2 * Copyright (c) 2007-2013 Todd C. Miller <Todd.Miller@courtesan.com>
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19 #include <sys/types.h>
30 #endif /* STDC_HEADERS */
33 #endif /* HAVE_STRING_H */
36 #endif /* HAVE_STRINGS_H */
39 #endif /* HAVE_UNISTD_H */
47 extern struct sudo_nss sudo_nss_file;
49 extern struct sudo_nss sudo_nss_ldap;
52 extern struct sudo_nss sudo_nss_sss;
55 #if (defined(HAVE_LDAP) || defined(HAVE_SSSD)) && defined(_PATH_NSSWITCH_CONF)
57 * Read in /etc/nsswitch.conf
58 * Returns a tail queue of matches.
60 struct sudo_nss_list *
64 char *cp, *line = NULL;
69 bool saw_files = false;
70 bool saw_ldap = false;
71 bool got_match = false;
72 static struct sudo_nss_list snl;
73 debug_decl(sudo_read_nss, SUDO_DEBUG_NSS)
75 if ((fp = fopen(_PATH_NSSWITCH_CONF, "r")) == NULL)
78 while (sudo_parseln(&line, &linesize, NULL, fp) != -1) {
79 /* Skip blank or comment lines */
83 /* Look for a line starting with "sudoers:" */
84 if (strncasecmp(line, "sudoers:", 8) != 0)
88 for ((cp = strtok(line + 8, " \t")); cp != NULL; (cp = strtok(NULL, " \t"))) {
89 if (strcasecmp(cp, "files") == 0 && !saw_files) {
90 tq_append(&snl, &sudo_nss_file);
93 } else if (strcasecmp(cp, "ldap") == 0 && !saw_ldap) {
94 tq_append(&snl, &sudo_nss_ldap);
98 } else if (strcasecmp(cp, "sss") == 0 && !saw_sss) {
99 tq_append(&snl, &sudo_nss_sss);
102 } else if (strcasecmp(cp, "[NOTFOUND=return]") == 0 && got_match) {
103 /* NOTFOUND affects the most recent entry */
104 tq_last(&snl)->ret_if_notfound = true;
106 } else if (strcasecmp(cp, "[SUCCESS=return]") == 0 && got_match) {
107 /* SUCCESS affects the most recent entry */
108 tq_last(&snl)->ret_if_found = true;
113 /* Only parse the first "sudoers:" line */
120 /* Default to files only if no matches */
122 tq_append(&snl, &sudo_nss_file);
124 debug_return_ptr(&snl);
127 #else /* (HAVE_LDAP || HAVE_SSSD) && _PATH_NSSWITCH_CONF */
129 # if (defined(HAVE_LDAP) || defined(HAVE_SSSD)) && defined(_PATH_NETSVC_CONF)
132 * Read in /etc/netsvc.conf (like nsswitch.conf on AIX)
133 * Returns a tail queue of matches.
135 struct sudo_nss_list *
139 char *cp, *ep, *line = NULL;
140 ssize_t linesize = 0;
142 bool saw_sss = false;
144 bool saw_files = false;
145 bool saw_ldap = false;
146 bool got_match = false;
147 static struct sudo_nss_list snl;
148 debug_decl(sudo_read_nss, SUDO_DEBUG_NSS)
150 if ((fp = fopen(_PATH_NETSVC_CONF, "r")) == NULL)
153 while (sudo_parseln(&line, &linesize, NULL, fp) != -1) {
154 /* Skip blank or comment lines */
155 if (*(cp = line) == '\0')
158 /* Look for a line starting with "sudoers = " */
159 if (strncasecmp(cp, "sudoers", 7) != 0)
162 while (isspace((unsigned char)*cp))
168 for ((cp = strtok(cp, ",")); cp != NULL; (cp = strtok(NULL, ","))) {
169 /* Trim leading whitespace. */
170 while (isspace((unsigned char)*cp))
173 if (!saw_files && strncasecmp(cp, "files", 5) == 0 &&
174 (isspace((unsigned char)cp[5]) || cp[5] == '\0')) {
175 tq_append(&snl, &sudo_nss_file);
179 } else if (!saw_ldap && strncasecmp(cp, "ldap", 4) == 0 &&
180 (isspace((unsigned char)cp[4]) || cp[4] == '\0')) {
181 tq_append(&snl, &sudo_nss_ldap);
186 } else if (!saw_sss && strncasecmp(cp, "sss", 3) == 0 &&
187 (isspace((unsigned char)cp[3]) || cp[3] == '\0')) {
188 tq_append(&snl, &sudo_nss_sss);
196 /* check for = auth qualifier */
197 if (got_match && *ep) {
199 while (isspace((unsigned char)*cp) || *cp == '=')
201 if (strncasecmp(cp, "auth", 4) == 0 &&
202 (isspace((unsigned char)cp[4]) || cp[4] == '\0')) {
203 tq_last(&snl)->ret_if_found = true;
207 /* Only parse the first "sudoers" line */
213 /* Default to files only if no matches */
215 tq_append(&snl, &sudo_nss_file);
217 debug_return_ptr(&snl);
220 # else /* !_PATH_NETSVC_CONF && !_PATH_NSSWITCH_CONF */
223 * Non-nsswitch.conf version with hard-coded order.
225 struct sudo_nss_list *
228 static struct sudo_nss_list snl;
229 debug_decl(sudo_read_nss, SUDO_DEBUG_NSS)
232 tq_append(&snl, &sudo_nss_sss);
235 tq_append(&snl, &sudo_nss_ldap);
237 tq_append(&snl, &sudo_nss_file);
239 debug_return_ptr(&snl);
242 # endif /* !HAVE_LDAP || !_PATH_NETSVC_CONF */
244 #endif /* HAVE_LDAP && _PATH_NSSWITCH_CONF */
247 output(const char *buf)
249 struct sudo_conv_message msg;
250 struct sudo_conv_reply repl;
251 debug_decl(output, SUDO_DEBUG_NSS)
253 /* Call conversation function */
254 memset(&msg, 0, sizeof(msg));
255 msg.msg_type = SUDO_CONV_INFO_MSG;
257 memset(&repl, 0, sizeof(repl));
258 if (sudo_conv(1, &msg, &repl) == -1)
260 debug_return_int(strlen(buf));
264 * Print out privileges for the specified user.
265 * We only get here if the user is allowed to run something on this host.
268 display_privs(struct sudo_nss_list *snl, struct passwd *pw)
270 struct sudo_nss *nss;
271 struct lbuf defs, privs;
273 int cols, count, olen;
274 debug_decl(display_privs, SUDO_DEBUG_NSS)
276 cols = sudo_user.cols;
277 if (fstat(STDOUT_FILENO, &sb) == 0 && S_ISFIFO(sb.st_mode))
279 lbuf_init(&defs, output, 4, NULL, cols);
280 lbuf_init(&privs, output, 8, NULL, cols);
282 /* Display defaults from all sources. */
283 lbuf_append(&defs, _("Matching Defaults entries for %s on this host:\n"),
286 tq_foreach_fwd(snl, nss) {
287 count += nss->display_defaults(nss, pw, &defs);
290 lbuf_append(&defs, "\n\n");
294 /* Display Runas and Cmnd-specific defaults from all sources. */
296 lbuf_append(&defs, _("Runas and Command-specific defaults for %s:\n"),
299 tq_foreach_fwd(snl, nss) {
300 count += nss->display_bound_defaults(nss, pw, &defs);
303 lbuf_append(&defs, "\n\n");
307 /* Display privileges from all sources. */
309 _("User %s may run the following commands on this host:\n"),
312 tq_foreach_fwd(snl, nss) {
313 count += nss->display_privs(nss, pw, &privs);
318 lbuf_append(&privs, _("User %s is not allowed to run sudo on %s.\n"),
319 pw->pw_name, user_shost);
325 lbuf_destroy(&privs);
331 * Check user_cmnd against sudoers and print the matching entry if the
332 * command is allowed.
333 * Returns true if the command is allowed, else false.
336 display_cmnd(struct sudo_nss_list *snl, struct passwd *pw)
338 struct sudo_nss *nss;
339 debug_decl(display_cmnd, SUDO_DEBUG_NSS)
341 tq_foreach_fwd(snl, nss) {
342 if (nss->display_cmnd(nss, pw) == 0)
343 debug_return_bool(true);
345 debug_return_bool(false);