From: Todd C. Miller Date: Thu, 14 Feb 2013 18:34:33 +0000 (-0500) Subject: Add max_groups setting to sudo.conf (currently unused) and remove X-Git-Tag: SUDO_1_8_7~1^2~232 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=67fed118b6e80d99bf01de786931ab05c91b470e;p=sudo Add max_groups setting to sudo.conf (currently unused) and remove unused return value from setters. --- diff --git a/common/sudo_conf.c b/common/sudo_conf.c index 4f4e9cdd1..8bd5853bf 100644 --- a/common/sudo_conf.c +++ b/common/sudo_conf.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2009-2012 Todd C. Miller + * Copyright (c) 2009-2013 Todd C. Miller * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -43,6 +43,7 @@ #endif /* HAVE_UNISTD_H */ #include #include +#include #define SUDO_ERROR_WRAP 0 @@ -74,7 +75,7 @@ extern bool atobool(const char *str); /* atobool.c */ struct sudo_conf_table { const char *name; unsigned int namelen; - bool (*setter)(const char *entry); + void (*setter)(const char *entry); }; struct sudo_conf_paths { @@ -83,10 +84,13 @@ struct sudo_conf_paths { const char *pval; }; -static bool set_debug(const char *entry); -static bool set_path(const char *entry); -static bool set_plugin(const char *entry); -static bool set_variable(const char *entry); +static void set_debug(const char *entry); +static void set_path(const char *entry); +static void set_plugin(const char *entry); +static void set_variable(const char *entry); +static void set_var_disable_coredump(const char *entry); +static void set_var_group_source(const char *entry); +static void set_var_max_groups(const char *entry); static unsigned int lineno; 
@@ -98,15 +102,24 @@ static struct sudo_conf_table sudo_conf_table[] = { { NULL } }; +static struct sudo_conf_table sudo_conf_table_vars[] = { + { "disable_coredump", sizeof("disable_coredump") - 1, set_var_disable_coredump }, + { "group_source", sizeof("group_source") - 1, set_var_group_source }, + { "max_groups", sizeof("max_groups") - 1, set_var_max_groups }, + { NULL } +}; + static struct sudo_conf_data { bool disable_coredump; int group_source; + int max_groups; const char *debug_flags; struct sudo_conf_paths paths[3]; struct plugin_info_list plugins; } sudo_conf_data = { true, GROUP_SOURCE_ADAPTIVE, + -1, NULL, { #define SUDO_CONF_ASKPASS_IDX 0 
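Review bot: The `-1` added to the `sudo_conf_data` initializer is the only thing that marks max_groups as "not set", and nothing beside the field or the initializer says so. Since `set_var_max_groups()` rejects negative values, a caller of `sudo_conf_max_groups()` can only see -1 when sudo.conf did not set it, which is worth stating on the member: `int max_groups; /* -1 if not set in sudo.conf */`. The initializer is positional, so a short `/* max_groups */` next to the `-1` would also keep the value tied to its member as fields are added.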
@@ -122,44 +135,64 @@ static struct sudo_conf_data { /* * "Set variable_name value" */ -static bool +static void set_variable(const char *entry) { -#undef DC_LEN -#define DC_LEN (sizeof("disable_coredump") - 1) - if (strncmp(entry, "disable_coredump", DC_LEN) == 0 && - isblank((unsigned char)entry[DC_LEN])) { - entry += DC_LEN + 1; - while (isblank((unsigned char)*entry)) - entry++; - sudo_conf_data.disable_coredump = atobool(entry); - } -#undef DC_LEN -#undef GS_LEN -#define GS_LEN (sizeof("group_source") - 1) - if (strncmp(entry, "group_source", GS_LEN) == 0 && - isblank((unsigned char)entry[GS_LEN])) { - entry += GS_LEN + 1; - while (isblank((unsigned char)*entry)) - entry++; - if (strcasecmp(entry, "adaptive") == 0) { - sudo_conf_data.group_source = GROUP_SOURCE_ADAPTIVE; - } else if (strcasecmp(entry, "static") == 0) { - sudo_conf_data.group_source = GROUP_SOURCE_STATIC; - } else if (strcasecmp(entry, "dynamic") == 0) { - sudo_conf_data.group_source = GROUP_SOURCE_DYNAMIC; - } else { - warningx(_("unsupported group source `%s' in %s, line %d"), entry, - _PATH_SUDO_CONF, lineno); + struct sudo_conf_table *var; + + for (var = sudo_conf_table_vars; var->name != NULL; var++) { + if (strncmp(entry, var->name, var->namelen) == 0 && + isblank((unsigned char)entry[var->namelen])) { + entry += var->namelen + 1; + while (isblank((unsigned char)*entry)) + entry++; + var->setter(entry); + break; } } - return true; +} + +static void +set_var_disable_coredump(const char *entry) +{ + sudo_conf_data.disable_coredump = atobool(entry); +} + +static void +set_var_group_source(const char *entry) +{ + if (strcasecmp(entry, "adaptive") == 0) { + sudo_conf_data.group_source = GROUP_SOURCE_ADAPTIVE; + } else if (strcasecmp(entry, "static") == 0) { + sudo_conf_data.group_source = GROUP_SOURCE_STATIC; + } else if (strcasecmp(entry, "dynamic") == 0) { + sudo_conf_data.group_source = GROUP_SOURCE_DYNAMIC; + } else { + warningx(_("unsupported group source `%s' in %s, line %d"), entry, + 
_PATH_SUDO_CONF, lineno); + } +} + +static void +set_var_max_groups(const char *entry) +{ + long lval; + char *ep; + + lval = strtol(entry, &ep, 10); + if (*entry == '\0' || *ep != '\0' || lval < 0 || lval > INT_MAX || + (errno == ERANGE && lval == LONG_MAX)) { + warningx(_("invalid max groups `%s' in %s, line %d"), entry, + _PATH_SUDO_CONF, lineno); + } else { + sudo_conf_data.max_groups = (int)lval; + } } /* * "Debug progname debug_file debug_flags" */ -static bool +static void set_debug(const char *entry) { size_t filelen, proglen; @@ -173,14 +206,14 @@ set_debug(const char *entry) proglen = strlen(progname); if (strncmp(entry, progname, proglen) != 0 || !isblank((unsigned char)entry[proglen])) - return false; + return; entry += proglen + 1; while (isblank((unsigned char)*entry)) entry++; debug_flags = strpbrk(entry, " \t"); if (debug_flags == NULL) - return false; + return; filelen = (size_t)(debug_flags - entry); while (isblank((unsigned char)*debug_flags)) debug_flags++; @@ -192,11 +225,9 @@ set_debug(const char *entry) efree(debug_file); sudo_conf_data.debug_flags = debug_flags; - - return true; } -static bool +static void set_path(const char *entry) { const char *name, *path; @@ -206,7 +237,7 @@ set_path(const char *entry) name = entry; path = strpbrk(entry, " \t"); if (path == NULL) - return false; + return; while (isblank((unsigned char)*path)) path++; @@ -218,11 +249,9 @@ set_path(const char *entry) break; } } - - return true; } -static bool +static void set_plugin(const char *entry) { struct plugin_info *info; @@ -235,7 +264,7 @@ set_plugin(const char *entry) name = entry; path = strpbrk(entry, " \t"); if (path == NULL) - return false; + return; namelen = (size_t)(path - name); while (isblank((unsigned char)*path)) path++; @@ -272,8 +301,6 @@ set_plugin(const char *entry) /* info->next = NULL; */ info->lineno = lineno; tq_append(&sudo_conf_data.plugins, info); - - return true; } const char * 
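Review bot: `set_var_max_groups()` tests `errno == ERANGE` after `strtol()` without clearing errno first, so a stale ERANGE from an earlier call can be mistaken for an overflow of this value; add `errno = 0;` directly before `lval = strtol(entry, &ep, 10);`. This only matters where LONG_MAX equals INT_MAX, because a larger LONG_MAX result is already rejected by `lval > INT_MAX`. The check also accepts 0 and anything up to INT_MAX; the setting is unused in this commit, but once it sizes the group array the consumer will presumably need an upper bound or an overflow check on the allocation size. `set_variable()` in the same hunk leaves its loop without a warning when no name in `sudo_conf_table_vars` matches, so a misspelled `Set` name is dropped silently.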
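Review bot: With the setter return value removed, the early `return;` paths in `set_debug()`, `set_path()` and `set_plugin()` discard a malformed line without any diagnostic, and the later `sudo_conf_read()` hunk now breaks unconditionally after `cur->setter(cp);`, so nothing downstream can report it either. For a file that selects the policy and I/O plugins, a dropped `Plugin` line deserves a message; a `warningx()` in the form already used by `set_var_group_source()` (entry text, `_PATH_SUDO_CONF`, `lineno`) before each `return;` would cover it. The bodies of all three functions extend beyond the hunks shown, so any reporting that happens outside them is not visible here.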
@@ -302,6 +329,12 @@ sudo_conf_group_source(void) return sudo_conf_data.group_source; } +int +sudo_conf_max_groups(void) +{ + return sudo_conf_data.max_groups; +} + struct plugin_info_list * sudo_conf_plugins(void) { @@ -374,8 +407,8 @@ sudo_conf_read(void) cp += cur->namelen; while (isblank((unsigned char)*cp)) cp++; - if (cur->setter(cp)) - break; + cur->setter(cp); + break; } } } @@ -386,5 +419,4 @@ done: if (prev_locale[0] != 'C' || prev_locale[1] != '\0') setlocale(LC_ALL, prev_locale); efree(prev_locale); - return; } diff --git a/doc/sudo.conf.cat b/doc/sudo.conf.cat index c71b33ac2..2a1e3d1da 100644 --- a/doc/sudo.conf.cat +++ b/doc/sudo.conf.cat @@ -172,6 +172,21 @@ DDEESSCCRRIIPPTTIIOONN This setting is only available in ssuuddoo version 1.8.7 and higher. + max_groups + The maximum number of user groups to retrieve from the group + database. This setting is only used when querying the group + database directly. It is intended to be used on systems where + it is not possible to detect when the array to be populated + with group entries is not sufficiently large. By default, ssuuddoo + will allocate four times the system's maximum number of groups + (see above) and retry with double that number if the group + database query fails. However, some systems just return as + many entries as will fit and do not indicate an error when + there is a lack of space. + + This setting is only available in ssuuddoo version 1.8.7 and + higher. + DDeebbuugg ffllaaggss ssuuddoo versions 1.8.4 and higher support a flexible debugging framework that can help track down what ssuuddoo is doing internally if there is a 
@@ -236,26 +251,16 @@ FFIILLEESS _/_e_t_c_/_s_u_d_o_._c_o_n_f ssuuddoo front end configuration EEXXAAMMPPLLEESS - # - # Default /etc/sudo.conf file - # - # Format: - # Plugin plugin_name plugin_path plugin_options ... - # Path askpass /path/to/askpass - # Path noexec /path/to/sudo_noexec.so - # Debug sudo /var/log/sudo_debug all@warn - # Set disable_coredump true - # - # The plugin_path is relative to /usr/local/libexec/sudo unless - # fully qualified. - # The plugin_name corresponds to a global symbol in the plugin - # that contains the plugin interface structure. - # The plugin_options are optional. - # - # The sudoers plugin is used by default if no Plugin lines are - # present. - Plugin policy_plugin sudoers.so - Plugin io_plugin sudoers.so + # # Default /etc/sudo.conf file # # Format: # Plugin + plugin_name plugin_path plugin_options ... # Path askpass + /path/to/askpass # Path noexec /path/to/sudo_noexec.so # Debug + sudo /var/log/sudo_debug all@warn # Set disable_coredump true # + # The plugin_path is relative to /usr/local/libexec/sudo unless # fully + qualified. # The plugin_name corresponds to a global symbol in the + plugin # that contains the plugin interface structure. # The + plugin_options are optional. # # The sudoers plugin is used by + default if no Plugin lines are # present. Plugin policy_plugin + sudoers.so Plugin io_plugin sudoers.so # # Sudo askpass: @@ -342,4 +347,4 @@ DDIISSCCLLAAIIMMEERR file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for complete details. -Sudo 1.8.7 February 7, 2013 Sudo 1.8.7 +Sudo 1.8.7 February 14, 2013 Sudo 1.8.7 diff --git a/doc/sudo.conf.man.in b/doc/sudo.conf.man.in index ac76e7cbb..c9b2e7acc 100644 --- a/doc/sudo.conf.man.in +++ b/doc/sudo.conf.man.in 
@@ -16,7 +16,7 @@ .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.TH "SUDO" "5" "February 7, 2013" "Sudo @PACKAGE_VERSION@" "OpenBSD Programmer's Manual" +.TH "SUDO" "5" "February 14, 2013" "Sudo @PACKAGE_VERSION@" "OpenBSD Programmer's Manual" .nh .if n .ad l .SH "NAME" @@ -351,7 +351,26 @@ Set group_source static This setting is only available in \fBsudo\fR version 1.8.7 and higher. +.PP .RE +.PD 0 +.TP 10n +max_groups +The maximum number of user groups to retrieve from the group database. +This setting is only used when querying the group database directly. +It is intended to be used on systems where it is not possible to detect +when the array to be populated with group entries is not sufficiently large. +By default, +\fBsudo\fR +will allocate four times the system's maximum number of groups (see above) +and retry with double that number if the group database query fails. +However, some systems just return as many entries as will fit and +do not indicate an error when there is a lack of space. +.sp +This setting is only available in +\fBsudo\fR +version 1.8.7 and higher. +.PD .SS "Debug flags" \fBsudo\fR versions 1.8.4 and higher support a flexible debugging framework @@ -365,8 +384,8 @@ line consists of the \fRDebug\fR keyword, followed by the name of the program (or plugin) to debug (\fBsudo\fR, \fBvisudo\fR, \fBsudoreplay\fR, \fBsudoers\fR), -the debug file name and a comma-separated list of debug flags. -The debug flag syntax used by +the debug file name and a comma-separated list of debug flags. The +debug flag syntax used by \fBsudo\fR and the \fBsudoers\fR 
@@ -392,16 +411,14 @@ level for the plugin subsystem. .PP Currently, only one \fRDebug\fR -entry per program is supported. -The +entry per program is supported. The \fBsudo\fR \fRDebug\fR entry is shared by the \fBsudo\fR front end, \fBsudoedit\fR -and the plugins. -A future release may add support for per-plugin +and the plugins. A future release may add support for per-plugin \fRDebug\fR lines and/or support for multiple debugging files for a single program. @@ -413,8 +430,7 @@ front end, in order of decreasing severity, are: and \fIdebug\fR. Each priority, when specified, also includes all priorities higher -than it. -For example, a priority of +than it. For example, a priority of \fInotice\fR would include debug messages logged at \fInotice\fR 
@@ -475,26 +491,16 @@ front end configuration .SH "EXAMPLES" .nf .RS 0n -# -# Default @sysconfdir@/sudo.conf file -# -# Format: -# Plugin plugin_name plugin_path plugin_options ... -# Path askpass /path/to/askpass -# Path noexec /path/to/sudo_noexec.so -# Debug sudo /var/log/sudo_debug all@warn -# Set disable_coredump true -# -# The plugin_path is relative to @PLUGINDIR@ unless -# fully qualified. -# The plugin_name corresponds to a global symbol in the plugin -# that contains the plugin interface structure. -# The plugin_options are optional. -# -# The sudoers plugin is used by default if no Plugin lines are -# present. -Plugin policy_plugin sudoers.so -Plugin io_plugin sudoers.so +# # Default @sysconfdir@/sudo.conf file # # Format: # Plugin +plugin_name plugin_path plugin_options ... # Path askpass +/path/to/askpass # Path noexec /path/to/sudo_noexec.so # Debug +sudo /var/log/sudo_debug all@warn # Set disable_coredump true # +# The plugin_path is relative to @PLUGINDIR@ unless # fully +qualified. # The plugin_name corresponds to a global symbol in the +plugin # that contains the plugin interface structure. # The +plugin_options are optional. # # The sudoers plugin is used by +default if no Plugin lines are # present. Plugin policy_plugin +sudoers.so Plugin io_plugin sudoers.so # # Sudo askpass: diff --git a/doc/sudo.conf.mdoc.in b/doc/sudo.conf.mdoc.in index 6e536f90e..bd7c785ef 100644 --- a/doc/sudo.conf.mdoc.in +++ b/doc/sudo.conf.mdoc.in @@ -14,7 +14,7 @@ .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd February 7, 2013 +.Dd February 14, 2013 .Dt SUDO @mansectform@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME 
@@ -316,6 +316,21 @@ Set group_source static This setting is only available in .Nm sudo version 1.8.7 and higher. +.It max_groups +The maximum number of user groups to retrieve from the group database. +This setting is only used when querying the group database directly. +It is intended to be used on systems where it is not possible to detect +when the array to be populated with group entries is not sufficiently large. +By default, +.Nm sudo +will allocate four times the system's maximum number of groups (see above) +and retry with double that number if the group database query fails. +However, some systems just return as many entries as will fit and +do not indicate an error when there is a lack of space. +.Pp +This setting is only available in +.Nm sudo +version 1.8.7 and higher. .El .Ss Debug flags .Nm sudo @@ -330,8 +345,8 @@ line consists of the .Li Debug keyword, followed by the name of the program (or plugin) to debug .Pq Nm sudo , Nm visudo , Nm sudoreplay , Nm sudoers , -the debug file name and a comma-separated list of debug flags. -The debug flag syntax used by +the debug file name and a comma-separated list of debug flags. The +debug flag syntax used by .Nm sudo and the .Nm sudoers @@ -354,16 +369,14 @@ level for the plugin subsystem. .Pp Currently, only one .Li Debug -entry per program is supported. -The +entry per program is supported. The .Nm sudo .Li Debug entry is shared by the .Nm sudo front end, .Nm sudoedit -and the plugins. -A future release may add support for per-plugin +and the plugins. A future release may add support for per-plugin .Li Debug lines and/or support for multiple debugging files for a single program. @@ -375,8 +388,7 @@ front end, in order of decreasing severity, are: and .Em debug . Each priority, when specified, also includes all priorities higher -than it. -For example, a priority of +than it. For example, a priority of .Em notice would include debug messages logged at .Em notice 
@@ -426,26 +438,16 @@ front end configuration .El .Sh EXAMPLES .Bd -literal -# -# Default @sysconfdir@/sudo.conf file -# -# Format: -# Plugin plugin_name plugin_path plugin_options ... -# Path askpass /path/to/askpass -# Path noexec /path/to/sudo_noexec.so -# Debug sudo /var/log/sudo_debug all@warn -# Set disable_coredump true -# -# The plugin_path is relative to @PLUGINDIR@ unless -# fully qualified. -# The plugin_name corresponds to a global symbol in the plugin -# that contains the plugin interface structure. -# The plugin_options are optional. -# -# The sudoers plugin is used by default if no Plugin lines are -# present. -Plugin policy_plugin sudoers.so -Plugin io_plugin sudoers.so +# # Default @sysconfdir@/sudo.conf file # # Format: # Plugin +plugin_name plugin_path plugin_options ... # Path askpass +/path/to/askpass # Path noexec /path/to/sudo_noexec.so # Debug +sudo /var/log/sudo_debug all@warn # Set disable_coredump true # +# The plugin_path is relative to @PLUGINDIR@ unless # fully +qualified. # The plugin_name corresponds to a global symbol in the +plugin # that contains the plugin interface structure. # The +plugin_options are optional. # # The sudoers plugin is used by +default if no Plugin lines are # present. Plugin policy_plugin +sudoers.so Plugin io_plugin sudoers.so # # Sudo askpass: diff --git a/include/sudo_conf.h b/include/sudo_conf.h index 974e28020..a855e2091 100644 --- a/include/sudo_conf.h +++ b/include/sudo_conf.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2011 Todd C. Miller + * Copyright (c) 2011-2013 Todd C. Miller * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -43,5 +43,6 @@ const char *sudo_conf_debug_flags(void); struct plugin_info_list *sudo_conf_plugins(void); bool sudo_conf_disable_coredump(void); int sudo_conf_group_source(void); +int sudo_conf_max_groups(void); #endif /* _SUDO_CONF_H */