2 * Copyright (c) 1999-2005, 2007-2008, 2010
3 * Todd C. Miller <Todd.Miller@courtesan.com>
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 * Sponsored in part by the Defense Advanced Research Projects
18 * Agency (DARPA) and Air Force Research Laboratory, Air Force
19 * Materiel Command, USAF, under agreement number F39502-99-1-0512.
24 #include <sys/types.h>
25 #include <sys/param.h>
34 #endif /* STDC_HEADERS */
37 #endif /* HAVE_STRING_H */
40 #endif /* HAVE_STRINGS_H */
43 #endif /* HAVE_UNISTD_H */
52 * For converting between syslog numbers and strings.
59 #ifdef LOG_NFACILITIES
60 static struct strmap facilities[] = {
62 { "authpriv", LOG_AUTHPRIV },
65 { "daemon", LOG_DAEMON },
67 { "local0", LOG_LOCAL0 },
68 { "local1", LOG_LOCAL1 },
69 { "local2", LOG_LOCAL2 },
70 { "local3", LOG_LOCAL3 },
71 { "local4", LOG_LOCAL4 },
72 { "local5", LOG_LOCAL5 },
73 { "local6", LOG_LOCAL6 },
74 { "local7", LOG_LOCAL7 },
77 #endif /* LOG_NFACILITIES */
79 static struct strmap priorities[] = {
80 { "alert", LOG_ALERT },
82 { "debug", LOG_DEBUG },
83 { "emerg", LOG_EMERG },
86 { "notice", LOG_NOTICE },
87 { "warning", LOG_WARNING },
94 static int store_int __P((char *, struct sudo_defs_types *, int));
95 static int store_list __P((char *, struct sudo_defs_types *, int));
96 static int store_mode __P((char *, struct sudo_defs_types *, int));
97 static int store_str __P((char *, struct sudo_defs_types *, int));
98 static int store_syslogfac __P((char *, struct sudo_defs_types *, int));
99 static int store_syslogpri __P((char *, struct sudo_defs_types *, int));
100 static int store_tuple __P((char *, struct sudo_defs_types *, int));
101 static int store_uint __P((char *, struct sudo_defs_types *, int));
102 static int store_float __P((char *, struct sudo_defs_types *, int));
103 static void list_op __P((char *, size_t, struct sudo_defs_types *, enum list_ops));
104 static const char *logfac2str __P((int));
105 static const char *logpri2str __P((int));
108 * Table describing compile-time and run-time options.
110 #include <def_data.c>
113 * Print version and configure info.
118 struct sudo_defs_types *cur;
119 struct list_member *item;
120 struct def_values *def;
122 for (cur = sudo_defs_table; cur->name; cur++) {
124 switch (cur->type & T_MASK) {
130 if (cur->sd_un.str) {
131 (void) printf(cur->desc, cur->sd_un.str);
136 if (cur->sd_un.ival) {
137 (void) printf(cur->desc, logfac2str(cur->sd_un.ival));
142 if (cur->sd_un.ival) {
143 (void) printf(cur->desc, logpri2str(cur->sd_un.ival));
149 (void) printf(cur->desc, cur->sd_un.ival);
153 (void) printf(cur->desc, cur->sd_un.fval);
157 (void) printf(cur->desc, cur->sd_un.mode);
161 if (cur->sd_un.list) {
163 for (item = cur->sd_un.list; item; item = item->next)
164 printf("\t%s\n", item->value);
168 for (def = cur->values; def->sval; def++) {
169 if (cur->sd_un.ival == def->ival) {
170 (void) printf(cur->desc, def->sval);
182 * List each option along with its description.
187 struct sudo_defs_types *cur;
190 (void) puts("Available options in a sudoers ``Defaults'' line:\n");
191 for (cur = sudo_defs_table; cur->name; cur++) {
192 if (cur->name && cur->desc) {
193 switch (cur->type & T_MASK) {
195 (void) printf("%s: %s\n", cur->name, cur->desc);
198 p = strrchr(cur->desc, ':');
200 (void) printf("%s: %.*s\n", cur->name,
201 (int) (p - cur->desc), cur->desc);
203 (void) printf("%s: %s\n", cur->name, cur->desc);
211 * Sets/clears an entry in the defaults structure
212 * If a variable that takes a value is used in a boolean
213 * context with op == 0, disable that variable.
214 * Eg. you may want to turn off logging to a file for some hosts.
215 * This is only meaningful for variables that are *optional*.
218 set_default(var, val, op)
221 int op; /* TRUE or FALSE */
223 struct sudo_defs_types *cur;
226 for (cur = sudo_defs_table, num = 0; cur->name; cur++, num++) {
227 if (strcmp(var, cur->name) == 0)
231 warningx("unknown defaults entry `%s'", var);
235 switch (cur->type & T_MASK) {
237 if (!store_syslogfac(val, cur, op)) {
239 warningx("value `%s' is invalid for option `%s'", val, var);
241 warningx("no value specified for `%s'", var);
246 if (!store_syslogpri(val, cur, op)) {
248 warningx("value `%s' is invalid for option `%s'", val, var);
250 warningx("no value specified for `%s'", var);
256 /* Check for bogus boolean usage or lack of a value. */
257 if (!ISSET(cur->type, T_BOOL) || op != FALSE) {
258 warningx("no value specified for `%s'", var);
262 if (ISSET(cur->type, T_PATH) && val && *val != '/') {
263 warningx("values for `%s' must start with a '/'", var);
266 if (!store_str(val, cur, op)) {
267 warningx("value `%s' is invalid for option `%s'", val, var);
273 /* Check for bogus boolean usage or lack of a value. */
274 if (!ISSET(cur->type, T_BOOL) || op != FALSE) {
275 warningx("no value specified for `%s'", var);
279 if (!store_int(val, cur, op)) {
280 warningx("value `%s' is invalid for option `%s'", val, var);
286 /* Check for bogus boolean usage or lack of a value. */
287 if (!ISSET(cur->type, T_BOOL) || op != FALSE) {
288 warningx("no value specified for `%s'", var);
292 if (!store_uint(val, cur, op)) {
293 warningx("value `%s' is invalid for option `%s'", val, var);
299 /* Check for bogus boolean usage or lack of a value. */
300 if (!ISSET(cur->type, T_BOOL) || op != FALSE) {
301 warningx("no value specified for `%s'", var);
305 if (!store_float(val, cur, op)) {
306 warningx("value `%s' is invalid for option `%s'", val, var);
312 /* Check for bogus boolean usage or lack of a value. */
313 if (!ISSET(cur->type, T_BOOL) || op != FALSE) {
314 warningx("no value specified for `%s'", var);
318 if (!store_mode(val, cur, op)) {
319 warningx("value `%s' is invalid for option `%s'", val, var);
325 warningx("option `%s' does not take a value", var);
328 cur->sd_un.flag = op;
332 /* Check for bogus boolean usage or lack of a value. */
333 if (!ISSET(cur->type, T_BOOL) || op != FALSE) {
334 warningx("no value specified for `%s'", var);
338 if (!store_list(val, cur, op)) {
339 warningx("value `%s' is invalid for option `%s'", val, var);
344 if (!val && !ISSET(cur->type, T_BOOL)) {
345 warningx("no value specified for `%s'", var);
348 if (!store_tuple(val, cur, op)) {
349 warningx("value `%s' is invalid for option `%s'", val, var);
359 * Set default options to compiled-in values.
360 * Any of these may be overridden at runtime by a "Defaults" file.
365 static int firsttime = 1;
366 struct sudo_defs_types *def;
368 /* Clear any old settings. */
370 for (def = sudo_defs_table; def->name; def++) {
371 switch (def->type & T_MASK) {
373 efree(def->sd_un.str);
374 def->sd_un.str = NULL;
377 list_op(NULL, 0, def, freeall);
380 zero_bytes(&def->sd_un, sizeof(def->sd_un));
384 /* First initialize the flags. */
385 #ifdef LONG_OTP_PROMPT
386 def_long_otp_prompt = TRUE;
388 #ifdef IGNORE_DOT_PATH
389 def_ignore_dot = TRUE;
391 #ifdef ALWAYS_SEND_MAIL
392 def_mail_always = TRUE;
394 #ifdef SEND_MAIL_WHEN_NO_USER
395 def_mail_no_user = TRUE;
397 #ifdef SEND_MAIL_WHEN_NO_HOST
398 def_mail_no_host = TRUE;
400 #ifdef SEND_MAIL_WHEN_NOT_OK
401 def_mail_no_perms = TRUE;
403 #ifndef NO_TTY_TICKETS
404 def_tty_tickets = TRUE;
409 #ifndef NO_AUTHENTICATION
410 def_authenticate = TRUE;
413 def_root_sudo = TRUE;
418 #ifdef SHELL_IF_NO_ARGS
419 def_shell_noargs = TRUE;
421 #ifdef SHELL_SETS_HOME
424 #ifndef DONT_LEAK_PATH_INFO
425 def_path_info = TRUE;
434 def_env_editor = TRUE;
436 #ifdef UMASK_OVERRIDE
437 def_umask_override = TRUE;
439 #ifdef _PATH_SUDO_ASKPASS
440 def_askpass = estrdup(_PATH_SUDO_ASKPASS);
442 def_iolog_dir = estrdup(_PATH_SUDO_IO_LOGDIR);
443 def_sudoers_locale = estrdup("C");
444 def_env_reset = ENV_RESET;
445 def_set_logname = TRUE;
446 def_closefrom = STDERR_FILENO + 1;
448 /* Syslog options need special care since they both strings and ints */
449 #if (LOGGING & SLOG_SYSLOG)
450 (void) store_syslogfac(LOGFAC, &sudo_defs_table[I_SYSLOG], TRUE);
451 (void) store_syslogpri(PRI_SUCCESS, &sudo_defs_table[I_SYSLOG_GOODPRI],
453 (void) store_syslogpri(PRI_FAILURE, &sudo_defs_table[I_SYSLOG_BADPRI],
457 /* Password flags also have a string and integer component. */
458 (void) store_tuple("any", &sudo_defs_table[I_LISTPW], TRUE);
459 (void) store_tuple("all", &sudo_defs_table[I_VERIFYPW], TRUE);
461 /* Then initialize the int-like things. */
463 def_umask = SUDO_UMASK;
467 def_loglinelen = MAXLOGFILELEN;
468 def_timestamp_timeout = TIMEOUT;
469 def_passwd_timeout = PASSWORD_TIMEOUT;
470 def_passwd_tries = TRIES_FOR_PASSWORD;
472 def_compress_io = TRUE;
475 /* Now do the strings */
476 def_mailto = estrdup(MAILTO);
477 def_mailsub = estrdup(MAILSUBJECT);
478 def_badpass_message = estrdup(INCORRECT_PASSWORD);
479 def_timestampdir = estrdup(_PATH_SUDO_TIMEDIR);
480 def_passprompt = estrdup(PASSPROMPT);
481 def_runas_default = estrdup(RUNAS_DEFAULT);
482 #ifdef _PATH_SUDO_SENDMAIL
483 def_mailerpath = estrdup(_PATH_SUDO_SENDMAIL);
484 def_mailerflags = estrdup("-t");
486 #if (LOGGING & SLOG_FILE)
487 def_logfile = estrdup(_PATH_SUDO_LOGFILE);
490 def_exempt_group = estrdup(EXEMPTGROUP);
493 def_secure_path = estrdup(SECURE_PATH);
495 def_editor = estrdup(EDITOR);
496 #ifdef _PATH_SUDO_NOEXEC
497 def_noexec_file = estrdup(_PATH_SUDO_NOEXEC);
500 /* Finally do the lists (currently just environment tables). */
507 * Update the defaults based on what was set by sudoers.
508 * Pass in an OR'd list of which default types to update.
511 update_defaults(what)
514 struct defaults *def;
517 tq_foreach_fwd(&defaults, def) {
520 if (ISSET(what, SETDEF_GENERIC) &&
521 !set_default(def->var, def->val, def->op))
525 if (ISSET(what, SETDEF_USER) &&
526 userlist_matches(sudo_user.pw, &def->binding) == ALLOW &&
527 !set_default(def->var, def->val, def->op))
531 if (ISSET(what, SETDEF_RUNAS) &&
532 runaslist_matches(&def->binding, NULL) == ALLOW &&
533 !set_default(def->var, def->val, def->op))
537 if (ISSET(what, SETDEF_HOST) &&
538 hostlist_matches(&def->binding) == ALLOW &&
539 !set_default(def->var, def->val, def->op))
543 if (ISSET(what, SETDEF_CMND) &&
544 cmndlist_matches(&def->binding) == ALLOW &&
545 !set_default(def->var, def->val, def->op))
554 store_int(val, def, op)
556 struct sudo_defs_types *def;
565 l = strtol(val, &endp, 10);
568 /* XXX - should check against INT_MAX */
569 def->sd_un.ival = (int)l;
572 return def->callback(val);
577 store_uint(val, def, op)
579 struct sudo_defs_types *def;
588 l = strtol(val, &endp, 10);
589 if (*endp != '\0' || l < 0)
591 /* XXX - should check against INT_MAX */
592 def->sd_un.ival = (unsigned int)l;
595 return def->callback(val);
600 store_float(val, def, op)
602 struct sudo_defs_types *def;
609 def->sd_un.fval = 0.0;
611 d = strtod(val, &endp);
614 /* XXX - should check against HUGE_VAL */
618 return def->callback(val);
623 store_tuple(val, def, op)
625 struct sudo_defs_types *def;
628 struct def_values *v;
631 * Since enums are really just ints we store the value as an ival.
632 * In the future, there may be multiple enums for different tuple
633 * types we want to avoid and special knowledge of the tuple type.
634 * This does assume that the first entry in the tuple enum will
635 * be the equivalent to a boolean "false".
638 def->sd_un.ival = (op == FALSE) ? 0 : 1;
640 for (v = def->values; v->sval != NULL; v++) {
641 if (strcmp(v->sval, val) == 0) {
642 def->sd_un.ival = v->ival;
650 return def->callback(val);
655 store_str(val, def, op)
657 struct sudo_defs_types *def;
661 efree(def->sd_un.str);
663 def->sd_un.str = NULL;
665 def->sd_un.str = estrdup(val);
667 return def->callback(val);
672 store_list(str, def, op)
674 struct sudo_defs_types *def;
679 /* Remove all old members. */
680 if (op == FALSE || op == TRUE)
681 list_op(NULL, 0, def, freeall);
683 /* Split str into multiple space-separated words and act on each one. */
687 /* Remove leading blanks, if nothing but blanks we are done. */
688 for (start = end; isblank((unsigned char)*start); start++)
693 /* Find end position and perform operation. */
694 for (end = start; *end && !isblank((unsigned char)*end); end++)
696 list_op(start, end - start, def, op == '-' ? delete : add);
697 } while (*end++ != '\0');
703 store_syslogfac(val, def, op)
705 struct sudo_defs_types *def;
711 def->sd_un.ival = FALSE;
714 #ifdef LOG_NFACILITIES
717 for (fac = facilities; fac->name && strcmp(val, fac->name); fac++)
719 if (fac->name == NULL)
720 return FALSE; /* not found */
722 def->sd_un.ival = fac->num;
724 def->sd_un.ival = -1;
725 #endif /* LOG_NFACILITIES */
733 #ifdef LOG_NFACILITIES
736 for (fac = facilities; fac->name && fac->num != n; fac++)
741 #endif /* LOG_NFACILITIES */
745 store_syslogpri(val, def, op)
747 struct sudo_defs_types *def;
752 if (op == FALSE || !val)
755 for (pri = priorities; pri->name && strcmp(val, pri->name); pri++)
757 if (pri->name == NULL)
758 return FALSE; /* not found */
760 def->sd_un.ival = pri->num;
770 for (pri = priorities; pri->name && pri->num != n; pri++)
776 store_mode(val, def, op)
778 struct sudo_defs_types *def;
785 def->sd_un.mode = (mode_t)0777;
787 l = strtol(val, &endp, 8);
788 if (*endp != '\0' || l < 0 || l > 0777)
790 def->sd_un.mode = (mode_t)l;
793 return def->callback(val);
798 list_op(val, len, def, op)
801 struct sudo_defs_types *def;
804 struct list_member *cur, *prev, *tmp;
807 for (cur = def->sd_un.list; cur; ) {
813 def->sd_un.list = NULL;
817 for (cur = def->sd_un.list, prev = NULL; cur; prev = cur, cur = cur->next) {
818 if ((strncmp(cur->value, val, len) == 0 && cur->value[len] == '\0')) {
821 return; /* already exists */
825 prev->next = cur->next;
827 def->sd_un.list = cur->next;
834 /* Add new node to the head of the list. */
836 cur = emalloc(sizeof(struct list_member));
837 cur->value = emalloc(len + 1);
838 (void) memcpy(cur->value, val, len);
839 cur->value[len] = '\0';
840 cur->next = def->sd_un.list;
841 def->sd_un.list = cur;