debug_return_bool(ret);
}
+/*
+ * Returns true if the string pointed to by valp begins with an
+ * odd number of '!' characters. Intervening blanks are ignored.
+ * Stores the address of the string after '!' removal in valp.
+ */
+static bool
+sudo_ldap_is_negated(char **valp)
+{
+ char *val = *valp;
+ bool ret = false;
+ debug_decl(sudo_ldap_is_negated, SUDOERS_DEBUG_LDAP)
+
+ while (*val == '!') {
+ ret = !ret;
+ do {
+ val++;
+ } while (isblank((unsigned char)*val));
+ }
+ *valp = val;
+ debug_return_bool(ret);
+}
+
/*
* Walk through search results and return true if we have a
* host match, else false.
{
struct berval **bv, **p;
char *val;
+ bool negated;
int matched = UNSPEC;
debug_decl(sudo_ldap_check_host, SUDOERS_DEBUG_LDAP)
/* walk through values */
for (p = bv; *p != NULL && matched != false; p++) {
- bool foundbang = false;
-
val = (*p)->bv_val;
-
- if (*val == '!') {
- val++;
- foundbang = true;
- }
+ negated = sudo_ldap_is_negated(&val);
/* match any or address or netgroup or hostname */
if (strcmp(val, "ALL") == 0 || addr_matches(val) ||
def_netgroup_tuple ? pw->pw_name : NULL) ||
hostname_matches(user_srunhost, user_runhost, val)) {
- matched = foundbang ? false : true;
+ matched = negated ? false : true;
}
DPRINTF2("ldap sudoHost '%s' ... %s",
val, matched == true ? "MATCH!" : "not");
struct sudo_digest digest, *allowed_digest = NULL;
struct berval **bv, **p;
char *allowed_cmnd, *allowed_args, *val;
- bool foundbang;
int ret = UNSPEC;
+ bool negated;
debug_decl(sudo_ldap_check_command, SUDOERS_DEBUG_LDAP)
if (!entry)
for (p = bv; *p != NULL && ret != false; p++) {
val = (*p)->bv_val;
+
/* Match against ALL ? */
if (strcmp(val, "ALL") == 0) {
ret = true;
allowed_digest = sudo_ldap_extract_digest(&val, &digest);
/* check for !command */
- if (*val == '!') {
- foundbang = true;
- allowed_cmnd = val + 1; /* !command */
- } else {
- foundbang = false;
- allowed_cmnd = val; /* command */
- }
+ allowed_cmnd = val;
+ negated = sudo_ldap_is_negated(&allowed_cmnd);
/* split optional args away from command */
allowed_args = strchr(allowed_cmnd, ' ');
* If allowed (no bang) set ret but keep on checking.
* If disallowed (bang), exit loop.
*/
- ret = foundbang ? false : true;
+ ret = negated ? false : true;
}
if (allowed_args != NULL)
allowed_args[-1] = ' '; /* restore val */
sudo_ldap_check_bool(LDAP *ld, LDAPMessage *entry, char *option)
{
struct berval **bv, **p;
- char ch, *var;
+ char *var;
+ bool negated;
int ret = UNSPEC;
debug_decl(sudo_ldap_check_bool, SUDOERS_DEBUG_LDAP)
/* walk through options */
for (p = bv; *p != NULL; p++) {
- var = (*p)->bv_val;;
+ var = (*p)->bv_val;
DPRINTF2("ldap sudoOption: '%s'", var);
- if ((ch = *var) == '!')
- var++;
+ negated = sudo_ldap_is_negated(&var);
if (strcmp(var, option) == 0)
- ret = (ch != '!');
+ ret = negated ? false : true;
}
ldap_value_free_len(bv);
}
} else {
/* Boolean value, either true or false. */
- op = true;
- while (*var == '!') {
- op = !op;
- do {
- var++;
- } while (isblank((unsigned char)*var));
- }
+ op = sudo_ldap_is_negated(&var) ? false : true;
}
*varp = var;
*valp = val;
bv = ldap_get_values_len(ld, entry, "sudoOption");
if (bv != NULL) {
for (p = bv; *p != NULL; p++) {
- char *cp = (*p)->bv_val;
- if (*cp == '!')
- cp++;
- if (strcmp(cp, "authenticate") == 0)
- sudo_lbuf_append(lbuf, (*p)->bv_val[0] == '!' ?
- "NOPASSWD: " : "PASSWD: ");
- else if (strcmp(cp, "sudoedit_follow") == 0)
- sudo_lbuf_append(lbuf, (*p)->bv_val[0] == '!' ?
- "NOFOLLOW: " : "FOLLOW: ");
- else if (strcmp(cp, "noexec") == 0)
- sudo_lbuf_append(lbuf, (*p)->bv_val[0] == '!' ?
- "EXEC: " : "NOEXEC: ");
- else if (strcmp(cp, "setenv") == 0)
- sudo_lbuf_append(lbuf, (*p)->bv_val[0] == '!' ?
- "NOSETENV: " : "SETENV: ");
- else if (strcmp(cp, "mail_all_cmnds") == 0 || strcmp(cp, "mail_always") == 0)
- sudo_lbuf_append(lbuf, (*p)->bv_val[0] == '!' ?
- "NOMAIL: " : "MAIL: ");
+ char *val = (*p)->bv_val;
+ bool negated = sudo_ldap_is_negated(&val);
+ if (strcmp(val, "authenticate") == 0)
+ sudo_lbuf_append(lbuf, negated ? "NOPASSWD: " : "PASSWD: ");
+ else if (strcmp(val, "sudoedit_follow") == 0)
+ sudo_lbuf_append(lbuf, negated ? "NOFOLLOW: " : "FOLLOW: ");
+ else if (strcmp(val, "noexec") == 0)
+ sudo_lbuf_append(lbuf, negated ? "EXEC: " : "NOEXEC: ");
+ else if (strcmp(val, "setenv") == 0)
+ sudo_lbuf_append(lbuf, negated ? "NOSETENV: " : "SETENV: ");
+ else if (strcmp(val, "mail_all_cmnds") == 0 || strcmp(val, "mail_always") == 0)
+ sudo_lbuf_append(lbuf, negated ? "NOMAIL: " : "MAIL: ");
}
ldap_value_free_len(bv);
}
debug_return_int(-1);
}
+/*
+ * Returns true if the string pointed to by valp begins with an
+ * odd number of '!' characters. Intervening blanks are ignored.
+ * Stores the address of the string after '!' removal in valp.
+ */
+static bool
+sudo_sss_is_negated(char **valp)
+{
+ char *val = *valp;
+ bool ret = false;
+ debug_decl(sudo_sss_is_negated, SUDOERS_DEBUG_SSSD)
+
+ while (*val == '!') {
+ ret = !ret;
+ do {
+ val++;
+ } while (isblank((unsigned char)*val));
+ }
+ *valp = val;
+ debug_return_bool(ret);
+}
+
static int
sudo_sss_checkpw(struct sudo_nss *nss, struct passwd *pw)
{
{
char **val_array, *val;
int matched = UNSPEC;
+ bool negated;
int i;
debug_decl(sudo_sss_check_host, SUDOERS_DEBUG_SSSD);
/* walk through values */
for (i = 0; val_array[i] != NULL && matched != false; ++i) {
- bool foundbang = false;
-
val = val_array[i];
sudo_debug_printf(SUDO_DEBUG_DEBUG, "val[%d]=%s", i, val);
- if (*val == '!') {
- val++;
- foundbang = true;
- }
+ negated = sudo_sss_is_negated(&val);
/* match any or address or netgroup or hostname */
if (strcmp(val, "ALL") == 0 || addr_matches(val) ||
def_netgroup_tuple ? handle->pw->pw_name : NULL) ||
hostname_matches(handle->shost, handle->host, val)) {
- matched = foundbang ? false : true;
+ matched = negated ? false : true;
}
sudo_debug_printf(SUDO_DEBUG_INFO, "sssd/ldap sudoHost '%s' ... %s",
sudo_sss_check_bool(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule,
char *option)
{
- char ch, *var, **val_array = NULL;
+ char *var, **val_array = NULL;
int i, ret = UNSPEC;
+ bool negated;
debug_decl(sudo_sss_check_bool, SUDOERS_DEBUG_SSSD);
if (rule == NULL)
var = val_array[i];
sudo_debug_printf(SUDO_DEBUG_INFO, "sssd/ldap sudoOption: '%s'", var);
- if ((ch = *var) == '!')
- var++;
+ negated = sudo_sss_is_negated(&var);
if (strcmp(var, option) == 0)
- ret = (ch != '!');
+ ret = negated ? false : true;
}
handle->fn_free_values(val_array);
char **val_array = NULL, *val;
char *allowed_cmnd, *allowed_args;
int ret = UNSPEC;
- bool foundbang;
+ bool negated;
unsigned int i;
struct sudo_digest digest, *allowed_digest = NULL;
debug_decl(sudo_sss_check_command, SUDOERS_DEBUG_SSSD);
allowed_digest = sudo_sss_extract_digest(&val, &digest);
/* check for !command */
- if (*val == '!') {
- foundbang = true;
- allowed_cmnd = val + 1; /* !command */
- } else {
- foundbang = false;
- allowed_cmnd = val; /* command */
- }
+ allowed_cmnd = val;
+ negated = sudo_sss_is_negated(&allowed_cmnd);
/* split optional args away from command */
allowed_args = strchr(allowed_cmnd, ' ');
* If allowed (no bang) set ret but keep on checking.
* If disallowed (bang), exit loop.
*/
- ret = foundbang ? false : true;
+ ret = negated ? false : true;
}
if (allowed_args != NULL)
allowed_args[-1] = ' '; /* restore val */
}
} else {
/* Boolean value, either true or false. */
- op = true;
- while (*var == '!') {
- op = !op;
- do {
- var++;
- } while (isblank((unsigned char)*var));
- }
+ op = sudo_sss_is_negated(&var) ? false : true;
}
*varp = var;
*valp = val;
switch (handle->fn_get_values(rule, "sudoOption", &val_array)) {
case 0:
for (i = 0; val_array[i] != NULL; ++i) {
- char *cp = val_array[i];
- if (*cp == '!')
- cp++;
- if (strcmp(cp, "authenticate") == 0)
- sudo_lbuf_append(lbuf, val_array[i][0] == '!' ?
- "NOPASSWD: " : "PASSWD: ");
- else if (strcmp(cp, "sudoedit_follow") == 0)
- sudo_lbuf_append(lbuf, val_array[i][0] == '!' ?
- "NOFOLLOW: " : "FOLLOW: ");
- else if (strcmp(cp, "noexec") == 0)
- sudo_lbuf_append(lbuf, val_array[i][0] == '!' ?
- "EXEC: " : "NOEXEC: ");
- else if (strcmp(cp, "setenv") == 0)
- sudo_lbuf_append(lbuf, val_array[i][0] == '!' ?
- "NOSETENV: " : "SETENV: ");
- else if (strcmp(cp, "mail_all_cmnds") == 0 || strcmp(cp, "mail_always") == 0)
- sudo_lbuf_append(lbuf, val_array[i][0] == '!' ?
- "NOMAIL: " : "MAIL: ");
+ char *val = val_array[i];
+ bool negated = sudo_sss_is_negated(&val);
+ if (strcmp(val, "authenticate") == 0)
+ sudo_lbuf_append(lbuf, negated ? "NOPASSWD: " : "PASSWD: ");
+ else if (strcmp(val, "sudoedit_follow") == 0)
+ sudo_lbuf_append(lbuf, negated ? "NOFOLLOW: " : "FOLLOW: ");
+ else if (strcmp(val, "noexec") == 0)
+ sudo_lbuf_append(lbuf, negated ? "EXEC: " : "NOEXEC: ");
+ else if (strcmp(val, "setenv") == 0)
+ sudo_lbuf_append(lbuf, negated ? "NOSETENV: " : "SETENV: ");
+ else if (strcmp(val, "mail_all_cmnds") == 0 || strcmp(val, "mail_always") == 0)
+ sudo_lbuf_append(lbuf, negated ? "NOMAIL: " : "MAIL: ");
}
handle->fn_free_values(val_array);
break;
projects / sudo / commitdiff