2 * Copyright (c) 2007-2011 Todd C. Miller <Todd.Miller@courtesan.com>
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19 #include <sys/types.h>
20 #include <sys/param.h>
31 #endif /* STDC_HEADERS */
34 #endif /* HAVE_STRING_H */
37 #endif /* HAVE_STRINGS_H */
40 #endif /* HAVE_UNISTD_H */
48 extern struct sudo_nss sudo_nss_file;
50 extern struct sudo_nss sudo_nss_ldap;
53 extern struct sudo_nss sudo_nss_sss;
56 #if (defined(HAVE_LDAP) || defined(HAVE_SSSD)) && defined(_PATH_NSSWITCH_CONF)
58 * Read in /etc/nsswitch.conf
59 * Returns a tail queue of matches.
61 struct sudo_nss_list *
69 bool saw_files = false;
70 bool saw_ldap = false;
71 bool got_match = false;
72 static struct sudo_nss_list snl;
73 debug_decl(sudo_read_nss, SUDO_DEBUG_NSS)
75 if ((fp = fopen(_PATH_NSSWITCH_CONF, "r")) == NULL)
78 while ((cp = sudo_parseln(fp)) != NULL) {
79 /* Skip blank or comment lines */
83 /* Look for a line starting with "sudoers:" */
84 if (strncasecmp(cp, "sudoers:", 8) != 0)
88 for ((cp = strtok(cp + 8, " \t")); cp != NULL; (cp = strtok(NULL, " \t"))) {
89 if (strcasecmp(cp, "files") == 0 && !saw_files) {
90 tq_append(&snl, &sudo_nss_file);
93 } else if (strcasecmp(cp, "ldap") == 0 && !saw_ldap) {
94 tq_append(&snl, &sudo_nss_ldap);
98 } else if (strcasecmp(cp, "sss") == 0 && !saw_sss) {
99 tq_append(&snl, &sudo_nss_sss);
102 } else if (strcasecmp(cp, "[NOTFOUND=return]") == 0 && got_match) {
103 /* NOTFOUND affects the most recent entry */
104 tq_last(&snl)->ret_if_notfound = true;
106 } else if (strcasecmp(cp, "[SUCCESS=return]") == 0 && got_match) {
107 /* SUCCESS affects the most recent entry */
108 tq_last(&snl)->ret_if_found = true;
113 /* Only parse the first "sudoers:" line */
119 /* Default to files only if no matches */
121 tq_append(&snl, &sudo_nss_file);
123 debug_return_ptr(&snl);
126 #else /* (HAVE_LDAP || HAVE_SSSD) && _PATH_NSSWITCH_CONF */
128 # if (defined(HAVE_LDAP) || defined(HAVE_SSSD)) && defined(_PATH_NETSVC_CONF)
131 * Read in /etc/netsvc.conf (like nsswitch.conf on AIX)
132 * Returns a tail queue of matches.
134 struct sudo_nss_list *
140 bool saw_sss = false;
142 bool saw_files = false;
143 bool saw_ldap = false;
144 bool got_match = false;
145 static struct sudo_nss_list snl;
146 debug_decl(sudo_read_nss, SUDO_DEBUG_NSS)
148 if ((fp = fopen(_PATH_NETSVC_CONF, "r")) == NULL)
151 while ((cp = sudo_parseln(fp)) != NULL) {
152 /* Skip blank or comment lines */
156 /* Look for a line starting with "sudoers = " */
157 if (strncasecmp(cp, "sudoers", 7) != 0)
160 while (isspace((unsigned char)*cp))
166 for ((cp = strtok(cp, ",")); cp != NULL; (cp = strtok(NULL, ","))) {
167 /* Trim leading whitespace. */
168 while (isspace((unsigned char)*cp))
171 if (!saw_files && strncasecmp(cp, "files", 5) == 0 &&
172 (isspace((unsigned char)cp[5]) || cp[5] == '\0')) {
173 tq_append(&snl, &sudo_nss_file);
177 } else if (!saw_ldap && strncasecmp(cp, "ldap", 4) == 0 &&
178 (isspace((unsigned char)cp[4]) || cp[4] == '\0')) {
179 tq_append(&snl, &sudo_nss_ldap);
184 } else if (!saw_sss && strncasecmp(cp, "sss", 3) == 0 &&
185 (isspace((unsigned char)cp[3]) || cp[3] == '\0')) {
186 tq_append(&snl, &sudo_nss_sss);
194 /* check for = auth qualifier */
195 if (got_match && *ep) {
197 while (isspace((unsigned char)*cp) || *cp == '=')
199 if (strncasecmp(cp, "auth", 4) == 0 &&
200 (isspace((unsigned char)cp[4]) || cp[4] == '\0')) {
201 tq_last(&snl)->ret_if_found = true;
205 /* Only parse the first "sudoers" line */
211 /* Default to files only if no matches */
213 tq_append(&snl, &sudo_nss_file);
215 debug_return_ptr(&snl);
218 # else /* !_PATH_NETSVC_CONF && !_PATH_NSSWITCH_CONF */
221 * Non-nsswitch.conf version with hard-coded order.
223 struct sudo_nss_list *
226 static struct sudo_nss_list snl;
227 debug_decl(sudo_read_nss, SUDO_DEBUG_NSS)
230 tq_append(&snl, &sudo_nss_sss);
233 tq_append(&snl, &sudo_nss_ldap);
235 tq_append(&snl, &sudo_nss_file);
237 debug_return_ptr(&snl);
240 # endif /* !HAVE_LDAP || !_PATH_NETSVC_CONF */
242 #endif /* HAVE_LDAP && _PATH_NSSWITCH_CONF */
245 output(const char *buf)
247 struct sudo_conv_message msg;
248 struct sudo_conv_reply repl;
249 debug_decl(output, SUDO_DEBUG_NSS)
251 /* Call conversation function */
252 memset(&msg, 0, sizeof(msg));
253 msg.msg_type = SUDO_CONV_INFO_MSG;
255 memset(&repl, 0, sizeof(repl));
256 if (sudo_conv(1, &msg, &repl) == -1)
258 debug_return_int(strlen(buf));
262 * Print out privileges for the specified user.
263 * We only get here if the user is allowed to run something on this host.
266 display_privs(struct sudo_nss_list *snl, struct passwd *pw)
268 struct sudo_nss *nss;
269 struct lbuf defs, privs;
271 int cols, count, olen;
272 debug_decl(display_privs, SUDO_DEBUG_NSS)
274 cols = sudo_user.cols;
275 if (fstat(STDOUT_FILENO, &sb) == 0 && S_ISFIFO(sb.st_mode))
277 lbuf_init(&defs, output, 4, NULL, cols);
278 lbuf_init(&privs, output, 4, NULL, cols);
280 /* Display defaults from all sources. */
281 lbuf_append(&defs, _("Matching Defaults entries for %s on this host:\n"),
284 tq_foreach_fwd(snl, nss) {
285 count += nss->display_defaults(nss, pw, &defs);
288 lbuf_append(&defs, "\n\n");
292 /* Display Runas and Cmnd-specific defaults from all sources. */
294 lbuf_append(&defs, _("Runas and Command-specific defaults for %s:\n"),
297 tq_foreach_fwd(snl, nss) {
298 count += nss->display_bound_defaults(nss, pw, &defs);
301 lbuf_append(&defs, "\n\n");
305 /* Display privileges from all sources. */
307 _("User %s may run the following commands on this host:\n"),
310 tq_foreach_fwd(snl, nss) {
311 count += nss->display_privs(nss, pw, &privs);
316 lbuf_append(&privs, _("User %s is not allowed to run sudo on %s.\n"),
317 pw->pw_name, user_shost);
323 lbuf_destroy(&privs);
329 * Check user_cmnd against sudoers and print the matching entry if the
330 * command is allowed.
331 * Returns true if the command is allowed, else false.
334 display_cmnd(struct sudo_nss_list *snl, struct passwd *pw)
336 struct sudo_nss *nss;
337 debug_decl(display_cmnd, SUDO_DEBUG_NSS)
339 tq_foreach_fwd(snl, nss) {
340 if (nss->display_cmnd(nss, pw) == 0)
341 debug_return_bool(true);
343 debug_return_bool(false);