2 * Copyright (c) 2004-2008, 2010 Todd C. Miller <Todd.Miller@courtesan.com>
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19 #if defined(HAVE_SETRESUID) || defined(HAVE_SETREUID) || defined(HAVE_SETEUID)
21 #include <sys/types.h>
22 #include <sys/param.h>
26 #include <sys/socket.h>
35 #endif /* STDC_HEADERS */
38 #endif /* HAVE_STRING_H */
41 #endif /* HAVE_STRINGS_H */
44 #endif /* HAVE_UNISTD_H */
51 #if TIME_WITH_SYS_TIME
57 static char *find_editor __P((int *argc_out, char ***argv_out));
59 extern char **NewArgv; /* XXX */
62 * Wrapper to allow users to edit privileged files with their own uid.
65 sudo_edit(argc, argv, envp)
70 ssize_t nread, nwritten;
72 char *cp, *suff, **nargv, *editor, **files;
73 char **editor_argv = NULL;
75 int rc, i, j, ac, ofd, tfd, nargc, rval, nfiles, tmplen;
78 struct timeval tv, tv1, tv2;
86 /* Determine user's editor. */
87 editor = find_editor(&editor_argc, &editor_argv);
92 * Find our temporary directory, one of /var/tmp, /usr/tmp, or /tmp
94 if (stat(_PATH_VARTMP, &sb) == 0 && S_ISDIR(sb.st_mode))
95 tmpdir = _PATH_VARTMP;
97 else if (stat(_PATH_USRTMP, &sb) == 0 && S_ISDIR(sb.st_mode))
98 tmpdir = _PATH_USRTMP;
102 tmplen = strlen(tmpdir);
103 while (tmplen > 0 && tmpdir[tmplen - 1] == '/')
107 * For each file specified by the user, make a temporary version
108 * and copy the contents of the original to it.
112 tf = emalloc2(nfiles, sizeof(*tf));
113 zero_bytes(tf, nfiles * sizeof(*tf));
114 for (i = 0, j = 0; i < nfiles; i++) {
116 set_perms(PERM_RUNAS);
117 if ((ofd = open(files[i], O_RDONLY, 0644)) != -1 || errno == ENOENT) {
119 zero_bytes(&sb, sizeof(sb)); /* new file */
123 rc = fstat(ofd, &sb);
125 rc = stat(tf[j].ofile, &sb);
129 set_perms(PERM_ROOT);
130 if (rc || (ofd != -1 && !S_ISREG(sb.st_mode))) {
132 warning("%s", files[i]);
134 warningx("%s: not a regular file", files[i]);
139 tf[j].ofile = files[i];
140 tf[j].osize = sb.st_size;
141 mtim_get(&sb, &tf[j].omtim);
142 if ((cp = strrchr(tf[j].ofile, '/')) != NULL)
146 suff = strrchr(cp, '.');
148 easprintf(&tf[j].tfile, "%.*s/%.*sXXXXXXXX%s", tmplen, tmpdir, (int)(size_t)(suff - cp), cp, suff);
150 easprintf(&tf[j].tfile, "%.*s/%s.XXXXXXXX", tmplen, tmpdir, cp);
152 set_perms(PERM_USER);
153 tfd = mkstemps(tf[j].tfile, suff ? strlen(suff) : 0);
154 set_perms(PERM_ROOT);
160 while ((nread = read(ofd, buf, sizeof(buf))) != 0) {
161 if ((nwritten = write(tfd, buf, nread)) != nread) {
163 warning("%s", tf[j].tfile);
165 warningx("%s: short write", tf[j].tfile);
172 * We always update the stashed mtime because the time
173 * resolution of the filesystem the temporary file is on may
174 * not match that of the filesystem where the file to be edited
175 * resides. It is OK if touch() fails since we only use the info
176 * to determine whether or not a file has been modified.
178 (void) touch(tfd, NULL, &tf[j].omtim);
180 rc = fstat(tfd, &sb);
182 rc = stat(tf[j].tfile, &sb);
185 mtim_get(&sb, &tf[j].omtim);
189 if ((nfiles = j) == 0)
190 return 1; /* no files readable, you lose */
193 * Allocate space for the new argument vector and fill it in.
194 * We concatenate the editor with its args and the file list
195 * to create a new argv.
196 * We allocate an extra slot to be used if execve() fails.
198 nargc = editor_argc + nfiles;
199 nargv = (char **) emalloc2(1 + nargc + 1, sizeof(char *));
201 for (ac = 0; ac < editor_argc; ac++)
202 nargv[ac] = editor_argv[ac];
203 for (i = 0; i < nfiles && ac < nargc; )
204 nargv[ac++] = tf[i++].tfile;
208 * Run the editor with the invoking user's creds,
209 * keeping track of the time spent in the editor.
212 rval = run_command(editor, nargv, envp, user_uid, TRUE);
215 /* Copy contents of temp files to real ones */
216 for (i = 0; i < nfiles; i++) {
218 set_perms(PERM_USER);
219 if ((tfd = open(tf[i].tfile, O_RDONLY, 0644)) != -1) {
221 rc = fstat(tfd, &sb);
223 rc = stat(tf[i].tfile, &sb);
226 set_perms(PERM_ROOT);
227 if (rc || !S_ISREG(sb.st_mode)) {
229 warning("%s", tf[i].tfile);
231 warningx("%s: not a regular file", tf[i].tfile);
232 warningx("%s left unmodified", tf[i].ofile);
238 if (tf[i].osize == sb.st_size && timevalcmp(&tf[i].omtim, &tv, ==)) {
240 * If mtime and size match but the user spent no measurable
241 * time in the editor we can't tell if the file was changed.
243 timevalsub(&tv1, &tv2);
244 if (timevalisset(&tv2)) {
245 warningx("%s unchanged", tf[i].ofile);
251 set_perms(PERM_RUNAS);
252 ofd = open(tf[i].ofile, O_WRONLY|O_TRUNC|O_CREAT, 0644);
253 set_perms(PERM_ROOT);
255 warning("unable to write to %s", tf[i].ofile);
256 warningx("contents of edit session left in %s", tf[i].tfile);
260 while ((nread = read(tfd, buf, sizeof(buf))) > 0) {
261 if ((nwritten = write(ofd, buf, nread)) != nread) {
263 warning("%s", tf[i].ofile);
265 warningx("%s: short write", tf[i].ofile);
270 /* success, got EOF */
272 } else if (nread < 0) {
273 warning("unable to read temporary file");
274 warningx("contents of edit session left in %s", tf[i].tfile);
276 warning("unable to write to %s", tf[i].ofile);
277 warningx("contents of edit session left in %s", tf[i].tfile);
284 /* Clean up temp files and return. */
285 for (i = 0; i < nfiles; i++) {
286 if (tf[i].tfile != NULL)
293 resolve_editor(editor, argc_out, argv_out)
298 char *cp, **nargv, *editor_path = NULL;
299 int ac, nargc, wasblank;
301 editor = estrdup(editor); /* becomes part of argv_out */
304 * Split editor into an argument vector; editor is reused (do not free).
305 * The EDITOR and VISUAL environment variables may contain command
306 * line args so look for those and alloc space for them too.
309 for (wasblank = FALSE, cp = editor; *cp != '\0'; cp++) {
310 if (isblank((unsigned char) *cp))
317 /* If we can't find the editor in the user's PATH, give up. */
318 cp = strtok(editor, " \t");
320 find_path(cp, &editor_path, NULL, getenv("PATH"), 0) != FOUND) {
324 nargv = (char **) emalloc2(nargc + 1, sizeof(char *));
325 for (ac = 0; cp != NULL && ac < nargc; ac++) {
327 cp = strtok(NULL, " \t");
337 * Determine which editor to use. We don't need to worry about restricting
338 * this to a "safe" editor since it runs with the uid of the invoking user,
339 * not the runas (privileged) user.
340 * Fills in argv_out with an argument vector suitable for execve() that
341 * includes the editor with the specified files.
344 find_editor(argc_out, argv_out)
348 char *cp, *editor, *editor_path = NULL, **ev, *ev0[4];
351 * If any of SUDO_EDITOR, VISUAL or EDITOR are set, choose the first one.
353 ev0[0] = "SUDO_EDITOR";
357 for (ev = ev0; *ev != NULL; ev++) {
358 if ((editor = getenv(*ev)) != NULL && *editor != '\0') {
359 editor_path = resolve_editor(editor, argc_out, argv_out);
360 if (editor_path != NULL)
364 if (editor_path == NULL) {
365 /* def_editor could be a path, split it up */
366 editor = estrdup(def_editor);
367 cp = strtok(editor, ":");
368 while (cp != NULL && editor_path == NULL) {
369 editor_path = resolve_editor(cp, argc_out, argv_out);
370 cp = strtok(NULL, ":");
376 audit_failure(NewArgv, "%s: command not found", editor);
377 warningx("%s: command not found", editor);
382 #else /* HAVE_SETRESUID || HAVE_SETREUID || HAVE_SETEUID */
385 * Must have the ability to change the effective uid to use sudoedit.
388 sudo_edit(argc, argv, envp)
396 #endif /* HAVE_SETRESUID || HAVE_SETREUID || HAVE_SETEUID */