we just set the approriate defaults variable.
* is "never". (example verifypw=never or listpw=never)
*
*/
- if (pwflag<0) { /* -k */
- ret=VALIDATE_OK; SET(ret,FLAG_NOPASS);
- } else if (sudo_defs_table[pwflag].sd_un.tuple == never){ /* see note above */
- ret=VALIDATE_OK; SET(ret,FLAG_NOPASS);
- } else {
- ret=VALIDATE_OK; /* extra paranoid */
+ ret=VALIDATE_OK;
+ if (pwflag != -1) {
+ switch (sudo_defs_table[pwflag].sd_un.tuple) {
+ case never:
+ def_authenticate = FALSE;
+ break;
+ case always:
+ if (def_authenticate)
+ SET(ret, FLAG_CHECK_USER);
+ break;
+ default:
+ break;
+ }
}
}
- if (ISSET(ret,VALIDATE_OK)) {
- /* We have a match. Should we check the password? */
- /* Note: This could be the global or a rule specific option */
- if (!def_authenticate) SET(ret,FLAG_NOPASS);
- /* Same logic with noexec and monitor */
- if (def_noexec) SET(ret,FLAG_NOEXEC);
- if (def_monitor) SET(ret,FLAG_MONITOR);
- } else {
+ if (!ISSET(ret,VALIDATE_OK)) {
/* we do not have a match */
ret=VALIDATE_NOT_OK;
if (pwflag) SET(ret,FLAG_NO_CHECK);
validated = VALIDATE_NOT_OK | FLAG_NO_HOST | FLAG_NO_USER;
if (pwflag && list_pw == NULL)
SET(validated, FLAG_NO_CHECK);
- else if (!def_authenticate)
- validated |= FLAG_NOPASS;
/*
* Only check the actual command if pwflag is not set.
SET(validated, VALIDATE_OK);
if (pwcheck == always && def_authenticate)
SET(validated, FLAG_CHECK_USER);
- else if (pwcheck == never || !def_authenticate || nopass == TRUE)
- SET(validated, FLAG_NOPASS);
+ else if (pwcheck == never || nopass == TRUE)
+ def_authenticate = FALSE;
}
return(validated);
}
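Review bot: The new `else if (pwcheck == never || nopass == TRUE)` branch records the no-password outcome by writing `def_authenticate = FALSE` into the global Defaults variable, so the authentication decision no longer travels in the returned `validated` value. The tags hunk writes `def_authenticate`, `def_noexec` and `def_monitor` the same way, and the later hunks that replace `ISSET(validated, FLAG_NOPASS / FLAG_NOEXEC / FLAG_MONITOR)` with reads of those globals depend on that side effect. Anything that re-initialises or re-reads defaults between the lookup and `check_user()` would silently change whether a password is required; no such call is visible here, so this is worth confirming against the callers. I would add a comment above the assignment: `/* Per-rule result: overrides the global default; the caller tests def_authenticate before check_user(). */`. The enclosing function starts outside the hunk.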
CLR(validated, VALIDATE_NOT_OK);
SET(validated, VALIDATE_OK);
if (tags != NULL) {
- if (tags->nopasswd == TRUE ||
- (tags->nopasswd == UNSPEC && !def_authenticate))
- SET(validated, FLAG_NOPASS);
- if (tags->noexec == TRUE ||
- (tags->noexec == UNSPEC && def_noexec))
- SET(validated, FLAG_NOEXEC);
- if (tags->monitor == TRUE ||
- (tags->monitor == UNSPEC && def_monitor))
- SET(validated, FLAG_MONITOR);
+ if (tags->nopasswd != UNSPEC)
+ def_authenticate = !tags->nopasswd;
+ if (tags->noexec != UNSPEC)
+ def_noexec = tags->noexec;
+ if (tags->monitor != UNSPEC)
+ def_monitor = tags->monitor;
}
}
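Review bot: `def_authenticate = !tags->nopasswd;` turns authentication off for any non-zero value other than `UNSPEC`, whereas the removed code required `tags->nopasswd == TRUE` exactly. If the field can only hold TRUE, FALSE or UNSPEC the two are equivalent, but its declaration is outside the hunk, and an unexpected value would now fail open. Comparing against TRUE keeps the stricter test: `def_authenticate = (tags->nopasswd != TRUE);`. The `noexec` and `monitor` assignments also copy the raw value, but there a stray non-zero value enables the restriction, so they err on the safe side. The enclosing block begins outside the hunk.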
set_perms(PERM_ROOT);
auth_pw = get_authpw();
/* Require a password if sudoers says so. */
- if (!ISSET(validated, FLAG_NOPASS))
+ if (def_authenticate)
check_user(ISSET(validated, FLAG_CHECK_USER));
/* If run as root with SUDO_USER set, set sudo_user.pw to that user. */
/* Build a new environment that avoids any nasty bits if we have a cmnd. */
if (ISSET(sudo_mode, MODE_RUN))
- new_environ = rebuild_env(envp, sudo_mode, ISSET(validated, FLAG_NOEXEC));
+ new_environ = rebuild_env(envp, sudo_mode, def_noexec);
else
new_environ = envp;
}
#ifdef HAVE_SYSTRACE
- if (ISSET(validated, FLAG_MONITOR))
+ if (def_monitor)
systrace_attach(getpid());
#endif
#define VALIDATE_OK 0x002
#define VALIDATE_NOT_OK 0x004
#define FLAG_CHECK_USER 0x010
-#define FLAG_NOPASS 0x020
-#define FLAG_NO_USER 0x040
-#define FLAG_NO_HOST 0x080
-#define FLAG_NO_CHECK 0x100
-#define FLAG_NOEXEC 0x200
-#define FLAG_MONITOR 0x400
+#define FLAG_NO_USER 0x020
+#define FLAG_NO_HOST 0x040
+#define FLAG_NO_CHECK 0x080
/*
* Pseudo-boolean values