From: Todd C. Miller Date: Tue, 10 Mar 2009 20:44:05 +0000 (+0000) Subject: Add support for AIX netsvc.conf (like nsswitch.conf). X-Git-Tag: SUDO_1_7_1~23 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=838cb6108680cd46ee742a3abaa7c18b5c5e477d;p=sudo Add support for AIX netsvc.conf (like nsswitch.conf). --- diff --git a/configure b/configure index b185e2d15..8f5ba2764 100755 --- a/configure +++ b/configure @@ -865,6 +865,7 @@ path_info ldap_conf ldap_secret nsswitch_conf +netsvc_conf EGREPPROG CC ac_ct_CC @@ -1588,6 +1589,7 @@ Optional Packages: --with-pic try to use only PIC/non-PIC objects [default=use both] --with-noexec=PATH fully qualified pathname of sudo_noexec.so + --with-netsvc[=PATH] path to netsvc.conf Some influential environment variables: CC C compiler command @@ -2102,6 +2104,7 @@ echo "$as_me: Configuring Sudo version 1.7" >&6;} + timeout=5 @@ -3598,15 +3601,6 @@ if test "${with_nsswitch+set}" = set; then esac fi -if test ${with_nsswitch-"yes"} != "no"; then - cat >>confdefs.h < conftest.$ac_ext + echo '#line 6210 "configure"' > conftest.$ac_ext if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? @@ -8072,11 +8066,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:8075: $lt_compile\"" >&5) + (eval echo "\"\$as_me:8069: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:8079: \$? = $ac_status" >&5 + echo "$as_me:8073: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. 
@@ -8362,11 +8356,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:8365: $lt_compile\"" >&5) + (eval echo "\"\$as_me:8359: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:8369: \$? = $ac_status" >&5 + echo "$as_me:8363: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -8466,11 +8460,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:8469: $lt_compile\"" >&5) + (eval echo "\"\$as_me:8463: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:8473: \$? = $ac_status" >&5 + echo "$as_me:8467: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -10826,7 +10820,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext < conftest.$ac_ext <>confdefs.h <>confdefs.h <&5 diff --git a/configure.in b/configure.in index 141804fab..d2ed73455 100644 --- a/configure.in +++ b/configure.in @@ -83,6 +83,7 @@ AC_SUBST(path_info) AC_SUBST(ldap_conf) AC_SUBST(ldap_secret) AC_SUBST(nsswitch_conf) +AC_SUBST(netsvc_conf) dnl dnl Initial values for above dnl 
@@ -945,12 +946,6 @@ AC_ARG_WITH(nsswitch, [ --with-nsswitch[[=PATH]] path to nsswitch.conf], ;; *) ;; esac]) -if test ${with_nsswitch-"yes"} != "no"; then - SUDO_DEFINE_UNQUOTED(_PATH_NSSWITCH_CONF, "${with_nsswitch-/etc/nsswitch.conf}") - nsswitch_conf=${with_nsswitch-/etc/nsswitch.conf} -else - nsswitch_conf='/etc/nsswitch.conf' -fi AC_ARG_WITH(ldap, [ --with-ldap[[=DIR]] enable LDAP support], [case $with_ldap in @@ -1363,6 +1358,18 @@ case "$host" in AC_CHECK_FUNCS(authenticate, [AUTH_EXCL_DEF="AIX_AUTH"]) fi + # AIX analog of nsswitch.conf, enabled by default + AC_ARG_WITH(netsvc, [ --with-netsvc[[=PATH]] path to netsvc.conf], + [case $with_netsvc in + no) ;; + yes) with_netsvc="/etc/netsvc.conf" + ;; + *) ;; + esac]) + if test -z "$with_nsswitch" -a -z "$with_netsvc"; then + with_netsvc="/etc/netsvc.conf" + fi + # AIX-specific functions AC_CHECK_FUNCS(getuserattr) SUDO_OBJS="$SUDO_OBJS aix.o" @@ -1888,6 +1895,19 @@ AC_CHECK_FUNCS(getprogname, , [ AC_MSG_RESULT($sudo_cv___progname) ]) +dnl +dnl nsswitch.conf and its equivalents +dnl +netsvc_conf='/etc/netsvc.conf' +nsswitch_conf='/etc/nsswitch.conf' +if test ${with_netsvc-"no"} != "no"; then + SUDO_DEFINE_UNQUOTED(_PATH_NETSVC_CONF, "${with_netsvc-/etc/netsvc.conf}") + netsvc_conf=${with_netsvc-/etc/netsvc.conf} +elif test ${with_nsswitch-"yes"} != "no"; then + SUDO_DEFINE_UNQUOTED(_PATH_NSSWITCH_CONF, "${with_nsswitch-/etc/nsswitch.conf}") + nsswitch_conf=${with_nsswitch-/etc/nsswitch.conf} +fi + dnl dnl Mutually exclusive auth checks come first, followed by dnl non-exclusive ones. Note: passwd must be last of all! diff --git a/pathnames.h.in b/pathnames.h.in index f10571756..e10ea4e0d 100644 --- a/pathnames.h.in +++ b/pathnames.h.in @@ -127,3 +127,7 @@ #ifndef _PATH_NSSWITCH_CONF #undef _PATH_NSSWITCH_CONF #endif /* _PATH_NSSWITCH_CONF */ + +#ifndef _PATH_NETSVC_CONF +#undef _PATH_NETSVC_CONF +#endif /* _PATH_NETSVC_CONF */ diff --git a/sudo.c b/sudo.c index f0c94984a..66e5417b0 100644 --- a/sudo.c 
+++ b/sudo.c
@@ -345,9 +345,15 @@ main(argc, argv, envp)
 tq_foreach_fwd(snl, nss) {
 validated = nss->lookup(nss, validated, pwflag);
- /* Handle [NOTFOUND=return] */
- if (!ISSET(validated, VALIDATE_OK) && nss->ret_notfound)
- break;
+ if (ISSET(validated, VALIDATE_OK)) {
+ /* Handle "= auth" in netsvc.conf */
+ if (nss->ret_if_found)
+ break;
+ } else {
+ /* Handle [NOTFOUND=return] */
+ if (nss->ret_if_notfound)
+ break;
+ }
 }
 if (safe_cmnd == NULL)
 safe_cmnd = estrdup(user_cmnd);
diff --git a/sudo_nss.c b/sudo_nss.c
index 62705a524..d538e2a59 100644
--- a/sudo_nss.c
+++ b/sudo_nss.c
@@ -39,6 +39,7 @@
 #endif /* HAVE_UNISTD_H */
 #include
 #include
+#include
 #include "sudo.h"
 #include "lbuf.h"
@@ -89,7 +90,7 @@ sudo_read_nss()
 got_match = TRUE;
 } else if (strcasecmp(cp, "[NOTFOUND=return]") == 0 && got_match) {
 /* NOTFOUND affects the most recent entry */
- tq_last(&snl)->ret_notfound = TRUE;
+ tq_last(&snl)->ret_if_notfound = TRUE;
 got_match = FALSE;
 } else
 got_match = FALSE;
@@ -109,6 +110,85 @@ nomatch:
 #else /* HAVE_LDAP && _PATH_NSSWITCH_CONF */
+# if defined(HAVE_LDAP) && defined(_PATH_NETSVC_CONF)
+
+/*
+ * Read in /etc/netsvc.conf (like nsswitch.conf on AIX)
+ * Returns a tail queue of matches.
+ */
+struct sudo_nss_list *
+sudo_read_nss()
+{
+ FILE *fp;
+ char *cp, *ep;
+ int saw_files = FALSE;
+ int saw_ldap = FALSE;
+ int got_match = FALSE;
+ static struct sudo_nss_list snl;
+
+ if ((fp = fopen(_PATH_NETSVC_CONF, "r")) == NULL)
+ goto nomatch;
+
+ while ((cp = sudo_parseln(fp)) != NULL) {
+ /* Skip blank or comment lines */
+ if (*cp == '\0')
+ continue;
+
+ /* Look for a line starting with "sudoers = " */
+ if (strncasecmp(cp, "sudoers", 7) != 0)
+ continue;
+ cp += 7;
+ while (isspace((unsigned char)*cp))
+ cp++;
+ if (*cp++ != '=')
+ continue;
+
+ /* Parse line */
+ for ((cp = strtok(cp, ",")); cp != NULL; (cp = strtok(NULL, ","))) {
+ /* Trim leading whitespace. */
+ while (isspace((unsigned char)*cp))
+ cp++;
+
+ if (!saw_files && strncasecmp(cp, "files", 5) == 0 &&
+ (isspace((unsigned char)cp[5]) || cp[5] == '\0')) {
+ tq_append(&snl, &sudo_nss_file);
+ got_match = TRUE;
+ ep = &cp[5];
+ } else if (!saw_ldap && strncasecmp(cp, "ldap", 4) == 0 &&
+ (isspace((unsigned char)cp[4]) || cp[4] == '\0')) {
+ tq_append(&snl, &sudo_nss_ldap);
+ got_match = TRUE;
+ ep = &cp[4];
+ } else {
+ got_match = FALSE;
+ }
+
+ /* check for = auth qualifier */
+ if (got_match && *ep) {
+ cp = ep;
+ while (isspace((unsigned char)*cp) || *cp == '=')
+ cp++;
+ if (strncasecmp(cp, "auth", 4) == 0 &&
+ (isspace((unsigned char)cp[4]) || cp[4] == '\0')) {
+ tq_last(&snl)->ret_if_found = TRUE;
+ }
+ }
+ }
+ /* Only parse the first "sudoers" line */
+ break;
+ }
+ fclose(fp);
+
+nomatch:
+ /* Default to files only if no matches */
+ if (tq_empty(&snl))
+ tq_append(&snl, &sudo_nss_file);
+
+ return(&snl);
+}
+
+# else /* !_PATH_NETSVC_CONF && !_PATH_NSSWITCH_CONF */
+
 /*
 * Non-nsswitch.conf version with hard-coded order.
 */
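Review bot: `saw_files` and `saw_ldap` are initialised to FALSE and tested in the `if (!saw_files && ...)` and `else if (!saw_ldap && ...)` conditions of the new netsvc.conf sudo_read_nss(), but nothing in the function ever sets them, so a line such as `sudoers = files, files` appends `sudo_nss_file` to the tail queue twice. Because the appended nodes are static singletons, linking the same node behind itself presumably leaves the list self-referencing, which the tq_foreach_fwd loop in main() would then walk without terminating; adding `saw_files = TRUE;` after the files append and `saw_ldap = TRUE;` after the ldap append closes this. Separately, the `# else /* !_PATH_NETSVC_CONF && !_PATH_NSSWITCH_CONF */` comment does not describe the branch it closes, since any build where `defined(HAVE_LDAP) && defined(_PATH_NETSVC_CONF)` is false lands here; the matching `# endif` in the next hunk already uses the accurate form `/* !HAVE_LDAP || !_PATH_NETSVC_CONF */`.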
@@ -117,14 +197,16 @@ sudo_read_nss()
 {
 static struct sudo_nss_list snl;
-# ifdef HAVE_LDAP
+ # ifdef HAVE_LDAP
 tq_append(&snl, &sudo_nss_ldap);
-# endif
+ # endif
 tq_append(&snl, &sudo_nss_file);
 return(&snl);
 }
+# endif /* !HAVE_LDAP || !_PATH_NETSVC_CONF */
+
 #endif /* HAVE_LDAP && _PATH_NSSWITCH_CONF */
 /* Reset user_groups based on passwd entry. */
diff --git a/sudo_nss.h b/sudo_nss.h
index 88c7535ff..205d13946 100644
--- a/sudo_nss.h
+++ b/sudo_nss.h
@@ -32,7 +32,8 @@ struct sudo_nss {
 int (*display_bound_defaults) __P((struct sudo_nss *nss, struct passwd *, struct lbuf *));
 int (*display_privs) __P((struct sudo_nss *nss, struct passwd *, struct lbuf *));
 void *handle;
- int ret_notfound;
+ short ret_if_found;
+ short ret_if_notfound;
 };
 TQ_DECLARE(sudo_nss)
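Review bot: The two new `short` flags in struct sudo_nss carry no comment, and their meaning is only recoverable from the sudo.c hunk that consumes them, where each one ends the lookup chain under a different outcome. Suggest `short ret_if_found; /* stop after a successful lookup (netsvc.conf "= auth") */` and `short ret_if_notfound; /* stop after a failed lookup (nsswitch.conf [NOTFOUND=return]) */` so a reader of the header does not need main() to tell them apart. The struct's opening line is the hunk's header context, so its start lies outside the hunk.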