From: Todd C. Miller Date: Mon, 24 Sep 2012 14:09:41 +0000 (-0400) Subject: Add rudimentary support for name-based matching as a compile-time X-Git-Tag: SUDO_1_8_7~1^2~384 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=6a25affb474b6ff2ec35e434363c81930f3bbe29;p=sudo Add rudimentary support for name-based matching as a compile-time option. This unsafe when used in conjunction with the '!' operator.
---
diff --git a/plugins/sudoers/match.c b/plugins/sudoers/match.c
index aa86135d5..f7b69689e 100644
--- a/plugins/sudoers/match.c
+++ b/plugins/sudoers/match.c
@@ -88,7 +88,9 @@ static struct member_list empty;
 static bool command_matches_dir(char *, size_t);
+#ifndef NAME_MATCH
 static bool command_matches_glob(char *, char *);
+#endif
 static bool command_matches_fnmatch(char *, char *);
 static bool command_matches_normal(char *, char *);
@@ -435,9 +437,13 @@ command_matches(char *sudoers_cmnd, char *sudoers_args)
 * If sudoers_cmnd has meta characters in it, we need to
 * use glob(3) and/or fnmatch(3) to do the matching.
 */
+#ifdef NAME_MATCH
+ debug_return_bool(command_matches_fnmatch(sudoers_cmnd, sudoers_args));
+#else
 if (def_fast_glob)
 debug_return_bool(command_matches_fnmatch(sudoers_cmnd, sudoers_args));
 debug_return_bool(command_matches_glob(sudoers_cmnd, sudoers_args));
+#endif
 }
 debug_return_bool(command_matches_normal(sudoers_cmnd, sudoers_args));
 }
@@ -465,6 +471,7 @@ command_matches_fnmatch(char *sudoers_cmnd, char *sudoers_args)
 debug_return_bool(false);
 }
+#ifndef NAME_MATCH
 static bool
 command_matches_glob(char *sudoers_cmnd, char *sudoers_args)
 {
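Review bot: In the `@@ -435,9 +437,13 @@` hunk of command_matches(), the comment above the new `#ifdef NAME_MATCH` still says glob(3) and/or fnmatch(3) do the matching, but with NAME_MATCH defined only command_matches_fnmatch() is reachable and `def_fast_glob` is never read. Someone auditing a NAME_MATCH build would otherwise assume the fast_glob setting still selects the matcher, so the branch should say so: `/* NAME_MATCH: the pattern is compared against the path text with fnmatch(3) only; fast_glob has no effect. */`. command_matches() begins outside this hunk, so how sudoers_cmnd is prepared before this point is not visible here.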
@@ -535,7 +542,30 @@ command_matches_glob(char *sudoers_cmnd, char *sudoers_args)
 }
 debug_return_bool(false);
 }
+#endif /* NAME_MATCH */
+
+#ifdef NAME_MATCH
+static int
+command_matches_normal(char *sudoers_cmnd, char *sudoers_args)
+{
+ size_t dlen;
+
+ dlen = strlen(sudoers_cmnd);
+
+ /* If it ends in '/' it is a directory spec. */
+ if (sudoers_cmnd[dlen - 1] == '/')
+ return command_matches_dir(sudoers_cmnd, dlen);
+ if (strcmp(user_cmnd, sudoers_cmnd) == 0) {
+ if (command_args_match(sudoers_cmnd, sudoers_args)) {
+ efree(safe_cmnd);
+ safe_cmnd = estrdup(sudoers_cmnd);
+ return true;
+ }
+ }
+ return false;
+}
+#else /* !NAME_MATCH */
 static bool
 command_matches_normal(char *sudoers_cmnd, char *sudoers_args)
 {
@@ -575,7 +605,19 @@ command_matches_normal(char *sudoers_cmnd, char *sudoers_args)
 }
 debug_return_bool(false);
 }
+#endif /* NAME_MATCH */
+#ifdef NAME_MATCH
+/*
+ * Return true if user_cmnd begins with sudoers_dir, else false.
+ * Note that sudoers_dir include the trailing '/'
+ */
+static int
+command_matches_dir(char *sudoers_dir, size_t dlen)
+{
+ return strncmp(user_cmnd, sudoers_dir, dlen) == 0;
+}
+#else /* !NAME_MATCH */
 /*
 * Return true if user_cmnd names one of the inodes in dir, else false.
 */
@@ -621,6 +663,7 @@ command_matches_dir(char *sudoers_dir, size_t dlen)
 closedir(dirp);
 debug_return_bool(dent != NULL);
 }
+#endif /* NAME_MATCH */
 /*
 * Returns true if the hostname matches the pattern, else false
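Review bot: The NAME_MATCH definition of command_matches_normal() in the `@@ -535,7 +542,30 @@` hunk is declared `static int`, while the forward declaration left unconditional in the first hunk is `static bool command_matches_normal(char *, char *);`. Unless `bool` resolves to `int` on the build platform, a NAME_MATCH build fails with conflicting types, and the same mismatch applies to command_matches_dir() in the `@@ -575,7 +605,19 @@` hunk; both definitions should read `static bool`. Separately, `sudoers_cmnd[dlen - 1]` reads one byte before the string when it is empty, so if the parser does not guarantee a non-empty command the test should be `if (dlen != 0 && sudoers_cmnd[dlen - 1] == '/')`.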
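Review bot: The NAME_MATCH command_matches_dir() in the `@@ -575,7 +605,19 @@` hunk accepts any user_cmnd that merely starts with the directory string, which is broader than the inode variant, whose comment says it matches "one of the inodes in dir". A path with further `/` components after the prefix (a subdirectory, or `..` segments if user_cmnd is not canonicalised before this point) also passes the test. Limiting the match to direct entries keeps a directory rule closer to its documented meaning: `return strncmp(user_cmnd, sudoers_dir, dlen) == 0 && strchr(user_cmnd + dlen, '/') == NULL;`. The header comment should also state that the comparison is purely textual and resolves neither symlinks nor relative components. The non-NAME_MATCH body lies outside the hunk, so whether it records safe_cmnd (this variant does not) cannot be checked from here.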