From: Todd C. Miller Date: Fri, 18 Dec 2015 19:31:28 +0000 (-0700) Subject: Allow sudo.conf Path settings to disable path names (by setting the X-Git-Tag: SUDO_1_8_16^2~91 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=55531958de66a522c1d0dedcbdf2c1e984a1a278;p=sudo Allow sudo.conf Path settings to disable path names (by setting the value of NULL). --- diff --git a/doc/sudo.conf.cat b/doc/sudo.conf.cat index 8f6df85a5..1e70e56b2 100644 --- a/doc/sudo.conf.cat +++ b/doc/sudo.conf.cat @@ -88,6 +88,10 @@ DDEESSCCRRIIPPTTIIOONN Path noexec /usr/local/libexec/sudo/sudo_noexec.so Path askpass /usr/X11R6/bin/ssh-askpass + If no path name is specified, features relying on the specified setting + will be disabled. Disabling Path settings is only supported in ssuuddoo + version 1.8.16 and higher. + The following plugin-agnostic paths may be set in the _/_e_t_c_/_s_u_d_o_._c_o_n_f file: diff --git a/doc/sudo.conf.man.in b/doc/sudo.conf.man.in index a9bda770b..85098313d 100644 --- a/doc/sudo.conf.man.in +++ b/doc/sudo.conf.man.in @@ -206,6 +206,14 @@ Path askpass /usr/X11R6/bin/ssh-askpass .RE .fi .PP +If no path name is specified, features relying on the specified +setting will be disabled. +Disabling +\fRPath\fR +settings is only supported in +\fBsudo\fR +version 1.8.16 and higher. +.PP The following plugin-agnostic paths may be set in the \fI@sysconfdir@/sudo.conf\fR file: diff --git a/doc/sudo.conf.mdoc.in b/doc/sudo.conf.mdoc.in index a7330ef5c..8df8249e8 100644 --- a/doc/sudo.conf.mdoc.in +++ b/doc/sudo.conf.mdoc.in @@ -184,6 +184,14 @@ Path noexec @noexec_file@ Path askpass /usr/X11R6/bin/ssh-askpass .Ed .Pp +If no path name is specified, features relying on the specified +setting will be disabled. +Disabling +.Li Path +settings is only supported in +.Nm sudo +version 1.8.16 and higher. +.Pp The following plugin-agnostic paths may be set in the .Pa @sysconfdir@/sudo.conf file: diff --git a/lib/util/sudo_conf.c b/lib/util/sudo_conf.c index edb6724ff..efbedc2ff 100644 --- a/lib/util/sudo_conf.c +++ b/lib/util/sudo_conf.c @@ -64,7 +64,7 @@ struct sudo_conf_table { struct sudo_conf_path_table { const char *pname; unsigned int pnamelen; - const char *pval; + char **pval; }; static int parse_debug(const char *entry, const char *conf_file, unsigned int lineno); @@ -93,7 +93,36 @@ static struct sudo_conf_table sudo_conf_var_table[] = { { NULL } }; -/* XXX - it would be nice to make this local to sudo_conf_read */ +/* + * Using designated struct initializers would be clearer here but + * we want to avoid relying on C99 features for now. + */ +static struct sudo_conf_paths { + char *askpass; + char *sesh; + char *nodump; + char *noexec; + char *plugin_dir; +} sudo_conf_paths = { + _PATH_SUDO_ASKPASS, + _PATH_SUDO_SESH, +#ifdef _PATH_SUDO_NODUMP + _PATH_SUDO_NODUMP, +#else + NULL, +#endif +#ifdef _PATH_SUDO_NOEXEC + _PATH_SUDO_NOEXEC, +#else + NULL, +#endif +#ifdef _PATH_SUDO_PLUGIN_DIR + _PATH_SUDO_PLUGIN_DIR, +#else + NULL, +#endif +}; + static struct sudo_conf_data { bool disable_coredump; bool probe_interfaces; @@ -110,18 +139,10 @@ static struct sudo_conf_data { TAILQ_HEAD_INITIALIZER(sudo_conf_data.debugging), TAILQ_HEAD_INITIALIZER(sudo_conf_data.plugins), { -#define SUDO_CONF_ASKPASS_IDX 0 - { "askpass", sizeof("askpass") - 1, _PATH_SUDO_ASKPASS }, -#define SUDO_CONF_SESH_IDX 1 - { "sesh", sizeof("sesh") - 1, _PATH_SUDO_SESH }, -#ifdef _PATH_SUDO_NOEXEC -#define SUDO_CONF_NOEXEC_IDX 2 - { "noexec", sizeof("noexec") - 1, _PATH_SUDO_NOEXEC }, -#endif -#ifdef _PATH_SUDO_PLUGIN_DIR -#define SUDO_CONF_PLUGIN_IDX 3 - { "plugin", sizeof("plugin") - 1, _PATH_SUDO_PLUGIN_DIR }, -#endif + { "askpass", sizeof("askpass") - 1, &sudo_conf_paths.askpass }, + { "sesh", sizeof("sesh") - 1, &sudo_conf_paths.sesh }, + { "noexec", sizeof("noexec") - 1, &sudo_conf_paths.noexec }, + { "plugin", sizeof("plugin") - 1, &sudo_conf_paths.plugin_dir }, { NULL } } }; @@ -156,6 +177,7 @@ parse_variable(const char *entry, const char *conf_file, unsigned int lineno) /* * "Path name /path/to/file" + * If path is missing it will be set to the NULL pointer. */ static int parse_path(const char *entry, const char *conf_file, unsigned int lineno) @@ -172,22 +194,25 @@ parse_path(const char *entry, const char *conf_file, unsigned int lineno) goto bad; namelen = (size_t)(ep - name); - /* Parse path. */ + /* Parse path (if present). */ path = sudo_strsplit(NULL, entry_end, " \t", &ep); - if (path == NULL) - goto bad; /* Match supported paths, ignoring unknown paths. */ for (cur = sudo_conf_data.path_table; cur->pname != NULL; cur++) { if (namelen == cur->pnamelen && strncasecmp(name, cur->pname, cur->pnamelen) == 0) { - if ((cur->pval = strdup(path)) == NULL) { - sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory")); - debug_return_int(-1); - break; + char *pval = NULL; + if (path != NULL) { + if ((pval = strdup(path)) == NULL) { + sudo_warnx(U_("%s: %s"), __func__, + U_("unable to allocate memory")); + debug_return_int(-1); + } } + *cur->pval = pval; sudo_debug_printf(SUDO_DEBUG_INFO, "%s: %s:%u: Path %s %s", - __func__, conf_file, lineno, cur->pname, cur->pval); + __func__, conf_file, lineno, cur->pname, + pval ? pval : "(none)"); debug_return_int(true); } } @@ -425,20 +450,20 @@ set_var_probe_interfaces(const char *strval, const char *conf_file, const char * sudo_conf_askpass_path_v1(void) { - return sudo_conf_data.path_table[SUDO_CONF_ASKPASS_IDX].pval; + return sudo_conf_paths.askpass; } const char * sudo_conf_sesh_path_v1(void) { - return sudo_conf_data.path_table[SUDO_CONF_SESH_IDX].pval; + return sudo_conf_paths.sesh; } #ifdef _PATH_SUDO_NOEXEC const char * sudo_conf_noexec_path_v1(void) { - return sudo_conf_data.path_table[SUDO_CONF_NOEXEC_IDX].pval; + return sudo_conf_paths.noexec; } #endif @@ -446,7 +471,7 @@ sudo_conf_noexec_path_v1(void) const char * sudo_conf_plugin_dir_path_v1(void) { - return sudo_conf_data.path_table[SUDO_CONF_PLUGIN_IDX].pval; + return sudo_conf_paths.plugin_dir; } #endif diff --git a/src/exec_common.c b/src/exec_common.c index 2cdf8dc7d..fefbce899 100644 --- a/src/exec_common.c +++ b/src/exec_common.c @@ -140,7 +140,8 @@ disable_execute(char *envp[]) #endif /* HAVE_PRIV_SET */ #ifdef _PATH_SUDO_NOEXEC - envp = preload_dso(envp, sudo_conf_noexec_path()); + if (sudo_conf_noexec_path() != NULL) + envp = preload_dso(envp, sudo_conf_noexec_path()); #endif /* _PATH_SUDO_NOEXEC */ debug_return_ptr(envp);