output for "sudo -l".
Remove the short_list (was long_list) global in favor of a verbose
argument.
m->negated, separator, alias_type);
}
+/*
+ * Store a defaults entry as a command tag.
+ */
+bool
+sudoers_defaults_to_tags(const char *var, const char *val, int op,
+ struct cmndtag *tags)
+{
+ bool ret = true;
+ debug_decl(sudoers_defaults_to_tags, SUDOERS_DEBUG_UTIL)
+
+ if (op == true || op == false) {
+ if (strcmp(var, "authenticate") == 0) {
+ tags->nopasswd = op == false;
+ } else if (strcmp(var, "sudoedit_follow") == 0) {
+ tags->follow = op == true;
+ } else if (strcmp(var, "log_input") == 0) {
+ tags->log_input = op == true;
+ } else if (strcmp(var, "log_output") == 0) {
+ tags->log_output = op == true;
+ } else if (strcmp(var, "noexec") == 0) {
+ tags->noexec = op == true;
+ } else if (strcmp(var, "setenv") == 0) {
+ tags->setenv = op == true;
+ } else if (strcmp(var, "mail_all_cmnds") == 0 ||
+ strcmp(var, "mail_always") == 0 ||
+ strcmp(var, "mail_no_perms") == 0) {
+ tags->send_mail = op == true;
+ } else {
+ ret = false;
+ }
+ } else {
+ ret = false;
+ }
+ debug_return_bool(ret);
+}
+
+/*
+ * Convert a defaults list to command tags.
+ */
+bool
+sudoers_defaults_list_to_tags(struct defaults_list *defs, struct cmndtag *tags)
+{
+ bool ret = true;
+ struct defaults *d;
+ debug_decl(sudoers_defaults_list_to_tags, SUDOERS_DEBUG_UTIL)
+
+ TAGS_INIT(*tags);
+ if (defs != NULL) {
+ TAILQ_FOREACH(d, defs, entries) {
+ if (!sudoers_defaults_to_tags(d->var, d->val, d->op, tags)) {
+ if (d->val != NULL) {
+ sudo_debug_printf(SUDO_DEBUG_WARN,
+ "unable to convert defaults to tag: %s%s%s", d->var,
+ d->op == '+' ? "+=" : d->op == '-' ? "-=" : "=", d->val);
+ } else {
+ sudo_debug_printf(SUDO_DEBUG_WARN,
+ "unable to convert defaults to tag: %s%s%s",
+ d->op == false ? "!" : "", d->var, "");
+ }
+ ret = false;
+ }
+ }
+ }
+ debug_return_bool(ret);
+}
+
#define FIELD_CHANGED(ocs, ncs, fld) \
((ocs) == NULL || (ncs)->fld != (ocs)->fld)
-#define TAG_CHANGED(ocs, ncs, tt) \
- (TAG_SET((ncs)->tags.tt) && FIELD_CHANGED(ocs, ncs, tags.tt))
+#define TAG_CHANGED(ocs, ncs, t, tt) \
+ (TAG_SET((t).tt) && FIELD_CHANGED(ocs, ncs, tags.tt))
/*
* Write a cmndspec to lbuf in sudoers format.
bool
sudoers_format_cmndspec(struct sudo_lbuf *lbuf,
struct sudoers_parse_tree *parse_tree, struct cmndspec *cs,
- struct cmndspec *prev_cs, bool expand_aliases)
+ struct cmndspec *prev_cs, struct cmndtag tags, bool expand_aliases)
{
debug_decl(sudoers_format_cmndspec, SUDOERS_DEBUG_UTIL)
+ /* Merge privilege-level tags with cmndspec tags. */
+ TAGS_MERGE(tags, cs->tags);
+
#ifdef HAVE_PRIV_SET
if (cs->privs != NULL && FIELD_CHANGED(prev_cs, cs, privs))
sudo_lbuf_append(lbuf, "PRIVS=\"%s\" ", cs->privs);
tm->tm_hour, tm->tm_min, tm->tm_sec);
sudo_lbuf_append(lbuf, "NOTAFTER=%s ", buf);
}
- if (TAG_CHANGED(prev_cs, cs, setenv))
- sudo_lbuf_append(lbuf, cs->tags.setenv ? "SETENV: " : "NOSETENV: ");
- if (TAG_CHANGED(prev_cs, cs, noexec))
- sudo_lbuf_append(lbuf, cs->tags.noexec ? "NOEXEC: " : "EXEC: ");
- if (TAG_CHANGED(prev_cs, cs, nopasswd))
- sudo_lbuf_append(lbuf, cs->tags.nopasswd ? "NOPASSWD: " : "PASSWD: ");
- if (TAG_CHANGED(prev_cs, cs, log_input))
- sudo_lbuf_append(lbuf, cs->tags.log_input ? "LOG_INPUT: " : "NOLOG_INPUT: ");
- if (TAG_CHANGED(prev_cs, cs, log_output))
- sudo_lbuf_append(lbuf, cs->tags.log_output ? "LOG_OUTPUT: " : "NOLOG_OUTPUT: ");
- if (TAG_CHANGED(prev_cs, cs, send_mail))
- sudo_lbuf_append(lbuf, cs->tags.send_mail ? "MAIL: " : "NOMAIL: ");
- if (TAG_CHANGED(prev_cs, cs, follow))
- sudo_lbuf_append(lbuf, cs->tags.follow ? "FOLLOW: " : "NOFOLLOW: ");
+ if (TAG_CHANGED(prev_cs, cs, tags, setenv))
+ sudo_lbuf_append(lbuf, tags.setenv ? "SETENV: " : "NOSETENV: ");
+ if (TAG_CHANGED(prev_cs, cs, tags, noexec))
+ sudo_lbuf_append(lbuf, tags.noexec ? "NOEXEC: " : "EXEC: ");
+ if (TAG_CHANGED(prev_cs, cs, tags, nopasswd))
+ sudo_lbuf_append(lbuf, tags.nopasswd ? "NOPASSWD: " : "PASSWD: ");
+ if (TAG_CHANGED(prev_cs, cs, tags, log_input))
+ sudo_lbuf_append(lbuf, tags.log_input ? "LOG_INPUT: " : "NOLOG_INPUT: ");
+ if (TAG_CHANGED(prev_cs, cs, tags, log_output))
+ sudo_lbuf_append(lbuf, tags.log_output ? "LOG_OUTPUT: " : "NOLOG_OUTPUT: ");
+ if (TAG_CHANGED(prev_cs, cs, tags, send_mail))
+ sudo_lbuf_append(lbuf, tags.send_mail ? "MAIL: " : "NOMAIL: ");
+ if (TAG_CHANGED(prev_cs, cs, tags, follow))
+ sudo_lbuf_append(lbuf, tags.follow ? "FOLLOW: " : "NOFOLLOW: ");
sudoers_format_member(lbuf, parse_tree, cs->cmnd, ", ",
expand_aliases ? CMNDALIAS : UNSPEC);
debug_return_bool(!sudo_lbuf_error(lbuf));
bool expand_aliases)
{
struct cmndspec *cs, *prev_cs;
+ struct cmndtag tags;
struct member *m;
debug_decl(sudoers_format_privilege, SUDOERS_DEBUG_UTIL)
+ /* Convert per-privilege defaults to tags. */
+ sudoers_defaults_list_to_tags(&priv->defaults, &tags);
+
/* Print hosts list. */
TAILQ_FOREACH(m, &priv->hostlist, entries) {
if (m != TAILQ_FIRST(&priv->hostlist))
} else if (cs != TAILQ_FIRST(&priv->cmndlist)) {
sudo_lbuf_append(lbuf, ", ");
}
- sudoers_format_cmndspec(lbuf, parse_tree, cs, prev_cs, expand_aliases);
+ sudoers_format_cmndspec(lbuf, parse_tree, cs, prev_cs, tags,
+ expand_aliases);
prev_cs = cs;
}
priv = sudo_ldap_role_to_priv(cn, hosts, runasusers, runasgroups,
cmnds, opts, notbefore ? notbefore[0]->bv_val : NULL,
- notafter ? notafter[0]->bv_val : NULL, false, !short_list,
- berval_iter);
+ notafter ? notafter[0]->bv_val : NULL, false, true, berval_iter);
cleanup:
if (cn != NULL)
}
} else {
/* Convert to tags. */
- bool handled = true;
-
- if (op == true || op == false) {
- if (strcmp(var, "authenticate") == 0) {
- cmndspec->tags.nopasswd = op == false;
- } else if (strcmp(var, "sudoedit_follow") == 0) {
- cmndspec->tags.follow = op == true;
- } else if (strcmp(var, "log_input") == 0) {
- cmndspec->tags.log_input = op == true;
- } else if (strcmp(var, "log_output") == 0) {
- cmndspec->tags.log_output = op == true;
- } else if (strcmp(var, "noexec") == 0) {
- cmndspec->tags.noexec = op == true;
- } else if (strcmp(var, "setenv") == 0) {
- cmndspec->tags.setenv = op == true;
- } else if (strcmp(var, "mail_all_cmnds") == 0 ||
- strcmp(var, "mail_always") == 0 ||
- strcmp(var, "mail_no_perms") == 0) {
- cmndspec->tags.send_mail = op == true;
- } else {
- handled = false;
- }
- } else {
- handled = false;
- }
- if (!handled && warnings) {
- /* XXX - callback to process unsupported options. */
- if (val != NULL) {
- sudo_warnx(U_("unable to convert sudoOption: %s%s%s"), var, op == '+' ? "+=" : op == '-' ? "-=" : "=", val);
- } else {
- sudo_warnx(U_("unable to convert sudoOption: %s%s%s"), op == false ? "!" : "", var, "");
+ bool converted = sudoers_defaults_to_tags(var, val, op,
+ &cmndspec->tags);
+ if (!converted) {
+ if (warnings) {
+ /* XXX - callback to process unsupported options. */
+ if (val != NULL) {
+ sudo_warnx(U_("unable to convert sudoOption: %s%s%s"), var, op == '+' ? "+=" : op == '-' ? "-=" : "=", val);
+ } else {
+ sudo_warnx(U_("unable to convert sudoOption: %s%s%s"), op == false ? "!" : "", var, "");
+ }
}
continue;
}
display_priv_short(struct sudoers_parse_tree *parse_tree, struct passwd *pw,
struct userspec *us, struct sudo_lbuf *lbuf)
{
- struct cmndspec *cs, *prev_cs;
- struct member *m;
struct privilege *priv;
int nfound = 0;
debug_decl(display_priv_short, SUDOERS_DEBUG_PARSER)
TAILQ_FOREACH(priv, &us->privileges, entries) {
+ struct cmndspec *cs, *prev_cs = NULL;
+ struct cmndtag tags;
+
if (hostlist_matches(parse_tree, pw, &priv->hostlist) != ALLOW)
continue;
- prev_cs = NULL;
+
+ sudoers_defaults_list_to_tags(&priv->defaults, &tags);
TAILQ_FOREACH(cs, &priv->cmndlist, entries) {
/* Start a new line if RunAs changes. */
if (prev_cs == NULL || RUNAS_CHANGED(cs, prev_cs)) {
+ struct member *m;
+
if (cs != TAILQ_FIRST(&priv->cmndlist))
sudo_lbuf_append(lbuf, "\n");
sudo_lbuf_append(lbuf, " (");
} else if (cs != TAILQ_FIRST(&priv->cmndlist)) {
sudo_lbuf_append(lbuf, ", ");
}
- sudoers_format_cmndspec(lbuf, parse_tree, cs, prev_cs, true);
+ sudoers_format_cmndspec(lbuf, parse_tree, cs, prev_cs, tags, true);
prev_cs = cs;
nfound++;
}
display_priv_long(struct sudoers_parse_tree *parse_tree, struct passwd *pw,
struct userspec *us, struct sudo_lbuf *lbuf)
{
- struct cmndspec *cs, *prev_cs;
struct privilege *priv;
- int nfound = 0, olen;
+ int nfound = 0;
debug_decl(display_priv_long, SUDOERS_DEBUG_PARSER)
TAILQ_FOREACH(priv, &us->privileges, entries) {
+ struct cmndspec *cs, *prev_cs;
+
if (hostlist_matches(parse_tree, pw, &priv->hostlist) != ALLOW)
continue;
prev_cs = NULL;
struct member *m;
if (new_long_entry(cs, prev_cs)) {
+ int olen;
+
if (priv->ldap_role != NULL) {
sudo_lbuf_append(lbuf, _("\nLDAP Role: %s\n"),
priv->ldap_role);
static int
sudo_display_userspecs(struct sudoers_parse_tree *parse_tree, struct passwd *pw,
- struct sudo_lbuf *lbuf)
+ struct sudo_lbuf *lbuf, bool verbose)
{
struct userspec *us;
int nfound = 0;
if (userlist_matches(parse_tree, pw, &us->users) != ALLOW)
continue;
- if (short_list)
- nfound += display_priv_short(parse_tree, pw, us, lbuf);
- else
+ if (verbose)
nfound += display_priv_long(parse_tree, pw, us, lbuf);
+ else
+ nfound += display_priv_short(parse_tree, pw, us, lbuf);
}
if (sudo_lbuf_error(lbuf))
debug_return_int(-1);
* Returns true on success or -1 on error.
*/
int
-display_privs(struct sudo_nss_list *snl, struct passwd *pw)
+display_privs(struct sudo_nss_list *snl, struct passwd *pw, bool verbose)
{
struct sudo_nss *nss;
struct sudo_lbuf def_buf, priv_buf;
count = 0;
TAILQ_FOREACH(nss, snl, entries) {
if (nss->query(nss, pw) != -1) {
- n = sudo_display_userspecs(nss->parse_tree, pw, &priv_buf);
+ n = sudo_display_userspecs(nss->parse_tree, pw, &priv_buf, verbose);
if (n == -1)
goto bad;
count += n;
(t).setenv = UNSPEC; \
} while (0)
+/*
+ * Copy any tags set in t2 into t, overriding the value in t.
+ */
+#define TAGS_MERGE(t, t2) do { \
+ if ((t2).follow != UNSPEC) \
+ (t).follow = (t2).follow; \
+ if ((t2).log_input != UNSPEC) \
+ (t).log_input = (t2).log_input; \
+ if ((t2).log_output != UNSPEC) \
+ (t).log_output = (t2).log_output; \
+ if ((t2).noexec != UNSPEC) \
+ (t).noexec = (t2).noexec; \
+ if ((t2).nopasswd != UNSPEC) \
+ (t).nopasswd = (t2).nopasswd; \
+ if ((t2).send_mail != UNSPEC) \
+ (t).send_mail = (t2).send_mail; \
+ if ((t2).setenv != UNSPEC) \
+ (t).setenv = (t2).setenv; \
+} while (0)
+
/*
* Returns true if any tag are not UNSPEC, else false.
*/
/* parse.c */
struct sudo_nss_list;
int sudoers_lookup(struct sudo_nss_list *snl, struct passwd *pw, int validated, int pwflag);
-int display_privs(struct sudo_nss_list *snl, struct passwd *pw);
+int display_privs(struct sudo_nss_list *snl, struct passwd *pw, bool verbose);
int display_cmnd(struct sudo_nss_list *snl, struct passwd *pw);
/* fmtsudoers.c */
struct sudo_lbuf;
-bool sudoers_format_cmndspec(struct sudo_lbuf *lbuf, struct sudoers_parse_tree *parse_tree, struct cmndspec *cs, struct cmndspec *prev_cs, bool expand_aliases);
+bool sudoers_format_cmndspec(struct sudo_lbuf *lbuf, struct sudoers_parse_tree *parse_tree, struct cmndspec *cs, struct cmndspec *prev_cs, struct cmndtag tags, bool expand_aliases);
bool sudoers_format_default(struct sudo_lbuf *lbuf, struct defaults *d);
bool sudoers_format_default_line(struct sudo_lbuf *lbuf, struct sudoers_parse_tree *parse_tree, struct defaults *d, struct defaults **next, bool expand_aliases);
bool sudoers_format_member(struct sudo_lbuf *lbuf, struct sudoers_parse_tree *parse_tree, struct member *m, const char *separator, int alias_type);
bool sudoers_format_privilege(struct sudo_lbuf *lbuf, struct sudoers_parse_tree *parse_tree, struct privilege *priv, bool expand_aliases);
bool sudoers_format_userspec(struct sudo_lbuf *lbuf, struct sudoers_parse_tree *parse_tree, struct userspec *us, bool expand_aliases);
bool sudoers_format_userspecs(struct sudo_lbuf *lbuf, struct sudoers_parse_tree *parse_tree, const char *separator, bool expand_aliases, bool flush);
+bool sudoers_defaults_to_tags(const char *var, const char *val, int op, struct cmndtag *tags);
+bool sudoers_defaults_list_to_tags(struct defaults_list *defs, struct cmndtag *tags);
#endif /* SUDOERS_PARSE_H */
exec_args.envp = user_env_out;
exec_args.info = command_infop;
- ret = sudoers_policy_main(argc, argv, 0, env_add, &exec_args);
+ ret = sudoers_policy_main(argc, argv, 0, env_add, false, &exec_args);
if (ret == true && sudo_version >= SUDO_API_MKVERSION(1, 3)) {
/* Unset close function if we don't need it to avoid extra process. */
if (!def_log_input && !def_log_output && !def_use_pty &&
user_cmnd = "validate";
SET(sudo_mode, MODE_VALIDATE);
- debug_return_int(sudoers_policy_main(0, NULL, I_VERIFYPW, NULL, NULL));
+ debug_return_int(sudoers_policy_main(0, NULL, I_VERIFYPW, NULL, false, NULL));
}
static void
SET(sudo_mode, MODE_CHECK);
else
SET(sudo_mode, MODE_LIST);
- if (!verbose)
- short_list = true;
if (list_user) {
list_pw = sudo_getpwnam(list_user);
if (list_pw == NULL) {
debug_return_int(-1);
}
}
- ret = sudoers_policy_main(argc, argv, I_LISTPW, NULL, NULL);
+ ret = sudoers_policy_main(argc, argv, I_LISTPW, NULL, verbose, NULL);
if (list_user) {
sudo_pw_delref(list_pw);
list_pw = NULL;
priv = sudo_ldap_role_to_priv(cn, hosts, runasusers, runasgroups,
cmnds, opts, notbefore ? notbefore[0] : NULL,
- notafter ? notafter[0] : NULL, false, !short_list, val_array_iter);
+ notafter ? notafter[0] : NULL, false, true, val_array_iter);
cleanup:
if (cn_array != NULL)
*/
struct sudo_user sudo_user;
struct passwd *list_pw;
-bool short_list;
uid_t timestamp_uid;
gid_t timestamp_gid;
#ifdef HAVE_BSD_AUTH_H
int
sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
- void *closure)
+ bool verbose, void *closure)
{
char **edit_argv = NULL;
char *iolog_path = NULL;
ret = display_cmnd(snl, list_pw ? list_pw : sudo_user.pw);
break;
case MODE_LIST:
- ret = display_privs(snl, list_pw ? list_pw : sudo_user.pw);
+ ret = display_privs(snl, list_pw ? list_pw : sudo_user.pw, verbose);
break;
case MODE_VALIDATE:
/* Nothing to do. */
/* sudoers.c */
FILE *open_sudoers(const char *, bool, bool *);
int sudoers_policy_init(void *info, char * const envp[]);
-int sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[], void *closure);
+int sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[], bool verbose, void *closure);
void sudoers_cleanup(void);
extern struct sudo_user sudo_user;
extern struct passwd *list_pw;
-extern bool short_list;
extern int sudo_mode;
extern uid_t timestamp_uid;
extern gid_t timestamp_gid;