/* A lexical scanner generated by flex */
/* Scanner skeleton version:
- * $Header: /home/cvs/openbsd/src/usr.bin/lex/flex.skl,v 1.11 2010/08/04 18:24:50 millert Exp $
+ * $Header: /cvs/src/usr.bin/lex/flex.skl,v 1.11 2010/08/04 18:24:50 millert Exp $
*/
#define FLEX_SCANNER
#define INITIAL 0
#line 2 "toke.l"
/*
- * Copyright (c) 1996, 1998-2005, 2007-2011
+ * Copyright (c) 1996, 1998-2005, 2007-2012
* Todd C. Miller <Todd.Miller@courtesan.com>
*
* Permission to use, copy, modify, and distribute this software for any
#include "toke.h"
#include <gram.h>
#include "lbuf.h"
+#include "secure_path.h"
extern YYSTYPE yylval;
extern bool parse_error;
+extern bool sudoers_warnings;
int sudolineno;
int last_token;
char *sudoers;
+/* Default sudoers path, mode and owner (may be set via sudo.conf) */
+const char *sudoers_file = _PATH_SUDOERS;
+mode_t sudoers_mode = SUDOERS_MODE;
+uid_t sudoers_uid = SUDOERS_UID;
+gid_t sudoers_gid = SUDOERS_GID;
+
static bool continued, sawspace;
static int prev_state;
return (n); \
} while (0)
+#define ECHO ignore_result(fwrite(yytext, yyleng, 1, yyout))
+
#define push_include(_p) (_push_include((_p), false))
#define push_includedir(_p) (_push_include((_p), true))
#define YY_NO_INPUT 1
#define INSTR 5
-#line 1515 "lex.yy.c"
+#line 1525 "lex.yy.c"
/* Macros after this point can all be overridden by user definitions in
* section 1.
register char *yy_cp, *yy_bp;
register int yy_act;
-#line 123 "toke.l"
+#line 133 "toke.l"
-#line 1671 "lex.yy.c"
+#line 1681 "lex.yy.c"
if ( yy_init )
{
case 1:
YY_RULE_SETUP
-#line 124 "toke.l"
+#line 134 "toke.l"
{
LEXTRACE(", ");
LEXRETURN(',');
YY_BREAK
case 2:
YY_RULE_SETUP
-#line 129 "toke.l"
+#line 139 "toke.l"
BEGIN STARTDEFS;
YY_BREAK
case 3:
YY_RULE_SETUP
-#line 131 "toke.l"
+#line 141 "toke.l"
{
BEGIN INDEFS;
LEXTRACE("DEFVAR ");
case 4:
YY_RULE_SETUP
-#line 140 "toke.l"
+#line 150 "toke.l"
{
BEGIN STARTDEFS;
LEXTRACE(", ");
YY_BREAK
case 5:
YY_RULE_SETUP
-#line 146 "toke.l"
+#line 156 "toke.l"
{
LEXTRACE("= ");
LEXRETURN('=');
YY_BREAK
case 6:
YY_RULE_SETUP
-#line 151 "toke.l"
+#line 161 "toke.l"
{
LEXTRACE("+= ");
LEXRETURN('+');
YY_BREAK
case 7:
YY_RULE_SETUP
-#line 156 "toke.l"
+#line 166 "toke.l"
{
LEXTRACE("-= ");
LEXRETURN('-');
YY_BREAK
case 8:
YY_RULE_SETUP
-#line 161 "toke.l"
+#line 171 "toke.l"
{
LEXTRACE("BEGINSTR ");
yylval.string = NULL;
YY_BREAK
case 9:
YY_RULE_SETUP
-#line 168 "toke.l"
+#line 178 "toke.l"
{
LEXTRACE("WORD(2) ");
if (!fill(yytext, yyleng))
case 10:
YY_RULE_SETUP
-#line 177 "toke.l"
+#line 187 "toke.l"
{
/* Line continuation char followed by newline. */
sudolineno++;
YY_BREAK
case 11:
YY_RULE_SETUP
-#line 183 "toke.l"
+#line 193 "toke.l"
{
LEXTRACE("ENDSTR ");
BEGIN prev_state;
YY_BREAK
case 12:
YY_RULE_SETUP
-#line 215 "toke.l"
+#line 225 "toke.l"
{
LEXTRACE("BACKSLASH ");
if (!append(yytext, yyleng))
YY_BREAK
case 13:
YY_RULE_SETUP
-#line 221 "toke.l"
+#line 231 "toke.l"
{
LEXTRACE("STRBODY ");
if (!append(yytext, yyleng))
case 14:
YY_RULE_SETUP
-#line 229 "toke.l"
+#line 239 "toke.l"
{
/* quoted fnmatch glob char, pass verbatim */
LEXTRACE("QUOTEDCHAR ");
YY_BREAK
case 15:
YY_RULE_SETUP
-#line 237 "toke.l"
+#line 247 "toke.l"
{
/* quoted sudoers special char, strip backslash */
LEXTRACE("QUOTEDCHAR ");
YY_BREAK
case 16:
YY_RULE_SETUP
-#line 245 "toke.l"
+#line 255 "toke.l"
{
BEGIN INITIAL;
yyless(0);
YY_BREAK
case 17:
YY_RULE_SETUP
-#line 251 "toke.l"
+#line 261 "toke.l"
{
LEXTRACE("ARG ");
if (!fill_args(yytext, yyleng, sawspace))
case 18:
YY_RULE_SETUP
-#line 259 "toke.l"
+#line 269 "toke.l"
{
char *path;
YY_BREAK
case 19:
YY_RULE_SETUP
-#line 277 "toke.l"
+#line 287 "toke.l"
{
char *path;
YY_BREAK
case 20:
YY_RULE_SETUP
-#line 298 "toke.l"
+#line 308 "toke.l"
{
char deftype;
int n;
YY_BREAK
case 21:
YY_RULE_SETUP
-#line 338 "toke.l"
+#line 348 "toke.l"
{
int n;
YY_BREAK
case 22:
YY_RULE_SETUP
-#line 364 "toke.l"
+#line 374 "toke.l"
{
/* cmnd does not require passwd for this user */
LEXTRACE("NOPASSWD ");
YY_BREAK
case 23:
YY_RULE_SETUP
-#line 370 "toke.l"
+#line 380 "toke.l"
{
/* cmnd requires passwd for this user */
LEXTRACE("PASSWD ");
YY_BREAK
case 24:
YY_RULE_SETUP
-#line 376 "toke.l"
+#line 386 "toke.l"
{
LEXTRACE("NOEXEC ");
LEXRETURN(NOEXEC);
YY_BREAK
case 25:
YY_RULE_SETUP
-#line 381 "toke.l"
+#line 391 "toke.l"
{
LEXTRACE("EXEC ");
LEXRETURN(EXEC);
YY_BREAK
case 26:
YY_RULE_SETUP
-#line 386 "toke.l"
+#line 396 "toke.l"
{
LEXTRACE("SETENV ");
LEXRETURN(SETENV);
YY_BREAK
case 27:
YY_RULE_SETUP
-#line 391 "toke.l"
+#line 401 "toke.l"
{
LEXTRACE("NOSETENV ");
LEXRETURN(NOSETENV);
YY_BREAK
case 28:
YY_RULE_SETUP
-#line 396 "toke.l"
+#line 406 "toke.l"
{
LEXTRACE("LOG_OUTPUT ");
LEXRETURN(LOG_OUTPUT);
YY_BREAK
case 29:
YY_RULE_SETUP
-#line 401 "toke.l"
+#line 411 "toke.l"
{
LEXTRACE("NOLOG_OUTPUT ");
LEXRETURN(NOLOG_OUTPUT);
YY_BREAK
case 30:
YY_RULE_SETUP
-#line 406 "toke.l"
+#line 416 "toke.l"
{
LEXTRACE("LOG_INPUT ");
LEXRETURN(LOG_INPUT);
YY_BREAK
case 31:
YY_RULE_SETUP
-#line 411 "toke.l"
+#line 421 "toke.l"
{
LEXTRACE("NOLOG_INPUT ");
LEXRETURN(NOLOG_INPUT);
YY_BREAK
case 32:
YY_RULE_SETUP
-#line 416 "toke.l"
+#line 426 "toke.l"
{
/* empty group or netgroup */
LEXTRACE("ERROR ");
YY_BREAK
case 33:
YY_RULE_SETUP
-#line 422 "toke.l"
+#line 432 "toke.l"
{
/* netgroup */
if (!fill(yytext, yyleng))
YY_BREAK
case 34:
YY_RULE_SETUP
-#line 430 "toke.l"
+#line 440 "toke.l"
{
/* group */
if (!fill(yytext, yyleng))
YY_BREAK
case 35:
YY_RULE_SETUP
-#line 438 "toke.l"
+#line 448 "toke.l"
{
if (!fill(yytext, yyleng))
yyterminate();
YY_BREAK
case 36:
YY_RULE_SETUP
-#line 445 "toke.l"
+#line 455 "toke.l"
{
if (!fill(yytext, yyleng))
yyterminate();
YY_BREAK
case 37:
YY_RULE_SETUP
-#line 452 "toke.l"
+#line 462 "toke.l"
{
if (!ipv6_valid(yytext)) {
LEXTRACE("ERROR ");
YY_BREAK
case 38:
YY_RULE_SETUP
-#line 463 "toke.l"
+#line 473 "toke.l"
{
if (!ipv6_valid(yytext)) {
LEXTRACE("ERROR ");
YY_BREAK
case 39:
YY_RULE_SETUP
-#line 474 "toke.l"
+#line 484 "toke.l"
{
LEXTRACE("ALL ");
LEXRETURN(ALL);
YY_BREAK
case 40:
YY_RULE_SETUP
-#line 480 "toke.l"
+#line 490 "toke.l"
{
#ifdef HAVE_SELINUX
LEXTRACE("ROLE ");
YY_BREAK
case 41:
YY_RULE_SETUP
-#line 489 "toke.l"
+#line 499 "toke.l"
{
#ifdef HAVE_SELINUX
LEXTRACE("TYPE ");
YY_BREAK
case 42:
YY_RULE_SETUP
-#line 498 "toke.l"
+#line 508 "toke.l"
{
#ifndef HAVE_SELINUX
got_alias:
YY_BREAK
case 43:
YY_RULE_SETUP
-#line 508 "toke.l"
+#line 518 "toke.l"
{
/* no command args allowed for Defaults!/path */
if (!fill_cmnd(yytext, yyleng))
YY_BREAK
case 44:
YY_RULE_SETUP
-#line 516 "toke.l"
+#line 526 "toke.l"
{
BEGIN GOTCMND;
LEXTRACE("COMMAND ");
YY_BREAK
case 45:
YY_RULE_SETUP
-#line 523 "toke.l"
+#line 533 "toke.l"
{
/* directories can't have args... */
if (yytext[yyleng - 1] == '/') {
YY_BREAK
case 46:
YY_RULE_SETUP
-#line 538 "toke.l"
+#line 548 "toke.l"
{
LEXTRACE("BEGINSTR ");
yylval.string = NULL;
YY_BREAK
case 47:
YY_RULE_SETUP
-#line 545 "toke.l"
+#line 555 "toke.l"
{
/* a word */
if (!fill(yytext, yyleng))
YY_BREAK
case 48:
YY_RULE_SETUP
-#line 553 "toke.l"
+#line 563 "toke.l"
{
LEXTRACE("( ");
LEXRETURN('(');
YY_BREAK
case 49:
YY_RULE_SETUP
-#line 558 "toke.l"
+#line 568 "toke.l"
{
LEXTRACE(") ");
LEXRETURN(')');
YY_BREAK
case 50:
YY_RULE_SETUP
-#line 563 "toke.l"
+#line 573 "toke.l"
{
LEXTRACE(", ");
LEXRETURN(',');
YY_BREAK
case 51:
YY_RULE_SETUP
-#line 568 "toke.l"
+#line 578 "toke.l"
{
LEXTRACE("= ");
LEXRETURN('=');
YY_BREAK
case 52:
YY_RULE_SETUP
-#line 573 "toke.l"
+#line 583 "toke.l"
{
LEXTRACE(": ");
LEXRETURN(':');
YY_BREAK
case 53:
YY_RULE_SETUP
-#line 578 "toke.l"
+#line 588 "toke.l"
{
if (yyleng & 1) {
LEXTRACE("!");
YY_BREAK
case 54:
YY_RULE_SETUP
-#line 585 "toke.l"
+#line 595 "toke.l"
{
if (YY_START == INSTR) {
LEXTRACE("ERROR ");
YY_BREAK
case 55:
YY_RULE_SETUP
-#line 597 "toke.l"
+#line 607 "toke.l"
{ /* throw away space/tabs */
sawspace = true; /* but remember for fill_args */
}
YY_BREAK
case 56:
YY_RULE_SETUP
-#line 601 "toke.l"
+#line 611 "toke.l"
{
sawspace = true; /* remember for fill_args */
sudolineno++;
YY_BREAK
case 57:
YY_RULE_SETUP
-#line 607 "toke.l"
+#line 617 "toke.l"
{
BEGIN INITIAL;
sudolineno++;
YY_BREAK
case 58:
YY_RULE_SETUP
-#line 615 "toke.l"
+#line 625 "toke.l"
{
LEXTRACE("ERROR ");
LEXRETURN(ERROR);
case YY_STATE_EOF(STARTDEFS):
case YY_STATE_EOF(INDEFS):
case YY_STATE_EOF(INSTR):
-#line 620 "toke.l"
+#line 630 "toke.l"
{
if (YY_START != INITIAL) {
BEGIN INITIAL;
YY_BREAK
case 59:
YY_RULE_SETUP
-#line 630 "toke.l"
+#line 640 "toke.l"
ECHO;
YY_BREAK
-#line 2447 "lex.yy.c"
+#line 2457 "lex.yy.c"
case YY_END_OF_BUFFER:
{
return 0;
}
#endif
-#line 630 "toke.l"
+#line 640 "toke.l"
struct path_list {
char *path;
}
}
if (isdir) {
+ struct stat sb;
+ switch (sudo_secure_dir(path, sudoers_uid, sudoers_gid, &sb)) {
+ case SUDO_PATH_MISSING:
+ debug_return_bool(false);
+ case SUDO_PATH_BAD_TYPE:
+ errno = ENOTDIR;
+ if (sudoers_warnings) {
+ warning("%s", path);
+ }
+ debug_return_bool(false);
+ case SUDO_PATH_WRONG_OWNER:
+ if (sudoers_warnings) {
+ warningx(_("%s is owned by uid %u, should be %u"),
+ path, (unsigned int) sb.st_uid,
+ (unsigned int) sudoers_uid);
+ }
+ debug_return_bool(false);
+ case SUDO_PATH_WORLD_WRITABLE:
+ if (sudoers_warnings) {
+ warningx(_("%s is world writable"), path);
+ }
+ debug_return_bool(false);
+ case SUDO_PATH_GROUP_WRITABLE:
+ if (sudoers_warnings) {
+ warningx(_("%s is owned by gid %u, should be %u"),
+ path, (unsigned int) sb.st_gid,
+ (unsigned int) sudoers_gid);
+ }
+ debug_return_bool(false);
+ default:
+ /* NOTREACHED */
+ debug_return_bool(false);
+ }
if (!(path = switch_dir(&istack[idepth], path))) {
/* switch_dir() called yyerror() for us */
debug_return_bool(false);
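Review bot: The switch on `sudo_secure_dir()` inside the `if (isdir)` block has no arm for the success status, so a directory that passes the check falls through to `default:` (marked NOTREACHED) and the function returns false, which would reject every included directory; if a `case SUDO_PATH_SECURE: break;` arm was elided from this excerpt, disregard, otherwise add it as the first arm: `case SUDO_PATH_SECURE:` / `break;`. The fail-closed `default:` itself is the right choice for an unexpected status and should stay. The group-writable arm reports `_("%s is owned by gid %u, should be %u")`, which names ownership rather than the writability the status denotes; a wording that mentions group-writability would be clearer, though the exact condition sudo_secure_dir() tests is not visible here. The enclosing function (apparently `_push_include`, given the `switch_dir()` call that follows) starts before and ends after the hunk.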
/* XXX - assumes a final newline */
if (strchr(msg, '\n') != NULL)
{
- sudo_debug_printf2(SUDO_DEBUG_PARSER|SUDO_DEBUG_DEBUG, "%s:%d %s",
- sudoers, sudolineno, lbuf.buf);
+ sudo_debug_printf2(NULL, NULL, 0, SUDO_DEBUG_PARSER|SUDO_DEBUG_DEBUG,
+ "%s:%d %s", sudoers, sudolineno, lbuf.buf);
lbuf.len = 0;
}
return 0;