Adding upstream version 1.9.15p5.upstream/1.9.15p5upstream

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

1 files changed, 264 insertions, 0 deletions

diff --git a/plugins/sudoers/ldap_innetgr.c b/plugins/sudoers/ldap_innetgr.c
new file mode 100644
index 0000000..2309485
--- /dev/null
+++ b/plugins/sudoers/ldap_innetgr.c
@@ -0,0 +1,264 @@
+/*
+ * SPDX-License-Identifier: ISC
+ *
+ * Copyright (c) 2023 Todd C. Miller <Todd.Miller@sudo.ws>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * This is an open source non-commercial project. Dear PVS-Studio, please check it.
+ * PVS-Studio Static Code Analyzer for C, C++ and C#: http://www.viva64.com
+ */
+
+#include <config.h>
+
+#include <sys/types.h>
+#include <sys/time.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#ifdef HAVE_STRINGS_H
+# include <strings.h>
+#endif /* HAVE_STRINGS_H */
+#include <time.h>
+#include <ctype.h>
+#ifdef HAVE_LBER_H
+# include <lber.h>
+#endif
+#include <ldap.h>
+
+#include <sudoers.h>
+#include <sudo_ldap.h>
+#include <sudo_ldap_conf.h>
+
+/*
+ * Compare str to netgroup string ngstr of length nglen where str is a
+ * NUL-terminated string and ngstr is part of a netgroup triple string.
+ * Uses innetgr(3)-style matching rules.
+ * Returns true if the strings match, else false.
+ */
+static bool
+sudo_ldap_netgroup_match_str(const char *str, const char *ngstr, size_t nglen,
+    bool ignore_case)
+{
+    debug_decl(sudo_ldap_netgroup_match_str, SUDOERS_DEBUG_LDAP);
+
+    /* Skip leading whitespace. */
+    while (isspace((unsigned char)*ngstr) && nglen > 0) {
+	ngstr++;
+	nglen--;
+    }
+    /* Skip trailing whitespace. */
+    while (nglen > 0 && isspace((unsigned char)ngstr[nglen - 1])) {
+	nglen--;
+    }
+
+    sudo_debug_printf(SUDO_DEBUG_DEBUG, "%s: compare \"%s\" to \"%.*s\"",
+	__func__, str ? str : "", (int)nglen, ngstr);
+
+    if (nglen == 0 || str == NULL) {
+	/* An empty string is a wildcard. */
+	debug_return_bool(true);
+    }
+    if (*ngstr == '-' && nglen == 1) {
+	/* '-' means no valid value. */
+	debug_return_bool(false);
+    }
+    if (ignore_case) {
+	if (strncasecmp(str, ngstr, nglen) == 0 && str[nglen] == '\0')
+	    debug_return_bool(true);
+    } else {
+	if (strncmp(str, ngstr, nglen) == 0 && str[nglen] == '\0')
+	    debug_return_bool(true);
+    }
+    debug_return_bool(false);
+}
+
+/*
+ * Match the specified netgroup triple using the given host,
+ * user and domain.  Matching rules as per innetgr(3).
+ * Returns 1 on match, else 0.
+ */
+static int
+sudo_ldap_match_netgroup(const char *triple, const char *host,
+    const char *user, const char *domain)
+{
+    const char *cp, *ep;
+    debug_decl(sudo_ldap_match_netgroup, SUDOERS_DEBUG_LDAP);
+
+    /* Trim leading space, check for opening paren. */
+    while (isspace((unsigned char)*triple))
+	triple++;
+    if (*triple != '(') {
+	sudo_debug_printf(SUDO_DEBUG_ERROR, "%s: invalid triple: %s",
+	    __func__, triple);
+	debug_return_int(0);
+    }
+    sudo_debug_printf(SUDO_DEBUG_INFO, "%s: matching (%s,%s,%s) against %s",
+	__func__, host ? host : "", user ? user : "", domain ? domain : "",
+	triple);
+
+    /* Parse host. */
+    cp = triple + 1;
+    ep = strchr(cp, ',');
+    if (ep == NULL || !sudo_ldap_netgroup_match_str(host, cp, (size_t)(ep - cp), true))
+	debug_return_int(0);
+
+    /* Parse user. */
+    cp = ep + 1;
+    ep = strchr(cp, ',');
+    if (ep == NULL || !sudo_ldap_netgroup_match_str(user, cp, (size_t)(ep - cp), def_case_insensitive_user))
+	debug_return_int(0);
+
+    /* Parse domain. */
+    cp = ep + 1;
+    ep = strchr(cp, ')');
+    if (ep == NULL || !sudo_ldap_netgroup_match_str(domain, cp, (size_t)(ep - cp), true))
+	debug_return_int(0);
+
+    debug_return_int(1);
+}
+
+#define MAX_NETGROUP_DEPTH 128
+struct netgroups_seen {
+    const char *groups[MAX_NETGROUP_DEPTH];
+    size_t len;
+};
+
+static int
+sudo_ldap_innetgr_base(LDAP *ld, const char *base,
+    struct timeval *timeout, const char *netgr, const char *host,
+    const char *user, const char *domain, struct netgroups_seen *seen)
+{
+    char *escaped_netgr = NULL, *filt = NULL;
+    LDAPMessage *entry, *result = NULL;
+    int rc, ret = 0;
+    size_t n;
+    debug_decl(sudo_ldap_innetgr_base, SUDOERS_DEBUG_LDAP);
+
+    /* Cycle detection. */
+    for (n = 0; n < seen->len; n++) {
+	if (strcmp(netgr, seen->groups[n]) == 0) {
+	    DPRINTF1("%s: cycle in netgroups", netgr);
+	    goto done;
+	}
+    }
+    if (seen->len + 1 > MAX_NETGROUP_DEPTH) {
+	DPRINTF1("%s: too many nested netgroups", netgr);
+	goto done;
+    }
+    seen->groups[seen->len++] = netgr;
+
+    /* Escape the netgroup name per RFC 4515. */
+    if ((escaped_netgr = sudo_ldap_value_dup(netgr)) == NULL)
+	goto done;
+
+    /* Build nisNetgroup query. */
+    rc = asprintf(&filt, "(&%s(cn=%s))",
+	ldap_conf.netgroup_search_filter, escaped_netgr);
+    if (rc == -1)
+	goto done;
+    DPRINTF1("ldap netgroup search filter: '%s'", filt);
+
+    /* Perform an LDAP query for nisNetgroup. */
+    DPRINTF1("searching from netgroup_base '%s'", base);
+    rc = ldap_search_ext_s(ld, base, LDAP_SCOPE_SUBTREE, filt,
+	NULL, 0, NULL, NULL, timeout, 0, &result);
+    free(filt);
+    if (rc != LDAP_SUCCESS) {
+	DPRINTF1("ldap netgroup search failed: %s", ldap_err2string(rc));
+	goto done;
+    }
+
+    LDAP_FOREACH(entry, ld, result) {
+	struct berval **bv, **p;
+
+	/* Check all nisNetgroupTriple entries. */
+	bv = ldap_get_values_len(ld, entry, "nisNetgroupTriple");
+	if (bv == NULL) {
+	    const int optrc = ldap_get_option(ld, LDAP_OPT_RESULT_CODE, &rc);
+	    if (optrc != LDAP_OPT_SUCCESS || rc == LDAP_NO_MEMORY)
+		goto done;
+	} else {
+	    for (p = bv; *p != NULL && !ret; p++) {
+		char *val = (*p)->bv_val;
+		if (sudo_ldap_match_netgroup(val, host, user, domain)) {
+		    ret = 1;
+		    break;
+		}
+	    }
+	    ldap_value_free_len(bv);
+	    if (ret == 1)
+		break;
+	}
+
+	/* Handle nested netgroups. */
+	bv = ldap_get_values_len(ld, entry, "memberNisNetgroup");
+	if (bv == NULL) {
+	    const int optrc = ldap_get_option(ld, LDAP_OPT_RESULT_CODE, &rc);
+	    if (optrc != LDAP_OPT_SUCCESS || rc == LDAP_NO_MEMORY)
+		goto done;
+	} else {
+	    for (p = bv; *p != NULL && !ret; p++) {
+		const char *val = (*p)->bv_val;
+		const size_t saved_len = seen->len;
+		ret = sudo_ldap_innetgr_base(ld, base, timeout, val, host,
+		    user, domain, seen);
+		/* Restore seen state to avoid use-after-free. */
+		seen->len = saved_len;
+	    }
+	    ldap_value_free_len(bv);
+	}
+    }
+
+done:
+    ldap_msgfree(result);
+    free(escaped_netgr);
+
+    debug_return_int(ret);
+}
+
+int
+sudo_ldap_innetgr_int(void *v, const char *netgr, const char *host,
+    const char *user, const char *domain)
+{
+    LDAP *ld = v;
+    struct timeval tv, *tvp = NULL;
+    struct ldap_config_str *base;
+    struct netgroups_seen seen;
+    int ret = 0;
+    debug_decl(sudo_ldap_innetgr, SUDOERS_DEBUG_LDAP);
+
+    if (STAILQ_EMPTY(&ldap_conf.netgroup_base)) {
+	/* LDAP netgroups not configured. */
+	debug_return_int(-1);
+    }
+
+    if (ldap_conf.timeout > 0) {
+	tv.tv_sec = ldap_conf.timeout;
+	tv.tv_usec = 0;
+	tvp = &tv;
+    }
+
+    /* Perform an LDAP query for nisNetgroup. */
+    STAILQ_FOREACH(base, &ldap_conf.netgroup_base, entries) {
+	seen.len = 0;
+	ret = sudo_ldap_innetgr_base(ld, base->val, tvp, netgr, host,
+	    user, domain, &seen);
+	if (ret != 0)
+	    break;
+    }
+
+    debug_return_int(ret);
+}