2 * Copyright (c) 2004-2008 Todd C. Miller <Todd.Miller@courtesan.com>
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19 #include <sys/types.h>
20 #include <sys/param.h>
24 #include <sys/socket.h>
33 #endif /* STDC_HEADERS */
37 # ifdef HAVE_STRINGS_H
40 #endif /* HAVE_STRING_H */
43 #endif /* HAVE_UNISTD_H */
49 #if TIME_WITH_SYS_TIME
53 # include <emul/timespec.h>
59 __unused static const char rcsid[] = "$Sudo: sudo_edit.c,v 1.37 2008/11/09 14:13:12 millert Exp $";
62 extern sigaction_t saved_sa_int, saved_sa_quit, saved_sa_tstp;
63 extern char **environ;
65 static char *find_editor();
68 * Wrapper to allow users to edit privileged files with their own uid.
71 sudo_edit(argc, argv, envp)
76 ssize_t nread, nwritten;
79 char **nargv, **ap, *editor, *cp;
81 int error, i, ac, ofd, tfd, nargc, rval, tmplen, wasblank;
83 struct timespec ts1, ts2;
87 struct timespec omtim;
92 * Find our temporary directory, one of /var/tmp, /usr/tmp, or /tmp
94 if (stat(_PATH_VARTMP, &sb) == 0 && S_ISDIR(sb.st_mode))
95 tmpdir = _PATH_VARTMP;
97 else if (stat(_PATH_USRTMP, &sb) == 0 && S_ISDIR(sb.st_mode))
98 tmpdir = _PATH_USRTMP;
102 tmplen = strlen(tmpdir);
103 while (tmplen > 0 && tmpdir[tmplen - 1] == '/')
107 * Close password, shadow, and group files before we try to open
108 * user-specified files to prevent the opening of things like /dev/fd/4
114 * For each file specified by the user, make a temporary version
115 * and copy the contents of the original to it.
117 tf = emalloc2(argc - 1, sizeof(*tf));
118 zero_bytes(tf, (argc - 1) * sizeof(*tf));
119 for (i = 0, ap = argv + 1; i < argc - 1 && *ap != NULL; i++, ap++) {
121 set_perms(PERM_RUNAS);
122 if ((ofd = open(*ap, O_RDONLY, 0644)) != -1 || errno == ENOENT) {
124 zero_bytes(&sb, sizeof(sb)); /* new file */
128 error = fstat(ofd, &sb);
130 error = stat(tf[i].ofile, &sb);
134 set_perms(PERM_ROOT);
135 if (error || (ofd != -1 && !S_ISREG(sb.st_mode))) {
139 warningx("%s: not a regular file", *ap);
147 tf[i].omtim.tv_sec = mtim_getsec(sb);
148 tf[i].omtim.tv_nsec = mtim_getnsec(sb);
149 tf[i].osize = sb.st_size;
150 if ((cp = strrchr(tf[i].ofile, '/')) != NULL)
154 easprintf(&tf[i].tfile, "%.*s/%s.XXXXXXXX", tmplen, tmpdir, cp);
155 set_perms(PERM_USER);
156 tfd = mkstemp(tf[i].tfile);
157 set_perms(PERM_ROOT);
163 while ((nread = read(ofd, buf, sizeof(buf))) != 0) {
164 if ((nwritten = write(tfd, buf, nread)) != nread) {
166 warning("%s", tf[i].tfile);
168 warningx("%s: short write", tf[i].tfile);
176 * If we are unable to set the mtime on the temp file to the value
177 * of the original file just make the stashed mtime match the temp
178 * file's mtime. It is better than nothing and we only use the info
179 * to determine whether or not a file has been modified.
181 if (touch(tfd, NULL, &tf[i].omtim) == -1) {
182 if (fstat(tfd, &sb) == 0) {
183 tf[i].omtim.tv_sec = mtim_getsec(sb);
184 tf[i].omtim.tv_nsec = mtim_getnsec(sb);
186 /* XXX - else error? */
192 return(1); /* no files readable, you lose */
195 editor = find_editor();
198 * Allocate space for the new argument vector and fill it in.
199 * The EDITOR and VISUAL environment variables may contain command
200 * line args so look for those and alloc space for them too.
203 for (wasblank = FALSE, cp = editor; *cp != '\0'; cp++) {
204 if (isblank((unsigned char) *cp))
211 nargv = (char **) emalloc2(nargc + 1, sizeof(char *));
213 for ((cp = strtok(editor, " \t")); cp != NULL; (cp = strtok(NULL, " \t")))
215 for (i = 0; i < argc - 1 && ac < nargc; )
216 nargv[ac++] = tf[i++].tfile;
219 /* Allow the editor to be suspended. */
220 (void) sigaction(SIGTSTP, &saved_sa_tstp, NULL);
223 * Fork and exec the editor with the invoking user's creds,
224 * keeping track of the time spent in the editor.
231 } else if (kidpid == 0) {
233 (void) sigaction(SIGINT, &saved_sa_int, NULL);
234 (void) sigaction(SIGQUIT, &saved_sa_quit, NULL);
235 set_perms(PERM_FULL_USER);
236 closefrom(def_closefrom + 1);
237 execvp(nargv[0], nargv);
238 warning("unable to execute %s", nargv[0]);
243 * Wait for status from the child. Most modern kernels
244 * will not let an unprivileged child process send a
245 * signal to its privileged parent so we have to request
246 * status when the child is stopped and then send the
247 * same signal to our own pid.
251 pid = sudo_waitpid(kidpid, &i, WUNTRACED);
257 kill(getpid(), WSTOPSIG(i));
261 } while (pid != -1 || errno == EINTR);
263 if (pid == -1 || !WIFEXITED(i))
266 rval = WEXITSTATUS(i);
268 /* Copy contents of temp files to real ones */
269 for (i = 0; i < argc - 1; i++) {
271 set_perms(PERM_USER);
272 if ((tfd = open(tf[i].tfile, O_RDONLY, 0644)) != -1) {
274 error = fstat(tfd, &sb);
276 error = stat(tf[i].tfile, &sb);
279 set_perms(PERM_ROOT);
280 if (error || !S_ISREG(sb.st_mode)) {
282 warning("%s", tf[i].tfile);
284 warningx("%s: not a regular file", tf[i].tfile);
285 warningx("%s left unmodified", tf[i].ofile);
290 if (tf[i].osize == sb.st_size && tf[i].omtim.tv_sec == mtim_getsec(sb)
291 && tf[i].omtim.tv_nsec == mtim_getnsec(sb)) {
293 * If mtime and size match but the user spent no measurable
294 * time in the editor we can't tell if the file was changed.
296 #ifdef HAVE_TIMESPECSUB2
297 timespecsub(&ts1, &ts2);
299 timespecsub(&ts1, &ts2, &ts2);
301 if (timespecisset(&ts2)) {
302 warningx("%s unchanged", tf[i].ofile);
308 set_perms(PERM_RUNAS);
309 ofd = open(tf[i].ofile, O_WRONLY|O_TRUNC|O_CREAT, 0644);
310 set_perms(PERM_ROOT);
312 warning("unable to write to %s", tf[i].ofile);
313 warningx("contents of edit session left in %s", tf[i].tfile);
317 while ((nread = read(tfd, buf, sizeof(buf))) > 0) {
318 if ((nwritten = write(ofd, buf, nread)) != nread) {
320 warning("%s", tf[i].ofile);
322 warningx("%s: short write", tf[i].ofile);
327 /* success, got EOF */
329 } else if (nread < 0) {
330 warning("unable to read temporary file");
331 warningx("contents of edit session left in %s", tf[i].tfile);
333 warning("unable to write to %s", tf[i].ofile);
334 warningx("contents of edit session left in %s", tf[i].tfile);
341 /* Clean up temp files and return. */
342 for (i = 0; i < argc - 1; i++) {
343 if (tf[i].tfile != NULL)
350 * Determine which editor to use. We don't bother restricting this
351 * based on def_env_editor or def_editor since the editor runs with
352 * the uid of the invoking user, not the runas (privileged) user.
357 char *cp, *editor = NULL, **ev, *ev0[4];
359 ev0[0] = "SUDO_EDITOR";
363 for (ev = ev0; *ev != NULL; ev++) {
364 if ((editor = getenv(*ev)) != NULL && *editor != '\0') {
365 if ((cp = strrchr(editor, '/')) != NULL)
369 /* Ignore "sudoedit" and "sudo" to avoid an endless loop. */
370 if (strncmp(cp, "sudo", 4) != 0 ||
371 (cp[4] != ' ' && cp[4] != '\0' && strcmp(cp + 4, "edit") != 0)) {
372 editor = estrdup(editor);
378 if (editor == NULL) {
379 editor = estrdup(def_editor);
380 if ((cp = strchr(editor, ':')) != NULL)
381 *cp = '\0'; /* def_editor could be a path */
projects / debian / sudo / blob