2 * SPDX-License-Identifier: ISC
4 * Copyright (c) 1993-1996, 1998-2019 Todd C. Miller <Todd.Miller@sudo.ws>
6 * Permission to use, copy, modify, and distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 * Sponsored in part by the Defense Advanced Research Projects
19 * Agency (DARPA) and Air Force Research Laboratory, Air Force
20 * Materiel Command, USAF, under agreement number F39502-99-1-0512.
24 * This is an open source non-commercial project. Dear PVS-Studio, please check it.
25 * PVS-Studio Static Code Analyzer for C, C++ and C#: http://www.viva64.com
34 #include <sys/types.h>
35 #include <sys/resource.h>
37 #include <sys/socket.h>
42 #endif /* HAVE_STRING_H */
45 #endif /* HAVE_STRINGS_H */
54 #ifdef HAVE_LOGIN_CAP_H
55 # include <login_cap.h>
56 # ifndef LOGIN_DEFROOTCLASS
57 # define LOGIN_DEFROOTCLASS "daemon"
60 # define LOGIN_SETENV 0
64 # include <selinux/selinux.h>
70 #include "auth/sudo_auth.h"
72 #ifndef HAVE_GETADDRINFO
73 # include "compat/getaddrinfo.h"
79 static bool cb_fqdn(const union sudo_defs_val *);
80 static bool cb_runas_default(const union sudo_defs_val *);
81 static bool cb_tty_tickets(const union sudo_defs_val *);
82 static int set_cmnd(void);
83 static int create_admin_success_flag(void);
84 static bool init_vars(char * const *);
85 static bool set_loginclass(struct passwd *);
86 static bool set_runasgr(const char *, bool);
87 static bool set_runaspw(const char *, bool);
88 static bool tty_present(void);
93 struct sudo_user sudo_user;
94 struct passwd *list_pw;
97 #ifdef HAVE_BSD_AUTH_H
99 #endif /* HAVE_BSD_AUTH_H */
102 static char *prev_user;
103 static char *runas_user;
104 static char *runas_group;
105 static struct sudo_nss_list *snl;
108 static struct rlimit nproclimit;
111 /* XXX - must be extern for audit bits of sudo_auth.c */
116 * Unlimit the number of processes since Linux's setuid() will
117 * apply resource limits when changing uid and return EAGAIN if
118 * nproc would be exceeded by the uid switch.
125 debug_decl(unlimit_nproc, SUDOERS_DEBUG_UTIL)
127 if (getrlimit(RLIMIT_NPROC, &nproclimit) != 0)
128 sudo_warn("getrlimit");
129 rl.rlim_cur = rl.rlim_max = RLIM_INFINITY;
130 if (setrlimit(RLIMIT_NPROC, &rl) != 0) {
131 rl.rlim_cur = rl.rlim_max = nproclimit.rlim_max;
132 if (setrlimit(RLIMIT_NPROC, &rl) != 0)
133 sudo_warn("setrlimit");
136 #endif /* __linux__ */
140 * Restore saved value of RLIMIT_NPROC.
146 debug_decl(restore_nproc, SUDOERS_DEBUG_UTIL)
148 if (setrlimit(RLIMIT_NPROC, &nproclimit) != 0)
149 sudo_warn("setrlimit");
152 #endif /* __linux__ */
156 sudoers_policy_init(void *info, char * const envp[])
158 struct sudo_nss *nss, *nss_next;
159 int oldlocale, sources = 0;
161 debug_decl(sudoers_policy_init, SUDOERS_DEBUG_PLUGIN)
163 bindtextdomain("sudoers", LOCALEDIR);
165 /* Register fatal/fatalx callback. */
166 sudo_fatal_callback_register(sudoers_cleanup);
168 /* Initialize environment functions (including replacements). */
170 debug_return_int(-1);
172 /* Setup defaults data structures. */
173 if (!init_defaults()) {
174 sudo_warnx(U_("unable to initialize sudoers default values"));
175 debug_return_int(-1);
178 /* Parse info from front-end. */
179 sudo_mode = sudoers_policy_deserialize_info(info, &runas_user, &runas_group);
180 if (ISSET(sudo_mode, MODE_ERROR))
181 debug_return_int(-1);
183 if (!init_vars(envp))
184 debug_return_int(-1);
186 /* Parse nsswitch.conf for sudoers order. */
187 snl = sudo_read_nss();
189 /* LDAP or NSS may modify the euid so we need to be root for the open. */
190 if (!set_perms(PERM_ROOT))
191 debug_return_int(-1);
194 * Open and parse sudoers, set global defaults.
195 * Uses the C locale unless another is specified in sudoers.
197 sudoers_setlocale(SUDOERS_LOCALE_SUDOERS, &oldlocale);
198 sudo_warn_set_locale_func(sudoers_warn_setlocale);
199 init_parser(sudoers_file, false);
200 TAILQ_FOREACH_SAFE(nss, snl, entries, nss_next) {
201 if (nss->open(nss) == -1 || (nss->parse_tree = nss->parse(nss)) == NULL) {
202 TAILQ_REMOVE(snl, nss, entries);
207 if (nss->getdefs(nss) == -1 || !update_defaults(nss->parse_tree, NULL,
208 SETDEF_GENERIC|SETDEF_HOST|SETDEF_USER|SETDEF_RUNAS, false)) {
209 log_warningx(SLOG_SEND_MAIL|SLOG_NO_STDERR,
210 N_("problem with defaults entries"));
214 sudo_warnx(U_("no valid sudoers sources found, quitting"));
218 /* Set login class if applicable (after sudoers is parsed). */
219 if (set_loginclass(runas_pw ? runas_pw : sudo_user.pw))
223 if (!restore_perms())
226 /* Restore user's locale. */
227 sudo_warn_set_locale_func(NULL);
228 sudoers_setlocale(oldlocale, NULL);
230 debug_return_int(ret);
234 sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
235 bool verbose, void *closure)
237 char **edit_argv = NULL;
238 char *iolog_path = NULL;
239 mode_t cmnd_umask = ACCESSPERMS;
240 struct sudo_nss *nss;
241 int cmnd_status = -1, oldlocale, validated;
243 debug_decl(sudoers_policy_main, SUDOERS_DEBUG_PLUGIN)
245 sudo_warn_set_locale_func(sudoers_warn_setlocale);
249 /* Is root even allowed to run sudo? */
250 if (user_uid == 0 && !def_root_sudo) {
251 /* Not an audit event. */
252 sudo_warnx(U_("sudoers specifies that root is not allowed to sudo"));
256 if (!set_perms(PERM_INITIAL))
259 /* Environment variables specified on the command line. */
260 if (env_add != NULL && env_add[0] != NULL)
261 sudo_user.env_vars = env_add;
264 * Make a local copy of argc/argv, with special handling
265 * for pseudo-commands and the '-i' option.
269 NewArgv = reallocarray(NULL, NewArgc + 1, sizeof(char *));
270 if (NewArgv == NULL) {
271 sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
274 NewArgv[0] = user_cmnd;
277 /* Must leave an extra slot before NewArgv for bash's --login */
279 NewArgv = reallocarray(NULL, NewArgc + 2, sizeof(char *));
280 if (NewArgv == NULL) {
281 sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
284 NewArgv++; /* reserve an extra slot for --login */
285 memcpy(NewArgv, argv, argc * sizeof(char *));
286 NewArgv[NewArgc] = NULL;
287 if (ISSET(sudo_mode, MODE_LOGIN_SHELL) && runas_pw != NULL) {
288 NewArgv[0] = strdup(runas_pw->pw_shell);
289 if (NewArgv[0] == NULL) {
290 sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
297 /* If given the -P option, set the "preserve_groups" flag. */
298 if (ISSET(sudo_mode, MODE_PRESERVE_GROUPS))
299 def_preserve_groups = true;
301 /* Find command in path and apply per-command Defaults. */
302 cmnd_status = set_cmnd();
303 if (cmnd_status == NOT_FOUND_ERROR)
306 /* Check for -C overriding def_closefrom. */
307 if (user_closefrom >= 0 && user_closefrom != def_closefrom) {
308 if (!def_closefrom_override) {
310 sudo_warnx(U_("you are not permitted to use the -C option"));
313 def_closefrom = user_closefrom;
317 * Check sudoers sources, using the locale specified in sudoers.
319 sudoers_setlocale(SUDOERS_LOCALE_SUDOERS, &oldlocale);
320 validated = sudoers_lookup(snl, sudo_user.pw, FLAG_NO_USER | FLAG_NO_HOST,
322 if (ISSET(validated, VALIDATE_ERROR)) {
323 /* The lookup function should have printed an error. */
327 /* Restore user's locale. */
328 sudoers_setlocale(oldlocale, NULL);
330 if (safe_cmnd == NULL) {
331 if ((safe_cmnd = strdup(user_cmnd)) == NULL) {
332 sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
338 * Look up the timestamp dir owner if one is specified.
340 if (def_timestampowner) {
341 struct passwd *pw = NULL;
343 if (*def_timestampowner == '#') {
345 uid_t uid = sudo_strtoid(def_timestampowner + 1, NULL, NULL, &errstr);
347 pw = sudo_getpwuid(uid);
350 pw = sudo_getpwnam(def_timestampowner);
352 timestamp_uid = pw->pw_uid;
353 timestamp_gid = pw->pw_gid;
356 log_warningx(SLOG_SEND_MAIL,
357 N_("timestamp owner (%s): No such user"), def_timestampowner);
358 timestamp_uid = ROOT_UID;
359 timestamp_gid = ROOT_GID;
363 /* If no command line args and "shell_noargs" is not set, error out. */
364 if (ISSET(sudo_mode, MODE_IMPLIED_SHELL) && !def_shell_noargs) {
365 /* Not an audit event. */
366 ret = -2; /* usage error */
370 /* Bail if a tty is required and we don't have one. */
371 if (def_requiretty && !tty_present()) {
372 audit_failure(NewArgc, NewArgv, N_("no tty"));
373 sudo_warnx(U_("sorry, you must have a tty to run sudo"));
378 * We don't reset the environment for sudoedit or if the user
379 * specified the -E command line flag and they have setenv privs.
381 if (ISSET(sudo_mode, MODE_EDIT) ||
382 (ISSET(sudo_mode, MODE_PRESERVE_ENV) && def_setenv))
383 def_env_reset = false;
385 /* Build a new environment that avoids any nasty bits. */
389 /* Require a password if sudoers says so. */
390 switch (check_user(validated, sudo_mode)) {
392 /* user authenticated successfully. */
395 /* Note: log_denial() calls audit for us. */
396 if (!ISSET(validated, VALIDATE_SUCCESS)) {
397 /* Only display a denial message if no password was read. */
398 if (!log_denial(validated, def_passwd_tries <= 0))
403 /* some other error, ret is -1. */
407 /* If run as root with SUDO_USER set, set sudo_user.pw to that user. */
408 /* XXX - causes confusion when root is not listed in sudoers */
409 if (sudo_mode & (MODE_RUN | MODE_EDIT) && prev_user != NULL) {
410 if (user_uid == 0 && strcmp(prev_user, "root") != 0) {
413 if ((pw = sudo_getpwnam(prev_user)) != NULL) {
414 if (sudo_user.pw != NULL)
415 sudo_pw_delref(sudo_user.pw);
421 /* If the user was not allowed to run the command we are done. */
422 if (!ISSET(validated, VALIDATE_SUCCESS)) {
423 /* Note: log_failure() calls audit for us. */
424 if (!log_failure(validated, cmnd_status))
429 /* Create Ubuntu-style dot file to indicate sudo was successful. */
430 if (create_admin_success_flag() == -1)
433 /* Finally tell the user if the command did not exist. */
434 if (cmnd_status == NOT_FOUND_DOT) {
435 audit_failure(NewArgc, NewArgv, N_("command in current directory"));
436 sudo_warnx(U_("ignoring \"%s\" found in '.'\nUse \"sudo ./%s\" if this is the \"%s\" you wish to run."), user_cmnd, user_cmnd, user_cmnd);
438 } else if (cmnd_status == NOT_FOUND) {
439 if (ISSET(sudo_mode, MODE_CHECK)) {
440 audit_failure(NewArgc, NewArgv, N_("%s: command not found"),
442 sudo_warnx(U_("%s: command not found"), NewArgv[0]);
444 audit_failure(NewArgc, NewArgv, N_("%s: command not found"),
446 sudo_warnx(U_("%s: command not found"), user_cmnd);
451 /* If user specified a timeout make sure sudoers allows it. */
452 if (!def_user_command_timeouts && user_timeout > 0) {
453 /* XXX - audit/log? */
454 sudo_warnx(U_("sorry, you are not allowed set a command timeout"));
458 /* If user specified env vars make sure sudoers allows it. */
459 if (ISSET(sudo_mode, MODE_RUN) && !def_setenv) {
460 if (ISSET(sudo_mode, MODE_PRESERVE_ENV)) {
461 /* XXX - audit/log? */
462 sudo_warnx(U_("sorry, you are not allowed to preserve the environment"));
465 if (!validate_env_vars(sudo_user.env_vars))
470 if (ISSET(sudo_mode, (MODE_RUN | MODE_EDIT))) {
471 if ((def_log_input || def_log_output) && def_iolog_file && def_iolog_dir) {
472 const char prefix[] = "iolog_path=";
473 iolog_path = expand_iolog_path(prefix, def_iolog_dir,
474 def_iolog_file, &sudo_user.iolog_file);
475 if (iolog_path == NULL) {
476 if (!def_ignore_iolog_errors)
478 /* Unable to expand I/O log path, disable I/O logging. */
479 def_log_input = false;
480 def_log_output = false;
482 sudo_user.iolog_file++;
487 if (!log_allowed(validated) && !def_ignore_logfile_errors)
490 switch (sudo_mode & MODE_MASK) {
492 ret = display_cmnd(snl, list_pw ? list_pw : sudo_user.pw);
495 ret = display_privs(snl, list_pw ? list_pw : sudo_user.pw, verbose);
503 /* ret set by sudoers_policy_exec_setup() below. */
506 /* Should not happen. */
507 sudo_warnx("internal error, unexpected sudo mode 0x%x", sudo_mode);
511 /* Cleanup sudoers sources */
512 TAILQ_FOREACH(nss, snl, entries) {
515 if (def_group_plugin)
516 group_plugin_unload();
517 init_parser(NULL, false);
519 if (ISSET(sudo_mode, (MODE_VALIDATE|MODE_CHECK|MODE_LIST))) {
520 /* ret already set appropriately */
525 * Set umask based on sudoers.
526 * If user's umask is more restrictive, OR in those bits too
527 * unless umask_override is set.
529 if (def_umask != ACCESSPERMS) {
530 cmnd_umask = def_umask;
531 if (!def_umask_override)
532 cmnd_umask |= user_umask;
535 if (ISSET(sudo_mode, MODE_LOGIN_SHELL)) {
538 /* Convert /bin/sh -> -sh so shell knows it is a login shell */
539 if ((p = strrchr(NewArgv[0], '/')) == NULL)
545 * Newer versions of bash require the --login option to be used
546 * in conjunction with the -c option even if the shell name starts
547 * with a '-'. Unfortunately, bash 1.x uses -login, not --login
548 * so this will cause an error for that.
550 if (NewArgc > 1 && strcmp(NewArgv[0], "-bash") == 0 &&
551 strcmp(NewArgv[1], "-c") == 0) {
552 /* Use the extra slot before NewArgv so we can store --login. */
555 NewArgv[0] = NewArgv[1];
556 NewArgv[1] = "--login";
559 #if defined(_AIX) || (defined(__linux__) && !defined(HAVE_PAM))
560 /* Insert system-wide environment variables. */
561 if (!read_env_file(_PATH_ENVIRONMENT, true, false))
562 sudo_warn("%s", _PATH_ENVIRONMENT);
564 #ifdef HAVE_LOGIN_CAP_H
565 /* Set environment based on login class. */
567 login_cap_t *lc = login_getclass(login_class);
569 setusercontext(lc, runas_pw, runas_pw->pw_uid, LOGIN_SETPATH|LOGIN_SETENV);
573 #endif /* HAVE_LOGIN_CAP_H */
576 /* Insert system-wide environment variables. */
577 if (def_restricted_env_file) {
578 if (!read_env_file(def_restricted_env_file, false, true))
579 sudo_warn("%s", def_restricted_env_file);
582 if (!read_env_file(def_env_file, false, false))
583 sudo_warn("%s", def_env_file);
586 /* Insert user-specified environment variables. */
587 if (!insert_env_vars(sudo_user.env_vars))
590 /* Note: must call audit before uid change. */
591 if (ISSET(sudo_mode, MODE_EDIT)) {
593 const char *env_editor;
596 safe_cmnd = find_editor(NewArgc - 1, NewArgv + 1, &edit_argc,
597 &edit_argv, NULL, &env_editor, false);
598 if (safe_cmnd == NULL) {
601 audit_failure(NewArgc, NewArgv, N_("%s: command not found"),
602 env_editor ? env_editor : def_editor);
603 sudo_warnx(U_("%s: command not found"),
604 env_editor ? env_editor : def_editor);
607 if (audit_success(edit_argc, edit_argv) != 0 && !def_ignore_audit_errors)
610 /* We want to run the editor with the unmodified environment. */
613 if (audit_success(NewArgc, NewArgv) != 0 && !def_ignore_audit_errors)
617 /* Setup execution environment to pass back to front-end. */
618 ret = sudoers_policy_exec_setup(edit_argv ? edit_argv : NewArgv,
619 env_get(), cmnd_umask, iolog_path, closure);
621 /* Zero out stashed copy of environment, it is owned by the front-end. */
622 (void)env_init(NULL);
635 /* Destroy the password and group caches and free the contents. */
639 sudo_warn_set_locale_func(NULL);
641 debug_return_int(ret);
645 * Initialize timezone and fill in sudo_user struct.
648 init_vars(char * const envp[])
651 bool unknown_user = false;
652 debug_decl(init_vars, SUDOERS_DEBUG_PLUGIN)
654 if (!sudoers_initlocale(setlocale(LC_ALL, NULL), def_sudoers_locale)) {
655 sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
656 debug_return_bool(false);
659 #define MATCHES(s, v) \
660 (strncmp((s), (v), sizeof(v) - 1) == 0 && (s)[sizeof(v) - 1] != '\0')
662 for (ep = envp; *ep; ep++) {
665 if (MATCHES(*ep, "KRB5CCNAME="))
666 user_ccname = *ep + sizeof("KRB5CCNAME=") - 1;
669 if (MATCHES(*ep, "PATH="))
670 user_path = *ep + sizeof("PATH=") - 1;
673 if (MATCHES(*ep, "SUDO_PROMPT=")) {
674 /* Don't override "sudo -p prompt" */
675 if (user_prompt == NULL)
676 user_prompt = *ep + sizeof("SUDO_PROMPT=") - 1;
679 if (MATCHES(*ep, "SUDO_USER="))
680 prev_user = *ep + sizeof("SUDO_USER=") - 1;
687 * Get a local copy of the user's passwd struct and group list if we
688 * don't already have them.
690 if (sudo_user.pw == NULL) {
691 if ((sudo_user.pw = sudo_getpwnam(user_name)) == NULL) {
693 * It is not unusual for users to place "sudo -k" in a .logout
694 * file which can cause sudo to be run during reboot after the
695 * YP/NIS/NIS+/LDAP/etc daemon has died.
697 if (sudo_mode == MODE_KILL || sudo_mode == MODE_INVALIDATE) {
698 sudo_warnx(U_("unknown uid: %u"), (unsigned int) user_uid);
699 debug_return_bool(false);
702 /* Need to make a fake struct passwd for the call to log_warningx(). */
703 sudo_user.pw = sudo_mkpwent(user_name, user_uid, user_gid, NULL, NULL);
707 if (user_gid_list == NULL)
708 user_gid_list = sudo_get_gidlist(sudo_user.pw, ENTRY_TYPE_ANY);
710 /* Store initialize permissions so we can restore them later. */
711 if (!set_perms(PERM_INITIAL))
712 debug_return_bool(false);
714 /* Set fqdn callback. */
715 sudo_defs_table[I_FQDN].callback = cb_fqdn;
717 /* Set group_plugin callback. */
718 sudo_defs_table[I_GROUP_PLUGIN].callback = cb_group_plugin;
720 /* Set runas callback. */
721 sudo_defs_table[I_RUNAS_DEFAULT].callback = cb_runas_default;
723 /* Set locale callback. */
724 sudo_defs_table[I_SUDOERS_LOCALE].callback = sudoers_locale_callback;
726 /* Set maxseq callback. */
727 sudo_defs_table[I_MAXSEQ].callback = cb_maxseq;
729 /* Set iolog_user callback. */
730 sudo_defs_table[I_IOLOG_USER].callback = cb_iolog_user;
732 /* Set iolog_group callback. */
733 sudo_defs_table[I_IOLOG_GROUP].callback = cb_iolog_group;
735 /* Set iolog_mode callback. */
736 sudo_defs_table[I_IOLOG_MODE].callback = cb_iolog_mode;
738 /* Set tty_tickets callback. */
739 sudo_defs_table[I_TTY_TICKETS].callback = cb_tty_tickets;
741 /* It is now safe to use log_warningx() and set_perms() */
743 log_warningx(SLOG_SEND_MAIL, N_("unknown uid: %u"),
744 (unsigned int) user_uid);
745 debug_return_bool(false);
749 * Set runas passwd/group entries based on command line or sudoers.
750 * Note that if runas_group was specified without runas_user we
751 * run the command as the invoking user.
753 if (runas_group != NULL) {
754 if (!set_runasgr(runas_group, false))
755 debug_return_bool(false);
756 if (!set_runaspw(runas_user ? runas_user : user_name, false))
757 debug_return_bool(false);
759 if (!set_runaspw(runas_user ? runas_user : def_runas_default, false))
760 debug_return_bool(false);
763 debug_return_bool(true);
767 * Fill in user_cmnd, user_args, user_base and user_stat variables
768 * and apply any command-specific defaults entries.
773 struct sudo_nss *nss;
774 char *path = user_path;
776 debug_decl(set_cmnd, SUDOERS_DEBUG_PLUGIN)
778 /* Allocate user_stat for find_path() and match functions. */
779 user_stat = calloc(1, sizeof(struct stat));
780 if (user_stat == NULL) {
781 sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
782 debug_return_int(NOT_FOUND_ERROR);
785 /* Default value for cmnd, overridden below. */
786 if (user_cmnd == NULL)
787 user_cmnd = NewArgv[0];
789 if (sudo_mode & (MODE_RUN | MODE_EDIT | MODE_CHECK)) {
790 if (ISSET(sudo_mode, MODE_RUN | MODE_CHECK)) {
791 if (def_secure_path && !user_is_exempt())
792 path = def_secure_path;
793 if (!set_perms(PERM_RUNAS))
794 debug_return_int(-1);
795 ret = find_path(NewArgv[0], &user_cmnd, user_stat, path,
796 def_ignore_dot, NULL);
797 if (!restore_perms())
798 debug_return_int(-1);
799 if (ret == NOT_FOUND) {
800 /* Failed as root, try as invoking user. */
801 if (!set_perms(PERM_USER))
802 debug_return_int(-1);
803 ret = find_path(NewArgv[0], &user_cmnd, user_stat, path,
804 def_ignore_dot, NULL);
805 if (!restore_perms())
806 debug_return_int(-1);
808 if (ret == NOT_FOUND_ERROR) {
809 if (errno == ENAMETOOLONG)
810 audit_failure(NewArgc, NewArgv, N_("command too long"));
811 log_warning(0, "%s", NewArgv[0]);
812 debug_return_int(ret);
818 char *to, *from, **av;
821 /* Alloc and build up user_args. */
822 for (size = 0, av = NewArgv + 1; *av; av++)
823 size += strlen(*av) + 1;
824 if (size == 0 || (user_args = malloc(size)) == NULL) {
825 sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
826 debug_return_int(-1);
828 if (ISSET(sudo_mode, MODE_SHELL|MODE_LOGIN_SHELL)) {
830 * When running a command via a shell, the sudo front-end
831 * escapes potential meta chars. We unescape non-spaces
832 * for sudoers matching and logging purposes.
834 for (to = user_args, av = NewArgv + 1; (from = *av); av++) {
836 if (from[0] == '\\' && !isspace((unsigned char)from[1]))
844 for (to = user_args, av = NewArgv + 1; *av; av++) {
845 n = strlcpy(to, *av, size - (to - user_args));
846 if (n >= size - (to - user_args)) {
847 sudo_warnx(U_("internal error, %s overflow"), __func__);
848 debug_return_int(-1);
858 if ((user_base = strrchr(user_cmnd, '/')) != NULL)
861 user_base = user_cmnd;
863 TAILQ_FOREACH(nss, snl, entries) {
864 if (!update_defaults(nss->parse_tree, NULL, SETDEF_CMND, false)) {
865 log_warningx(SLOG_SEND_MAIL|SLOG_NO_STDERR,
866 N_("problem with defaults entries"));
870 debug_return_int(ret);
874 * Open sudoers and sanity check mode/owner/type.
875 * Returns a handle to the sudoers file or NULL on error.
878 open_sudoers(const char *sudoers, bool doedit, bool *keepopen)
882 debug_decl(open_sudoers, SUDOERS_DEBUG_PLUGIN)
884 if (!set_perms(PERM_SUDOERS))
885 debug_return_ptr(NULL);
887 switch (sudo_secure_file(sudoers, sudoers_uid, sudoers_gid, &sb)) {
888 case SUDO_PATH_SECURE:
890 * If we are expecting sudoers to be group readable by
891 * SUDOERS_GID but it is not, we must open the file as root,
894 if (sudoers_uid == ROOT_UID && ISSET(sudoers_mode, S_IRGRP)) {
895 if (!ISSET(sb.st_mode, S_IRGRP) || sb.st_gid != SUDOERS_GID) {
896 if (!restore_perms() || !set_perms(PERM_ROOT))
897 debug_return_ptr(NULL);
901 * Open sudoers and make sure we can read it so we can present
902 * the user with a reasonable error message (unlike the lexer).
904 if ((fp = fopen(sudoers, "r")) == NULL) {
905 log_warning(SLOG_SEND_MAIL, N_("unable to open %s"), sudoers);
907 if (sb.st_size != 0 && fgetc(fp) == EOF) {
908 log_warning(SLOG_SEND_MAIL,
909 N_("unable to read %s"), sudoers);
913 /* Rewind fp and set close on exec flag. */
915 (void) fcntl(fileno(fp), F_SETFD, 1);
919 case SUDO_PATH_MISSING:
920 log_warning(SLOG_SEND_MAIL, N_("unable to stat %s"), sudoers);
922 case SUDO_PATH_BAD_TYPE:
923 log_warningx(SLOG_SEND_MAIL,
924 N_("%s is not a regular file"), sudoers);
926 case SUDO_PATH_WRONG_OWNER:
927 log_warningx(SLOG_SEND_MAIL,
928 N_("%s is owned by uid %u, should be %u"), sudoers,
929 (unsigned int) sb.st_uid, (unsigned int) sudoers_uid);
931 case SUDO_PATH_WORLD_WRITABLE:
932 log_warningx(SLOG_SEND_MAIL, N_("%s is world writable"), sudoers);
934 case SUDO_PATH_GROUP_WRITABLE:
935 log_warningx(SLOG_SEND_MAIL,
936 N_("%s is owned by gid %u, should be %u"), sudoers,
937 (unsigned int) sb.st_gid, (unsigned int) sudoers_gid);
944 if (!restore_perms()) {
945 /* unable to change back to root */
952 debug_return_ptr(fp);
955 #ifdef HAVE_LOGIN_CAP_H
957 set_loginclass(struct passwd *pw)
959 const int errflags = SLOG_RAW_MSG;
962 debug_decl(set_loginclass, SUDOERS_DEBUG_PLUGIN)
964 if (!def_use_loginclass)
967 if (login_class && strcmp(login_class, "-") != 0) {
968 if (user_uid != 0 && pw->pw_uid != 0) {
969 sudo_warnx(U_("only root can use \"-c %s\""), login_class);
974 login_class = pw->pw_class;
975 if (!login_class || !*login_class)
977 (pw->pw_uid == 0) ? LOGIN_DEFROOTCLASS : LOGIN_DEFCLASS;
980 /* Make sure specified login class is valid. */
981 lc = login_getclass(login_class);
982 if (!lc || !lc->lc_class || strcmp(lc->lc_class, login_class) != 0) {
984 * Don't make it an error if the user didn't specify the login
985 * class themselves. We do this because if login.conf gets
986 * corrupted we want the admin to be able to use sudo to fix it.
988 log_warningx(errflags, N_("unknown login class: %s"), login_class);
989 def_use_loginclass = false;
995 debug_return_bool(ret);
999 set_loginclass(struct passwd *pw)
1003 #endif /* HAVE_LOGIN_CAP_H */
1006 # define AI_FQDN AI_CANONNAME
1010 * Look up the fully qualified domain name of host.
1011 * Use AI_FQDN if available since "canonical" is not always the same as fqdn.
1012 * Returns true on success, setting longp and shortp.
1013 * Returns false on failure, longp and shortp are unchanged.
1016 resolve_host(const char *host, char **longp, char **shortp)
1018 struct addrinfo *res0, hint;
1019 char *cp, *lname, *sname;
1021 debug_decl(resolve_host, SUDOERS_DEBUG_PLUGIN)
1023 memset(&hint, 0, sizeof(hint));
1024 hint.ai_family = PF_UNSPEC;
1025 hint.ai_flags = AI_FQDN;
1027 if ((ret = getaddrinfo(host, NULL, &hint, &res0)) != 0)
1028 debug_return_int(ret);
1029 if ((lname = strdup(res0->ai_canonname)) == NULL) {
1031 debug_return_int(EAI_MEMORY);
1033 if ((cp = strchr(lname, '.')) != NULL) {
1034 sname = strndup(lname, (size_t)(cp - lname));
1035 if (sname == NULL) {
1038 debug_return_int(EAI_MEMORY);
1047 debug_return_int(0);
1051 * Look up the fully qualified domain name of user_host and user_runhost.
1052 * Sets user_host, user_shost, user_runhost and user_srunhost.
1055 cb_fqdn(const union sudo_defs_val *sd_un)
1058 char *lhost, *shost;
1059 debug_decl(cb_fqdn, SUDOERS_DEBUG_PLUGIN)
1061 /* Nothing to do if fqdn flag is disabled. */
1062 if (sd_un != NULL && !sd_un->flag)
1063 debug_return_bool(true);
1065 /* If the -h flag was given we need to resolve both host and runhost. */
1066 remote = strcmp(user_runhost, user_host) != 0;
1068 /* First resolve user_host, setting user_host and user_shost. */
1069 if (resolve_host(user_host, &lhost, &shost) != 0) {
1070 int rc = resolve_host(user_runhost, &lhost, &shost);
1072 gai_log_warning(SLOG_SEND_MAIL|SLOG_RAW_MSG, rc,
1073 N_("unable to resolve host %s"), user_host);
1074 debug_return_bool(false);
1077 if (user_shost != user_host)
1083 /* Next resolve user_runhost, setting user_runhost and user_srunhost. */
1084 lhost = shost = NULL;
1086 if (!resolve_host(user_runhost, &lhost, &shost)) {
1087 sudo_warnx(U_("unable to resolve host %s"), user_runhost);
1090 /* Not remote, just use user_host. */
1091 if ((lhost = strdup(user_host)) != NULL) {
1092 if (user_shost != user_host)
1093 shost = strdup(user_shost);
1097 if (lhost == NULL || shost == NULL) {
1101 sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
1102 debug_return_bool(false);
1105 if (lhost != NULL && shost != NULL) {
1106 if (user_srunhost != user_runhost)
1107 free(user_srunhost);
1109 user_runhost = lhost;
1110 user_srunhost = shost;
1113 sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
1114 "host %s, shost %s, runhost %s, srunhost %s",
1115 user_host, user_shost, user_runhost, user_srunhost);
1116 debug_return_bool(true);
1120 * Get passwd entry for the user we are going to run commands as
1121 * and store it in runas_pw. By default, commands run as "root".
1124 set_runaspw(const char *user, bool quiet)
1126 struct passwd *pw = NULL;
1127 debug_decl(set_runaspw, SUDOERS_DEBUG_PLUGIN)
1131 uid_t uid = sudo_strtoid(user + 1, NULL, NULL, &errstr);
1132 if (errstr == NULL) {
1133 if ((pw = sudo_getpwuid(uid)) == NULL)
1134 pw = sudo_fakepwnam(user, user_gid);
1138 if ((pw = sudo_getpwnam(user)) == NULL) {
1140 log_warningx(SLOG_RAW_MSG, N_("unknown user: %s"), user);
1141 debug_return_bool(false);
1144 if (runas_pw != NULL)
1145 sudo_pw_delref(runas_pw);
1147 debug_return_bool(true);
1151 * Get group entry for the group we are going to run commands as
1152 * and store it in runas_gr.
1155 set_runasgr(const char *group, bool quiet)
1157 struct group *gr = NULL;
1158 debug_decl(set_runasgr, SUDOERS_DEBUG_PLUGIN)
1160 if (*group == '#') {
1162 gid_t gid = sudo_strtoid(group + 1, NULL, NULL, &errstr);
1163 if (errstr == NULL) {
1164 if ((gr = sudo_getgrgid(gid)) == NULL)
1165 gr = sudo_fakegrnam(group);
1169 if ((gr = sudo_getgrnam(group)) == NULL) {
1171 log_warningx(SLOG_RAW_MSG, N_("unknown group: %s"), group);
1172 debug_return_bool(false);
1175 if (runas_gr != NULL)
1176 sudo_gr_delref(runas_gr);
1178 debug_return_bool(true);
1182 * Callback for runas_default sudoers setting.
1185 cb_runas_default(const union sudo_defs_val *sd_un)
1187 debug_decl(cb_runas_default, SUDOERS_DEBUG_PLUGIN)
1189 /* Only reset runaspw if user didn't specify one. */
1190 if (!runas_user && !runas_group)
1191 debug_return_bool(set_runaspw(sd_un->str, true));
1192 debug_return_bool(true);
1196 * Callback for runas_default sudoers setting.
1199 cb_tty_tickets(const union sudo_defs_val *sd_un)
1201 debug_decl(cb_tty_tickets, SUDOERS_DEBUG_PLUGIN)
1203 /* Convert tty_tickets -> timestamp_type */
1205 def_timestamp_type = tty;
1207 def_timestamp_type = global;
1208 debug_return_bool(true);
1212 * Cleanup hook for sudo_fatal()/sudo_fatalx()
1215 sudoers_cleanup(void)
1217 struct sudo_nss *nss;
1218 debug_decl(sudoers_cleanup, SUDOERS_DEBUG_PLUGIN)
1221 TAILQ_FOREACH(nss, snl, entries) {
1225 if (def_group_plugin)
1226 group_plugin_unload();
1233 #ifdef USE_ADMIN_FLAG
1235 create_admin_success_flag(void)
1237 char flagfile[PATH_MAX];
1239 debug_decl(create_admin_success_flag, SUDOERS_DEBUG_PLUGIN)
1241 /* Check whether the user is in the sudo or admin group. */
1242 if (!user_in_group(sudo_user.pw, "sudo") &&
1243 !user_in_group(sudo_user.pw, "admin"))
1244 debug_return_int(true);
1246 /* Build path to flag file. */
1247 len = snprintf(flagfile, sizeof(flagfile), "%s/.sudo_as_admin_successful",
1249 if (len <= 0 || len >= (int)sizeof(flagfile))
1250 debug_return_int(false);
1252 /* Create admin flag file if it doesn't already exist. */
1253 if (set_perms(PERM_USER)) {
1254 int fd = open(flagfile, O_CREAT|O_WRONLY|O_NONBLOCK|O_EXCL, 0644);
1255 ret = fd != -1 || errno == EEXIST;
1258 if (!restore_perms())
1261 debug_return_int(ret);
1263 #else /* !USE_ADMIN_FLAG */
1265 create_admin_success_flag(void)
1270 #endif /* USE_ADMIN_FLAG */
1275 #if defined(HAVE_KINFO_PROC2_NETBSD) || defined(HAVE_KINFO_PROC_OPENBSD) || defined(HAVE_KINFO_PROC_FREEBSD) || defined(HAVE_KINFO_PROC_44BSD) || defined(HAVE_STRUCT_PSINFO_PR_TTYDEV) || defined(HAVE_PSTAT_GETPROC) || defined(__linux__)
1276 return user_ttypath != NULL;
1278 int fd = open(_PATH_TTY, O_RDWR);