2 * Copyright (c) 2007-2011 Todd C. Miller <Todd.Miller@courtesan.com>
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19 #include <sys/types.h>
20 #include <sys/param.h>
29 #endif /* STDC_HEADERS */
32 #endif /* HAVE_STRING_H */
35 #endif /* HAVE_STRINGS_H */
38 #endif /* HAVE_UNISTD_H */
46 extern struct sudo_nss sudo_nss_file;
48 extern struct sudo_nss sudo_nss_ldap;
51 #if defined(HAVE_LDAP) && defined(_PATH_NSSWITCH_CONF)
53 * Read in /etc/nsswitch.conf
54 * Returns a tail queue of matches.
56 struct sudo_nss_list *
61 bool saw_files = false;
62 bool saw_ldap = false;
63 bool got_match = false;
64 static struct sudo_nss_list snl;
65 debug_decl(sudo_read_nss, SUDO_DEBUG_NSS)
67 if ((fp = fopen(_PATH_NSSWITCH_CONF, "r")) == NULL)
70 while ((cp = sudo_parseln(fp)) != NULL) {
71 /* Skip blank or comment lines */
75 /* Look for a line starting with "sudoers:" */
76 if (strncasecmp(cp, "sudoers:", 8) != 0)
80 for ((cp = strtok(cp + 8, " \t")); cp != NULL; (cp = strtok(NULL, " \t"))) {
81 if (strcasecmp(cp, "files") == 0 && !saw_files) {
82 tq_append(&snl, &sudo_nss_file);
84 } else if (strcasecmp(cp, "ldap") == 0 && !saw_ldap) {
85 tq_append(&snl, &sudo_nss_ldap);
87 } else if (strcasecmp(cp, "[NOTFOUND=return]") == 0 && got_match) {
88 /* NOTFOUND affects the most recent entry */
89 tq_last(&snl)->ret_if_notfound = true;
94 /* Only parse the first "sudoers:" line */
100 /* Default to files only if no matches */
102 tq_append(&snl, &sudo_nss_file);
104 debug_return_ptr(&snl);
107 #else /* HAVE_LDAP && _PATH_NSSWITCH_CONF */
109 # if defined(HAVE_LDAP) && defined(_PATH_NETSVC_CONF)
112 * Read in /etc/netsvc.conf (like nsswitch.conf on AIX)
113 * Returns a tail queue of matches.
115 struct sudo_nss_list *
120 bool saw_files = false;
121 bool saw_ldap = false;
122 bool got_match = false;
123 static struct sudo_nss_list snl;
124 debug_decl(sudo_read_nss, SUDO_DEBUG_NSS)
126 if ((fp = fopen(_PATH_NETSVC_CONF, "r")) == NULL)
129 while ((cp = sudo_parseln(fp)) != NULL) {
130 /* Skip blank or comment lines */
134 /* Look for a line starting with "sudoers = " */
135 if (strncasecmp(cp, "sudoers", 7) != 0)
138 while (isspace((unsigned char)*cp))
144 for ((cp = strtok(cp, ",")); cp != NULL; (cp = strtok(NULL, ","))) {
145 /* Trim leading whitespace. */
146 while (isspace((unsigned char)*cp))
149 if (!saw_files && strncasecmp(cp, "files", 5) == 0 &&
150 (isspace((unsigned char)cp[5]) || cp[5] == '\0')) {
151 tq_append(&snl, &sudo_nss_file);
154 } else if (!saw_ldap && strncasecmp(cp, "ldap", 4) == 0 &&
155 (isspace((unsigned char)cp[4]) || cp[4] == '\0')) {
156 tq_append(&snl, &sudo_nss_ldap);
163 /* check for = auth qualifier */
164 if (got_match && *ep) {
166 while (isspace((unsigned char)*cp) || *cp == '=')
168 if (strncasecmp(cp, "auth", 4) == 0 &&
169 (isspace((unsigned char)cp[4]) || cp[4] == '\0')) {
170 tq_last(&snl)->ret_if_found = true;
174 /* Only parse the first "sudoers" line */
180 /* Default to files only if no matches */
182 tq_append(&snl, &sudo_nss_file);
184 debug_return_ptr(&snl);
187 # else /* !_PATH_NETSVC_CONF && !_PATH_NSSWITCH_CONF */
190 * Non-nsswitch.conf version with hard-coded order.
192 struct sudo_nss_list *
195 static struct sudo_nss_list snl;
196 debug_decl(sudo_read_nss, SUDO_DEBUG_NSS)
199 tq_append(&snl, &sudo_nss_ldap);
201 tq_append(&snl, &sudo_nss_file);
203 debug_return_ptr(&snl);
206 # endif /* !HAVE_LDAP || !_PATH_NETSVC_CONF */
208 #endif /* HAVE_LDAP && _PATH_NSSWITCH_CONF */
211 output(const char *buf)
213 struct sudo_conv_message msg;
214 struct sudo_conv_reply repl;
215 debug_decl(output, SUDO_DEBUG_NSS)
217 /* Call conversation function */
218 memset(&msg, 0, sizeof(msg));
219 msg.msg_type = SUDO_CONV_INFO_MSG;
221 memset(&repl, 0, sizeof(repl));
222 if (sudo_conv(1, &msg, &repl) == -1)
224 debug_return_int(strlen(buf));
228 * Print out privileges for the specified user.
229 * We only get here if the user is allowed to run something on this host.
232 display_privs(struct sudo_nss_list *snl, struct passwd *pw)
234 struct sudo_nss *nss;
235 struct lbuf defs, privs;
237 debug_decl(display_privs, SUDO_DEBUG_NSS)
239 lbuf_init(&defs, output, 4, NULL, sudo_user.cols);
240 lbuf_init(&privs, output, 4, NULL, sudo_user.cols);
242 /* Display defaults from all sources. */
243 lbuf_append(&defs, _("Matching Defaults entries for %s on this host:\n"),
246 tq_foreach_fwd(snl, nss) {
247 count += nss->display_defaults(nss, pw, &defs);
250 lbuf_append(&defs, "\n\n");
254 /* Display Runas and Cmnd-specific defaults from all sources. */
256 lbuf_append(&defs, _("Runas and Command-specific defaults for %s:\n"),
259 tq_foreach_fwd(snl, nss) {
260 count += nss->display_bound_defaults(nss, pw, &defs);
263 lbuf_append(&defs, "\n\n");
267 /* Display privileges from all sources. */
269 _("User %s may run the following commands on this host:\n"),
272 tq_foreach_fwd(snl, nss) {
273 count += nss->display_privs(nss, pw, &privs);
279 printf(_("User %s is not allowed to run sudo on %s.\n"), pw->pw_name,
284 lbuf_destroy(&privs);
290 * Check user_cmnd against sudoers and print the matching entry if the
291 * command is allowed.
292 * Returns true if the command is allowed, else false.
295 display_cmnd(struct sudo_nss_list *snl, struct passwd *pw)
297 struct sudo_nss *nss;
298 debug_decl(display_cmnd, SUDO_DEBUG_NSS)
300 tq_foreach_fwd(snl, nss) {
301 if (nss->display_cmnd(nss, pw) == 0)
302 debug_return_bool(true);
304 debug_return_bool(false);