diff options
Diffstat (limited to 'plugins/sudoers/visudo.c')
-rw-r--r-- | plugins/sudoers/visudo.c | 1313 |
1 files changed, 1313 insertions, 0 deletions
diff --git a/plugins/sudoers/visudo.c b/plugins/sudoers/visudo.c new file mode 100644 index 0000000..6fd3c83 --- /dev/null +++ b/plugins/sudoers/visudo.c @@ -0,0 +1,1313 @@ +/* + * SPDX-License-Identifier: ISC + * + * Copyright (c) 1996, 1998-2005, 2007-2018 + * Todd C. Miller <Todd.Miller@sudo.ws> + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + * + * Sponsored in part by the Defense Advanced Research Projects + * Agency (DARPA) and Air Force Research Laboratory, Air Force + * Materiel Command, USAF, under agreement number F39502-99-1-0512. + */ + +/* + * This is an open source non-commercial project. Dear PVS-Studio, please check it. + * PVS-Studio Static Code Analyzer for C, C++ and C#: http://www.viva64.com + */ + +/* + * Lock the sudoers file for safe editing (ala vipw) and check for parse errors. + */ + +#ifdef __TANDEM +# include <floss.h> +#endif + +#include <config.h> + +#include <sys/types.h> +#include <sys/stat.h> +#include <sys/uio.h> +#ifndef __TANDEM +# include <sys/file.h> +#endif +#include <sys/wait.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <unistd.h> +#include <stdarg.h> +#include <ctype.h> +#include <pwd.h> +#include <grp.h> +#include <signal.h> +#include <errno.h> +#include <fcntl.h> +#include <time.h> +#include <netinet/in.h> +#include <arpa/inet.h> +#ifdef HAVE_GETOPT_LONG +# include <getopt.h> +# else +# include "compat/getopt.h" +#endif /* HAVE_GETOPT_LONG */ + +#include "sudoers.h" +#include "interfaces.h" +#include "redblack.h" +#include "sudoers_version.h" +#include "sudo_conf.h" +#include <gram.h> + +struct sudoersfile { + TAILQ_ENTRY(sudoersfile) entries; + char *path; + char *tpath; + bool modified; + bool doedit; + int fd; +}; +TAILQ_HEAD(sudoersfile_list, sudoersfile); + +/* + * Function prototypes + */ +static void quit(int); +static int whatnow(void); +static int check_aliases(bool strict, bool quiet); +static char *get_editor(int *editor_argc, char ***editor_argv); +static bool check_syntax(const char *, bool, bool, bool); +static bool edit_sudoers(struct sudoersfile *, char *, int, char **, int); +static bool install_sudoers(struct sudoersfile *, bool); +static int print_unused(struct sudoers_parse_tree *, struct alias *, void *); +static bool reparse_sudoers(char *, int, char **, bool, bool); +static int run_command(char *, char **); +static void parse_sudoers_options(void); +static void setup_signals(void); +static void help(void) __attribute__((__noreturn__)); +static void usage(int); +static void visudo_cleanup(void); + +extern void get_hostname(void); +extern void sudoersrestart(FILE *); + +/* + * Globals + */ +struct sudo_user sudo_user; +struct passwd *list_pw; +static struct sudoersfile_list sudoerslist = TAILQ_HEAD_INITIALIZER(sudoerslist); +static bool checkonly; +static const char short_opts[] = "cf:hqsVx:"; +static struct option long_opts[] = { + { "check", no_argument, NULL, 'c' }, + { "export", required_argument, NULL, 'x' }, + { "file", required_argument, NULL, 'f' }, + { "help", no_argument, NULL, 'h' }, + { "quiet", no_argument, NULL, 'q' }, + { "strict", no_argument, NULL, 's' }, + { "version", no_argument, NULL, 'V' }, + { NULL, no_argument, NULL, '\0' }, +}; + +sudo_dso_public int main(int argc, char *argv[]); + +int +main(int argc, char *argv[]) +{ + struct sudoersfile *sp; + char *editor, **editor_argv; + const char *export_path = NULL; + int ch, oldlocale, editor_argc, exitcode = 0; + bool quiet, strict, fflag; + debug_decl(main, SUDOERS_DEBUG_MAIN); + +#if defined(SUDO_DEVEL) && defined(__OpenBSD__) + { + extern char *malloc_options; + malloc_options = "S"; + } +#endif + + initprogname(argc > 0 ? argv[0] : "visudo"); + if (!sudoers_initlocale(setlocale(LC_ALL, ""), def_sudoers_locale)) + sudo_fatalx(U_("%s: %s"), __func__, U_("unable to allocate memory")); + sudo_warn_set_locale_func(sudoers_warn_setlocale); + bindtextdomain("sudoers", LOCALEDIR); /* XXX - should have visudo domain */ + textdomain("sudoers"); + + if (argc < 1) + usage(1); + + /* Register fatal/fatalx callback. */ + sudo_fatal_callback_register(visudo_cleanup); + + /* Set sudoers locale callback. */ + sudo_defs_table[I_SUDOERS_LOCALE].callback = sudoers_locale_callback; + + /* Read debug and plugin sections of sudo.conf. */ + if (sudo_conf_read(NULL, SUDO_CONF_DEBUG|SUDO_CONF_PLUGINS) == -1) + exit(EXIT_FAILURE); + + /* Initialize the debug subsystem. */ + if (!sudoers_debug_register(getprogname(), sudo_conf_debug_files(getprogname()))) + exit(EXIT_FAILURE); + + /* Parse sudoers plugin options, if any. */ + parse_sudoers_options(); + + /* + * Arg handling. + */ + checkonly = fflag = quiet = strict = false; + while ((ch = getopt_long(argc, argv, short_opts, long_opts, NULL)) != -1) { + switch (ch) { + case 'V': + (void) printf(_("%s version %s\n"), getprogname(), + PACKAGE_VERSION); + (void) printf(_("%s grammar version %d\n"), getprogname(), + SUDOERS_GRAMMAR_VERSION); + goto done; + case 'c': + checkonly = true; /* check mode */ + break; + case 'f': + sudoers_file = optarg; /* sudoers file path */ + fflag = true; + break; + case 'h': + help(); + break; + case 's': + strict = true; /* strict mode */ + break; + case 'q': + quiet = true; /* quiet mode */ + break; + case 'x': + export_path = optarg; + break; + default: + usage(1); + } + } + argc -= optind; + argv += optind; + + /* Check for optional sudoers file argument. */ + switch (argc) { + case 0: + break; + case 1: + /* Only accept sudoers file if no -f was specified. */ + if (!fflag) { + sudoers_file = *argv; + fflag = true; + } + break; + default: + usage(1); + } + + if (export_path != NULL) { + /* Backward compatibility for the time being. */ + sudo_warnx("%s", + U_("the -x option will be removed in a future release")); + sudo_warnx("%s", + U_("please consider using the cvtsudoers utility instead")); + execlp("cvtsudoers", "cvtsudoers", "-f", "json", "-o", export_path, + sudoers_file, (char *)0); + sudo_fatal(U_("unable to execute %s"), "cvtsudoers"); + } + + /* Mock up a fake sudo_user struct. */ + user_cmnd = user_base = ""; + if (geteuid() == 0) { + const char *user = getenv("SUDO_USER"); + if (user != NULL && *user != '\0') + sudo_user.pw = sudo_getpwnam(user); + } + if (sudo_user.pw == NULL) { + if ((sudo_user.pw = sudo_getpwuid(getuid())) == NULL) + sudo_fatalx(U_("you do not exist in the %s database"), "passwd"); + } + get_hostname(); + + /* Setup defaults data structures. */ + if (!init_defaults()) + sudo_fatalx("%s", U_("unable to initialize sudoers default values")); + + if (checkonly) { + exitcode = check_syntax(sudoers_file, quiet, strict, fflag) ? 0 : 1; + goto done; + } + + /* + * Parse the existing sudoers file(s) to highlight any existing + * errors and to pull in editor and env_editor conf values. + */ + if ((sudoersin = open_sudoers(sudoers_file, true, NULL)) == NULL) + exit(EXIT_FAILURE); + init_parser(sudoers_file, quiet, true); + sudoers_setlocale(SUDOERS_LOCALE_SUDOERS, &oldlocale); + (void) sudoersparse(); + (void) update_defaults(&parsed_policy, NULL, + SETDEF_GENERIC|SETDEF_HOST|SETDEF_USER, quiet); + sudoers_setlocale(oldlocale, NULL); + + editor = get_editor(&editor_argc, &editor_argv); + + /* Install signal handlers to clean up temp files if we are killed. */ + setup_signals(); + + /* Edit the sudoers file(s) */ + TAILQ_FOREACH(sp, &sudoerslist, entries) { + if (!sp->doedit) + continue; + if (sp != TAILQ_FIRST(&sudoerslist)) { + printf(_("press return to edit %s: "), sp->path); + while ((ch = getchar()) != EOF && ch != '\n') + continue; + } + edit_sudoers(sp, editor, editor_argc, editor_argv, -1); + } + + /* + * Check edited files for a parse error, re-edit any that fail + * and install the edited files as needed. + */ + if (reparse_sudoers(editor, editor_argc, editor_argv, strict, quiet)) { + TAILQ_FOREACH(sp, &sudoerslist, entries) { + (void) install_sudoers(sp, fflag); + } + } + free(editor); + +done: + sudo_debug_exit_int(__func__, __FILE__, __LINE__, sudo_debug_subsys, exitcode); + exit(exitcode); +} + +static char * +get_editor(int *editor_argc, char ***editor_argv) +{ + char *editor_path = NULL, **allowlist = NULL; + const char *env_editor; + static char *files[] = { "+1", "sudoers" }; + unsigned int allowlist_len = 0; + debug_decl(get_editor, SUDOERS_DEBUG_UTIL); + + /* Build up editor allowlist from def_editor unless env_editor is set. */ + if (!def_env_editor) { + const char *cp, *ep; + const char *def_editor_end = def_editor + strlen(def_editor); + + /* Count number of entries in allowlist and split into a list. */ + for (cp = sudo_strsplit(def_editor, def_editor_end, ":", &ep); + cp != NULL; cp = sudo_strsplit(NULL, def_editor_end, ":", &ep)) { + allowlist_len++; + } + allowlist = reallocarray(NULL, allowlist_len + 1, sizeof(char *)); + if (allowlist == NULL) + sudo_fatalx(U_("%s: %s"), __func__, U_("unable to allocate memory")); + allowlist_len = 0; + for (cp = sudo_strsplit(def_editor, def_editor_end, ":", &ep); + cp != NULL; cp = sudo_strsplit(NULL, def_editor_end, ":", &ep)) { + allowlist[allowlist_len] = strndup(cp, (size_t)(ep - cp)); + if (allowlist[allowlist_len] == NULL) + sudo_fatalx(U_("%s: %s"), __func__, U_("unable to allocate memory")); + allowlist_len++; + } + allowlist[allowlist_len] = NULL; + } + + editor_path = find_editor(2, files, editor_argc, editor_argv, allowlist, + &env_editor, true); + if (editor_path == NULL) { + if (def_env_editor && env_editor != NULL) { + /* We are honoring $EDITOR so this is a fatal error. */ + sudo_fatalx(U_("specified editor (%s) doesn't exist"), env_editor); + } + sudo_fatalx(U_("no editor found (editor path = %s)"), def_editor); + } + + if (allowlist != NULL) { + while (allowlist_len--) + free(allowlist[allowlist_len]); + free(allowlist); + } + + debug_return_str(editor_path); +} + +/* + * List of editors that support the "+lineno" command line syntax. + * If an entry starts with '*' the tail end of the string is matched. + * No other wild cards are supported. + */ +static char *lineno_editors[] = { + "ex", + "nex", + "vi", + "nvi", + "vim", + "elvis", + "*macs", + "mg", + "vile", + "jove", + "pico", + "nano", + "ee", + "joe", + "zile", + NULL +}; + +/* + * Check whether or not the specified editor matched lineno_editors[]. + * Returns true if yes, false if no. + */ +static bool +editor_supports_plus(const char *editor) +{ + const char *editor_base = strrchr(editor, '/'); + const char *cp; + char **av; + debug_decl(editor_supports_plus, SUDOERS_DEBUG_UTIL); + + if (editor_base != NULL) + editor_base++; + else + editor_base = editor; + if (*editor_base == 'r') + editor_base++; + + for (av = lineno_editors; (cp = *av) != NULL; av++) { + /* We only handle a leading '*' wildcard. */ + if (*cp == '*') { + size_t blen = strlen(editor_base); + size_t clen = strlen(++cp); + if (blen >= clen) { + if (strcmp(cp, editor_base + blen - clen) == 0) + break; + } + } else if (strcmp(cp, editor_base) == 0) + break; + } + debug_return_bool(cp != NULL); +} + +/* + * Edit each sudoers file. + * Returns true on success, else false. + */ +static bool +edit_sudoers(struct sudoersfile *sp, char *editor, int editor_argc, + char **editor_argv, int lineno) +{ + int tfd; /* sudoers temp file descriptor */ + bool modified; /* was the file modified? */ + int ac; /* argument count */ + char linestr[64]; /* string version of lineno */ + struct timespec ts, times[2]; /* time before and after edit */ + struct timespec orig_mtim; /* starting mtime of sudoers file */ + off_t orig_size; /* starting size of sudoers file */ + struct stat sb; /* stat buffer */ + bool ret = false; /* return value */ + debug_decl(edit_sudoers, SUDOERS_DEBUG_UTIL); + + if (fstat(sp->fd, &sb) == -1) + sudo_fatal(U_("unable to stat %s"), sp->path); + orig_size = sb.st_size; + mtim_get(&sb, orig_mtim); + + /* Create the temp file if needed and set timestamp. */ + if (sp->tpath == NULL) { + if (asprintf(&sp->tpath, "%s.tmp", sp->path) == -1) + sudo_fatalx(U_("%s: %s"), __func__, U_("unable to allocate memory")); + tfd = open(sp->tpath, O_WRONLY|O_CREAT|O_TRUNC, S_IRWXU|S_IRUSR); + if (tfd < 0) + sudo_fatal("%s", sp->tpath); + + /* Copy sp->path -> sp->tpath and reset the mtime. */ + if (orig_size != 0) { + char buf[4096], lastch = '\0'; + ssize_t nread; + + (void) lseek(sp->fd, (off_t)0, SEEK_SET); + while ((nread = read(sp->fd, buf, sizeof(buf))) > 0) { + if (write(tfd, buf, nread) != nread) + sudo_fatal("%s", U_("write error")); + lastch = buf[nread - 1]; + } + + /* Add missing newline at EOF if needed. */ + if (lastch != '\n') { + lastch = '\n'; + if (write(tfd, &lastch, 1) != 1) + sudo_fatal("%s", U_("write error")); + } + } + (void) close(tfd); + } + times[0].tv_sec = times[1].tv_sec = orig_mtim.tv_sec; + times[0].tv_nsec = times[1].tv_nsec = orig_mtim.tv_nsec; + (void) utimensat(AT_FDCWD, sp->tpath, times, 0); + + /* Disable +lineno if editor doesn't support it. */ + if (lineno > 0 && !editor_supports_plus(editor)) + lineno = -1; + + /* + * The last 3 slots in the editor argv are: "-- +1 sudoers" + * Replace those placeholders with the real values. + */ + ac = editor_argc - 3; + if (lineno > 0) { + (void)snprintf(linestr, sizeof(linestr), "+%d", lineno); + editor_argv[ac++] = linestr; // -V507 + } + editor_argv[ac++] = "--"; + editor_argv[ac++] = sp->tpath; + editor_argv[ac++] = NULL; + + /* + * Do the edit: + * We cannot check the editor's exit value against 0 since + * XPG4 specifies that vi's exit value is a function of the + * number of errors during editing (?!?!). + */ + if (sudo_gettime_real(×[0]) == -1) { + sudo_warn("%s", U_("unable to read the clock")); + goto done; + } + + if (run_command(editor, editor_argv) != -1) { + if (sudo_gettime_real(×[1]) == -1) { + sudo_warn("%s", U_("unable to read the clock")); + goto done; + } + /* + * Check for zero length sudoers file. + */ + if (stat(sp->tpath, &sb) < 0) { + sudo_warnx(U_("unable to stat temporary file (%s), %s unchanged"), + sp->tpath, sp->path); + goto done; + } + if (sb.st_size == 0 && orig_size != 0) { + /* Avoid accidental zeroing of main sudoers file. */ + if (sp == TAILQ_FIRST(&sudoerslist)) { + sudo_warnx(U_("zero length temporary file (%s), %s unchanged"), + sp->tpath, sp->path); + goto done; + } + } + } else { + sudo_warnx(U_("editor (%s) failed, %s unchanged"), editor, sp->path); + goto done; + } + + /* Set modified bit if the user changed the file. */ + modified = true; + mtim_get(&sb, ts); + if (orig_size == sb.st_size && sudo_timespeccmp(&orig_mtim, &ts, ==)) { + /* + * If mtime and size match but the user spent no measurable + * time in the editor we can't tell if the file was changed. + */ + if (sudo_timespeccmp(×[0], ×[1], !=)) + modified = false; + } + + /* + * If modified in this edit session, mark as modified. + */ + if (modified) + sp->modified = modified; + else + sudo_warnx(U_("%s unchanged"), sp->tpath); + + ret = true; +done: + debug_return_bool(ret); +} + +/* + * Check Defaults and Alias entries. + * Sets parse_error on error and errorfile/errorlineno if possible. + */ +static void +check_defaults_and_aliases(bool strict, bool quiet) +{ + debug_decl(check_defaults_and_aliases, SUDOERS_DEBUG_UTIL); + + if (!check_defaults(&parsed_policy, quiet)) { + struct defaults *d; + rcstr_delref(errorfile); + errorfile = NULL; + errorlineno = -1; + /* XXX - should edit all files with errors */ + TAILQ_FOREACH(d, &parsed_policy.defaults, entries) { + if (d->error) { + /* Defaults parse error, set errorfile/errorlineno. */ + errorfile = rcstr_addref(d->file); + errorlineno = d->line; + break; + } + } + parse_error = true; + } + if (check_aliases(strict, quiet) != 0) { + parse_error = true; + } + debug_return; +} + +/* + * Parse sudoers after editing and re-edit any ones that caused a parse error. + */ +static bool +reparse_sudoers(char *editor, int editor_argc, char **editor_argv, + bool strict, bool quiet) +{ + struct sudoersfile *sp, *last; + FILE *fp; + int ch, oldlocale; + debug_decl(reparse_sudoers, SUDOERS_DEBUG_UTIL); + + /* + * Parse the edited sudoers files. + */ + while ((sp = TAILQ_FIRST(&sudoerslist)) != NULL) { + last = TAILQ_LAST(&sudoerslist, sudoersfile_list); + fp = fopen(sp->tpath, "r+"); + if (fp == NULL) + sudo_fatalx(U_("unable to re-open temporary file (%s), %s unchanged."), + sp->tpath, sp->path); + + /* Clean slate for each parse */ + if (!init_defaults()) + sudo_fatalx("%s", U_("unable to initialize sudoers default values")); + init_parser(sp->path, quiet, true); + + /* Parse the sudoers temp file(s) */ + sudoersrestart(fp); + sudoers_setlocale(SUDOERS_LOCALE_SUDOERS, &oldlocale); + if (sudoersparse() && !parse_error) { + sudo_warnx(U_("unable to parse temporary file (%s), unknown error"), + sp->tpath); + parse_error = true; + rcstr_delref(errorfile); + if ((errorfile = rcstr_dup(sp->path)) == NULL) + sudo_fatalx(U_("%s: %s"), __func__, U_("unable to allocate memory")); + } + fclose(sudoersin); + if (!parse_error) { + (void) update_defaults(&parsed_policy, NULL, + SETDEF_GENERIC|SETDEF_HOST|SETDEF_USER, true); + check_defaults_and_aliases(strict, quiet); + } + sudoers_setlocale(oldlocale, NULL); + + /* + * Got an error, prompt the user for what to do now. + */ + if (parse_error) { + switch (whatnow()) { + case 'Q': + parse_error = false; /* ignore parse error */ + break; + case 'x': + visudo_cleanup(); /* discard changes */ + debug_return_bool(false); + case 'e': + default: + /* Edit file with the parse error */ + TAILQ_FOREACH(sp, &sudoerslist, entries) { + if (errorfile == NULL || strcmp(sp->path, errorfile) == 0) { + edit_sudoers(sp, editor, editor_argc, editor_argv, + errorlineno); + if (errorfile != NULL) + break; + } + } + if (errorfile != NULL && sp == NULL) { + sudo_fatalx(U_("internal error, unable to find %s in list!"), + sudoers); + } + break; + } + } + + /* If any new #include directives were added, edit them too. */ + if ((sp = TAILQ_NEXT(last, entries)) != NULL) { + bool modified = false; + do { + printf(_("press return to edit %s: "), sp->path); + while ((ch = getchar()) != EOF && ch != '\n') + continue; + edit_sudoers(sp, editor, editor_argc, editor_argv, -1); + if (sp->modified) + modified = true; + } while ((sp = TAILQ_NEXT(sp, entries)) != NULL); + + /* Reparse sudoers if newly added includes were modified. */ + if (modified) + continue; + } + + /* If all sudoers files parsed OK we are done. */ + if (!parse_error) + break; + } + + debug_return_bool(true); +} + +/* + * Set the owner and mode on a sudoers temp file and + * move it into place. Returns true on success, else false. + */ +static bool +install_sudoers(struct sudoersfile *sp, bool oldperms) +{ + struct stat sb; + bool ret = false; + debug_decl(install_sudoers, SUDOERS_DEBUG_UTIL); + + if (sp->tpath == NULL) + goto done; + + if (!sp->modified) { + /* + * No changes but fix owner/mode if needed. + */ + (void) unlink(sp->tpath); + if (!oldperms && fstat(sp->fd, &sb) != -1) { + if (sb.st_uid != sudoers_uid || sb.st_gid != sudoers_gid) { + if (chown(sp->path, sudoers_uid, sudoers_gid) != 0) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, + "%s: unable to chown %d:%d %s", __func__, + (int)sudoers_uid, (int)sudoers_gid, sp->path); + } + } + if ((sb.st_mode & ACCESSPERMS) != sudoers_mode) { + if (chmod(sp->path, sudoers_mode) != 0) { + sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO, + "%s: unable to chmod 0%o %s", __func__, + (int)sudoers_mode, sp->path); + } + } + } + ret = true; + goto done; + } + + /* + * Change mode and ownership of temp file so when + * we move it to sp->path things are kosher. + */ + if (oldperms) { + /* Use perms of the existing file. */ + if (fstat(sp->fd, &sb) == -1) + sudo_fatal(U_("unable to stat %s"), sp->path); + if (chown(sp->tpath, sb.st_uid, sb.st_gid) != 0) { + sudo_warn(U_("unable to set (uid, gid) of %s to (%u, %u)"), + sp->tpath, (unsigned int)sb.st_uid, (unsigned int)sb.st_gid); + } + if (chmod(sp->tpath, sb.st_mode & ACCESSPERMS) != 0) { + sudo_warn(U_("unable to change mode of %s to 0%o"), sp->tpath, + (unsigned int)(sb.st_mode & ACCESSPERMS)); + } + } else { + if (chown(sp->tpath, sudoers_uid, sudoers_gid) != 0) { + sudo_warn(U_("unable to set (uid, gid) of %s to (%u, %u)"), + sp->tpath, (unsigned int)sudoers_uid, + (unsigned int)sudoers_gid); + goto done; + } + if (chmod(sp->tpath, sudoers_mode) != 0) { + sudo_warn(U_("unable to change mode of %s to 0%o"), sp->tpath, + (unsigned int)sudoers_mode); + goto done; + } + } + + /* + * Now that we know sp->tpath parses correctly, it needs to be + * rename(2)'d to sp->path. If the rename(2) fails we try using + * mv(1) in case sp->tpath and sp->path are on different file systems. + */ + if (rename(sp->tpath, sp->path) == 0) { + free(sp->tpath); + sp->tpath = NULL; + } else { + if (errno == EXDEV) { + char *av[4]; + sudo_warnx(U_("%s and %s not on the same file system, using mv to rename"), + sp->tpath, sp->path); + + /* Build up argument vector for the command */ + if ((av[0] = strrchr(_PATH_MV, '/')) != NULL) + av[0]++; + else + av[0] = _PATH_MV; + av[1] = sp->tpath; + av[2] = sp->path; + av[3] = NULL; + + /* And run it... */ + if (run_command(_PATH_MV, av)) { + sudo_warnx(U_("command failed: '%s %s %s', %s unchanged"), + _PATH_MV, sp->tpath, sp->path, sp->path); + (void) unlink(sp->tpath); + free(sp->tpath); + sp->tpath = NULL; + goto done; + } + free(sp->tpath); + sp->tpath = NULL; + } else { + sudo_warn(U_("error renaming %s, %s unchanged"), sp->tpath, sp->path); + (void) unlink(sp->tpath); + goto done; + } + } + ret = true; +done: + debug_return_bool(ret); +} + +/* + * Assuming a parse error occurred, prompt the user for what they want + * to do now. Returns the first letter of their choice. + */ +static int +whatnow(void) +{ + int choice, c; + debug_decl(whatnow, SUDOERS_DEBUG_UTIL); + + for (;;) { + (void) fputs(_("What now? "), stdout); + choice = getchar(); + for (c = choice; c != '\n' && c != EOF;) + c = getchar(); + + switch (choice) { + case EOF: + choice = 'x'; + FALLTHROUGH; + case 'e': + case 'x': + case 'Q': + debug_return_int(choice); + default: + (void) puts(_("Options are:\n" + " (e)dit sudoers file again\n" + " e(x)it without saving changes to sudoers file\n" + " (Q)uit and save changes to sudoers file (DANGER!)\n")); + } + } +} + +/* + * Install signal handlers for visudo. + */ +static void +setup_signals(void) +{ + struct sigaction sa; + debug_decl(setup_signals, SUDOERS_DEBUG_UTIL); + + /* + * Setup signal handlers to cleanup nicely. + */ + memset(&sa, 0, sizeof(sa)); + sigemptyset(&sa.sa_mask); + sa.sa_flags = SA_RESTART; + sa.sa_handler = quit; + (void) sigaction(SIGTERM, &sa, NULL); + (void) sigaction(SIGHUP, &sa, NULL); + (void) sigaction(SIGINT, &sa, NULL); + (void) sigaction(SIGQUIT, &sa, NULL); + + debug_return; +} + +static int +run_command(char *path, char **argv) +{ + int status; + pid_t pid, rv; + debug_decl(run_command, SUDOERS_DEBUG_UTIL); + + switch (pid = sudo_debug_fork()) { + case -1: + sudo_fatal(U_("unable to execute %s"), path); + break; /* NOTREACHED */ + case 0: + closefrom(STDERR_FILENO + 1); + execv(path, argv); + sudo_warn(U_("unable to run %s"), path); + _exit(127); + break; /* NOTREACHED */ + } + + for (;;) { + rv = waitpid(pid, &status, 0); + if (rv == -1 && errno != EINTR) + break; + if (rv != -1 && !WIFSTOPPED(status)) + break; + } + + if (rv != -1) + rv = WIFEXITED(status) ? WEXITSTATUS(status) : -1; + debug_return_int(rv); +} + +static bool +check_owner(const char *path, bool quiet) +{ + struct stat sb; + bool ok = true; + debug_decl(check_owner, SUDOERS_DEBUG_UTIL); + + if (stat(path, &sb) == 0) { + if (sb.st_uid != sudoers_uid || sb.st_gid != sudoers_gid) { + ok = false; + if (!quiet) { + fprintf(stderr, + _("%s: wrong owner (uid, gid) should be (%u, %u)\n"), + path, (unsigned int)sudoers_uid, (unsigned int)sudoers_gid); + } + } + if ((sb.st_mode & ALLPERMS) != sudoers_mode) { + ok = false; + if (!quiet) { + fprintf(stderr, _("%s: bad permissions, should be mode 0%o\n"), + path, (unsigned int)sudoers_mode); + } + } + } + debug_return_bool(ok); +} + +static bool +check_syntax(const char *file, bool quiet, bool strict, bool oldperms) +{ + bool ok = false; + int oldlocale; + debug_decl(check_syntax, SUDOERS_DEBUG_UTIL); + + if (strcmp(file, "-") == 0) { + sudoersin = stdin; + file = "stdin"; + } else if ((sudoersin = fopen(file, "r")) == NULL) { + if (!quiet) + sudo_warn(U_("unable to open %s"), file); + goto done; + } + if (!init_defaults()) + sudo_fatalx("%s", U_("unable to initialize sudoers default values")); + init_parser(file, quiet, true); + sudoers_setlocale(SUDOERS_LOCALE_SUDOERS, &oldlocale); + if (sudoersparse() && !parse_error) { + if (!quiet) + sudo_warnx(U_("failed to parse %s file, unknown error"), file); + parse_error = true; + rcstr_delref(errorfile); + if ((errorfile = rcstr_dup(file)) == NULL) + sudo_fatalx(U_("%s: %s"), __func__, U_("unable to allocate memory")); + } + if (!parse_error) { + (void) update_defaults(&parsed_policy, NULL, + SETDEF_GENERIC|SETDEF_HOST|SETDEF_USER, true); + check_defaults_and_aliases(strict, quiet); + } + sudoers_setlocale(oldlocale, NULL); + ok = !parse_error; + + if (!parse_error) { + struct sudoersfile *sp; + + /* Parsed OK, check mode and owner. */ + if (oldperms || check_owner(file, quiet)) { + if (!quiet) + (void) printf(_("%s: parsed OK\n"), file); + } else { + ok = false; + } + TAILQ_FOREACH(sp, &sudoerslist, entries) { + if (oldperms || check_owner(sp->path, quiet)) { + if (!quiet) + (void) printf(_("%s: parsed OK\n"), sp->path); + } else { + ok = false; + } + } + } + +done: + debug_return_bool(ok); +} + +static bool +lock_sudoers(struct sudoersfile *entry) +{ + int ch; + debug_decl(lock_sudoers, SUDOERS_DEBUG_UTIL); + + if (!sudo_lock_file(entry->fd, SUDO_TLOCK)) { + if (errno == EAGAIN || errno == EWOULDBLOCK) { + sudo_warnx(U_("%s busy, try again later"), entry->path); + debug_return_bool(false); + } + sudo_warn(U_("unable to lock %s"), entry->path); + (void) fputs(_("Edit anyway? [y/N]"), stdout); + ch = getchar(); + if (tolower(ch) != 'y') + debug_return_bool(false); + } + debug_return_bool(true); +} + +/* + * Open (and lock) a new sudoers file. + * Returns a new struct sudoersfile on success or NULL on failure. + */ +static struct sudoersfile * +new_sudoers(const char *path, bool doedit) +{ + struct sudoersfile *entry; + struct stat sb; + int open_flags; + debug_decl(new_sudoersfile, SUDOERS_DEBUG_UTIL); + + if (checkonly) + open_flags = O_RDONLY; + else + open_flags = O_RDWR | O_CREAT; + + entry = calloc(1, sizeof(*entry)); + if (entry == NULL || (entry->path = strdup(path)) == NULL) + sudo_fatalx(U_("%s: %s"), __func__, U_("unable to allocate memory")); + /* entry->tpath = NULL; */ + /* entry->modified = false; */ + entry->doedit = doedit; + entry->fd = open(entry->path, open_flags, sudoers_mode); + if (entry->fd == -1 || fstat(entry->fd, &sb) == -1) { + sudo_warn("%s", entry->path); + goto bad; + } + if (!S_ISREG(sb.st_mode)) { + sudo_warnx(U_("%s is not a regular file"), entry->path); + goto bad; + } + if (!checkonly && !lock_sudoers(entry)) + goto bad; + debug_return_ptr(entry); +bad: + if (entry->fd != -1) + close(entry->fd); + free(entry); + debug_return_ptr(NULL); +} + +/* + * Used to open (and lock) the initial sudoers file and to also open + * any subsequent files #included via a callback from the parser. + */ +FILE * +open_sudoers(const char *path, bool doedit, bool *keepopen) +{ + struct sudoersfile *entry; + FILE *fp; + debug_decl(open_sudoers, SUDOERS_DEBUG_UTIL); + + /* Check for existing entry */ + TAILQ_FOREACH(entry, &sudoerslist, entries) { + if (strcmp(path, entry->path) == 0) + break; + } + if (entry == NULL) { + if ((entry = new_sudoers(path, doedit)) == NULL) + debug_return_ptr(NULL); + if ((fp = fdopen(entry->fd, "r")) == NULL) + sudo_fatal("%s", entry->path); + TAILQ_INSERT_TAIL(&sudoerslist, entry, entries); + } else { + /* Already exists, open .tmp version if there is one. */ + if (entry->tpath != NULL) { + if ((fp = fopen(entry->tpath, "r")) == NULL) + sudo_fatal("%s", entry->tpath); + } else { + if ((fp = fdopen(entry->fd, "r")) == NULL) + sudo_fatal("%s", entry->path); + rewind(fp); + } + } + if (keepopen != NULL) + *keepopen = true; + debug_return_ptr(fp); +} + +static int +check_alias(char *name, int type, char *file, int line, int column, + bool strict, bool quiet) +{ + struct member *m; + struct alias *a; + int errors = 0; + debug_decl(check_alias, SUDOERS_DEBUG_ALIAS); + + if ((a = alias_get(&parsed_policy, name, type)) != NULL) { + /* check alias contents */ + TAILQ_FOREACH(m, &a->members, entries) { + if (m->type != ALIAS) + continue; + errors += check_alias(m->name, type, a->file, a->line, a->column, + strict, quiet); + } + alias_put(a); + } else { + if (!quiet) { + if (errno == ELOOP) { + fprintf(stderr, strict ? + U_("Error: %s:%d:%d: cycle in %s \"%s\"") : + U_("Warning: %s:%d:%d: cycle in %s \"%s\""), + file, line, column, alias_type_to_string(type), name); + } else { + fprintf(stderr, strict ? + U_("Error: %s:%d:%d: %s \"%s\" referenced but not defined") : + U_("Warning: %s:%d:%d: %s \"%s\" referenced but not defined"), + file, line, column, alias_type_to_string(type), name); + } + fputc('\n', stderr); + if (strict && errorfile == NULL) { + errorfile = rcstr_addref(file); + errorlineno = line; + } + } + errors++; + } + + debug_return_int(errors); +} + +/* + * Iterate through the sudoers datastructures looking for undefined + * aliases or unused aliases. + */ +static int +check_aliases(bool strict, bool quiet) +{ + struct rbtree *used_aliases; + struct cmndspec *cs; + struct member *m; + struct privilege *priv; + struct userspec *us; + int errors = 0; + debug_decl(check_aliases, SUDOERS_DEBUG_ALIAS); + + used_aliases = alloc_aliases(); + if (used_aliases == NULL) { + sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory")); + debug_return_int(-1); + } + + /* Forward check. */ + TAILQ_FOREACH(us, &parsed_policy.userspecs, entries) { + TAILQ_FOREACH(m, &us->users, entries) { + if (m->type == ALIAS) { + errors += check_alias(m->name, USERALIAS, + us->file, us->line, us->column, strict, quiet); + } + } + TAILQ_FOREACH(priv, &us->privileges, entries) { + TAILQ_FOREACH(m, &priv->hostlist, entries) { + if (m->type == ALIAS) { + errors += check_alias(m->name, HOSTALIAS, + us->file, us->line, us->column, strict, quiet); + } + } + TAILQ_FOREACH(cs, &priv->cmndlist, entries) { + if (cs->runasuserlist != NULL) { + TAILQ_FOREACH(m, cs->runasuserlist, entries) { + if (m->type == ALIAS) { + errors += check_alias(m->name, RUNASALIAS, + us->file, us->line, us->column, strict, quiet); + } + } + } + if (cs->runasgrouplist != NULL) { + TAILQ_FOREACH(m, cs->runasgrouplist, entries) { + if (m->type == ALIAS) { + errors += check_alias(m->name, RUNASALIAS, + us->file, us->line, us->column, strict, quiet); + } + } + } + if ((m = cs->cmnd)->type == ALIAS) { + errors += check_alias(m->name, CMNDALIAS, + us->file, us->line, us->column, strict, quiet); + } + } + } + } + + /* Reverse check (destructive) */ + if (!alias_find_used(&parsed_policy, used_aliases)) + errors++; + free_aliases(used_aliases); + + /* If all aliases were referenced we will have an empty tree. */ + if (!no_aliases(&parsed_policy) && !quiet) + alias_apply(&parsed_policy, print_unused, NULL); + + debug_return_int(strict ? errors : 0); +} + +static int +print_unused(struct sudoers_parse_tree *parse_tree, struct alias *a, void *v) +{ + fprintf(stderr, U_("Warning: %s:%d:%d: unused %s \"%s\""), + a->file, a->line, a->column, alias_type_to_string(a->type), a->name); + fputc('\n', stderr); + return 0; +} + +static void +parse_sudoers_options(void) +{ + struct plugin_info_list *plugins; + debug_decl(parse_sudoers_options, SUDOERS_DEBUG_UTIL); + + plugins = sudo_conf_plugins(); + if (plugins) { + struct plugin_info *info; + + TAILQ_FOREACH(info, plugins, entries) { + if (strcmp(info->symbol_name, "sudoers_policy") == 0) + break; + } + if (info != NULL && info->options != NULL) { + char * const *cur; + +#define MATCHES(s, v) \ + (strncmp((s), (v), sizeof(v) - 1) == 0 && (s)[sizeof(v) - 1] != '\0') + + for (cur = info->options; *cur != NULL; cur++) { + const char *errstr, *p; + id_t id; + + if (MATCHES(*cur, "sudoers_file=")) { + sudoers_file = *cur + sizeof("sudoers_file=") - 1; + continue; + } + if (MATCHES(*cur, "sudoers_uid=")) { + p = *cur + sizeof("sudoers_uid=") - 1; + id = sudo_strtoid(p, &errstr); + if (errstr == NULL) + sudoers_uid = (uid_t) id; + continue; + } + if (MATCHES(*cur, "sudoers_gid=")) { + p = *cur + sizeof("sudoers_gid=") - 1; + id = sudo_strtoid(p, &errstr); + if (errstr == NULL) + sudoers_gid = (gid_t) id; + continue; + } + if (MATCHES(*cur, "sudoers_mode=")) { + p = *cur + sizeof("sudoers_mode=") - 1; + id = (id_t) sudo_strtomode(p, &errstr); + if (errstr == NULL) + sudoers_mode = (mode_t) id; + continue; + } + } +#undef MATCHES + } + } + debug_return; +} + +/* + * Unlink any sudoers temp files that remain. + */ +static void +visudo_cleanup(void) +{ + struct sudoersfile *sp; + + TAILQ_FOREACH(sp, &sudoerslist, entries) { + if (sp->tpath != NULL) + (void) unlink(sp->tpath); + } +} + +/* + * Unlink sudoers temp files (if any) and exit. + */ +static void +quit(int signo) +{ + struct sudoersfile *sp; + struct iovec iov[4]; + + TAILQ_FOREACH(sp, &sudoerslist, entries) { + if (sp->tpath != NULL) + (void) unlink(sp->tpath); + } + +#define emsg " exiting due to signal: " + iov[0].iov_base = (char *)getprogname(); + iov[0].iov_len = strlen(iov[0].iov_base); + iov[1].iov_base = emsg; + iov[1].iov_len = sizeof(emsg) - 1; + iov[2].iov_base = strsignal(signo); + iov[2].iov_len = strlen(iov[2].iov_base); + iov[3].iov_base = "\n"; + iov[3].iov_len = 1; + ignore_result(writev(STDERR_FILENO, iov, 4)); + _exit(signo); +} + +static void +usage(int fatal) +{ + (void) fprintf(fatal ? stderr : stdout, + "usage: %s [-chqsV] [[-f] sudoers ]\n", getprogname()); + if (fatal) + exit(EXIT_FAILURE); +} + +static void +help(void) +{ + (void) printf(_("%s - safely edit the sudoers file\n\n"), getprogname()); + usage(0); + (void) puts(_("\nOptions:\n" + " -c, --check check-only mode\n" + " -f, --file=sudoers specify sudoers file location\n" + " -h, --help display help message and exit\n" + " -q, --quiet less verbose (quiet) syntax error messages\n" + " -s, --strict strict syntax checking\n" + " -V, --version display version information and exit\n")); + exit(EXIT_SUCCESS); +} |