3 * Copyright (c) 1996, 1998-2005, 2007-2010
4 * Todd C. Miller <Todd.Miller@courtesan.com>
6 * Permission to use, copy, modify, and distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
18 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
20 * Sponsored in part by the Defense Advanced Research Projects
21 * Agency (DARPA) and Air Force Research Laboratory, Air Force
22 * Materiel Command, USAF, under agreement number F39502-99-1-0512.
27 #include <sys/types.h>
28 #include <sys/param.h>
37 #endif /* STDC_HEADERS */
40 #endif /* HAVE_STRING_H */
43 #endif /* HAVE_STRINGS_H */
46 #endif /* HAVE_UNISTD_H */
47 #if defined(YYBISON) && defined(HAVE_ALLOCA_H) && !defined(__GNUC__)
49 #endif /* YYBISON && HAVE_ALLOCA_H && !__GNUC__ */
56 * We must define SIZE_MAX for yacc's skeleton.c.
57 * If there is no SIZE_MAX or SIZE_T_MAX we have to assume that size_t
58 * could be signed (as it is on SunOS 4.x).
62 # define SIZE_MAX SIZE_T_MAX
64 # define SIZE_MAX INT_MAX
65 # endif /* SIZE_T_MAX */
71 extern int sudolineno;
77 char *errorfile = NULL;
79 struct defaults_list defaults;
80 struct userspec_list userspecs;
85 static void add_defaults __P((int, struct member *, struct defaults *));
86 static void add_userspec __P((struct member *, struct privilege *));
87 static struct defaults *new_default __P((char *, char *, int));
88 static struct member *new_member __P((char *, int));
89 void yyerror __P((const char *));
95 /* Save the line the first error occurred on. */
96 if (errorlineno == -1) {
97 errorlineno = sudolineno ? sudolineno - 1 : 0;
98 errorfile = estrdup(sudoers);
100 if (verbose && s != NULL) {
102 (void) fprintf(stderr, ">>> %s: %s near line %d <<<\n", sudoers, s,
103 sudolineno ? sudolineno - 1 : 0);
105 (void) fprintf(stderr, "<*> ");
113 struct cmndspec *cmndspec;
114 struct defaults *defaults;
115 struct member *member;
116 struct runascontainer *runas;
117 struct privilege *privilege;
118 struct sudo_command command;
120 struct selinux_info seinfo;
125 %start file /* special start symbol */
126 %token <command> COMMAND /* absolute pathname w/ optional args */
127 %token <string> ALIAS /* an UPPERCASE alias name */
128 %token <string> DEFVAR /* a Defaults variable name */
129 %token <string> NTWKADDR /* ipv4 or ipv6 address */
130 %token <string> NETGROUP /* a netgroup (+NAME) */
131 %token <string> USERGROUP /* a usergroup (%NAME) */
132 %token <string> WORD /* a word */
133 %token <tok> DEFAULTS /* Defaults entry */
134 %token <tok> DEFAULTS_HOST /* Host-specific defaults entry */
135 %token <tok> DEFAULTS_USER /* User-specific defaults entry */
136 %token <tok> DEFAULTS_RUNAS /* Runas-specific defaults entry */
137 %token <tok> DEFAULTS_CMND /* Command-specific defaults entry */
138 %token <tok> NOPASSWD /* no passwd req for command */
139 %token <tok> PASSWD /* passwd req for command (default) */
140 %token <tok> NOEXEC /* preload dummy execve() for cmnd */
141 %token <tok> EXEC /* don't preload dummy execve() */
142 %token <tok> SETENV /* user may set environment for cmnd */
143 %token <tok> NOSETENV /* user may not set environment */
144 %token <tok> LOG_INPUT /* log user's cmnd input */
145 %token <tok> NOLOG_INPUT /* don't log user's cmnd input */
146 %token <tok> LOG_OUTPUT /* log cmnd output */
147 %token <tok> NOLOG_OUTPUT /* don't log cmnd output */
148 %token <tok> ALL /* ALL keyword */
149 %token <tok> COMMENT /* comment and/or carriage return */
150 %token <tok> HOSTALIAS /* Host_Alias keyword */
151 %token <tok> CMNDALIAS /* Cmnd_Alias keyword */
152 %token <tok> USERALIAS /* User_Alias keyword */
153 %token <tok> RUNASALIAS /* Runas_Alias keyword */
154 %token <tok> ':' '=' ',' '!' '+' '-' /* union member tokens */
155 %token <tok> '(' ')' /* runas tokens */
157 %token <tok> TYPE /* SELinux type */
158 %token <tok> ROLE /* SELinux role */
160 %type <cmndspec> cmndspec
161 %type <cmndspec> cmndspeclist
162 %type <defaults> defaults_entry
163 %type <defaults> defaults_list
165 %type <member> opcmnd
166 %type <member> cmndlist
168 %type <member> hostlist
169 %type <member> ophost
170 %type <member> opuser
172 %type <member> userlist
173 %type <member> opgroup
175 %type <member> grouplist
176 %type <runas> runasspec
177 %type <runas> runaslist
178 %type <privilege> privilege
179 %type <privilege> privileges
181 %type <seinfo> selinux
182 %type <string> rolespec
183 %type <string> typespec
201 | userlist privileges {
202 add_userspec($1, $2);
204 | USERALIAS useraliases {
207 | HOSTALIAS hostaliases {
210 | CMNDALIAS cmndaliases {
213 | RUNASALIAS runasaliases {
216 | DEFAULTS defaults_list {
217 add_defaults(DEFAULTS, NULL, $2);
219 | DEFAULTS_USER userlist defaults_list {
220 add_defaults(DEFAULTS_USER, $2, $3);
222 | DEFAULTS_RUNAS userlist defaults_list {
223 add_defaults(DEFAULTS_RUNAS, $2, $3);
225 | DEFAULTS_HOST hostlist defaults_list {
226 add_defaults(DEFAULTS_HOST, $2, $3);
228 | DEFAULTS_CMND cmndlist defaults_list {
229 add_defaults(DEFAULTS_CMND, $2, $3);
233 defaults_list : defaults_entry
234 | defaults_list ',' defaults_entry {
240 defaults_entry : DEFVAR {
241 $$ = new_default($1, NULL, TRUE);
244 $$ = new_default($2, NULL, FALSE);
247 $$ = new_default($1, $3, TRUE);
250 $$ = new_default($1, $3, '+');
253 $$ = new_default($1, $3, '-');
257 privileges : privilege
258 | privileges ':' privilege {
264 privilege : hostlist '=' cmndspeclist {
265 struct privilege *p = emalloc(sizeof(*p));
266 list2tq(&p->hostlist, $1);
267 list2tq(&p->cmndlist, $3);
285 $$ = new_member($1, ALIAS);
288 $$ = new_member(NULL, ALL);
291 $$ = new_member($1, NETGROUP);
294 $$ = new_member($1, NTWKADDR);
297 $$ = new_member($1, WORD);
301 cmndspeclist : cmndspec
302 | cmndspeclist ',' cmndspec {
305 /* propagate role and type */
306 if ($3->role == NULL)
307 $3->role = $3->prev->role;
308 if ($3->type == NULL)
309 $3->type = $3->prev->type;
310 #endif /* HAVE_SELINUX */
311 /* propagate tags and runas list */
312 if ($3->tags.nopasswd == UNSPEC)
313 $3->tags.nopasswd = $3->prev->tags.nopasswd;
314 if ($3->tags.noexec == UNSPEC)
315 $3->tags.noexec = $3->prev->tags.noexec;
316 if ($3->tags.setenv == UNSPEC &&
317 $3->prev->tags.setenv != IMPLIED)
318 $3->tags.setenv = $3->prev->tags.setenv;
319 if ($3->tags.log_input == UNSPEC)
320 $3->tags.log_input = $3->prev->tags.log_input;
321 if ($3->tags.log_output == UNSPEC)
322 $3->tags.log_output = $3->prev->tags.log_output;
323 if ((tq_empty(&$3->runasuserlist) &&
324 tq_empty(&$3->runasgrouplist)) &&
325 (!tq_empty(&$3->prev->runasuserlist) ||
326 !tq_empty(&$3->prev->runasgrouplist))) {
327 $3->runasuserlist = $3->prev->runasuserlist;
328 $3->runasgrouplist = $3->prev->runasgrouplist;
334 cmndspec : runasspec selinux cmndtag opcmnd {
335 struct cmndspec *cs = emalloc(sizeof(*cs));
337 list2tq(&cs->runasuserlist, $1->runasusers);
338 list2tq(&cs->runasgrouplist, $1->runasgroups);
341 tq_init(&cs->runasuserlist);
342 tq_init(&cs->runasgrouplist);
352 /* sudo "ALL" implies the SETENV tag */
353 if (cs->cmnd->type == ALL && !cs->cmnd->negated &&
354 cs->tags.setenv == UNSPEC)
355 cs->tags.setenv = IMPLIED;
370 rolespec : ROLE '=' WORD {
375 typespec : TYPE '=' WORD {
380 selinux : /* empty */ {
392 | rolespec typespec {
396 | typespec rolespec {
402 runasspec : /* empty */ {
405 | '(' runaslist ')' {
410 runaslist : userlist {
411 $$ = emalloc(sizeof(struct runascontainer));
413 $$->runasgroups = NULL;
415 | userlist ':' grouplist {
416 $$ = emalloc(sizeof(struct runascontainer));
418 $$->runasgroups = $3;
421 $$ = emalloc(sizeof(struct runascontainer));
422 $$->runasusers = NULL;
423 $$->runasgroups = $2;
427 cmndtag : /* empty */ {
428 $$.nopasswd = $$.noexec = $$.setenv =
429 $$.log_input = $$.log_output = UNSPEC;
449 | cmndtag LOG_INPUT {
452 | cmndtag NOLOG_INPUT {
453 $$.log_input = FALSE;
455 | cmndtag LOG_OUTPUT {
456 $$.log_output = TRUE;
458 | cmndtag NOLOG_OUTPUT {
459 $$.log_output = FALSE;
464 $$ = new_member(NULL, ALL);
467 $$ = new_member($1, ALIAS);
470 struct sudo_command *c = emalloc(sizeof(*c));
473 $$ = new_member((char *)c, COMMAND);
477 hostaliases : hostalias
478 | hostaliases ':' hostalias
481 hostalias : ALIAS '=' hostlist {
483 if ((s = alias_add($1, HOSTALIAS, $3)) != NULL) {
491 | hostlist ',' ophost {
497 cmndaliases : cmndalias
498 | cmndaliases ':' cmndalias
501 cmndalias : ALIAS '=' cmndlist {
503 if ((s = alias_add($1, CMNDALIAS, $3)) != NULL) {
511 | cmndlist ',' opcmnd {
517 runasaliases : runasalias
518 | runasaliases ':' runasalias
521 runasalias : ALIAS '=' userlist {
523 if ((s = alias_add($1, RUNASALIAS, $3)) != NULL) {
530 useraliases : useralias
531 | useraliases ':' useralias
534 useralias : ALIAS '=' userlist {
536 if ((s = alias_add($1, USERALIAS, $3)) != NULL) {
544 | userlist ',' opuser {
561 $$ = new_member($1, ALIAS);
564 $$ = new_member(NULL, ALL);
567 $$ = new_member($1, NETGROUP);
570 $$ = new_member($1, USERGROUP);
573 $$ = new_member($1, WORD);
578 | grouplist ',' opgroup {
595 $$ = new_member($1, ALIAS);
598 $$ = new_member(NULL, ALL);
601 $$ = new_member($1, WORD);
606 static struct defaults *
607 new_default(var, val, op)
614 d = emalloc(sizeof(struct defaults));
617 tq_init(&d->binding);
626 static struct member *
627 new_member(name, type)
633 m = emalloc(sizeof(struct member));
643 * Add a list of defaults structures to the defaults list.
644 * The binding, if non-NULL, specifies a list of hosts, users, or
645 * runas users the entries apply to (specified by the type).
648 add_defaults(type, bmem, defs)
651 struct defaults *defs;
654 struct member_list binding;
657 * We can only call list2tq once on bmem as it will zero
658 * out the prev pointer when it consumes bmem.
660 list2tq(&binding, bmem);
663 * Set type and binding (who it applies to) for new entries.
665 for (d = defs; d != NULL; d = d->next) {
667 d->binding = binding;
669 tq_append(&defaults, defs);
673 * Allocate a new struct userspec, populate it, and insert it at the
674 * and of the userspecs list.
677 add_userspec(members, privs)
678 struct member *members;
679 struct privilege *privs;
683 u = emalloc(sizeof(*u));
684 list2tq(&u->users, members);
685 list2tq(&u->privileges, privs);
688 tq_append(&userspecs, u);
692 * Free up space used by data structures from a previous parser run and sets
693 * the current sudoers file to path.
696 init_parser(path, quiet)
701 struct member *m, *binding;
703 struct privilege *priv;
705 struct sudo_command *c;
707 while ((us = tq_pop(&userspecs)) != NULL) {
708 while ((m = tq_pop(&us->users)) != NULL) {
712 while ((priv = tq_pop(&us->privileges)) != NULL) {
713 struct member *runasuser = NULL, *runasgroup = NULL;
715 char *role = NULL, *type = NULL;
716 #endif /* HAVE_SELINUX */
718 while ((m = tq_pop(&priv->hostlist)) != NULL) {
722 while ((cs = tq_pop(&priv->cmndlist)) != NULL) {
724 /* Only free the first instance of a role/type. */
725 if (cs->role != role) {
729 if (cs->type != type) {
733 #endif /* HAVE_SELINUX */
734 if (tq_last(&cs->runasuserlist) != runasuser) {
735 runasuser = tq_last(&cs->runasuserlist);
736 while ((m = tq_pop(&cs->runasuserlist)) != NULL) {
741 if (tq_last(&cs->runasgrouplist) != runasgroup) {
742 runasgroup = tq_last(&cs->runasgrouplist);
743 while ((m = tq_pop(&cs->runasgrouplist)) != NULL) {
748 if (cs->cmnd->type == COMMAND) {
749 c = (struct sudo_command *) cs->cmnd->name;
753 efree(cs->cmnd->name);
764 while ((d = tq_pop(&defaults)) != NULL) {
765 if (tq_last(&d->binding) != binding) {
766 binding = tq_last(&d->binding);
767 while ((m = tq_pop(&d->binding)) != NULL) {
768 if (m->type == COMMAND) {
769 c = (struct sudo_command *) m->name;
788 sudoers = path ? estrdup(path) : NULL;
projects / debian / sudo / blob