def->var, def->val, def->op))
return(FALSE);
} }
} }
return(TRUE); return(TRUE);
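Review bot: The new `if (skip_cmnd == (def->type == DEFAULTS_CMND)) continue;` only works because SKIP_CMND and ONLY_CMND are exactly 1 and 0 and SET_ALL (-1) can never equal a boolean, yet the comment above the function documents only the 1 and 0 cases, so the -1 path is undocumented and any other caller value silently behaves like SET_ALL. I would extend the comment with `* If skip_cmnd is SET_ALL (-1) nothing is skipped.` and, in the defaults.h hunk, group the three values as one enum next to a remark that SKIP_CMND/ONLY_CMND must stay 1/0 because they are compared against a boolean. The added `case DEFAULTS_CMND:` is also the only case in this switch without a trailing `break;`; add one so a case appended later cannot fall into it. The same sentinel point applies to the defaults.h hunk.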


@ -90,13 +90,20 @@ struct sudo_defs_types {
#undef T_PATH #undef T_PATH
#define T_PATH 0x200 #define T_PATH 0x200
/*
* Argument to update_defaults()
*/
#define SKIP_CMND 1
#define ONLY_CMND 0
#define SET_ALL -1
/* /*
* Prototypes * Prototypes
*/ */
void dump_default __P((void)); void dump_default __P((void));
int set_default __P((char *, char *, int)); int set_default __P((char *, char *, int));
void init_defaults __P((void)); void init_defaults __P((void));
int update_defaults __P((void)); int update_defaults __P((int));
void list_options __P((void)); void list_options __P((void));
extern struct sudo_defs_types sudo_defs_table[]; extern struct sudo_defs_types sudo_defs_table[];

728
gram.c


29
gram.h

@ -9,20 +9,21 @@
#define DEFAULTS_HOST 265 #define DEFAULTS_HOST 265
#define DEFAULTS_USER 266 #define DEFAULTS_USER 266
#define DEFAULTS_RUNAS 267 #define DEFAULTS_RUNAS 267
#define RUNAS 268 #define DEFAULTS_CMND 268
#define NOPASSWD 269 #define RUNAS 269
#define PASSWD 270 #define NOPASSWD 270
#define NOEXEC 271 #define PASSWD 271
#define EXEC 272 #define NOEXEC 272
#define MONITOR 273 #define EXEC 273
#define NOMONITOR 274 #define MONITOR 274
#define ALL 275 #define NOMONITOR 275
#define COMMENT 276 #define ALL 276
#define HOSTALIAS 277 #define COMMENT 277
#define CMNDALIAS 278 #define HOSTALIAS 278
#define USERALIAS 279 #define CMNDALIAS 279
#define RUNASALIAS 280 #define USERALIAS 280
#define ERROR 281 #define RUNASALIAS 281
#define ERROR 282
#ifndef YYSTYPE_DEFINED #ifndef YYSTYPE_DEFINED
#define YYSTYPE_DEFINED #define YYSTYPE_DEFINED
typedef union { typedef union {

4
gram.y

@ -120,6 +120,7 @@ yyerror(s)
%token <tok> DEFAULTS_HOST /* Host-specific defaults entry */ %token <tok> DEFAULTS_HOST /* Host-specific defaults entry */
%token <tok> DEFAULTS_USER /* User-specific defaults entry */ %token <tok> DEFAULTS_USER /* User-specific defaults entry */
%token <tok> DEFAULTS_RUNAS /* Runas-specific defaults entry */ %token <tok> DEFAULTS_RUNAS /* Runas-specific defaults entry */
%token <tok> DEFAULTS_CMND /* Command-specific defaults entry */
%token <tok> RUNAS /* ( runas_list ) */ %token <tok> RUNAS /* ( runas_list ) */
%token <tok> NOPASSWD /* no passwd req for command */ %token <tok> NOPASSWD /* no passwd req for command */
%token <tok> PASSWD /* passwd req for command (default) */ %token <tok> PASSWD /* passwd req for command (default) */
@ -200,6 +201,9 @@ entry : COMMENT {
| DEFAULTS_HOST hostlist defaults_list { | DEFAULTS_HOST hostlist defaults_list {
add_defaults(DEFAULTS_HOST, $2, $3); add_defaults(DEFAULTS_HOST, $2, $3);
} }
| DEFAULTS_CMND cmndlist defaults_list {
add_defaults(DEFAULTS_CMND, $2, $3);
}
; ;
defaults_list : defaults_entry defaults_list : defaults_entry


@ -872,7 +872,7 @@ check_execv(fd, pid, seqnr, askp, cookie, policyp, errorp)
if (!def_ignore_local_sudoers && !ISSET(validated, VALIDATE_OK)) if (!def_ignore_local_sudoers && !ISSET(validated, VALIDATE_OK))
#endif #endif
{ {
(void) update_defaults(); (void) update_defaults(SET_ALL);
validated = sudoers_lookup(0); validated = sudoers_lookup(0);
} }
if (ISSET(validated, VALIDATE_OK)) { if (ISSET(validated, VALIDATE_OK)) {
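Review bot: `(void) update_defaults(SET_ALL);` discards the FALSE return, so a Defaults entry that fails to apply is silently ignored on this path, whereas main() in sudo.c logs "problem with defaults entries" for the same failure; the visudo hunk (`(void) update_defaults(SKIP_CMND);`) discards it in the same way. Because SET_ALL also applies the new command-specific entries, which carry per-command options such as noexec, I would report the failure here with whatever logging routine this file uses rather than casting it away. SET_ALL additionally presumes user_cmnd is already set when cmnd_matches() runs from here; a one-line comment stating that precondition would help, since check_execv starts and ends outside the hunk and it cannot be confirmed from this view.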

8
sudo.c

@ -257,7 +257,7 @@ main(argc, argv, envp)
/* Parse sudoers and set any defaults listed in it. */ /* Parse sudoers and set any defaults listed in it. */
if (parse_sudoers(_PATH_SUDOERS) || parse_error) if (parse_sudoers(_PATH_SUDOERS) || parse_error)
log_error(0, "parse error in %s near line %d", errorfile, errorlineno); log_error(0, "parse error in %s near line %d", errorfile, errorlineno);
if (!update_defaults()) if (!update_defaults(SKIP_CMND))
log_error(NO_STDERR|NO_EXIT, "problem with defaults entries"); log_error(NO_STDERR|NO_EXIT, "problem with defaults entries");
} }
@ -612,7 +612,8 @@ init_vars(sudo_mode)
} }
/* /*
* Fill in user_cmnd, user_args, user_base and user_stat variables. * Fill in user_cmnd, user_args, user_base and user_stat variables
* and apply any command-specific defaults entries.
*/ */
static int static int
set_cmnd(sudo_mode) set_cmnd(sudo_mode)
@ -667,6 +668,9 @@ set_cmnd(sudo_mode)
else else
user_base = user_cmnd; user_base = user_cmnd;
if (!update_defaults(ONLY_CMND))
log_error(NO_STDERR|NO_EXIT, "problem with defaults entries");
return(rval); return(rval);
} }
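Review bot: The failure path added to set_cmnd, `if (!update_defaults(ONLY_CMND)) log_error(NO_STDERR|NO_EXIT, ...)`, continues after a bad command-specific entry, and update_defaults() returns FALSE at the first entry that fails to set, so any later DEFAULTS_CMND entries for this command are never applied while the command still runs. That mirrors what main() does for the global entries, but the command-specific ones are exactly the per-command restrictions this commit introduces (its example is `Defaults!/usr/bin/vi noexec`), so the intended policy should be stated in the updated header comment, e.g. `* A failing entry is logged but not fatal; entries after it are not applied.`, or this case made fatal by dropping NO_EXIT. set_cmnd starts outside the hunk, so whether rval already reflects an earlier failure at this point is not visible here.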


@ -204,7 +204,7 @@ main(argc, argv)
else else
(void) fputs("Parses OK", stdout); (void) fputs("Parses OK", stdout);
if (!update_defaults()) if (!update_defaults(SET_ALL))
(void) fputs(" (problem with defaults entries)", stdout); (void) fputs(" (problem with defaults entries)", stdout);
puts("."); puts(".");
@ -350,14 +350,14 @@ print_defaults()
case DEFAULTS_RUNAS: case DEFAULTS_RUNAS:
putchar('>'); putchar('>');
break; break;
case DEFAULTS_CMND:
putchar('!');
break;
} }
for (m = d->binding; m != NULL; m = m->next) { for (m = d->binding; m != NULL; m = m->next) {
if (m->type == COMMAND) if (m != d->binding)
printf("%s\"%s %s\"", m != d->binding ? "," : "", putchar(',');
((struct sudo_command *)m->name)->cmnd, print_member(m);
((struct sudo_command *)m->name)->args);
else
printf("%s%s", m != d->binding ? "," : "", m->name);
} }
printf("\t%s%s", d->op == FALSE ? "!" : "", d->var); printf("\t%s%s", d->op == FALSE ? "!" : "", d->var);
if (d->val != NULL) { if (d->val != NULL) {

1187
toke.c


17
toke.l

@ -87,6 +87,7 @@ OCTET (1?[0-9]{1,2})|(2[0-4][0-9])|(25[0-5])
DOTTEDQUAD {OCTET}(\.{OCTET}){3} DOTTEDQUAD {OCTET}(\.{OCTET}){3}
HOSTNAME [[:alnum:]_-]+ HOSTNAME [[:alnum:]_-]+
WORD ([^#>!=:,\(\) \t\n\\]|\\[^\n])+ WORD ([^#>!=:,\(\) \t\n\\]|\\[^\n])+
PATH \/(\\[\,:= \t#]|[^\,:=\\ \t\n#])+
ENVAR ([^#!=, \t\n\\]|\\[^\n])([^#=, \t\n\\]|\\[^\n])* ENVAR ([^#!=, \t\n\\]|\\[^\n])([^#=, \t\n\\]|\\[^\n])*
DEFVAR [a-z_]+ DEFVAR [a-z_]+
@ -195,7 +196,7 @@ DEFVAR [a-z_]+
return(COMMENT); return(COMMENT);
} }
<INITIAL>^Defaults([:@>]{WORD})? { <INITIAL>^Defaults([:@>\!]{WORD})? {
BEGIN GOTDEFS; BEGIN GOTDEFS;
switch (yytext[8]) { switch (yytext[8]) {
case ':': case ':':
@ -210,6 +211,10 @@ DEFVAR [a-z_]+
yyless(9); yyless(9);
LEXTRACE("DEFAULTS_HOST "); LEXTRACE("DEFAULTS_HOST ");
return(DEFAULTS_HOST); return(DEFAULTS_HOST);
case '!':
yyless(9);
LEXTRACE("DEFAULTS_CMND ");
return(DEFAULTS_CMND);
default: default:
LEXTRACE("DEFAULTS "); LEXTRACE("DEFAULTS ");
return(DEFAULTS); return(DEFAULTS);
@ -335,7 +340,15 @@ sudoedit {
yyterminate(); yyterminate();
} /* sudo -e */ } /* sudo -e */
\/(\\[\,:= \t#]|[^\,:=\\ \t\n#])+ { <GOTDEFS>{PATH} {
/* no command args allowed for Defaults!/path */
if (!fill_cmnd(yytext, yyleng))
yyterminate();
LEXTRACE("COMMAND ");
return(COMMAND);
}
{PATH} {
/* directories can't have args... */ /* directories can't have args... */
if (yytext[yyleng - 1] == '/') { if (yytext[yyleng - 1] == '/') {
LEXTRACE("COMMAND "); LEXTRACE("COMMAND ");
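Review bot: The new `<GOTDEFS>{PATH}` rule hands yytext straight to fill_cmnd(), while the general `{PATH}` rule below it first checks `yytext[yyleng - 1] == '/'` to treat a trailing slash as a directory; in the Defaults! context a directory spec therefore reaches fill_cmnd() without that distinction, and the rule's comment does not say whether `Defaults!/usr/bin/ ...` is meant to be accepted. I would either mirror the trailing-slash check here and reject such an entry, or extend the comment to `/* no command args allowed for Defaults!/path; a trailing '/' is passed through without the directory handling below */` once the intended behaviour is confirmed. The `{PATH}` rule's body continues past the end of the hunk.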


@ -203,7 +203,7 @@ main(argc, argv)
errorx(1, "%s busy, try again later", sudoers_path); errorx(1, "%s busy, try again later", sudoers_path);
init_parser(sudoers_path, 0); init_parser(sudoers_path, 0);
yyparse(); yyparse();
(void) update_defaults(); (void) update_defaults(SKIP_CMND);
editor = get_editor(&args); editor = get_editor(&args);