3 * Copyright (c) 1996, 1998-2005, 2007-2011
4 * Todd C. Miller <Todd.Miller@courtesan.com>
6 * Permission to use, copy, modify, and distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
18 * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
19 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
21 * Sponsored in part by the Defense Advanced Research Projects
22 * Agency (DARPA) and Air Force Research Laboratory, Air Force
23 * Materiel Command, USAF, under agreement number F39502-99-1-0512.
28 #include <sys/types.h>
29 #include <sys/param.h>
39 #endif /* STDC_HEADERS */
42 #endif /* HAVE_STRING_H */
45 #endif /* HAVE_STRINGS_H */
48 #endif /* HAVE_UNISTD_H */
49 #if defined(HAVE_MALLOC_H) && !defined(STDC_HEADERS)
51 #endif /* HAVE_MALLOC_H && !STDC_HEADERS */
54 # define NAMLEN(dirent) strlen((dirent)->d_name)
56 # define dirent direct
57 # define NAMLEN(dirent) (dirent)->d_namlen
58 # ifdef HAVE_SYS_NDIR_H
59 # include <sys/ndir.h>
61 # ifdef HAVE_SYS_DIR_H
75 extern YYSTYPE yylval;
76 extern int parse_error;
80 static int continued, prev_state, sawspace;
82 static int _push_include(char *, int);
83 static int pop_include(void);
84 static char *parse_include(char *);
87 static int sudoers_trace_print(const char *msg);
89 # define sudoers_trace_print NULL
91 int (*trace_print)(const char *msg) = sudoers_trace_print;
93 #define push_include(_p) (_push_include((_p), FALSE))
94 #define push_includedir(_p) (_push_include((_p), TRUE))
97 HEX16 [0-9A-Fa-f]{1,4}
98 OCTET (1?[0-9]{1,2})|(2[0-4][0-9])|(25[0-5])
99 IPV4ADDR {OCTET}(\.{OCTET}){3}
100 IPV6ADDR ({HEX16}?:){2,7}{HEX16}?|({HEX16}?:){2,6}:{IPV4ADDR}
102 HOSTNAME [[:alnum:]_-]+
103 WORD ([^#>!=:,\(\) \t\n\\\"]|\\[^\n])+
105 PATH \/(\\[\,:= \t#]|[^\,:=\\ \t\n#])+
106 ENVAR ([^#!=, \t\n\\\"]|\\[^\n])([^#=, \t\n\\\"]|\\[^\n])*
120 <GOTDEFS>[[:blank:]]*,[[:blank:]]* {
125 <GOTDEFS>[[:blank:]]+ BEGIN STARTDEFS;
127 <STARTDEFS>{DEFVAR} {
130 if (!fill(yytext, yyleng))
158 LEXTRACE("BEGINSTR ");
159 yylval.string = NULL;
160 prev_state = YY_START;
165 LEXTRACE("WORD(2) ");
166 if (!fill(yytext, yyleng))
173 \\[[:blank:]]*\n[[:blank:]]* {
174 /* Line continuation char followed by newline. */
183 if (yylval.string == NULL) {
184 LEXTRACE("ERROR "); /* empty string */
187 if (prev_state == INITIAL) {
188 switch (yylval.string[0]) {
190 if (yylval.string[1] == '\0' ||
191 (yylval.string[1] == ':' &&
192 yylval.string[2] == '\0')) {
193 LEXTRACE("ERROR "); /* empty group */
196 LEXTRACE("USERGROUP ");
199 if (yylval.string[1] == '\0') {
200 LEXTRACE("ERROR "); /* empty netgroup */
203 LEXTRACE("NETGROUP ");
207 LEXTRACE("WORD(4) ");
212 LEXTRACE("BACKSLASH ");
213 if (!append(yytext, yyleng))
218 LEXTRACE("STRBODY ");
219 if (!append(yytext, yyleng))
226 /* quoted fnmatch glob char, pass verbatim */
227 LEXTRACE("QUOTEDCHAR ");
228 if (!fill_args(yytext, 2, sawspace))
234 /* quoted sudoers special char, strip backslash */
235 LEXTRACE("QUOTEDCHAR ");
236 if (!fill_args(yytext + 1, 1, sawspace))
245 } /* end of command line args */
249 if (!fill_args(yytext, yyleng, sawspace))
252 } /* a command line arg */
255 <INITIAL>^#include[[:blank:]]+\/.*\n {
263 if ((path = parse_include(yytext)) == NULL)
266 LEXTRACE("INCLUDE\n");
268 /* Push current buffer and switch to include file */
269 if (!push_include(path))
273 <INITIAL>^#includedir[[:blank:]]+\/.*\n {
281 if ((path = parse_include(yytext)) == NULL)
284 LEXTRACE("INCLUDEDIR\n");
287 * Push current buffer and switch to include file.
288 * We simply ignore empty directories.
290 if (!push_includedir(path) && parse_error)
294 <INITIAL>^[[:blank:]]*Defaults([:@>\!][[:blank:]]*\!*\"?({ID}|{WORD}))? {
303 for (n = 0; isblank((unsigned char)yytext[n]); n++)
305 n += sizeof("Defaults") - 1;
306 if ((deftype = yytext[n++]) != '\0') {
307 while (isblank((unsigned char)yytext[n]))
314 LEXTRACE("DEFAULTS_USER ");
315 return DEFAULTS_USER;
318 LEXTRACE("DEFAULTS_RUNAS ");
319 return DEFAULTS_RUNAS;
322 LEXTRACE("DEFAULTS_HOST ");
323 return DEFAULTS_HOST;
326 LEXTRACE("DEFAULTS_CMND ");
327 return DEFAULTS_CMND;
329 LEXTRACE("DEFAULTS ");
334 <INITIAL>^[[:blank:]]*(Host|Cmnd|User|Runas)_Alias {
342 for (n = 0; isblank((unsigned char)yytext[n]); n++)
346 LEXTRACE("HOSTALIAS ");
349 LEXTRACE("CMNDALIAS ");
352 LEXTRACE("USERALIAS ");
355 LEXTRACE("RUNASALIAS ");
360 NOPASSWD[[:blank:]]*: {
361 /* cmnd does not require passwd for this user */
362 LEXTRACE("NOPASSWD ");
366 PASSWD[[:blank:]]*: {
367 /* cmnd requires passwd for this user */
372 NOEXEC[[:blank:]]*: {
382 SETENV[[:blank:]]*: {
387 NOSETENV[[:blank:]]*: {
388 LEXTRACE("NOSETENV ");
392 LOG_OUTPUT[[:blank:]]*: {
393 LEXTRACE("LOG_OUTPUT ");
397 NOLOG_OUTPUT[[:blank:]]*: {
398 LEXTRACE("NOLOG_OUTPUT ");
402 LOG_INPUT[[:blank:]]*: {
403 LEXTRACE("LOG_INPUT ");
407 NOLOG_INPUT[[:blank:]]*: {
408 LEXTRACE("NOLOG_INPUT ");
412 <INITIAL,GOTDEFS>(\+|\%|\%:) {
413 /* empty group or netgroup */
420 if (!fill(yytext, yyleng))
422 LEXTRACE("NETGROUP ");
428 if (!fill(yytext, yyleng))
430 LEXTRACE("USERGROUP ");
434 {IPV4ADDR}(\/{IPV4ADDR})? {
435 if (!fill(yytext, yyleng))
437 LEXTRACE("NTWKADDR ");
441 {IPV4ADDR}\/([12]?[0-9]|3[0-2]) {
442 if (!fill(yytext, yyleng))
444 LEXTRACE("NTWKADDR ");
448 {IPV6ADDR}(\/{IPV6ADDR})? {
449 if (!ipv6_valid(yytext)) {
453 if (!fill(yytext, yyleng))
455 LEXTRACE("NTWKADDR ");
459 {IPV6ADDR}\/([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8]) {
460 if (!ipv6_valid(yytext)) {
464 if (!fill(yytext, yyleng))
466 LEXTRACE("NTWKADDR ");
494 [[:upper:]][[:upper:][:digit:]_]* {
498 if (!fill(yytext, yyleng))
504 <GOTDEFS>({PATH}|sudoedit) {
505 /* no command args allowed for Defaults!/path */
506 if (!fill_cmnd(yytext, yyleng))
508 LEXTRACE("COMMAND ");
514 LEXTRACE("COMMAND ");
515 if (!fill_cmnd(yytext, yyleng))
520 /* directories can't have args... */
521 if (yytext[yyleng - 1] == '/') {
522 LEXTRACE("COMMAND ");
523 if (!fill_cmnd(yytext, yyleng))
528 LEXTRACE("COMMAND ");
529 if (!fill_cmnd(yytext, yyleng))
534 <INITIAL,GOTDEFS>\" {
535 LEXTRACE("BEGINSTR ");
536 yylval.string = NULL;
537 prev_state = YY_START;
541 <INITIAL,GOTDEFS>({ID}|{WORD}) {
543 if (!fill(yytext, yyleng))
545 LEXTRACE("WORD(5) ");
577 return '!'; /* return '!' */
582 if (YY_START == INSTR) {
584 return ERROR; /* line break in string */
591 } /* return newline */
593 <*>[[:blank:]]+ { /* throw away space/tabs */
594 sawspace = TRUE; /* but remember for fill_args */
597 <*>\\[[:blank:]]*\n {
598 sawspace = TRUE; /* remember for fill_args */
601 } /* throw away EOL after \ */
603 <INITIAL,STARTDEFS,INDEFS>#(-[^\n0-9].*|[^\n0-9-].*)?\n {
609 } /* comment, not uid/gid */
617 if (YY_START != INITIAL) {
629 struct path_list *next;
632 struct include_stack {
635 struct path_list *more; /* more files in case of includedir */
641 pl_compare(const void *v1, const void *v2)
643 const struct path_list * const *p1 = v1;
644 const struct path_list * const *p2 = v2;
646 return strcmp((*p1)->path, (*p2)->path);
650 switch_dir(struct include_stack *stack, char *dirpath)
657 struct path_list *pl, *first = NULL;
658 struct path_list **sorted = NULL;
660 if (!(dir = opendir(dirpath))) {
661 if (errno != ENOENT) {
663 if (asprintf(&errbuf, _("%s: %s"), dirpath, strerror(errno)) != -1) {
667 yyerror(_("unable to allocate memory"));
672 while ((dent = readdir(dir))) {
673 /* Ignore files that end in '~' or have a '.' in them. */
674 if (dent->d_name[0] == '\0' || dent->d_name[NAMLEN(dent) - 1] == '~'
675 || strchr(dent->d_name, '.') != NULL) {
678 if (asprintf(&path, "%s/%s", dirpath, dent->d_name) == -1) {
682 if (stat(path, &sb) != 0 || !S_ISREG(sb.st_mode)) {
687 pl = malloc(sizeof(*pl));
700 /* Sort the list as an array. */
701 sorted = malloc(sizeof(*sorted) * count);
705 for (i = 0; i < count; i++) {
709 qsort(sorted, count, sizeof(*sorted), pl_compare);
711 /* Apply sorting to the list. */
713 sorted[count - 1]->next = NULL;
714 for (i = 1; i < count; i++)
715 sorted[i - 1]->next = sorted[i];
718 /* Pull out the first element for parsing, leave the rest for later. */
731 while (first != NULL) {
743 #define MAX_SUDOERS_DEPTH 128
744 #define SUDOERS_STACK_INCREMENT 16
746 static size_t istacksize, idepth;
747 static struct include_stack *istack;
753 struct path_list *pl;
757 while ((pl = istack[idepth].more) != NULL) {
758 istack[idepth].more = pl->next;
762 efree(istack[idepth].path);
763 if (idepth && !istack[idepth].keepopen)
764 fclose(istack[idepth].bs->yy_input_file);
765 yy_delete_buffer(istack[idepth].bs);
769 istacksize = idepth = 0;
774 prev_state = INITIAL;
778 _push_include(char *path, int isdir)
780 struct path_list *pl;
783 /* push current state onto stack */
784 if (idepth >= istacksize) {
785 if (idepth > MAX_SUDOERS_DEPTH) {
786 yyerror(_("too many levels of includes"));
789 istacksize += SUDOERS_STACK_INCREMENT;
790 istack = (struct include_stack *) realloc(istack,
791 sizeof(*istack) * istacksize);
792 if (istack == NULL) {
793 yyerror(_("unable to allocate memory"));
798 if (!(path = switch_dir(&istack[idepth], path))) {
799 /* switch_dir() called yyerror() for us */
802 while ((fp = open_sudoers(path, FALSE, &keepopen)) == NULL) {
803 /* Unable to open path in includedir, go to next one, if any. */
805 if ((pl = istack[idepth].more) == NULL)
808 istack[idepth].more = pl->next;
812 if ((fp = open_sudoers(path, TRUE, &keepopen)) == NULL) {
814 if (asprintf(&errbuf, _("%s: %s"), path, strerror(errno)) != -1) {
818 yyerror(_("unable to allocate memory"));
822 istack[idepth].more = NULL;
824 /* Push the old (current) file and open the new one. */
825 istack[idepth].path = sudoers; /* push old path */
826 istack[idepth].bs = YY_CURRENT_BUFFER;
827 istack[idepth].lineno = sudolineno;
828 istack[idepth].keepopen = keepopen;
832 yy_switch_to_buffer(yy_create_buffer(fp, YY_BUF_SIZE));
840 struct path_list *pl;
847 fclose(YY_CURRENT_BUFFER->yy_input_file);
848 yy_delete_buffer(YY_CURRENT_BUFFER);
849 /* If we are in an include dir, move to the next file. */
850 while ((pl = istack[idepth - 1].more) != NULL) {
851 fp = open_sudoers(pl->path, FALSE, &keepopen);
853 istack[idepth - 1].more = pl->next;
857 yy_switch_to_buffer(yy_create_buffer(fp, YY_BUF_SIZE));
861 /* Unable to open path in include dir, go to next one. */
862 istack[idepth - 1].more = pl->next;
866 /* If no path list, just pop the last dir on the stack. */
869 yy_switch_to_buffer(istack[idepth].bs);
871 sudoers = istack[idepth].path;
872 sudolineno = istack[idepth].lineno;
873 keepopen = istack[idepth].keepopen;
879 parse_include(char *base)
881 char *cp, *ep, *path;
882 int len = 0, subst = 0;
883 size_t shost_len = 0;
885 /* Pull out path from #include line. */
886 cp = base + sizeof("#include");
888 cp += 3; /* includedir */
889 while (isblank((unsigned char) *cp))
892 while (*ep != '\0' && !isspace((unsigned char) *ep)) {
893 if (ep[0] == '%' && ep[1] == 'h') {
894 shost_len = strlen(user_shost);
895 len += shost_len - 2;
901 /* Make a copy of path and return it. */
902 len += (int)(ep - cp);
903 if ((path = malloc(len + 1)) == NULL) {
904 yyerror(_("unable to allocate memory"));
908 /* substitute for %h */
911 if (cp[0] == '%' && cp[1] == 'h') {
912 memcpy(pp, user_shost, shost_len);
921 memcpy(path, cp, len);
925 /* Push any excess characters (e.g. comment, newline) back to the lexer */
927 yyless((int)(ep - base));
934 sudoers_trace_print(const char *msg)
936 return fputs(msg, stderr);
938 #endif /* TRACELEXER */
projects / debian / sudo / blob