/*
- * Copyright (c) 1996, 1998-2000, 2004, 2007
+ * Copyright (c) 1996, 1998-2000, 2004, 2007-2009
* Todd C. Miller <Todd.Miller@courtesan.com>
*
* Permission to use, copy, modify, and distribute this software for any
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- *
- * $Sudo: parse.h,v 1.14.2.1 2007/06/23 21:36:48 millert Exp $
*/
#ifndef _SUDO_PARSE_H
#define _SUDO_PARSE_H
-/*
- * Data structure used in parsing sudoers;
- * top of stack values are the ones that
- * apply when parsing is done & can be
- * accessed by *_matches macros
- */
-#define STACKINCREMENT (32)
-struct matchstack {
- int user;
- int cmnd;
- int host;
- int runas;
- int nopass;
- int noexec;
- int setenv;
-};
+#undef UNSPEC
+#define UNSPEC -1
+#undef DENY
+#define DENY 0
+#undef ALLOW
+#define ALLOW 1
+#undef IMPLIED
+#define IMPLIED 2
/*
- * Data structure describing a command in the
- * sudoers file.
+ * A command with args. XXX - merge into struct member.
*/
struct sudo_command {
char *cmnd;
char *args;
};
-#define user_matches (match[top-1].user)
-#define cmnd_matches (match[top-1].cmnd)
-#define host_matches (match[top-1].host)
-#define runas_matches (match[top-1].runas)
-#define no_passwd (match[top-1].nopass)
-#define no_execve (match[top-1].noexec)
-#define setenv_ok (match[top-1].setenv)
+/*
+ * Tags associated with a command.
+ * Possible valus: TRUE, FALSE, UNSPEC.
+ */
+struct cmndtag {
+ __signed char nopasswd;
+ __signed char noexec;
+ __signed char setenv;
+ __signed char extra;
+};
/*
- * Structure containing command matches if "sudo -l" is used.
+ * SELinux-specific container struct.
+ * Currently just contains a role and type.
*/
-struct command_match {
- char *runas;
- size_t runas_len;
- size_t runas_size;
- char *cmnd;
- size_t cmnd_len;
- size_t cmnd_size;
- int nopasswd;
- int noexecve;
- int setenv;
+struct selinux_info {
+ char *role;
+ char *type;
+};
+
+/*
+ * The parses sudoers file is stored as a collection of linked lists,
+ * modelled after the yacc grammar.
+ *
+ * Other than the alias struct, which is stored in a red-black tree,
+ * the data structure used is basically a doubly-linked tail queue without
+ * a separate head struct--the first entry acts as the head where the prev
+ * pointer does double duty as the tail pointer. This makes it possible
+ * to trivally append sub-lists. In addition, the prev pointer is always
+ * valid (even if it points to itself). Unlike a circle queue, the next
+ * pointer of the last entry is NULL and does not point back to the head.
+ *
+ * Note that each list struct must contain a "prev" and "next" pointer as
+ * the first two members of the struct (in that order).
+ */
+
+/*
+ * Tail queue list head structure.
+ */
+TQ_DECLARE(defaults)
+TQ_DECLARE(userspec)
+TQ_DECLARE(member)
+TQ_DECLARE(privilege)
+TQ_DECLARE(cmndspec)
+
+/*
+ * Structure describing a user specification and list thereof.
+ */
+struct userspec {
+ struct userspec *prev, *next;
+ struct member_list users; /* list of users */
+ struct privilege_list privileges; /* list of privileges */
+};
+
+/*
+ * Structure describing a privilege specification.
+ */
+struct privilege {
+ struct privilege *prev, *next;
+ struct member_list hostlist; /* list of hosts */
+ struct cmndspec_list cmndlist; /* list of Cmnd_Specs */
};
/*
- * Structure describing an alias match in parser.
+ * Structure describing a linked list of Cmnd_Specs.
*/
-typedef struct {
- int type;
- char *name;
- int val;
-} aliasinfo;
+struct cmndspec {
+ struct cmndspec *prev, *next;
+ struct member_list runasuserlist; /* list of runas users */
+ struct member_list runasgrouplist; /* list of runas groups */
+ struct member *cmnd; /* command to allow/deny */
+ struct cmndtag tags; /* tag specificaion */
+#ifdef HAVE_SELINUX
+ char *role, *type; /* SELinux role and type */
+#endif
+};
/*
- * Structure containing Cmnd_Alias's if "sudo -l" is used.
+ * Generic structure to hold users, hosts, commands.
*/
-struct generic_alias {
- int type;
- char *alias;
- char *entries;
- size_t entries_size;
- size_t entries_len;
+struct member {
+ struct member *prev, *next;
+ char *name; /* member name */
+ short type; /* type (see gram.h) */
+ short negated; /* negated via '!'? */
};
-/* The matching stack and number of entries on it. */
-extern struct matchstack *match;
-extern int top;
+struct runascontainer {
+ struct member *runasusers;
+ struct member *runasgroups;
+};
+
+/*
+ * Generic structure to hold {User,Host,Runas,Cmnd}_Alias
+ * Aliases are stored in a red-black tree, sorted by name and type.
+ */
+struct alias {
+ char *name; /* alias name */
+ unsigned short type; /* {USER,HOST,RUNAS,CMND}ALIAS */
+ unsigned short seqno; /* sequence number */
+ struct member_list members; /* list of alias members */
+};
+
+/*
+ * Structure describing a Defaults entry and a list thereof.
+ */
+struct defaults {
+ struct defaults *prev, *next;
+ char *var; /* variable name */
+ char *val; /* variable value */
+ struct member_list binding; /* user/host/runas binding */
+ int type; /* DEFAULTS{,_USER,_RUNAS,_HOST} */
+ int op; /* TRUE, FALSE, '+', '-' */
+};
+
+/*
+ * Parsed sudoers info.
+ */
+extern struct userspec_list userspecs;
+extern struct defaults_list defaults;
+
+/*
+ * Alias sequence number to avoid loops.
+ */
+extern unsigned int alias_seqno;
/*
* Prototypes
*/
+char *alias_add __P((char *, int, struct member *));
int addr_matches __P((char *));
+int cmnd_matches __P((struct member *));
+int cmndlist_matches __P((struct member_list *));
int command_matches __P((char *, char *));
+int hostlist_matches __P((struct member_list *));
int hostname_matches __P((char *, char *, char *));
int netgr_matches __P((char *, char *, char *, char *));
-int userpw_matches __P((char *, char *, struct passwd *));
+int no_aliases __P((void));
+int runaslist_matches __P((struct member_list *, struct member_list *));
+int userlist_matches __P((struct passwd *, struct member_list *));
int usergr_matches __P((char *, char *, struct passwd *));
+int userpw_matches __P((char *, char *, struct passwd *));
+int group_matches __P((char *, struct group *));
+struct alias *alias_find __P((char *, int));
+struct alias *alias_remove __P((char *, int));
+void alias_free __P((void *));
+void alias_apply __P((int (*)(void *, void *), void *));
+void init_aliases __P((void));
+void init_lexer __P((void));
+void init_parser __P((char *, int));
+int alias_compare __P((const void *, const void *));
#endif /* _SUDO_PARSE_H */
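Review bot: The new `struct selinux_info` (role and type) is declared but `struct cmndspec` still carries the same pair inline as `char *role, *type;` under `#ifdef HAVE_SELINUX`, so the header now has two representations of the SELinux context; unless the container is consumed elsewhere, `struct selinux_info` could be the field in cmndspec (`struct selinux_info sel; /* SELinux role and type */`) so both sites stay in step. The `UNSPEC`/`DENY`/`ALLOW`/`IMPLIED` block has no comment saying what they are the result of or why each is `#undef`'d first; a one-liner such as `/* Match result values; DENY is 0 so a zeroed result fails closed. */` would make the fail-closed ordering explicit if callers rely on it. The `struct cmndtag` comment lists `TRUE, FALSE, UNSPEC` as the possible values, but the `extra` member is uncommented and it is unclear whether it follows the same convention — `__signed char extra; /* TODO: document meaning */` or a real description would help. Several new comments have typos worth fixing in the same commit: `valus` (values), `The parses sudoers file` (parsed), `trivally` (trivially), `specificaion` (specification). Finally, `struct member` uses `short type` while `struct alias` uses `unsigned short type` and `alias_find`/`alias_remove` take `int`; picking one width/signedness for the type tag avoids sign-conversion surprises when they are compared.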