2 * Copyright (c) 1999-2005, 2007-2013
3 * Todd C. Miller <Todd.Miller@courtesan.com>
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 * Sponsored in part by the Defense Advanced Research Projects
18 * Agency (DARPA) and Air Force Research Laboratory, Air Force
19 * Materiel Command, USAF, under agreement number F39502-99-1-0512.
24 #include <sys/types.h>
33 #endif /* STDC_HEADERS */
36 #endif /* HAVE_STRING_H */
39 #endif /* HAVE_STRINGS_H */
42 #endif /* HAVE_UNISTD_H */
51 * For converting between syslog numbers and strings.
58 #ifdef LOG_NFACILITIES
59 static struct strmap facilities[] = {
61 { "authpriv", LOG_AUTHPRIV },
64 { "daemon", LOG_DAEMON },
66 { "local0", LOG_LOCAL0 },
67 { "local1", LOG_LOCAL1 },
68 { "local2", LOG_LOCAL2 },
69 { "local3", LOG_LOCAL3 },
70 { "local4", LOG_LOCAL4 },
71 { "local5", LOG_LOCAL5 },
72 { "local6", LOG_LOCAL6 },
73 { "local7", LOG_LOCAL7 },
76 #endif /* LOG_NFACILITIES */
78 static struct strmap priorities[] = {
79 { "alert", LOG_ALERT },
81 { "debug", LOG_DEBUG },
82 { "emerg", LOG_EMERG },
85 { "notice", LOG_NOTICE },
86 { "warning", LOG_WARNING },
93 static bool store_int(char *, struct sudo_defs_types *, int);
94 static bool store_list(char *, struct sudo_defs_types *, int);
95 static bool store_mode(char *, struct sudo_defs_types *, int);
96 static bool store_str(char *, struct sudo_defs_types *, int);
97 static bool store_syslogfac(char *, struct sudo_defs_types *, int);
98 static bool store_syslogpri(char *, struct sudo_defs_types *, int);
99 static bool store_tuple(char *, struct sudo_defs_types *, int);
100 static bool store_uint(char *, struct sudo_defs_types *, int);
101 static bool store_float(char *, struct sudo_defs_types *, int);
102 static void list_op(char *, size_t, struct sudo_defs_types *, enum list_ops);
103 static const char *logfac2str(int);
104 static const char *logpri2str(int);
107 * Table describing compile-time and run-time options.
109 #include <def_data.c>
112 * Print version and configure info.
117 struct sudo_defs_types *cur;
118 struct list_member *item;
119 struct def_values *def;
121 debug_decl(dump_defaults, SUDO_DEBUG_DEFAULTS)
123 for (cur = sudo_defs_table; cur->name; cur++) {
126 switch (cur->type & T_MASK) {
129 sudo_printf(SUDO_CONV_INFO_MSG, "%s\n", desc);
132 if (cur->sd_un.str) {
133 sudo_printf(SUDO_CONV_INFO_MSG, desc, cur->sd_un.str);
134 sudo_printf(SUDO_CONV_INFO_MSG, "\n");
138 if (cur->sd_un.ival) {
139 sudo_printf(SUDO_CONV_INFO_MSG, desc,
140 logfac2str(cur->sd_un.ival));
141 sudo_printf(SUDO_CONV_INFO_MSG, "\n");
145 if (cur->sd_un.ival) {
146 sudo_printf(SUDO_CONV_INFO_MSG, desc,
147 logpri2str(cur->sd_un.ival));
148 sudo_printf(SUDO_CONV_INFO_MSG, "\n");
153 sudo_printf(SUDO_CONV_INFO_MSG, desc, cur->sd_un.ival);
154 sudo_printf(SUDO_CONV_INFO_MSG, "\n");
157 sudo_printf(SUDO_CONV_INFO_MSG, desc, cur->sd_un.fval);
158 sudo_printf(SUDO_CONV_INFO_MSG, "\n");
161 sudo_printf(SUDO_CONV_INFO_MSG, desc, cur->sd_un.mode);
162 sudo_printf(SUDO_CONV_INFO_MSG, "\n");
165 if (cur->sd_un.list) {
166 sudo_printf(SUDO_CONV_INFO_MSG, "%s\n", desc);
167 for (item = cur->sd_un.list; item; item = item->next) {
168 sudo_printf(SUDO_CONV_INFO_MSG,
169 "\t%s\n", item->value);
174 for (def = cur->values; def->sval; def++) {
175 if (cur->sd_un.ival == def->ival) {
176 sudo_printf(SUDO_CONV_INFO_MSG, desc, def->sval);
180 sudo_printf(SUDO_CONV_INFO_MSG, "\n");
189 * Sets/clears an entry in the defaults structure
190 * If a variable that takes a value is used in a boolean
191 * context with op == 0, disable that variable.
192 * Eg. you may want to turn off logging to a file for some hosts.
193 * This is only meaningful for variables that are *optional*.
196 set_default(char *var, char *val, int op)
198 struct sudo_defs_types *cur;
200 debug_decl(set_default, SUDO_DEBUG_DEFAULTS)
202 for (cur = sudo_defs_table, num = 0; cur->name; cur++, num++) {
203 if (strcmp(var, cur->name) == 0)
207 warningx(_("unknown defaults entry `%s'"), var);
208 debug_return_bool(false);
211 switch (cur->type & T_MASK) {
213 if (!store_syslogfac(val, cur, op)) {
215 warningx(_("value `%s' is invalid for option `%s'"),
218 warningx(_("no value specified for `%s'"), var);
219 debug_return_bool(false);
223 if (!store_syslogpri(val, cur, op)) {
225 warningx(_("value `%s' is invalid for option `%s'"),
228 warningx(_("no value specified for `%s'"), var);
229 debug_return_bool(false);
234 /* Check for bogus boolean usage or lack of a value. */
235 if (!ISSET(cur->type, T_BOOL) || op != false) {
236 warningx(_("no value specified for `%s'"), var);
237 debug_return_bool(false);
240 if (ISSET(cur->type, T_PATH) && val && *val != '/') {
241 warningx(_("values for `%s' must start with a '/'"), var);
242 debug_return_bool(false);
244 if (!store_str(val, cur, op)) {
245 warningx(_("value `%s' is invalid for option `%s'"), val, var);
246 debug_return_bool(false);
251 /* Check for bogus boolean usage or lack of a value. */
252 if (!ISSET(cur->type, T_BOOL) || op != false) {
253 warningx(_("no value specified for `%s'"), var);
254 debug_return_bool(false);
257 if (!store_int(val, cur, op)) {
258 warningx(_("value `%s' is invalid for option `%s'"), val, var);
259 debug_return_bool(false);
264 /* Check for bogus boolean usage or lack of a value. */
265 if (!ISSET(cur->type, T_BOOL) || op != false) {
266 warningx(_("no value specified for `%s'"), var);
267 debug_return_bool(false);
270 if (!store_uint(val, cur, op)) {
271 warningx(_("value `%s' is invalid for option `%s'"), val, var);
272 debug_return_bool(false);
277 /* Check for bogus boolean usage or lack of a value. */
278 if (!ISSET(cur->type, T_BOOL) || op != false) {
279 warningx(_("no value specified for `%s'"), var);
280 debug_return_bool(false);
283 if (!store_float(val, cur, op)) {
284 warningx(_("value `%s' is invalid for option `%s'"), val, var);
285 debug_return_bool(false);
290 /* Check for bogus boolean usage or lack of a value. */
291 if (!ISSET(cur->type, T_BOOL) || op != false) {
292 warningx(_("no value specified for `%s'"), var);
293 debug_return_bool(false);
296 if (!store_mode(val, cur, op)) {
297 warningx(_("value `%s' is invalid for option `%s'"), val, var);
298 debug_return_bool(false);
303 warningx(_("option `%s' does not take a value"), var);
304 debug_return_bool(false);
306 cur->sd_un.flag = op;
310 /* Check for bogus boolean usage or lack of a value. */
311 if (!ISSET(cur->type, T_BOOL) || op != false) {
312 warningx(_("no value specified for `%s'"), var);
313 debug_return_bool(false);
316 if (!store_list(val, cur, op)) {
317 warningx(_("value `%s' is invalid for option `%s'"), val, var);
318 debug_return_bool(false);
322 if (!val && !ISSET(cur->type, T_BOOL)) {
323 warningx(_("no value specified for `%s'"), var);
324 debug_return_bool(false);
326 if (!store_tuple(val, cur, op)) {
327 warningx(_("value `%s' is invalid for option `%s'"), val, var);
328 debug_return_bool(false);
333 debug_return_bool(true);
337 * Set default options to compiled-in values.
338 * Any of these may be overridden at runtime by a "Defaults" file.
343 static int firsttime = 1;
344 struct sudo_defs_types *def;
345 debug_decl(init_defaults, SUDO_DEBUG_DEFAULTS)
347 /* Clear any old settings. */
349 for (def = sudo_defs_table; def->name; def++) {
350 switch (def->type & T_MASK) {
352 efree(def->sd_un.str);
353 def->sd_un.str = NULL;
356 list_op(NULL, 0, def, freeall);
359 zero_bytes(&def->sd_un, sizeof(def->sd_un));
363 /* First initialize the flags. */
364 #ifdef LONG_OTP_PROMPT
365 def_long_otp_prompt = true;
367 #ifdef IGNORE_DOT_PATH
368 def_ignore_dot = true;
370 #ifdef ALWAYS_SEND_MAIL
371 def_mail_always = true;
373 #ifdef SEND_MAIL_WHEN_NO_USER
374 def_mail_no_user = true;
376 #ifdef SEND_MAIL_WHEN_NO_HOST
377 def_mail_no_host = true;
379 #ifdef SEND_MAIL_WHEN_NOT_OK
380 def_mail_no_perms = true;
382 #ifndef NO_TTY_TICKETS
383 def_tty_tickets = true;
388 #ifndef NO_AUTHENTICATION
389 def_authenticate = true;
392 def_root_sudo = true;
397 #ifdef SHELL_IF_NO_ARGS
398 def_shell_noargs = true;
400 #ifdef SHELL_SETS_HOME
403 #ifndef DONT_LEAK_PATH_INFO
404 def_path_info = true;
413 def_env_editor = true;
415 #ifdef UMASK_OVERRIDE
416 def_umask_override = true;
418 def_iolog_file = estrdup("%{seq}");
419 def_iolog_dir = estrdup(_PATH_SUDO_IO_LOGDIR);
420 def_sudoers_locale = estrdup("C");
421 def_env_reset = ENV_RESET;
422 def_set_logname = true;
423 def_closefrom = STDERR_FILENO + 1;
424 #ifdef NO_PAM_SESSION
425 def_pam_session = false;
427 def_pam_session = true;
430 /* Syslog options need special care since they both strings and ints */
431 #if (LOGGING & SLOG_SYSLOG)
432 (void) store_syslogfac(LOGFAC, &sudo_defs_table[I_SYSLOG], true);
433 (void) store_syslogpri(PRI_SUCCESS, &sudo_defs_table[I_SYSLOG_GOODPRI],
435 (void) store_syslogpri(PRI_FAILURE, &sudo_defs_table[I_SYSLOG_BADPRI],
439 /* Password flags also have a string and integer component. */
440 (void) store_tuple("any", &sudo_defs_table[I_LISTPW], true);
441 (void) store_tuple("all", &sudo_defs_table[I_VERIFYPW], true);
443 /* Then initialize the int-like things. */
445 def_umask = SUDO_UMASK;
449 def_loglinelen = MAXLOGFILELEN;
450 def_timestamp_timeout = TIMEOUT;
451 def_passwd_timeout = PASSWORD_TIMEOUT;
452 def_passwd_tries = TRIES_FOR_PASSWORD;
454 def_compress_io = true;
457 /* Now do the strings */
458 def_mailto = estrdup(MAILTO);
459 def_mailsub = estrdup(N_(MAILSUBJECT));
460 def_badpass_message = estrdup(_(INCORRECT_PASSWORD));
461 def_timestampdir = estrdup(_PATH_SUDO_TIMEDIR);
462 def_passprompt = estrdup(_(PASSPROMPT));
463 def_runas_default = estrdup(RUNAS_DEFAULT);
464 #ifdef _PATH_SUDO_SENDMAIL
465 def_mailerpath = estrdup(_PATH_SUDO_SENDMAIL);
466 def_mailerflags = estrdup("-t");
468 #if (LOGGING & SLOG_FILE)
469 def_logfile = estrdup(_PATH_SUDO_LOGFILE);
472 def_exempt_group = estrdup(EXEMPTGROUP);
475 def_secure_path = estrdup(SECURE_PATH);
477 def_editor = estrdup(EDITOR);
480 /* Finally do the lists (currently just environment tables). */
489 * Update the defaults based on what was set by sudoers.
490 * Pass in an OR'd list of which default types to update.
493 update_defaults(int what)
495 struct defaults *def;
497 debug_decl(update_defaults, SUDO_DEBUG_DEFAULTS)
499 tq_foreach_fwd(&defaults, def) {
502 if (ISSET(what, SETDEF_GENERIC) &&
503 !set_default(def->var, def->val, def->op))
508 if (ISSET(what, SETDEF_USER)) {
510 m = userlist_matches(sudo_user.pw, &def->binding);
512 if (!set_default(def->var, def->val, def->op))
517 if (ISSET(what, SETDEF_USER) &&
518 userlist_matches(sudo_user.pw, &def->binding) == ALLOW &&
519 !set_default(def->var, def->val, def->op))
524 if (ISSET(what, SETDEF_RUNAS) &&
525 runaslist_matches(&def->binding, NULL, NULL, NULL) == ALLOW &&
526 !set_default(def->var, def->val, def->op))
530 if (ISSET(what, SETDEF_HOST) &&
531 hostlist_matches(&def->binding) == ALLOW &&
532 !set_default(def->var, def->val, def->op))
536 if (ISSET(what, SETDEF_CMND) &&
537 cmndlist_matches(&def->binding) == ALLOW &&
538 !set_default(def->var, def->val, def->op))
543 debug_return_bool(rc);
547 * Check the defaults entries without actually setting them.
548 * Pass in an OR'd list of which default types to check.
551 check_defaults(int what, bool quiet)
553 struct sudo_defs_types *cur;
554 struct defaults *def;
556 debug_decl(check_defaults, SUDO_DEBUG_DEFAULTS)
558 tq_foreach_fwd(&defaults, def) {
561 if (!ISSET(what, SETDEF_GENERIC))
565 if (!ISSET(what, SETDEF_USER))
569 if (!ISSET(what, SETDEF_RUNAS))
573 if (!ISSET(what, SETDEF_HOST))
577 if (!ISSET(what, SETDEF_CMND))
581 for (cur = sudo_defs_table; cur->name != NULL; cur++) {
582 if (strcmp(def->var, cur->name) == 0)
585 if (cur->name == NULL) {
587 warningx(_("unknown defaults entry `%s'"), def->var);
591 debug_return_bool(rc);
595 store_int(char *val, struct sudo_defs_types *def, int op)
599 debug_decl(store_int, SUDO_DEBUG_DEFAULTS)
604 l = strtol(val, &endp, 10);
606 debug_return_bool(false);
607 /* XXX - should check against INT_MAX */
608 def->sd_un.ival = (int)l;
611 debug_return_bool(def->callback(val));
612 debug_return_bool(true);
616 store_uint(char *val, struct sudo_defs_types *def, int op)
620 debug_decl(store_uint, SUDO_DEBUG_DEFAULTS)
625 l = strtol(val, &endp, 10);
626 if (*endp != '\0' || l < 0)
627 debug_return_bool(false);
628 /* XXX - should check against INT_MAX */
629 def->sd_un.ival = (unsigned int)l;
632 debug_return_bool(def->callback(val));
633 debug_return_bool(true);
637 store_float(char *val, struct sudo_defs_types *def, int op)
641 debug_decl(store_float, SUDO_DEBUG_DEFAULTS)
644 def->sd_un.fval = 0.0;
646 d = strtod(val, &endp);
648 debug_return_bool(false);
649 /* XXX - should check against HUGE_VAL */
653 debug_return_bool(def->callback(val));
654 debug_return_bool(true);
658 store_tuple(char *val, struct sudo_defs_types *def, int op)
660 struct def_values *v;
661 debug_decl(store_tuple, SUDO_DEBUG_DEFAULTS)
664 * Since enums are really just ints we store the value as an ival.
665 * In the future, there may be multiple enums for different tuple
666 * types we want to avoid and special knowledge of the tuple type.
667 * This does assume that the first entry in the tuple enum will
668 * be the equivalent to a boolean "false".
671 def->sd_un.ival = (op == false) ? 0 : 1;
673 for (v = def->values; v->sval != NULL; v++) {
674 if (strcmp(v->sval, val) == 0) {
675 def->sd_un.ival = v->ival;
680 debug_return_bool(false);
683 debug_return_bool(def->callback(val));
684 debug_return_bool(true);
688 store_str(char *val, struct sudo_defs_types *def, int op)
690 debug_decl(store_str, SUDO_DEBUG_DEFAULTS)
692 efree(def->sd_un.str);
694 def->sd_un.str = NULL;
696 def->sd_un.str = estrdup(val);
698 debug_return_bool(def->callback(val));
699 debug_return_bool(true);
703 store_list(char *str, struct sudo_defs_types *def, int op)
706 debug_decl(store_list, SUDO_DEBUG_DEFAULTS)
708 /* Remove all old members. */
709 if (op == false || op == true)
710 list_op(NULL, 0, def, freeall);
712 /* Split str into multiple space-separated words and act on each one. */
716 /* Remove leading blanks, if nothing but blanks we are done. */
717 for (start = end; isblank((unsigned char)*start); start++)
722 /* Find end position and perform operation. */
723 for (end = start; *end && !isblank((unsigned char)*end); end++)
725 list_op(start, end - start, def, op == '-' ? delete : add);
726 } while (*end++ != '\0');
728 debug_return_bool(true);
732 store_syslogfac(char *val, struct sudo_defs_types *def, int op)
735 debug_decl(store_syslogfac, SUDO_DEBUG_DEFAULTS)
738 def->sd_un.ival = false;
739 debug_return_bool(true);
741 #ifdef LOG_NFACILITIES
743 debug_return_bool(false);
744 for (fac = facilities; fac->name && strcmp(val, fac->name); fac++)
746 if (fac->name == NULL)
747 debug_return_bool(false); /* not found */
749 def->sd_un.ival = fac->num;
751 def->sd_un.ival = -1;
752 #endif /* LOG_NFACILITIES */
753 debug_return_bool(true);
759 #ifdef LOG_NFACILITIES
761 debug_decl(logfac2str, SUDO_DEBUG_DEFAULTS)
763 for (fac = facilities; fac->name && fac->num != n; fac++)
765 debug_return_str(fac->name);
768 #endif /* LOG_NFACILITIES */
772 store_syslogpri(char *val, struct sudo_defs_types *def, int op)
775 debug_decl(store_syslogpri, SUDO_DEBUG_DEFAULTS)
777 if (op == false || !val)
778 debug_return_bool(false);
780 for (pri = priorities; pri->name && strcmp(val, pri->name); pri++)
782 if (pri->name == NULL)
783 debug_return_bool(false); /* not found */
785 def->sd_un.ival = pri->num;
786 debug_return_bool(true);
793 debug_decl(logpri2str, SUDO_DEBUG_DEFAULTS)
795 for (pri = priorities; pri->name && pri->num != n; pri++)
797 debug_return_str(pri->name);
801 store_mode(char *val, struct sudo_defs_types *def, int op)
805 debug_decl(store_mode, SUDO_DEBUG_DEFAULTS)
808 def->sd_un.mode = (mode_t)0777;
810 l = strtol(val, &endp, 8);
811 if (*endp != '\0' || l < 0 || l > 0777)
812 debug_return_bool(false);
813 def->sd_un.mode = (mode_t)l;
816 debug_return_bool(def->callback(val));
817 debug_return_bool(true);
821 list_op(char *val, size_t len, struct sudo_defs_types *def, enum list_ops op)
823 struct list_member *cur, *prev, *tmp;
824 debug_decl(list_op, SUDO_DEBUG_DEFAULTS)
827 for (cur = def->sd_un.list; cur; ) {
833 def->sd_un.list = NULL;
837 for (cur = def->sd_un.list, prev = NULL; cur; prev = cur, cur = cur->next) {
838 if ((strncmp(cur->value, val, len) == 0 && cur->value[len] == '\0')) {
841 debug_return; /* already exists */
845 prev->next = cur->next;
847 def->sd_un.list = cur->next;
854 /* Add new node to the head of the list. */
856 cur = ecalloc(1, sizeof(struct list_member));
857 cur->value = estrndup(val, len);
858 cur->next = def->sd_un.list;
859 def->sd_un.list = cur;