2 * Copyright (c) 2004-2005, 2007-2013 Todd C. Miller <Todd.Miller@courtesan.com>
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15 * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
16 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
21 #include <sys/types.h>
30 #endif /* STDC_HEADERS */
33 #endif /* HAVE_STRING_H */
36 #endif /* HAVE_STRINGS_H */
39 #endif /* HAVE_UNISTD_H */
49 /* Characters that must be quoted in sudoers */
50 #define SUDOERS_QUOTED ":\\,=#\""
52 /* sudoers nsswitch routines */
53 struct sudo_nss sudo_nss_file = {
61 sudo_file_display_cmnd,
62 sudo_file_display_defaults,
63 sudo_file_display_bound_defaults,
64 sudo_file_display_privs
70 extern FILE *sudoersin;
71 extern char *errorfile;
72 extern int errorlineno;
73 extern bool parse_error;
78 static int display_bound_defaults(int dtype, struct lbuf *lbuf);
79 static void print_member(struct lbuf *lbuf, struct member *m, int alias_type);
80 static void print_member2(struct lbuf *lbuf, struct member *m,
81 const char *separator, int alias_type);
84 sudo_file_open(struct sudo_nss *nss)
86 debug_decl(sudo_file_open, SUDO_DEBUG_NSS)
88 if (def_ignore_local_sudoers)
90 nss->handle = open_sudoers(sudoers_file, false, NULL);
91 debug_return_int(nss->handle ? 0 : -1);
95 sudo_file_close(struct sudo_nss *nss)
97 debug_decl(sudo_file_close, SUDO_DEBUG_NSS)
99 /* Free parser data structures and close sudoers file. */
100 init_parser(NULL, false);
101 if (nss->handle != NULL) {
110 * Parse the specified sudoers file.
113 sudo_file_parse(struct sudo_nss *nss)
115 debug_decl(sudo_file_close, SUDO_DEBUG_NSS)
117 if (nss->handle == NULL)
118 debug_return_int(-1);
120 init_parser(sudoers_file, false);
121 sudoersin = nss->handle;
122 if (sudoersparse() != 0 || parse_error) {
123 if (errorlineno != -1) {
124 log_warning(0, N_("parse error in %s near line %d"),
125 errorfile, errorlineno);
127 log_warning(0, N_("parse error in %s"), errorfile);
129 debug_return_int(-1);
135 * Wrapper around update_defaults() for nsswitch code.
138 sudo_file_setdefs(struct sudo_nss *nss)
140 debug_decl(sudo_file_setdefs, SUDO_DEBUG_NSS)
142 if (nss->handle == NULL)
143 debug_return_int(-1);
145 if (!update_defaults(SETDEF_GENERIC|SETDEF_HOST|SETDEF_USER))
146 debug_return_int(-1);
151 * Look up the user in the parsed sudoers file and check to see if they are
152 * allowed to run the specified command on this host as the target user.
155 sudo_file_lookup(struct sudo_nss *nss, int validated, int pwflag)
157 int match, host_match, runas_match, cmnd_match;
159 struct cmndtag *tags = NULL;
160 struct privilege *priv;
162 struct member *matching_user;
163 debug_decl(sudo_file_lookup, SUDO_DEBUG_NSS)
165 if (nss->handle == NULL)
166 debug_return_int(validated);
169 * Only check the actual command if pwflag is not set.
170 * It is set for the "validate", "list" and "kill" pseudo-commands.
171 * Always check the host and user.
175 enum def_tuple pwcheck;
177 pwcheck = (pwflag == -1) ? never : sudo_defs_table[pwflag].sd_un.tuple;
178 nopass = (pwcheck == all) ? true : false;
181 SET(validated, FLAG_NO_CHECK);
182 CLR(validated, FLAG_NO_USER);
183 CLR(validated, FLAG_NO_HOST);
185 tq_foreach_fwd(&userspecs, us) {
186 if (userlist_matches(sudo_user.pw, &us->users) != ALLOW)
188 tq_foreach_fwd(&us->privileges, priv) {
189 if (hostlist_matches(&priv->hostlist) != ALLOW)
191 tq_foreach_fwd(&priv->cmndlist, cs) {
192 /* Only check the command when listing another user. */
193 if (user_uid == 0 || list_pw == NULL ||
194 user_uid == list_pw->pw_uid ||
195 cmnd_matches(cs->cmnd) == ALLOW)
197 if ((pwcheck == any && cs->tags.nopasswd == true) ||
198 (pwcheck == all && cs->tags.nopasswd != true))
199 nopass = cs->tags.nopasswd;
203 if (match == ALLOW || user_uid == 0) {
204 /* User has an entry for this host. */
205 SET(validated, VALIDATE_OK);
206 } else if (match == DENY)
207 SET(validated, VALIDATE_NOT_OK);
208 if (pwcheck == always && def_authenticate)
209 SET(validated, FLAG_CHECK_USER);
210 else if (pwcheck == never || nopass == true)
211 def_authenticate = false;
212 debug_return_int(validated);
215 /* Need to be runas user while stat'ing things. */
216 set_perms(PERM_RUNAS);
219 tq_foreach_rev(&userspecs, us) {
220 if (userlist_matches(sudo_user.pw, &us->users) != ALLOW)
222 CLR(validated, FLAG_NO_USER);
223 tq_foreach_rev(&us->privileges, priv) {
224 host_match = hostlist_matches(&priv->hostlist);
225 if (host_match == ALLOW)
226 CLR(validated, FLAG_NO_HOST);
229 tq_foreach_rev(&priv->cmndlist, cs) {
230 matching_user = NULL;
231 runas_match = runaslist_matches(&cs->runasuserlist,
232 &cs->runasgrouplist, &matching_user, NULL);
233 if (runas_match == ALLOW) {
234 cmnd_match = cmnd_matches(cs->cmnd);
235 if (cmnd_match != UNSPEC) {
239 /* Set role and type if not specified on command line. */
240 if (user_role == NULL)
241 user_role = cs->role ? estrdup(cs->role) : def_role;
242 if (user_type == NULL)
243 user_type = cs->type ? estrdup(cs->type) : def_type;
244 #endif /* HAVE_SELINUX */
246 /* Set Solaris privilege sets */
247 if (runas_privs == NULL)
248 runas_privs = cs->privs ? estrdup(cs->privs) : def_privs;
249 if (runas_limitprivs == NULL)
250 runas_limitprivs = cs->limitprivs ? estrdup(cs->limitprivs) : def_limitprivs;
251 #endif /* HAVE_PRIV_SET */
253 * If user is running command as himself,
254 * set runas_pw = sudo_user.pw.
255 * XXX - hack, want more general solution
257 if (matching_user && matching_user->type == MYSELF) {
258 sudo_pw_delref(runas_pw);
259 sudo_pw_addref(sudo_user.pw);
260 runas_pw = sudo_user.pw;
269 if (match == ALLOW) {
270 SET(validated, VALIDATE_OK);
271 CLR(validated, VALIDATE_NOT_OK);
273 if (tags->nopasswd != UNSPEC)
274 def_authenticate = !tags->nopasswd;
275 if (tags->noexec != UNSPEC)
276 def_noexec = tags->noexec;
277 if (tags->setenv != UNSPEC)
278 def_setenv = tags->setenv;
279 if (tags->log_input != UNSPEC)
280 def_log_input = tags->log_input;
281 if (tags->log_output != UNSPEC)
282 def_log_output = tags->log_output;
284 } else if (match == DENY) {
285 SET(validated, VALIDATE_NOT_OK);
286 CLR(validated, VALIDATE_OK);
287 if (tags != NULL && tags->nopasswd != UNSPEC)
288 def_authenticate = !tags->nopasswd;
291 debug_return_int(validated);
294 #define TAG_SET(tt) \
295 ((tt) != UNSPEC && (tt) != IMPLIED)
297 #define TAG_CHANGED(t) \
298 (TAG_SET(cs->tags.t) && cs->tags.t != tags->t)
301 sudo_file_append_cmnd(struct cmndspec *cs, struct cmndtag *tags,
304 debug_decl(sudo_file_append_cmnd, SUDO_DEBUG_NSS)
308 lbuf_append(lbuf, "PRIVS=\"%s\" ", cs->privs);
310 lbuf_append(lbuf, "LIMITPRIVS=\"%s\" ", cs->limitprivs);
311 #endif /* HAVE_PRIV_SET */
314 lbuf_append(lbuf, "ROLE=%s ", cs->role);
316 lbuf_append(lbuf, "TYPE=%s ", cs->type);
317 #endif /* HAVE_SELINUX */
318 if (TAG_CHANGED(setenv)) {
319 lbuf_append(lbuf, cs->tags.setenv ? "SETENV: " : "NOSETENV: ");
320 tags->setenv = cs->tags.setenv;
322 if (TAG_CHANGED(noexec)) {
323 lbuf_append(lbuf, cs->tags.noexec ? "NOEXEC: " : "EXEC: ");
324 tags->noexec = cs->tags.noexec;
326 if (TAG_CHANGED(nopasswd)) {
327 lbuf_append(lbuf, cs->tags.nopasswd ? "NOPASSWD: " : "PASSWD: ");
328 tags->nopasswd = cs->tags.nopasswd;
330 if (TAG_CHANGED(log_input)) {
331 lbuf_append(lbuf, cs->tags.log_input ? "LOG_INPUT: " : "NOLOG_INPUT: ");
332 tags->log_input = cs->tags.log_input;
334 if (TAG_CHANGED(log_output)) {
335 lbuf_append(lbuf, cs->tags.log_output ? "LOG_OUTPUT: " : "NOLOG_OUTPUT: ");
336 tags->log_output = cs->tags.log_output;
338 print_member(lbuf, cs->cmnd, CMNDALIAS);
342 #define RUNAS_CHANGED(cs1, cs2) \
343 (cs1 == NULL || cs2 == NULL || \
344 cs1->runasuserlist.first != cs2->runasuserlist.first || \
345 cs1->runasuserlist.last != cs2->runasuserlist.last || \
346 cs1->runasgrouplist.first != cs2->runasgrouplist.first || \
347 cs1->runasgrouplist.last != cs2->runasgrouplist.last)
350 sudo_file_display_priv_short(struct passwd *pw, struct userspec *us,
353 struct cmndspec *cs, *prev_cs;
355 struct privilege *priv;
358 debug_decl(sudo_file_display_priv_short, SUDO_DEBUG_NSS)
360 /* gcc -Wuninitialized false positive */
361 tags.noexec = UNSPEC;
362 tags.setenv = UNSPEC;
363 tags.nopasswd = UNSPEC;
364 tags.log_input = UNSPEC;
365 tags.log_output = UNSPEC;
366 tq_foreach_fwd(&us->privileges, priv) {
367 if (hostlist_matches(&priv->hostlist) != ALLOW)
370 tq_foreach_fwd(&priv->cmndlist, cs) {
371 if (RUNAS_CHANGED(cs, prev_cs)) {
372 if (cs != tq_first(&priv->cmndlist))
373 lbuf_append(lbuf, "\n");
374 lbuf_append(lbuf, " (");
375 if (!tq_empty(&cs->runasuserlist)) {
376 tq_foreach_fwd(&cs->runasuserlist, m) {
377 if (m != tq_first(&cs->runasuserlist))
378 lbuf_append(lbuf, ", ");
379 print_member(lbuf, m, RUNASALIAS);
381 } else if (tq_empty(&cs->runasgrouplist)) {
382 lbuf_append(lbuf, "%s", def_runas_default);
384 lbuf_append(lbuf, "%s", pw->pw_name);
386 if (!tq_empty(&cs->runasgrouplist)) {
387 lbuf_append(lbuf, " : ");
388 tq_foreach_fwd(&cs->runasgrouplist, m) {
389 if (m != tq_first(&cs->runasgrouplist))
390 lbuf_append(lbuf, ", ");
391 print_member(lbuf, m, RUNASALIAS);
394 lbuf_append(lbuf, ") ");
395 tags.noexec = UNSPEC;
396 tags.setenv = UNSPEC;
397 tags.nopasswd = UNSPEC;
398 tags.log_input = UNSPEC;
399 tags.log_output = UNSPEC;
400 } else if (cs != tq_first(&priv->cmndlist)) {
401 lbuf_append(lbuf, ", ");
403 sudo_file_append_cmnd(cs, &tags, lbuf);
407 lbuf_append(lbuf, "\n");
409 debug_return_int(nfound);
412 #define TAGS_CHANGED(ot, nt) \
413 ((TAG_SET((nt).setenv) && (nt).setenv != (ot).setenv) || \
414 (TAG_SET((nt).noexec) && (nt).noexec != (ot).noexec) || \
415 (TAG_SET((nt).nopasswd) && (nt).nopasswd != (ot).nopasswd) || \
416 (TAG_SET((nt).log_input) && (nt).log_input != (ot).log_input) || \
417 (TAG_SET((nt).log_output) && (nt).log_output != (ot).log_output))
420 * Compare the current cmndspec with the previous one to determine
421 * whether we need to start a new long entry for "sudo -ll".
422 * Returns true if we should start a new long entry, else false.
425 new_long_entry(struct cmndspec *cs, struct cmndspec *prev_cs)
429 if (RUNAS_CHANGED(cs, prev_cs) || TAGS_CHANGED(cs->tags, prev_cs->tags))
432 if (cs->privs && (!prev_cs->privs || strcmp(cs->privs, prev_cs->privs) != 0))
434 if (cs->limitprivs && (!prev_cs->limitprivs || strcmp(cs->limitprivs, prev_cs->limitprivs) != 0))
436 #endif /* HAVE_PRIV_SET */
438 if (cs->role && (!prev_cs->role || strcmp(cs->role, prev_cs->role) != 0))
440 if (cs->type && (!prev_cs->type || strcmp(cs->type, prev_cs->type) != 0))
442 #endif /* HAVE_SELINUX */
447 sudo_file_display_priv_long(struct passwd *pw, struct userspec *us,
450 struct cmndspec *cs, *prev_cs;
452 struct privilege *priv;
453 int nfound = 0, olen;
454 debug_decl(sudo_file_display_priv_long, SUDO_DEBUG_NSS)
456 tq_foreach_fwd(&us->privileges, priv) {
457 if (hostlist_matches(&priv->hostlist) != ALLOW)
460 tq_foreach_fwd(&priv->cmndlist, cs) {
461 if (new_long_entry(cs, prev_cs)) {
462 lbuf_append(lbuf, _("\nSudoers entry:\n"));
463 lbuf_append(lbuf, _(" RunAsUsers: "));
464 if (!tq_empty(&cs->runasuserlist)) {
465 tq_foreach_fwd(&cs->runasuserlist, m) {
466 if (m != tq_first(&cs->runasuserlist))
467 lbuf_append(lbuf, ", ");
468 print_member(lbuf, m, RUNASALIAS);
470 } else if (tq_empty(&cs->runasgrouplist)) {
471 lbuf_append(lbuf, "%s", def_runas_default);
473 lbuf_append(lbuf, "%s", pw->pw_name);
475 lbuf_append(lbuf, "\n");
476 if (!tq_empty(&cs->runasgrouplist)) {
477 lbuf_append(lbuf, _(" RunAsGroups: "));
478 tq_foreach_fwd(&cs->runasgrouplist, m) {
479 if (m != tq_first(&cs->runasgrouplist))
480 lbuf_append(lbuf, ", ");
481 print_member(lbuf, m, RUNASALIAS);
483 lbuf_append(lbuf, "\n");
486 lbuf_append(lbuf, _(" Options: "));
487 if (TAG_SET(cs->tags.setenv))
488 lbuf_append(lbuf, "%ssetenv, ", cs->tags.setenv ? "" : "!");
489 if (TAG_SET(cs->tags.noexec))
490 lbuf_append(lbuf, "%snoexec, ", cs->tags.noexec ? "" : "!");
491 if (TAG_SET(cs->tags.nopasswd))
492 lbuf_append(lbuf, "%sauthenticate, ", cs->tags.nopasswd ? "!" : "");
493 if (TAG_SET(cs->tags.log_input))
494 lbuf_append(lbuf, "%slog_input, ", cs->tags.log_input ? "" : "!");
495 if (TAG_SET(cs->tags.log_output))
496 lbuf_append(lbuf, "%slog_output, ", cs->tags.log_output ? "" : "!");
497 if (lbuf->buf[lbuf->len - 2] == ',') {
498 lbuf->len -= 2; /* remove trailing ", " */
499 lbuf_append(lbuf, "\n");
501 lbuf->len = olen; /* no options */
505 lbuf_append(lbuf, " Privs: %s\n", cs->privs);
507 lbuf_append(lbuf, " Limitprivs: %s\n", cs->limitprivs);
508 #endif /* HAVE_PRIV_SET */
511 lbuf_append(lbuf, " Role: %s\n", cs->role);
513 lbuf_append(lbuf, " Type: %s\n", cs->type);
514 #endif /* HAVE_SELINUX */
515 lbuf_append(lbuf, _(" Commands:\n"));
517 lbuf_append(lbuf, "\t");
518 print_member2(lbuf, cs->cmnd, "\n\t", CMNDALIAS);
519 lbuf_append(lbuf, "\n");
524 debug_return_int(nfound);
528 sudo_file_display_privs(struct sudo_nss *nss, struct passwd *pw,
533 debug_decl(sudo_file_display_priv, SUDO_DEBUG_NSS)
535 if (nss->handle == NULL)
538 tq_foreach_fwd(&userspecs, us) {
539 if (userlist_matches(pw, &us->users) != ALLOW)
543 nfound += sudo_file_display_priv_long(pw, us, lbuf);
545 nfound += sudo_file_display_priv_short(pw, us, lbuf);
548 debug_return_int(nfound);
552 * Display matching Defaults entries for the given user on this host.
555 sudo_file_display_defaults(struct sudo_nss *nss, struct passwd *pw,
561 debug_decl(sudo_file_display_defaults, SUDO_DEBUG_NSS)
563 if (nss->handle == NULL)
566 if (lbuf->len == 0 || isspace((unsigned char)lbuf->buf[lbuf->len - 1]))
571 tq_foreach_fwd(&defaults, d) {
574 if (hostlist_matches(&d->binding) != ALLOW)
578 if (userlist_matches(pw, &d->binding) != ALLOW)
585 if (d->val != NULL) {
586 lbuf_append(lbuf, "%s%s%s", prefix, d->var,
587 d->op == '+' ? "+=" : d->op == '-' ? "-=" : "=");
588 if (strpbrk(d->val, " \t") != NULL) {
589 lbuf_append(lbuf, "\"");
590 lbuf_append_quoted(lbuf, "\"", "%s", d->val);
591 lbuf_append(lbuf, "\"");
593 lbuf_append_quoted(lbuf, SUDOERS_QUOTED, "%s", d->val);
595 lbuf_append(lbuf, "%s%s%s", prefix,
596 d->op == false ? "!" : "", d->var);
601 debug_return_int(nfound);
605 * Display Defaults entries that are per-runas or per-command
608 sudo_file_display_bound_defaults(struct sudo_nss *nss, struct passwd *pw,
612 debug_decl(sudo_file_display_bound_defaults, SUDO_DEBUG_NSS)
614 /* XXX - should only print ones that match what the user can do. */
615 nfound += display_bound_defaults(DEFAULTS_RUNAS, lbuf);
616 nfound += display_bound_defaults(DEFAULTS_CMND, lbuf);
618 debug_return_int(nfound);
622 * Display Defaults entries of the given type.
625 display_bound_defaults(int dtype, struct lbuf *lbuf)
628 struct member *m, *binding = NULL;
630 int atype, nfound = 0;
631 debug_decl(display_bound_defaults, SUDO_DEBUG_NSS)
651 debug_return_int(-1);
653 tq_foreach_fwd(&defaults, d) {
654 if (d->type != dtype)
658 if (binding != tq_first(&d->binding)) {
659 binding = tq_first(&d->binding);
661 lbuf_append(lbuf, "\n");
662 lbuf_append(lbuf, " Defaults%s", dsep);
663 for (m = binding; m != NULL; m = m->next) {
665 lbuf_append(lbuf, ",");
666 print_member(lbuf, m, atype);
667 lbuf_append(lbuf, " ");
670 lbuf_append(lbuf, ", ");
671 if (d->val != NULL) {
672 lbuf_append(lbuf, "%s%s%s", d->var, d->op == '+' ? "+=" :
673 d->op == '-' ? "-=" : "=", d->val);
675 lbuf_append(lbuf, "%s%s", d->op == false ? "!" : "", d->var);
678 debug_return_int(nfound);
682 sudo_file_display_cmnd(struct sudo_nss *nss, struct passwd *pw)
685 struct member *match;
686 struct privilege *priv;
689 int host_match, runas_match, cmnd_match;
690 debug_decl(sudo_file_display_cmnd, SUDO_DEBUG_NSS)
692 if (nss->handle == NULL)
696 tq_foreach_rev(&userspecs, us) {
697 if (userlist_matches(pw, &us->users) != ALLOW)
700 tq_foreach_rev(&us->privileges, priv) {
701 host_match = hostlist_matches(&priv->hostlist);
702 if (host_match != ALLOW)
704 tq_foreach_rev(&priv->cmndlist, cs) {
705 runas_match = runaslist_matches(&cs->runasuserlist,
706 &cs->runasgrouplist, NULL, NULL);
707 if (runas_match == ALLOW) {
708 cmnd_match = cmnd_matches(cs->cmnd);
709 if (cmnd_match != UNSPEC) {
710 match = host_match && runas_match ? cs->cmnd : NULL;
718 if (match != NULL && !match->negated) {
719 sudo_printf(SUDO_CONV_INFO_MSG, "%s%s%s\n",
720 safe_cmnd, user_args ? " " : "", user_args ? user_args : "");
724 debug_return_int(rval);
728 * Print the contents of a struct member to stdout
731 _print_member(struct lbuf *lbuf, char *name, int type, int negated,
732 const char *separator, int alias_type)
736 struct sudo_command *c;
737 debug_decl(_print_member, SUDO_DEBUG_NSS)
741 lbuf_append(lbuf, "%sALL", negated ? "!" : "");
744 lbuf_append(lbuf, "%s%s", negated ? "!" : "", user_name);
747 c = (struct sudo_command *) name;
749 lbuf_append(lbuf, "!");
750 lbuf_append_quoted(lbuf, SUDOERS_QUOTED, "%s", c->cmnd);
752 lbuf_append(lbuf, " ");
753 lbuf_append_quoted(lbuf, SUDOERS_QUOTED, "%s", c->args);
757 if ((a = alias_get(name, alias_type)) != NULL) {
758 tq_foreach_fwd(&a->members, m) {
759 if (m != tq_first(&a->members))
760 lbuf_append(lbuf, "%s", separator);
761 _print_member(lbuf, m->name, m->type,
762 negated ? !m->negated : m->negated, separator,
770 lbuf_append(lbuf, "%s%s", negated ? "!" : "", name);
777 print_member(struct lbuf *lbuf, struct member *m, int alias_type)
779 _print_member(lbuf, m->name, m->type, m->negated, ", ", alias_type);
783 print_member2(struct lbuf *lbuf, struct member *m, const char *separator,
786 _print_member(lbuf, m->name, m->type, m->negated, separator, alias_type);