In -l mode, only check local sudoers file if def_ignore_sudoers is not set

and call LDAP versions from display_privs() and display_cmnd() instead
of directly from main().  Because of this we need to defer closing
the ldap connection until after -l processing has ocurred and we
must pass in the ldap pointer to display_privs() and display_cmnd().

diff --git a/parse.c b/parse.c
index b44bec5a014e2ae835ce67f627f61de240437bec..d0e0a0ccd9cedb9ae3fa23facf3b5a6e906c6f81 100644 (file)
--- a/parse.c
+++ b/parse.c
@@ -206,7 +206,8 @@ sudoers_lookup(pwflag)
  * Print out privileges for the specified user.
  */
 void
-display_privs(pw)
+display_privs(v, pw)
+    VOID *v;
     struct passwd *pw;
 {
     struct cmndspec *cs;
@@ -218,60 +219,66 @@ display_privs(pw)
 #if defined(HAVE_INITGROUPS) && defined(HAVE_GETGROUPS)
     /* Set group vector so group matching works correctly. */
     if (pw != sudo_user.pw) {
-       (void) initgroups(pw->pw_name, pw->pw_gid);
-       if ((user_ngroups = getgroups(0, NULL)) > 0) {
-          user_groups = erealloc3(user_groups, user_ngroups, sizeof(gid_t));
-          if (getgroups(user_ngroups, user_groups) < 0)
-              log_error(USE_ERRNO|MSG_ONLY, "can't get group vector");
-       } else
-          user_ngroups = 0;
+       (void) initgroups(pw->pw_name, pw->pw_gid);
+       if ((user_ngroups = getgroups(0, NULL)) > 0) {
+           user_groups = erealloc3(user_groups, user_ngroups, sizeof(gid_t));
+           if (getgroups(user_ngroups, user_groups) < 0)
+               log_error(USE_ERRNO|MSG_ONLY, "can't get group vector");
+       } else
+           user_ngroups = 0;
     }
 #endif
 
-    display_defaults(pw);
+    if (!def_ignore_local_sudoers) {
+       display_defaults(pw);
 
-    print_priv3("User ", pw->pw_name,
-       " may run the following commands on this host:\n");
+       print_priv3("User ", pw->pw_name,
+           " may run the following commands on this host:\n");
 
-    for (us = userspecs; us != NULL; us = us->next) {
-       if (user_matches(pw, us->user) != TRUE ||
-         host_matches(us->privileges->hostlist) != TRUE)
-           continue;
+       for (us = userspecs; us != NULL; us = us->next) {
+           if (user_matches(pw, us->user) != TRUE ||
+             host_matches(us->privileges->hostlist) != TRUE)
+               continue;
 
-       for (priv = us->privileges; priv != NULL; priv = priv->next) {
-           tags.monitor = def_monitor;
-           tags.noexec = def_noexec;
-           tags.nopasswd = !def_authenticate;
-           for (cs = priv->cmndlist; cs != NULL; cs = cs->next) {
-               if (cs != priv->cmndlist)
-                   print_priv(", ");
-               if (cs->runaslist != NULL) {
-                   print_priv("    (");
-                   for (m = cs->runaslist; m != NULL; m = m->next) {
-                       if (m != cs->runaslist)
-                           print_priv(", ");
-                       print_member(m->name, m->type, m->negated, RUNASALIAS);
+           for (priv = us->privileges; priv != NULL; priv = priv->next) {
+               tags.monitor = def_monitor;
+               tags.noexec = def_noexec;
+               tags.nopasswd = !def_authenticate;
+               for (cs = priv->cmndlist; cs != NULL; cs = cs->next) {
+                   if (cs != priv->cmndlist)
+                       print_priv(", ");
+                   if (cs->runaslist != NULL) {
+                       print_priv("    (");
+                       for (m = cs->runaslist; m != NULL; m = m->next) {
+                           if (m != cs->runaslist)
+                               print_priv(", ");
+                           print_member(m->name, m->type, m->negated, RUNASALIAS);
+                       }
+                       print_priv(") ");
                    }
-                   print_priv(") ");
-               }
-               if (TAG_CHANGED(monitor)) {
-                   print_priv(cs->tags.monitor ? "MONITOR: " : "NOMONITOR: ");
-                   tags.monitor = cs->tags.monitor;
-               }
-               if (TAG_CHANGED(noexec)) {
-                   print_priv(cs->tags.monitor ? "EXEC: " : "NOEXEC: ");
-                   tags.noexec = cs->tags.noexec;
-               }
-               if (TAG_CHANGED(nopasswd)) {
-                   print_priv(cs->tags.monitor ? "PASSWD: " : "NOPASSWD: ");
-                   tags.nopasswd = cs->tags.nopasswd;
+                   if (TAG_CHANGED(monitor)) {
+                       print_priv(cs->tags.monitor ? "MONITOR: " : "NOMONITOR: ");
+                       tags.monitor = cs->tags.monitor;
+                   }
+                   if (TAG_CHANGED(noexec)) {
+                       print_priv(cs->tags.monitor ? "EXEC: " : "NOEXEC: ");
+                       tags.noexec = cs->tags.noexec;
+                   }
+                   if (TAG_CHANGED(nopasswd)) {
+                       print_priv(cs->tags.monitor ? "PASSWD: " : "NOPASSWD: ");
+                       tags.nopasswd = cs->tags.nopasswd;
+                   }
+                   m = cs->cmnd;
+                   print_member(m->name, m->type, m->negated, CMNDALIAS);
                }
-               m = cs->cmnd;
-               print_member(m->name, m->type, m->negated, CMNDALIAS);
+               print_priv("\n");
            }
-           print_priv("\n");
        }
     }
+#ifdef HAVE_LDAP
+    if (v != NULL)
+       sudo_ldap_display_privs(v, pw);
+#endif
 }
 
 /*
@@ -392,35 +399,43 @@ display_bound_defaults(dtype)
  * command is allowed.
  */
 int
-display_cmnd(pw)
+display_cmnd(v, pw)
+    VOID *v;
     struct passwd *pw;
 {
     struct cmndspec *cs;
     struct member *match, *runas;
     struct privilege *priv;
     struct userspec *us;
+    int rval = 1;
 
-    for (match = NULL, us = userspecs; us != NULL; us = us->next) {
-       if (user_matches(pw, us->user) != TRUE ||
-         host_matches(us->privileges->hostlist) != TRUE)
-           continue;
+#ifdef HAVE_LDAP
+    rval = sudo_ldap_display_cmnd(v, pw);
+#endif
+    if (rval != 0 && !def_ignore_local_sudoers) {
+       for (match = NULL, us = userspecs; us != NULL; us = us->next) {
+           if (user_matches(pw, us->user) != TRUE ||
+             host_matches(us->privileges->hostlist) != TRUE)
+               continue;
 
-       for (priv = us->privileges; priv != NULL; priv = priv->next) {
-           runas = NULL;
-           for (cs = priv->cmndlist; cs != NULL; cs = cs->next) {
-               if (cs->runaslist != NULL)
-                   runas = cs->runaslist;
-               if (runas_matches(runas) == TRUE &&
-                 cmnd_matches(cs->cmnd) != UNSPEC) 
-                   match = cs->cmnd;
+           for (priv = us->privileges; priv != NULL; priv = priv->next) {
+               runas = NULL;
+               for (cs = priv->cmndlist; cs != NULL; cs = cs->next) {
+                   if (cs->runaslist != NULL)
+                       runas = cs->runaslist;
+                   if (runas_matches(runas) == TRUE &&
+                     cmnd_matches(cs->cmnd) != UNSPEC) 
+                       match = cs->cmnd;
+               }
            }
        }
+       if (match != NULL && !match->negated) {
+           printf("%s%s%s\n", safe_cmnd, user_args ? " " : "",
+               user_args ? user_args : "");
+           rval = 0;
+       }
     }
-    if (match == NULL || match->negated)
-       return(1);
-    printf("%s%s%s\n", safe_cmnd, user_args ? " " : "",
-       user_args ? user_args : "");
-    return(0);
+    return(rval);
 }
 
 /*

diff --git a/sudo.c b/sudo.c
index 0664e44276c4c4d0adcbf10713eff92e409eef4f..48a76c9e8efec69c4c6ee93ffcb1041a6d7e9be7 100644 (file)
--- a/sudo.c
+++ b/sudo.c
@@ -152,9 +152,7 @@ main(argc, argv)
     int sudo_mode;
     int pwflag;
     sigaction_t sa;
-#ifdef HAVE_LDAP
-    VOID *ld;
-#endif
+    VOID *ld = NULL;
     extern char **environ;
 
 #ifdef HAVE_SETLOCALE
@@ -294,10 +292,8 @@ main(argc, argv)
     cmnd_status = set_cmnd(sudo_mode);
 
 #ifdef HAVE_LDAP
-    if (ld != NULL) {
+    if (ld != NULL)
        validated = sudo_ldap_check(ld, pwflag);
-       sudo_ldap_close(ld);
-    }
     /* Fallback to sudoers if we are allowed to and we aren't validated. */
     if (!def_ignore_local_sudoers && !ISSET(validated, VALIDATE_OK))
 #endif
@@ -373,15 +369,19 @@ main(argc, argv)
        if (sudo_mode == MODE_VALIDATE)
            exit(0);
        else if (sudo_mode == MODE_CHECK)
-           exit(display_cmnd(list_pw ? list_pw : sudo_user.pw));
+           exit(display_cmnd(ld, list_pw ? list_pw : sudo_user.pw));
        else if (sudo_mode == MODE_LIST) {
-           display_privs(list_pw ? list_pw : sudo_user.pw);
-#ifdef HAVE_LDAP
-           sudo_ldap_display_privs();  /* XXX - use list_pw */
-#endif
+           display_privs(ld, list_pw ? list_pw : sudo_user.pw);
            exit(0);
        }
 
+#ifdef HAVE_LDAP
+       if (ld != NULL) {
+           sudo_ldap_close(ld);
+           ld = NULL;
+       }
+#endif
+
 #ifdef HAVE_SYSTRACE 
        if (def_monitor)
            systrace_attach(getpid());

diff --git a/sudo.h b/sudo.h
index 4769c4da61395a2a1336e622e3144af9f527e0ff..9b9f30a323e329bc0c831365a761838cc860a795 100644 (file)
--- a/sudo.h
+++ b/sudo.h
@@ -216,7 +216,8 @@ int sudoers_lookup  __P((int));
 int parse_sudoers      __P((const char *));
 #ifdef HAVE_LDAP
 int sudo_ldap_check    __P((VOID *, int));
-void sudo_ldap_display_privs __P((void));
+void sudo_ldap_display_privs __P((VOID *, struct passwd *));
+int sudo_ldap_display_cmnd __P((VOID *, struct passwd *));
 void sudo_ldap_update_defaults __P((VOID *));
 VOID *sudo_ldap_open   __P((void));
 void sudo_ldap_close   __P((VOID *));
@@ -251,8 +252,8 @@ int pam_prep_user   __P((struct passwd *));
 void zero_bytes                __P((volatile VOID *, size_t));
 int gettime            __P((struct timespec *));
 FILE *open_sudoers     __P((const char *, int *));
-void display_privs     __P((struct passwd *));
-int display_cmnd       __P((struct passwd *));
+void display_privs     __P((VOID *, struct passwd *));
+int display_cmnd       __P((VOID *, struct passwd *));
 void sudo_setgrent     __P((void));
 void sudo_endgrent     __P((void));
 void sudo_setpwent     __P((void));