2 * Copyright (c) 1996, 1998-2005, 2007-2013
3 * Todd C. Miller <Todd.Miller@courtesan.com>
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
17 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
19 * Sponsored in part by the Defense Advanced Research Projects
20 * Agency (DARPA) and Air Force Research Laboratory, Air Force
21 * Materiel Command, USAF, under agreement number F39502-99-1-0512.
26 #include <sys/types.h>
36 #endif /* STDC_HEADERS */
39 #endif /* HAVE_STRING_H */
42 #endif /* HAVE_STRINGS_H */
43 #if defined(HAVE_STDINT_H)
45 #elif defined(HAVE_INTTYPES_H)
46 # include <inttypes.h>
50 #endif /* HAVE_UNISTD_H */
54 # include "compat/fnmatch.h"
55 #endif /* HAVE_FNMATCH */
56 #ifndef SUDOERS_NAME_MATCH
60 # include "compat/glob.h"
61 # endif /* HAVE_GLOB */
62 #endif /* SUDOERS_NAME_MATCH */
63 #ifdef HAVE_NETGROUP_H
64 # include <netgroup.h>
67 #endif /* HAVE_NETGROUP_H */
70 # define NAMLEN(dirent) strlen((dirent)->d_name)
72 # define dirent direct
73 # define NAMLEN(dirent) (dirent)->d_namlen
74 # ifdef HAVE_SYS_NDIR_H
75 # include <sys/ndir.h>
77 # ifdef HAVE_SYS_DIR_H
94 static struct member_list empty;
96 static bool command_matches_dir(char *, size_t);
97 #ifndef SUDOERS_NAME_MATCH
98 static bool command_matches_glob(char *, char *);
100 static bool command_matches_fnmatch(char *, char *);
101 static bool command_matches_normal(char *, char *, struct sudo_digest *);
104 * Returns true if string 's' contains meta characters.
106 #define has_meta(s) (strpbrk(s, "\\?*[]") != NULL)
109 * Check for user described by pw in a list of members.
110 * Returns ALLOW, DENY or UNSPEC.
113 userlist_matches(struct passwd *pw, struct member_list *list)
117 int rval, matched = UNSPEC;
118 debug_decl(userlist_matches, SUDO_DEBUG_MATCH)
120 tq_foreach_rev(list, m) {
123 matched = !m->negated;
126 if (netgr_matches(m->name, NULL, NULL, pw->pw_name))
127 matched = !m->negated;
130 if (usergr_matches(m->name, pw->pw_name, pw))
131 matched = !m->negated;
134 if ((a = alias_get(m->name, USERALIAS)) != NULL) {
135 rval = userlist_matches(pw, &a->members);
137 matched = m->negated ? !rval : rval;
143 if (userpw_matches(m->name, pw->pw_name, pw))
144 matched = !m->negated;
147 if (matched != UNSPEC)
150 debug_return_bool(matched);
154 * Check for user described by pw in a list of members.
155 * If both lists are empty compare against def_runas_default.
156 * Returns ALLOW, DENY or UNSPEC.
159 runaslist_matches(struct member_list *user_list,
160 struct member_list *group_list, struct member **matching_user,
161 struct member **matching_group)
166 int user_matched = UNSPEC;
167 int group_matched = UNSPEC;
168 debug_decl(runaslist_matches, SUDO_DEBUG_MATCH)
170 if (runas_pw != NULL) {
171 /* If no runas user or runas group listed in sudoers, use default. */
172 if (tq_empty(user_list) && tq_empty(group_list))
173 debug_return_int(userpw_matches(def_runas_default, runas_pw->pw_name, runas_pw));
175 tq_foreach_rev(user_list, m) {
178 user_matched = !m->negated;
181 if (netgr_matches(m->name, NULL, NULL, runas_pw->pw_name))
182 user_matched = !m->negated;
185 if (usergr_matches(m->name, runas_pw->pw_name, runas_pw))
186 user_matched = !m->negated;
189 if ((a = alias_get(m->name, RUNASALIAS)) != NULL) {
190 rval = runaslist_matches(&a->members, &empty,
191 matching_user, NULL);
193 user_matched = m->negated ? !rval : rval;
199 if (userpw_matches(m->name, runas_pw->pw_name, runas_pw))
200 user_matched = !m->negated;
203 if (!ISSET(sudo_user.flags, RUNAS_USER_SPECIFIED) ||
204 strcmp(user_name, runas_pw->pw_name) == 0)
205 user_matched = !m->negated;
208 if (user_matched != UNSPEC) {
209 if (matching_user != NULL && m->type != ALIAS)
216 if (runas_gr != NULL) {
217 if (user_matched == UNSPEC) {
218 if (runas_pw == NULL || strcmp(runas_pw->pw_name, user_name) == 0)
219 user_matched = ALLOW; /* only changing group */
221 tq_foreach_rev(group_list, m) {
224 group_matched = !m->negated;
227 if ((a = alias_get(m->name, RUNASALIAS)) != NULL) {
228 rval = runaslist_matches(&empty, &a->members,
229 NULL, matching_group);
231 group_matched = m->negated ? !rval : rval;
237 if (group_matches(m->name, runas_gr))
238 group_matched = !m->negated;
241 if (group_matched != UNSPEC) {
242 if (matching_group != NULL && m->type != ALIAS)
247 if (group_matched == UNSPEC) {
248 if (runas_pw != NULL && runas_pw->pw_gid == runas_gr->gr_gid)
249 group_matched = ALLOW; /* runas group matches passwd db */
253 if (user_matched == DENY || group_matched == DENY)
254 debug_return_int(DENY);
255 if (user_matched == group_matched || runas_gr == NULL)
256 debug_return_int(user_matched);
257 debug_return_int(UNSPEC);
261 * Check for host and shost in a list of members.
262 * Returns ALLOW, DENY or UNSPEC.
265 hostlist_matches(struct member_list *list)
269 int rval, matched = UNSPEC;
270 debug_decl(hostlist_matches, SUDO_DEBUG_MATCH)
272 tq_foreach_rev(list, m) {
275 matched = !m->negated;
278 if (netgr_matches(m->name, user_host, user_shost, NULL))
279 matched = !m->negated;
282 if (addr_matches(m->name))
283 matched = !m->negated;
286 if ((a = alias_get(m->name, HOSTALIAS)) != NULL) {
287 rval = hostlist_matches(&a->members);
289 matched = m->negated ? !rval : rval;
295 if (hostname_matches(user_shost, user_host, m->name))
296 matched = !m->negated;
299 if (matched != UNSPEC)
302 debug_return_bool(matched);
306 * Check for cmnd and args in a list of members.
307 * Returns ALLOW, DENY or UNSPEC.
310 cmndlist_matches(struct member_list *list)
313 int matched = UNSPEC;
314 debug_decl(cmndlist_matches, SUDO_DEBUG_MATCH)
316 tq_foreach_rev(list, m) {
317 matched = cmnd_matches(m);
318 if (matched != UNSPEC)
321 debug_return_bool(matched);
325 * Check cmnd and args.
326 * Returns ALLOW, DENY or UNSPEC.
329 cmnd_matches(struct member *m)
332 struct sudo_command *c;
333 int rval, matched = UNSPEC;
334 debug_decl(cmnd_matches, SUDO_DEBUG_MATCH)
338 matched = !m->negated;
341 if ((a = alias_get(m->name, CMNDALIAS)) != NULL) {
342 rval = cmndlist_matches(&a->members);
344 matched = m->negated ? !rval : rval;
349 c = (struct sudo_command *)m->name;
350 if (command_matches(c->cmnd, c->args, c->digest))
351 matched = !m->negated;
354 debug_return_bool(matched);
358 command_args_match(char *sudoers_cmnd, char *sudoers_args)
361 debug_decl(command_args_match, SUDO_DEBUG_MATCH)
364 * If no args specified in sudoers, any user args are allowed.
365 * If the empty string is specified in sudoers, no user args are allowed.
368 (!user_args && sudoers_args && !strcmp("\"\"", sudoers_args)))
369 debug_return_bool(true);
371 * If args are specified in sudoers, they must match the user args.
372 * If running as sudoedit, all args are assumed to be paths.
375 /* For sudoedit, all args are assumed to be pathnames. */
376 if (strcmp(sudoers_cmnd, "sudoedit") == 0)
377 flags = FNM_PATHNAME;
378 if (fnmatch(sudoers_args, user_args ? user_args : "", flags) == 0)
379 debug_return_bool(true);
381 debug_return_bool(false);
385 * If path doesn't end in /, return true iff cmnd & path name the same inode;
386 * otherwise, return true if user_cmnd names one of the inodes in path.
389 command_matches(char *sudoers_cmnd, char *sudoers_args, struct sudo_digest *digest)
391 debug_decl(command_matches, SUDO_DEBUG_MATCH)
393 /* Check for pseudo-commands */
394 if (sudoers_cmnd[0] != '/') {
396 * Return true if both sudoers_cmnd and user_cmnd are "sudoedit" AND
397 * a) there are no args in sudoers OR
398 * b) there are no args on command line and none req by sudoers OR
399 * c) there are args in sudoers and on command line and they match
401 if (strcmp(sudoers_cmnd, "sudoedit") != 0 ||
402 strcmp(user_cmnd, "sudoedit") != 0)
403 debug_return_bool(false);
404 if (command_args_match(sudoers_cmnd, sudoers_args)) {
406 safe_cmnd = estrdup(sudoers_cmnd);
407 debug_return_bool(true);
409 debug_return_bool(false);
412 if (has_meta(sudoers_cmnd)) {
414 * If sudoers_cmnd has meta characters in it, we need to
415 * use glob(3) and/or fnmatch(3) to do the matching.
417 #ifdef SUDOERS_NAME_MATCH
418 debug_return_bool(command_matches_fnmatch(sudoers_cmnd, sudoers_args));
421 debug_return_bool(command_matches_fnmatch(sudoers_cmnd, sudoers_args));
422 debug_return_bool(command_matches_glob(sudoers_cmnd, sudoers_args));
425 debug_return_bool(command_matches_normal(sudoers_cmnd, sudoers_args, digest));
429 command_matches_fnmatch(char *sudoers_cmnd, char *sudoers_args)
431 debug_decl(command_matches_fnmatch, SUDO_DEBUG_MATCH)
434 * Return true if fnmatch(3) succeeds AND
435 * a) there are no args in sudoers OR
436 * b) there are no args on command line and none required by sudoers OR
437 * c) there are args in sudoers and on command line and they match
440 if (fnmatch(sudoers_cmnd, user_cmnd, FNM_PATHNAME) != 0)
441 debug_return_bool(false);
442 if (command_args_match(sudoers_cmnd, sudoers_args)) {
445 safe_cmnd = estrdup(user_cmnd);
446 debug_return_bool(true);
448 debug_return_bool(false);
451 #ifndef SUDOERS_NAME_MATCH
453 command_matches_glob(char *sudoers_cmnd, char *sudoers_args)
455 struct stat sudoers_stat;
457 char **ap, *base, *cp;
459 debug_decl(command_matches_glob, SUDO_DEBUG_MATCH)
462 * First check to see if we can avoid the call to glob(3).
463 * Short circuit if there are no meta chars in the command itself
464 * and user_base and basename(sudoers_cmnd) don't match.
466 dlen = strlen(sudoers_cmnd);
467 if (sudoers_cmnd[dlen - 1] != '/') {
468 if ((base = strrchr(sudoers_cmnd, '/')) != NULL) {
470 if (!has_meta(base) && strcmp(user_base, base) != 0)
471 debug_return_bool(false);
475 * Return true if we find a match in the glob(3) results AND
476 * a) there are no args in sudoers OR
477 * b) there are no args on command line and none required by sudoers OR
478 * c) there are args in sudoers and on command line and they match
481 if (glob(sudoers_cmnd, GLOB_NOSORT, NULL, &gl) != 0 || gl.gl_pathc == 0) {
483 debug_return_bool(false);
485 /* For each glob match, compare basename, st_dev and st_ino. */
486 for (ap = gl.gl_pathv; (cp = *ap) != NULL; ap++) {
487 /* If it ends in '/' it is a directory spec. */
489 if (cp[dlen - 1] == '/') {
490 if (command_matches_dir(cp, dlen))
491 debug_return_bool(true);
495 /* Only proceed if user_base and basename(cp) match */
496 if ((base = strrchr(cp, '/')) != NULL)
500 if (strcmp(user_base, base) != 0 ||
501 stat(cp, &sudoers_stat) == -1)
503 if (user_stat == NULL ||
504 (user_stat->st_dev == sudoers_stat.st_dev &&
505 user_stat->st_ino == sudoers_stat.st_ino)) {
507 safe_cmnd = estrdup(cp);
513 debug_return_bool(false);
515 if (command_args_match(sudoers_cmnd, sudoers_args)) {
517 safe_cmnd = estrdup(user_cmnd);
518 debug_return_bool(true);
520 debug_return_bool(false);
522 #endif /* SUDOERS_NAME_MATCH */
524 #ifdef SUDOERS_NAME_MATCH
526 command_matches_normal(char *sudoers_cmnd, char *sudoers_args, struct sudo_digest *digest)
529 debug_decl(command_matches_normal, SUDO_DEBUG_MATCH)
531 dlen = strlen(sudoers_cmnd);
533 /* If it ends in '/' it is a directory spec. */
534 if (sudoers_cmnd[dlen - 1] == '/')
535 debug_return_bool(command_matches_dir(sudoers_cmnd, dlen));
537 if (strcmp(user_cmnd, sudoers_cmnd) == 0) {
538 if (command_args_match(sudoers_cmnd, sudoers_args)) {
540 safe_cmnd = estrdup(sudoers_cmnd);
541 debug_return_bool(true);
544 debug_return_bool(false);
546 #else /* !SUDOERS_NAME_MATCH */
548 static struct digest_function {
549 const char *digest_name;
550 const unsigned int digest_len;
551 void (*init)(SHA2_CTX *);
552 void (*update)(SHA2_CTX *, const unsigned char *, size_t);
553 void (*final)(unsigned char *, SHA2_CTX *);
554 } digest_functions[] = {
557 SHA224_DIGEST_LENGTH,
563 SHA256_DIGEST_LENGTH,
569 SHA384_DIGEST_LENGTH,
575 SHA512_DIGEST_LENGTH,
585 digest_matches(char *file, struct sudo_digest *sd)
587 unsigned char file_digest[SHA512_DIGEST_LENGTH];
588 unsigned char sudoers_digest[SHA512_DIGEST_LENGTH];
589 unsigned char buf[32 * 1024];
590 struct digest_function *func = NULL;
595 debug_decl(digest_matches, SUDO_DEBUG_MATCH)
597 for (i = 0; digest_functions[i].digest_name != NULL; i++) {
598 if (sd->digest_type == i) {
599 func = &digest_functions[i];
604 warningx(_("unsupported digest type %d for %s"), sd->digest_type, file);
605 debug_return_bool(false);
607 if (strlen(sd->digest_str) == func->digest_len * 2) {
608 /* Convert the command digest from ascii hex to binary. */
609 for (i = 0; i < func->digest_len; i++) {
610 if (!isxdigit((unsigned char)sd->digest_str[i + i]) ||
611 !isxdigit((unsigned char)sd->digest_str[i + i + 1])) {
614 sudoers_digest[i] = hexchar(&sd->digest_str[i + i]);
617 size_t len = base64_decode(sd->digest_str, sudoers_digest,
618 sizeof(sudoers_digest));
619 if (len != func->digest_len)
623 if ((fp = fopen(file, "r")) == NULL) {
624 sudo_debug_printf(SUDO_DEBUG_INFO, "unable to open %s: %s",
625 file, strerror(errno));
626 debug_return_bool(false);
630 while ((nread = fread(buf, 1, sizeof(buf), fp)) != 0) {
631 func->update(&ctx, buf, nread);
634 warningx(_("%s: read error"), file);
636 debug_return_bool(false);
639 func->final(file_digest, &ctx);
641 debug_return_bool(memcmp(file_digest, sudoers_digest, func->digest_len) == 0);
643 warningx(_("digest for %s (%s) is not in %s form"), file,
644 sd->digest_str, func->digest_name);
645 debug_return_bool(false);
649 command_matches_normal(char *sudoers_cmnd, char *sudoers_args, struct sudo_digest *digest)
651 struct stat sudoers_stat;
654 debug_decl(command_matches_normal, SUDO_DEBUG_MATCH)
656 /* If it ends in '/' it is a directory spec. */
657 dlen = strlen(sudoers_cmnd);
658 if (sudoers_cmnd[dlen - 1] == '/')
659 debug_return_bool(command_matches_dir(sudoers_cmnd, dlen));
661 /* Only proceed if user_base and basename(sudoers_cmnd) match */
662 if ((base = strrchr(sudoers_cmnd, '/')) == NULL)
666 if (strcmp(user_base, base) != 0 ||
667 stat(sudoers_cmnd, &sudoers_stat) == -1)
668 debug_return_bool(false);
671 * Return true if inode/device matches AND
672 * a) there are no args in sudoers OR
673 * b) there are no args on command line and none req by sudoers OR
674 * c) there are args in sudoers and on command line and they match
675 * d) there is a digest and it matches
677 if (user_stat != NULL &&
678 (user_stat->st_dev != sudoers_stat.st_dev ||
679 user_stat->st_ino != sudoers_stat.st_ino))
680 debug_return_bool(false);
681 if (!command_args_match(sudoers_cmnd, sudoers_args))
682 debug_return_bool(false);
683 if (digest != NULL && !digest_matches(sudoers_cmnd, digest)) {
684 /* XXX - log functions not available but we should log very loudly */
685 debug_return_bool(false);
688 safe_cmnd = estrdup(sudoers_cmnd);
689 debug_return_bool(true);
691 #endif /* SUDOERS_NAME_MATCH */
693 #ifdef SUDOERS_NAME_MATCH
695 * Return true if user_cmnd begins with sudoers_dir, else false.
696 * Note that sudoers_dir include the trailing '/'
699 command_matches_dir(char *sudoers_dir, size_t dlen)
701 debug_decl(command_matches_dir, SUDO_DEBUG_MATCH)
702 debug_return_bool(strncmp(user_cmnd, sudoers_dir, dlen) == 0);
704 #else /* !SUDOERS_NAME_MATCH */
706 * Return true if user_cmnd names one of the inodes in dir, else false.
709 command_matches_dir(char *sudoers_dir, size_t dlen)
711 struct stat sudoers_stat;
715 debug_decl(command_matches_dir, SUDO_DEBUG_MATCH)
718 * Grot through directory entries, looking for user_base.
720 dirp = opendir(sudoers_dir);
722 debug_return_bool(false);
724 if (strlcpy(buf, sudoers_dir, sizeof(buf)) >= sizeof(buf)) {
726 debug_return_bool(false);
728 while ((dent = readdir(dirp)) != NULL) {
729 /* ignore paths > PATH_MAX (XXX - log) */
731 if (strlcat(buf, dent->d_name, sizeof(buf)) >= sizeof(buf))
734 /* only stat if basenames are the same */
735 if (strcmp(user_base, dent->d_name) != 0 ||
736 stat(buf, &sudoers_stat) == -1)
738 if (user_stat == NULL ||
739 (user_stat->st_dev == sudoers_stat.st_dev &&
740 user_stat->st_ino == sudoers_stat.st_ino)) {
742 safe_cmnd = estrdup(buf);
748 debug_return_bool(dent != NULL);
750 #endif /* SUDOERS_NAME_MATCH */
753 * Returns true if the hostname matches the pattern, else false
756 hostname_matches(char *shost, char *lhost, char *pattern)
758 debug_decl(hostname_matches, SUDO_DEBUG_MATCH)
760 if (has_meta(pattern)) {
761 if (strchr(pattern, '.'))
762 debug_return_bool(!fnmatch(pattern, lhost, FNM_CASEFOLD));
764 debug_return_bool(!fnmatch(pattern, shost, FNM_CASEFOLD));
766 if (strchr(pattern, '.'))
767 debug_return_bool(!strcasecmp(lhost, pattern));
769 debug_return_bool(!strcasecmp(shost, pattern));
774 * Returns true if the user/uid from sudoers matches the specified user/uid,
775 * else returns false.
778 userpw_matches(char *sudoers_user, char *user, struct passwd *pw)
780 debug_decl(userpw_matches, SUDO_DEBUG_MATCH)
782 if (pw != NULL && *sudoers_user == '#') {
783 uid_t uid = (uid_t) atoi(sudoers_user + 1);
784 if (uid == pw->pw_uid)
785 debug_return_bool(true);
787 debug_return_bool(strcmp(sudoers_user, user) == 0);
791 * Returns true if the group/gid from sudoers matches the specified group/gid,
792 * else returns false.
795 group_matches(char *sudoers_group, struct group *gr)
797 debug_decl(group_matches, SUDO_DEBUG_MATCH)
799 if (*sudoers_group == '#') {
800 gid_t gid = (gid_t) atoi(sudoers_group + 1);
801 if (gid == gr->gr_gid)
802 debug_return_bool(true);
804 debug_return_bool(strcmp(gr->gr_name, sudoers_group) == 0);
808 * Returns true if the given user belongs to the named group,
809 * else returns false.
812 usergr_matches(char *group, char *user, struct passwd *pw)
815 struct passwd *pw0 = NULL;
816 debug_decl(usergr_matches, SUDO_DEBUG_MATCH)
818 /* make sure we have a valid usergroup, sudo style */
822 if (*group == ':' && def_group_plugin) {
823 matched = group_plugin_query(user, group + 1, pw);
827 /* look up user's primary gid in the passwd file */
829 if ((pw0 = sudo_getpwnam(user)) == NULL)
834 if (user_in_group(pw, group)) {
839 /* not a Unix group, could be an external group */
840 if (def_group_plugin && group_plugin_query(user, group, pw)) {
849 debug_return_bool(matched);
854 * Get NIS-style domain name and return a malloc()ed copy or NULL if none.
857 sudo_getdomainname(void)
860 #ifdef HAVE_GETDOMAINNAME
863 buf = emalloc(HOST_NAME_MAX + 1);
864 if (getdomainname(buf, HOST_NAME_MAX + 1) == 0 && *buf != '\0') {
866 for (cp = buf; *cp != '\0'; cp++) {
867 /* Check for illegal characters, Linux may use "(none)". */
868 if (*cp == '(' || *cp == ')' || *cp == ',' || *cp == ' ') {
876 #endif /* HAVE_GETDOMAINNAME */
879 #endif /* HAVE_INNETGR */
882 * Returns true if "host" and "user" belong to the netgroup "netgr",
883 * else return false. Either of "host", "shost" or "user" may be NULL
884 * in which case that argument is not checked...
886 * XXX - swap order of host & shost
889 netgr_matches(char *netgr, char *lhost, char *shost, char *user)
893 static int initialized;
895 debug_decl(netgr_matches, SUDO_DEBUG_MATCH)
898 /* make sure we have a valid netgroup, sudo style */
900 debug_return_bool(false);
902 /* get the domain name (if any) */
904 domain = sudo_getdomainname();
908 if (innetgr(netgr, lhost, user, domain))
909 debug_return_bool(true);
910 else if (lhost != shost && innetgr(netgr, shost, user, domain))
911 debug_return_bool(true);
912 #endif /* HAVE_INNETGR */
914 debug_return_bool(false);