#ifdef HAVE_UNISTD_H
# include <unistd.h>
#endif /* HAVE_UNISTD_H */
+#ifdef HAVE_INTTYPES_H
+# include <inttypes.h>
+#endif
#if defined(YYBISON) && defined(HAVE_ALLOCA_H) && !defined(__GNUC__)
# include <alloca.h>
#endif /* YYBISON && HAVE_ALLOCA_H && !__GNUC__ */
errorlineno = sudolineno;
errorfile = estrdup(sudoers);
}
- if (trace_print != NULL) {
+ if (sudoers_warnings && s != NULL) {
LEXTRACE("<*> ");
- } else if (sudoers_warnings && s != NULL) {
- warningx(_(">>> %s: %s near line %d <<<"), sudoers, s, sudolineno);
+#ifndef TRACELEXER
+ if (trace_print == NULL || trace_print == sudoers_trace_print)
+ warningx(_(">>> %s: %s near line %d <<<"), sudoers, s, sudolineno);
+#endif
}
parse_error = true;
debug_return;
struct sudo_command command;
struct cmndtag tag;
struct selinux_info seinfo;
+ struct solaris_privs_info privinfo;
char *string;
int tok;
}
%token <tok> ERROR
%token <tok> TYPE /* SELinux type */
%token <tok> ROLE /* SELinux role */
+%token <tok> PRIVS /* Solaris privileges */
+%token <tok> LIMITPRIVS /* Solaris limit privileges */
+%token <tok> MYSELF /* run as myself, not another user */
%type <cmndspec> cmndspec
%type <cmndspec> cmndspeclist
%type <seinfo> selinux
%type <string> rolespec
%type <string> typespec
+%type <privinfo> solarisprivs
+%type <string> privsspec
+%type <string> limitprivsspec
%%
if ($3->type == NULL)
$3->type = $3->prev->type;
#endif /* HAVE_SELINUX */
+#ifdef HAVE_PRIV_SET
+ /* propagate privs & limitprivs */
+ if ($3->privs == NULL)
+ $3->privs = $3->prev->privs;
+ if ($3->limitprivs == NULL)
+ $3->limitprivs = $3->prev->limitprivs;
+#endif /* HAVE_PRIV_SET */
/* propagate tags and runas list */
if ($3->tags.nopasswd == UNSPEC)
$3->tags.nopasswd = $3->prev->tags.nopasswd;
}
;
-cmndspec : runasspec selinux cmndtag opcmnd {
+cmndspec : runasspec selinux solarisprivs cmndtag opcmnd {
struct cmndspec *cs = ecalloc(1, sizeof(*cs));
if ($1 != NULL) {
list2tq(&cs->runasuserlist, $1->runasusers);
cs->role = $2.role;
cs->type = $2.type;
#endif
- cs->tags = $3;
- cs->cmnd = $4;
+#ifdef HAVE_PRIV_SET
+ cs->privs = $3.privs;
+ cs->limitprivs = $3.limitprivs;
+#endif
+ cs->tags = $4;
+ cs->cmnd = $5;
cs->prev = cs;
cs->next = NULL;
/* sudo "ALL" implies the SETENV tag */
}
;
+privsspec : PRIVS '=' WORD {
+ $$ = $3;
+ }
+ ;
+limitprivsspec : LIMITPRIVS '=' WORD {
+ $$ = $3;
+ }
+ ;
+
+solarisprivs : /* empty */ {
+ $$.privs = NULL;
+ $$.limitprivs = NULL;
+ }
+ | privsspec {
+ $$.privs = $1;
+ $$.limitprivs = NULL;
+ }
+ | limitprivsspec {
+ $$.privs = NULL;
+ $$.limitprivs = $1;
+ }
+ | privsspec limitprivsspec {
+ $$.privs = $1;
+ $$.limitprivs = $2;
+ }
+ | limitprivsspec privsspec {
+ $$.limitprivs = $1;
+ $$.privs = $2;
+ }
+
runasspec : /* empty */ {
$$ = NULL;
}
}
;
-runaslist : userlist {
+runaslist : /* empty */ {
+ $$ = ecalloc(1, sizeof(struct runascontainer));
+ $$->runasusers = new_member(NULL, MYSELF);
+ /* $$->runasgroups = NULL; */
+ }
+ | userlist {
$$ = ecalloc(1, sizeof(struct runascontainer));
$$->runasusers = $1;
/* $$->runasgroups = NULL; */
/* $$->runasusers = NULL; */
$$->runasgroups = $2;
}
+ | ':' {
+ $$ = ecalloc(1, sizeof(struct runascontainer));
+ $$->runasusers = new_member(NULL, MYSELF);
+ /* $$->runasgroups = NULL; */
+ }
;
cmndtag : /* empty */ {
* the current sudoers file to path.
*/
void
-init_parser(const char *path, int quiet)
+init_parser(const char *path, bool quiet)
{
struct defaults *d;
struct member *m, *binding;
#ifdef HAVE_SELINUX
char *role = NULL, *type = NULL;
#endif /* HAVE_SELINUX */
+#ifdef HAVE_PRIV_SET
+ char *privs = NULL, *limitprivs = NULL;
+#endif /* HAVE_PRIV_SET */
while ((m = tq_pop(&priv->hostlist)) != NULL) {
efree(m->name);
efree(cs->type);
}
#endif /* HAVE_SELINUX */
+#ifdef HAVE_PRIV_SET
+ /* Only free the first instance of privs/limitprivs. */
+ if (cs->privs != privs) {
+ privs = cs->privs;
+ efree(cs->privs);
+ }
+ if (cs->limitprivs != limitprivs) {
+ limitprivs = cs->limitprivs;
+ efree(cs->limitprivs);
+ }
+#endif /* HAVE_PRIV_SET */
if (tq_last(&cs->runasuserlist) != runasuser) {
runasuser = tq_last(&cs->runasuserlist);
while ((m = tq_pop(&cs->runasuserlist)) != NULL) {