From: Todd C. Miller
Date: Sun, 14 Mar 2010 23:58:47 +0000 (-0400)
Subject: Initial bits of sudoers plugin; still needs work.
X-Git-Tag: SUDO_1_8_0~820
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=9b0205846b796aa4dbf562a367962d4d7af21616;p=sudo

Initial bits of sudoers plugin; still needs work.
---
diff --git a/plugins/sudoers/Makefile.in b/plugins/sudoers/Makefile.in
index d422fab0d..bfb9cc5f6 100644
--- a/plugins/sudoers/Makefile.in
+++ b/plugins/sudoers/Makefile.in
@@ -1,6 +1,5 @@
 #
-# Copyright (c) 1996, 1998-2005, 2007-2009
-# Todd C. Miller
+# Copyright (c) 2010 Todd C. Miller
 #
 # Permission to use, copy, modify, and distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
@@ -15,10 +14,6 @@
 # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 # ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 #
-# Sponsored in part by the Defense Advanced Research Projects
-# Agency (DARPA) and Air Force Research Laboratory, Air Force
-# Materiel Command, USAF, under agreement number F39502-99-1-0512.
-#
 #
 # @configure_input@
 #
@@ -27,34 +22,29 @@ srcdir = @srcdir@ devdir = @devdir@ authdir = $(srcdir)/auth -top_builddir = . +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +incdir = $(top_srcdir)/include +compat = $(top_srcdir)/compat # Compiler & tools to use CC = @CC@ -FLEX = @FLEX@ -YACC = @YACC@ -NROFF = nroff -Tascii LIBTOOL = @LIBTOOL@ -AR=@AR@ -RANLIB=@RANLIB@ # Our install program supports extra flags... -INSTALL = $(SHELL) $(srcdir)/install-sh -c +INSTALL = $(SHELL) $(top_srcdir)/install-sh -c # Libraries -LIBS = @LIBS@ -NET_LIBS = @NET_LIBS@ -SUDO_LIBS = @SUDO_LIBS@ @AFS_LIBS@ @GETGROUPS_LIB@ $(LIBS) $(NET_LIBS) +LIBS = # C preprocessor flags -CPPFLAGS = -I. -I$(srcdir) @CPPFLAGS@ +CPPFLAGS = -I$(incdir) -I$(top_builddir) -I$(srcdir) @CPPFLAGS@ # Usually -O and/or -g CFLAGS = @CFLAGS@ # Flags to pass to the link stage -LDFLAGS = -L. @LDFLAGS@ -SUDO_LDFLAGS = @SUDO_LDFLAGS@ $(LDFLAGS) +LDFLAGS = # Where to install things... prefix = @prefix@ @@ -64,30 +54,11 @@ sbindir = @sbindir@ sysconfdir = @sysconfdir@ libexecdir = @libexecdir@ datarootdir = @datarootdir@ -mandir = @mandir@ -noexecfile = @NOEXECFILE@ -noexecdir = @NOEXECDIR@ - -# Directory in which to install sudo. -sudodir = $(bindir) - -# Directory in which to install visudo -visudodir = $(sbindir) +plugindir = @PLUGINDIR@ # Directory in which to install the sudoers file sudoersdir = $(sysconfdir) -# Directory in which to install the man page -mantype = @MANTYPE@ -mansectsu = @mansectsu@ -mansectform = @mansectform@ -mandirsu = $(mandir)/$(mantype)$(mansectsu) -mandirform = $(mandir)/$(mantype)$(mansectform) - -# User and group ids the installed files should be "owned" by -install_uid = 0 -install_gid = 0 - # User, group, and mode the sudoers file should be "owned" by (configure) sudoers_uid = @SUDOERS_UID@ sudoers_gid = @SUDOERS_GID@ 
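Review bot: `LIBS =` and `LDFLAGS =` in this hunk replace the configure substitutions `@LIBS@` and `@LDFLAGS@` with empty values, so whatever configure detected for the auth backends (the PAM, Kerberos and LDAP objects are still listed in AUTH_OBJS/SUDOERS_OBJS further down) never reaches the link of sudoers.la, which passes only `$(LDFLAGS)` and no `$(LIBS)` at all. Presumably this is part of the "still needs work" state; if the plugin is meant to resolve its own library symbols, keep `LIBS = @LIBS@` and `LDFLAGS = @LDFLAGS@` and add `$(LIBS)` to the sudoers.la link line, and if the libraries are instead deferred to the front end a one-line comment saying so would stop the next reader from re-adding them. The hunk also drops `install_uid`/`install_gid` while the new install-plugin target later in the file has no owner/group to pass, which is worth deciding here rather than leaving implicit.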
@@ -100,86 +71,38 @@ DEFS = @OSDEFS@ -D_PATH_SUDOERS=\"$(sudoersdir)/sudoers\" -DSUDOERS_UID=$(sudoer SHELL = /bin/sh -PROGS = @PROGS@ - -SRCS = aix.c alias.c alloc.c audit.c boottime.c bsm_audit.c check.c \ - closefrom.c def_data.c defaults.c env.c error.c fileops.c find_path.c \ - fnmatch.c getcwd.c getprogname.c getspwuid.c gettime.c glob.c \ - goodpath.c gram.c gram.y interfaces.c isblank.c lbuf.c ldap.c list.c \ - logging.c match.c mkstemp.c memrchr.c nanosleep.c parse.c pwutil.c \ - pty.c script.c set_perms.c sigaction.c snprintf.c strcasecmp.c \ - strerror.c strlcat.c strlcpy.c strsignal.c sudo.c sudo_noexec.c \ - sudo_edit.c sudo_nss.c term.c testsudoers.c tgetpass.c toke.c toke.l \ - tsgetgrpw.c utimes.c vasgroups.c visudo.c zero_bytes.c redblack.c \ - selinux.c sesh.c sudoreplay.c getdate.c getdate.y getline.c \ - timestr.c $(AUTH_SRCS) - -AUTH_SRCS = auth/afs.c auth/aix_auth.c auth/bsdauth.c auth/dce.c auth/fwtk.c \ - auth/kerb4.c auth/kerb5.c auth/pam.c auth/passwd.c auth/rfc1938.c \ - auth/secureware.c auth/securid.c auth/securid5.c auth/sia.c \ - auth/sudo_auth.c - -HDRS = alloc.h bsm_audit.h compat.h def_data.h defaults.h error.h ins_2001.h \ - ins_classic.h ins_csops.h ins_goons.h insults.h interfaces.h lbuf.h \ - list.h logging.h missing.h nonunix.h redblack.h parse.h sudo.h \ - sudo_nss.h gram.h auth/sudo_auth.h emul/charclass.h emul/fnmatch.h \ - emul/glob.h emul/timespec.h emul/utime.h +# XXX - configure will substitute in .o files not .lo files +AUTH_OBJS = sudo_auth.lo @AUTH_OBJS@ -AUTH_OBJS = sudo_auth.o @AUTH_OBJS@ +COMMON_OBJS = alias.lo atobool.lo defaults.lo gram.lo \ + list.lo match.lo pwutil.lo timestr.lo toke.lo redblack.lo \ + zero_bytes.lo @NONUNIX_GROUPS_IMPL@ -COMMON_OBJS = alias.o alloc.o defaults.o error.o getline.o gram.o \ - list.o match.o pwutil.o timestr.o toke.o redblack.o \ - term.o zero_bytes.o @NONUNIX_GROUPS_IMPL@ +# XXX - add @SUDOERS_OBJS@ in configure.in +SUDOERS_OBJS = $(AUTH_OBJS) alloc.lo boottime.lo check.lo 
fmt_string.lo \ + error.lo env.lo getspwuid.lo gettime.lo goodpath.lo fileops.lo \ + find_path.lo interfaces.lo lbuf.lo logging.lo parse.lo \ + set_perms.lo sudoers.lo sudo_nss.lo @SUDOERS_OBJS@ -SUDO_OBJS = $(AUTH_OBJS) @SUDO_OBJS@ audit.o boottime.o check.o \ - env.o getspwuid.o gettime.o goodpath.o fileops.o find_path.o \ - interfaces.o lbuf.o logging.o parse.o set_perms.o sudo.o \ - sudo_edit.o sudo_nss.o tgetpass.o +LIBOBJDIR = $(top_srcdir)/@ac_config_libobj_dir@/ -VISUDO_OBJS = visudo.o fileops.o gettime.o goodpath.o find_path.o - -REPLAY_OBJS = getdate.o sudoreplay.o - -TEST_OBJS = interfaces.o testsudoers.o tsgetgrpw.o - -LIB_OBJS = @LIBOBJS@ +LTLIBOBJS = $(top_srcdir)/@ac_config_libobj_dir@/libmissing_pic.a VERSION = @PACKAGE_VERSION@ -DISTFILES = $(SRCS) $(HDRS) ChangeLog HISTORY INSTALL INSTALL.configure \ - LICENSE Makefile.in PORTING README README.LDAP TROUBLESHOOTING \ - UPGRADE WHATSNEW aclocal.m4 acsite.m4 aixcrypt.exp config.guess \ - config.h.in config.sub configure configure.in def_data.in \ - indent.pro install-sh ltmain.sh mkdefaults mkinstalldirs \ - pathnames.h.in sample.pam sample.syslog.conf sample.sudoers \ - schema.ActiveDirectory schema.OpenLDAP schema.iPlanet sudo.cat \ - sudo.man.in sudo.pod sudo.psf sudo_usage.h.in sudoers sudoers.cat \ - sudoers.man.in sudoers.pod sudoers.ldap.cat sudoers.ldap.man.in \ - sudoers.ldap.pod sudoers2ldif sudoreplay.cat sudoreplay.man.in \ - sudoreplay.pod visudo.cat visudo.man.in visudo.pod auth/API \ - sudo.man.pl sudoers.man.pl - -BINFILES= ChangeLog HISTORY LICENSE README TROUBLESHOOTING \ - UPGRADE install-sh mkinstalldirs sample.syslog.conf sample.sudoers \ - sudo sudo.cat sudo.man sudo.pod sudoers sudoers.cat sudoers.man \ - sudoers.pod sudoreplay.cat sudoreplay.man sudoreplay.pod \ - visudo visudo.cat visudo.man visudo.pod - -BINSPECIAL= INSTALL.binary Makefile.binary.in libtool - -SUDODEP = $(srcdir)/sudo.h $(srcdir)/alloc.h $(srcdir)/compat.h \ - $(srcdir)/defaults.h $(srcdir)/error.h 
$(srcdir)/list.h \ - $(srcdir)/logging.h $(srcdir)/missing.h $(srcdir)/sudo_nss.h \ - $(devdir)/def_data.h pathnames.h config.h +SUDODEP = $(srcdir)/sudoers.h $(incdir)/compat.h \ + $(srcdir)/defaults.h $(incdir)/error.h $(incdir)/list.h \ + $(srcdir)/logging.h $(incdir)/missing.h $(srcdir)/sudo_nss.h \ + $(devdir)/def_data.h $(top_builddir)/pathnames.h $(top_builddir)/config.h AUTHDEP = $(SUDODEP) $(authdir)/sudo_auth.h INSDEP = $(srcdir)/ins_2001.h $(srcdir)/ins_classic.h $(srcdir)/ins_csops.h \ $(srcdir)/ins_goons.h $(srcdir)/insults.h -all: $(PROGS) +all: sudoers.la -.SUFFIXES: .o .c .h .l .y .man .cat .lo +.SUFFIXES: .o .c .h .lo .c.o: $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $< 
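Review bot: `LIBOBJDIR` is defined in this hunk but nothing visible on the new side references it, while `LTLIBOBJS` hard-codes a prebuilt archive, `$(top_srcdir)/@ac_config_libobj_dir@/libmissing_pic.a`, under the source tree rather than `$(top_builddir)`, so an out-of-tree build would look for a build product in the source directory. Either drop `LIBOBJDIR` or use it, `LTLIBOBJS = $(LIBOBJDIR)libmissing_pic.a`, and consider rooting it at `$(top_builddir)` if the archive is produced by the build rather than shipped. Separately, `.SUFFIXES` drops `.l .y` and SUDOERS_OBJS/COMMON_OBJS still list `gram.lo`, `toke.lo` and `defaults.lo`, whose rules in the next hunk depend on `$(devdir)/gram.c`, `$(devdir)/toke.c` and `$(srcdir)/def_data.c` while the `@DEV@` yacc/flex/mkdefaults rules that produced them are removed in that same hunk; unless they are now generated elsewhere, a comment saying where (or keeping those rules) would avoid a silently stale parser.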
@@ -187,316 +110,133 @@ all: $(PROGS) .c.lo: $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $< -.man.cat: - @rm -f $@ - sed '1s/^/.if n .ll 78n/' $< | $(NROFF) -man > $@ - -libsudo.a: $(LIB_OBJS) $(COMMON_OBJS) - $(AR) rv $@ $(LIB_OBJS) $(COMMON_OBJS) - $(RANLIB) $@ - -sudo: libsudo.a $(SUDO_OBJS) - $(CC) -o $@ $(SUDO_OBJS) $(SUDO_LDFLAGS) -lsudo $(SUDO_LIBS) @ZLIB@ - -visudo: libsudo.a $(VISUDO_OBJS) - $(CC) -o $@ $(VISUDO_OBJS) $(LDFLAGS) -lsudo $(LIBS) $(NET_LIBS) - -sudoreplay: libsudo.a $(REPLAY_OBJS) - $(CC) -o $@ $(REPLAY_OBJS) $(LDFLAGS) -lsudo $(LIBS) @ZLIB@ - -testsudoers: $(TEST_OBJS) - $(CC) -o $@ $(TEST_OBJS) $(LDFLAGS) -lsudo $(LIBS) $(NET_LIBS) - -sudo_noexec.lo: $(srcdir)/sudo_noexec.c - $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/sudo_noexec.c - -sudo_noexec.la: sudo_noexec.lo - $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -o $@ sudo_noexec.lo -avoid-version -rpath $(noexecdir) - -# Uncomment the following if you want "make distclean" to clean the parser -@DEV@GENERATED = gram.h gram.c toke.c def_data.c def_data.h getdate - -# Uncomment the lines before -@true if you intend to modify gram.y -$(devdir)/gram.c $(devdir)/gram.h: $(srcdir)/gram.y -@DEV@ $(YACC) -d $(srcdir)/gram.y -@DEV@ mv -f y.tab.c gram.c -@DEV@ if cmp -s y.tab.h gram.h; then rm -f y.tab.h; else mv -f y.tab.h gram.h; fi - -@true - -# Uncomment the lines before -@true if you intend to modify toke.l -$(devdir)/toke.c: $(srcdir)/toke.l -@DEV@ $(FLEX) $(srcdir)/toke.l -@DEV@ mv -f lex.yy.c toke.c - -@true - -# Uncomment the lines before -@true if you intend to modify getdate.y -$(devdir)/getdate.c: $(srcdir)/getdate.y -@DEV@ echo "expect 10 shift/reduce conflicts" -@DEV@ $(YACC) $(srcdir)/getdate.y -@DEV@ mv -f y.tab.c getdate.c - -@true - -# Uncomment the following if you intend to modify def_data.in -@DEV@$(devdir)/def_data.h $(devdir)/def_data.c: $(srcdir)/def_data.in -@DEV@ perl $(srcdir)/mkdefaults -o def_data 
$(srcdir)/def_data.in - -# Dependencies (not counting auth functions) -aix.o: $(srcdir)/aix.c - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/aix.c -alias.o: $(srcdir)/alias.c $(SUDODEP) $(srcdir)/parse.h $(srcdir)/list.h $(srcdir)/redblack.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/alias.c -alloc.o: $(srcdir)/alloc.c $(SUDODEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/alloc.c -audit.o: $(srcdir)/audit.c $(SUDODEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/audit.c -boottime.o: $(srcdir)/boottime.c config.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/boottime.c -bsm_audit.o: $(srcdir)/bsm_audit.c $(SUDODEP) bsm_audit.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/bsm_audit.c -check.o: $(srcdir)/check.c $(SUDODEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/check.c -closefrom.o: $(srcdir)/closefrom.c config.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/closefrom.c -defaults.o: $(srcdir)/defaults.c $(SUDODEP) $(srcdir)/def_data.c $(authdir)/sudo_auth.h $(devdir)/gram.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/defaults.c -env.o: $(srcdir)/env.c $(SUDODEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/env.c -error.o: $(srcdir)/error.c $(srcdir)/compat.h $(srcdir)/error.h config.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/error.c -fileops.o: $(srcdir)/fileops.c $(SUDODEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/fileops.c -find_path.o: $(srcdir)/find_path.c $(SUDODEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/find_path.c -fnmatch.o: $(srcdir)/fnmatch.c $(srcdir)/emul/fnmatch.h $(srcdir)/compat.h config.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/fnmatch.c -getcwd.o: $(srcdir)/getcwd.c $(srcdir)/compat.h config.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/getcwd.c -getdate.o: 
$(srcdir)/getdate.c $(srcdir)/compat.h config.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/getdate.c -getline.o: $(srcdir)/getline.c config.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/getline.c -getprogname.o: $(srcdir)/getprogname.c config.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/getprogname.c -getspwuid.o: $(srcdir)/getspwuid.c $(SUDODEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/getspwuid.c -gettime.o: $(srcdir)/gettime.c $(SUDODEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/gettime.c -glob.o: $(srcdir)/glob.c $(srcdir)/emul/glob.h $(srcdir)/compat.h config.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/glob.c -goodpath.o: $(srcdir)/goodpath.c $(SUDODEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/goodpath.c -gram.o: $(devdir)/gram.c $(SUDODEP) $(srcdir)/parse.h $(srcdir)/list.h $(devdir)/gram.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(devdir)/gram.c -interfaces.o: $(srcdir)/interfaces.c $(SUDODEP) $(srcdir)/interfaces.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/interfaces.c -isblank.o: $(srcdir)/isblank.c $(srcdir)/compat.h config.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/isblank.c -lbuf.o: $(srcdir)/lbuf.c $(SUDODEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/lbuf.c -ldap.o: $(srcdir)/ldap.c $(SUDODEP) $(srcdir)/parse.h $(srcdir)/list.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/ldap.c -list.o: $(srcdir)/list.c $(SUDODEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/list.c -logging.o: $(srcdir)/logging.c $(SUDODEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/logging.c -match.o: $(srcdir)/match.c $(SUDODEP) $(srcdir)/parse.h $(srcdir)/list.h $(srcdir)/interfaces.h $(devdir)/gram.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/match.c -memrchr.o: $(srcdir)/memrchr.c $(SUDODEP) - $(CC) -c 
$(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/memrchr.c -mkstemp.o: $(srcdir)/mkstemp.c $(SUDODEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/mkstemp.c -nanosleep.o: $(srcdir)/nanosleep.c $(srcdir)/compat.h config.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/nanosleep.c -parse.o: $(srcdir)/parse.c $(SUDODEP) $(srcdir)/parse.h $(srcdir)/list.h $(devdir)/gram.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/parse.c -pwutil.o: $(srcdir)/pwutil.c $(SUDODEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/pwutil.c -pty.o: $(srcdir)/pty.c $(SUDODEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/pty.c -redblack.o: $(srcdir)/redblack.c $(SUDODEP) $(srcdir)/redblack.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/redblack.c -script.o: $(srcdir)/script.c $(SUDODEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/script.c -set_perms.o: $(srcdir)/set_perms.c $(SUDODEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/set_perms.c -sigaction.o: $(srcdir)/sigaction.c $(srcdir)/compat.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/sigaction.c -snprintf.o: $(srcdir)/snprintf.c $(srcdir)/compat.h config.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/snprintf.c -strcasecmp.o: $(srcdir)/strcasecmp.c $(srcdir)/compat.h config.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/strcasecmp.c -strerror.o: $(srcdir)/strerror.c $(srcdir)/compat.h config.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/strerror.c -strlcat.o: $(srcdir)/strlcat.c $(srcdir)/compat.h config.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/strlcat.c -strlcpy.o: $(srcdir)/strlcpy.c $(srcdir)/compat.h config.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/strlcpy.c -strsignal.o: $(srcdir)/strsignal.c $(srcdir)/compat.h config.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) 
$(srcdir)/strsignal.c -selinux.o: $(srcdir)/selinux.c $(SUDODEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/selinux.c -sudo.o: $(srcdir)/sudo.c $(SUDODEP) sudo_usage.h $(srcdir)/interfaces.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/sudo.c -sudoreplay.o: $(srcdir)/sudoreplay.c $(srcdir)/alloc.h $(srcdir)/compat.h $(srcdir)/error.h $(srcdir)/missing.h config.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/sudoreplay.c -sudo_edit.o: $(srcdir)/sudo_edit.c $(SUDODEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/sudo_edit.c -sudo_noexec.o: $(srcdir)/sudo_noexec.c $(srcdir)/compat.h config.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/sudo_noexec.c -sudo_nss.o: $(srcdir)/sudo_nss.c $(SUDODEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/sudo_nss.c -term.o: $(srcdir)/term.c $(SUDODEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/term.c -testsudoers.o: $(srcdir)/testsudoers.c $(SUDODEP) $(srcdir)/parse.h $(srcdir)/list.h $(srcdir)/interfaces.h $(devdir)/gram.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/testsudoers.c -tgetpass.o: $(srcdir)/tgetpass.c $(SUDODEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/tgetpass.c -timestr.o: $(srcdir)/timestr.c $(srcdir)/compat.h config.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/timestr.c -toke.o: $(devdir)/toke.c $(SUDODEP) $(srcdir)/parse.h $(srcdir)/list.h $(devdir)/gram.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(devdir)/toke.c -tsgetgrpw.o: $(srcdir)/tsgetgrpw.c $(SUDODEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/tsgetgrpw.c -utimes.o: $(srcdir)/utimes.c $(srcdir)/compat.h $(srcdir)/emul/utime.h config.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/utimes.c -vasgroups.o: $(srcdir)/vasgroups.c $(srcdir)/nonunix.h $(SUDODEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/vasgroups.c -visudo.o: 
$(srcdir)/visudo.c $(SUDODEP) $(devdir)/gram.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/visudo.c -zero_bytes.o: $(srcdir)/zero_bytes.c $(srcdir)/compat.h config.h - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/zero_bytes.c -sudo_auth.o: $(authdir)/sudo_auth.c $(AUTHDEP) $(INSDEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/sudo_auth.c -afs.o: $(authdir)/afs.c $(AUTHDEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/afs.c -aix_auth.o: $(authdir)/aix_auth.c $(AUTHDEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/aix_auth.c -bsdauth.o: $(authdir)/bsdauth.c $(AUTHDEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/bsdauth.c -dce.o: $(authdir)/dce.c $(AUTHDEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/dce.c -fwtk.o: $(authdir)/fwtk.c $(AUTHDEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/fwtk.c -kerb4.o: $(authdir)/kerb4.c $(AUTHDEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/kerb4.c -kerb5.o: $(authdir)/kerb5.c $(AUTHDEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/kerb5.c -pam.o: $(authdir)/pam.c $(AUTHDEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/pam.c -passwd.o: $(authdir)/passwd.c $(AUTHDEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/passwd.c -rfc1938.o: $(authdir)/rfc1938.c $(AUTHDEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/rfc1938.c -secureware.o: $(authdir)/secureware.c $(AUTHDEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/secureware.c -securid.o: $(authdir)/securid.c $(AUTHDEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/securid.c -securid5.o: $(authdir)/securid5.c $(AUTHDEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/securid5.c -sia.o: $(authdir)/sia.c $(AUTHDEP) - $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/sia.c - -sudo.man.in: 
$(srcdir)/sudo.pod - @rm -f $(srcdir)/$@ - ( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' sudo.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudo.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" | perl -p sudo.man.pl >> $@ ) - -sudo.man: sudo.man.in - CONFIG_FILES=$@ CONFIG_HEADERS= sh ./config.status - -sudo.cat: sudo.man - -visudo.man.in: $(srcdir)/visudo.pod - @rm -f $(srcdir)/$@ - ( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' visudo.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" visudo.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" -e 's|\\fI\\f\((CW*\)*I@\([^@]*\)\\fI@|\\fI@\2@|g' >> $@ ) - -visudo.man: visudo.man.in - CONFIG_FILES=$@ CONFIG_HEADERS= sh ./config.status - -visudo.cat: visudo.man - -sudoers.man.in: $(srcdir)/sudoers.pod - @rm -f $(srcdir)/$@ - ( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' sudoers.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectform --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudoers.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" | perl -p sudoers.man.pl >> $@ ) - -sudoers.man:: sudoers.man.in - CONFIG_FILES=$@ CONFIG_HEADERS= sh ./config.status - -sudoers.cat: sudoers.man - -sudoers.ldap.man.in: $(srcdir)/sudoers.ldap.pod - @rm -f $(srcdir)/$@ - ( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' sudoers.ldap.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectform 
--release=$(VERSION) --center="MAINTENANCE COMMANDS" sudoers.ldap.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" -e 's|\\fI\\f\((CW*\)*I@\([^@]*\)\\fI@|\\fI@\2@|g' >> $@ ) - -sudoers.ldap.man:: sudoers.ldap.man.in - CONFIG_FILES=$@ CONFIG_HEADERS= sh ./config.status - -sudoers.ldap.cat: sudoers.ldap.man - -sudoreplay.man.in: $(srcdir)/sudoreplay.pod - @rm -f $(srcdir)/$@ - ( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' sudoreplay.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudoreplay.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" -e 's|\\fI\\f\((CW*\)*I@\([^@]*\)\\fI@|\\fI@\2@|g' >> $@ ) - -sudoreplay.man:: sudoreplay.man.in - CONFIG_FILES=$@ CONFIG_HEADERS= sh ./config.status - -sudoers.cat: sudoers.man - -@DEV@HISTORY: history.pod -@DEV@ pod2text -l -i0 $> > $@ -@DEV@ -@DEV@LICENSE: license.pod -@DEV@ pod2text -l -i0 $> | sed '1,2d' > $@ - -ChangeLog: - hg log --style=changelog -b default > $@ - -install: install-dirs install-binaries @INSTALL_NOEXEC@ install-sudoers install-man +sudoers.la: $(SUDOERS_OBJS) $(COMMON_OBJS) $(LTLIBOBJS) + $(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -o $@ $(SUDOERS_OBJS) $(COMMON_OBJS) $(LTLIBOBJS) -module -avoid-version -rpath $(plugindir) + +# Sudoers dependencies +sudoers.lo: $(srcdir)/sudoers.c $(SUDODEP) $(srcdir)/interfaces.h + $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/sudoers.c +alias.lo: $(srcdir)/alias.c $(SUDODEP) $(srcdir)/parse.h $(incdir)/list.h $(srcdir)/redblack.h + $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/alias.c +boottime.lo: $(srcdir)/boottime.c $(top_builddir)/config.h + $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/boottime.c +check.lo: $(srcdir)/check.c $(SUDODEP) + 
$(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/check.c +defaults.lo: $(srcdir)/defaults.c $(SUDODEP) $(srcdir)/def_data.c $(authdir)/sudo_auth.h $(devdir)/gram.h + $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/defaults.c +env.lo: $(srcdir)/env.c $(SUDODEP) + $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/env.c +find_path.lo: $(srcdir)/find_path.c $(SUDODEP) + $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/find_path.c +getdate.lo: $(srcdir)/getdate.c $(incdir)/compat.h $(top_builddir)/config.h + $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/getdate.c +getspwuid.lo: $(srcdir)/getspwuid.c $(SUDODEP) + $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/getspwuid.c +gettime.lo: $(srcdir)/gettime.c $(SUDODEP) + $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/gettime.c +goodpath.lo: $(srcdir)/goodpath.c $(SUDODEP) + $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/goodpath.c +gram.lo: $(devdir)/gram.c $(SUDODEP) $(srcdir)/parse.h $(incdir)/list.h $(devdir)/gram.h + $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(devdir)/gram.c +interfaces.lo: $(srcdir)/interfaces.c $(SUDODEP) $(srcdir)/interfaces.h + $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/interfaces.c +ldap.lo: $(srcdir)/ldap.c $(SUDODEP) $(srcdir)/parse.h $(incdir)/list.h + $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/ldap.c +logging.lo: $(srcdir)/logging.c $(SUDODEP) + $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/logging.c +match.lo: $(srcdir)/match.c $(SUDODEP) $(srcdir)/parse.h $(incdir)/list.h $(srcdir)/interfaces.h $(devdir)/gram.h + $(LIBTOOL) --mode=compile 
$(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/match.c +parse.lo: $(srcdir)/parse.c $(SUDODEP) $(srcdir)/parse.h $(incdir)/list.h $(devdir)/gram.h + $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/parse.c +pwutil.lo: $(srcdir)/pwutil.c $(SUDODEP) + $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/pwutil.c +redblack.lo: $(srcdir)/redblack.c $(SUDODEP) $(srcdir)/redblack.h + $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/redblack.c +set_perms.lo: $(srcdir)/set_perms.c $(SUDODEP) + $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/set_perms.c +sudo_nss.lo: $(srcdir)/sudo_nss.c $(SUDODEP) + $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/sudo_nss.c +timestr.lo: $(srcdir)/timestr.c $(incdir)/compat.h $(top_builddir)/config.h + $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/timestr.c +toke.lo: $(devdir)/toke.c $(SUDODEP) $(srcdir)/parse.h $(incdir)/list.h $(devdir)/gram.h + $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(devdir)/toke.c +tsgetgrpw.lo: $(srcdir)/tsgetgrpw.c $(SUDODEP) + $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/tsgetgrpw.c +vasgroups.lo: $(srcdir)/vasgroups.c $(srcdir)/nonunix.h $(SUDODEP) + $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/vasgroups.c +error.lo: $(srcdir)/error.c $(incdir)/error.h $(incdir)/compat.h $(top_builddir)/config.h + $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(srcdir)/error.c + +# Upper level sudo dependencies +alloc.lo: $(top_srcdir)/src/alloc.c $(SUDODEP) + $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(top_srcdir)/src/alloc.c +atobool.lo: $(top_srcdir)/src/atobool.c $(SUDODEP) + $(LIBTOOL) --mode=compile $(CC) -c 
$(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(top_srcdir)/src/atobool.c +fileops.lo: $(top_srcdir)/src/fileops.c $(SUDODEP) + $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(top_srcdir)/src/fileops.c +fmt_string.lo: $(top_srcdir)/src/fmt_string.c $(SUDODEP) + $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(top_srcdir)/src/fmt_string.c +list.lo: $(top_srcdir)/src/list.c $(SUDODEP) + $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(top_srcdir)/src/list.c +lbuf.lo: $(top_srcdir)/src/lbuf.c $(SUDODEP) + $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(top_srcdir)/src/lbuf.c +zero_bytes.lo: $(top_srcdir)/src/zero_bytes.c $(incdir)/compat.h $(top_builddir)/config.h + $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(top_srcdir)/src/zero_bytes.c + +# Auth dependencies +sudo_auth.lo: $(authdir)/sudo_auth.c $(AUTHDEP) $(INSDEP) + $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/sudo_auth.c +afs.lo: $(authdir)/afs.c $(AUTHDEP) + $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/afs.c +aix_auth.lo: $(authdir)/aix_auth.c $(AUTHDEP) + $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/aix_auth.c +bsdauth.lo: $(authdir)/bsdauth.c $(AUTHDEP) + $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/bsdauth.c +dce.lo: $(authdir)/dce.c $(AUTHDEP) + $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/dce.c +fwtk.lo: $(authdir)/fwtk.c $(AUTHDEP) + $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/fwtk.c +kerb4.lo: $(authdir)/kerb4.c $(AUTHDEP) + $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/kerb4.c +kerb5.lo: $(authdir)/kerb5.c $(AUTHDEP) + $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) 
$(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/kerb5.c +pam.lo: $(authdir)/pam.c $(AUTHDEP) + $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/pam.c +passwd.lo: $(authdir)/passwd.c $(AUTHDEP) + $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/passwd.c +rfc1938.lo: $(authdir)/rfc1938.c $(AUTHDEP) + $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/rfc1938.c +secureware.lo: $(authdir)/secureware.c $(AUTHDEP) + $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/secureware.c +securid.lo: $(authdir)/securid.c $(AUTHDEP) + $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/securid.c +securid5.lo: $(authdir)/securid5.c $(AUTHDEP) + $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/securid5.c +sia.lo: $(authdir)/sia.c $(AUTHDEP) + $(LIBTOOL) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/sia.c + +install: install-dirs install-plugin install-dirs: - $(SHELL) $(srcdir)/mkinstalldirs $(DESTDIR)$(sudodir) \ - $(DESTDIR)$(visudodir) $(DESTDIR)$(sudoersdir) \ - $(DESTDIR)$(mandirsu) $(DESTDIR)$(mandirform) \ - $(DESTDIR)$(noexecdir) - -install-binaries: install-dirs $(PROGS) - $(INSTALL) -O $(install_uid) -G $(install_gid) -M 4111 -s sudo $(DESTDIR)$(sudodir)/sudo - rm -f $(DESTDIR)$(sudodir)/sudoedit - ln $(DESTDIR)$(sudodir)/sudo $(DESTDIR)$(sudodir)/sudoedit - if [ -f sudoreplay ]; then $(INSTALL) -O $(install_uid) -G $(install_gid) -M 0111 -s sudoreplay $(DESTDIR)$(sudodir)/sudoreplay; fi - $(INSTALL) -O $(install_uid) -G $(install_gid) -M 0111 -s visudo $(DESTDIR)$(visudodir)/visudo - if [ -f sesh ]; then $(INSTALL) -O $(install_uid) -G $(install_gid) -M 0111 -s sesh $(DESTDIR)$(libexecdir)/sesh; fi - -install-noexec: install-dirs sudo_noexec.la - if [ -f .libs/$(noexecfile) ]; then $(INSTALL) -O $(install_uid) -G $(install_gid) -M 
0755 .libs/$(noexecfile) $(DESTDIR)$(noexecdir); fi - -install-sudoers: install-dirs - test -f $(DESTDIR)$(sudoersdir)/sudoers || \ - $(INSTALL) -O $(sudoers_uid) -G $(sudoers_gid) -M $(sudoers_mode) \ - $(srcdir)/sudoers $(DESTDIR)$(sudoersdir)/sudoers - -install-man: install-dirs - $(INSTALL) -O $(install_uid) -G $(install_gid) -M 0444 @mansrcdir@/sudo.$(mantype) $(DESTDIR)$(mandirsu)/sudo.$(mansectsu) - @rm -f $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu) - ln $(DESTDIR)$(mandirsu)/sudo.$(mansectsu) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu) - @REPLAY@$(INSTALL) -O $(install_uid) -G $(install_gid) -M 0444 @mansrcdir@/sudoreplay.$(mantype) $(DESTDIR)$(mandirsu)/sudoreplay.$(mansectsu) - $(INSTALL) -O $(install_uid) -G $(install_gid) -M 0444 @mansrcdir@/visudo.$(mantype) $(DESTDIR)$(mandirsu)/visudo.$(mansectsu) - $(INSTALL) -O $(install_uid) -G $(install_gid) -M 0444 @mansrcdir@/sudoers.$(mantype) $(DESTDIR)$(mandirform)/sudoers.$(mansectform) - @LDAP@$(INSTALL) -O $(install_uid) -G $(install_gid) -M 0444 @mansrcdir@/sudoers.ldap.$(mantype) $(DESTDIR)$(mandirform)/sudoers.ldap.$(mansectform) -@MAN_POSTINSTALL@ + $(SHELL) $(top_srcdir)/mkinstalldirs $(DESTDIR)$(plugindir) + +install-binaries: + +install-man: + +install-plugin: install-dirs sudoers.la + $(LIBTOOL) --mode=install $(INSTALL) sudoers.la $(plugindir) check: @echo nothing to check clean: - -rm -f *.a *.o *.lo stamp-* $(PROGS) testsudoers core *.core core.* + -rm -f *.a *.o *.lo *.la stamp-* core *.core core.* mostlyclean: clean distclean: clean - -rm -rf Makefile pathnames.h config.h config.status config.cache \ - config.log libtool sudo_noexec.lo .libs $(GENERATED) \ - sudo.man sudoers.man sudoers.ldap.man visudo.man sudo_usage.h \ - Makefile.binary + -rm -rf Makefile sudoers.lo .libs clobber: distclean 
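Review bot: `install-plugin` runs `$(LIBTOOL) --mode=install $(INSTALL) sudoers.la $(plugindir)` without the `$(DESTDIR)` prefix that `install-dirs` uses two lines above (`$(DESTDIR)$(plugindir)`), so a staged install creates the directory under DESTDIR but copies the module into the live `$(plugindir)`. It also passes none of the `-O`/`-G`/`-M` flags the removed install-binaries rule used, so the shared object that the setuid front end will load into its own address space gets whatever owner and mode the invoking user's umask yields; something like `$(LIBTOOL) --mode=install $(INSTALL) -O $(install_uid) -G $(install_gid) -M 0644 sudoers.la $(DESTDIR)$(plugindir)` restores both, though `install_uid`/`install_gid` were dropped in the variables hunk above and would need to come back. The empty `install-binaries:` and `install-man:` targets would read better with a one-line comment stating they are intentionally no-ops for the plugin, and the removed install-sudoers target leaves `sudoersdir` and the sudoers_* variables with no installer in this file, which is presumably deliberate but undocumented.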
@@ -504,74 +244,3 @@ realclean: distclean rm -f TAGS tags cleandir: realclean - -dist: ChangeLog - pax -w -x ustar -s '/^/sudo-$(VERSION)\//' -f ../sudo-$(VERSION).tar \ - $(DISTFILES) - gzip -9f ../sudo-$(VERSION).tar - ls -l ../sudo-$(VERSION).tar.gz - -bindist: ChangeLog - ( \ - ARCH=`uname -m|sed 's:/:_:g'`+`uname -sr|sed 's/ /_/g'` ; \ - mkdir tmp.$$ARCH ; \ - tdir=tmp.$$ARCH/sudo-$(VERSION) ; \ - mkdir $$tdir ; \ - for i in $(BINFILES) ; do \ - if [ -f $$i ]; then \ - cp $$i $$tdir ; \ - elif [ -f $(srcdir)/$$i ]; then \ - cp $(srcdir)/$$i $$tdir ; \ - else \ - echo cannot find $$i ; \ - exit 1 ; \ - fi ; \ - done ; \ - if [ -f sudo_noexec.la ]; then \ - cp libtool $$tdir ; \ - $(LIBTOOL) --mode=install $(INSTALL) sudo_noexec.la `pwd`/$$tdir ; \ - ln $$tdir/sudo_noexec.la $$tdir/sudo_noexec.lai ; \ - ln -s . $$tdir/.libs ; \ - fi ; \ - cp $(srcdir)/INSTALL.binary $$tdir/INSTALL ; \ - sh ./config.status --file=Makefile.binary && cp Makefile.binary $$tdir/Makefile ; \ - strip $$tdir/sudo ; \ - strip $$tdir/visudo ; \ - cd tmp.$$ARCH && tar Ocf ../sudo-$(VERSION)-$$ARCH.tar sudo-$(VERSION) && cd .. 
; \ - gzip -f --best sudo-$(VERSION)-$$ARCH.tar ; \ - rm -rf tmp.$$ARCH ; \ - ) - -depot: - ( \ - tdir=tmp.depot ; \ - mkdir $$tdir ; \ - for i in sudo visudo sudo.man visudo.man sudoers.man sudoers ChangeLog HISTORY LICENSE README TROUBLESHOOTING UPGRADE sample.syslog.conf sample.sudoers; do \ - if [ -f $$i ]; then \ - cp $$i $$tdir ; \ - elif [ -f $(srcdir)/$$i ]; then \ - cp $(srcdir)/$$i $$tdir ; \ - else \ - echo cannot find $$i ; \ - exit 1 ; \ - fi ; \ - done ; \ - if [ -f sudo_noexec.la ]; then \ - cp libtool $$tdir ; \ - $(LIBTOOL) --mode=install $(INSTALL) sudo_noexec.la `pwd`/$$tdir ; \ - fi ; \ - sed 's/@VERSION@/$(VERSION)/g' <$(srcdir)/sudo.psf >$$tdir/sudo.psf ; \ - printf '#!/sbin/sh\nrm -f /usr/local/bin/sudoedit\nln /usr/local/bin/sudo /usr/local/bin/sudoedit\n' > $$tdir/sudo-exec.postinstall ; \ - printf '#!/sbin/sh\nrm -f /usr/local/man/man1m/sudoedit.1m\nln /usr/local/man/man1m/sudo.1m /usr/local/man/man1m/sudoedit.1m\n' > $$tdir/sudo-man.postinstall ; \ - printf '#!/sbin/sh\nif [ ! -s /etc/sudoers ]; then\n\techo installing /usr/local/doc/sudo/sudoers as /etc/sudoers\n\techo use /usr/local/sbin/visudo to configure sudo\n\tcp /usr/local/doc/sudo/sudoers /etc/sudoers\n\tchmod 440 /etc/sudoers\n\tchown root:root /etc/sudoers\nfi\n' > $$tdir/sudo-config.postinstall ; \ - chmod 755 $$tdir/sudo-exec.postinstall $$tdir/sudo-man.postinstall $$tdir/sudo-config.postinstall ; \ - strip $$tdir/sudo ; \ - strip $$tdir/visudo ; \ - cd $$tdir ; \ - swpackage -x target_type=tape -d ../sudo-$(VERSION).depot -s sudo.psf ; \ - cd .. ; \ - gzip -f --best sudo-$(VERSION).depot; \ - rm -rf tmp.depot ; \ - ) - -.PHONY: ChangeLog diff --git a/plugins/sudoers/alias.c b/plugins/sudoers/alias.c index e389c7113..e7ef24e76 100644 --- a/plugins/sudoers/alias.c +++ b/plugins/sudoers/alias.c @@ -41,7 +41,7 @@ # include #endif /* HAVE_UNISTD_H */ -#include "sudo.h" +#include "sudoers.h" #include "parse.h" #include "redblack.h" #include 
diff --git a/plugins/sudoers/auth/afs.c b/plugins/sudoers/auth/afs.c index 337cd4d20..58e2281f2 100644 --- a/plugins/sudoers/auth/afs.c +++ b/plugins/sudoers/auth/afs.c @@ -44,7 +44,7 @@ #endif /* HAVE_UNISTD_H */ #include -#include "sudo.h" +#include "sudoers.h" #include "sudo_auth.h" #include diff --git a/plugins/sudoers/auth/aix_auth.c b/plugins/sudoers/auth/aix_auth.c index 919fa9981..1a94d93fb 100644 --- a/plugins/sudoers/auth/aix_auth.c +++ b/plugins/sudoers/auth/aix_auth.c @@ -43,7 +43,7 @@ #endif /* HAVE_UNISTD_H */ #include -#include "sudo.h" +#include "sudoers.h" #include "sudo_auth.h" /* @@ -61,7 +61,7 @@ aixauth_verify(pw, prompt, auth) int reenter = 1; int rval = AUTH_FAILURE; - pass = tgetpass(prompt, def_passwd_timeout * 60, tgetpass_flags); + pass = auth_getpass(prompt, def_passwd_timeout * 60, SUDO_CONV_PROMPT_ECHO_OFF); if (pass) { /* XXX - should probably print message on failure. */ if (authenticate(pw->pw_name, pass, &reenter, &message) == 0) diff --git a/plugins/sudoers/auth/bsdauth.c b/plugins/sudoers/auth/bsdauth.c index f70e90b00..4874ee886 100644 --- a/plugins/sudoers/auth/bsdauth.c +++ b/plugins/sudoers/auth/bsdauth.c @@ -48,7 +48,7 @@ #include #include -#include "sudo.h" +#include "sudoers.h" #include "sudo_auth.h" extern char *login_style; /* from sudo.c */ @@ -114,9 +114,9 @@ bsdauth_verify(pw, prompt, auth) * S/Key. */ if ((s = auth_challenge(as)) == NULL) { - pass = tgetpass(prompt, def_passwd_timeout * 60, tgetpass_flags); + pass = auth_getpass(prompt, def_passwd_timeout * 60, SUDO_CONV_PROMPT_ECHO_OFF); } else { - pass = tgetpass(s, def_passwd_timeout * 60, tgetpass_flags); + pass = auth_getpass(prompt, def_passwd_timeout * 60, SUDO_CONV_PROMPT_ECHO_OFF); if (pass && *pass == '\0') { if ((prompt = strrchr(s, '\n'))) prompt++; 
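Review bot: In the challenge branch of bsdauth_verify, `auth_getpass(prompt, ...)` replaced `tgetpass(s, ...)`, so the S/Key challenge string `s` returned by auth_challenge() is never shown to the user; the call should be `pass = auth_getpass(s, def_passwd_timeout * 60, SUDO_CONV_PROMPT_ECHO_OFF);`. The same slip is in the next hunk (@@ -131,8 +131,8 @@), where the "[echo on]" prompt is built into `s` with easprintf() and then only freed, while `auth_getpass(prompt, ...)` is called with the bare prompt; that call should take `s` as well. Without the challenge text the user cannot compute the one-time response, so the S/Key path is functionally broken rather than weakened, but it should be fixed before the plugin is wired up. bsdauth_verify's body extends beyond both hunks.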
@@ -131,8 +131,8 @@ bsdauth_verify(pw, prompt, auth) while (isspace(prompt[len]) || prompt[len] == ':') prompt[len--] = '\0'; easprintf(&s, "%s [echo on]: ", prompt); - pass = tgetpass(s, def_passwd_timeout * 60, - tgetpass_flags | TGP_ECHO); + pass = auth_getpass(prompt, def_passwd_timeout * 60, + SUDO_CONV_PROMPT_ECHO_ON); free(s); } } diff --git a/plugins/sudoers/auth/dce.c b/plugins/sudoers/auth/dce.c index 943e064c8..51e86baf6 100644 --- a/plugins/sudoers/auth/dce.c +++ b/plugins/sudoers/auth/dce.c @@ -61,7 +61,7 @@ #include #include /* required to call dce_error_inq_text routine */ -#include "sudo.h" +#include "sudoers.h" #include "sudo_auth.h" static int check_dce_status __P((error_status_t, char *)); diff --git a/plugins/sudoers/auth/fwtk.c b/plugins/sudoers/auth/fwtk.c index 853fc3ba3..b2443b93e 100644 --- a/plugins/sudoers/auth/fwtk.c +++ b/plugins/sudoers/auth/fwtk.c @@ -46,7 +46,7 @@ #include #include -#include "sudo.h" +#include "sudoers.h" #include "sudo_auth.h" int 
@@ -103,16 +103,17 @@ restart: /* Get the password/response from the user. */ if (strncmp(resp, "challenge ", 10) == 0) { (void) snprintf(buf, sizeof(buf), "%s\nResponse: ", &resp[10]); - pass = tgetpass(buf, def_passwd_timeout * 60, tgetpass_flags); + pass = auth_getpass(buf, def_passwd_timeout * 60, SUDO_CONV_PROMPT_ECHO_OFF); if (pass && *pass == '\0') { - pass = tgetpass("Response [echo on]: ", - def_passwd_timeout * 60, tgetpass_flags | TGP_ECHO); + pass = auth_getpass("Response [echo on]: ", + def_passwd_timeout * 60, SUDO_CONV_PROMPT_ECHO_ON); } } else if (strncmp(resp, "chalnecho ", 10) == 0) { - pass = tgetpass(&resp[10], def_passwd_timeout * 60, tgetpass_flags); + pass = auth_getpass(&resp[10], def_passwd_timeout * 60, + SUDO_CONV_PROMPT_ECHO_OFF); } else if (strncmp(resp, "password", 8) == 0) { - pass = tgetpass(prompt, def_passwd_timeout * 60, - tgetpass_flags); + pass = auth_getpass(prompt, def_passwd_timeout * 60, + SUDO_CONV_PROMPT_ECHO_OFF); } else if (strncmp(resp, "display ", 8) == 0) { fprintf(stderr, "%s\n", &resp[8]); strlcpy(buf, "response dummy", sizeof(buf)); diff --git a/plugins/sudoers/auth/kerb4.c b/plugins/sudoers/auth/kerb4.c index 4b3e38147..c1be117d8 100644 --- a/plugins/sudoers/auth/kerb4.c +++ b/plugins/sudoers/auth/kerb4.c @@ -44,7 +44,7 @@ #include #include -#include "sudo.h" +#include "sudoers.h" #include "sudo_auth.h" int diff --git a/plugins/sudoers/auth/kerb5.c b/plugins/sudoers/auth/kerb5.c index d03bd9a79..611b18a0d 100644 --- a/plugins/sudoers/auth/kerb5.c +++ b/plugins/sudoers/auth/kerb5.c @@ -50,7 +50,7 @@ #include #endif -#include "sudo.h" +#include "sudoers.h" #include "sudo_auth.h" #ifdef HAVE_HEIMDAL diff --git a/plugins/sudoers/auth/pam.c b/plugins/sudoers/auth/pam.c index f4269b841..01231d90a 100644 --- a/plugins/sudoers/auth/pam.c +++ b/plugins/sudoers/auth/pam.c @@ -62,7 +62,7 @@ # endif #endif -#include "sudo.h" +#include "sudoers.h" #include "sudo_auth.h" /* Only OpenPAM and Linux PAM use const qualifiers. */ 
@@ -257,17 +257,17 @@ sudo_conv(num_msg, msg, response, appdata_ptr) PAM_CONST struct pam_message *pm; const char *prompt; char *pass; - int n, flags, std_prompt; + int n, type, std_prompt; if ((*response = malloc(num_msg * sizeof(struct pam_response))) == NULL) return(PAM_SYSTEM_ERR); zero_bytes(*response, num_msg * sizeof(struct pam_response)); for (pr = *response, pm = *msg, n = num_msg; n--; pr++, pm++) { - flags = tgetpass_flags; + type = SUDO_CONV_PROMPT_ECHO_OFF; switch (pm->msg_style) { case PAM_PROMPT_ECHO_ON: - SET(flags, TGP_ECHO); + type = SUDO_CONV_PROMPT_ECHO_ON; case PAM_PROMPT_ECHO_OFF: prompt = def_prompt; @@ -289,7 +289,7 @@ sudo_conv(num_msg, msg, response, appdata_ptr) prompt = pm->msg; #endif /* Read the password unless interrupted. */ - pass = tgetpass(prompt, def_passwd_timeout * 60, flags); + pass = auth_getpass(prompt, def_passwd_timeout * 60, type); if (pass == NULL) { /* We got ^C instead of a password; abort quickly. */ if (errno == EINTR) diff --git a/plugins/sudoers/auth/passwd.c b/plugins/sudoers/auth/passwd.c index e35130664..f39937210 100644 --- a/plugins/sudoers/auth/passwd.c +++ b/plugins/sudoers/auth/passwd.c @@ -43,7 +43,7 @@ #endif /* HAVE_UNISTD_H */ #include -#include "sudo.h" +#include "sudoers.h" #include "sudo_auth.h" #define DESLEN 13 diff --git a/plugins/sudoers/auth/rfc1938.c b/plugins/sudoers/auth/rfc1938.c index 1769e6f7f..4cba8158a 100644 --- a/plugins/sudoers/auth/rfc1938.c +++ b/plugins/sudoers/auth/rfc1938.c @@ -60,7 +60,7 @@ # define rfc1938verify(a,b) opieverify((a),(b)) #endif -#include "sudo.h" +#include "sudoers.h" #include "sudo_auth.h" int diff --git a/plugins/sudoers/auth/secureware.c b/plugins/sudoers/auth/secureware.c index d21712706..132eeff08 100644 --- a/plugins/sudoers/auth/secureware.c +++ b/plugins/sudoers/auth/secureware.c @@ -50,7 +50,7 @@ #endif /* __hpux */ #include -#include "sudo.h" +#include "sudoers.h" #include "sudo_auth.h" int 
diff --git a/plugins/sudoers/auth/securid.c b/plugins/sudoers/auth/securid.c index 4edddb4e5..edb20fd11 100644 --- a/plugins/sudoers/auth/securid.c +++ b/plugins/sudoers/auth/securid.c @@ -50,7 +50,7 @@ #include #include -#include "sudo.h" +#include "sudoers.h" #include "sudo_auth.h" union config_record configure; diff --git a/plugins/sudoers/auth/securid5.c b/plugins/sudoers/auth/securid5.c index b59bf8f5d..b83186788 100644 --- a/plugins/sudoers/auth/securid5.c +++ b/plugins/sudoers/auth/securid5.c @@ -52,7 +52,7 @@ #include #include -#include "sudo.h" +#include "sudoers.h" #include "sudo_auth.h" /* @@ -160,8 +160,8 @@ securid_verify(pw, pass, auth) SDI_HANDLE *sd = (SDI_HANDLE *) auth->data; int rval; - pass = (char *) tgetpass("Enter your PASSCODE: ", - def_passwd_timeout * 60, tgetpass_flags); + pass = auth_getpass("Enter your PASSCODE: ", + def_passwd_timeout * 60, SUDO_CONV_PROMPT_ECHO_OFF); /* Have ACE verify password */ switch (SD_Check(*sd, pass, pw->pw_name)) { @@ -192,11 +192,11 @@ securid_verify(pw, pass, auth) /* Sometimes (when current token close to expire?) ACE challenges for the next token displayed (entered without the PIN) */ - pass = (char *) tgetpass("\ + pass = auth_getpass("\ !!! ATTENTION !!!\n\ Wait for the token code to change, \n\ then enter the new token code.\n", \ - def_passwd_timeout * 60, tgetpass_flags); + def_passwd_timeout * 60, SUDO_CONV_PROMPT_ECHO_OFF); if (SD_Next(*sd, pass) == ACM_OK) { rval = AUTH_SUCCESS; diff --git a/plugins/sudoers/auth/sia.c b/plugins/sudoers/auth/sia.c index 1f919f481..a6e6d8266 100644 --- a/plugins/sudoers/auth/sia.c +++ b/plugins/sudoers/auth/sia.c @@ -46,7 +46,7 @@ #include #include -#include "sudo.h" +#include "sudoers.h" #include "sudo_auth.h" static int sudo_collect __P((int, int, uchar_t *, int, prompt_t *)); diff --git a/plugins/sudoers/auth/sudo_auth.c b/plugins/sudoers/auth/sudo_auth.c index 58a079bb0..7e1be42a7 100644 --- a/plugins/sudoers/auth/sudo_auth.c 
+++ b/plugins/sudoers/auth/sudo_auth.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999-2005, 2008-2009 Todd C. Miller + * Copyright (c) 1999-2005, 2008-2010 Todd C. Miller * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -48,10 +48,12 @@ #include #include -#include "sudo.h" +#include "sudoers.h" #include "sudo_auth.h" #include "insults.h" +sudo_conv_t sudo_conv; + sudo_auth auth_switch[] = { #ifdef AUTH_STANDALONE AUTH_STANDALONE @@ -84,15 +86,12 @@ sudo_auth auth_switch[] = { AUTH_ENTRY(0, NULL, NULL, NULL, NULL, NULL) }; -void -verify_user(pw, prompt) - struct passwd *pw; - char *prompt; +int +verify_user(struct passwd *pw, char *prompt) { int counter = def_passwd_tries + 1; int success = AUTH_FAILURE; - int status; - int flags; + int flags, status, rval; char *p; sudo_auth *auth; sigaction_t sa, osa; @@ -115,6 +114,7 @@ verify_user(pw, prompt) "There are no authentication methods compiled into sudo!", "If you want to turn off authentication, use the", "--disable-authentication configure option."); + return -1; } /* Set FLAG_ONEANDONLY if there is only one auth method. */ @@ -134,7 +134,7 @@ verify_user(pw, prompt) #ifdef HAVE_BSM_AUDIT audit_failure(NewArgv, "authentication failure"); #endif - exit(1); /* assume error msg already printed */ + return -1; /* assume error msg already printed */ } if (NEEDS_USER(auth)) @@ -156,7 +156,7 @@ verify_user(pw, prompt) #ifdef HAVE_BSM_AUDIT audit_failure(NewArgv, "authentication failure"); #endif - exit(1); /* assume error msg already printed */ + return -1; /* assume error msg already printed */ } if (NEEDS_USER(auth)) @@ -168,8 +168,7 @@ verify_user(pw, prompt) #ifdef AUTH_STANDALONE p = prompt; #else - p = (char *) tgetpass(prompt, def_passwd_timeout * 60, - tgetpass_flags); + p = auth_getpass(prompt, def_passwd_timeout * 60, SUDO_CONV_PROMPT_ECHO_OFF); #endif /* AUTH_STANDALONE */ /* Call authentication functions. */ 
@@ -189,11 +188,12 @@ verify_user(pw, prompt) goto cleanup; } #ifndef AUTH_STANDALONE - if (p) - zero_bytes(p, strlen(p)); + if (repl.reply) + zero_bytes(p, strlen(repl.reply)); #endif - if (!ISSET(tgetpass_flags, TGP_ASKPASS)) - pass_warn(stderr); + /* XXX - need way to know if askpass was used */ + //if (!ISSET(tgetpass_flags, TGP_ASKPASS)) + pass_warn(); } cleanup: @@ -208,7 +208,7 @@ cleanup: #ifdef HAVE_BSM_AUDIT audit_failure(NewArgv, "authentication failure"); #endif - exit(1); /* assume error msg already printed */ + return -1; /* assume error msg already printed */ } if (NEEDS_USER(auth)) @@ -219,7 +219,8 @@ cleanup: switch (success) { case AUTH_SUCCESS: (void) sigaction(SIGTSTP, &osa, NULL); - return; + rval = TRUE; + break; case AUTH_INTR: case AUTH_FAILURE: if (counter != def_passwd_tries) { 
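Review bot: `if (repl.reply) zero_bytes(p, strlen(repl.reply));` references `repl`, which is not a local of verify_user as far as this diff shows (it is a local of auth_getpass() later in this same commit), and even if it were, the length should come from the buffer being wiped; `if (p) zero_bytes(p, strlen(p));` keeps the plaintext-wipe the old code had. The commented-out `//if (!ISSET(tgetpass_flags, TGP_ASKPASS))` is a C++-style comment in a file that otherwise uses `/* */`, and it leaves `pass_warn()` unconditional; a `/* XXX - askpass check: ... */` block comment would preserve the intent without depending on C99 comment syntax. verify_user's body continues outside the hunk.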
@@ -227,43 +228,73 @@ cleanup: flags = 0; else flags = NO_MAIL; -#ifdef HAVE_BSM_AUDIT - audit_failure(NewArgv, "authentication failure"); -#endif log_error(flags, "%d incorrect password attempt%s", def_passwd_tries - counter, (def_passwd_tries - counter == 1) ? "" : "s"); } - /* FALLTHROUGH */ +#ifdef HAVE_BSM_AUDIT + audit_failure(NewArgv, "authentication failure"); +#endif + rval = FALSE; + break; case AUTH_FATAL: + default: #ifdef HAVE_BSM_AUDIT audit_failure(NewArgv, "authentication failure"); #endif - exit(1); + rval = -1; + break; } - /* NOTREACHED */ + + return rval; } void -pass_warn(fp) - FILE *fp; +pass_warn(void) { + struct sudo_conv_message msg; + struct sudo_conv_reply repl; + /* Call conversation function */ + memset(&msg, 0, sizeof(msg)); + msg.msg_type = SUDO_CONV_ERROR_MSG; #ifdef INSULT if (def_insults) - (void) fprintf(fp, "%s\n", INSULT); + msg.msg = INSULT; else #endif - (void) fprintf(fp, "%s\n", def_badpass_message); + msg.msg = def_badpass_message; + memset(&repl, 0, sizeof(repl)); + sudo_conv(1, &msg, &repl); } +char * +auth_getpass(const char *prompt, int timeout, int type) +{ + struct sudo_conv_message msg; + struct sudo_conv_reply repl; + + /* Call conversation function */ + memset(&msg, 0, sizeof(msg)); + msg.msg_type = SUDO_CONV_PROMPT_ECHO_OFF; + msg.timeout = def_passwd_timeout * 60; + msg.msg = prompt; + memset(&repl, 0, sizeof(repl)); + sudo_conv(1, &msg, &repl); + /* XXX - check for ENOTTY? */ + return repl.reply; +} + +#ifdef notyet void -dump_auth_methods() +dump_auth_methods(void) { sudo_auth *auth; + /* XXX - conversation function */ (void) fputs("Authentication methods:", stdout); for (auth = auth_switch; auth->name; auth++) (void) printf(" '%s'", auth->name); (void) putchar('\n'); } +#endif diff --git a/plugins/sudoers/auth/sudo_auth.h b/plugins/sudoers/auth/sudo_auth.h index a4efe1412..e78851cf2 100644 --- a/plugins/sudoers/auth/sudo_auth.h +++ b/plugins/sudoers/auth/sudo_auth.h 
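Review bot: auth_getpass() ignores both of its parameters after `prompt`: `msg.msg_type` is hard-wired to `SUDO_CONV_PROMPT_ECHO_OFF` and `msg.timeout` to `def_passwd_timeout * 60`, so the `SUDO_CONV_PROMPT_ECHO_ON` type passed by fwtk.c, bsdauth.c and pam.c (PAM_PROMPT_ECHO_ON) in this same commit has no effect; the two lines should read `msg.msg_type = type;` and `msg.timeout = timeout;`. The return value of `sudo_conv()` is discarded in both auth_getpass() and pass_warn(), so a failed or unavailable conversation is indistinguishable from an empty reply; checking it and returning NULL is what the `/* XXX - check for ENOTTY? */` seems to be reaching for. The header comment should also say who owns and wipes `repl.reply`, since the plaintext password is now handed to every auth module and, as far as the hunks here show, only verify_user() zeroes it.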
@@ -45,6 +45,12 @@ typedef struct sudo_auth { #define IS_CONFIGURED(x) ((x)->flags & FLAG_CONFIGURED) #define IS_ONEANDONLY(x) ((x)->flags & FLAG_ONEANDONLY) +/* Like tgetpass() but uses conversation function */ +char *auth_getpass(const char *prompt, int timeout, int type); + +/* Pointer to conversation function to use with auth_getpass(). */ +extern sudo_conv_t sudo_conv; + /* Prototypes for standalone methods */ int fwtk_init __P((struct passwd *pw, char **prompt, sudo_auth *auth)); int fwtk_verify __P((struct passwd *pw, char *prompt, sudo_auth *auth)); diff --git a/plugins/sudoers/check.c b/plugins/sudoers/check.c index 7657816ba..b380d5346 100644 --- a/plugins/sudoers/check.c +++ b/plugins/sudoers/check.c @@ -56,7 +56,7 @@ # include #endif -#include "sudo.h" +#include "sudoers.h" /* Status codes for timestamp_status() */ #define TS_CURRENT 0 @@ -69,7 +69,7 @@ #define TS_MAKE_DIRS 1 #define TS_REMOVE 2 -static void build_timestamp __P((char **, char **)); +static int build_timestamp __P((char **, char **)); static int timestamp_status __P((char *, char *, char *, int)); static char *expand_prompt __P((char *, char *, char *)); static void lecture __P((int)); @@ -78,8 +78,9 @@ static void update_timestamp __P((char *, char *)); /* * This function only returns if the user can successfully * verify who he/she is. + * XXX - check return values */ -void +int check_user(validated, mode) int validated; int mode; 
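Review bot: The comment on the new `auth_getpass()` prototype, `/* Like tgetpass() but uses conversation function */`, does not state what the caller gets back: whether the returned string is owned by the caller or by the conversation function, whether it can be NULL on timeout or interrupt, or which values `type` accepts (callers in this commit pass SUDO_CONV_PROMPT_ECHO_OFF / SUDO_CONV_PROMPT_ECHO_ON). Because the string is the user's plaintext password, ownership and wiping responsibility is the detail every auth module needs; something like `/* Prompt via the conversation function; type is a SUDO_CONV_PROMPT_* value. Returns the reply or NULL; <OWNERSHIP OF THE REPLY BUFFER - TBD> */` once that contract is settled.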
@@ -87,25 +88,30 @@ check_user(validated, mode) char *timestampdir = NULL; char *timestampfile = NULL; char *prompt; - int status; + int status, rval = TRUE; /* Always prompt for a password when -k was specified with the command. */ if (ISSET(mode, MODE_INVALIDATE)) { SET(validated, FLAG_CHECK_USER); } else { if (user_uid == 0 || user_uid == runas_pw->pw_uid || user_is_exempt()) - return; + return TRUE; } - build_timestamp(×tampdir, ×tampfile); + if (build_timestamp(×tampdir, ×tampfile) == -1) + return -1; + status = timestamp_status(timestampdir, timestampfile, user_name, TS_MAKE_DIRS); if (status != TS_CURRENT || ISSET(validated, FLAG_CHECK_USER)) { /* Bail out if we are non-interactive and a password is required */ - if (ISSET(mode, MODE_NONINTERACTIVE)) - errorx(1, "sorry, a password is required to run %s", getprogname()); + if (ISSET(mode, MODE_NONINTERACTIVE)) { + warningx("sorry, a password is required to run %s", getprogname()); + return -1; + } +#if 0 /* XXX - checks need to be done in main driver */ /* If user specified -A, make sure we have an askpass helper. */ if (ISSET(tgetpass_flags, TGP_ASKPASS)) { if (user_askpass == NULL) @@ -124,19 +130,22 @@ check_user(validated, mode) } if (!ISSET(tgetpass_flags, TGP_ASKPASS)) +#endif lecture(status); /* Expand any escapes in the prompt. */ prompt = expand_prompt(user_prompt ? user_prompt : def_passprompt, user_name, user_shost); - verify_user(auth_pw, prompt); + rval = verify_user(auth_pw, prompt); } /* Only update timestamp if user was validated. */ if (ISSET(validated, VALIDATE_OK) && !ISSET(mode, MODE_INVALIDATE) && status != TS_ERROR) update_timestamp(timestampdir, timestampfile); efree(timestampdir); efree(timestampfile); + + return rval; } /* @@ -258,7 +267,7 @@ expand_prompt(old_prompt, user, host) } if (subst) { - new_prompt = (char *) emalloc(++len); + new_prompt = emalloc(++len); endp = new_prompt + len; for (p = old_prompt, np = new_prompt; *p; p++) { if (p[0] =='%') { 
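Review bot: update_timestamp() is now reachable after a failed authentication. Before this change verify_user() never returned on failure (it called exit(1)), so the guard `if (ISSET(validated, VALIDATE_OK) && !ISSET(mode, MODE_INVALIDATE) && status != TS_ERROR)` was only evaluated after a successful password; with `rval = verify_user(auth_pw, prompt)` returning FALSE or -1 and execution continuing, a wrong password still refreshes the user's timestamp, and the next invocation within the timeout would run without a password even though this call returns failure. The guard should also require success, e.g. `if (rval == TRUE && ISSET(validated, VALIDATE_OK) && !ISSET(mode, MODE_INVALIDATE) && status != TS_ERROR)`. Separately, the `return -1` in the MODE_NONINTERACTIVE branch of the previous hunk (@@ -87,25 +88,30 @@) returns after `timestampdir`/`timestampfile` were allocated without the efree() calls at the end; a `goto` to those calls would cover both early exits.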
@@ -341,7 +350,7 @@ user_is_exempt() /* * Fills in timestampdir as well as timestampfile if using tty tickets. */ -static void +static int build_timestamp(timestampdir, timestampfile) char **timestampdir; char **timestampfile; @@ -351,8 +360,10 @@ build_timestamp(timestampdir, timestampfile) dirparent = def_timestampdir; len = easprintf(timestampdir, "%s/%s", dirparent, user_name); - if (len >= PATH_MAX) + if (len >= PATH_MAX) { log_error(0, "timestamp path too long: %s", *timestampdir); + return -1; + } /* * Timestamp file may be a file in the directory or NUL to use @@ -370,15 +381,21 @@ build_timestamp(timestampdir, timestampfile) p, runas_pw->pw_name); else len = easprintf(timestampfile, "%s/%s/%s", dirparent, user_name, p); - if (len >= PATH_MAX) + if (len >= PATH_MAX) { log_error(0, "timestamp path too long: %s", *timestampfile); + return -1; + } } else if (def_targetpw) { len = easprintf(timestampfile, "%s/%s/%s", dirparent, user_name, runas_pw->pw_name); - if (len >= PATH_MAX) + if (len >= PATH_MAX) { log_error(0, "timestamp path too long: %s", *timestampfile); + return -1; + } } else *timestampfile = NULL; + + return len; } /* @@ -578,7 +595,9 @@ remove_timestamp(remove) char *timestampdir, *timestampfile, *path; int status; - build_timestamp(×tampdir, ×tampfile); + if (build_timestamp(×tampdir, ×tampfile) == -1) + return; + status = timestamp_status(timestampdir, timestampfile, user_name, TS_REMOVE); if (status == TS_OLD || status == TS_CURRENT) { diff --git a/plugins/sudoers/defaults.c b/plugins/sudoers/defaults.c index 081cf725f..93ba5a416 100644 --- a/plugins/sudoers/defaults.c +++ b/plugins/sudoers/defaults.c @@ -45,7 +45,7 @@ #include #include -#include "sudo.h" +#include "sudoers.h" #include "parse.h" #include diff --git a/plugins/sudoers/env.c b/plugins/sudoers/env.c index 88e6553ea..b57b8bc46 100644 --- a/plugins/sudoers/env.c +++ b/plugins/sudoers/env.c 
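Review bot: Each new `return -1` in build_timestamp() comes after easprintf() has stored an allocated string in `*timestampdir` (and, in the hunk @@ -370,15 +381,21 @@, in `*timestampfile` as well), and both callers updated in this commit (check_user(), remove_timestamp()) return immediately on -1 without freeing them. If log_error() without NO_EXIT still exits as it did before the plugin split, these returns are unreachable; if it now returns, the outputs leak, so either free and NULL them before returning, e.g. `efree(*timestampdir); *timestampdir = NULL;`, or document that callers must free both pointers even on failure.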
@@ -47,7 +47,7 @@ #include #include -#include "sudo.h" +#include "sudoers.h" /* * Flags used in rebuild_env() @@ -209,6 +209,31 @@ static const char *initial_keepenv_table[] = { NULL }; +/* + * Initialize env based on envp. + */ +int +env_init(char * const envp[]) +{ + char * const *ep; + size_t len; + int rval = -1; + + for (ep = envp; *ep != NULL; ep++) + continue; + len = (size_t)(ep - envp); + + env.env_size = len + 1 + 128; + env.envp = emalloc2(env.env_size, sizeof(char *)); +#ifdef ENV_DEBUG + memset(env.envp, 0, env.env_size * sizeof(char *)); +#endif + memcpy(env.envp, envp, len * sizeof(char *)); + env.envp[len] = '\0'; + rval = 0; + return rval; +} + /* * Similar to setenv(3) but operates on sudo's private copy of the environment * (not environ) and it always overwrites. The dupcheck param determines @@ -250,8 +275,10 @@ setenv(var, val, overwrite) const char *cp; size_t esize; - if (!var || *var == '\0') - return(EINVAL); + if (!var || *var == '\0') { + errno = EINVAL; + return -1; + } /* * POSIX says a var name with '=' is an error but BSD @@ -302,7 +329,7 @@ setenv(var, val, overwrite) #endif } sudo_putenv(estring, TRUE, overwrite); - return(0); + return 0; } /* @@ -325,7 +352,7 @@ unsetenv(var) #ifdef UNSETENV_VOID return; #else - return(-1); + return -1; #endif } @@ -365,7 +392,7 @@ unsetenv(var) } } #ifndef UNSETENV_VOID - return(0); + return 0; #endif } @@ -383,7 +410,7 @@ putenv(string) { if (strchr(string, '=') == NULL) { errno = EINVAL; - return(-1); + return -1; } /* Sync env.envp with environ as needed. */ if (env.envp != environ) { @@ -412,7 +439,7 @@ putenv(string) #endif } sudo_putenv((char *)string, TRUE, TRUE); - return(0); + return 0; } /* @@ -490,7 +517,7 @@ matches_env_delete(var) break; } } - return(match); + return match; } /* @@ -520,7 +547,7 @@ matches_env_check(var) break; } } - return(keepit); + return keepit; } /* @@ -549,7 +576,7 @@ matches_env_keep(var) break; } } - return(keepit); + return keepit; } /* 
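Review bot: `env.envp[len] = '\0';` in env_init() stores a character constant into a `char *` slot; the terminator of the pointer array should be written `env.envp[len] = NULL;` (it works only because '\0' is an integer constant expression with value 0). `rval` is initialised to -1, set to 0 and returned with no failure path in between, so `return 0;` says the same thing unless a real error path is planned. The `for (ep = envp; *ep != NULL; ep++) continue;` loop dereferences `envp` unconditionally, and the plugin entry point that supplies it is not visible here; the function comment should state `/* envp must be non-NULL and NULL-terminated. */`.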
@@ -760,8 +787,9 @@ rebuild_env(sudo_mode, noexec) easprintf(&cp, "%s %s", user_cmnd, user_args); sudo_setenv("SUDO_COMMAND", cp, TRUE); efree(cp); - } else + } else { sudo_setenv("SUDO_COMMAND", user_cmnd, TRUE); + } /* Add the SUDO_USER, SUDO_UID, SUDO_GID environment variables. */ sudo_setenv("SUDO_USER", user_name, TRUE); diff --git a/plugins/sudoers/error.c b/plugins/sudoers/error.c new file mode 100644 index 000000000..629d4cce0 --- /dev/null +++ b/plugins/sudoers/error.c 
@@ -0,0 +1,93 @@
+/*
+ * Copyright (c) 2004-2005 Todd C. Miller
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include
+#include
+#include
+#include
+#include
+
+#include
+#include
+#include "error.h"
+
+static void _warning(int, const char *, va_list);
+ void cleanup(int);
+
+sigjmp_buf error_jmp;
+
+void
+error(int eval, const char *fmt, ...)
+{
+ va_list ap;
+ va_start(ap, fmt);
+ _warning(1, fmt, ap);
+ va_end(ap);
+ cleanup(0);
+ if (error_jmp)
+ siglongjmp(error_jmp, 1);
+ else
+ exit(eval);
+}
+
+void
+errorx(int eval, const char *fmt, ...)
+{
+ va_list ap;
+ va_start(ap, fmt);
+ _warning(0, fmt, ap);
+ va_end(ap);
+ cleanup(0);
+ if (error_jmp)
+ siglongjmp(error_jmp, 1);
+ else
+ exit(eval);
+}
+
+void
+warning(const char *fmt, ...)
+{
+ va_list ap;
+ va_start(ap, fmt);
+ _warning(1, fmt, ap);
+ va_end(ap);
+}
+
+void
+warningx(const char *fmt, ...)
+{
+ va_list ap;
+ va_start(ap, fmt);
+ _warning(0, fmt, ap);
+ va_end(ap);
+}
+
+static void
+_warning(int use_errno, const char *fmt, va_list ap)
+{
+ int serrno = errno;
+
+ fputs(getprogname(), stderr);
+ if (fmt != NULL) {
+ fputs(": ", stderr);
+ vfprintf(stderr, fmt, ap);
+ }
+ if (use_errno) {
+ fputs(": ", stderr);
+ fputs(strerror(serrno), stderr);
+ }
+ putc('\n', stderr);
+}
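Review bot: `if (error_jmp)` in error() and errorx() tests a `sigjmp_buf`, which is an array type, so the condition is always true and the `exit(eval)` branch is dead; if no caller has yet executed sigsetjmp() on `error_jmp`, siglongjmp() on an unarmed buffer is undefined behaviour. Track whether the buffer was armed with an explicit flag set at the sigsetjmp() site, e.g. a file-scope `int error_jmp_set;` (constructed name) and `if (error_jmp_set) siglongjmp(error_jmp, 1); else exit(eval);` in both functions. `_warning` is a reserved identifier at file scope (leading underscore), and `cleanup(int)` is declared here but defined elsewhere, which a one-line comment naming its home would make clear.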
diff --git a/plugins/sudoers/find_path.c b/plugins/sudoers/find_path.c index 59d94f387..d98e2f7aa 100644 --- a/plugins/sudoers/find_path.c +++ b/plugins/sudoers/find_path.c @@ -43,7 +43,7 @@ # include #endif /* HAVE_UNISTD_H */ -#include "sudo.h" +#include "sudoers.h" /* * This function finds the full pathname for a command and diff --git a/plugins/sudoers/getspwuid.c b/plugins/sudoers/getspwuid.c index 8c07d1516..8037c4733 100644 --- a/plugins/sudoers/getspwuid.c +++ b/plugins/sudoers/getspwuid.c @@ -68,7 +68,7 @@ # include #endif /* HAVE_GETAUTHUID */ -#include "sudo.h" +#include "sudoers.h" /* * Exported for auth/secureware.c @@ -85,19 +85,18 @@ char * sudo_getepw(pw) const struct passwd *pw; { - char *epw; + char *epw = NULL; /* If there is a function to check for shadow enabled, use it... */ #ifdef HAVE_ISCOMSEC if (!iscomsec()) - return(estrdup(pw->pw_passwd)); + goto done; #endif /* HAVE_ISCOMSEC */ #ifdef HAVE_ISSECURE if (!issecure()) - return(estrdup(pw->pw_passwd)); + goto done; #endif /* HAVE_ISSECURE */ - epw = NULL; #ifdef HAVE_GETPRPWNAM { struct pr_passwd *spw; @@ -106,10 +105,8 @@ sudo_getepw(pw) # ifdef __alpha crypt_type = spw->ufld.fd_oldcrypt; # endif /* __alpha */ - epw = estrdup(spw->ufld.fd_encrypt); + epw = spw->ufld.fd_encrypt; } - if (epw) - return(epw); } #endif /* HAVE_GETPRPWNAM */ #ifdef HAVE_GETSPNAM @@ -117,9 +114,7 @@ sudo_getepw(pw) struct spwd *spw; if ((spw = getspnam(pw->pw_name)) && spw->sp_pwdp) - epw = estrdup(spw->sp_pwdp); - if (epw) - return(epw); + epw = spw->sp_pwdp; } #endif /* HAVE_GETSPNAM */ #ifdef HAVE_GETSPWUID @@ -127,9 +122,7 @@ sudo_getepw(pw) struct s_passwd *spw; if ((spw = getspwuid(pw->pw_uid)) && spw->pw_passwd) - epw = estrdup(spw->pw_passwd); - if (epw) - return(epw); + epw = spw->pw_passwd; } #endif /* HAVE_GETSPWUID */ #ifdef HAVE_GETPWANAM 
@@ -137,9 +130,7 @@ sudo_getepw(pw) struct passwd_adjunct *spw; if ((spw = getpwanam(pw->pw_name)) && spw->pwa_passwd) - epw = estrdup(spw->pwa_passwd); - if (epw) - return(epw); + epw = spw->pwa_passwd; } #endif /* HAVE_GETPWANAM */ #ifdef HAVE_GETAUTHUID @@ -147,14 +138,15 @@ sudo_getepw(pw) AUTHORIZATION *spw; if ((spw = getauthuid(pw->pw_uid)) && spw->a_password) - epw = estrdup(spw->a_password); - if (epw) - return(epw); + epw = spw->a_password; } #endif /* HAVE_GETAUTHUID */ - /* Fall back on normal password. */ - return(estrdup(pw->pw_passwd)); +#if defined(HAVE_ISCOMSEC) || defined(HAVE_ISSECURE) +done: +#endif + /* If no shadow password, fall back on regular password. */ + return estrdup(epw ? epw : pw->pw_passwd); } void diff --git a/plugins/sudoers/goodpath.c b/plugins/sudoers/goodpath.c index 258bc899a..c46ff2873 100644 --- a/plugins/sudoers/goodpath.c +++ b/plugins/sudoers/goodpath.c @@ -36,7 +36,7 @@ #endif /* HAVE_UNISTD_H */ #include -#include "sudo.h" +#include "sudoers.h" /* * Verify that path is a normal file and executable by root. diff --git a/plugins/sudoers/gram.c b/plugins/sudoers/gram.c index add47a40a..a52015dd0 100644 --- a/plugins/sudoers/gram.c +++ b/plugins/sudoers/gram.c @@ -1,11 +1,3 @@ -#ifndef lint -/*static char yysccsid[] = "from: @(#)yaccpar 1.9 (Berkeley) 02/21/93";*/ -static char yyrcsid[] -#if __GNUC__ >= 2 - __attribute__ ((unused)) -#endif /* __GNUC__ >= 2 */ - = "$OpenBSD: skeleton.c,v 1.29 2008/07/08 15:06:50 otto Exp $"; -#endif #include #include #define YYBYACC 1 @@ -17,7 +9,7 @@ static char yyrcsid[] #define yyerrok (yyerrflag=0) #define YYRECOVERING() (yyerrflag!=0) #define YYPREFIX "yy" -#line 2 "gram.y" +#line 2 "./gram.y" /* * Copyright (c) 1996, 1998-2005, 2007-2009 * Todd C. Miller @@ -69,7 +61,7 @@ static char yyrcsid[] #endif /* YYBISON && HAVE_ALLOCA_H && !__GNUC__ */ #include -#include "sudo.h" +#include "sudoers.h" /* XXX */ #include "parse.h" /* 
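Review bot: The rewrite of sudo_getepw() changes precedence when more than one shadow-password source is compiled in: previously the first source that yielded a password returned it immediately, whereas now each later `#ifdef` block (@@ -106, @@ -117, @@ -127, @@ -137 and this hunk) overwrites `epw`, so the last configured source wins. Whether more than one HAVE_GET* macro can be defined on a given platform is not visible here; a comment above the chain such as `/* Sources are tried in order; a later hit overrides an earlier one. */`, or restoring a `if (epw) goto done;` after each lookup, would make the intent explicit. `epw` also points into the library's static storage until the final estrdup(), so any intervening lookup in a later block could overwrite it, which is another reason to stop at the first hit.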
@@ -118,6 +110,7 @@ yyerror(s) errorfile = estrdup(sudoers); } if (verbose && s != NULL) { + /* XXX - conversation function when called via plugin */ #ifndef TRACELEXER (void) fprintf(stderr, ">>> %s: %s near line %d <<<\n", sudoers, s, sudolineno ? sudolineno - 1 : 0); @@ -127,7 +120,7 @@ yyerror(s) } parse_error = TRUE; } -#line 117 "gram.y" +#line 114 "./gram.y" #ifndef YYSTYPE_DEFINED #define YYSTYPE_DEFINED typedef union { @@ -143,7 +136,7 @@ typedef union { int tok; } YYSTYPE; #endif /* YYSTYPE_DEFINED */ -#line 151 "y.tab.c" +#line 140 "y.tab.c" #define COMMAND 257 #define ALIAS 258 #define DEFVAR 259 @@ -625,7 +618,7 @@ short *yyss; short *yysslim; YYSTYPE *yyvs; int yystacksize; -#line 600 "gram.y" +#line 597 "./gram.y" static struct defaults * new_default(var, val, op) char *var; @@ -816,7 +809,7 @@ init_parser(path, quiet) sudolineno = 1; verbose = !quiet; } -#line 772 "y.tab.c" +#line 761 "y.tab.c" /* allocate initial stack or double stack size, up to YYMAXDEPTH */ #if defined(__cplusplus) || defined(__STDC__) static int yygrowstack(void) 
@@ -1022,127 +1015,127 @@ yyreduce: switch (yyn) { case 1: -#line 190 "gram.y" +#line 187 "./gram.y" { ; } break; case 5: -#line 198 "gram.y" +#line 195 "./gram.y" { ; } break; case 6: -#line 201 "gram.y" +#line 198 "./gram.y" { yyerrok; } break; case 7: -#line 204 "gram.y" +#line 201 "./gram.y" { add_userspec(yyvsp[-1].member, yyvsp[0].privilege); } break; case 8: -#line 207 "gram.y" +#line 204 "./gram.y" { ; } break; case 9: -#line 210 "gram.y" +#line 207 "./gram.y" { ; } break; case 10: -#line 213 "gram.y" +#line 210 "./gram.y" { ; } break; case 11: -#line 216 "gram.y" +#line 213 "./gram.y" { ; } break; case 12: -#line 219 "gram.y" +#line 216 "./gram.y" { add_defaults(DEFAULTS, NULL, yyvsp[0].defaults); } break; case 13: -#line 222 "gram.y" +#line 219 "./gram.y" { add_defaults(DEFAULTS_USER, yyvsp[-1].member, yyvsp[0].defaults); } break; case 14: -#line 225 "gram.y" +#line 222 "./gram.y" { add_defaults(DEFAULTS_RUNAS, yyvsp[-1].member, yyvsp[0].defaults); } break; case 15: -#line 228 "gram.y" +#line 225 "./gram.y" { add_defaults(DEFAULTS_HOST, yyvsp[-1].member, yyvsp[0].defaults); } break; case 16: -#line 231 "gram.y" +#line 228 "./gram.y" { add_defaults(DEFAULTS_CMND, yyvsp[-1].member, yyvsp[0].defaults); } break; case 18: -#line 237 "gram.y" +#line 234 "./gram.y" { list_append(yyvsp[-2].defaults, yyvsp[0].defaults); yyval.defaults = yyvsp[-2].defaults; } break; case 19: -#line 243 "gram.y" +#line 240 "./gram.y" { yyval.defaults = new_default(yyvsp[0].string, NULL, TRUE); } break; case 20: -#line 246 "gram.y" +#line 243 "./gram.y" { yyval.defaults = new_default(yyvsp[0].string, NULL, FALSE); } break; case 21: -#line 249 "gram.y" +#line 246 "./gram.y" { yyval.defaults = new_default(yyvsp[-2].string, yyvsp[0].string, TRUE); } break; case 22: -#line 252 "gram.y" +#line 249 "./gram.y" { yyval.defaults = new_default(yyvsp[-2].string, yyvsp[0].string, '+'); } break; case 23: -#line 255 "gram.y" +#line 252 "./gram.y" { yyval.defaults = new_default(yyvsp[-2].string, 
yyvsp[0].string, '-'); } break; case 25: -#line 261 "gram.y" +#line 258 "./gram.y" { list_append(yyvsp[-2].privilege, yyvsp[0].privilege); yyval.privilege = yyvsp[-2].privilege; } break; case 26: -#line 267 "gram.y" +#line 264 "./gram.y" { struct privilege *p = emalloc(sizeof(*p)); list2tq(&p->hostlist, yyvsp[-2].member); @@ -1153,51 +1146,51 @@ case 26: } break; case 27: -#line 277 "gram.y" +#line 274 "./gram.y" { yyval.member = yyvsp[0].member; yyval.member->negated = FALSE; } break; case 28: -#line 281 "gram.y" +#line 278 "./gram.y" { yyval.member = yyvsp[0].member; yyval.member->negated = TRUE; } break; case 29: -#line 287 "gram.y" +#line 284 "./gram.y" { yyval.member = new_member(yyvsp[0].string, ALIAS); } break; case 30: -#line 290 "gram.y" +#line 287 "./gram.y" { yyval.member = new_member(NULL, ALL); } break; case 31: -#line 293 "gram.y" +#line 290 "./gram.y" { yyval.member = new_member(yyvsp[0].string, NETGROUP); } break; case 32: -#line 296 "gram.y" +#line 293 "./gram.y" { yyval.member = new_member(yyvsp[0].string, NTWKADDR); } break; case 33: -#line 299 "gram.y" +#line 296 "./gram.y" { yyval.member = new_member(yyvsp[0].string, WORD); } break; case 35: -#line 305 "gram.y" +#line 302 "./gram.y" { list_append(yyvsp[-2].cmndspec, yyvsp[0].cmndspec); #ifdef HAVE_SELINUX @@ -1228,7 +1221,7 @@ case 35: } break; case 36: -#line 335 "gram.y" +#line 332 "./gram.y" { struct cmndspec *cs = emalloc(sizeof(*cs)); if (yyvsp[-3].runas != NULL) { 
@@ -1255,80 +1248,80 @@ case 36: } break; case 37: -#line 361 "gram.y" +#line 358 "./gram.y" { yyval.member = yyvsp[0].member; yyval.member->negated = FALSE; } break; case 38: -#line 365 "gram.y" +#line 362 "./gram.y" { yyval.member = yyvsp[0].member; yyval.member->negated = TRUE; } break; case 39: -#line 371 "gram.y" +#line 368 "./gram.y" { yyval.string = yyvsp[0].string; } break; case 40: -#line 376 "gram.y" +#line 373 "./gram.y" { yyval.string = yyvsp[0].string; } break; case 41: -#line 381 "gram.y" +#line 378 "./gram.y" { yyval.seinfo.role = NULL; yyval.seinfo.type = NULL; } break; case 42: -#line 385 "gram.y" +#line 382 "./gram.y" { yyval.seinfo.role = yyvsp[0].string; yyval.seinfo.type = NULL; } break; case 43: -#line 389 "gram.y" +#line 386 "./gram.y" { yyval.seinfo.type = yyvsp[0].string; yyval.seinfo.role = NULL; } break; case 44: -#line 393 "gram.y" +#line 390 "./gram.y" { yyval.seinfo.role = yyvsp[-1].string; yyval.seinfo.type = yyvsp[0].string; } break; case 45: -#line 397 "gram.y" +#line 394 "./gram.y" { yyval.seinfo.type = yyvsp[-1].string; yyval.seinfo.role = yyvsp[0].string; } break; case 46: -#line 403 "gram.y" +#line 400 "./gram.y" { yyval.runas = NULL; } break; case 47: -#line 406 "gram.y" +#line 403 "./gram.y" { yyval.runas = yyvsp[-1].runas; } break; case 48: -#line 411 "gram.y" +#line 408 "./gram.y" { yyval.runas = emalloc(sizeof(struct runascontainer)); yyval.runas->runasusers = yyvsp[0].member; @@ -1336,7 +1329,7 @@ case 48: } break; case 49: -#line 416 "gram.y" +#line 413 "./gram.y" { yyval.runas = emalloc(sizeof(struct runascontainer)); yyval.runas->runasusers = yyvsp[-2].member; @@ -1344,7 +1337,7 @@ case 49: } break; case 50: -#line 421 "gram.y" +#line 418 "./gram.y" { yyval.runas = emalloc(sizeof(struct runascontainer)); yyval.runas->runasusers = NULL; 
@@ -1352,73 +1345,73 @@ case 50: } break; case 51: -#line 428 "gram.y" +#line 425 "./gram.y" { yyval.tag.nopasswd = yyval.tag.noexec = yyval.tag.setenv = yyval.tag.transcript = UNSPEC; } break; case 52: -#line 431 "gram.y" +#line 428 "./gram.y" { yyval.tag.nopasswd = TRUE; } break; case 53: -#line 434 "gram.y" +#line 431 "./gram.y" { yyval.tag.nopasswd = FALSE; } break; case 54: -#line 437 "gram.y" +#line 434 "./gram.y" { yyval.tag.noexec = TRUE; } break; case 55: -#line 440 "gram.y" +#line 437 "./gram.y" { yyval.tag.noexec = FALSE; } break; case 56: -#line 443 "gram.y" +#line 440 "./gram.y" { yyval.tag.setenv = TRUE; } break; case 57: -#line 446 "gram.y" +#line 443 "./gram.y" { yyval.tag.setenv = FALSE; } break; case 58: -#line 449 "gram.y" +#line 446 "./gram.y" { yyval.tag.transcript = TRUE; } break; case 59: -#line 452 "gram.y" +#line 449 "./gram.y" { yyval.tag.transcript = FALSE; } break; case 60: -#line 457 "gram.y" +#line 454 "./gram.y" { yyval.member = new_member(NULL, ALL); } break; case 61: -#line 460 "gram.y" +#line 457 "./gram.y" { yyval.member = new_member(yyvsp[0].string, ALIAS); } break; case 62: -#line 463 "gram.y" +#line 460 "./gram.y" { struct sudo_command *c = emalloc(sizeof(*c)); c->cmnd = yyvsp[0].command.cmnd; @@ -1427,7 +1420,7 @@ case 62: } break; case 65: -#line 475 "gram.y" +#line 472 "./gram.y" { char *s; if ((s = alias_add(yyvsp[-2].string, HOSTALIAS, yyvsp[0].member)) != NULL) { @@ -1437,14 +1430,14 @@ case 65: } break; case 67: -#line 485 "gram.y" +#line 482 "./gram.y" { list_append(yyvsp[-2].member, yyvsp[0].member); yyval.member = yyvsp[-2].member; } break; case 70: -#line 495 "gram.y" +#line 492 "./gram.y" { char *s; if ((s = alias_add(yyvsp[-2].string, CMNDALIAS, yyvsp[0].member)) != NULL) { 
@@ -1454,14 +1447,14 @@ case 70: } break; case 72: -#line 505 "gram.y" +#line 502 "./gram.y" { list_append(yyvsp[-2].member, yyvsp[0].member); yyval.member = yyvsp[-2].member; } break; case 75: -#line 515 "gram.y" +#line 512 "./gram.y" { char *s; if ((s = alias_add(yyvsp[-2].string, RUNASALIAS, yyvsp[0].member)) != NULL) { @@ -1471,7 +1464,7 @@ case 75: } break; case 78: -#line 528 "gram.y" +#line 525 "./gram.y" { char *s; if ((s = alias_add(yyvsp[-2].string, USERALIAS, yyvsp[0].member)) != NULL) { 
@@ -1481,96 +1474,96 @@ case 78: } break; case 80: -#line 538 "gram.y" +#line 535 "./gram.y" { list_append(yyvsp[-2].member, yyvsp[0].member); yyval.member = yyvsp[-2].member; } break; case 81: -#line 544 "gram.y" +#line 541 "./gram.y" { yyval.member = yyvsp[0].member; yyval.member->negated = FALSE; } break; case 82: -#line 548 "gram.y" +#line 545 "./gram.y" { yyval.member = yyvsp[0].member; yyval.member->negated = TRUE; } break; case 83: -#line 554 "gram.y" +#line 551 "./gram.y" { yyval.member = new_member(yyvsp[0].string, ALIAS); } break; case 84: -#line 557 "gram.y" +#line 554 "./gram.y" { yyval.member = new_member(NULL, ALL); } break; case 85: -#line 560 "gram.y" +#line 557 "./gram.y" { yyval.member = new_member(yyvsp[0].string, NETGROUP); } break; case 86: -#line 563 "gram.y" +#line 560 "./gram.y" { yyval.member = new_member(yyvsp[0].string, USERGROUP); } break; case 87: -#line 566 "gram.y" +#line 563 "./gram.y" { yyval.member = new_member(yyvsp[0].string, WORD); } break; case 89: -#line 572 "gram.y" +#line 569 "./gram.y" { list_append(yyvsp[-2].member, yyvsp[0].member); yyval.member = yyvsp[-2].member; } break; case 90: -#line 578 "gram.y" +#line 575 "./gram.y" { yyval.member = yyvsp[0].member; yyval.member->negated = FALSE; } break; case 91: -#line 582 "gram.y" +#line 579 "./gram.y" { yyval.member = yyvsp[0].member; yyval.member->negated = TRUE; } break; case 92: -#line 588 "gram.y" +#line 585 "./gram.y" { yyval.member = new_member(yyvsp[0].string, ALIAS); } break; case 93: -#line 591 "gram.y" +#line 588 "./gram.y" { yyval.member = new_member(NULL, ALL); } break; case 94: -#line 594 "gram.y" +#line 591 "./gram.y" { yyval.member = new_member(yyvsp[0].string, WORD); } break; -#line 1526 "y.tab.c" +#line 1515 "y.tab.c" } yyssp -= yym; yystate = *yyssp; diff --git a/plugins/sudoers/gram.y b/plugins/sudoers/gram.y index 561862a3e..25e1a72f0 100644 --- a/plugins/sudoers/gram.y +++ b/plugins/sudoers/gram.y 
@@ -50,7 +50,7 @@ #endif /* YYBISON && HAVE_ALLOCA_H && !__GNUC__ */ #include -#include "sudo.h" +#include "sudoers.h" /* XXX */ #include "parse.h" /* @@ -99,6 +99,7 @@ yyerror(s) errorfile = estrdup(sudoers); } if (verbose && s != NULL) { + /* XXX - conversation function when called via plugin */ #ifndef TRACELEXER (void) fprintf(stderr, ">>> %s: %s near line %d <<<\n", sudoers, s, sudolineno ? sudolineno - 1 : 0); diff --git a/plugins/sudoers/interfaces.c b/plugins/sudoers/interfaces.c index eed075301..1f1f5d5fa 100644 --- a/plugins/sudoers/interfaces.c +++ b/plugins/sudoers/interfaces.c @@ -81,7 +81,7 @@ struct rtentry; # include #endif -#include "sudo.h" +#include "sudoers.h" #include "interfaces.h" /* Minix apparently lacks IFF_LOOPBACK */ diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c index 94ea4cbe4..18ab135e5 100644 --- a/plugins/sudoers/ldap.c +++ b/plugins/sudoers/ldap.c @@ -77,7 +77,7 @@ # endif #endif -#include "sudo.h" +#include "sudoers.h" #include "parse.h" #include "lbuf.h" diff --git a/plugins/sudoers/logging.c b/plugins/sudoers/logging.c index 9034e7f0d..2c6ec5f1f 100644 --- a/plugins/sudoers/logging.c +++ b/plugins/sudoers/logging.c @@ -55,11 +55,11 @@ #include #include -#include "sudo.h" +#include "sudoers.h" static void do_syslog __P((int, char *)); static void do_logfile __P((char *)); -static void send_mail __P((char *)); +static void send_mail __P((const char *fmt, ...)); static int should_mail __P((int)); static void mysyslog __P((int, const char *, ...)); static char *new_logline __P((const char *, int)); 
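Review bot: The new variadic prototype `static void send_mail __P((const char *fmt, ...));` carries no format attribute, so the compiler cannot check the `def_logfile`/`strerror(errno)` arguments that `do_logfile()` now passes (that call site is in a later hunk) against the format string. This tree already relies on GCC attributes (`__attribute__((__noreturn__))`), so add `__attribute__((__format__(__printf__, 1, 2)))` to this declaration and, while here, `(2, 3)` to the neighbouring `mysyslog` prototype. Naming only this parameter (`fmt`) is also inconsistent with the unnamed parameters of the surrounding `__P` declarations.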
@@ -184,15 +184,9 @@ do_logfile(msg) fp = fopen(def_logfile, "a"); (void) umask(oldmask); if (fp == NULL) { - easprintf(&full_line, "Can't open log file: %s: %s", - def_logfile, strerror(errno)); - send_mail(full_line); - efree(full_line); + send_mail("Can't open log file: %s: %s", def_logfile, strerror(errno)); } else if (!lock_file(fileno(fp), SUDO_LOCK)) { - easprintf(&full_line, "Can't lock log file: %s: %s", - def_logfile, strerror(errno)); - send_mail(full_line); - efree(full_line); + send_mail("Can't lock log file: %s: %s", def_logfile, strerror(errno)); } else { time_t now; @@ -369,13 +363,14 @@ log_error(flags, fmt, va_alist) va_start(ap); #endif - /* Become root if we are not already to avoid user interference */ - set_perms(PERM_ROOT|PERM_NOEXIT); - /* Expand printf-style format + args. */ evasprintf(&message, fmt, ap); va_end(ap); + /* Become root if we are not already to avoid user interference */ + /* XXX - could longjmp back with wrong uid */ + set_perms(PERM_ROOT|PERM_NOEXIT); + if (ISSET(flags, MSG_ONLY)) logline = message; else @@ -409,10 +404,14 @@ log_error(flags, fmt, va_alist) efree(logline); +#if 0 /* XXX - longjmp instead */ if (!ISSET(flags, NO_EXIT)) { cleanup(0); exit(1); } +#endif + + set_perms(PERM_USER); } #define MAX_MAILFLAGS 63 @@ -421,14 +420,14 @@ log_error(flags, fmt, va_alist) * Send a message to MAILTO user */ static void -send_mail(line) - char *line; +send_mail(const char *fmt, ...) { FILE *mail; char *p; int fd, pfd[2], status; pid_t pid, rv; sigaction_t sa; + va_list ap; #ifndef NO_ROOT_MAILER static char *root_envp[] = { "HOME=/", 
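Review bot: In `log_error()`, placing the `cleanup(0); exit(1);` path under `#if 0` makes the function return to every caller that does not pass `NO_EXIT`, while the `sigsetjmp(error_jmp, 1)` sites in `sudoers_policy_open()`/`sudoers_policy_check()` later in this commit state they expect to be reached "via error(), errorx() or log_error()"; nothing in this hunk performs that jump, so callers written as if `log_error()` never returns now fall through into code that assumed success. Until the `siglongjmp` is wired in here (after the new `set_perms(PERM_USER)`, which would also resolve the "wrong uid" XXX), the hard exit should remain rather than be disabled. The trailing `set_perms(PERM_USER)` also runs unconditionally, including on the `MSG_ONLY` path, and sets a fixed permission state instead of restoring the caller's; a comment stating the permission state callers are expected to be in would make that contract explicit. `log_error()`'s body begins outside these hunks.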
@@ -589,8 +588,14 @@ send_mail(line) } else (void) fputc(*p, mail); } - (void) fprintf(mail, "\n\n%s : %s : %s : %s\n\n", user_host, - get_timestr(time(NULL), def_log_year), user_name, line); + + (void) fprintf(mail, "\n\n%s : %s : %s : ", user_host, + get_timestr(time(NULL), def_log_year), user_name); + va_start(ap, fmt); + (void) vfprintf(mail, fmt, ap); + va_end(ap); + fputs("\n\n", mail); + fclose(mail); do { #ifdef HAVE_WAITPID @@ -667,9 +672,11 @@ new_logline(message, serrno) } len += sizeof(LL_ENV_STR) + 2 + evlen; } - len += sizeof(LL_CMND_STR) - 1 + strlen(user_cmnd); - if (user_args != NULL) - len += strlen(user_args) + 1; + if (user_cmnd != NULL) { + len += sizeof(LL_CMND_STR) - 1 + strlen(user_cmnd); + if (user_args != NULL) + len += strlen(user_args) + 1; + } /* * Allocate and build up the line. @@ -720,16 +727,18 @@ new_logline(message, serrno) goto toobig; efree(evstr); } - if (strlcat(line, LL_CMND_STR, len) >= len || - strlcat(line, user_cmnd, len) >= len) - goto toobig; - if (user_args != NULL) { - if (strlcat(line, " ", len) >= len || - strlcat(line, user_args, len) >= len) + if (user_cmnd != NULL) { + if (strlcat(line, LL_CMND_STR, len) >= len || + strlcat(line, user_cmnd, len) >= len) goto toobig; + if (user_args != NULL) { + if (strlcat(line, " ", len) >= len || + strlcat(line, user_args, len) >= len) + goto toobig; + } } - return (line); + return line; toobig: errorx(1, "internal error: insufficient space for log line"); } diff --git a/plugins/sudoers/match.c b/plugins/sudoers/match.c index 8757e7aec..0f61b88c2 100644 --- a/plugins/sudoers/match.c +++ b/plugins/sudoers/match.c @@ -78,7 +78,7 @@ # endif #endif -#include "sudo.h" +#include "sudoers.h" #include "interfaces.h" #include "parse.h" #include diff --git a/plugins/sudoers/mon_systrace.c b/plugins/sudoers/mon_systrace.c index 4afc05a39..83eb0e4f5 100644 --- a/plugins/sudoers/mon_systrace.c +++ b/plugins/sudoers/mon_systrace.c 
@@ -41,7 +41,7 @@ # endif #endif -#include "sudo.h" +#include "sudoers.h" #include "mon_systrace.h" /* diff --git a/plugins/sudoers/parse.c b/plugins/sudoers/parse.c index 464416916..fb4e3fd92 100644 --- a/plugins/sudoers/parse.c +++ b/plugins/sudoers/parse.c @@ -43,7 +43,7 @@ #include #include -#include "sudo.h" +#include "sudoers.h" #include "parse.h" #include "lbuf.h" #include diff --git a/plugins/sudoers/pwutil.c b/plugins/sudoers/pwutil.c index 46c45d01d..f8f765485 100644 --- a/plugins/sudoers/pwutil.c +++ b/plugins/sudoers/pwutil.c @@ -49,7 +49,7 @@ #include #include -#include "sudo.h" +#include "sudoers.h" #include "redblack.h" /* diff --git a/plugins/sudoers/redblack.c b/plugins/sudoers/redblack.c index 95ac095b0..48cce83f3 100644 --- a/plugins/sudoers/redblack.c +++ b/plugins/sudoers/redblack.c @@ -54,7 +54,7 @@ # endif #endif /* STDC_HEADERS */ -#include "sudo.h" +#include "sudoers.h" #include "redblack.h" static void rbrepair __P((struct rbtree *, struct rbnode *)); diff --git a/plugins/sudoers/set_perms.c b/plugins/sudoers/set_perms.c index 4f3f44900..e21ecda16 100644 --- a/plugins/sudoers/set_perms.c +++ b/plugins/sudoers/set_perms.c @@ -49,7 +49,7 @@ # include #endif -#include "sudo.h" +#include "sudoers.h" #ifdef __TANDEM # define ROOT_UID 65535 diff --git a/plugins/sudoers/sudo_nss.c b/plugins/sudoers/sudo_nss.c index e77aa627c..c474e9a42 100644 --- a/plugins/sudoers/sudo_nss.c +++ b/plugins/sudoers/sudo_nss.c @@ -41,7 +41,7 @@ #include #include -#include "sudo.h" +#include "sudoers.h" #include "lbuf.h" extern struct sudo_nss sudo_nss_file; diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c index 1b93fabee..7dab3b117 100644 --- a/plugins/sudoers/sudoers.c +++ b/plugins/sudoers/sudoers.c 
@@ -97,11 +97,13 @@ #ifdef HAVE_MBR_CHECK_MEMBERSHIP # include #endif +#include -#include -#include "sudo.h" +#include "sudo_plugin.h" +#include "sudoers.h" #include "lbuf.h" #include "interfaces.h" +#include "auth/sudo_auth.h" #ifdef USING_NONUNIX_GROUPS # include "nonunix.h" @@ -110,45 +112,39 @@ /* * Prototypes */ -static void init_vars __P((int, char **)); +static void init_vars __P((char * const *)); static int set_cmnd __P((int)); -static int parse_args __P((int, char **)); -static void initial_setup __P((void)); static void set_loginclass __P((struct passwd *)); static void set_project __P((struct passwd *)); static void set_runasgr __P((char *)); static void set_runaspw __P((char *)); -static void show_version __P((void)); -static void usage __P((int)) - __attribute__((__noreturn__)); -static void usage_excl __P((int)) - __attribute__((__noreturn__)); +static int sudoers_policy_version(int verbose); static struct passwd *get_authpw __P((void)); +static int deserialize_info(char * const settings[], char * const user_info[]); + extern int sudo_edit __P((int, char **, char **)); -extern void rebuild_env __P((int, int)); +extern int rebuild_env __P((int, int)); +extern int env_init __P((char * const envp[])); void validate_env_vars __P((struct list_member *)); void insert_env_vars __P((struct list_member *)); +/* XXX */ +char *fmt_string(const char *, const char *); + /* * Globals */ -int Argc, NewArgc; -char **Argv, **NewArgv; char *prev_user; -static int user_closefrom = -1; struct sudo_user sudo_user; struct passwd *auth_pw, *list_pw; struct interface *interfaces; int num_interfaces; -int tgetpass_flags; int long_list; +int debug_level; uid_t timestamp_uid; extern int errorlineno; extern int parse_error; extern char *errorfile; -#if defined(RLIMIT_CORE) && !defined(SUDO_DEVEL) -static struct rlimit corelimit; -#endif /* RLIMIT_CORE && !SUDO_DEVEL */ #ifdef HAVE_LOGIN_CAP_H login_cap_t *lc; #endif /* HAVE_LOGIN_CAP_H */ 
@@ -160,34 +156,32 @@ static char *runas_user; static char *runas_group; static struct sudo_nss_list *snl; -/* For getopt(3) */ -extern char *optarg; -extern int optind; +static int NewArgc; +static char **NewArgv; + +/* XXX */ +extern int Argc; +extern char **Argv; +extern char **environ; + +/* error.c */ +extern sigjmp_buf error_jmp; -int -main(argc, argv, envp) - int argc; - char **argv; - char **envp; +static int sudo_mode; +static char * const * user_env; + +static int +sudoers_policy_open(unsigned int version, sudo_conv_t conversation, + char * const settings[], char * const user_info[], + char * const envp[]) { - int sources = 0, validated; - int fd, cmnd_status, sudo_mode, pwflag, rc = 0; + int sources = 0; sigaction_t sa; struct sudo_nss *nss; -#if defined(SUDO_DEVEL) && defined(__OpenBSD__) - extern char *malloc_options; - malloc_options = "AFGJPR"; -#endif -#ifdef HAVE_SETLOCALE - setlocale(LC_ALL, ""); -#endif - - Argv = argv; - if ((Argc = argc) < 1) - usage(1); + /* XXX - must not call log_error yet */ - /* Must be done as the first thing... */ + /* Must be done before we do any password lookups */ #if defined(HAVE_GETPRPWNAM) && defined(HAVE_SET_AUTH_PARAMETERS) (void) set_auth_parameters(Argc, Argv); # ifdef HAVE_INITPRIVS @@ -195,9 +189,14 @@ main(argc, argv, envp) # endif #endif /* HAVE_GETPRPWNAM && HAVE_SET_AUTH_PARAMETERS */ - if (geteuid() != 0) - errorx(1, "must be setuid root"); + sudo_conv = conversation; /* XXX, stash elsewhere? */ + if (sigsetjmp(error_jmp, 1)) { + /* called via error(), errorx() or log_error() */ + return -1; + } + +/* XXX - duplicated in sudo.c */ /* * Signal setup: * Ignore keyboard-generated signals so the user cannot interrupt 
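Review bot: `sudoers_policy_open()` never compares its `version` argument with the plugin API version it was built against, so a front end passing a different `settings`/`user_info` layout is parsed silently; a check that returns -1 on a major-version mismatch belongs before `deserialize_info()` is called (in a later hunk). The `sigsetjmp(error_jmp, 1)` here arms a jump into this function's frame, which is dead once `open` returns, and `sudoers_policy_check()` only re-arms the buffer when it is entered, so an `error()`/`errorx()` raised in between would `siglongjmp` into a returned frame — either invalidate the buffer on return or document that nothing may raise in that window. `set_auth_parameters(Argc, Argv)` still uses the front end's `Argc`/`Argv` through the `extern` declarations marked `XXX`, although the plugin receives the command arguments only later through `sudoers_policy_check()`. `sudoers_policy_open()` continues past this hunk.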
@@ -212,22 +211,19 @@ main(argc, argv, envp) (void) sigaction(SIGQUIT, &sa, &saved_sa_quit); (void) sigaction(SIGTSTP, &sa, &saved_sa_tstp); - /* - * Turn off core dumps and make sure fds 0-2 are open. - */ - initial_setup(); sudo_setpwent(); sudo_setgrent(); - /* Parse our arguments. */ - sudo_mode = parse_args(Argc, Argv); - /* Setup defaults data structures. */ init_defaults(); /* Load the list of local ip addresses and netmasks. */ load_interfaces(); + /* Parse settings and user_info */ + sudo_mode = deserialize_info(settings, user_info); + +#if 0 /* XXX */ pwflag = 0; if (ISSET(sudo_mode, MODE_SHELL)) user_cmnd = "shell"; @@ -270,8 +266,9 @@ main(argc, argv, envp) /* Must have a command to run... */ if (user_cmnd == NULL && NewArgc == 0) usage(1); +#endif - init_vars(sudo_mode, envp); /* XXX - move this later? */ + init_vars(envp); /* XXX - move this later? */ #ifdef USING_NONUNIX_GROUPS sudo_nonunix_groupcheck_init(); /* initialise nonunix groups impl */ @@ -287,8 +284,10 @@ main(argc, argv, envp) nss->setdefs(nss); } } - if (sources == 0) - log_error(0, "no valid sudoers sources found, quitting"); + if (sources == 0) { + warningx("no valid sudoers sources found, quitting"); + return -1; + } /* XXX - collect post-sudoers parse settings into a function */ 
@@ -310,34 +309,69 @@ main(argc, argv, envp) /* Set login class if applicable. */ set_loginclass(sudo_user.pw); +#if 0 /* XXX - later */ /* Update initial shell now that runas is set. */ if (ISSET(sudo_mode, MODE_LOGIN_SHELL)) NewArgv[0] = runas_pw->pw_shell; +#endif - /* This goes after sudoers is parsed since it may have timestamp options. */ - if (sudo_mode == MODE_KILL || sudo_mode == MODE_INVALIDATE) { - remove_timestamp((sudo_mode == MODE_KILL)); - cleanup(0); - exit(0); - } + /* XXX */ + user_env = envp; /* stash for later */ + + return TRUE; +} + +static void +sudoers_policy_close(int exit_status, int error) +{ + /* XXX - fill in */ + return; +} + +static int +sudoers_policy_check(int argc, char * const argv[], char *env_add[], + char **command_infop[], char **argv_out[], char **user_env_out[]) +{ + static char *command_info[32]; /* XXX */ + struct sudo_nss *nss; + char **old_environ = environ; + int cmnd_status, fd, validated, pwflag = 0; + int info_len = 0; + int rval = FALSE; /* Is root even allowed to run sudo? */ if (user_uid == 0 && !def_root_sudo) { - (void) fprintf(stderr, - "Sorry, %s has been configured to not allow root to run it.\n", - getprogname()); - exit(1); - } + warningx("sudoers specifies that root is not allowed to sudo"); + goto done; + } - /* Check for -C overriding def_closefrom. */ - if (user_closefrom >= 0 && user_closefrom != def_closefrom) { - if (!def_closefrom_override) - errorx(1, "you are not permitted to use the -C option"); - else - def_closefrom = user_closefrom; + if (sigsetjmp(error_jmp, 1)) { + /* called via error(), errorx() or log_error() */ + return -1; } + /* Local copy of argv */ + NewArgv = emalloc2(argc + 1, sizeof(char *)); + memcpy(NewArgv, argv, argc * sizeof(char *)); + NewArgv[argc] = NULL; + NewArgc = argc; + + /* Set environ to contents of user_env. 
*/ + env_init(user_env); + + /* XXX*/ + SET(sudo_mode, MODE_RUN); + +#ifdef USING_NONUNIX_GROUPS + sudo_nonunix_groupcheck_init(); /* initialise nonunix groups impl */ +#endif /* USING_NONUNIX_GROUPS */ + + /* Find command in path */ cmnd_status = set_cmnd(sudo_mode); + if (cmnd_status == -1) { + rval = -1; + goto done; + } #ifdef HAVE_SETLOCALE if (!setlocale(LC_ALL, def_sudoers_locale)) { @@ -347,6 +381,9 @@ main(argc, argv, envp) } #endif + /* + * Check sudoers sources. + */ validated = FLAG_NO_USER | FLAG_NO_HOST; tq_foreach_fwd(snl, nss) { validated = nss->lookup(nss, validated, pwflag); @@ -399,22 +436,21 @@ main(argc, argv, envp) def_preserve_groups = TRUE; /* If no command line args and "set_home" is not set, error out. */ - if (ISSET(sudo_mode, MODE_IMPLIED_SHELL) && !def_shell_noargs) - usage(1); + if (ISSET(sudo_mode, MODE_IMPLIED_SHELL) && !def_shell_noargs) { + /* XXX - error message */ + goto done; + } /* Bail if a tty is required and we don't have one. */ if (def_requiretty) { if ((fd = open(_PATH_TTY, O_RDWR|O_NOCTTY)) == -1) { - audit_failure(NewArgv, "no tty"); - log_error(NO_MAIL, "sorry, you must have a tty to run sudo"); + //audit_failure(NewArgv, "no tty"); + warningx("sorry, you must have a tty to run sudo"); + goto done; } else (void) close(fd); } - /* Use askpass value from sudoers unless user specified their own. */ - if (def_askpass && !user_askpass) - user_askpass = def_askpass; - /* User may have overridden environment resetting via the -E flag. */ if (ISSET(sudo_mode, MODE_PRESERVE_ENV) && def_setenv) def_env_reset = FALSE; 
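Review bot: The `if (sigsetjmp(error_jmp, 1))` branch in `sudoers_policy_check()` returns -1 directly and bypasses the `done:` label at the end of the function (in a later hunk) where `environ = old_environ` is restored, so an `error()`/`errorx()`/`log_error()` raised after `env_init(user_env)` leaves the front end running with the plugin's environment copy installed as `environ`. Route it through the cleanup instead: `if (sigsetjmp(error_jmp, 1)) { rval = -1; goto done; }` — `old_environ` is assigned before the `sigsetjmp` and never modified afterwards, so it is still valid on the jump. `NewArgv` is also only a shallow copy (`memcpy` of the pointer array), so the `*p = '-'` login-shell rewrite of `NewArgv[0]` later in this function still writes into the caller's argv string. `sudoers_policy_check()` starts in this hunk and continues beyond it.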
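Review bot: In the `def_requiretty` branch the refusal is now reported only with `warningx()` to stderr, the `audit_failure()` call is commented out with `//`, and the former `log_error(NO_MAIL, ...)` is gone, so a requiretty denial no longer reaches syslog, mail or the audit trail. Keep the audit and log calls before the `goto done` (a `log_error()` with `NO_MAIL|NO_EXIT` once its exit path is settled), and replace the `//` comments with `/* */` to match the rest of this file. The `MODE_IMPLIED_SHELL` branch likewise `goto done`s with `rval` still `FALSE` and only an `XXX - error message` comment, so the user is refused without any explanation.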
@@ -426,8 +462,12 @@ main(argc, argv, envp) auth_pw = get_authpw(); /* Require a password if sudoers says so. */ - if (def_authenticate) - check_user(validated, sudo_mode); + /* XXX - conversation function */ + if (def_authenticate) { + rval = check_user(validated, sudo_mode); + if (rval != TRUE) + goto done; + } /* If run as root with SUDO_USER set, set sudo_user.pw to that user. */ /* XXX - causes confusion when root is not listed in sudoers */ 
@@ -444,181 +484,118 @@ main(argc, argv, envp) } } - if (ISSET(validated, VALIDATE_OK)) { - /* Finally tell the user if the command did not exist. */ - if (cmnd_status == NOT_FOUND_DOT) { - audit_failure(NewArgv, "command in current directory"); - errorx(1, "ignoring `%s' found in '.'\nUse `sudo ./%s' if this is the `%s' you wish to run.", user_cmnd, user_cmnd, user_cmnd); - } else if (cmnd_status == NOT_FOUND) { - audit_failure(NewArgv, "%s: command not found", user_cmnd); - errorx(1, "%s: command not found", user_cmnd); - } - - /* If user specified env vars make sure sudoers allows it. */ - if (ISSET(sudo_mode, MODE_RUN) && !def_setenv) { - if (ISSET(sudo_mode, MODE_PRESERVE_ENV)) - log_error(NO_MAIL, - "sorry, you are not allowed to preserve the environment"); - else - validate_env_vars(sudo_user.env_vars); - } + if (!ISSET(validated, VALIDATE_OK)) { + /* XXX - error message */ + goto done; + } -#ifdef _PATH_SUDO_TRANSCRIPT - /* Get next session ID so we can log it. */ - if (def_transcript && ISSET(sudo_mode, (MODE_RUN | MODE_EDIT))) - script_nextid(); -#endif + /* Finally tell the user if the command did not exist. */ + if (cmnd_status == NOT_FOUND_DOT) { + //audit_failure(NewArgv, "command in current directory"); + warningx("ignoring `%s' found in '.'\nUse `sudo ./%s' if this is the `%s' you wish to run.", user_cmnd, user_cmnd, user_cmnd); + goto done; + } else if (cmnd_status == NOT_FOUND) { + //audit_failure(NewArgv, "%s: command not found", user_cmnd); + warningx("command not found", user_cmnd); + goto done; + } - log_allowed(validated); - if (ISSET(sudo_mode, MODE_CHECK)) - rc = display_cmnd(snl, list_pw ? list_pw : sudo_user.pw); - else if (ISSET(sudo_mode, MODE_LIST)) - display_privs(snl, list_pw ? list_pw : sudo_user.pw); + /* If user specified env vars make sure sudoers allows it. 
*/ + if (ISSET(sudo_mode, MODE_RUN) && !def_setenv) { + if (ISSET(sudo_mode, MODE_PRESERVE_ENV)) { + warningx("sorry, you are not allowed to preserve the environment"); + goto done; + } else + validate_env_vars(sudo_user.env_vars); + } - /* Cleanup sudoers sources */ - tq_foreach_fwd(snl, nss) - nss->close(nss); + log_allowed(validated); - /* Deferred exit due to sudo_ldap_close() */ - if (ISSET(sudo_mode, (MODE_VALIDATE|MODE_CHECK|MODE_LIST))) - exit(rc); + /* Cleanup sudoers sources */ + tq_foreach_fwd(snl, nss) { + nss->close(nss); + } - /* - * Set umask based on sudoers. - * If user's umask is more restrictive, OR in those bits too - * unless umask_override is set. - */ - if (def_umask != 0777) { - if (def_umask_override) { - umask(def_umask); - } else { - mode_t mask = umask(def_umask); - mask |= def_umask; - if (mask != def_umask) - umask(mask); - } + /* + * Set umask based on sudoers. + * If user's umask is more restrictive, OR in those bits too + * unless umask_override is set. + */ + if (def_umask != 0777) { + mode_t mask = def_umask; + if (!def_umask_override) { + mode_t omask = umask(mask); + mask |= omask; + umask(omask); } + easprintf(&command_info[info_len++], "umask=0%o", mask); + } - /* Restore coredumpsize resource limit. */ -#if defined(RLIMIT_CORE) && !defined(SUDO_DEVEL) - (void) setrlimit(RLIMIT_CORE, &corelimit); -#endif /* RLIMIT_CORE && !SUDO_DEVEL */ - - /* Must audit before uid change. */ - audit_success(NewArgv); - -#ifdef _PATH_SUDO_TRANSCRIPT - /* Open tty as needed */ - if (def_transcript) - script_setup(); -#endif + if (ISSET(sudo_mode, MODE_LOGIN_SHELL)) { + char *p; - /* Become specified user or root if executing a command. 
*/ - if (ISSET(sudo_mode, MODE_RUN)) - set_perms(PERM_FULL_RUNAS); + /* Convert /bin/sh -> -sh so shell knows it is a login shell */ + if ((p = strrchr(NewArgv[0], '/')) == NULL) + p = NewArgv[0]; + *p = '-'; + NewArgv[0] = p; - if (ISSET(sudo_mode, MODE_LOGIN_SHELL)) { - char *p; + /* Set cwd to run user's homedir. */ + command_info[info_len++] = fmt_string("cwd", runas_pw->pw_dir); - /* Convert /bin/sh -> -sh so shell knows it is a login shell */ - if ((p = strrchr(NewArgv[0], '/')) == NULL) - p = NewArgv[0]; - *p = '-'; - NewArgv[0] = p; +#if defined(__linux__) || defined(_AIX) + /* Insert system-wide environment variables. */ + /* XXX */ + read_env_file(_PATH_ENVIRONMENT, TRUE); +#endif + } - /* Change to target user's homedir. */ - if (chdir(runas_pw->pw_dir) == -1) - warning("unable to change directory to %s", runas_pw->pw_dir); + /* Insert system-wide environment variables. */ +#if 0 /* XXX - add back */ + if (def_env_file) { + read_env_file(def_env_file, FALSE); + } -#if defined(__linux__) || defined(_AIX) - /* Insert system-wide environment variables. */ - read_env_file(_PATH_ENVIRONMENT, TRUE); + /* Insert user-specified environment variables. */ + insert_env_vars(sudo_user.env_vars); #endif - } - if (ISSET(sudo_mode, MODE_EDIT)) - exit(sudo_edit(NewArgc, NewArgv, envp)); + /* Restore signal handlers before we exec. */ + (void) sigaction(SIGINT, &saved_sa_int, NULL); + (void) sigaction(SIGQUIT, &saved_sa_quit, NULL); + (void) sigaction(SIGTSTP, &saved_sa_tstp, NULL); + + /* Close the password and group files and free up memory. 
*/ + sudo_endpwent(); + sudo_endgrent(); + + /* XXX - handle ENOMEM */ + command_info[info_len++] = fmt_string("command", safe_cmnd); + if (def_stay_setuid) { + easprintf(&command_info[info_len++], "runas_uid=%u", user_uid); + easprintf(&command_info[info_len++], "runas_gid=%u", user_gid); + easprintf(&command_info[info_len++], "runas_euid=%u", runas_pw->pw_uid); + easprintf(&command_info[info_len++], "runas_egid=%u", runas_pw->pw_gid); + } else { + easprintf(&command_info[info_len++], "runas_uid=%u", runas_pw->pw_uid); + easprintf(&command_info[info_len++], "runas_gid=%u", runas_pw->pw_gid); + } - /* Insert system-wide environment variables. */ - if (def_env_file) - read_env_file(def_env_file, FALSE); + /* Must audit before uid change. */ + //audit_success(NewArgv); /* XXX */ - /* Insert user-specified environment variables. */ - insert_env_vars(sudo_user.env_vars); + /* XXX - set argv_out and env_out */ + *command_infop = command_info; - /* Restore signal handlers before we exec. */ - (void) sigaction(SIGINT, &saved_sa_int, NULL); - (void) sigaction(SIGQUIT, &saved_sa_quit, NULL); - (void) sigaction(SIGTSTP, &saved_sa_tstp, NULL); + *argv_out = NewArgv; + *user_env_out = environ; /* actually our local copy */ - /* Close the password and group files and free up memory. */ - sudo_endpwent(); - sudo_endgrent(); + rval = TRUE; - /* Move pty master/slave to low numbered fd and close the rest. */ -#ifdef _PATH_SUDO_TRANSCRIPT - fd = def_transcript ? 
script_duplow(def_closefrom) : def_closefrom; - closefrom(fd); -#else - closefrom(def_closefrom); -#endif +done: + environ = old_environ; -#ifdef PROFILING - exit(0); -#endif - if (ISSET(sudo_mode, MODE_BACKGROUND) && fork() > 0) { - syslog(LOG_AUTH|LOG_ERR, "fork"); /* XXX */ - exit(0); - } -#ifdef _PATH_SUDO_TRANSCRIPT - if (def_transcript) - script_execv(safe_cmnd, NewArgv); - else -#endif -#ifdef HAVE_SELINUX - if (is_selinux_enabled() > 0 && user_role != NULL) - selinux_exec(user_role, user_type, NewArgv); - else -#endif - execv(safe_cmnd, NewArgv); - /* - * If we got here then execve() failed... - */ - if (errno == ENOEXEC) { - NewArgv--; /* at least one extra slot... */ - NewArgv[0] = "sh"; - NewArgv[1] = safe_cmnd; - execv(_PATH_BSHELL, NewArgv); - } - warning("unable to execute %s", safe_cmnd); - exit(127); - } else if (ISSET(validated, FLAG_NO_USER | FLAG_NO_HOST)) { - audit_failure(NewArgv, "No user or host"); - log_denial(validated, 1); - exit(1); - } else { - if (def_path_info) { - /* - * We'd like to not leak path info at all here, but that can - * *really* confuse the users. To really close the leak we'd - * have to say "not allowed to run foo" even when the problem - * is just "no foo in path" since the user can trivially set - * their path to just contain a single dir. - */ - log_denial(validated, - !(cmnd_status == NOT_FOUND_DOT || cmnd_status == NOT_FOUND)); - if (cmnd_status == NOT_FOUND) - warningx("%s: command not found", user_cmnd); - else if (cmnd_status == NOT_FOUND_DOT) - warningx("ignoring `%s' found in '.'\nUse `sudo ./%s' if this is the `%s' you wish to run.", user_cmnd, user_cmnd, user_cmnd); - } else { - /* Just tell the user they are not allowed to run foo. */ - log_denial(validated, 1); - } - audit_failure(NewArgv, "validation failure"); - exit(1); - } - exit(0); /* not reached */ + return rval; } /* 
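Review bot: `warningx("command not found", user_cmnd);` lost the `%s` conversion, so `user_cmnd` is silently discarded and the user is no longer told which command was not found; restore `warningx("%s: command not found", user_cmnd);` as in the removed `errorx()`. The `!ISSET(validated, VALIDATE_OK)` branch now just `goto done`s with `rval` still `FALSE`, dropping the `log_denial()`/`audit_failure()` calls the removed code made on that path, so a refused command produces no syslog/mail record or audit event at all — the denial logging should be carried over before the `XXX - error message` is filled in, as should the `//audit_failure(...)` lines that are commented out with C99 `//` in an otherwise `/* */`-styled file. The `runas_uid=%u` family of `easprintf()` calls passes `uid_t`/`gid_t` values to `%u` without a cast; `(unsigned int)` casts keep this well-defined where those types are not `unsigned int`. `command_info` is a fixed `static char *command_info[32]` filled through `info_len++` with no bound check; the current entries fit, but a comment or assertion on the count would keep that from breaking silently as entries are added.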
@@ -626,59 +603,25 @@ main(argc, argv, envp) * load the ``interfaces'' array. */ static void -init_vars(sudo_mode, envp) - int sudo_mode; - char **envp; +init_vars(char * const envp[]) { - char *p, **ep, thost[MAXHOSTNAMELEN + 1]; - int nohostname; + char * const * ep; +#if 0 /* Sanity check command from user. */ if (user_cmnd == NULL && strlen(NewArgv[0]) >= PATH_MAX) errorx(1, "%s: File name too long", NewArgv[0]); +#endif #ifdef HAVE_TZSET (void) tzset(); /* set the timezone if applicable */ #endif /* HAVE_TZSET */ +#if 0 /* Default value for cmnd and cwd, overridden later. */ if (user_cmnd == NULL) user_cmnd = NewArgv[0]; - (void) strlcpy(user_cwd, "unknown", sizeof(user_cwd)); - - /* - * We avoid gethostbyname() if possible since we don't want - * sudo to block if DNS or NIS is hosed. - * "host" is the (possibly fully-qualified) hostname and - * "shost" is the unqualified form of the hostname. - */ - nohostname = gethostname(thost, sizeof(thost)); - if (nohostname) - user_host = user_shost = "localhost"; - else { - thost[sizeof(thost) - 1] = '\0'; - user_host = estrdup(thost); - if (def_fqdn) { - /* Defer call to set_fqdn() until log_error() is safe. */ - user_shost = user_host; - } else { - if ((p = strchr(user_host, '.'))) { - *p = '\0'; - user_shost = estrdup(user_host); - *p = '.'; - } else { - user_shost = user_host; - } - } - } - - if ((p = ttyname(STDIN_FILENO)) || (p = ttyname(STDOUT_FILENO)) || - (p = ttyname(STDERR_FILENO))) { - user_tty = user_ttypath = estrdup(p); - if (strncmp(user_tty, _PATH_DEV, sizeof(_PATH_DEV) - 1) == 0) - user_tty += sizeof(_PATH_DEV) - 1; - } else - user_tty = "unknown"; +#endif for (ep = envp; *ep; ep++) { /* XXX - don't fill in if empty string */ 
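Review bot: With both the `File name too long` sanity check and the `user_cmnd = NewArgv[0]` default wrapped in `#if 0`, nothing left in this hunk bounds the length of the command name before the rest of the plugin uses it, and no replacement check appears elsewhere in the patch. If `user_cmnd` is now meant to arrive from the front end, the `strlen(...) >= PATH_MAX` rejection should be re-applied where it is received rather than dropped, or at least marked with `/* XXX - PATH_MAX check must move to where user_cmnd is set */` so it is not forgotten. The removed `strlcpy(user_cwd, "unknown", ...)` line also means `user_cwd` no longer has a default from this function; init_vars continues past the hunk, so I cannot see whether that is handled later.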
@@ -713,8 +656,9 @@ init_vars(sudo_mode, envp) * if necessary. It is assumed that euid is 0 at this point so we * can read the shadow passwd file if necessary. */ - if ((sudo_user.pw = sudo_getpwuid(getuid())) == NULL) { + if ((sudo_user.pw = sudo_getpwnam(user_name)) == NULL) { /* Need to make a fake struct passwd for logging to work. */ + /* XXX - really needed now? */ struct passwd pw; char pw_name[MAX_UID_T_LEN + 1]; @@ -724,6 +668,7 @@ init_vars(sudo_mode, envp) pw.pw_name = pw_name; sudo_user.pw = &pw; +#if 0 /* * If we are in -k/-K mode, just spew to stderr. It is not unusual for * users to place "sudo -k" in a .logout file which can cause sudo to @@ -732,6 +677,7 @@ init_vars(sudo_mode, envp) if (sudo_mode == MODE_KILL || sudo_mode == MODE_INVALIDATE) errorx(1, "unknown uid: %s", pw_name); log_error(0, "unknown uid: %s", pw_name); +#endif } #ifdef HAVE_MBR_CHECK_MEMBERSHIP mbr_uid_to_uuid(user_uid, user_uuid); @@ -741,33 +687,12 @@ init_vars(sudo_mode, envp) /* It is now safe to use log_error() and set_perms() */ -#ifdef HAVE_GETGROUPS - if ((user_ngroups = getgroups(0, NULL)) > 0) { - user_groups = emalloc2(user_ngroups, sizeof(GETGROUPS_T)); - if (getgroups(user_ngroups, user_groups) < 0) - log_error(USE_ERRNO|MSG_ONLY, "can't get group vector"); + if (def_fqdn) { + /* may call log_error() */ + set_fqdn(); } -#endif - - if (def_fqdn) - set_fqdn(); /* may call log_error() */ - - if (nohostname) - log_error(USE_ERRNO|MSG_ONLY, "can't get hostname"); - - /* - * Get current working directory. Try as user, fall back to root. - */ - set_perms(PERM_USER); - if (!getcwd(user_cwd, sizeof(user_cwd))) { - set_perms(PERM_ROOT); - if (!getcwd(user_cwd, sizeof(user_cwd))) { - warningx("cannot get working directory"); - (void) strlcpy(user_cwd, "unknown", sizeof(user_cwd)); - } - } else - set_perms(PERM_ROOT); +#if 0 /* XXX need to adapt this in sudo.c */ /* * If we were given the '-e', '-i' or '-s' options we need to redo * NewArgv and NewArgc. 
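Review bot: The passwd lookup now keys on `user_name`, a string taken from the front end's `user=` entry, while `user_uid`/`user_gid` are read separately from `uid=`/`gid=`, and nothing here checks that the two agree. A mismatched or stale `user=` would make sudoers matching, logging and the runas defaults operate on a different identity than the uid the command will actually run from, so after the lookup I would add `if (sudo_user.pw->pw_uid != user_uid) log_error(NO_MAIL|MSG_ONLY, "uid mismatch for user %s", user_name);` (or fall back to a uid-based lookup) before going on. init_vars starts and ends outside this hunk.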
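Review bot: Disabling the `unknown uid` error with `#if 0` leaves `sudo_user.pw` pointing at `pw`, a `struct passwd` on init_vars' own stack, with `pw_name` likewise a stack array; previously the `errorx()`/`log_error(0, ...)` branch did not return, but now init_vars returns normally and every later use of `sudo_user.pw` (the `user_passwd`/`user_dir` macros in sudoers.h) reads a dangling stack object. Either keep the fatal error in the plugin or build the fake entry on the heap, e.g. with `sudo_fakepwnam()` as set_runaspw does, so it outlives the function. The `/* XXX - really needed now? */` note suggests this path may be removed, but until it is this is a use-after-return on the authenticated user's passwd entry.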
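Review bot: The getgroups() fill of `user_groups`/`user_ngroups` is removed here, but the only replacement in this patch, the `groups=` case in deserialize_info, is still a stub, so after this commit the group vector is never populated and any sudoers rule that depends on the invoking user's supplementary groups (not visible here) would be evaluated against an empty or stale list. A `/* XXX - user_groups must now come from the "groups=" user_info entry */` comment at this spot would make the gap visible, and a `log_error` when `user_ngroups == 0` at match time would avoid a silent wrong answer. init_vars continues outside the hunk.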
@@ -802,6 +727,7 @@ init_vars(sudo_mode, envp) av[++NewArgc] = NULL; NewArgv = av; } +#endif } /* @@ -820,6 +746,7 @@ set_cmnd(sudo_mode) /* Resolve the path and return. */ rval = FOUND; user_stat = emalloc(sizeof(struct stat)); + if (sudo_mode & (MODE_RUN | MODE_EDIT | MODE_CHECK)) { if (ISSET(sudo_mode, MODE_RUN | MODE_CHECK)) { set_perms(PERM_RUNAS); @@ -848,7 +775,7 @@ set_cmnd(sudo_mode) } /* Alloc and build up user_args. */ - user_args = (char *) emalloc(size); + user_args = emalloc(size); for (to = user_args, from = NewArgv + 1; *from; from++) { n = strlcpy(to, *from, size - (to - user_args)); if (n >= size - (to - user_args)) 
@@ -873,241 +800,6 @@ set_cmnd(sudo_mode) return(rval); } -/* - * Command line argument parsing. - * Sets NewArgc and NewArgv which corresponds to the argc/argv we'll use - * for the command to be run (if we are running one). - */ -static int -parse_args(argc, argv) - int argc; - char **argv; -{ - int mode = 0; /* what mode is sudo to be run in? */ - int flags = 0; /* mode flags */ - int valid_flags, ch; - - /* First, check to see if we were invoked as "sudoedit". */ - if (strcmp(getprogname(), "sudoedit") == 0) - mode = MODE_EDIT; - - /* Returns true if the last option string was "--" */ -#define got_end_of_args (optind > 1 && argv[optind - 1][0] == '-' && \ - argv[optind - 1][1] == '-' && argv[optind - 1][2] == '\0') - - /* Returns true if next option is an environment variable */ -#define is_envar (optind < argc && argv[optind][0] != '/' && \ - strchr(argv[optind], '=') != NULL) - - /* Flags allowed when running a command */ - valid_flags = MODE_BACKGROUND|MODE_PRESERVE_ENV|MODE_RESET_HOME| - MODE_LOGIN_SHELL|MODE_INVALIDATE|MODE_NONINTERACTIVE| - MODE_PRESERVE_GROUPS|MODE_SHELL; - for (;;) { - /* - * We disable arg permutation for GNU getopt(). - * Some trickiness is required to allow environment variables - * to be interspersed with command line options. 
- */ - if ((ch = getopt(argc, argv, "+Aa:bC:c:Eeg:HhiKkLlnPp:r:Sst:U:u:Vv")) != -1) { - switch (ch) { - case 'A': - SET(tgetpass_flags, TGP_ASKPASS); - break; -#ifdef HAVE_BSD_AUTH_H - case 'a': - login_style = optarg; - break; -#endif - case 'b': - SET(flags, MODE_BACKGROUND); - break; - case 'C': - if ((user_closefrom = atoi(optarg)) < 3) { - warningx("the argument to -C must be at least 3"); - usage(1); - } - break; -#ifdef HAVE_LOGIN_CAP_H - case 'c': - login_class = optarg; - def_use_loginclass = TRUE; - break; -#endif - case 'E': - SET(flags, MODE_PRESERVE_ENV); - break; - case 'e': - if (mode && mode != MODE_EDIT) - usage_excl(1); - mode = MODE_EDIT; - valid_flags = MODE_INVALIDATE|MODE_NONINTERACTIVE; - break; - case 'g': - runas_group = optarg; - break; - case 'H': - SET(flags, MODE_RESET_HOME); - break; - case 'h': - if (mode && mode != MODE_HELP) { - if (strcmp(getprogname(), "sudoedit") != 0) - usage_excl(1); - } - mode = MODE_HELP; - valid_flags = 0; - break; - case 'i': - SET(flags, MODE_LOGIN_SHELL); - def_env_reset = TRUE; - break; - case 'k': - SET(flags, MODE_INVALIDATE); - break; - case 'K': - if (mode && mode != MODE_KILL) - usage_excl(1); - mode = MODE_KILL; - valid_flags = 0; - break; - case 'L': - if (mode && mode != MODE_LISTDEFS) - usage_excl(1); - mode = MODE_LISTDEFS; - valid_flags = MODE_INVALIDATE|MODE_NONINTERACTIVE; - break; - case 'l': - if (mode) { - if (mode == MODE_LIST) - long_list = 1; - else - usage_excl(1); - } - mode = MODE_LIST; - valid_flags = MODE_INVALIDATE|MODE_NONINTERACTIVE; - break; - case 'n': - SET(flags, MODE_NONINTERACTIVE); - break; - case 'P': - SET(flags, MODE_PRESERVE_GROUPS); - break; - case 'p': - user_prompt = optarg; - def_passprompt_override = TRUE; - break; -#ifdef HAVE_SELINUX - case 'r': - user_role = optarg; - break; - case 't': - user_type = optarg; - break; -#endif - case 'S': - SET(tgetpass_flags, TGP_STDIN); - break; - case 's': - SET(flags, MODE_SHELL); - break; - case 'U': - if ((list_pw = 
sudo_getpwnam(optarg)) == NULL) - errorx(1, "unknown user: %s", optarg); - break; - case 'u': - runas_user = optarg; - break; - case 'v': - if (mode && mode != MODE_VALIDATE) - usage_excl(1); - mode = MODE_VALIDATE; - valid_flags = MODE_INVALIDATE|MODE_NONINTERACTIVE; - break; - case 'V': - if (mode && mode != MODE_VERSION) - usage_excl(1); - mode = MODE_VERSION; - valid_flags = 0; - break; - default: - usage(1); - } - } else if (!got_end_of_args && is_envar) { - struct list_member *ev; - - /* Store environment variable. */ - ev = emalloc(sizeof(*ev)); - ev->value = argv[optind]; - ev->next = sudo_user.env_vars; - sudo_user.env_vars = ev; - - /* Crank optind and resume getopt. */ - optind++; - } else { - /* Not an option or an environment variable -- we're done. */ - break; - } - } - - NewArgc = argc - optind; - NewArgv = argv + optind; - - if (!mode) { - /* Defer -k mode setting until we know whether it is a flag or not */ - if (ISSET(flags, MODE_INVALIDATE) && NewArgc == 0) { - mode = MODE_INVALIDATE; /* -k by itself */ - CLR(flags, MODE_INVALIDATE); - valid_flags = 0; - } else { - mode = MODE_RUN; /* running a command */ - } - } - - if (NewArgc > 0 && mode == MODE_LIST) - mode = MODE_CHECK; - - if (ISSET(flags, MODE_LOGIN_SHELL)) { - if (ISSET(flags, MODE_SHELL)) { - warningx("you may not specify both the `-i' and `-s' options"); - usage(1); - } - if (ISSET(flags, MODE_PRESERVE_ENV)) { - warningx("you may not specify both the `-i' and `-E' options"); - usage(1); - } - SET(flags, MODE_SHELL); - } - if ((flags & valid_flags) != flags) - usage(1); - if (mode == MODE_EDIT && - (ISSET(flags, MODE_PRESERVE_ENV) || sudo_user.env_vars != NULL)) { - if (ISSET(mode, MODE_PRESERVE_ENV)) - warningx("the `-E' option is not valid in edit mode"); - if (sudo_user.env_vars != NULL) - warningx("you may not specify environment variables in edit mode"); - usage(1); - } - if ((runas_user != NULL || runas_group != NULL) && - !ISSET(mode, MODE_EDIT | MODE_RUN | MODE_CHECK | 
MODE_VALIDATE)) { - usage(1); - } - if (list_pw != NULL && mode != MODE_LIST && mode != MODE_CHECK) { - warningx("the `-U' option may only be used with the `-l' option"); - usage(1); - } - if (ISSET(tgetpass_flags, TGP_STDIN) && ISSET(tgetpass_flags, TGP_ASKPASS)) { - warningx("the `-A' and `-S' options may not be used together"); - usage(1); - } - if ((NewArgc == 0 && mode == MODE_EDIT) || - (NewArgc > 0 && !ISSET(mode, MODE_RUN | MODE_EDIT | MODE_CHECK))) - usage(1); - if (NewArgc == 0 && mode == MODE_RUN && !ISSET(flags, MODE_SHELL)) - SET(flags, (MODE_IMPLIED_SHELL | MODE_SHELL)); - - return(mode | flags); -} - /* * Open sudoers and sanity check mode/owner/type. * Returns a handle to the sudoers file or NULL on error. 
@@ -1188,63 +880,6 @@ open_sudoers(sudoers, doedit, keepopen) return(fp); } -/* - * Close all open files (except std*) and turn off core dumps. - * Also sets the set_perms() pointer to the correct function. - */ -static void -initial_setup() -{ - int miss[3], devnull = -1; -#if defined(__linux__) || (defined(RLIMIT_CORE) && !defined(SUDO_DEVEL)) - struct rlimit rl; -#endif - -#if defined(__linux__) - /* - * Unlimit the number of processes since Linux's setuid() will - * apply resource limits when changing uid and return EAGAIN if - * nproc would be violated by the uid switch. - */ - rl.rlim_cur = rl.rlim_max = RLIM_INFINITY; - if (setrlimit(RLIMIT_NPROC, &rl)) { - if (getrlimit(RLIMIT_NPROC, &rl) == 0) { - rl.rlim_cur = rl.rlim_max; - (void)setrlimit(RLIMIT_NPROC, &rl); - } - } -#endif /* __linux__ */ -#if defined(RLIMIT_CORE) && !defined(SUDO_DEVEL) - /* - * Turn off core dumps. - */ - (void) getrlimit(RLIMIT_CORE, &corelimit); - memcpy(&rl, &corelimit, sizeof(struct rlimit)); - rl.rlim_cur = 0; - (void) setrlimit(RLIMIT_CORE, &rl); -#endif /* RLIMIT_CORE && !SUDO_DEVEL */ - - /* - * stdin, stdout and stderr must be open; set them to /dev/null - * if they are closed and close all other fds. - */ - miss[STDIN_FILENO] = fcntl(STDIN_FILENO, F_GETFL, 0) == -1; - miss[STDOUT_FILENO] = fcntl(STDOUT_FILENO, F_GETFL, 0) == -1; - miss[STDERR_FILENO] = fcntl(STDERR_FILENO, F_GETFL, 0) == -1; - if (miss[STDIN_FILENO] || miss[STDOUT_FILENO] || miss[STDERR_FILENO]) { - if ((devnull = open(_PATH_DEVNULL, O_RDWR, 0644)) != -1) { - if (miss[STDIN_FILENO]) - (void) dup2(devnull, STDIN_FILENO); - if (miss[STDOUT_FILENO]) - (void) dup2(devnull, STDOUT_FILENO); - if (miss[STDERR_FILENO]) - (void) dup2(devnull, STDERR_FILENO); - if (devnull > STDERR_FILENO) - close(devnull); - } - } -} - #ifdef HAVE_LOGIN_CAP_H static void set_loginclass(pw) 
@@ -1358,7 +993,7 @@ set_project(pw) * Look up the fully qualified domain name and set user_host and user_shost. */ void -set_fqdn() +set_fqdn(void) { #ifdef HAVE_GETADDRINFO struct addrinfo *res0, hint; @@ -1388,13 +1023,10 @@ set_fqdn() user_host = estrdup(hp->h_name); #endif } - if ((p = strchr(user_host, '.'))) { - *p = '\0'; - user_shost = estrdup(user_host); - *p = '.'; - } else { + if ((p = strchr(user_host, '.')) != NULL) + user_shost = estrndup(user_host, (size_t)(p - user_host)); + else user_shost = user_host; - } } /* @@ -1410,7 +1042,7 @@ set_runaspw(user) runas_pw = sudo_fakepwnam(user, runas_gr ? runas_gr->gr_gid : 0); } else { if ((runas_pw = sudo_getpwnam(user)) == NULL) { - audit_failure(NewArgv, "unknown user: %s", user); + //audit_failure(NewArgv, "unknown user: %s", user); log_error(NO_MAIL|MSG_ONLY, "unknown user: %s", user); } } @@ -1477,16 +1109,30 @@ cleanup(gotsignal) sudo_endpwent(); sudo_endgrent(); } -#ifdef _PATH_SUDO_TRANSCRIPT +#ifdef notyet + /* XXX */ if (def_transcript) term_restore(STDIN_FILENO, 0); #endif } -static void -show_version() +static int +sudoers_policy_version(int verbose) { - (void) printf("Sudo version %s\n", PACKAGE_VERSION); + struct sudo_conv_message msg; + struct sudo_conv_reply repl; + char *str; + + easprintf(&str, "Sudoers plugin version %s\n", PACKAGE_VERSION); + + /* Call conversation function */ + memset(&msg, 0, sizeof(msg)); + msg.msg_type = SUDO_CONV_INFO_MSG; + msg.msg = str; + memset(&repl, 0, sizeof(repl)); + sudo_conv(1, &msg, &repl); + +#ifdef notyet if (getuid() == 0) { putchar('\n'); (void) printf("Sudoers path: %s\n", _PATH_SUDOERS); 
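Review bot: Commenting out `audit_failure(NewArgv, "unknown user: %s", user)` with `//` silently drops the audit record for an unknown runas user while the syslog/mail path (`log_error`) is kept, so the two logs now disagree about a denied request. If the call cannot be made until argv is plumbed into the plugin, wrap it in `#ifdef notyet` with `/* XXX - audit_failure needs argv from sudoers_policy_check */` as the rest of this file does, rather than a `//` comment that is easy to miss in a C89-style source. set_runaspw starts and ends outside this hunk.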
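Review bot: In `sudoers_policy_version` the buffer from `easprintf(&str, ...)` is never freed after the conversation call, and the return value of `sudo_conv()` is discarded, so a failed write of the version banner goes unnoticed; add `efree(str);` after the call and check the result, e.g. `if (sudo_conv(1, &msg, &repl) != 0) { efree(str); return FALSE; }` (adjust if the callback's success value differs, its contract is not visible here). The `getuid() == 0` gate in the following `notyet` block should probably become `user_uid == 0` now that identity comes from the front end, but that code is disabled. The function ends in the next hunk.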
@@ -1501,57 +1147,196 @@ show_version() dump_defaults(); dump_interfaces(); } - exit(0); +#endif + return TRUE; } -/* - * Tell which options are mutually exclusive and exit. - */ -static void -usage_excl(exit_val) - int exit_val; +static int +deserialize_info(char * const settings[], char * const user_info[]) { - warningx("Only one of the -e, -h, -i, -K, -l, -s, -v or -V options may be specified"); - usage(exit_val); -} + char * const *cur; + const char *p; + int flags = 0; -/* - * Give usage message and exit. - * The actual usage strings are in sudo_usage.h for configure substitution. - */ -static void -usage(exit_val) - int exit_val; -{ - struct lbuf lbuf; - char *uvec[6]; - int i, ulen; +#define MATCHES(s, v) (strncmp(s, v, sizeof(v) - 1) == 0) - /* - * Use usage vectors appropriate to the progname. - */ - if (strcmp(getprogname(), "sudoedit") == 0) { - uvec[0] = SUDO_USAGE5 + 3; - uvec[1] = NULL; - } else { - uvec[0] = SUDO_USAGE1; - uvec[1] = SUDO_USAGE2; - uvec[2] = SUDO_USAGE3; - uvec[3] = SUDO_USAGE4; - uvec[4] = SUDO_USAGE5; - uvec[5] = NULL; + /* Parse command line settings. 
*/ + for (cur = settings; *cur != NULL; cur++) { + if (MATCHES(*cur, "debug_level=")) { + debug_level = atoi(*cur + sizeof("debug_level=") - 1); + continue; + } + if (MATCHES(*cur, "runas_user=")) { + runas_user = *cur + sizeof("runas_user=") - 1; + continue; + } + if (MATCHES(*cur, "runas_group=")) { + runas_group = *cur + sizeof("runas_group=") - 1; + continue; + } + if (MATCHES(*cur, "prompt=")) { + user_prompt = *cur + sizeof("prompt=") - 1; + def_passprompt_override = TRUE; + continue; + } + if (MATCHES(*cur, "set_home=")) { + if (atobool(*cur + sizeof("set_home=") - 1) == TRUE) + SET(flags, MODE_RESET_HOME); + continue; + } + if (MATCHES(*cur, "preserve_environment=")) { + if (atobool(*cur + sizeof("preserve_environment=") - 1) == TRUE) + SET(flags, MODE_PRESERVE_ENV); + continue; + } + if (MATCHES(*cur, "login_shell=")) { + if (atobool(*cur + sizeof("login_shell=") - 1) == TRUE) { + SET(flags, MODE_LOGIN_SHELL); + def_env_reset = TRUE; + } + continue; + } + if (MATCHES(*cur, "preserve_groups=")) { + SET(flags, MODE_PRESERVE_GROUPS); + continue; + } + if (MATCHES(*cur, "ignore_ticket=")) { + /* XXX */ + continue; + } + if (MATCHES(*cur, "login_class=")) { + login_class = *cur + sizeof("login_class=") - 1; + def_use_loginclass = TRUE; + continue; + } +#ifdef HAVE_SELINUX + if (MATCHES(*cur, "selinux_role=")) { + user_role = *cur + sizeof("selinux_role=") - 1; + continue; + } + if (MATCHES(*cur, "selinux_type=")) { + user_role = *cur + sizeof("selinux_type=") - 1; + continue; + } +#endif /* HAVE_SELINUX */ +#ifdef HAVE_BSD_AUTH_H + if (MATCHES(*cur, "bsdauth_type=")) { + login_style = *cur + sizeof("bsdauth_type=") - 1; + continue; + } +#endif /* HAVE_BSD_AUTH_H */ } - /* - * Print usage and wrap lines as needed, depending on the - * tty width. 
- */ - ulen = (int)strlen(getprogname()) + 8; - lbuf_init(&lbuf, NULL, ulen, 0); - for (i = 0; uvec[i] != NULL; i++) { - lbuf_append(&lbuf, "usage: ", getprogname(), uvec[i], NULL); - lbuf_print(&lbuf); + for (cur = user_info; *cur != NULL; cur++) { + if (MATCHES(*cur, "user=")) { + user_name = estrdup(*cur + sizeof("user=") - 1); + continue; + } + if (MATCHES(*cur, "uid=")) { + user_uid = atoi(*cur + sizeof("uid=") - 1); + continue; + } + if (MATCHES(*cur, "gid=")) { + user_gid = atoi(*cur + sizeof("gid=") - 1); + continue; + } + if (MATCHES(*cur, "groups=")) { + /* XXX, set user_groups and user_ngroups */ + continue; + } + if (MATCHES(*cur, "cwd=")) { + user_cwd = estrdup(*cur + sizeof("cwd=") - 1); + continue; + } + if (MATCHES(*cur, "tty=")) { + user_tty = user_ttypath = estrdup(*cur + sizeof("tty=") - 1); + if (strncmp(user_tty, _PATH_DEV, sizeof(_PATH_DEV) - 1) == 0) + user_tty += sizeof(_PATH_DEV) - 1; + continue; + } + if (MATCHES(*cur, "host=")) { + user_host = user_shost = estrdup(*cur + sizeof("host=") - 1); + if ((p = strchr(user_host, '.'))) + user_shost = estrndup(user_host, (size_t)(p - user_host)); + continue; + } } - lbuf_destroy(&lbuf); - exit(exit_val); + +#undef MATCHES + return flags; +} + +#if 0 /* move to error.c */ +void +warning(const char *fmt, ...) +{ + struct sudo_conv_message msg; + struct sudo_conv_reply repl; + va_list ap; + char *str, *tmp; + + va_start(ap, fmt); + evasprintf(&tmp, fmt, ap); + va_end(ap); + easprintf(&str, "%s: %s: %s\n", getprogname(), tmp, strerror(errno)); + efree(tmp); + + /* Call conversation function */ + memset(&msg, 0, sizeof(msg)); + msg.msg_type = SUDO_CONV_ERROR_MSG; + msg.msg = str; + memset(&repl, 0, sizeof(repl)); + sudo_conv(1, &msg, &repl); } + +void +warningx(const char *fmt, ...) 
+{ + struct sudo_conv_message msg; + struct sudo_conv_reply repl; + va_list ap; + char *str, *tmp; + int rc; + + va_start(ap, fmt); + rc = wvasprintf(&tmp, fmt, ap); + va_end(ap); + if (rc == -1) + return; + easprintf(&str, "%s: %s\n", getprogname(), tmp); + efree(tmp); + + /* Call conversation function */ + memset(&msg, 0, sizeof(msg)); + msg.msg_type = SUDO_CONV_ERROR_MSG; + msg.msg = str; + memset(&repl, 0, sizeof(repl)); + sudo_conv(1, &msg, &repl); +} +#endif + +struct policy_plugin sudoers_policy = { + SUDO_POLICY_PLUGIN, + SUDO_API_VERSION, + sudoers_policy_open, + sudoers_policy_close, + sudoers_policy_version, + sudoers_policy_check, +#ifdef notyet + sudoers_policy_list, + sudoers_policy_validate, + sudoers_policy_invalidate +#endif +}; + +#ifdef notyet +struct io_plugin sudoers_io = { + SUDO_IO_PLUGIN, + SUDO_API_VERSION, + io_open, + io_close, + io_version, + io_log_input, + io_log_output +}; +#endif diff --git a/plugins/sudoers/sudoers.h b/plugins/sudoers/sudoers.h index a181c3cd5..74022082b 100644 --- a/plugins/sudoers/sudoers.h +++ b/plugins/sudoers/sudoers.h @@ -19,19 +19,20 @@ * Materiel Command, USAF, under agreement number F39502-99-1-0512. */ -#ifndef _SUDO_SUDO_H -#define _SUDO_SUDO_H +#ifndef _SUDO_SUDOERS_H +#define _SUDO_SUDOERS_H #include #include #include "compat.h" -#include "alloc.h" #include "defaults.h" -#include "error.h" +#include "error.h" /* XXX */ +#include "alloc.h" /* XXX */ #include "list.h" #include "logging.h" #include "missing.h" #include "sudo_nss.h" +#include "sudo_plugin.h" #ifdef HAVE_MBR_CHECK_MEMBERSHIP # include @@ -45,6 +46,7 @@ struct sudo_user { struct passwd *_runas_pw; struct group *_runas_gr; struct stat *cmnd_stat; + char *name; char *path; char *shell; char *tty; 
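Review bot: In deserialize_info the `selinux_type=` case assigns to `user_role` instead of `user_type`, a copy-paste slip that overwrites the requested role with the type and leaves `user_type` unset; it should read `user_type = *cur + sizeof("selinux_type=") - 1;`. In the same function `uid=`, `gid=` and `debug_level=` are parsed with `atoi()`, which reports no error and turns an empty or malformed value into 0, i.e. root, even though these values decide whose policy is evaluated; parse them with `strtoul()` and reject trailing garbage or values outside `uid_t`/`gid_t` range. `preserve_groups=` also sets MODE_PRESERVE_GROUPS without consulting `atobool()`, unlike the other boolean settings, so `preserve_groups=false` would still enable it.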
@@ -61,13 +63,15 @@ struct sudo_user { char *display; char *askpass; int ngroups; + uid_t uid; + uid_t gid; GETGROUPS_T *groups; struct list_member *env_vars; #ifdef HAVE_SELINUX char *role; char *type; #endif - char cwd[PATH_MAX]; + char *cwd; char sessid[7]; #ifdef HAVE_MBR_CHECK_MEMBERSHIP uuid_t uuid; @@ -98,9 +102,9 @@ struct sudo_user { /* * find_path()/load_cmnd() return values */ -#define FOUND 1 -#define NOT_FOUND 0 -#define NOT_FOUND_DOT -1 +#define FOUND 0 +#define NOT_FOUND 1 +#define NOT_FOUND_DOT 2 /* * Various modes sudo can be in (based on arguments) in hex @@ -143,11 +147,11 @@ struct sudo_user { /* * Shortcuts for sudo_user contents. */ -#define user_name (sudo_user.pw->pw_name) +#define user_name (sudo_user.name) +#define user_uid (sudo_user.uid) +#define user_gid (sudo_user.gid) #define user_passwd (sudo_user.pw->pw_passwd) -#define user_uid (sudo_user.pw->pw_uid) #define user_uuid (sudo_user.uuid) -#define user_gid (sudo_user.pw->pw_gid) #define user_dir (sudo_user.pw->pw_dir) #define user_shell (sudo_user.shell) #define user_ngroups (sudo_user.ngroups) @@ -188,12 +192,14 @@ struct sudo_user { #define SUDO_TLOCK 2 /* test & lock a file (non-blocking) */ #define SUDO_UNLOCK 4 /* unlock a file */ +#if 0 /* XXX */ /* * Flags for tgetpass() */ #define TGP_ECHO 0x01 /* leave echo on when reading passwd */ #define TGP_STDIN 0x02 /* read from stdin, not /dev/tty */ #define TGP_ASKPASS 0x04 /* read from askpass helper program */ +#endif struct lbuf; struct passwd; 
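Review bot: `gid` is added to `struct sudo_user` as `uid_t gid;` rather than `gid_t gid;`, so on platforms where the two types differ in width or signedness the value behind `user_gid` (and the `runas_gid=%u` string built from it in the policy check) is silently misinterpreted; change it to `gid_t gid;`. Turning `cwd` into a `char *` also changes its lifetime: it is only valid once deserialize_info has `estrdup`'d the `cwd=` entry, which a `/* set from user_info "cwd="; NULL until deserialize_info() runs */` comment should say.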
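Review bot: Swapping the values of FOUND/NOT_FOUND/NOT_FOUND_DOT (FOUND was 1, now 0) inverts the truthiness of every find_path()/load_cmnd() result, so any caller that tests the return as a boolean rather than comparing against the constants now treats "found" as failure; the uses visible in this diff compare explicitly, but the remaining callers are outside it. A comment on the new values, `/* 0 == found so non-zero results can be treated as error codes */`, would record the intent, and a grep for `if (find_path(` / `if (!find_path(` is worth doing before merging.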
@@ -204,11 +210,10 @@ struct passwd; #define YY_DECL int yylex __P((void)) char *sudo_goodpath __P((const char *, struct stat *)); -char *tgetpass __P((const char *, int, int)); int find_path __P((char *, char **, struct stat *, char *)); int tty_present __P((void)); -void check_user __P((int, int)); -void verify_user __P((struct passwd *, char *)); +int check_user __P((int, int)); +int verify_user __P((struct passwd *, char *)); #ifdef HAVE_LDAP int sudo_ldap_open __P((struct sudo_nss *)); int sudo_ldap_close __P((struct sudo_nss *)); @@ -235,7 +240,7 @@ int check_secureware __P((char *)); void sia_attempt_auth __P((void)); void pam_attempt_auth __P((void)); int yyparse __P((void)); -void pass_warn __P((FILE *)); +void pass_warn __P((void)); void dump_defaults __P((void)); void dump_auth_methods __P((void)); void init_envtables __P((void)); @@ -288,12 +293,15 @@ time_t get_boottime __P((void)); int user_in_group __P((struct passwd *, const char *)); YY_DECL; +/* atobool.c */ +int atobool(const char *str); + /* Only provide extern declarations outside of sudo.c. */ #ifndef _SUDO_MAIN extern struct sudo_user sudo_user; extern struct passwd *auth_pw, *list_pw; -extern int tgetpass_flags; +extern int tgetpass_flags; /* XXX */ extern int long_list; extern uid_t timestamp_uid; #endif @@ -301,4 +309,4 @@ extern uid_t timestamp_uid; extern int errno; #endif -#endif /* _SUDO_SUDO_H */ +#endif /* _SUDO_SUDOERS_H */ diff --git a/plugins/sudoers/testsudoers.c b/plugins/sudoers/testsudoers.c index fb0f60657..559f7590a 100644 --- a/plugins/sudoers/testsudoers.c +++ b/plugins/sudoers/testsudoers.c @@ -61,7 +61,7 @@ #include #include -#include "sudo.h" +#include "sudoers.h" #include "interfaces.h" #include "parse.h" #include diff --git a/plugins/sudoers/toke.c b/plugins/sudoers/toke.c index c342c8643..d4f2caae4 100644 --- a/plugins/sudoers/toke.c +++ b/plugins/sudoers/toke.c 
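Review bot: `check_user` and `verify_user` now return int where they previously returned void, which reads as a move from "exit on authentication failure" to "report it to the caller"; that is a safety-critical change of contract, because a caller that still ignores the result would proceed as though authentication succeeded. None of the callers are in this diff, so each one needs to be checked for handling a non-TRUE return, and the header should say what the value means, e.g. `int check_user __P((int, int)); /* TRUE if authenticated, FALSE otherwise */` (adjust if the convention differs).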
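Review bot: The new `atobool` prototype is the only declaration in sudoers.h written without the `__P((...))` wrapper that every neighbouring prototype uses; for consistency with the file (and with the pre-ANSI builds the wrapper exists for) declare it as `int atobool __P((const char *));`.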
@@ -1412,7 +1412,7 @@ char *yytext; # endif #endif #include -#include "sudo.h" +#include "sudoers.h" #include "parse.h" #include diff --git a/plugins/sudoers/tsgetgrpw.c b/plugins/sudoers/tsgetgrpw.c index 175de78bd..c6618bb32 100644 --- a/plugins/sudoers/tsgetgrpw.c +++ b/plugins/sudoers/tsgetgrpw.c @@ -47,7 +47,7 @@ #include #include -#include "sudo.h" +#include "sudoers.h" #ifndef LINE_MAX # define LINE_MAX 2048 diff --git a/plugins/sudoers/vasgroups.c b/plugins/sudoers/vasgroups.c index 33a333d77..3888c3f0f 100644 --- a/plugins/sudoers/vasgroups.c +++ b/plugins/sudoers/vasgroups.c @@ -44,7 +44,7 @@ #include "logging.h" #include "nonunix.h" #include "parse.h" -#include "sudo.h" +#include "sudoers.h" /* Pseudo-boolean types */ diff --git a/plugins/sudoers/visudo.c b/plugins/sudoers/visudo.c index 31bb50941..29d712bcb 100644 --- a/plugins/sudoers/visudo.c +++ b/plugins/sudoers/visudo.c @@ -80,7 +80,7 @@ # include #endif -#include "sudo.h" +#include "sudoers.h" #include "interfaces.h" #include "parse.h" #include "redblack.h"