/*
- * Copyright (c) 2007-2011 Todd C. Miller <Todd.Miller@courtesan.com>
+ * Copyright (c) 2007-2013 Todd C. Miller <Todd.Miller@courtesan.com>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
#include <config.h>
#include <sys/types.h>
-#include <sys/param.h>
+#include <sys/stat.h>
+
#include <stdio.h>
#ifdef STDC_HEADERS
# include <stdlib.h>
#ifdef HAVE_LDAP
extern struct sudo_nss sudo_nss_ldap;
#endif
+#ifdef HAVE_SSSD
+extern struct sudo_nss sudo_nss_sss;
+#endif
-#if defined(HAVE_LDAP) && defined(_PATH_NSSWITCH_CONF)
+#if (defined(HAVE_LDAP) || defined(HAVE_SSSD)) && defined(_PATH_NSSWITCH_CONF)
/*
* Read in /etc/nsswitch.conf
* Returns a tail queue of matches.
sudo_read_nss(void)
{
FILE *fp;
- char *cp;
- int saw_files = FALSE;
- int saw_ldap = FALSE;
- int got_match = FALSE;
+ char *cp, *line = NULL;
+ size_t linesize = 0;
+#ifdef HAVE_SSSD
+ bool saw_sss = false;
+#endif
+ bool saw_files = false;
+ bool saw_ldap = false;
+ bool got_match = false;
static struct sudo_nss_list snl;
+ debug_decl(sudo_read_nss, SUDO_DEBUG_NSS)
if ((fp = fopen(_PATH_NSSWITCH_CONF, "r")) == NULL)
goto nomatch;
- while ((cp = sudo_parseln(fp)) != NULL) {
+ while (sudo_parseln(&line, &linesize, NULL, fp) != -1) {
/* Skip blank or comment lines */
- if (*cp == '\0')
+ if (*line == '\0')
continue;
/* Look for a line starting with "sudoers:" */
- if (strncasecmp(cp, "sudoers:", 8) != 0)
+ if (strncasecmp(line, "sudoers:", 8) != 0)
continue;
/* Parse line */
- for ((cp = strtok(cp + 8, " \t")); cp != NULL; (cp = strtok(NULL, " \t"))) {
+ for ((cp = strtok(line + 8, " \t")); cp != NULL; (cp = strtok(NULL, " \t"))) {
if (strcasecmp(cp, "files") == 0 && !saw_files) {
tq_append(&snl, &sudo_nss_file);
- got_match = TRUE;
+ got_match = true;
+#ifdef HAVE_LDAP
} else if (strcasecmp(cp, "ldap") == 0 && !saw_ldap) {
tq_append(&snl, &sudo_nss_ldap);
- got_match = TRUE;
+ got_match = true;
+#endif
+#ifdef HAVE_SSSD
+ } else if (strcasecmp(cp, "sss") == 0 && !saw_sss) {
+ tq_append(&snl, &sudo_nss_sss);
+ got_match = true;
+#endif
} else if (strcasecmp(cp, "[NOTFOUND=return]") == 0 && got_match) {
/* NOTFOUND affects the most recent entry */
- tq_last(&snl)->ret_if_notfound = TRUE;
- got_match = FALSE;
+ tq_last(&snl)->ret_if_notfound = true;
+ got_match = false;
+ } else if (strcasecmp(cp, "[SUCCESS=return]") == 0 && got_match) {
+ /* SUCCESS affects the most recent entry */
+ tq_last(&snl)->ret_if_found = true;
+ got_match = false;
} else
- got_match = FALSE;
+ got_match = false;
}
/* Only parse the first "sudoers:" line */
break;
}
+ free(line);
fclose(fp);
nomatch:
if (tq_empty(&snl))
tq_append(&snl, &sudo_nss_file);
- return &snl;
+ debug_return_ptr(&snl);
}
-#else /* HAVE_LDAP && _PATH_NSSWITCH_CONF */
+#else /* (HAVE_LDAP || HAVE_SSSD) && _PATH_NSSWITCH_CONF */
-# if defined(HAVE_LDAP) && defined(_PATH_NETSVC_CONF)
+# if (defined(HAVE_LDAP) || defined(HAVE_SSSD)) && defined(_PATH_NETSVC_CONF)
/*
* Read in /etc/netsvc.conf (like nsswitch.conf on AIX)
sudo_read_nss(void)
{
FILE *fp;
- char *cp, *ep;
- int saw_files = FALSE;
- int saw_ldap = FALSE;
- int got_match = FALSE;
+ char *cp, *ep, *line = NULL;
+ ssize_t linesize = 0;
+#ifdef HAVE_SSSD
+ bool saw_sss = false;
+#endif
+ bool saw_files = false;
+ bool saw_ldap = false;
+ bool got_match = false;
static struct sudo_nss_list snl;
+ debug_decl(sudo_read_nss, SUDO_DEBUG_NSS)
if ((fp = fopen(_PATH_NETSVC_CONF, "r")) == NULL)
goto nomatch;
- while ((cp = sudo_parseln(fp)) != NULL) {
+ while (sudo_parseln(&line, &linesize, NULL, fp) != -1) {
/* Skip blank or comment lines */
- if (*cp == '\0')
+ if (*(cp = line) == '\0')
continue;
/* Look for a line starting with "sudoers = " */
if (!saw_files && strncasecmp(cp, "files", 5) == 0 &&
(isspace((unsigned char)cp[5]) || cp[5] == '\0')) {
tq_append(&snl, &sudo_nss_file);
- got_match = TRUE;
+ got_match = true;
ep = &cp[5];
+#ifdef HAVE_LDAP
} else if (!saw_ldap && strncasecmp(cp, "ldap", 4) == 0 &&
(isspace((unsigned char)cp[4]) || cp[4] == '\0')) {
tq_append(&snl, &sudo_nss_ldap);
- got_match = TRUE;
+ got_match = true;
ep = &cp[4];
+#endif
+#ifdef HAVE_SSSD
+ } else if (!saw_sss && strncasecmp(cp, "sss", 3) == 0 &&
+ (isspace((unsigned char)cp[3]) || cp[3] == '\0')) {
+ tq_append(&snl, &sudo_nss_sss);
+ got_match = true;
+ ep = &cp[3];
+#endif
} else {
- got_match = FALSE;
+ got_match = false;
}
/* check for = auth qualifier */
cp++;
if (strncasecmp(cp, "auth", 4) == 0 &&
(isspace((unsigned char)cp[4]) || cp[4] == '\0')) {
- tq_last(&snl)->ret_if_found = TRUE;
+ tq_last(&snl)->ret_if_found = true;
}
}
}
if (tq_empty(&snl))
tq_append(&snl, &sudo_nss_file);
- return &snl;
+ debug_return_ptr(&snl);
}
# else /* !_PATH_NETSVC_CONF && !_PATH_NSSWITCH_CONF */
sudo_read_nss(void)
{
static struct sudo_nss_list snl;
+ debug_decl(sudo_read_nss, SUDO_DEBUG_NSS)
+# ifdef HAVE_SSSD
+ tq_append(&snl, &sudo_nss_sss);
+# endif
# ifdef HAVE_LDAP
tq_append(&snl, &sudo_nss_ldap);
# endif
tq_append(&snl, &sudo_nss_file);
- return &snl;
+ debug_return_ptr(&snl);
}
# endif /* !HAVE_LDAP || !_PATH_NETSVC_CONF */
{
struct sudo_conv_message msg;
struct sudo_conv_reply repl;
+ debug_decl(output, SUDO_DEBUG_NSS)
/* Call conversation function */
memset(&msg, 0, sizeof(msg));
msg.msg = buf;
memset(&repl, 0, sizeof(repl));
if (sudo_conv(1, &msg, &repl) == -1)
- return 0;
- return (int)strlen(buf);
+ debug_return_int(0);
+ debug_return_int(strlen(buf));
}
/*
{
struct sudo_nss *nss;
struct lbuf defs, privs;
- int count, olen;
+ struct stat sb;
+ int cols, count, olen;
+ debug_decl(display_privs, SUDO_DEBUG_NSS)
- lbuf_init(&defs, output, 4, NULL, sudo_user.cols);
- lbuf_init(&privs, output, 4, NULL, sudo_user.cols);
+ cols = sudo_user.cols;
+ if (fstat(STDOUT_FILENO, &sb) == 0 && S_ISFIFO(sb.st_mode))
+ cols = 0;
+ lbuf_init(&defs, output, 4, NULL, cols);
+ lbuf_init(&privs, output, 8, NULL, cols);
/* Display defaults from all sources. */
lbuf_append(&defs, _("Matching Defaults entries for %s on this host:\n"),
tq_foreach_fwd(snl, nss) {
count += nss->display_privs(nss, pw, &privs);
}
- if (count) {
- lbuf_print(&defs);
- lbuf_print(&privs);
- } else {
- printf(_("User %s is not allowed to run sudo on %s.\n"), pw->pw_name,
- user_shost);
+ if (count == 0) {
+ defs.len = 0;
+ privs.len = 0;
+ lbuf_append(&privs, _("User %s is not allowed to run sudo on %s.\n"),
+ pw->pw_name, user_shost);
}
+ lbuf_print(&defs);
+ lbuf_print(&privs);
lbuf_destroy(&defs);
lbuf_destroy(&privs);
+
+ debug_return;
}
/*
* Check user_cmnd against sudoers and print the matching entry if the
* command is allowed.
- * Returns TRUE if the command is allowed, else FALSE.
+ * Returns true if the command is allowed, else false.
*/
-int
+bool
display_cmnd(struct sudo_nss_list *snl, struct passwd *pw)
{
struct sudo_nss *nss;
+ debug_decl(display_cmnd, SUDO_DEBUG_NSS)
tq_foreach_fwd(snl, nss) {
if (nss->display_cmnd(nss, pw) == 0)
- return TRUE;
+ debug_return_bool(true);
}
- return FALSE;
+ debug_return_bool(false);
}