2 * Copyright (c) 2004-2005, 2007-2009 Todd C. Miller <Todd.Miller@courtesan.com>
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15 * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
16 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
21 #include <sys/types.h>
22 #include <sys/param.h>
31 #endif /* STDC_HEADERS */
35 # ifdef HAVE_STRINGS_H
38 #endif /* HAVE_STRING_H */
41 #endif /* HAVE_UNISTD_H */
52 __unused static const char rcsid[] = "$Sudo: parse.c,v 1.242 2009/05/25 12:02:41 millert Exp $";
55 /* Characters that must be quoted in sudoers */
56 #define SUDOERS_QUOTED ":\\,=#\""
58 /* sudoers nsswitch routines */
59 struct sudo_nss sudo_nss_file = {
67 sudo_file_display_cmnd,
68 sudo_file_display_defaults,
69 sudo_file_display_bound_defaults,
70 sudo_file_display_privs
77 extern char *errorfile;
78 extern int errorlineno, parse_error;
83 static void print_member __P((struct lbuf *, char *, int, int, int));
84 static int display_bound_defaults __P((int, struct lbuf *));
90 if (def_ignore_local_sudoers)
92 nss->handle = open_sudoers(_PATH_SUDOERS, FALSE, NULL);
93 return(nss->handle ? 0 : -1);
100 /* Free parser data structures and close sudoers file. */
101 init_parser(NULL, 0);
102 if (nss->handle != NULL) {
111 * Parse the specified sudoers file.
115 struct sudo_nss *nss;
117 if (nss->handle == NULL)
120 init_parser(_PATH_SUDOERS, 0);
122 if (yyparse() != 0 || parse_error) {
123 log_error(NO_EXIT, "parse error in %s near line %d",
124 errorfile, errorlineno);
131 * Wrapper around update_defaults() for nsswitch code.
134 sudo_file_setdefs(nss)
135 struct sudo_nss *nss;
137 if (nss->handle == NULL)
140 if (!update_defaults(SETDEF_GENERIC|SETDEF_HOST|SETDEF_USER))
146 * Look up the user in the parsed sudoers file and check to see if they are
147 * allowed to run the specified command on this host as the target user.
150 sudo_file_lookup(nss, validated, pwflag)
151 struct sudo_nss *nss;
155 int match, host_match, runas_match, cmnd_match;
157 struct cmndtag *tags = NULL;
158 struct privilege *priv;
161 if (nss->handle == NULL)
165 * Only check the actual command if pwflag is not set.
166 * It is set for the "validate", "list" and "kill" pseudo-commands.
167 * Always check the host and user.
171 enum def_tupple pwcheck;
173 pwcheck = (pwflag == -1) ? never : sudo_defs_table[pwflag].sd_un.tuple;
174 nopass = (pwcheck == all) ? TRUE : FALSE;
177 SET(validated, FLAG_NO_CHECK);
178 CLR(validated, FLAG_NO_USER);
179 CLR(validated, FLAG_NO_HOST);
181 tq_foreach_fwd(&userspecs, us) {
182 if (userlist_matches(sudo_user.pw, &us->users) != ALLOW)
184 tq_foreach_fwd(&us->privileges, priv) {
185 if (hostlist_matches(&priv->hostlist) != ALLOW)
187 tq_foreach_fwd(&priv->cmndlist, cs) {
188 /* Only check the command when listing another user. */
189 if (user_uid == 0 || list_pw == NULL ||
190 user_uid == list_pw->pw_uid ||
191 cmnd_matches(cs->cmnd) == ALLOW)
193 if ((pwcheck == any && cs->tags.nopasswd == TRUE) ||
194 (pwcheck == all && cs->tags.nopasswd != TRUE))
195 nopass = cs->tags.nopasswd;
199 if (match == ALLOW || user_uid == 0) {
200 /* User has an entry for this host. */
201 SET(validated, VALIDATE_OK);
202 } else if (match == DENY)
203 SET(validated, VALIDATE_NOT_OK);
204 if (pwcheck == always && def_authenticate)
205 SET(validated, FLAG_CHECK_USER);
206 else if (pwcheck == never || nopass == TRUE)
207 def_authenticate = FALSE;
211 /* Need to be runas user while stat'ing things. */
212 set_perms(PERM_RUNAS);
215 tq_foreach_rev(&userspecs, us) {
216 if (userlist_matches(sudo_user.pw, &us->users) != ALLOW)
218 CLR(validated, FLAG_NO_USER);
219 tq_foreach_rev(&us->privileges, priv) {
220 host_match = hostlist_matches(&priv->hostlist);
221 if (host_match == ALLOW)
222 CLR(validated, FLAG_NO_HOST);
225 tq_foreach_rev(&priv->cmndlist, cs) {
226 runas_match = runaslist_matches(&cs->runasuserlist,
227 &cs->runasgrouplist);
228 if (runas_match == ALLOW) {
229 cmnd_match = cmnd_matches(cs->cmnd);
230 if (cmnd_match != UNSPEC) {
234 /* Set role and type if not specified on command line. */
235 if (user_role == NULL)
236 user_role = cs->role ? estrdup(cs->role) : def_role;
237 if (user_type == NULL)
238 user_type = cs->type ? estrdup(cs->type) : def_type;
239 #endif /* HAVE_SELINUX */
247 if (match == ALLOW) {
248 SET(validated, VALIDATE_OK);
249 CLR(validated, VALIDATE_NOT_OK);
251 if (tags->nopasswd != UNSPEC)
252 def_authenticate = !tags->nopasswd;
253 if (tags->noexec != UNSPEC)
254 def_noexec = tags->noexec;
255 if (tags->setenv != UNSPEC)
256 def_setenv = tags->setenv;
258 } else if (match == DENY) {
259 SET(validated, VALIDATE_NOT_OK);
260 CLR(validated, VALIDATE_OK);
262 set_perms(PERM_ROOT);
266 #define TAG_CHANGED(t) \
267 (cs->tags.t != UNSPEC && cs->tags.t != IMPLIED && cs->tags.t != tags->t)
270 sudo_file_append_cmnd(cs, tags, lbuf)
272 struct cmndtag *tags;
279 lbuf_append(lbuf, "ROLE=", cs->role, " ", NULL);
281 lbuf_append(lbuf, "TYPE=", cs->type, " ", NULL);
282 #endif /* HAVE_SELINUX */
283 if (TAG_CHANGED(setenv)) {
284 lbuf_append(lbuf, cs->tags.setenv ? "SETENV: " :
286 tags->setenv = cs->tags.setenv;
288 if (TAG_CHANGED(noexec)) {
289 lbuf_append(lbuf, cs->tags.noexec ? "NOEXEC: " :
291 tags->noexec = cs->tags.noexec;
293 if (TAG_CHANGED(nopasswd)) {
294 lbuf_append(lbuf, cs->tags.nopasswd ? "NOPASSWD: " :
296 tags->nopasswd = cs->tags.nopasswd;
299 print_member(lbuf, m->name, m->type, m->negated,
304 sudo_file_display_priv_short(pw, us, lbuf)
311 struct privilege *priv;
315 tq_foreach_fwd(&us->privileges, priv) {
316 tags.noexec = UNSPEC;
317 tags.setenv = UNSPEC;
318 tags.nopasswd = UNSPEC;
319 lbuf_append(lbuf, " ", NULL);
320 tq_foreach_fwd(&priv->cmndlist, cs) {
321 if (cs != tq_first(&priv->cmndlist))
322 lbuf_append(lbuf, ", ", NULL);
323 lbuf_append(lbuf, "(", NULL);
324 if (!tq_empty(&cs->runasuserlist)) {
325 tq_foreach_fwd(&cs->runasuserlist, m) {
326 if (m != tq_first(&cs->runasuserlist))
327 lbuf_append(lbuf, ", ", NULL);
328 print_member(lbuf, m->name, m->type, m->negated,
331 } else if (tq_empty(&cs->runasgrouplist)) {
332 lbuf_append(lbuf, def_runas_default, NULL);
334 lbuf_append(lbuf, pw->pw_name, NULL);
336 if (!tq_empty(&cs->runasgrouplist)) {
337 lbuf_append(lbuf, " : ", NULL);
338 tq_foreach_fwd(&cs->runasgrouplist, m) {
339 if (m != tq_first(&cs->runasgrouplist))
340 lbuf_append(lbuf, ", ", NULL);
341 print_member(lbuf, m->name, m->type, m->negated,
345 lbuf_append(lbuf, ") ", NULL);
346 sudo_file_append_cmnd(cs, &tags, lbuf);
349 lbuf_print(lbuf); /* forces a newline */
355 sudo_file_display_priv_long(pw, us, lbuf)
362 struct privilege *priv;
366 tq_foreach_fwd(&us->privileges, priv) {
367 tags.noexec = UNSPEC;
368 tags.setenv = UNSPEC;
369 tags.nopasswd = UNSPEC;
370 lbuf_print(lbuf); /* force a newline */
371 lbuf_append(lbuf, "Sudoers entry:", NULL);
373 tq_foreach_fwd(&priv->cmndlist, cs) {
374 lbuf_append(lbuf, " RunAsUsers: ", NULL);
375 if (!tq_empty(&cs->runasuserlist)) {
376 tq_foreach_fwd(&cs->runasuserlist, m) {
377 if (m != tq_first(&cs->runasuserlist))
378 lbuf_append(lbuf, ", ", NULL);
379 print_member(lbuf, m->name, m->type, m->negated,
382 } else if (tq_empty(&cs->runasgrouplist)) {
383 lbuf_append(lbuf, def_runas_default, NULL);
385 lbuf_append(lbuf, pw->pw_name, NULL);
388 if (!tq_empty(&cs->runasgrouplist)) {
389 lbuf_append(lbuf, " RunAsGroups: ", NULL);
390 tq_foreach_fwd(&cs->runasgrouplist, m) {
391 if (m != tq_first(&cs->runasgrouplist))
392 lbuf_append(lbuf, ", ", NULL);
393 print_member(lbuf, m->name, m->type, m->negated,
398 lbuf_append(lbuf, " Commands: ", NULL);
400 lbuf_append(lbuf, "\t", NULL);
401 sudo_file_append_cmnd(cs, &tags, lbuf);
410 sudo_file_display_privs(nss, pw, lbuf)
411 struct sudo_nss *nss;
418 if (nss->handle == NULL)
421 tq_foreach_fwd(&userspecs, us) {
422 /* XXX - why only check the first privilege here? */
423 if (userlist_matches(pw, &us->users) != ALLOW ||
424 hostlist_matches(&us->privileges.first->hostlist) != ALLOW)
428 nfound += sudo_file_display_priv_long(pw, us, lbuf);
430 nfound += sudo_file_display_priv_short(pw, us, lbuf);
436 * Display matching Defaults entries for the given user on this host.
439 sudo_file_display_defaults(nss, pw, lbuf)
440 struct sudo_nss *nss;
448 if (nss->handle == NULL)
456 tq_foreach_fwd(&defaults, d) {
459 if (hostlist_matches(&d->binding) != ALLOW)
463 if (userlist_matches(pw, &d->binding) != ALLOW)
470 lbuf_append(lbuf, prefix, NULL);
471 if (d->val != NULL) {
472 lbuf_append(lbuf, d->var, d->op == '+' ? "+=" :
473 d->op == '-' ? "-=" : "=", NULL);
474 if (strpbrk(d->val, " \t") != NULL) {
475 lbuf_append(lbuf, "\"", NULL);
476 lbuf_append_quoted(lbuf, "\"", d->val, NULL);
477 lbuf_append(lbuf, "\"", NULL);
479 lbuf_append_quoted(lbuf, SUDOERS_QUOTED, d->val, NULL);
481 lbuf_append(lbuf, d->op == FALSE ? "!" : "", d->var, NULL);
490 * Display Defaults entries that are per-runas or per-command
493 sudo_file_display_bound_defaults(nss, pw, lbuf)
494 struct sudo_nss *nss;
500 /* XXX - should only print ones that match what the user can do. */
501 nfound += display_bound_defaults(DEFAULTS_RUNAS, lbuf);
502 nfound += display_bound_defaults(DEFAULTS_CMND, lbuf);
508 * Display Defaults entries of the given type.
511 display_bound_defaults(dtype, lbuf)
516 struct member *m, *binding = NULL;
518 int atype, nfound = 0;
544 /* printf("Per-%s Defaults entries:\n", dname); */
545 tq_foreach_fwd(&defaults, d) {
546 if (d->type != dtype)
550 if (binding != tq_first(&d->binding)) {
551 binding = tq_first(&d->binding);
552 lbuf_append(lbuf, " Defaults", dsep, NULL);
553 for (m = binding; m != NULL; m = m->next) {
555 lbuf_append(lbuf, ",", NULL);
556 print_member(lbuf, m->name, m->type, m->negated, atype);
557 lbuf_append(lbuf, " ", NULL);
560 lbuf_append(lbuf, ", ", NULL);
561 if (d->val != NULL) {
562 lbuf_append(lbuf, d->var, d->op == '+' ? "+=" :
563 d->op == '-' ? "-=" : "=", d->val, NULL);
565 lbuf_append(lbuf, d->op == FALSE ? "!" : "", d->var, NULL);
572 sudo_file_display_cmnd(nss, pw)
573 struct sudo_nss *nss;
577 struct member *match;
578 struct privilege *priv;
581 int host_match, runas_match, cmnd_match;
583 if (nss->handle == NULL)
587 tq_foreach_rev(&userspecs, us) {
588 if (userlist_matches(pw, &us->users) != ALLOW)
591 tq_foreach_rev(&us->privileges, priv) {
592 host_match = hostlist_matches(&priv->hostlist);
593 if (host_match != ALLOW)
595 tq_foreach_rev(&priv->cmndlist, cs) {
596 runas_match = runaslist_matches(&cs->runasuserlist,
597 &cs->runasgrouplist);
598 if (runas_match == ALLOW) {
599 cmnd_match = cmnd_matches(cs->cmnd);
600 if (cmnd_match != UNSPEC) {
601 match = host_match && runas_match ?
610 if (match != NULL && !match->negated) {
611 printf("%s%s%s\n", safe_cmnd, user_args ? " " : "",
612 user_args ? user_args : "");
619 * Print the contents of a struct member to stdout
622 _print_member(lbuf, name, type, negated, alias_type)
625 int type, negated, alias_type;
629 struct sudo_command *c;
633 lbuf_append(lbuf, negated ? "!ALL" : "ALL", NULL);
636 c = (struct sudo_command *) name;
638 lbuf_append(lbuf, "!", NULL);
639 lbuf_append_quoted(lbuf, SUDOERS_QUOTED, c->cmnd, NULL);
641 lbuf_append(lbuf, " ", NULL);
642 lbuf_append_quoted(lbuf, SUDOERS_QUOTED, c->args, NULL);
646 if ((a = alias_find(name, alias_type)) != NULL) {
647 tq_foreach_fwd(&a->members, m) {
648 if (m != tq_first(&a->members))
649 lbuf_append(lbuf, ", ", NULL);
650 _print_member(lbuf, m->name, m->type,
651 negated ? !m->negated : m->negated, alias_type);
657 lbuf_append(lbuf, negated ? "!" : "", name, NULL);
663 print_member(lbuf, name, type, negated, alias_type)
666 int type, negated, alias_type;
669 _print_member(lbuf, name, type, negated, alias_type);
projects / debian / sudo / blob