summaryrefslogtreecommitdiffstats
path: root/plugins/sudoers/parse.c
diff options
context:
space:
mode:
Diffstat (limited to 'plugins/sudoers/parse.c')
-rw-r--r--plugins/sudoers/parse.c864
1 files changed, 864 insertions, 0 deletions
diff --git a/plugins/sudoers/parse.c b/plugins/sudoers/parse.c
new file mode 100644
index 0000000..fb781f5
--- /dev/null
+++ b/plugins/sudoers/parse.c
@@ -0,0 +1,864 @@
+/*
+ * Copyright (c) 2004-2005, 2007-2018 Todd C. Miller <Todd.Miller@sudo.ws>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * This is an open source non-commercial project. Dear PVS-Studio, please check it.
+ * PVS-Studio Static Code Analyzer for C, C++ and C#: http://www.viva64.com
+ */
+
+#include <config.h>
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <stdio.h>
+#include <stdlib.h>
+#ifdef HAVE_STRING_H
+# include <string.h>
+#endif /* HAVE_STRING_H */
+#ifdef HAVE_STRINGS_H
+# include <strings.h>
+#endif /* HAVE_STRINGS_H */
+#include <unistd.h>
+#include <ctype.h>
+#include <grp.h>
+#include <pwd.h>
+#include <time.h>
+
+#include "sudoers.h"
+#include "sudo_lbuf.h"
+#include <gram.h>
+
+/*
+ * Look up the user in the sudoers prase tree for pseudo-commands like
+ * list, verify and kill.
+ */
+static int
+sudoers_lookup_pseudo(struct sudo_nss_list *snl, struct passwd *pw,
+ int validated, int pwflag)
+{
+ int match;
+ struct sudo_nss *nss;
+ struct cmndspec *cs;
+ struct privilege *priv;
+ struct userspec *us;
+ struct defaults *def;
+ int nopass;
+ enum def_tuple pwcheck;
+ debug_decl(sudoers_lookup_pseudo, SUDOERS_DEBUG_PARSER)
+
+ pwcheck = (pwflag == -1) ? never : sudo_defs_table[pwflag].sd_un.tuple;
+ nopass = (pwcheck == all) ? true : false;
+
+ if (list_pw == NULL)
+ SET(validated, FLAG_NO_CHECK);
+ CLR(validated, FLAG_NO_USER);
+ CLR(validated, FLAG_NO_HOST);
+ match = DENY;
+ TAILQ_FOREACH(nss, snl, entries) {
+ if (nss->query(nss, pw) == -1) {
+ /* The query function should have printed an error message. */
+ SET(validated, VALIDATE_ERROR);
+ break;
+ }
+ TAILQ_FOREACH(us, &nss->parse_tree->userspecs, entries) {
+ if (userlist_matches(nss->parse_tree, pw, &us->users) != ALLOW)
+ continue;
+ TAILQ_FOREACH(priv, &us->privileges, entries) {
+ int priv_nopass = UNSPEC;
+
+ if (hostlist_matches(nss->parse_tree, pw, &priv->hostlist) != ALLOW)
+ continue;
+ TAILQ_FOREACH(def, &priv->defaults, entries) {
+ if (strcmp(def->var, "authenticate") == 0)
+ priv_nopass = !def->op;
+ }
+ TAILQ_FOREACH(cs, &priv->cmndlist, entries) {
+ if (pwcheck == any) {
+ if (cs->tags.nopasswd == true || priv_nopass == true)
+ nopass = true;
+ } else if (pwcheck == all) {
+ if (cs->tags.nopasswd != true && priv_nopass != true)
+ nopass = false;
+ }
+ if (match == ALLOW)
+ continue;
+ /* Only check the command when listing another user. */
+ if (user_uid == 0 || list_pw == NULL ||
+ user_uid == list_pw->pw_uid ||
+ cmnd_matches(nss->parse_tree, cs->cmnd) == ALLOW)
+ match = ALLOW;
+ }
+ }
+ }
+ }
+ if (match == ALLOW || user_uid == 0) {
+ /* User has an entry for this host. */
+ SET(validated, VALIDATE_SUCCESS);
+ } else if (match == DENY)
+ SET(validated, VALIDATE_FAILURE);
+ if (pwcheck == always && def_authenticate)
+ SET(validated, FLAG_CHECK_USER);
+ else if (nopass == true)
+ def_authenticate = false;
+ debug_return_int(validated);
+}
+
+static int
+sudoers_lookup_check(struct sudo_nss *nss, struct passwd *pw,
+ int *validated, struct cmndspec **matching_cs,
+ struct defaults_list **defs, time_t now)
+{
+ int host_match, runas_match, cmnd_match;
+ struct cmndspec *cs;
+ struct privilege *priv;
+ struct userspec *us;
+ struct member *matching_user;
+ debug_decl(sudoers_lookup_check, SUDOERS_DEBUG_PARSER)
+
+ TAILQ_FOREACH_REVERSE(us, &nss->parse_tree->userspecs, userspec_list, entries) {
+ if (userlist_matches(nss->parse_tree, pw, &us->users) != ALLOW)
+ continue;
+ CLR(*validated, FLAG_NO_USER);
+ TAILQ_FOREACH_REVERSE(priv, &us->privileges, privilege_list, entries) {
+ host_match = hostlist_matches(nss->parse_tree, pw, &priv->hostlist);
+ if (host_match == ALLOW)
+ CLR(*validated, FLAG_NO_HOST);
+ else
+ continue;
+ TAILQ_FOREACH_REVERSE(cs, &priv->cmndlist, cmndspec_list, entries) {
+ if (cs->notbefore != UNSPEC) {
+ if (now < cs->notbefore)
+ continue;
+ }
+ if (cs->notafter != UNSPEC) {
+ if (now > cs->notafter)
+ continue;
+ }
+ matching_user = NULL;
+ runas_match = runaslist_matches(nss->parse_tree,
+ cs->runasuserlist, cs->runasgrouplist, &matching_user,
+ NULL);
+ if (runas_match == ALLOW) {
+ cmnd_match = cmnd_matches(nss->parse_tree, cs->cmnd);
+ if (cmnd_match != UNSPEC) {
+ /*
+ * If user is running command as himself,
+ * set runas_pw = sudo_user.pw.
+ * XXX - hack, want more general solution
+ */
+ if (matching_user && matching_user->type == MYSELF) {
+ sudo_pw_delref(runas_pw);
+ sudo_pw_addref(sudo_user.pw);
+ runas_pw = sudo_user.pw;
+ }
+ *matching_cs = cs;
+ *defs = &priv->defaults;
+ debug_return_int(cmnd_match);
+ }
+ }
+ }
+ }
+ }
+ debug_return_int(UNSPEC);
+}
+
+/*
+ * Apply cmndspec-specific settngs including SELinux role/type,
+ * Solaris privs, and command tags.
+ */
+static bool
+apply_cmndspec(struct cmndspec *cs)
+{
+ debug_decl(apply_cmndspec, SUDOERS_DEBUG_PARSER)
+
+ if (cs != NULL) {
+#ifdef HAVE_SELINUX
+ /* Set role and type if not specified on command line. */
+ if (user_role == NULL) {
+ if (cs->role != NULL) {
+ user_role = strdup(cs->role);
+ if (user_role == NULL) {
+ sudo_warnx(U_("%s: %s"), __func__,
+ U_("unable to allocate memory"));
+ debug_return_bool(false);
+ }
+ } else {
+ user_role = def_role;
+ }
+ }
+ if (user_type == NULL) {
+ if (cs->type != NULL) {
+ user_type = strdup(cs->type);
+ if (user_type == NULL) {
+ sudo_warnx(U_("%s: %s"), __func__,
+ U_("unable to allocate memory"));
+ debug_return_bool(false);
+ }
+ } else {
+ user_type = def_type;
+ }
+ }
+#endif /* HAVE_SELINUX */
+#ifdef HAVE_PRIV_SET
+ /* Set Solaris privilege sets */
+ if (runas_privs == NULL) {
+ if (cs->privs != NULL) {
+ runas_privs = strdup(cs->privs);
+ if (runas_privs == NULL) {
+ sudo_warnx(U_("%s: %s"), __func__,
+ U_("unable to allocate memory"));
+ debug_return_bool(false);
+ }
+ } else {
+ runas_privs = def_privs;
+ }
+ }
+ if (runas_limitprivs == NULL) {
+ if (cs->limitprivs != NULL) {
+ runas_limitprivs = strdup(cs->limitprivs);
+ if (runas_limitprivs == NULL) {
+ sudo_warnx(U_("%s: %s"), __func__,
+ U_("unable to allocate memory"));
+ debug_return_bool(false);
+ }
+ } else {
+ runas_limitprivs = def_limitprivs;
+ }
+ }
+#endif /* HAVE_PRIV_SET */
+ if (cs->timeout > 0)
+ def_command_timeout = cs->timeout;
+ if (cs->tags.nopasswd != UNSPEC)
+ def_authenticate = !cs->tags.nopasswd;
+ if (cs->tags.noexec != UNSPEC)
+ def_noexec = cs->tags.noexec;
+ if (cs->tags.setenv != UNSPEC)
+ def_setenv = cs->tags.setenv;
+ if (cs->tags.log_input != UNSPEC)
+ def_log_input = cs->tags.log_input;
+ if (cs->tags.log_output != UNSPEC)
+ def_log_output = cs->tags.log_output;
+ if (cs->tags.send_mail != UNSPEC) {
+ if (cs->tags.send_mail) {
+ def_mail_all_cmnds = true;
+ } else {
+ def_mail_all_cmnds = false;
+ def_mail_always = false;
+ def_mail_no_perms = false;
+ }
+ }
+ if (cs->tags.follow != UNSPEC)
+ def_sudoedit_follow = cs->tags.follow;
+ }
+
+ debug_return_bool(true);
+}
+
+/*
+ * Look up the user in the sudoers prase tree and check to see if they are
+ * allowed to run the specified command on this host as the target user.
+ */
+int
+sudoers_lookup(struct sudo_nss_list *snl, struct passwd *pw, int validated,
+ int pwflag)
+{
+ struct defaults_list *defs = NULL;
+ struct sudoers_parse_tree *parse_tree = NULL;
+ struct cmndspec *cs = NULL;
+ struct sudo_nss *nss;
+ int m, match = UNSPEC;
+ time_t now;
+ debug_decl(sudoers_lookup, SUDOERS_DEBUG_PARSER)
+
+ /*
+ * Special case checking the "validate", "list" and "kill" pseudo-commands.
+ */
+ if (pwflag)
+ debug_return_int(sudoers_lookup_pseudo(snl, pw, validated, pwflag));
+
+ /* Need to be runas user while stat'ing things. */
+ if (!set_perms(PERM_RUNAS))
+ debug_return_int(validated);
+
+ /* Query each sudoers source and check the user. */
+ time(&now);
+ TAILQ_FOREACH(nss, snl, entries) {
+ if (nss->query(nss, pw) == -1) {
+ /* The query function should have printed an error message. */
+ SET(validated, VALIDATE_ERROR);
+ break;
+ }
+
+ m = sudoers_lookup_check(nss, pw, &validated, &cs, &defs, now);
+ if (m != UNSPEC) {
+ match = m;
+ parse_tree = nss->parse_tree;
+ }
+
+ if (!sudo_nss_can_continue(nss, m))
+ break;
+ }
+ if (match != UNSPEC) {
+ if (defs != NULL)
+ update_defaults(parse_tree, defs, SETDEF_GENERIC, false);
+ if (!apply_cmndspec(cs))
+ SET(validated, VALIDATE_ERROR);
+ else if (match == ALLOW)
+ SET(validated, VALIDATE_SUCCESS);
+ else
+ SET(validated, VALIDATE_FAILURE);
+ }
+ if (!restore_perms())
+ SET(validated, VALIDATE_ERROR);
+ debug_return_int(validated);
+}
+
+static int
+display_priv_short(struct sudoers_parse_tree *parse_tree, struct passwd *pw,
+ struct userspec *us, struct sudo_lbuf *lbuf)
+{
+ struct privilege *priv;
+ int nfound = 0;
+ debug_decl(display_priv_short, SUDOERS_DEBUG_PARSER)
+
+ TAILQ_FOREACH(priv, &us->privileges, entries) {
+ struct cmndspec *cs, *prev_cs = NULL;
+ struct cmndtag tags;
+
+ if (hostlist_matches(parse_tree, pw, &priv->hostlist) != ALLOW)
+ continue;
+
+ sudoers_defaults_list_to_tags(&priv->defaults, &tags);
+ TAILQ_FOREACH(cs, &priv->cmndlist, entries) {
+ /* Start a new line if RunAs changes. */
+ if (prev_cs == NULL || RUNAS_CHANGED(cs, prev_cs)) {
+ struct member *m;
+
+ if (cs != TAILQ_FIRST(&priv->cmndlist))
+ sudo_lbuf_append(lbuf, "\n");
+ sudo_lbuf_append(lbuf, " (");
+ if (cs->runasuserlist != NULL) {
+ TAILQ_FOREACH(m, cs->runasuserlist, entries) {
+ if (m != TAILQ_FIRST(cs->runasuserlist))
+ sudo_lbuf_append(lbuf, ", ");
+ sudoers_format_member(lbuf, parse_tree, m, ", ",
+ RUNASALIAS);
+ }
+ } else if (cs->runasgrouplist == NULL) {
+ sudo_lbuf_append(lbuf, "%s", def_runas_default);
+ } else {
+ sudo_lbuf_append(lbuf, "%s", pw->pw_name);
+ }
+ if (cs->runasgrouplist != NULL) {
+ sudo_lbuf_append(lbuf, " : ");
+ TAILQ_FOREACH(m, cs->runasgrouplist, entries) {
+ if (m != TAILQ_FIRST(cs->runasgrouplist))
+ sudo_lbuf_append(lbuf, ", ");
+ sudoers_format_member(lbuf, parse_tree, m, ", ",
+ RUNASALIAS);
+ }
+ }
+ sudo_lbuf_append(lbuf, ") ");
+ } else if (cs != TAILQ_FIRST(&priv->cmndlist)) {
+ sudo_lbuf_append(lbuf, ", ");
+ }
+ sudoers_format_cmndspec(lbuf, parse_tree, cs, prev_cs, tags, true);
+ prev_cs = cs;
+ nfound++;
+ }
+ sudo_lbuf_append(lbuf, "\n");
+ }
+ debug_return_int(nfound);
+}
+
+/*
+ * Compare the current cmndspec with the previous one to determine
+ * whether we need to start a new long entry for "sudo -ll".
+ * Returns true if we should start a new long entry, else false.
+ */
+static bool
+new_long_entry(struct cmndspec *cs, struct cmndspec *prev_cs)
+{
+ debug_decl(new_long_entry, SUDOERS_DEBUG_PARSER)
+
+ if (prev_cs == NULL)
+ debug_return_bool(true);
+ if (RUNAS_CHANGED(cs, prev_cs) || TAGS_CHANGED(prev_cs->tags, cs->tags))
+ debug_return_bool(true);
+#ifdef HAVE_PRIV_SET
+ if (cs->privs && (!prev_cs->privs || strcmp(cs->privs, prev_cs->privs) != 0))
+ debug_return_bool(true);
+ if (cs->limitprivs && (!prev_cs->limitprivs || strcmp(cs->limitprivs, prev_cs->limitprivs) != 0))
+ debug_return_bool(true);
+#endif /* HAVE_PRIV_SET */
+#ifdef HAVE_SELINUX
+ if (cs->role && (!prev_cs->role || strcmp(cs->role, prev_cs->role) != 0))
+ debug_return_bool(true);
+ if (cs->type && (!prev_cs->type || strcmp(cs->type, prev_cs->type) != 0))
+ debug_return_bool(true);
+#endif /* HAVE_SELINUX */
+ if (cs->timeout != prev_cs->timeout)
+ debug_return_bool(true);
+ if (cs->notbefore != prev_cs->notbefore)
+ debug_return_bool(true);
+ if (cs->notafter != prev_cs->notafter)
+ debug_return_bool(true);
+ debug_return_bool(false);
+}
+
+static int
+display_priv_long(struct sudoers_parse_tree *parse_tree, struct passwd *pw,
+ struct userspec *us, struct sudo_lbuf *lbuf)
+{
+ struct privilege *priv;
+ int nfound = 0;
+ debug_decl(display_priv_long, SUDOERS_DEBUG_PARSER)
+
+ TAILQ_FOREACH(priv, &us->privileges, entries) {
+ struct cmndspec *cs, *prev_cs;
+
+ if (hostlist_matches(parse_tree, pw, &priv->hostlist) != ALLOW)
+ continue;
+ prev_cs = NULL;
+ TAILQ_FOREACH(cs, &priv->cmndlist, entries) {
+ struct defaults *d;
+ struct member *m;
+
+ if (new_long_entry(cs, prev_cs)) {
+ int olen;
+
+ if (priv->ldap_role != NULL) {
+ sudo_lbuf_append(lbuf, _("\nLDAP Role: %s\n"),
+ priv->ldap_role);
+ } else {
+ sudo_lbuf_append(lbuf, _("\nSudoers entry:\n"));
+ }
+ sudo_lbuf_append(lbuf, _(" RunAsUsers: "));
+ if (cs->runasuserlist != NULL) {
+ TAILQ_FOREACH(m, cs->runasuserlist, entries) {
+ if (m != TAILQ_FIRST(cs->runasuserlist))
+ sudo_lbuf_append(lbuf, ", ");
+ sudoers_format_member(lbuf, parse_tree, m, ", ",
+ RUNASALIAS);
+ }
+ } else if (cs->runasgrouplist == NULL) {
+ sudo_lbuf_append(lbuf, "%s", def_runas_default);
+ } else {
+ sudo_lbuf_append(lbuf, "%s", pw->pw_name);
+ }
+ sudo_lbuf_append(lbuf, "\n");
+ if (cs->runasgrouplist != NULL) {
+ sudo_lbuf_append(lbuf, _(" RunAsGroups: "));
+ TAILQ_FOREACH(m, cs->runasgrouplist, entries) {
+ if (m != TAILQ_FIRST(cs->runasgrouplist))
+ sudo_lbuf_append(lbuf, ", ");
+ sudoers_format_member(lbuf, parse_tree, m, ", ",
+ RUNASALIAS);
+ }
+ sudo_lbuf_append(lbuf, "\n");
+ }
+ olen = lbuf->len;
+ sudo_lbuf_append(lbuf, _(" Options: "));
+ TAILQ_FOREACH(d, &priv->defaults, entries) {
+ sudoers_format_default(lbuf, d);
+ sudo_lbuf_append(lbuf, ", ");
+ }
+ if (TAG_SET(cs->tags.setenv))
+ sudo_lbuf_append(lbuf, "%ssetenv, ", cs->tags.setenv ? "" : "!");
+ if (TAG_SET(cs->tags.noexec))
+ sudo_lbuf_append(lbuf, "%snoexec, ", cs->tags.noexec ? "" : "!");
+ if (TAG_SET(cs->tags.nopasswd))
+ sudo_lbuf_append(lbuf, "%sauthenticate, ", cs->tags.nopasswd ? "!" : "");
+ if (TAG_SET(cs->tags.log_input))
+ sudo_lbuf_append(lbuf, "%slog_input, ", cs->tags.log_input ? "" : "!");
+ if (TAG_SET(cs->tags.log_output))
+ sudo_lbuf_append(lbuf, "%slog_output, ", cs->tags.log_output ? "" : "!");
+ if (lbuf->buf[lbuf->len - 2] == ',') {
+ lbuf->len -= 2; /* remove trailing ", " */
+ sudo_lbuf_append(lbuf, "\n");
+ } else {
+ lbuf->len = olen; /* no options */
+ }
+#ifdef HAVE_PRIV_SET
+ if (cs->privs)
+ sudo_lbuf_append(lbuf, " Privs: %s\n", cs->privs);
+ if (cs->limitprivs)
+ sudo_lbuf_append(lbuf, " Limitprivs: %s\n", cs->limitprivs);
+#endif /* HAVE_PRIV_SET */
+#ifdef HAVE_SELINUX
+ if (cs->role)
+ sudo_lbuf_append(lbuf, " Role: %s\n", cs->role);
+ if (cs->type)
+ sudo_lbuf_append(lbuf, " Type: %s\n", cs->type);
+#endif /* HAVE_SELINUX */
+ if (cs->timeout > 0) {
+ char numbuf[(((sizeof(int) * 8) + 2) / 3) + 2];
+ snprintf(numbuf, sizeof(numbuf), "%d", cs->timeout);
+ sudo_lbuf_append(lbuf, " Timeout: %s\n", numbuf);
+ }
+ if (cs->notbefore != UNSPEC) {
+ char buf[sizeof("CCYYMMDDHHMMSSZ")];
+ struct tm *tm = gmtime(&cs->notbefore);
+ snprintf(buf, sizeof(buf), "%04d%02d%02d%02d%02d%02dZ",
+ tm->tm_year + 1900, tm->tm_mon + 1, tm->tm_mday,
+ tm->tm_hour, tm->tm_min, tm->tm_sec);
+ sudo_lbuf_append(lbuf, " NotBefore: %s\n", buf);
+ }
+ if (cs->notafter != UNSPEC) {
+ char buf[sizeof("CCYYMMDDHHMMSSZ")];
+ struct tm *tm = gmtime(&cs->notafter);
+ snprintf(buf, sizeof(buf), "%04d%02d%02d%02d%02d%02dZ",
+ tm->tm_year + 1900, tm->tm_mon + 1, tm->tm_mday,
+ tm->tm_hour, tm->tm_min, tm->tm_sec);
+ sudo_lbuf_append(lbuf, " NotAfter: %s\n", buf);
+ }
+ sudo_lbuf_append(lbuf, _(" Commands:\n"));
+ }
+ sudo_lbuf_append(lbuf, "\t");
+ sudoers_format_member(lbuf, parse_tree, cs->cmnd, "\n\t",
+ CMNDALIAS);
+ sudo_lbuf_append(lbuf, "\n");
+ prev_cs = cs;
+ nfound++;
+ }
+ }
+ debug_return_int(nfound);
+}
+
+static int
+sudo_display_userspecs(struct sudoers_parse_tree *parse_tree, struct passwd *pw,
+ struct sudo_lbuf *lbuf, bool verbose)
+{
+ struct userspec *us;
+ int nfound = 0;
+ debug_decl(sudo_display_userspecs, SUDOERS_DEBUG_PARSER)
+
+ TAILQ_FOREACH(us, &parse_tree->userspecs, entries) {
+ if (userlist_matches(parse_tree, pw, &us->users) != ALLOW)
+ continue;
+
+ if (verbose)
+ nfound += display_priv_long(parse_tree, pw, us, lbuf);
+ else
+ nfound += display_priv_short(parse_tree, pw, us, lbuf);
+ }
+ if (sudo_lbuf_error(lbuf))
+ debug_return_int(-1);
+ debug_return_int(nfound);
+}
+
+/*
+ * Display matching Defaults entries for the given user on this host.
+ */
+static int
+display_defaults(struct sudoers_parse_tree *parse_tree, struct passwd *pw,
+ struct sudo_lbuf *lbuf)
+{
+ struct defaults *d;
+ char *prefix;
+ int nfound = 0;
+ debug_decl(display_defaults, SUDOERS_DEBUG_PARSER)
+
+ if (lbuf->len == 0 || isspace((unsigned char)lbuf->buf[lbuf->len - 1]))
+ prefix = " ";
+ else
+ prefix = ", ";
+
+ TAILQ_FOREACH(d, &parse_tree->defaults, entries) {
+ switch (d->type) {
+ case DEFAULTS_HOST:
+ if (hostlist_matches(parse_tree, pw, d->binding) != ALLOW)
+ continue;
+ break;
+ case DEFAULTS_USER:
+ if (userlist_matches(parse_tree, pw, d->binding) != ALLOW)
+ continue;
+ break;
+ case DEFAULTS_RUNAS:
+ case DEFAULTS_CMND:
+ continue;
+ }
+ sudo_lbuf_append(lbuf, "%s", prefix);
+ sudoers_format_default(lbuf, d);
+ prefix = ", ";
+ nfound++;
+ }
+ if (sudo_lbuf_error(lbuf))
+ debug_return_int(-1);
+ debug_return_int(nfound);
+}
+
+/*
+ * Display Defaults entries of the given type.
+ */
+static int
+display_bound_defaults_by_type(struct sudoers_parse_tree *parse_tree,
+ int deftype, struct sudo_lbuf *lbuf)
+{
+ struct defaults *d;
+ struct member_list *binding = NULL;
+ struct member *m;
+ char *dsep;
+ int atype, nfound = 0;
+ debug_decl(display_bound_defaults_by_type, SUDOERS_DEBUG_PARSER)
+
+ switch (deftype) {
+ case DEFAULTS_HOST:
+ atype = HOSTALIAS;
+ dsep = "@";
+ break;
+ case DEFAULTS_USER:
+ atype = USERALIAS;
+ dsep = ":";
+ break;
+ case DEFAULTS_RUNAS:
+ atype = RUNASALIAS;
+ dsep = ">";
+ break;
+ case DEFAULTS_CMND:
+ atype = CMNDALIAS;
+ dsep = "!";
+ break;
+ default:
+ debug_return_int(-1);
+ }
+ TAILQ_FOREACH(d, &parse_tree->defaults, entries) {
+ if (d->type != deftype)
+ continue;
+
+ nfound++;
+ if (binding != d->binding) {
+ binding = d->binding;
+ if (nfound != 1)
+ sudo_lbuf_append(lbuf, "\n");
+ sudo_lbuf_append(lbuf, " Defaults%s", dsep);
+ TAILQ_FOREACH(m, binding, entries) {
+ if (m != TAILQ_FIRST(binding))
+ sudo_lbuf_append(lbuf, ",");
+ sudoers_format_member(lbuf, parse_tree, m, ", ", atype);
+ sudo_lbuf_append(lbuf, " ");
+ }
+ } else
+ sudo_lbuf_append(lbuf, ", ");
+ sudoers_format_default(lbuf, d);
+ }
+
+ if (sudo_lbuf_error(lbuf))
+ debug_return_int(-1);
+ debug_return_int(nfound);
+}
+
+/*
+ * Display Defaults entries that are per-runas or per-command
+ */
+static int
+display_bound_defaults(struct sudoers_parse_tree *parse_tree,
+ struct passwd *pw, struct sudo_lbuf *lbuf)
+{
+ int nfound = 0;
+ debug_decl(display_bound_defaults, SUDOERS_DEBUG_PARSER)
+
+ /* XXX - should only print ones that match what the user can do. */
+ nfound += display_bound_defaults_by_type(parse_tree, DEFAULTS_RUNAS, lbuf);
+ nfound += display_bound_defaults_by_type(parse_tree, DEFAULTS_CMND, lbuf);
+
+ if (sudo_lbuf_error(lbuf))
+ debug_return_int(-1);
+ debug_return_int(nfound);
+}
+
+static int
+output(const char *buf)
+{
+ struct sudo_conv_message msg;
+ struct sudo_conv_reply repl;
+ debug_decl(output, SUDOERS_DEBUG_NSS)
+
+ /* Call conversation function */
+ memset(&msg, 0, sizeof(msg));
+ msg.msg_type = SUDO_CONV_INFO_MSG;
+ msg.msg = buf;
+ memset(&repl, 0, sizeof(repl));
+ if (sudo_conv(1, &msg, &repl, NULL) == -1)
+ debug_return_int(0);
+ debug_return_int(strlen(buf));
+}
+
+/*
+ * Print out privileges for the specified user.
+ * Returns true on success or -1 on error.
+ */
+int
+display_privs(struct sudo_nss_list *snl, struct passwd *pw, bool verbose)
+{
+ struct sudo_nss *nss;
+ struct sudo_lbuf def_buf, priv_buf;
+ struct stat sb;
+ int cols, count, olen, n;
+ debug_decl(display_privs, SUDOERS_DEBUG_PARSER)
+
+ cols = sudo_user.cols;
+ if (fstat(STDOUT_FILENO, &sb) == 0 && S_ISFIFO(sb.st_mode))
+ cols = 0;
+ sudo_lbuf_init(&def_buf, output, 4, NULL, cols);
+ sudo_lbuf_init(&priv_buf, output, 8, NULL, cols);
+
+ sudo_lbuf_append(&def_buf, _("Matching Defaults entries for %s on %s:\n"),
+ pw->pw_name, user_srunhost);
+ count = 0;
+ TAILQ_FOREACH(nss, snl, entries) {
+ n = display_defaults(nss->parse_tree, pw, &def_buf);
+ if (n == -1)
+ goto bad;
+ count += n;
+ }
+ if (count != 0) {
+ sudo_lbuf_append(&def_buf, "\n\n");
+ } else {
+ /* Undo Defaults header. */
+ def_buf.len = 0;
+ }
+
+ /* Display Runas and Cmnd-specific defaults. */
+ olen = def_buf.len;
+ sudo_lbuf_append(&def_buf, _("Runas and Command-specific defaults for %s:\n"),
+ pw->pw_name);
+ count = 0;
+ TAILQ_FOREACH(nss, snl, entries) {
+ n = display_bound_defaults(nss->parse_tree, pw, &def_buf);
+ if (n == -1)
+ goto bad;
+ count += n;
+ }
+ if (count != 0) {
+ sudo_lbuf_append(&def_buf, "\n\n");
+ } else {
+ /* Undo Defaults header. */
+ def_buf.len = olen;
+ }
+
+ /* Display privileges from all sources. */
+ sudo_lbuf_append(&priv_buf,
+ _("User %s may run the following commands on %s:\n"),
+ pw->pw_name, user_srunhost);
+ count = 0;
+ TAILQ_FOREACH(nss, snl, entries) {
+ if (nss->query(nss, pw) != -1) {
+ n = sudo_display_userspecs(nss->parse_tree, pw, &priv_buf, verbose);
+ if (n == -1)
+ goto bad;
+ count += n;
+ }
+ }
+ if (count == 0) {
+ def_buf.len = 0;
+ priv_buf.len = 0;
+ sudo_lbuf_append(&priv_buf,
+ _("User %s is not allowed to run sudo on %s.\n"),
+ pw->pw_name, user_shost);
+ }
+ if (sudo_lbuf_error(&def_buf) || sudo_lbuf_error(&priv_buf))
+ goto bad;
+
+ sudo_lbuf_print(&def_buf);
+ sudo_lbuf_print(&priv_buf);
+
+ sudo_lbuf_destroy(&def_buf);
+ sudo_lbuf_destroy(&priv_buf);
+
+ debug_return_int(true);
+bad:
+ sudo_lbuf_destroy(&def_buf);
+ sudo_lbuf_destroy(&priv_buf);
+
+ debug_return_int(-1);
+}
+
+static int
+display_cmnd_check(struct sudoers_parse_tree *parse_tree, struct passwd *pw,
+ time_t now)
+{
+ int host_match, runas_match, cmnd_match;
+ struct cmndspec *cs;
+ struct privilege *priv;
+ struct userspec *us;
+ debug_decl(display_cmnd_check, SUDOERS_DEBUG_PARSER)
+
+ TAILQ_FOREACH_REVERSE(us, &parse_tree->userspecs, userspec_list, entries) {
+ if (userlist_matches(parse_tree, pw, &us->users) != ALLOW)
+ continue;
+ TAILQ_FOREACH_REVERSE(priv, &us->privileges, privilege_list, entries) {
+ host_match = hostlist_matches(parse_tree, pw, &priv->hostlist);
+ if (host_match != ALLOW)
+ continue;
+ TAILQ_FOREACH_REVERSE(cs, &priv->cmndlist, cmndspec_list, entries) {
+ if (cs->notbefore != UNSPEC) {
+ if (now < cs->notbefore)
+ continue;
+ }
+ if (cs->notafter != UNSPEC) {
+ if (now > cs->notafter)
+ continue;
+ }
+ runas_match = runaslist_matches(parse_tree, cs->runasuserlist,
+ cs->runasgrouplist, NULL, NULL);
+ if (runas_match == ALLOW) {
+ cmnd_match = cmnd_matches(parse_tree, cs->cmnd);
+ if (cmnd_match != UNSPEC)
+ debug_return_int(cmnd_match);
+ }
+ }
+ }
+ }
+ debug_return_int(UNSPEC);
+}
+
+/*
+ * Check user_cmnd against sudoers and print the matching entry if the
+ * command is allowed.
+ * Returns true if the command is allowed, false if not or -1 on error.
+ */
+int
+display_cmnd(struct sudo_nss_list *snl, struct passwd *pw)
+{
+ struct sudo_nss *nss;
+ int m, match = UNSPEC;
+ int ret = false;
+ time_t now;
+ debug_decl(display_cmnd, SUDOERS_DEBUG_PARSER)
+
+ /* Iterate over each source, checking for the command. */
+ time(&now);
+ TAILQ_FOREACH(nss, snl, entries) {
+ if (nss->query(nss, pw) == -1) {
+ /* The query function should have printed an error message. */
+ debug_return_int(-1);
+ }
+
+ m = display_cmnd_check(nss->parse_tree, pw, now);
+ if (m != UNSPEC)
+ match = m;
+
+ if (!sudo_nss_can_continue(nss, m))
+ break;
+ }
+ if (match == ALLOW) {
+ const int len = sudo_printf(SUDO_CONV_INFO_MSG, "%s%s%s\n",
+ safe_cmnd, user_args ? " " : "", user_args ? user_args : "");
+ ret = len < 0 ? -1 : true;
+ }
+ debug_return_int(ret);
+}