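/*
 * sudo version 1.1 allows users to execute commands as root
 * Copyright (C) 1991 The Root Group, Inc.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 1, or (at your option)
 * any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
 *
 * If you make modifications to the source, we would be happy to have
 * them to include in future releases.  Feel free to send them to:
 *     Jeff Nieusma            nieusma@rootgroup.com
 *     3959 Arbol CT           (303) 447-8093
 *     Boulder, CO 80301-1752
 */

/*
 * Shared header for the sudo sources: build-time tunables, the parser
 * value type, the status codes passed between modules, the functions
 * each module exports, and the globals that main() defines and the
 * other modules reference.
 *
 * The following macros can be defined when compiling
 *
 * FQDN                  - if you have fully qualified hostnames in your
 *                         SUDOERS file
 * SYSLOG                - if you want to use syslog instead of a log file
 *                         ( This is a nice feature.  You can collect all
 *                         your sudo logs at a central host.  The default
 *                         is for sudo to log at the local2 facility. )
 * SEND_MAIL_WHEN_NOT_OK - if you want a message sent to ALERTMAIL when
 *                         the user is in the SUDOERS file but does not
 *                         have permission to execute the command entered
 *                         ( This can be used at paranoid sites )
 * SEND_MAIL_WHEN_NO_USER- if you want a message sent to ALERTMAIL when
 *                         the user is not in the SUDOERS file
 *                         ( This is generally the case )
 * BROKEN_GETPASS        - if your os has a broken version of getpass();
 *                         sysV and variants are suspect.  Test by doing
 *                         an rsh host "sudo echo hi" when the timestamp
 *                         has expired: if it doesn't prompt for a passwd
 *                         you need to define this.  HP-UX, AIX, and IRIX
 *                         need this defined.  You'll probably want it if
 *                         you are on a sysV based unix.
 *                         To test, compile w/o it and try:
 *                             rsh hostname "sudo whoami"
 *                         and see if getpass() will read from stdin as
 *                         well as /dev/tty.  If so, define BROKEN_GETPASS.
 * USE_CWD               - if your os has getcwd() and not getwd() you
 *                         should define this (done automatically for hpux)
 * NEED_STRDUP           - if your os lacks strdup(3) you need to define this
 * SHORT_MESSAGE         - if you don't want a copyright notice printed when
 *                         someone runs sudo for the first time
 */

/*
 * Directory holding the timestamp files that let a user re-run sudo
 * without being re-prompted until TIMEOUT has elapsed (see the
 * BROKEN_GETPASS note above).  Because this lives under /tmp, the
 * directory may already exist, created by an unprivileged user, before
 * sudo first runs as root; the code that creates and consults the
 * timestamps must check ownership and mode rather than trust the path.
 */
#ifndef TIMEDIR
#define TIMEDIR "/tmp/.odus"
#endif

/* Lifetime of a timestamp; the unit is interpreted by the timestamp code. */
#ifndef TIMEOUT
#define TIMEOUT 5
#endif

/* Password attempts allowed before sudo gives up. */
#ifndef TRIES_FOR_PASSWORD
#define TRIES_FOR_PASSWORD 3
#endif

/* Printed after a failed password attempt; deliberately says nothing more. */
#ifndef INCORRECT_PASSWORD
#define INCORRECT_PASSWORD "Sorry, try again."
#endif

/*
 * If the MAILER macro is changed make sure it will work in
 * logging.c -- there is some sendmail specific stuff in
 * the send_mail() routine ( e.g. the argv for the execv() ).
 * MAILER should ALWAYS be fully qualified: sudo runs with root
 * privileges and must never locate the mailer through PATH.
 */
#ifndef MAILER
#define MAILER "/usr/lib/sendmail"
#endif

/* Subject line and recipient of the SEND_MAIL_WHEN_* alert messages. */
#ifndef MAILSUBJECT
#define MAILSUBJECT "*** SECURITY information ***"
#endif

#ifndef ALERTMAIL
#define ALERTMAIL "root"
#endif

/* The policy file, the temporary copy used while editing it, and the editor. */
#ifndef SUDOERS
#define SUDOERS "/etc/sudoers"
#endif

#ifndef TMPSUDOERS
#define TMPSUDOERS "/etc/stmp"
#endif

#ifndef EDITOR
#define EDITOR "/usr/ucb/vi"
#endif

/* Some system headers already provide this (e.g. via <sys/param.h>). */
#ifndef MAXHOSTNAMELEN
#define MAXHOSTNAMELEN 64
#endif

/*
 * Longest command string the parser will hold.  48 chars is not enough.
 * MAXPATHLEN is not defined here; the including file is expected to
 * have pulled it in (normally from <sys/param.h>) before this header.
 */
#define MAXCOMMANDLENGTH MAXPATHLEN

/* Semantic value type for the yacc-generated sudoers parser. */
typedef union {
    int int_val;
    char char_val[MAXCOMMANDLENGTH];
} YYSTYPE;

/*
 * Singly linked list node used by the parser; `type' is one of the
 * *_LIST codes below, `op' a single operator character, `data' the
 * token text.  Ownership of `data' is not fixed by this header.
 */
typedef struct list {
    int type;
    char op;
    char *data;
    struct list *next;
} LIST, *LINK;

/*
 * NOTE: these are definitions, not extern declarations, so every
 * translation unit that includes this header defines them and the
 * build relies on the linker merging common symbols.
 */
#ifndef hpux
YYSTYPE yylval, yyval;
#else
YYSTYPE yylval;
#endif

#ifdef SYSLOG                   /* SYSLOG should be defined in the makefile */

#include <syslog.h>             /* LOG_PID, LOG_LOCAL2, LOG_NOTICE, LOG_ALERT */

#ifndef Syslog_ident
#define Syslog_ident "sudo"
#endif

#ifndef Syslog_options
#define Syslog_options LOG_PID
#endif

#ifndef Syslog_facility
#define Syslog_facility LOG_LOCAL2
#endif

/* Priority for successful runs versus refused / failed ones. */
#ifndef Syslog_priority_OK
#define Syslog_priority_OK LOG_NOTICE
#endif

#ifndef Syslog_priority_NO
#define Syslog_priority_NO LOG_ALERT
#endif

#else  /* !SYSLOG: log to a file instead */

#ifndef LOGFILE
#if defined(ultrix) || defined(sun)
#define LOGFILE "/var/adm/sudo.log"
#else
#define LOGFILE "/usr/adm/sudo.log"
#endif /* /var vs. /usr */
#endif /* LOGFILE */

#endif /* SYSLOG */

/*
 * Maximum number of characters to log per entry.  The syslogger will
 * log this much and then truncates the log line, so the limit is kept
 * here to make sure sudo itself emits ellipses when a log line would be
 * longer than 990 characters.  Anyone reading the log should treat a
 * trailing ellipsis as an incomplete record of the command line.
 */
#ifndef MAXLOGLEN
#define MAXLOGLEN 990
#endif

/* Status codes; by their names these are the results of validate(). */
#define VALIDATE_OK              0x00
#define VALIDATE_NO_USER         0x01
#define VALIDATE_NOT_OK          0x02
#define VALIDATE_ERROR           -1

/*
 * The arguments passed to log_error() are ANDed with GLOBAL_PROBLEM.
 * If the result is TRUE, the argv is NOT logged with the error message.
 */
#define GLOBAL_PROBLEM           0x20
#define GLOBAL_NO_PW_ENT         ( 0x01 | GLOBAL_PROBLEM )
#define GLOBAL_NO_HOSTNAME       ( 0x02 | GLOBAL_PROBLEM )
#define GLOBAL_HOST_UNREGISTERED ( 0x03 | GLOBAL_PROBLEM )
#define PASSWORD_NOT_CORRECT     0x04
#define ALL_SYSTEMS_GO           0x00
#define NO_SUDOERS_FILE          ( 0x05 | GLOBAL_PROBLEM )

#undef TRUE
#define TRUE                     0x01
#undef FALSE
#define FALSE                    0x00

/* Codes exchanged between the lexer, parser and the matching code. */
#define TYPE1                    0x11
#define TYPE2                    0x12
#define TYPE3                    0x13
#define FOUND_USER               0x14
#define NOT_FOUND_USER           0x15
#define MATCH                    0x16
#define NO_MATCH                 0x17
#define QUIT_NOW                 0x18
#define PARSE_ERROR              0x19

/* Values of LIST.type. */
#define USER_LIST                0x00
#define HOST_LIST                0x01
#define CMND_LIST                0x02
#define EXTRA_LIST               0x03

/*
 * These are the functions that are called in sudo.  They are old-style
 * declarations (no parameter lists), so the compiler cannot check the
 * arguments at call sites; see the defining module for each.
 */
#ifndef NEED_STRDUP
char *strdup();                 /* system strdup(3); see NEED_STRDUP above */
#endif
char *find_path();
void load_globals();
void log_error();
void inform_user();
void check_user();
int validate();

/*
 * Most of these variables are declared in main() so they don't need
 * to be extern'ed here if this is main...
 */
#ifndef MAIN
#ifdef MULTIMAX
extern unsigned short uid;
#else
extern uid_t uid;
#endif
extern char *host;
extern char *user;
extern char *cmnd;
extern char **Argv;
extern int Argc;
#endif

/*
 * errno used to be declared here as `extern int errno'; on current C
 * libraries errno is a macro, so the declaration must come from the
 * standard header instead.
 */
#include <errno.h>

/* This is to placate hpux */
#ifdef hpux
#define setruid(ruid) (setresuid((uid_t)(ruid), (uid_t) -1, (uid_t) -1))
#define getdtablesize() (sysconf(_SC_OPEN_MAX))
#ifndef USE_CWD
#define USE_CWD
#endif
#endif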