X-Git-Url: https://git.gag.com/?a=blobdiff_plain;f=plugins%2Fsudoers%2Fsudo_nss.c;h=bf216fa3dc0765a6e1410de0e4366260e5f5b066;hb=e8db7f6eea9b35527ddd4532affabd18a30549b5;hp=2f77d894741354ad924d693b31df78832494bab1;hpb=7a01b10fee894dea7ecb3252886912eab41e9693;p=debian%2Fsudo
diff --git a/plugins/sudoers/sudo_nss.c b/plugins/sudoers/sudo_nss.c
index 2f77d89..bf216fa 100644
--- a/plugins/sudoers/sudo_nss.c
+++ b/plugins/sudoers/sudo_nss.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2007-2011 Todd C. Miller
+ * Copyright (c) 2007-2013 Todd C. Miller
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
@@ -17,7 +17,8 @@
 #include
 #include
-#include
+#include
+
 #include
 #ifdef STDC_HEADERS
 # include
@@ -47,8 +48,11 @@ extern struct sudo_nss sudo_nss_file;
 #ifdef HAVE_LDAP
 extern struct sudo_nss sudo_nss_ldap;
 #endif
+#ifdef HAVE_SSSD
+extern struct sudo_nss sudo_nss_sss;
+#endif
-#if defined(HAVE_LDAP) && defined(_PATH_NSSWITCH_CONF)
+#if (defined(HAVE_LDAP) || defined(HAVE_SSSD)) && defined(_PATH_NSSWITCH_CONF)
 /*
 * Read in /etc/nsswitch.conf
 * Returns a tail queue of matches.
@@ -57,42 +61,59 @@ struct sudo_nss_list *
 sudo_read_nss(void)
 {
 FILE *fp;
- char *cp;
- int saw_files = FALSE;
- int saw_ldap = FALSE;
- int got_match = FALSE;
+ char *cp, *line = NULL;
+ size_t linesize = 0;
+#ifdef HAVE_SSSD
+ bool saw_sss = false;
+#endif
+ bool saw_files = false;
+ bool saw_ldap = false;
+ bool got_match = false;
 static struct sudo_nss_list snl;
+ debug_decl(sudo_read_nss, SUDO_DEBUG_NSS)
 if ((fp = fopen(_PATH_NSSWITCH_CONF, "r")) == NULL) goto nomatch;
- while ((cp = sudo_parseln(fp)) != NULL) {
+ while (sudo_parseln(&line, &linesize, NULL, fp) != -1) {
 /* Skip blank or comment lines */
- if (*cp == '\0')
+ if (*line == '\0')
 continue;
 /* Look for a line starting with "sudoers:" */
- if (strncasecmp(cp, "sudoers:", 8) != 0)
+ if (strncasecmp(line, "sudoers:", 8) != 0)
 continue;
 /* Parse line */
- for ((cp = strtok(cp + 8, " \t")); cp != NULL; (cp = strtok(NULL, " \t"))) {
+ for ((cp = strtok(line + 8, " \t")); cp != NULL; (cp = strtok(NULL, " \t"))) {
 if (strcasecmp(cp, "files") == 0 && !saw_files) {
 tq_append(&snl, &sudo_nss_file);
- got_match = TRUE;
+ got_match = true;
+#ifdef HAVE_LDAP
 } else if (strcasecmp(cp, "ldap") == 0 && !saw_ldap) {
 tq_append(&snl, &sudo_nss_ldap);
- got_match = TRUE;
+ got_match = true;
+#endif
+#ifdef HAVE_SSSD
+ } else if (strcasecmp(cp, "sss") == 0 && !saw_sss) {
+ tq_append(&snl, &sudo_nss_sss);
+ got_match = true;
+#endif
 } else if (strcasecmp(cp, "[NOTFOUND=return]") == 0 && got_match) {
 /* NOTFOUND affects the most recent entry */
- tq_last(&snl)->ret_if_notfound = TRUE;
- got_match = FALSE;
+ tq_last(&snl)->ret_if_notfound = true;
+ got_match = false;
+ } else if (strcasecmp(cp, "[SUCCESS=return]") == 0 && got_match) {
+ /* SUCCESS affects the most recent entry */
+ tq_last(&snl)->ret_if_found = true;
+ got_match = false;
 } else
- got_match = FALSE;
+ got_match = false;
 }
 /* Only parse the first "sudoers:" line */
 break;
 }
+ free(line);
 fclose(fp);
 nomatch:
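Review bot: None of `saw_files`, `saw_ldap` or `saw_sss` is ever assigned inside the parse loop, so the `!saw_*` guards on the `files`, `ldap` and new `sss` branches can never fire, and a line such as `sudoers: files files` would `tq_append` the same static `sudo_nss` node to the tail queue a second time. Setting the flag together with the match, e.g. `got_match = saw_sss = true;` in the `sss` branch and likewise `saw_files`/`saw_ldap` in the other two, makes the guards do what their names say; the netsvc.conf parser in the `@@ -147,15 +173,24 @@` hunk copies the same pattern and needs the same change. In a build without `HAVE_LDAP` the `saw_ldap` declaration is now unused because its branch sits under `#ifdef HAVE_LDAP`, so it could move under the same guard as `saw_sss`. The body of sudo_read_nss continues in the next hunk.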
@@ -100,12 +121,12 @@ nomatch:
 if (tq_empty(&snl)) tq_append(&snl, &sudo_nss_file);
- return &snl;
+ debug_return_ptr(&snl);
 }
-#else /* HAVE_LDAP && _PATH_NSSWITCH_CONF */
+#else /* (HAVE_LDAP || HAVE_SSSD) && _PATH_NSSWITCH_CONF */
-# if defined(HAVE_LDAP) && defined(_PATH_NETSVC_CONF)
+# if (defined(HAVE_LDAP) || defined(HAVE_SSSD)) && defined(_PATH_NETSVC_CONF)
 /*
 * Read in /etc/netsvc.conf (like nsswitch.conf on AIX)
@@ -115,18 +136,23 @@ struct sudo_nss_list *
 sudo_read_nss(void)
 {
 FILE *fp;
- char *cp, *ep;
- int saw_files = FALSE;
- int saw_ldap = FALSE;
- int got_match = FALSE;
+ char *cp, *ep, *line = NULL;
+ ssize_t linesize = 0;
+#ifdef HAVE_SSSD
+ bool saw_sss = false;
+#endif
+ bool saw_files = false;
+ bool saw_ldap = false;
+ bool got_match = false;
 static struct sudo_nss_list snl;
+ debug_decl(sudo_read_nss, SUDO_DEBUG_NSS)
 if ((fp = fopen(_PATH_NETSVC_CONF, "r")) == NULL) goto nomatch;
- while ((cp = sudo_parseln(fp)) != NULL) {
+ while (sudo_parseln(&line, &linesize, NULL, fp) != -1) {
 /* Skip blank or comment lines */
- if (*cp == '\0')
+ if (*(cp = line) == '\0')
 continue;
 /* Look for a line starting with "sudoers = " */
@@ -147,15 +173,24 @@ sudo_read_nss(void)
 if (!saw_files && strncasecmp(cp, "files", 5) == 0 &&
 (isspace((unsigned char)cp[5]) || cp[5] == '\0')) {
 tq_append(&snl, &sudo_nss_file);
- got_match = TRUE;
+ got_match = true;
 ep = &cp[5];
+#ifdef HAVE_LDAP
 } else if (!saw_ldap && strncasecmp(cp, "ldap", 4) == 0 &&
 (isspace((unsigned char)cp[4]) || cp[4] == '\0')) {
 tq_append(&snl, &sudo_nss_ldap);
- got_match = TRUE;
+ got_match = true;
 ep = &cp[4];
+#endif
+#ifdef HAVE_SSSD
+ } else if (!saw_sss && strncasecmp(cp, "sss", 3) == 0 &&
+ (isspace((unsigned char)cp[3]) || cp[3] == '\0')) {
+ tq_append(&snl, &sudo_nss_sss);
+ got_match = true;
+ ep = &cp[3];
+#endif
 } else {
- got_match = FALSE;
+ got_match = false;
 }
 /* check for = auth qualifier */
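Review bot: In the netsvc.conf variant of sudo_read_nss (`@@ -115,18 +136,23 @@`) `linesize` is declared `ssize_t`, while the nsswitch.conf variant in the previous hunk declares it `size_t`, and both pass `&linesize` to the same `sudo_parseln`; one of the two is an incompatible pointer type and will draw a signedness diagnostic. The getline-style `(char **, size_t *, ...)` shape of the call suggests `size_t` is the intended one, so `size_t linesize = 0;` here, but confirm against the prototype, which is outside this diff. The `*(cp = line) == '\0'` assignment buried in the condition is harder to read than a plain `cp = line;` on the line before the check, and matches neither the nsswitch.conf variant nor the rest of the file.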
@@ -165,7 +200,7 @@ sudo_read_nss(void)
 cp++;
 if (strncasecmp(cp, "auth", 4) == 0 &&
 (isspace((unsigned char)cp[4]) || cp[4] == '\0')) {
- tq_last(&snl)->ret_if_found = TRUE;
+ tq_last(&snl)->ret_if_found = true;
 }
 }
 }
@@ -179,7 +214,7 @@ nomatch:
 if (tq_empty(&snl)) tq_append(&snl, &sudo_nss_file);
- return &snl;
+ debug_return_ptr(&snl);
 }
 # else /* !_PATH_NETSVC_CONF && !_PATH_NSSWITCH_CONF */
@@ -191,49 +226,29 @@ struct sudo_nss_list *
 sudo_read_nss(void)
 {
 static struct sudo_nss_list snl;
+ debug_decl(sudo_read_nss, SUDO_DEBUG_NSS)
+# ifdef HAVE_SSSD
+ tq_append(&snl, &sudo_nss_sss);
+# endif
 # ifdef HAVE_LDAP
 tq_append(&snl, &sudo_nss_ldap);
 # endif
 tq_append(&snl, &sudo_nss_file);
- return &snl;
+ debug_return_ptr(&snl);
 }
 # endif /* !HAVE_LDAP || !_PATH_NETSVC_CONF */
 #endif /* HAVE_LDAP && _PATH_NSSWITCH_CONF */
-/* Reset user_groups based on passwd entry. */
-static void
-reset_groups(struct passwd *pw)
-{
-#if defined(HAVE_INITGROUPS) && defined(HAVE_GETGROUPS)
- if (pw != sudo_user.pw) {
-# ifdef HAVE_SETAUTHDB
- aix_setauthdb(pw->pw_name);
-# endif
- if (initgroups(pw->pw_name, pw->pw_gid) == -1)
- log_error(USE_ERRNO|MSG_ONLY, "can't reset group vector");
- efree(user_groups);
- user_groups = NULL;
- if ((user_ngroups = getgroups(0, NULL)) > 0) {
- user_groups = emalloc2(user_ngroups, sizeof(GETGROUPS_T));
- if (getgroups(user_ngroups, user_groups) < 0)
- log_error(USE_ERRNO|MSG_ONLY, "can't get group vector");
- }
-# ifdef HAVE_SETAUTHDB
- aix_restoreauthdb();
-# endif
- }
-#endif
-}
-
 static int
 output(const char *buf)
 {
 struct sudo_conv_message msg;
 struct sudo_conv_reply repl;
+ debug_decl(output, SUDO_DEBUG_NSS)
 /* Call conversation function */
 memset(&msg, 0, sizeof(msg));
@@ -241,8 +256,8 @@ output(const char *buf)
 msg.msg = buf;
 memset(&repl, 0, sizeof(repl));
 if (sudo_conv(1, &msg, &repl) == -1)
- return 0;
- return (int)strlen(buf);
+ debug_return_int(0);
+ debug_return_int(strlen(buf));
 }
 /*
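Review bot: The trailer comments on `# endif /* !HAVE_LDAP || !_PATH_NETSVC_CONF */` and `#endif /* HAVE_LDAP && _PATH_NSSWITCH_CONF */` in the `@@ -191,49 +226,29 @@` hunk are now stale, because the matching `#if` conditions in the `@@ -47,8 +48,11 @@` and `@@ -100,12 +121,12 @@` hunks were widened to `(HAVE_LDAP || HAVE_SSSD)` and the `#else` comment was updated but these two were not. They should read `# endif /* !(HAVE_LDAP || HAVE_SSSD) || !_PATH_NETSVC_CONF */` and `#endif /* (HAVE_LDAP || HAVE_SSSD) && _PATH_NSSWITCH_CONF */`. The fallback sudo_read_nss also fixes a lookup order of sss, then ldap, then files that nothing records; a comment such as `/* No switch file to consult: try SSSD, then LDAP, then the sudoers file. */` above the first `tq_append` would state the intent.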
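Review bot: `debug_return_int(strlen(buf))` in the `@@ -241,8 +256,8 @@` hunk drops the explicit `(int)` cast that the removed `return (int)strlen(buf);` carried, so the `size_t` now narrows to `int` implicitly. Keeping it as `debug_return_int((int)strlen(buf));` leaves the conversion visible and keeps `-Wconversion` quiet. `output` is passed to `lbuf_init` as the write callback, so its `int` return presumably has to be a byte count; that contract is defined outside this diff.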
@@ -254,74 +269,78 @@ display_privs(struct sudo_nss_list *snl, struct passwd *pw)
 {
 struct sudo_nss *nss;
 struct lbuf defs, privs;
- int count, olen;
-
- /* Reset group vector so group matching works correctly. */
- reset_groups(pw);
+ struct stat sb;
+ int cols, count, olen;
+ debug_decl(display_privs, SUDO_DEBUG_NSS)
- lbuf_init(&defs, output, 4, NULL, sudo_user.cols);
- lbuf_init(&privs, output, 4, NULL, sudo_user.cols);
+ cols = sudo_user.cols;
+ if (fstat(STDOUT_FILENO, &sb) == 0 && S_ISFIFO(sb.st_mode))
+ cols = 0;
+ lbuf_init(&defs, output, 4, NULL, cols);
+ lbuf_init(&privs, output, 8, NULL, cols);
 /* Display defaults from all sources. */
- lbuf_append(&defs, "Matching Defaults entries for ", pw->pw_name,
- " on this host:\n", NULL);
+ lbuf_append(&defs, _("Matching Defaults entries for %s on this host:\n"),
+ pw->pw_name);
 count = 0;
 tq_foreach_fwd(snl, nss) {
 count += nss->display_defaults(nss, pw, &defs);
 }
 if (count)
- lbuf_append(&defs, "\n\n", NULL);
+ lbuf_append(&defs, "\n\n");
 else defs.len = 0;
 /* Display Runas and Cmnd-specific defaults from all sources. */
 olen = defs.len;
- lbuf_append(&defs, "Runas and Command-specific defaults for ", pw->pw_name,
- ":\n", NULL);
+ lbuf_append(&defs, _("Runas and Command-specific defaults for %s:\n"),
+ pw->pw_name);
 count = 0;
 tq_foreach_fwd(snl, nss) {
 count += nss->display_bound_defaults(nss, pw, &defs);
 }
 if (count)
- lbuf_append(&defs, "\n\n", NULL);
+ lbuf_append(&defs, "\n\n");
 else defs.len = olen;
 /* Display privileges from all sources. */
- lbuf_append(&privs, "User ", pw->pw_name,
- " may run the following commands on this host:\n", NULL);
+ lbuf_append(&privs,
+ _("User %s may run the following commands on this host:\n"),
+ pw->pw_name);
 count = 0;
 tq_foreach_fwd(snl, nss) {
 count += nss->display_privs(nss, pw, &privs);
 }
- if (count) {
- lbuf_print(&defs);
- lbuf_print(&privs);
- } else {
- printf("User %s is not allowed to run sudo on %s.\n", pw->pw_name,
- user_shost);
+ if (count == 0) {
+ defs.len = 0;
+ privs.len = 0;
+ lbuf_append(&privs, _("User %s is not allowed to run sudo on %s.\n"),
+ pw->pw_name, user_shost);
 }
+ lbuf_print(&defs);
+ lbuf_print(&privs);
 lbuf_destroy(&defs);
 lbuf_destroy(&privs);
+
+ debug_return;
 }
 /*
 * Check user_cmnd against sudoers and print the matching entry if the
 * command is allowed.
- * Returns TRUE if the command is allowed, else FALSE.
+ * Returns true if the command is allowed, else false.
 */
-int
+bool
 display_cmnd(struct sudo_nss_list *snl, struct passwd *pw)
 {
 struct sudo_nss *nss;
-
- /* Reset group vector so group matching works correctly. */
- reset_groups(pw);
+ debug_decl(display_cmnd, SUDO_DEBUG_NSS)
 tq_foreach_fwd(snl, nss) {
 if (nss->display_cmnd(nss, pw) == 0)
- return TRUE;
+ debug_return_bool(true);
 }
- return FALSE;
+ debug_return_bool(false);
 }
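Review bot: The new `fstat(STDOUT_FILENO, &sb)` / `S_ISFIFO` check at the top of display_privs forces `cols = 0` for a pipe but says nothing about why a FIFO is special-cased while other non-tty outputs keep `sudo_user.cols`, nor what 0 means to lbuf; a comment such as `/* Don't line-wrap when stdout is a pipe (e.g. "sudo -l | less"); 0 presumably disables wrapping in lbuf. */` above it would record that, once the meaning of 0 is confirmed against lbuf_init. `display_cmnd` now returns `bool` instead of `int`, so its prototype in the sudoers header has to change as well, which this diff does not show. The `lbuf_append` calls now take translated format strings from `_()` with a fixed argument list, so a catalog entry with a different `%s` count would be a format/argument mismatch at runtime; if `lbuf_append` does not already carry a printf format attribute, it is worth adding so such strings are checked where the compiler can see them.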