2 * Copyright (c) 1996, 1998-2000, 2004, 2007-2013
3 * Todd C. Miller <Todd.Miller@courtesan.com>
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 #ifndef _SUDOERS_PARSE_H
19 #define _SUDOERS_PARSE_H
30 #define SUDO_DIGEST_SHA224 0
31 #define SUDO_DIGEST_SHA256 1
32 #define SUDO_DIGEST_SHA384 2
33 #define SUDO_DIGEST_SHA512 3
34 #define SUDO_DIGEST_INVALID 4
42 * A command with option args and digest.
43 * XXX - merge into struct member
48 struct sudo_digest *digest;
52 * Tags associated with a command.
53 * Possible values: true, false, IMPLIED, UNSPEC.
56 __signed int nopasswd: 3;
57 __signed int noexec: 3;
58 __signed int setenv: 3;
59 __signed int log_input: 3;
60 __signed int log_output: 3;
64 * SELinux-specific container struct.
65 * Currently just contains a role and type.
73 * Solaris privileges container struct
74 * Currently just contains permitted and limit privileges.
75 * It could have PFEXEC and PRIV_AWARE flags added in the future.
77 struct solaris_privs_info {
83 * The parsed sudoers file is stored as a collection of linked lists,
84 * modelled after the yacc grammar.
86 * Other than the alias struct, which is stored in a red-black tree,
87 * the data structure used is basically a doubly-linked tail queue without
88 * a separate head struct--the first entry acts as the head where the prev
89 * pointer does double duty as the tail pointer. This makes it possible
90 * to trivially append sub-lists. In addition, the prev pointer is always
91 * valid (even if it points to itself). Unlike a circle queue, the next
92 * pointer of the last entry is NULL and does not point back to the head.
94 * Note that each list struct must contain a "prev" and "next" pointer as
95 * the first two members of the struct (in that order).
99 * Tail queue list head structure.
104 TQ_DECLARE(privilege)
108 * Structure describing a user specification and list thereof.
111 struct userspec *prev, *next;
112 struct member_list users; /* list of users */
113 struct privilege_list privileges; /* list of privileges */
117 * Structure describing a privilege specification.
120 struct privilege *prev, *next;
121 struct member_list hostlist; /* list of hosts */
122 struct cmndspec_list cmndlist; /* list of Cmnd_Specs */
126 * Structure describing a linked list of Cmnd_Specs.
129 struct cmndspec *prev, *next;
130 struct member_list runasuserlist; /* list of runas users */
131 struct member_list runasgrouplist; /* list of runas groups */
132 struct member *cmnd; /* command to allow/deny */
133 char *digest; /* optional command digest */
134 struct cmndtag tags; /* tag specification */
136 char *role, *type; /* SELinux role and type */
139 char *privs, *limitprivs; /* Solaris privilege sets */
144 * Generic structure to hold users, hosts, commands.
147 struct member *prev, *next;
148 char *name; /* member name */
149 short type; /* type (see gram.h) */
150 short negated; /* negated via '!'? */
153 struct runascontainer {
154 struct member *runasusers;
155 struct member *runasgroups;
159 * Generic structure to hold {User,Host,Runas,Cmnd}_Alias
160 * Aliases are stored in a red-black tree, sorted by name and type.
163 char *name; /* alias name */
164 unsigned short type; /* {USER,HOST,RUNAS,CMND}ALIAS */
165 bool used; /* "used" flag for cycle detection */
166 struct member_list members; /* list of alias members */
170 * Structure describing a Defaults entry and a list thereof.
173 struct defaults *prev, *next;
174 char *var; /* variable name */
175 char *val; /* variable value */
176 struct member_list binding; /* user/host/runas binding */
177 int type; /* DEFAULTS{,_USER,_RUNAS,_HOST} */
178 int op; /* true, false, '+', '-' */
182 * Parsed sudoers info.
184 extern struct userspec_list userspecs;   /* all parsed User_Spec entries, head of the tail queue */
185 extern struct defaults_list defaults;    /* all parsed Defaults entries, head of the tail queue */
/*
 * Alias table interface.
 * The struct alias comment above states that aliases live in a red-black
 * tree sorted by name and type; the lookups below are therefore keyed by
 * the (name, type) pair.  Return and ownership semantics are not visible
 * in this header -- the notes marked "confirm" are reviewer assumptions.
 */
188 bool no_aliases(void);                                       /* presumably true when the tree is empty -- confirm */
189 char *alias_add(char *name, int type, struct member *members); /* returns char *: likely an error string or NULL on success -- confirm; who owns `members` afterwards is not stated here */
190 int alias_compare(const void *a1, const void *a2);            /* (const void *, const void *) comparator shape; presumably orders by name, then type -- confirm */
191 struct alias *alias_get(char *name, int type);                /* lookup by (name, type) */
192 struct alias *alias_remove(char *name, int type);             /* lookup and unlink by (name, type); presumably the caller then owns the node -- confirm */
193 void alias_apply(int (*func)(void *, void *), void *cookie);  /* calls func(alias, cookie) for each alias; iteration order and the meaning of func's return are not stated here */
194 void alias_free(void *a);                                     /* void * parameter so it can serve as a generic destructor callback; presumably frees a struct alias */
195 void alias_put(struct alias *a);                              /* likely the counterpart of alias_get (release after use) -- confirm */
196 void init_aliases(void);                                      /* (re)initialise the alias tree */
/* Parser entry point.  Parameters are unnamed in this prototype; presumably the sudoers path and a flag -- confirm against the definition. */
199 void init_parser(const char *, bool);
/*
 * Matching interface.
 * NOTE(review): every string parameter below is a non-const char *; whether
 * any of them is modified in place is not visible from this header.
 * The *list_matches functions return int rather than bool, presumably so a
 * third "unspecified/no match" state can be carried (cf. the tag values
 * true/false/IMPLIED/UNSPEC documented above) -- confirm.
 */
202 bool addr_matches(char *n);                                   /* n: address/network spec from sudoers */
/* When digest is non-NULL the match presumably also requires the command's
 * contents to hash to that digest, not just a path/args match -- confirm. */
205 bool command_matches(char *sudoers_cmnd, char *sudoers_args, struct sudo_digest *digest);
206 bool group_matches(char *sudoers_group, struct group *gr);
207 bool hostname_matches(char *shost, char *lhost, char *pattern); /* shost/lhost: short and long host names -- TODO confirm */
208 bool netgr_matches(char *netgr, char *lhost, char *shost, char *user);
209 bool usergr_matches(char *group, char *user, struct passwd *pw);
210 bool userpw_matches(char *sudoers_user, char *user, struct passwd *pw);
211 int cmnd_matches(struct member *m);
212 int cmndlist_matches(struct member_list *list);
213 int hostlist_matches(struct member_list *list);
/* matching_user / matching_group are out-parameters; whether they are set on a non-match is not stated here. */
214 int runaslist_matches(struct member_list *user_list, struct member_list *group_list, struct member **matching_user, struct member **matching_group);
215 int userlist_matches(struct passwd *pw, struct member_list *list);
/* Lexer state initialisation. */
218 void init_lexer(void);
/* Hex digit helper; returns int, presumably the decoded value with a negative result on a bad digit -- confirm. */
221 int hexchar(const char *s);
/*
 * Base64 decoder.  dsize is presumably the capacity of dst in bytes and
 * bounds the write; callers must pass the real buffer size.  The size_t
 * return is presumably the decoded length; the failure sentinel (if any)
 * is not derivable from this header -- confirm before relying on it.
 */
224 size_t base64_decode(const char *str, unsigned char *dst, size_t dsize);
226 #endif /* _SUDOERS_PARSE_H */