3 * Copyright (c) 1996, 1998-2005, 2007-2011
4 * Todd C. Miller <Todd.Miller@courtesan.com>
6 * Permission to use, copy, modify, and distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
18 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
20 * Sponsored in part by the Defense Advanced Research Projects
21 * Agency (DARPA) and Air Force Research Laboratory, Air Force
22 * Materiel Command, USAF, under agreement number F39502-99-1-0512.
27 #include <sys/types.h>
28 #include <sys/param.h>
37 #endif /* STDC_HEADERS */
40 #endif /* HAVE_STRING_H */
43 #endif /* HAVE_STRINGS_H */
46 #endif /* HAVE_UNISTD_H */
47 #if defined(YYBISON) && defined(HAVE_ALLOCA_H) && !defined(__GNUC__)
49 #endif /* YYBISON && HAVE_ALLOCA_H && !__GNUC__ */
52 #include "sudoers.h" /* XXX */
57 * We must define SIZE_MAX for yacc's skeleton.c.
58 * If there is no SIZE_MAX or SIZE_T_MAX we have to assume that size_t
59 * could be signed (as it is on SunOS 4.x).
63 # define SIZE_MAX SIZE_T_MAX
65 # define SIZE_MAX INT_MAX
66 # endif /* SIZE_T_MAX */
72 extern int sudolineno;
74 static int verbose = FALSE;
75 int parse_error = FALSE;
78 char *errorfile = NULL;
80 struct defaults_list defaults;
81 struct userspec_list userspecs;
86 static void add_defaults(int, struct member *, struct defaults *);
87 static void add_userspec(struct member *, struct privilege *);
88 static struct defaults *new_default(char *, char *, int);
89 static struct member *new_member(char *, int);
90 void yyerror(const char *);
93 yyerror(const char *s)
95 /* Save the line the first error occurred on. */
96 if (errorlineno == -1) {
97 errorlineno = sudolineno ? sudolineno - 1 : 0;
98 errorfile = estrdup(sudoers);
100 if (trace_print != NULL) {
102 } else if (verbose && s != NULL) {
103 warningx(_(">>> %s: %s near line %d <<<"), sudoers, s,
104 sudolineno ? sudolineno - 1 : 0);
111 struct cmndspec *cmndspec;
112 struct defaults *defaults;
113 struct member *member;
114 struct runascontainer *runas;
115 struct privilege *privilege;
116 struct sudo_command command;
118 struct selinux_info seinfo;
123 %start file /* special start symbol */
124 %token <command> COMMAND /* absolute pathname w/ optional args */
125 %token <string> ALIAS /* an UPPERCASE alias name */
126 %token <string> DEFVAR /* a Defaults variable name */
127 %token <string> NTWKADDR /* ipv4 or ipv6 address */
128 %token <string> NETGROUP /* a netgroup (+NAME) */
129 %token <string> USERGROUP /* a usergroup (%NAME) */
130 %token <string> WORD /* a word */
131 %token <tok> DEFAULTS /* Defaults entry */
132 %token <tok> DEFAULTS_HOST /* Host-specific defaults entry */
133 %token <tok> DEFAULTS_USER /* User-specific defaults entry */
134 %token <tok> DEFAULTS_RUNAS /* Runas-specific defaults entry */
135 %token <tok> DEFAULTS_CMND /* Command-specific defaults entry */
136 %token <tok> NOPASSWD /* no passwd req for command */
137 %token <tok> PASSWD /* passwd req for command (default) */
138 %token <tok> NOEXEC /* preload dummy execve() for cmnd */
139 %token <tok> EXEC /* don't preload dummy execve() */
140 %token <tok> SETENV /* user may set environment for cmnd */
141 %token <tok> NOSETENV /* user may not set environment */
142 %token <tok> LOG_INPUT /* log user's cmnd input */
143 %token <tok> NOLOG_INPUT /* don't log user's cmnd input */
144 %token <tok> LOG_OUTPUT /* log cmnd output */
145 %token <tok> NOLOG_OUTPUT /* don't log cmnd output */
146 %token <tok> ALL /* ALL keyword */
147 %token <tok> COMMENT /* comment and/or carriage return */
148 %token <tok> HOSTALIAS /* Host_Alias keyword */
149 %token <tok> CMNDALIAS /* Cmnd_Alias keyword */
150 %token <tok> USERALIAS /* User_Alias keyword */
151 %token <tok> RUNASALIAS /* Runas_Alias keyword */
152 %token <tok> ':' '=' ',' '!' '+' '-' /* union member tokens */
153 %token <tok> '(' ')' /* runas tokens */
155 %token <tok> TYPE /* SELinux type */
156 %token <tok> ROLE /* SELinux role */
158 %type <cmndspec> cmndspec
159 %type <cmndspec> cmndspeclist
160 %type <defaults> defaults_entry
161 %type <defaults> defaults_list
163 %type <member> opcmnd
164 %type <member> cmndlist
166 %type <member> hostlist
167 %type <member> ophost
168 %type <member> opuser
170 %type <member> userlist
171 %type <member> opgroup
173 %type <member> grouplist
174 %type <runas> runasspec
175 %type <runas> runaslist
176 %type <privilege> privilege
177 %type <privilege> privileges
179 %type <seinfo> selinux
180 %type <string> rolespec
181 %type <string> typespec
199 | userlist privileges {
200 add_userspec($1, $2);
202 | USERALIAS useraliases {
205 | HOSTALIAS hostaliases {
208 | CMNDALIAS cmndaliases {
211 | RUNASALIAS runasaliases {
214 | DEFAULTS defaults_list {
215 add_defaults(DEFAULTS, NULL, $2);
217 | DEFAULTS_USER userlist defaults_list {
218 add_defaults(DEFAULTS_USER, $2, $3);
220 | DEFAULTS_RUNAS userlist defaults_list {
221 add_defaults(DEFAULTS_RUNAS, $2, $3);
223 | DEFAULTS_HOST hostlist defaults_list {
224 add_defaults(DEFAULTS_HOST, $2, $3);
226 | DEFAULTS_CMND cmndlist defaults_list {
227 add_defaults(DEFAULTS_CMND, $2, $3);
231 defaults_list : defaults_entry
232 | defaults_list ',' defaults_entry {
238 defaults_entry : DEFVAR {
239 $$ = new_default($1, NULL, TRUE);
242 $$ = new_default($2, NULL, FALSE);
245 $$ = new_default($1, $3, TRUE);
248 $$ = new_default($1, $3, '+');
251 $$ = new_default($1, $3, '-');
255 privileges : privilege
256 | privileges ':' privilege {
262 privilege : hostlist '=' cmndspeclist {
263 struct privilege *p = emalloc(sizeof(*p));
264 list2tq(&p->hostlist, $1);
265 list2tq(&p->cmndlist, $3);
283 $$ = new_member($1, ALIAS);
286 $$ = new_member(NULL, ALL);
289 $$ = new_member($1, NETGROUP);
292 $$ = new_member($1, NTWKADDR);
295 $$ = new_member($1, WORD);
299 cmndspeclist : cmndspec
300 | cmndspeclist ',' cmndspec {
303 /* propagate role and type */
304 if ($3->role == NULL)
305 $3->role = $3->prev->role;
306 if ($3->type == NULL)
307 $3->type = $3->prev->type;
308 #endif /* HAVE_SELINUX */
309 /* propagate tags and runas list */
310 if ($3->tags.nopasswd == UNSPEC)
311 $3->tags.nopasswd = $3->prev->tags.nopasswd;
312 if ($3->tags.noexec == UNSPEC)
313 $3->tags.noexec = $3->prev->tags.noexec;
314 if ($3->tags.setenv == UNSPEC &&
315 $3->prev->tags.setenv != IMPLIED)
316 $3->tags.setenv = $3->prev->tags.setenv;
317 if ($3->tags.log_input == UNSPEC)
318 $3->tags.log_input = $3->prev->tags.log_input;
319 if ($3->tags.log_output == UNSPEC)
320 $3->tags.log_output = $3->prev->tags.log_output;
321 if ((tq_empty(&$3->runasuserlist) &&
322 tq_empty(&$3->runasgrouplist)) &&
323 (!tq_empty(&$3->prev->runasuserlist) ||
324 !tq_empty(&$3->prev->runasgrouplist))) {
325 $3->runasuserlist = $3->prev->runasuserlist;
326 $3->runasgrouplist = $3->prev->runasgrouplist;
332 cmndspec : runasspec selinux cmndtag opcmnd {
333 struct cmndspec *cs = emalloc(sizeof(*cs));
335 list2tq(&cs->runasuserlist, $1->runasusers);
336 list2tq(&cs->runasgrouplist, $1->runasgroups);
339 tq_init(&cs->runasuserlist);
340 tq_init(&cs->runasgrouplist);
350 /* sudo "ALL" implies the SETENV tag */
351 if (cs->cmnd->type == ALL && !cs->cmnd->negated &&
352 cs->tags.setenv == UNSPEC)
353 cs->tags.setenv = IMPLIED;
368 rolespec : ROLE '=' WORD {
373 typespec : TYPE '=' WORD {
378 selinux : /* empty */ {
390 | rolespec typespec {
394 | typespec rolespec {
400 runasspec : /* empty */ {
403 | '(' runaslist ')' {
408 runaslist : userlist {
409 $$ = emalloc(sizeof(struct runascontainer));
411 $$->runasgroups = NULL;
413 | userlist ':' grouplist {
414 $$ = emalloc(sizeof(struct runascontainer));
416 $$->runasgroups = $3;
419 $$ = emalloc(sizeof(struct runascontainer));
420 $$->runasusers = NULL;
421 $$->runasgroups = $2;
425 cmndtag : /* empty */ {
426 $$.nopasswd = $$.noexec = $$.setenv =
427 $$.log_input = $$.log_output = UNSPEC;
447 | cmndtag LOG_INPUT {
450 | cmndtag NOLOG_INPUT {
451 $$.log_input = FALSE;
453 | cmndtag LOG_OUTPUT {
454 $$.log_output = TRUE;
456 | cmndtag NOLOG_OUTPUT {
457 $$.log_output = FALSE;
462 $$ = new_member(NULL, ALL);
465 $$ = new_member($1, ALIAS);
468 struct sudo_command *c = emalloc(sizeof(*c));
471 $$ = new_member((char *)c, COMMAND);
475 hostaliases : hostalias
476 | hostaliases ':' hostalias
479 hostalias : ALIAS '=' hostlist {
481 if ((s = alias_add($1, HOSTALIAS, $3)) != NULL) {
489 | hostlist ',' ophost {
495 cmndaliases : cmndalias
496 | cmndaliases ':' cmndalias
499 cmndalias : ALIAS '=' cmndlist {
501 if ((s = alias_add($1, CMNDALIAS, $3)) != NULL) {
509 | cmndlist ',' opcmnd {
515 runasaliases : runasalias
516 | runasaliases ':' runasalias
519 runasalias : ALIAS '=' userlist {
521 if ((s = alias_add($1, RUNASALIAS, $3)) != NULL) {
528 useraliases : useralias
529 | useraliases ':' useralias
532 useralias : ALIAS '=' userlist {
534 if ((s = alias_add($1, USERALIAS, $3)) != NULL) {
542 | userlist ',' opuser {
559 $$ = new_member($1, ALIAS);
562 $$ = new_member(NULL, ALL);
565 $$ = new_member($1, NETGROUP);
568 $$ = new_member($1, USERGROUP);
571 $$ = new_member($1, WORD);
576 | grouplist ',' opgroup {
593 $$ = new_member($1, ALIAS);
596 $$ = new_member(NULL, ALL);
599 $$ = new_member($1, WORD);
604 static struct defaults *
605 new_default(char *var, char *val, int op)
609 d = emalloc(sizeof(struct defaults));
612 tq_init(&d->binding);
621 static struct member *
622 new_member(char *name, int type)
626 m = emalloc(sizeof(struct member));
636 * Add a list of defaults structures to the defaults list.
637 * The binding, if non-NULL, specifies a list of hosts, users, or
638 * runas users the entries apply to (specified by the type).
641 add_defaults(int type, struct member *bmem, struct defaults *defs)
644 struct member_list binding;
647 * We can only call list2tq once on bmem as it will zero
648 * out the prev pointer when it consumes bmem.
650 list2tq(&binding, bmem);
653 * Set type and binding (who it applies to) for new entries.
655 for (d = defs; d != NULL; d = d->next) {
657 d->binding = binding;
659 tq_append(&defaults, defs);
663 * Allocate a new struct userspec, populate it, and insert it at the
664 * and of the userspecs list.
667 add_userspec(struct member *members, struct privilege *privs)
671 u = emalloc(sizeof(*u));
672 list2tq(&u->users, members);
673 list2tq(&u->privileges, privs);
676 tq_append(&userspecs, u);
680 * Free up space used by data structures from a previous parser run and sets
681 * the current sudoers file to path.
684 init_parser(const char *path, int quiet)
687 struct member *m, *binding;
689 struct privilege *priv;
691 struct sudo_command *c;
693 while ((us = tq_pop(&userspecs)) != NULL) {
694 while ((m = tq_pop(&us->users)) != NULL) {
698 while ((priv = tq_pop(&us->privileges)) != NULL) {
699 struct member *runasuser = NULL, *runasgroup = NULL;
701 char *role = NULL, *type = NULL;
702 #endif /* HAVE_SELINUX */
704 while ((m = tq_pop(&priv->hostlist)) != NULL) {
708 while ((cs = tq_pop(&priv->cmndlist)) != NULL) {
710 /* Only free the first instance of a role/type. */
711 if (cs->role != role) {
715 if (cs->type != type) {
719 #endif /* HAVE_SELINUX */
720 if (tq_last(&cs->runasuserlist) != runasuser) {
721 runasuser = tq_last(&cs->runasuserlist);
722 while ((m = tq_pop(&cs->runasuserlist)) != NULL) {
727 if (tq_last(&cs->runasgrouplist) != runasgroup) {
728 runasgroup = tq_last(&cs->runasgrouplist);
729 while ((m = tq_pop(&cs->runasgrouplist)) != NULL) {
734 if (cs->cmnd->type == COMMAND) {
735 c = (struct sudo_command *) cs->cmnd->name;
739 efree(cs->cmnd->name);
750 while ((d = tq_pop(&defaults)) != NULL) {
751 if (tq_last(&d->binding) != binding) {
752 binding = tq_last(&d->binding);
753 while ((m = tq_pop(&d->binding)) != NULL) {
754 if (m->type == COMMAND) {
755 c = (struct sudo_command *) m->name;
774 sudoers = path ? estrdup(path) : NULL;