summaryrefslogtreecommitdiffstats
path: root/plugins/sudoers/display.c
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-15 13:14:46 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-15 13:14:46 +0000
commit025c439e829e0db9ac511cd9c1b8d5fd53475ead (patch)
treefa6986b4690f991613ffb97cea1f6942427baf5d /plugins/sudoers/display.c
parentInitial commit. (diff)
downloadsudo-025c439e829e0db9ac511cd9c1b8d5fd53475ead.tar.xz
sudo-025c439e829e0db9ac511cd9c1b8d5fd53475ead.zip
Adding upstream version 1.9.15p5.upstream/1.9.15p5upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r--plugins/sudoers/display.c661
1 files changed, 661 insertions, 0 deletions
diff --git a/plugins/sudoers/display.c b/plugins/sudoers/display.c
new file mode 100644
index 0000000..83b4e42
--- /dev/null
+++ b/plugins/sudoers/display.c
@@ -0,0 +1,661 @@
+/*
+ * SPDX-License-Identifier: ISC
+ *
+ * Copyright (c) 2004-2005, 2007-2023 Todd C. Miller <Todd.Miller@sudo.ws>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * This is an open source non-commercial project. Dear PVS-Studio, please check it.
+ * PVS-Studio Static Code Analyzer for C, C++ and C#: http://www.viva64.com
+ */
+
+#include <config.h>
+
+#include <sys/stat.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <ctype.h>
+#include <pwd.h>
+
+#include <sudoers.h>
+#include <sudo_lbuf.h>
+#include <gram.h>
+
+static int
+display_priv_short(const struct sudoers_parse_tree *parse_tree,
+ const struct passwd *pw, const struct userspec *us, struct sudo_lbuf *lbuf)
+{
+ struct privilege *priv;
+ int nfound = 0;
+ debug_decl(display_priv_short, SUDOERS_DEBUG_PARSER);
+
+ TAILQ_FOREACH(priv, &us->privileges, entries) {
+ struct cmndspec *cs;
+ struct cmndtag tags;
+
+ if (hostlist_matches(parse_tree, pw, &priv->hostlist) != ALLOW)
+ continue;
+
+ sudoers_defaults_list_to_tags(&priv->defaults, &tags);
+ TAILQ_FOREACH(cs, &priv->cmndlist, entries) {
+ struct cmndspec *prev_cs = TAILQ_PREV(cs, cmndspec_list, entries);
+
+ if (prev_cs == NULL || RUNAS_CHANGED(cs, prev_cs)) {
+ struct member *m;
+
+ /* Start new line, first entry or RunAs changed. */
+ if (prev_cs != NULL)
+ sudo_lbuf_append(lbuf, "\n");
+ sudo_lbuf_append(lbuf, " (");
+ if (cs->runasuserlist != NULL) {
+ TAILQ_FOREACH(m, cs->runasuserlist, entries) {
+ if (m != TAILQ_FIRST(cs->runasuserlist))
+ sudo_lbuf_append(lbuf, ", ");
+ sudoers_format_member(lbuf, parse_tree, m, ", ",
+ RUNASALIAS);
+ }
+ } else if (cs->runasgrouplist == NULL) {
+ sudo_lbuf_append(lbuf, "%s", def_runas_default);
+ } else {
+ sudo_lbuf_append(lbuf, "%s", pw->pw_name);
+ }
+ if (cs->runasgrouplist != NULL) {
+ sudo_lbuf_append(lbuf, " : ");
+ TAILQ_FOREACH(m, cs->runasgrouplist, entries) {
+ if (m != TAILQ_FIRST(cs->runasgrouplist))
+ sudo_lbuf_append(lbuf, ", ");
+ sudoers_format_member(lbuf, parse_tree, m, ", ",
+ RUNASALIAS);
+ }
+ }
+ sudo_lbuf_append(lbuf, ") ");
+ sudoers_format_cmndspec(lbuf, parse_tree, cs, NULL,
+ tags, true);
+ } else {
+ /* Continue existing line. */
+ sudo_lbuf_append(lbuf, ", ");
+ sudoers_format_cmndspec(lbuf, parse_tree, cs, prev_cs,
+ tags, true);
+ }
+ nfound++;
+ }
+ sudo_lbuf_append(lbuf, "\n");
+ }
+ debug_return_int(nfound);
+}
+
+/*
+ * Compare the current cmndspec with the previous one to determine
+ * whether we need to start a new long entry for "sudo -ll".
+ * Returns true if we should start a new long entry, else false.
+ */
+static bool
+new_long_entry(const struct cmndspec *cs, const struct cmndspec *prev_cs)
+{
+ debug_decl(new_long_entry, SUDOERS_DEBUG_PARSER);
+
+ if (prev_cs == NULL)
+ debug_return_bool(true);
+ if (RUNAS_CHANGED(cs, prev_cs) || TAGS_CHANGED(prev_cs->tags, cs->tags))
+ debug_return_bool(true);
+#ifdef HAVE_PRIV_SET
+ if (cs->privs && (!prev_cs->privs || strcmp(cs->privs, prev_cs->privs) != 0))
+ debug_return_bool(true);
+ if (cs->limitprivs && (!prev_cs->limitprivs || strcmp(cs->limitprivs, prev_cs->limitprivs) != 0))
+ debug_return_bool(true);
+#endif /* HAVE_PRIV_SET */
+#ifdef HAVE_SELINUX
+ if (cs->role && (!prev_cs->role || strcmp(cs->role, prev_cs->role) != 0))
+ debug_return_bool(true);
+ if (cs->type && (!prev_cs->type || strcmp(cs->type, prev_cs->type) != 0))
+ debug_return_bool(true);
+#endif /* HAVE_SELINUX */
+#ifdef HAVE_APPARMOR
+ if (cs->apparmor_profile && (!prev_cs->apparmor_profile || strcmp(cs->apparmor_profile, prev_cs->apparmor_profile) != 0))
+ debug_return_bool(true);
+#endif /* HAVE_APPARMOR */
+ if (cs->runchroot && (!prev_cs->runchroot || strcmp(cs->runchroot, prev_cs->runchroot) != 0))
+ debug_return_bool(true);
+ if (cs->runcwd && (!prev_cs->runcwd || strcmp(cs->runcwd, prev_cs->runcwd) != 0))
+ debug_return_bool(true);
+ if (cs->timeout != prev_cs->timeout)
+ debug_return_bool(true);
+ if (cs->notbefore != prev_cs->notbefore)
+ debug_return_bool(true);
+ if (cs->notafter != prev_cs->notafter)
+ debug_return_bool(true);
+ debug_return_bool(false);
+}
+
+static void
+display_cmndspec_long(const struct sudoers_parse_tree *parse_tree,
+ const struct passwd *pw, const struct userspec *us,
+ const struct privilege *priv, const struct cmndspec *cs,
+ const struct cmndspec *prev_cs, struct sudo_lbuf *lbuf)
+{
+ const struct defaults *d;
+ const struct member *m;
+ debug_decl(display_cmndspec_long, SUDOERS_DEBUG_PARSER);
+
+ if (new_long_entry(cs, prev_cs)) {
+ unsigned int olen;
+
+ if (prev_cs != NULL)
+ sudo_lbuf_append(lbuf, "\n");
+ if (priv->ldap_role != NULL) {
+ sudo_lbuf_append(lbuf, _("LDAP Role: %s\n"),
+ priv->ldap_role);
+ } else {
+ sudo_lbuf_append(lbuf, _("Sudoers entry: %s\n"),
+ us->file);
+ }
+ sudo_lbuf_append(lbuf, "%s", _(" RunAsUsers: "));
+ if (cs->runasuserlist != NULL) {
+ TAILQ_FOREACH(m, cs->runasuserlist, entries) {
+ if (m != TAILQ_FIRST(cs->runasuserlist))
+ sudo_lbuf_append(lbuf, ", ");
+ sudoers_format_member(lbuf, parse_tree, m, ", ",
+ RUNASALIAS);
+ }
+ } else if (cs->runasgrouplist == NULL) {
+ sudo_lbuf_append(lbuf, "%s", def_runas_default);
+ } else {
+ sudo_lbuf_append(lbuf, "%s", pw->pw_name);
+ }
+ sudo_lbuf_append(lbuf, "\n");
+ if (cs->runasgrouplist != NULL) {
+ sudo_lbuf_append(lbuf, "%s", _(" RunAsGroups: "));
+ TAILQ_FOREACH(m, cs->runasgrouplist, entries) {
+ if (m != TAILQ_FIRST(cs->runasgrouplist))
+ sudo_lbuf_append(lbuf, ", ");
+ sudoers_format_member(lbuf, parse_tree, m, ", ",
+ RUNASALIAS);
+ }
+ sudo_lbuf_append(lbuf, "\n");
+ }
+ olen = lbuf->len;
+ sudo_lbuf_append(lbuf, "%s", _(" Options: "));
+ TAILQ_FOREACH(d, &priv->defaults, entries) {
+ sudoers_format_default(lbuf, d);
+ sudo_lbuf_append(lbuf, ", ");
+ }
+ if (TAG_SET(cs->tags.setenv))
+ sudo_lbuf_append(lbuf, "%ssetenv, ", cs->tags.setenv ? "" : "!");
+ if (TAG_SET(cs->tags.noexec))
+ sudo_lbuf_append(lbuf, "%snoexec, ", cs->tags.noexec ? "" : "!");
+ if (TAG_SET(cs->tags.intercept))
+ sudo_lbuf_append(lbuf, "%sintercept, ", cs->tags.intercept ? "" : "!");
+ if (TAG_SET(cs->tags.nopasswd))
+ sudo_lbuf_append(lbuf, "%sauthenticate, ", cs->tags.nopasswd ? "!" : "");
+ if (TAG_SET(cs->tags.log_input))
+ sudo_lbuf_append(lbuf, "%slog_input, ", cs->tags.log_input ? "" : "!");
+ if (TAG_SET(cs->tags.log_output))
+ sudo_lbuf_append(lbuf, "%slog_output, ", cs->tags.log_output ? "" : "!");
+ if (lbuf->buf[lbuf->len - 2] == ',') {
+ lbuf->len -= 2; /* remove trailing ", " */
+ sudo_lbuf_append(lbuf, "\n");
+ } else {
+ lbuf->len = olen; /* no options */
+ }
+#ifdef HAVE_PRIV_SET
+ if (cs->privs)
+ sudo_lbuf_append(lbuf, " Privs: %s\n", cs->privs);
+ if (cs->limitprivs)
+ sudo_lbuf_append(lbuf, " Limitprivs: %s\n", cs->limitprivs);
+#endif /* HAVE_PRIV_SET */
+#ifdef HAVE_SELINUX
+ if (cs->role)
+ sudo_lbuf_append(lbuf, " Role: %s\n", cs->role);
+ if (cs->type)
+ sudo_lbuf_append(lbuf, " Type: %s\n", cs->type);
+#endif /* HAVE_SELINUX */
+ if (cs->runchroot != NULL)
+ sudo_lbuf_append(lbuf, " Chroot: %s\n", cs->runchroot);
+ if (cs->runcwd != NULL)
+ sudo_lbuf_append(lbuf, " Cwd: %s\n", cs->runcwd);
+ if (cs->timeout > 0) {
+ char numbuf[STRLEN_MAX_SIGNED(int) + 1];
+ (void)snprintf(numbuf, sizeof(numbuf), "%d", cs->timeout);
+ sudo_lbuf_append(lbuf, " Timeout: %s\n", numbuf);
+ }
+ if (cs->notbefore != UNSPEC) {
+ char buf[sizeof("CCYYMMDDHHMMSSZ")] = "";
+ struct tm gmt;
+ size_t len;
+ if (gmtime_r(&cs->notbefore, &gmt) != NULL) {
+ len = strftime(buf, sizeof(buf), "%Y%m%d%H%M%SZ", &gmt);
+ if (len != 0 && buf[sizeof(buf) - 1] == '\0')
+ sudo_lbuf_append(lbuf, " NotBefore: %s\n", buf);
+ }
+ }
+ if (cs->notafter != UNSPEC) {
+ char buf[sizeof("CCYYMMDDHHMMSSZ")] = "";
+ struct tm gmt;
+ size_t len;
+ if (gmtime_r(&cs->notafter, &gmt) != NULL) {
+ len = strftime(buf, sizeof(buf), "%Y%m%d%H%M%SZ", &gmt);
+ if (len != 0 && buf[sizeof(buf) - 1] == '\0')
+ sudo_lbuf_append(lbuf, " NotAfter: %s\n", buf);
+ }
+ }
+ sudo_lbuf_append(lbuf, "%s", _(" Commands:\n"));
+ }
+ sudo_lbuf_append(lbuf, "\t");
+ sudoers_format_member(lbuf, parse_tree, cs->cmnd, "\n\t",
+ CMNDALIAS);
+ sudo_lbuf_append(lbuf, "\n");
+
+ debug_return;
+}
+
+static int
+display_priv_long(const struct sudoers_parse_tree *parse_tree,
+ const struct passwd *pw, const struct userspec *us, struct sudo_lbuf *lbuf)
+{
+ const struct privilege *priv;
+ int nfound = 0;
+ debug_decl(display_priv_long, SUDOERS_DEBUG_PARSER);
+
+ TAILQ_FOREACH(priv, &us->privileges, entries) {
+ const struct cmndspec *cs, *prev_cs;
+
+ if (hostlist_matches(parse_tree, pw, &priv->hostlist) != ALLOW)
+ continue;
+ prev_cs = NULL;
+ sudo_lbuf_append(lbuf, "\n");
+ TAILQ_FOREACH(cs, &priv->cmndlist, entries) {
+ display_cmndspec_long(parse_tree, pw, us, priv, cs, prev_cs,
+ lbuf);
+ prev_cs = cs;
+ nfound++;
+ }
+ }
+ debug_return_int(nfound);
+}
+
+static int
+sudo_display_userspecs(struct sudoers_parse_tree *parse_tree,
+ const struct passwd *pw, struct sudo_lbuf *lbuf, bool verbose)
+{
+ const struct userspec *us;
+ int nfound = 0;
+ debug_decl(sudo_display_userspecs, SUDOERS_DEBUG_PARSER);
+
+ TAILQ_FOREACH(us, &parse_tree->userspecs, entries) {
+ if (userlist_matches(parse_tree, pw, &us->users) != ALLOW)
+ continue;
+
+ if (verbose)
+ nfound += display_priv_long(parse_tree, pw, us, lbuf);
+ else
+ nfound += display_priv_short(parse_tree, pw, us, lbuf);
+ }
+ if (sudo_lbuf_error(lbuf))
+ debug_return_int(-1);
+ debug_return_int(nfound);
+}
+
+/*
+ * Display matching Defaults entries for the given user on this host.
+ */
+static int
+display_defaults(const struct sudoers_parse_tree *parse_tree,
+ const struct passwd *pw, struct sudo_lbuf *lbuf)
+{
+ const struct defaults *d;
+ const char *prefix;
+ int nfound = 0;
+ debug_decl(display_defaults, SUDOERS_DEBUG_PARSER);
+
+ if (lbuf->len == 0 || isspace((unsigned char)lbuf->buf[lbuf->len - 1]))
+ prefix = " ";
+ else
+ prefix = ", ";
+
+ TAILQ_FOREACH(d, &parse_tree->defaults, entries) {
+ switch (d->type) {
+ case DEFAULTS_HOST:
+ if (hostlist_matches(parse_tree, pw, &d->binding->members) != ALLOW)
+ continue;
+ break;
+ case DEFAULTS_USER:
+ if (userlist_matches(parse_tree, pw, &d->binding->members) != ALLOW)
+ continue;
+ break;
+ case DEFAULTS_RUNAS:
+ case DEFAULTS_CMND:
+ continue;
+ }
+ sudo_lbuf_append(lbuf, "%s", prefix);
+ sudoers_format_default(lbuf, d);
+ prefix = ", ";
+ nfound++;
+ }
+ if (sudo_lbuf_error(lbuf))
+ debug_return_int(-1);
+ debug_return_int(nfound);
+}
+
+/*
+ * Display Defaults entries of the given type.
+ */
+static int
+display_bound_defaults_by_type(const struct sudoers_parse_tree *parse_tree,
+ int deftype, struct sudo_lbuf *lbuf)
+{
+ const struct defaults *d;
+ const struct defaults_binding *binding = NULL;
+ const struct member *m;
+ const char *dsep;
+ short atype;
+ int nfound = 0;
+ debug_decl(display_bound_defaults_by_type, SUDOERS_DEBUG_PARSER);
+
+ switch (deftype) {
+ case DEFAULTS_HOST:
+ atype = HOSTALIAS;
+ dsep = "@";
+ break;
+ case DEFAULTS_USER:
+ atype = USERALIAS;
+ dsep = ":";
+ break;
+ case DEFAULTS_RUNAS:
+ atype = RUNASALIAS;
+ dsep = ">";
+ break;
+ case DEFAULTS_CMND:
+ atype = CMNDALIAS;
+ dsep = "!";
+ break;
+ default:
+ debug_return_int(-1);
+ }
+ TAILQ_FOREACH(d, &parse_tree->defaults, entries) {
+ if (d->type != deftype)
+ continue;
+
+ nfound++;
+ if (binding != d->binding) {
+ binding = d->binding;
+ if (nfound != 1)
+ sudo_lbuf_append(lbuf, "\n");
+ sudo_lbuf_append(lbuf, " Defaults%s", dsep);
+ TAILQ_FOREACH(m, &binding->members, entries) {
+ if (m != TAILQ_FIRST(&binding->members))
+ sudo_lbuf_append(lbuf, ", ");
+ sudoers_format_member(lbuf, parse_tree, m, ", ", atype);
+ }
+ sudo_lbuf_append(lbuf, " ");
+ } else
+ sudo_lbuf_append(lbuf, ", ");
+ sudoers_format_default(lbuf, d);
+ }
+
+ if (sudo_lbuf_error(lbuf))
+ debug_return_int(-1);
+ debug_return_int(nfound);
+}
+
+/*
+ * Display Defaults entries that are per-runas or per-command
+ */
+static int
+display_bound_defaults(const struct sudoers_parse_tree *parse_tree,
+ const struct passwd *pw, struct sudo_lbuf *lbuf)
+{
+ int nfound = 0;
+ debug_decl(display_bound_defaults, SUDOERS_DEBUG_PARSER);
+
+ /* XXX - should only print ones that match what the user can do. */
+ nfound += display_bound_defaults_by_type(parse_tree, DEFAULTS_RUNAS,
+ lbuf);
+ nfound += display_bound_defaults_by_type(parse_tree, DEFAULTS_CMND,
+ lbuf);
+
+ if (sudo_lbuf_error(lbuf))
+ debug_return_int(-1);
+ debug_return_int(nfound);
+}
+
+static int
+output(const char *buf)
+{
+ struct sudo_conv_message msg;
+ struct sudo_conv_reply repl;
+ debug_decl(output, SUDOERS_DEBUG_NSS);
+
+ /* Call conversation function */
+ memset(&msg, 0, sizeof(msg));
+ msg.msg_type = SUDO_CONV_INFO_MSG;
+ msg.msg = buf;
+ memset(&repl, 0, sizeof(repl));
+ if (sudo_conv(1, &msg, &repl, NULL) == -1)
+ debug_return_int(0);
+ debug_return_int((int)strlen(buf));
+}
+
+/*
+ * Print out privileges for the specified user.
+ * Returns true on success or -1 on error.
+ */
+int
+display_privs(struct sudoers_context *ctx, const struct sudo_nss_list *snl,
+ struct passwd *pw, int verbose)
+{
+ const struct sudo_nss *nss;
+ struct sudo_lbuf def_buf, priv_buf;
+ int cols, count, n;
+ unsigned int olen;
+ struct stat sb;
+ debug_decl(display_privs, SUDOERS_DEBUG_PARSER);
+
+ if (verbose < 0) {
+ /* Nothing to display. */
+ debug_return_int(true);
+ }
+
+ cols = ctx->user.cols;
+ if (fstat(STDOUT_FILENO, &sb) == 0 && S_ISFIFO(sb.st_mode))
+ cols = 0;
+ sudo_lbuf_init(&def_buf, output, 4, NULL, cols);
+ sudo_lbuf_init(&priv_buf, output, 8, NULL, cols);
+
+ sudo_lbuf_append(&def_buf, _("Matching Defaults entries for %s on %s:\n"),
+ pw->pw_name, ctx->runas.shost);
+ count = 0;
+ TAILQ_FOREACH(nss, snl, entries) {
+ n = display_defaults(nss->parse_tree, pw, &def_buf);
+ if (n == -1)
+ goto bad;
+ count += n;
+ }
+ if (count != 0) {
+ sudo_lbuf_append(&def_buf, "\n\n");
+ } else {
+ /* Undo Defaults header. */
+ def_buf.len = 0;
+ }
+
+ /* Display Runas and Cmnd-specific defaults. */
+ olen = def_buf.len;
+ sudo_lbuf_append(&def_buf, _("Runas and Command-specific defaults for %s:\n"),
+ pw->pw_name);
+ count = 0;
+ TAILQ_FOREACH(nss, snl, entries) {
+ n = display_bound_defaults(nss->parse_tree, pw, &def_buf);
+ if (n == -1)
+ goto bad;
+ count += n;
+ }
+ if (count != 0) {
+ sudo_lbuf_append(&def_buf, "\n\n");
+ } else {
+ /* Undo Defaults header. */
+ def_buf.len = olen;
+ }
+
+ /* Display privileges from all sources. */
+ sudo_lbuf_append(&priv_buf,
+ _("User %s may run the following commands on %s:\n"),
+ pw->pw_name, ctx->runas.shost);
+ count = 0;
+ TAILQ_FOREACH(nss, snl, entries) {
+ if (nss->query(ctx, nss, pw) != -1) {
+ n = sudo_display_userspecs(nss->parse_tree, pw, &priv_buf,
+ verbose);
+ if (n == -1)
+ goto bad;
+ count += n;
+ }
+ }
+ if (count == 0) {
+ def_buf.len = 0;
+ priv_buf.len = 0;
+ sudo_lbuf_append(&priv_buf,
+ _("User %s is not allowed to run sudo on %s.\n"),
+ pw->pw_name, ctx->runas.shost);
+ }
+ if (sudo_lbuf_error(&def_buf) || sudo_lbuf_error(&priv_buf))
+ goto bad;
+
+ sudo_lbuf_print(&def_buf);
+ sudo_lbuf_print(&priv_buf);
+
+ sudo_lbuf_destroy(&def_buf);
+ sudo_lbuf_destroy(&priv_buf);
+
+ debug_return_int(true);
+bad:
+ sudo_lbuf_destroy(&def_buf);
+ sudo_lbuf_destroy(&priv_buf);
+
+ debug_return_int(-1);
+}
+
+static int
+display_cmnd_check(struct sudoers_context *ctx,
+ const struct sudoers_parse_tree *parse_tree, const struct passwd *pw,
+ time_t now, struct sudoers_match_info *match_info)
+{
+ int host_match, runas_match, cmnd_match = UNSPEC;
+ char *saved_user_cmnd, *saved_user_base;
+ const struct privilege *priv;
+ const struct userspec *us;
+ const struct cmndspec *cs;
+ debug_decl(display_cmnd_check, SUDOERS_DEBUG_PARSER);
+
+ /*
+ * For "sudo -l command", ctx->user.cmnd is "list" and the actual
+ * command we are checking is in ctx->user.cmnd_list.
+ */
+ saved_user_cmnd = ctx->user.cmnd;
+ saved_user_base = ctx->user.cmnd_base;
+ ctx->user.cmnd = ctx->user.cmnd_list;
+ ctx->user.cmnd_base = sudo_basename(ctx->user.cmnd);
+
+ TAILQ_FOREACH_REVERSE(us, &parse_tree->userspecs, userspec_list, entries) {
+ if (userlist_matches(parse_tree, pw, &us->users) != ALLOW)
+ continue;
+ TAILQ_FOREACH_REVERSE(priv, &us->privileges, privilege_list, entries) {
+ host_match = hostlist_matches(parse_tree, pw, &priv->hostlist);
+ if (host_match != ALLOW)
+ continue;
+ TAILQ_FOREACH_REVERSE(cs, &priv->cmndlist, cmndspec_list, entries) {
+ if (cs->notbefore != UNSPEC) {
+ if (now < cs->notbefore)
+ continue;
+ }
+ if (cs->notafter != UNSPEC) {
+ if (now > cs->notafter)
+ continue;
+ }
+ runas_match = runaslist_matches(parse_tree, cs->runasuserlist,
+ cs->runasgrouplist, NULL, NULL);
+ if (runas_match == ALLOW) {
+ cmnd_match = cmnd_matches(parse_tree, cs->cmnd,
+ cs->runchroot, NULL);
+ if (cmnd_match != UNSPEC) {
+ match_info->parse_tree = parse_tree;
+ match_info->us = us;
+ match_info->priv = priv;
+ match_info->cs = cs;
+ goto done;
+ }
+ }
+ }
+ }
+ }
+done:
+ ctx->user.cmnd = saved_user_cmnd;
+ ctx->user.cmnd_base = saved_user_base;
+ debug_return_int(cmnd_match);
+}
+
+/*
+ * Check ctx->user.cmnd against sudoers and print the matching entry if the
+ * command is allowed.
+ * Returns true if the command is allowed, false if not or -1 on error.
+ */
+int
+display_cmnd(struct sudoers_context *ctx, const struct sudo_nss_list *snl,
+ struct passwd *pw, int verbose)
+{
+ struct sudoers_match_info match_info = { NULL };
+ struct sudo_lbuf lbuf;
+ struct sudo_nss *nss;
+ int m, match = UNSPEC;
+ int ret = false;
+ time_t now;
+ debug_decl(display_cmnd, SUDOERS_DEBUG_PARSER);
+
+ /* Iterate over each source, checking for the command. */
+ time(&now);
+ sudo_lbuf_init(&lbuf, output, 0, NULL, 0);
+ TAILQ_FOREACH(nss, snl, entries) {
+ if (nss->query(ctx, nss, pw) == -1) {
+ /* The query function should have printed an error message. */
+ debug_return_int(-1);
+ }
+
+ m = display_cmnd_check(ctx, nss->parse_tree, pw, now, &match_info);
+ if (m != UNSPEC)
+ match = m;
+
+ if (!sudo_nss_can_continue(nss, m))
+ break;
+ }
+ if (match == ALLOW) {
+ if (verbose < 0) {
+ /* Nothing to display. */
+ debug_return_int(true);
+ }
+ if (verbose) {
+ /* Append matching sudoers rule (long form). */
+ display_cmndspec_long(match_info.parse_tree, pw, match_info.us,
+ match_info.priv, match_info.cs, NULL, &lbuf);
+ sudo_lbuf_append(&lbuf, " Matched: ");
+ }
+ sudo_lbuf_append(&lbuf, "%s%s%s\n", ctx->user.cmnd_list,
+ ctx->user.cmnd_args ? " " : "",
+ ctx->user.cmnd_args ? ctx->user.cmnd_args : "");
+ sudo_lbuf_print(&lbuf);
+ ret = sudo_lbuf_error(&lbuf) ? -1 : true;
+ sudo_lbuf_destroy(&lbuf);
+ }
+ debug_return_int(ret);
+}