summaryrefslogtreecommitdiffstats
path: root/plugins/sudoers/pwutil.c
diff options
context:
space:
mode:
Diffstat (limited to 'plugins/sudoers/pwutil.c')
-rw-r--r--plugins/sudoers/pwutil.c1224
1 files changed, 1224 insertions, 0 deletions
diff --git a/plugins/sudoers/pwutil.c b/plugins/sudoers/pwutil.c
new file mode 100644
index 0000000..79033a6
--- /dev/null
+++ b/plugins/sudoers/pwutil.c
@@ -0,0 +1,1224 @@
+/*
+ * SPDX-License-Identifier: ISC
+ *
+ * Copyright (c) 1996, 1998-2005, 2007-2018
+ * Todd C. Miller <Todd.Miller@sudo.ws>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
+ * Sponsored in part by the Defense Advanced Research Projects
+ * Agency (DARPA) and Air Force Research Laboratory, Air Force
+ * Materiel Command, USAF, under agreement number F39502-99-1-0512.
+ */
+
+/*
+ * This is an open source non-commercial project. Dear PVS-Studio, please check it.
+ * PVS-Studio Static Code Analyzer for C, C++ and C#: http://www.viva64.com
+ */
+
+#include <config.h>
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#ifdef HAVE_STRINGS_H
+# include <strings.h> /* strcasecmp */
+#endif
+#ifdef HAVE_SETAUTHDB
+# include <usersec.h>
+#endif /* HAVE_SETAUTHDB */
+#include <errno.h>
+#include <pwd.h>
+#include <grp.h>
+
+#include <sudoers.h>
+#include <redblack.h>
+#include <pwutil.h>
+
+/*
+ * The passwd and group caches.
+ */
+static struct rbtree *pwcache_byuid, *pwcache_byname;
+static struct rbtree *grcache_bygid, *grcache_byname;
+static struct rbtree *gidlist_cache, *grlist_cache;
+
+static int cmp_pwuid(const void *, const void *);
+static int cmp_pwnam(const void *, const void *);
+static int cmp_grgid(const void *, const void *);
+
+static int max_groups;
+
+/*
+ * Default functions for building cache items.
+ */
+static sudo_make_pwitem_t make_pwitem = sudo_make_pwitem;
+static sudo_make_gritem_t make_gritem = sudo_make_gritem;
+static sudo_make_gidlist_item_t make_gidlist_item = sudo_make_gidlist_item;
+static sudo_make_grlist_item_t make_grlist_item = sudo_make_grlist_item;
+static sudo_valid_shell_t valid_shell = sudo_valid_shell;
+
+#define cmp_grnam cmp_pwnam
+
+/*
+ * AIX has the concept of authentication registries (files, NIS, LDAP, etc).
+ * This allows you to have separate ID <-> name mappings based on which
+ * authentication registries the user was looked up in.
+ * We store the registry as part of the key and use it when matching.
+ */
+#ifdef HAVE_SETAUTHDB
+# define getauthregistry(u, r) aix_getauthregistry((u), (r))
+#else
+# define getauthregistry(u, r) ((r)[0] = '\0')
+#endif
+
+/*
+ * Change the default pwutil backend functions.
+ * The default functions query the password and group databases.
+ */
+void
+sudo_pwutil_set_backend(sudo_make_pwitem_t pwitem, sudo_make_gritem_t gritem,
+ sudo_make_gidlist_item_t gidlist_item, sudo_make_grlist_item_t grlist_item,
+ sudo_valid_shell_t check_shell)
+{
+ debug_decl(sudo_pwutil_set_backend, SUDOERS_DEBUG_NSS);
+
+ if (pwitem != NULL)
+ make_pwitem = pwitem;
+ if (gritem != NULL)
+ make_gritem = gritem;
+ if (gidlist_item != NULL)
+ make_gidlist_item = gidlist_item;
+ if (grlist_item != NULL)
+ make_grlist_item = grlist_item;
+ if (check_shell != NULL)
+ valid_shell = check_shell;
+
+ debug_return;
+}
+
+/* Get the max number of user groups if set, or 0 if not set. */
+int
+sudo_pwutil_get_max_groups(void)
+{
+ return max_groups;
+}
+
+/* Set the max number of user groups (negative values ignored). */
+void
+sudo_pwutil_set_max_groups(int n)
+{
+ max_groups = n > 0 ? n : 0;
+}
+
+/*
+ * Compare by user-ID.
+ * v1 is the key to find or data to insert, v2 is in-tree data.
+ */
+static int
+cmp_pwuid(const void *v1, const void *v2)
+{
+ const struct cache_item *ci1 = (const struct cache_item *) v1;
+ const struct cache_item *ci2 = (const struct cache_item *) v2;
+ if (ci1->k.uid == ci2->k.uid)
+ return strcmp(ci1->registry, ci2->registry);
+ if (ci1->k.uid < ci2->k.uid)
+ return -1;
+ return 1;
+}
+
+/*
+ * Compare by user/group name.
+ * v1 is the key to find or data to insert, v2 is in-tree data.
+ */
+static int
+cmp_pwnam(const void *v1, const void *v2)
+{
+ const struct cache_item *ci1 = (const struct cache_item *) v1;
+ const struct cache_item *ci2 = (const struct cache_item *) v2;
+ int ret = strcmp(ci1->k.name, ci2->k.name);
+ if (ret == 0)
+ ret = strcmp(ci1->registry, ci2->registry);
+ return ret;
+}
+
+/*
+ * Compare by user name, taking into account the source type.
+ * Need to differentiate between group-IDs received from the front-end
+ * (via getgroups()) and groups IDs queried from the group database.
+ * v1 is the key to find or data to insert, v2 is in-tree data.
+ */
+static int
+cmp_gidlist(const void *v1, const void *v2)
+{
+ const struct cache_item *ci1 = (const struct cache_item *) v1;
+ const struct cache_item *ci2 = (const struct cache_item *) v2;
+ int ret = strcmp(ci1->k.name, ci2->k.name);
+ if (ret == 0) {
+ if (ci1->type == ENTRY_TYPE_ANY || ci1->type == ci2->type)
+ return strcmp(ci1->registry, ci2->registry);
+ if (ci1->type < ci2->type)
+ return -1;
+ return 1;
+ }
+ return ret;
+}
+
+void
+sudo_pw_addref(struct passwd *pw)
+{
+ debug_decl(sudo_pw_addref, SUDOERS_DEBUG_NSS);
+ ptr_to_item(pw)->refcnt++;
+ debug_return;
+}
+
+static void
+sudo_pw_delref_item(void *v)
+{
+ struct cache_item *item = v;
+ debug_decl(sudo_pw_delref_item, SUDOERS_DEBUG_NSS);
+
+ if (--item->refcnt == 0)
+ free(item);
+
+ debug_return;
+}
+
+void
+sudo_pw_delref(struct passwd *pw)
+{
+ debug_decl(sudo_pw_delref, SUDOERS_DEBUG_NSS);
+ sudo_pw_delref_item(ptr_to_item(pw));
+ debug_return;
+}
+
+/*
+ * Get a password entry by uid and allocate space for it.
+ */
+struct passwd *
+sudo_getpwuid(uid_t uid)
+{
+ struct cache_item key, *item;
+ struct rbnode *node;
+ debug_decl(sudo_getpwuid, SUDOERS_DEBUG_NSS);
+
+ if (pwcache_byuid == NULL) {
+ pwcache_byuid = rbcreate(cmp_pwuid);
+ if (pwcache_byuid == NULL) {
+ sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+ debug_return_ptr(NULL);
+ }
+ }
+
+ key.k.uid = uid;
+ getauthregistry(IDtouser(uid), key.registry);
+ if ((node = rbfind(pwcache_byuid, &key)) != NULL) {
+ item = node->data;
+ goto done;
+ }
+ /*
+ * Cache passwd db entry if it exists or a negative response if not.
+ */
+#ifdef HAVE_SETAUTHDB
+ aix_setauthdb(IDtouser(uid), key.registry);
+#endif
+ item = make_pwitem(uid, NULL);
+#ifdef HAVE_SETAUTHDB
+ aix_restoreauthdb();
+#endif
+ if (item == NULL) {
+ if (errno != ENOENT || (item = calloc(1, sizeof(*item))) == NULL) {
+ sudo_warn(U_("unable to cache uid %u"), (unsigned int) uid);
+ /* cppcheck-suppress memleak */
+ debug_return_ptr(NULL);
+ }
+ item->refcnt = 1;
+ item->k.uid = uid;
+ /* item->d.pw = NULL; */
+ }
+ strlcpy(item->registry, key.registry, sizeof(item->registry));
+ switch (rbinsert(pwcache_byuid, item, NULL)) {
+ case 1:
+ /* should not happen */
+ sudo_warnx(U_("unable to cache uid %u, already exists"),
+ (unsigned int) uid);
+ item->refcnt = 0;
+ break;
+ case -1:
+ /* can't cache item, just return it */
+ sudo_warn(U_("unable to cache uid %u"), (unsigned int) uid);
+ item->refcnt = 0;
+ break;
+ }
+done:
+ if (item->refcnt != 0) {
+ sudo_debug_printf(SUDO_DEBUG_DEBUG,
+ "%s: uid %u [%s] -> user %s [%s] (%s)", __func__,
+ (unsigned int)uid, key.registry,
+ item->d.pw ? item->d.pw->pw_name : "unknown",
+ item->registry, node ? "cache hit" : "cached");
+ }
+ if (item->d.pw != NULL)
+ item->refcnt++;
+ debug_return_ptr(item->d.pw);
+}
+
+/*
+ * Get a password entry by name and allocate space for it.
+ */
+struct passwd *
+sudo_getpwnam(const char *name)
+{
+ struct cache_item key, *item;
+ struct rbnode *node;
+ debug_decl(sudo_getpwnam, SUDOERS_DEBUG_NSS);
+
+ if (pwcache_byname == NULL) {
+ pwcache_byname = rbcreate(cmp_pwnam);
+ if (pwcache_byname == NULL) {
+ sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+ debug_return_ptr(NULL);
+ }
+ }
+
+ key.k.name = (char *) name;
+ getauthregistry((char *) name, key.registry);
+ if ((node = rbfind(pwcache_byname, &key)) != NULL) {
+ item = node->data;
+ goto done;
+ }
+ /*
+ * Cache passwd db entry if it exists or a negative response if not.
+ */
+#ifdef HAVE_SETAUTHDB
+ aix_setauthdb((char *) name, key.registry);
+#endif
+ item = make_pwitem((uid_t)-1, name);
+#ifdef HAVE_SETAUTHDB
+ aix_restoreauthdb();
+#endif
+ if (item == NULL) {
+ const size_t len = strlen(name) + 1;
+ if (errno != ENOENT || (item = calloc(1, sizeof(*item) + len)) == NULL) {
+ sudo_warn(U_("unable to cache user %s"), name);
+ /* cppcheck-suppress memleak */
+ debug_return_ptr(NULL);
+ }
+ item->refcnt = 1;
+ item->k.name = (char *) item + sizeof(*item);
+ memcpy(item->k.name, name, len);
+ /* item->d.pw = NULL; */
+ }
+ strlcpy(item->registry, key.registry, sizeof(item->registry));
+ switch (rbinsert(pwcache_byname, item, NULL)) {
+ case 1:
+ /* should not happen */
+ sudo_warnx(U_("unable to cache user %s, already exists"), name);
+ item->refcnt = 0;
+ break;
+ case -1:
+ /* can't cache item, just return it */
+ sudo_warn(U_("unable to cache user %s"), name);
+ item->refcnt = 0;
+ break;
+ }
+done:
+ if (item->refcnt != 0) {
+ sudo_debug_printf(SUDO_DEBUG_DEBUG,
+ "%s: user %s [%s] -> uid %d [%s] (%s)", __func__, name,
+ key.registry, item->d.pw ? (int)item->d.pw->pw_uid : -1,
+ item->registry, node ? "cache hit" : "cached");
+ }
+ if (item->d.pw != NULL)
+ item->refcnt++;
+ debug_return_ptr(item->d.pw);
+}
+
+/*
+ * Take a user, uid, gid, home and shell and return a faked up passwd struct.
+ * If home or shell are NULL default values will be used.
+ */
+struct passwd *
+sudo_mkpwent(const char *user, uid_t uid, gid_t gid, const char *home,
+ const char *shell)
+{
+ struct cache_item_pw *pwitem;
+ struct cache_item *item;
+ struct passwd *pw;
+ size_t len, name_len, home_len, shell_len;
+ unsigned int i;
+ debug_decl(sudo_mkpwent, SUDOERS_DEBUG_NSS);
+
+ if (pwcache_byuid == NULL)
+ pwcache_byuid = rbcreate(cmp_pwuid);
+ if (pwcache_byname == NULL)
+ pwcache_byname = rbcreate(cmp_pwnam);
+ if (pwcache_byuid == NULL || pwcache_byname == NULL) {
+ sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+ debug_return_ptr(NULL);
+ }
+
+ /* Optional arguments. */
+ if (home == NULL)
+ home = "/";
+ if (shell == NULL)
+ shell = _PATH_BSHELL;
+
+ sudo_debug_printf(SUDO_DEBUG_DEBUG,
+ "%s: creating and caching passwd struct for %s:%u:%u:%s:%s", __func__,
+ user, (unsigned int)uid, (unsigned int)gid, home, shell);
+
+ name_len = strlen(user);
+ home_len = strlen(home);
+ shell_len = strlen(shell);
+ len = sizeof(*pwitem) + name_len + 1 /* pw_name */ +
+ sizeof("*") /* pw_passwd */ + sizeof("") /* pw_gecos */ +
+ home_len + 1 /* pw_dir */ + shell_len + 1 /* pw_shell */;
+
+ for (i = 0; i < 2; i++) {
+ struct rbtree *pwcache;
+ struct rbnode *node;
+
+ pwitem = calloc(1, len);
+ if (pwitem == NULL) {
+ sudo_warn(U_("unable to cache user %s"), user);
+ debug_return_ptr(NULL);
+ }
+ pw = &pwitem->pw;
+ pw->pw_uid = uid;
+ pw->pw_gid = gid;
+ pw->pw_name = (char *)(pwitem + 1);
+ memcpy(pw->pw_name, user, name_len + 1);
+ pw->pw_passwd = pw->pw_name + name_len + 1;
+ memcpy(pw->pw_passwd, "*", 2);
+ pw->pw_gecos = pw->pw_passwd + 2;
+ pw->pw_gecos[0] = '\0';
+ pw->pw_dir = pw->pw_gecos + 1;
+ memcpy(pw->pw_dir, home, home_len + 1);
+ pw->pw_shell = pw->pw_dir + home_len + 1;
+ memcpy(pw->pw_shell, shell, shell_len + 1);
+
+ item = &pwitem->cache;
+ item->refcnt = 1;
+ item->d.pw = pw;
+ if (i == 0) {
+ /* Store by uid. */
+ item->k.uid = pw->pw_uid;
+ pwcache = pwcache_byuid;
+ } else {
+ /* Store by name. */
+ item->k.name = pw->pw_name;
+ pwcache = pwcache_byname;
+ }
+ getauthregistry(NULL, item->registry);
+ switch (rbinsert(pwcache, item, &node)) {
+ case 1:
+ /* Already exists. */
+ item = node->data;
+ if (item->d.pw == NULL) {
+ /* Negative cache entry, replace with ours. */
+ sudo_pw_delref_item(item);
+ item = node->data = &pwitem->cache;
+ } else {
+ /* Good entry, discard our fake one. */
+ free(pwitem);
+ }
+ break;
+ case -1:
+ /* can't cache item, just return it */
+ sudo_warn(U_("unable to cache user %s"), user);
+ item->refcnt = 0;
+ break;
+ }
+ }
+ item->refcnt++;
+ debug_return_ptr(item->d.pw);
+}
+
+/*
+ * Take a uid in string form "#123" and return a faked up passwd struct.
+ */
+struct passwd *
+sudo_fakepwnam(const char *user, gid_t gid)
+{
+ const char *errstr;
+ uid_t uid;
+ debug_decl(sudo_fakepwnam, SUDOERS_DEBUG_NSS);
+
+ uid = (uid_t) sudo_strtoid(user + 1, &errstr);
+ if (errstr != NULL) {
+ sudo_debug_printf(SUDO_DEBUG_DIAG|SUDO_DEBUG_LINENO,
+ "uid %s %s", user, errstr);
+ debug_return_ptr(NULL);
+ }
+ debug_return_ptr(sudo_mkpwent(user, uid, gid, NULL, NULL));
+}
+
+void
+sudo_freepwcache(void)
+{
+ debug_decl(sudo_freepwcache, SUDOERS_DEBUG_NSS);
+
+ if (pwcache_byuid != NULL) {
+ rbdestroy(pwcache_byuid, sudo_pw_delref_item);
+ pwcache_byuid = NULL;
+ }
+ if (pwcache_byname != NULL) {
+ rbdestroy(pwcache_byname, sudo_pw_delref_item);
+ pwcache_byname = NULL;
+ }
+
+ debug_return;
+}
+
+/*
+ * Compare by group-ID.
+ * v1 is the key to find or data to insert, v2 is in-tree data.
+ */
+static int
+cmp_grgid(const void *v1, const void *v2)
+{
+ const struct cache_item *ci1 = (const struct cache_item *) v1;
+ const struct cache_item *ci2 = (const struct cache_item *) v2;
+ if (ci1->k.gid == ci2->k.gid)
+ return strcmp(ci1->registry, ci2->registry);
+ if (ci1->k.gid < ci2->k.gid)
+ return -1;
+ return 1;
+}
+
+void
+sudo_gr_addref(struct group *gr)
+{
+ debug_decl(sudo_gr_addref, SUDOERS_DEBUG_NSS);
+ ptr_to_item(gr)->refcnt++;
+ debug_return;
+}
+
+static void
+sudo_gr_delref_item(void *v)
+{
+ struct cache_item *item = v;
+ debug_decl(sudo_gr_delref_item, SUDOERS_DEBUG_NSS);
+
+ if (--item->refcnt == 0)
+ free(item);
+
+ debug_return;
+}
+
+void
+sudo_gr_delref(struct group *gr)
+{
+ debug_decl(sudo_gr_delref, SUDOERS_DEBUG_NSS);
+ sudo_gr_delref_item(ptr_to_item(gr));
+ debug_return;
+}
+
+/*
+ * Get a group entry by gid and allocate space for it.
+ */
+struct group *
+sudo_getgrgid(gid_t gid)
+{
+ struct cache_item key, *item;
+ struct rbnode *node;
+ debug_decl(sudo_getgrgid, SUDOERS_DEBUG_NSS);
+
+ if (grcache_bygid == NULL) {
+ grcache_bygid = rbcreate(cmp_grgid);
+ if (grcache_bygid == NULL) {
+ sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+ debug_return_ptr(NULL);
+ }
+ }
+
+ key.k.gid = gid;
+ getauthregistry(NULL, key.registry);
+ if ((node = rbfind(grcache_bygid, &key)) != NULL) {
+ item = node->data;
+ goto done;
+ }
+ /*
+ * Cache group db entry if it exists or a negative response if not.
+ */
+ item = make_gritem(gid, NULL);
+ if (item == NULL) {
+ if (errno != ENOENT || (item = calloc(1, sizeof(*item))) == NULL) {
+ sudo_warn(U_("unable to cache gid %u"), (unsigned int) gid);
+ /* cppcheck-suppress memleak */
+ debug_return_ptr(NULL);
+ }
+ item->refcnt = 1;
+ item->k.gid = gid;
+ /* item->d.gr = NULL; */
+ }
+ strlcpy(item->registry, key.registry, sizeof(item->registry));
+ switch (rbinsert(grcache_bygid, item, NULL)) {
+ case 1:
+ /* should not happen */
+ sudo_warnx(U_("unable to cache gid %u, already exists"),
+ (unsigned int) gid);
+ item->refcnt = 0;
+ break;
+ case -1:
+ /* can't cache item, just return it */
+ sudo_warn(U_("unable to cache gid %u"), (unsigned int) gid);
+ item->refcnt = 0;
+ break;
+ }
+done:
+ if (item->refcnt != 0) {
+ sudo_debug_printf(SUDO_DEBUG_DEBUG,
+ "%s: gid %u [%s] -> group %s [%s] (%s)", __func__,
+ (unsigned int)gid, key.registry,
+ item->d.gr ? item->d.gr->gr_name : "unknown",
+ item->registry, node ? "cache hit" : "cached");
+ }
+ if (item->d.gr != NULL)
+ item->refcnt++;
+ debug_return_ptr(item->d.gr);
+}
+
+/*
+ * Get a group entry by name and allocate space for it.
+ */
+struct group *
+sudo_getgrnam(const char *name)
+{
+ struct cache_item key, *item;
+ struct rbnode *node;
+ debug_decl(sudo_getgrnam, SUDOERS_DEBUG_NSS);
+
+ if (grcache_byname == NULL) {
+ grcache_byname = rbcreate(cmp_grnam);
+ if (grcache_byname == NULL) {
+ sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+ debug_return_ptr(NULL);
+ }
+ }
+
+ key.k.name = (char *) name;
+ getauthregistry(NULL, key.registry);
+ if ((node = rbfind(grcache_byname, &key)) != NULL) {
+ item = node->data;
+ goto done;
+ }
+ /*
+ * Cache group db entry if it exists or a negative response if not.
+ */
+ item = make_gritem((gid_t)-1, name);
+ if (item == NULL) {
+ const size_t len = strlen(name) + 1;
+ if (errno != ENOENT || (item = calloc(1, sizeof(*item) + len)) == NULL) {
+ sudo_warn(U_("unable to cache group %s"), name);
+ /* cppcheck-suppress memleak */
+ debug_return_ptr(NULL);
+ }
+ item->refcnt = 1;
+ item->k.name = (char *) item + sizeof(*item);
+ memcpy(item->k.name, name, len);
+ /* item->d.gr = NULL; */
+ }
+ strlcpy(item->registry, key.registry, sizeof(item->registry));
+ switch (rbinsert(grcache_byname, item, NULL)) {
+ case 1:
+ /* should not happen */
+ sudo_warnx(U_("unable to cache group %s, already exists"), name);
+ item->refcnt = 0;
+ break;
+ case -1:
+ /* can't cache item, just return it */
+ sudo_warn(U_("unable to cache group %s"), name);
+ item->refcnt = 0;
+ break;
+ }
+done:
+ if (item->refcnt != 0) {
+ sudo_debug_printf(SUDO_DEBUG_DEBUG,
+ "%s: group %s [%s] -> gid %d [%s] (%s)", __func__, name,
+ key.registry, item->d.gr ? (int)item->d.gr->gr_gid : -1,
+ item->registry, node ? "cache hit" : "cached");
+ }
+ if (item->d.gr != NULL)
+ item->refcnt++;
+ debug_return_ptr(item->d.gr);
+}
+
+/*
+ * Take a group name, ID, members and return a faked up group struct.
+ */
+struct group *
+sudo_mkgrent(const char *group, gid_t gid, ...)
+{
+ struct cache_item_gr *gritem;
+ struct cache_item *item;
+ struct group *gr;
+ size_t nmem, nsize, total;
+ char *cp, *mem;
+ va_list ap;
+ unsigned int i;
+ debug_decl(sudo_mkgrent, SUDOERS_DEBUG_NSS);
+
+ if (grcache_bygid == NULL)
+ grcache_bygid = rbcreate(cmp_grgid);
+ if (grcache_byname == NULL)
+ grcache_byname = rbcreate(cmp_grnam);
+ if (grcache_bygid == NULL || grcache_byname == NULL) {
+ sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+ debug_return_ptr(NULL);
+ }
+
+ /* Allocate in one big chunk for easy freeing. */
+ nsize = strlen(group) + 1;
+ total = sizeof(*gritem) + nsize;
+ va_start(ap, gid);
+ for (nmem = 1; (mem = va_arg(ap, char *)) != NULL; nmem++) {
+ total += strlen(mem) + 1;
+ }
+ va_end(ap);
+ total += sizeof(char *) * nmem;
+
+ for (i = 0; i < 2; i++) {
+ struct rbtree *grcache;
+ struct rbnode *node;
+
+ /*
+ * Fill in group contents and make strings relative to space
+ * at the end of the buffer. Note that gr_mem must come
+ * immediately after struct group to guarantee proper alignment.
+ */
+ gritem = calloc(1, total);
+ if (gritem == NULL) {
+ sudo_warn(U_("unable to cache group %s"), group);
+ debug_return_ptr(NULL);
+ }
+ gr = &gritem->gr;
+ gr->gr_gid = gid;
+ gr->gr_passwd = (char *)"*";
+ cp = (char *)(gritem + 1);
+ gr->gr_mem = (char **)cp;
+ cp += sizeof(char *) * nmem;
+ va_start(ap, gid);
+ for (nmem = 0; (mem = va_arg(ap, char *)) != NULL; nmem++) {
+ size_t len = strlen(mem) + 1;
+ memcpy(cp, mem, len);
+ gr->gr_mem[nmem] = cp;
+ cp += len;
+ }
+ va_end(ap);
+ gr->gr_mem[nmem] = NULL;
+ gr->gr_name = cp;
+ memcpy(gr->gr_name, group, nsize);
+
+ item = &gritem->cache;
+ item->refcnt = 1;
+ item->d.gr = gr;
+ if (i == 0) {
+ /* Store by gid if it doesn't already exist. */
+ item->k.gid = gr->gr_gid;
+ grcache = grcache_bygid;
+ } else {
+ /* Store by name, overwriting cached version. */
+ gritem->cache.k.name = gr->gr_name;
+ grcache = grcache_byname;
+ }
+ getauthregistry(NULL, item->registry);
+ switch (rbinsert(grcache, item, &node)) {
+ case 1:
+ /* Already exists. */
+ item = node->data;
+ if (item->d.gr == NULL) {
+ /* Negative cache entry, replace with ours. */
+ sudo_gr_delref_item(item);
+ item = node->data = &gritem->cache;
+ } else {
+ /* Good entry, discard our fake one. */
+ free(gritem);
+ }
+ break;
+ case -1:
+ /* can't cache item, just return it */
+ sudo_warn(U_("unable to cache group %s"), group);
+ item->refcnt = 0;
+ break;
+ }
+ }
+ if (item->d.gr != NULL)
+ item->refcnt++;
+ debug_return_ptr(item->d.gr);
+}
+
+/*
+ * Take a gid in string form "#123" and return a faked up group struct.
+ */
+struct group *
+sudo_fakegrnam(const char *group)
+{
+ const char *errstr;
+ gid_t gid;
+ debug_decl(sudo_fakegrnam, SUDOERS_DEBUG_NSS);
+
+ gid = (gid_t) sudo_strtoid(group + 1, &errstr);
+ if (errstr != NULL) {
+ sudo_debug_printf(SUDO_DEBUG_DIAG|SUDO_DEBUG_LINENO,
+ "gid %s %s", group, errstr);
+ debug_return_ptr(NULL);
+ }
+
+ debug_return_ptr(sudo_mkgrent(group, gid, (char *)NULL));
+}
+
+void
+sudo_gidlist_addref(struct gid_list *gidlist)
+{
+ debug_decl(sudo_gidlist_addref, SUDOERS_DEBUG_NSS);
+ ptr_to_item(gidlist)->refcnt++;
+ debug_return;
+}
+
+static void
+sudo_gidlist_delref_item(void *v)
+{
+ struct cache_item *item = v;
+ debug_decl(sudo_gidlist_delref_item, SUDOERS_DEBUG_NSS);
+
+ if (--item->refcnt == 0)
+ free(item);
+
+ debug_return;
+}
+
+void
+sudo_gidlist_delref(struct gid_list *gidlist)
+{
+ debug_decl(sudo_gidlist_delref, SUDOERS_DEBUG_NSS);
+ sudo_gidlist_delref_item(ptr_to_item(gidlist));
+ debug_return;
+}
+
+void
+sudo_grlist_addref(struct group_list *grlist)
+{
+ debug_decl(sudo_grlist_addref, SUDOERS_DEBUG_NSS);
+ ptr_to_item(grlist)->refcnt++;
+ debug_return;
+}
+
+static void
+sudo_grlist_delref_item(void *v)
+{
+ struct cache_item *item = v;
+ debug_decl(sudo_grlist_delref_item, SUDOERS_DEBUG_NSS);
+
+ if (--item->refcnt == 0)
+ free(item);
+
+ debug_return;
+}
+
+void
+sudo_grlist_delref(struct group_list *grlist)
+{
+ debug_decl(sudo_grlist_delref, SUDOERS_DEBUG_NSS);
+ sudo_grlist_delref_item(ptr_to_item(grlist));
+ debug_return;
+}
+
+void
+sudo_freegrcache(void)
+{
+ debug_decl(sudo_freegrcache, SUDOERS_DEBUG_NSS);
+
+ if (grcache_bygid != NULL) {
+ rbdestroy(grcache_bygid, sudo_gr_delref_item);
+ grcache_bygid = NULL;
+ }
+ if (grcache_byname != NULL) {
+ rbdestroy(grcache_byname, sudo_gr_delref_item);
+ grcache_byname = NULL;
+ }
+ if (grlist_cache != NULL) {
+ rbdestroy(grlist_cache, sudo_grlist_delref_item);
+ grlist_cache = NULL;
+ }
+ if (gidlist_cache != NULL) {
+ rbdestroy(gidlist_cache, sudo_gidlist_delref_item);
+ gidlist_cache = NULL;
+ }
+
+ debug_return;
+}
+
+struct group_list *
+sudo_get_grlist(const struct passwd *pw)
+{
+ struct cache_item key, *item;
+ struct rbnode *node;
+ debug_decl(sudo_get_grlist, SUDOERS_DEBUG_NSS);
+
+ sudo_debug_printf(SUDO_DEBUG_DEBUG, "%s: looking up group names for %s",
+ __func__, pw->pw_name);
+
+ if (grlist_cache == NULL) {
+ grlist_cache = rbcreate(cmp_pwnam);
+ if (grlist_cache == NULL) {
+ sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+ debug_return_ptr(NULL);
+ }
+ }
+
+ key.k.name = pw->pw_name;
+ getauthregistry(pw->pw_name, key.registry);
+ if ((node = rbfind(grlist_cache, &key)) != NULL) {
+ item = node->data;
+ goto done;
+ }
+ /*
+ * Cache group db entry if it exists or a negative response if not.
+ */
+ item = make_grlist_item(pw, NULL);
+ if (item == NULL) {
+ /* Out of memory? */
+ debug_return_ptr(NULL);
+ }
+ strlcpy(item->registry, key.registry, sizeof(item->registry));
+ switch (rbinsert(grlist_cache, item, NULL)) {
+ case 1:
+ /* should not happen */
+ sudo_warnx(U_("unable to cache group list for %s, already exists"),
+ pw->pw_name);
+ item->refcnt = 0;
+ break;
+ case -1:
+ /* can't cache item, just return it */
+ sudo_warn(U_("unable to cache group list for %s"), pw->pw_name);
+ item->refcnt = 0;
+ break;
+ }
+ if (item->d.grlist != NULL) {
+ int i;
+ for (i = 0; i < item->d.grlist->ngroups; i++) {
+ sudo_debug_printf(SUDO_DEBUG_DEBUG,
+ "%s: user %s is a member of group %s", __func__,
+ pw->pw_name, item->d.grlist->groups[i]);
+ }
+ }
+done:
+ if (item->d.grlist != NULL)
+ item->refcnt++;
+ debug_return_ptr(item->d.grlist);
+}
+
+static void
+sudo_debug_group_list(const char *user, char * const *groups,
+ unsigned int level)
+{
+ size_t i, len = 0;
+ debug_decl(sudo_debug_group_list, SUDOERS_DEBUG_NSS);
+
+ if (groups == NULL || !sudo_debug_needed(level))
+ debug_return;
+
+ for (i = 0; groups[i] != NULL; i++) {
+ len += strlen(groups[i]) + 1;
+ }
+ if (len != 0) {
+ char *groupstr = malloc(len);
+ if (groupstr != NULL) {
+ char *cp = groupstr;
+ for (i = 0; groups[i] != NULL; i++) {
+ size_t n = (size_t)snprintf(cp, len, "%s%s", i ? "," : "",
+ groups[i]);
+ if (n >= len)
+ break;
+ cp += n;
+ len -= n;
+ }
+ sudo_debug_printf(level, "%s: %s", user, groupstr);
+ free(groupstr);
+ }
+ }
+ debug_return;
+}
+
+int
+sudo_set_grlist(struct passwd *pw, char * const *groups)
+{
+ struct cache_item key, *item;
+ debug_decl(sudo_set_grlist, SUDOERS_DEBUG_NSS);
+
+ sudo_debug_printf(SUDO_DEBUG_DEBUG, "%s: setting group names for %s",
+ __func__, pw->pw_name);
+
+ sudo_debug_group_list(pw->pw_name, groups, SUDO_DEBUG_DEBUG);
+
+ if (grlist_cache == NULL) {
+ grlist_cache = rbcreate(cmp_pwnam);
+ if (grlist_cache == NULL) {
+ sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+ debug_return_int(-1);
+ }
+ }
+
+ /*
+ * Cache group db entry if it doesn't already exist
+ */
+ key.k.name = pw->pw_name;
+ getauthregistry(pw->pw_name, key.registry);
+ if (rbfind(grlist_cache, &key) == NULL) {
+ if ((item = make_grlist_item(pw, groups)) == NULL) {
+ sudo_warnx(U_("unable to parse groups for %s"), pw->pw_name);
+ debug_return_int(-1);
+ }
+ strlcpy(item->registry, key.registry, sizeof(item->registry));
+ switch (rbinsert(grlist_cache, item, NULL)) {
+ case 1:
+ sudo_warnx(U_("unable to cache group list for %s, already exists"),
+ pw->pw_name);
+ sudo_grlist_delref_item(item);
+ break;
+ case -1:
+ sudo_warn(U_("unable to cache group list for %s"), pw->pw_name);
+ sudo_grlist_delref_item(item);
+ debug_return_int(-1);
+ }
+ } else {
+ sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO,
+ "groups for user %s are already cached", pw->pw_name);
+ }
+
+ debug_return_int(0);
+}
+
+struct gid_list *
+sudo_get_gidlist(const struct passwd *pw, unsigned int type)
+{
+ struct cache_item key, *item;
+ struct rbnode *node;
+ debug_decl(sudo_get_gidlist, SUDOERS_DEBUG_NSS);
+
+ sudo_debug_printf(SUDO_DEBUG_DEBUG, "%s: looking up group-IDs for %s",
+ __func__, pw->pw_name);
+
+ if (gidlist_cache == NULL) {
+ gidlist_cache = rbcreate(cmp_gidlist);
+ if (gidlist_cache == NULL) {
+ sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+ debug_return_ptr(NULL);
+ }
+ }
+
+ key.k.name = pw->pw_name;
+ key.type = type;
+ getauthregistry(pw->pw_name, key.registry);
+ if ((node = rbfind(gidlist_cache, &key)) != NULL) {
+ item = node->data;
+ goto done;
+ }
+ /*
+ * Cache group db entry if it exists or a negative response if not.
+ */
+ item = make_gidlist_item(pw, -1, NULL, NULL, type);
+ if (item == NULL) {
+ /* Out of memory? */
+ debug_return_ptr(NULL);
+ }
+ strlcpy(item->registry, key.registry, sizeof(item->registry));
+ switch (rbinsert(gidlist_cache, item, NULL)) {
+ case 1:
+ /* should not happen */
+ sudo_warnx(U_("unable to cache group list for %s, already exists"),
+ pw->pw_name);
+ item->refcnt = 0;
+ break;
+ case -1:
+ /* can't cache item, just return it */
+ sudo_warn(U_("unable to cache group list for %s"), pw->pw_name);
+ item->refcnt = 0;
+ break;
+ }
+ if (item->d.gidlist != NULL) {
+ int i;
+ for (i = 0; i < item->d.gidlist->ngids; i++) {
+ sudo_debug_printf(SUDO_DEBUG_DEBUG,
+ "%s: user %s has supplementary gid %u", __func__,
+ pw->pw_name, (unsigned int)item->d.gidlist->gids[i]);
+ }
+ }
+done:
+ if (item->d.gidlist != NULL)
+ item->refcnt++;
+ debug_return_ptr(item->d.gidlist);
+}
+
+int
+sudo_set_gidlist(struct passwd *pw, int ngids, GETGROUPS_T *gids,
+ char * const *gidstrs, unsigned int type)
+{
+ struct cache_item key, *item;
+ debug_decl(sudo_set_gidlist, SUDOERS_DEBUG_NSS);
+
+ sudo_debug_printf(SUDO_DEBUG_DEBUG, "%s: setting group-IDs for %s",
+ __func__, pw->pw_name);
+
+ /* XXX - ngids/gids too */
+ sudo_debug_group_list(pw->pw_name, gidstrs, SUDO_DEBUG_DEBUG);
+
+ if (gidlist_cache == NULL) {
+ gidlist_cache = rbcreate(cmp_gidlist);
+ if (gidlist_cache == NULL) {
+ sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+ debug_return_int(-1);
+ }
+ }
+
+ /*
+ * Cache group db entry if it doesn't already exist
+ */
+ key.k.name = pw->pw_name;
+ key.type = type;
+ getauthregistry(pw->pw_name, key.registry);
+ if (rbfind(gidlist_cache, &key) == NULL) {
+ if ((item = make_gidlist_item(pw, ngids, gids, gidstrs, type)) == NULL) {
+ sudo_warnx(U_("unable to parse gids for %s"), pw->pw_name);
+ debug_return_int(-1);
+ }
+ strlcpy(item->registry, key.registry, sizeof(item->registry));
+ switch (rbinsert(gidlist_cache, item, NULL)) {
+ case 1:
+ sudo_warnx(U_("unable to cache group list for %s, already exists"),
+ pw->pw_name);
+ sudo_gidlist_delref_item(item);
+ break;
+ case -1:
+ sudo_warn(U_("unable to cache group list for %s"), pw->pw_name);
+ sudo_gidlist_delref_item(item);
+ debug_return_int(-1);
+ }
+ } else {
+ sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO,
+ "gids for user %s are already cached", pw->pw_name);
+ }
+
+ debug_return_int(0);
+}
+
+bool
+user_in_group(const struct passwd *pw, const char *group)
+{
+ struct group_list *grlist = NULL;
+ struct gid_list *gidlist = NULL;
+ struct group *grp = NULL;
+ bool matched = false;
+ int i;
+ debug_decl(user_in_group, SUDOERS_DEBUG_NSS);
+
+ /*
+ * If it could be a sudo-style group-ID check gids first.
+ */
+ if (group[0] == '#') {
+ const char *errstr;
+ gid_t gid = (gid_t) sudo_strtoid(group + 1, &errstr);
+ if (errstr != NULL) {
+ sudo_debug_printf(SUDO_DEBUG_DIAG|SUDO_DEBUG_LINENO,
+ "gid %s %s", group, errstr);
+ } else {
+ if (gid == pw->pw_gid) {
+ matched = true;
+ goto done;
+ }
+ if ((gidlist = sudo_get_gidlist(pw, ENTRY_TYPE_ANY)) != NULL) {
+ for (i = 0; i < gidlist->ngids; i++) {
+ if (gid == gidlist->gids[i]) {
+ matched = true;
+ goto done;
+ }
+ }
+ }
+ }
+ }
+
+ /*
+ * Next match the group name. By default, sudoers resolves all the user's
+ * group-IDs to names and matches by name. If match_group_by_gid is
+ * set, each group is sudoers is resolved and matching is by group-ID.
+ */
+ if (def_match_group_by_gid) {
+ gid_t gid;
+
+ /* Look up the ID of the group in sudoers. */
+ if ((grp = sudo_getgrnam(group)) == NULL)
+ goto done;
+ gid = grp->gr_gid;
+
+ /* Check against user's primary (passwd file) group-ID. */
+ if (gid == pw->pw_gid) {
+ matched = true;
+ goto done;
+ }
+
+ /* Check the supplementary group vector. */
+ if (gidlist == NULL) {
+ if ((gidlist = sudo_get_gidlist(pw, ENTRY_TYPE_ANY)) != NULL) {
+ for (i = 0; i < gidlist->ngids; i++) {
+ if (gid == gidlist->gids[i]) {
+ matched = true;
+ goto done;
+ }
+ }
+ }
+ }
+ } else if ((grlist = sudo_get_grlist(pw)) != NULL) {
+ int (*compare)(const char *, const char *);
+ if (def_case_insensitive_group)
+ compare = strcasecmp;
+ else
+ compare = strcmp;
+
+ /* Check the user's group vector, which includes the primary group. */
+ for (i = 0; i < grlist->ngroups; i++) {
+ if (compare(group, grlist->groups[i]) == 0) {
+ matched = true;
+ goto done;
+ }
+ }
+ }
+
+done:
+ if (grp != NULL)
+ sudo_gr_delref(grp);
+ if (grlist != NULL)
+ sudo_grlist_delref(grlist);
+ if (gidlist != NULL)
+ sudo_gidlist_delref(gidlist);
+
+ sudo_debug_printf(SUDO_DEBUG_DEBUG, "%s: user %s %sin group %s",
+ __func__, pw->pw_name, matched ? "" : "NOT ", group);
+ debug_return_bool(matched);
+}
+
+/*
+ * Returns true if the user's shell is considered to be valid.
+ */
+bool
+user_shell_valid(const struct passwd *pw)
+{
+ debug_decl(user_shell_valid, SUDOERS_DEBUG_NSS);
+
+ if (!def_runas_check_shell)
+ debug_return_bool(true);
+
+ debug_return_bool(valid_shell(pw->pw_shell));
+}