/* Need to be runas user while stat'ing things in the parser. */
set_perms(PERM_RUNAS);
error = yyparse();
-
if (error || parse_error) {
set_perms(PERM_ROOT);
return(VALIDATE_ERROR);
set_perms(PERM_ROOT);
return(VALIDATE_OK |
(no_passwd == TRUE ? FLAG_NOPASS : 0) |
- (no_execve == TRUE ? FLAG_NOEXEC : 0));
+ (no_execve == TRUE ? FLAG_NOEXEC : 0) |
+ (trace_cmnd == TRUE ? FLAG_TRACE : 0));
} else if ((runas_matches == TRUE && cmnd_matches == FALSE) ||
(runas_matches == FALSE && cmnd_matches == TRUE)) {
/*
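Review bot: The tag-to-flag expression in this `return(VALIDATE_OK | ...)` is now three lines long and is repeated verbatim in the `VALIDATE_NOT_OK` return of the next hunk, so a tag added later can be wired into one return and missed in the other. A missed flag means the tag is silently not enforced on that path. One shared macro would keep the two in step, e.g. `#define TAG_FLAGS ((no_passwd == TRUE ? FLAG_NOPASS : 0) | (no_execve == TRUE ? FLAG_NOEXEC : 0) | (trace_cmnd == TRUE ? FLAG_TRACE : 0))`, with the returns becoming `return(VALIDATE_OK | TAG_FLAGS);` and `return(VALIDATE_NOT_OK | TAG_FLAGS);`. The enclosing function starts and ends outside these hunks, so any other return that builds flags is not visible here and should be checked the same way.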
set_perms(PERM_ROOT);
return(VALIDATE_NOT_OK |
(no_passwd == TRUE ? FLAG_NOPASS : 0) |
- (no_execve == TRUE ? FLAG_NOEXEC : 0));
+ (no_execve == TRUE ? FLAG_NOEXEC : 0) |
+ (trace_cmnd == TRUE ? FLAG_TRACE : 0));
}
}
top--;
match[top].runas = UNSPEC; \
match[top].nopass = def_authenticate ? UNSPEC : TRUE; \
match[top].noexec = def_noexec ? TRUE : UNSPEC; \
+ match[top].trace = def_trace ? TRUE : UNSPEC; \
top++; \
} while (0)
match[top].runas = match[top-1].runas; \
match[top].nopass = match[top-1].nopass; \
match[top].noexec = match[top-1].noexec; \
+ match[top].trace = match[top-1].trace; \
top++; \
} while (0)
%token <tok> PASSWD /* passwd req for command (default) */
%token <tok> NOEXEC /* preload dummy execve() for cmnd */
%token <tok> EXEC /* don't preload dummy execve() */
+%token <tok> TRACE /* trace children of cmnd */
+%token <tok> NOTRACE /* disable tracing of children */
%token <tok> ALL /* ALL keyword */
%token <tok> COMMENT /* comment and/or carriage return */
%token <tok> HOSTALIAS /* Host_Alias keyword */
runas_matches = UNSPEC;
no_passwd = def_authenticate ? UNSPEC : TRUE;
no_execve = def_noexec ? TRUE : UNSPEC;
+ trace_cmnd = def_trace ? TRUE : UNSPEC;
}
;
;
cmndtag : /* empty */ {
- /* Inherit {NOPASSWD,PASSWD,NOEXEC,EXEC} status. */
+ /* Inherit tags. */
if (printmatches == TRUE && host_matches == TRUE &&
user_matches == TRUE) {
if (no_passwd == TRUE)
cm_list[cm_list_len].noexecve = TRUE;
else
cm_list[cm_list_len].noexecve = FALSE;
+ if (trace_cmnd == TRUE)
+ cm_list[cm_list_len].trace = TRUE;
+ else
+ cm_list[cm_list_len].trace = FALSE;
}
}
| cmndtag NOPASSWD {
user_matches == TRUE)
cm_list[cm_list_len].noexecve = FALSE;
}
+ | cmndtag TRACE {
+ trace_cmnd = TRUE;
+ if (printmatches == TRUE && host_matches == TRUE &&
+ user_matches == TRUE)
+ cm_list[cm_list_len].trace = TRUE;
+ }
+ | cmndtag NOTRACE {
+ trace_cmnd = FALSE;
+ if (printmatches == TRUE && host_matches == TRUE &&
+ user_matches == TRUE)
+ cm_list[cm_list_len].trace = FALSE;
+ }
;
cmnd : ALL {
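Review bot: The new `cmndtag NOTRACE` action has no comment recording that it overrides the `trace` default and that the value sticks. `trace_cmnd = FALSE` is left in place, and the empty `cmndtag` alternative ("Inherit tags") copies whatever `trace_cmnd` holds into the next entry. In the visible hunks the only reset is `trace_cmnd = def_trace ? TRUE : UNSPEC;`, in a rule whose head is outside the diff context, so a single `NOTRACE:` presumably applies to every later command up to that reset. Because this tag switches off a monitoring control, I would state that at the rule, e.g. `/* NOTRACE overrides the trace default and is inherited by later commands until TRACE is given. */`.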
else if (cm_list[count].noexecve == FALSE && def_noexec)
(void) fputs("EXEC: ", stdout);
+ /* Is tracing enabled? */
+ if (cm_list[count].trace == TRUE && !def_trace)
+ (void) fputs("TRACE: ", stdout);
+ else if (cm_list[count].trace == FALSE && def_trace)
+ (void) fputs("NOTRACE: ", stdout);
+
/* Is a password required? */
if (cm_list[count].nopasswd == TRUE && def_authenticate)
(void) fputs("NOPASSWD: ", stdout);
cm_list[cm_list_len].runas = cm_list[cm_list_len].cmnd = NULL;
cm_list[cm_list_len].nopasswd = FALSE;
cm_list[cm_list_len].noexecve = FALSE;
+ cm_list[cm_list_len].trace = FALSE;
}
/*