From: Todd C. Miller <Todd.Miller@courtesan.com>
Date: Thu, 11 Nov 2004 17:12:20 +0000 (+0000)
Subject: The syntax to list another user's entries is now "-u otheruser -l".
X-Git-Tag: SUDO_1_7_0~843
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=a239e60a6ab7d5fae92e76d5be086613026a4d68;p=sudo

The syntax to list another user's entries is now "-u otheruser -l".
Only root or users with sudo "ALL" may list other users' entries.
---

diff --git a/parse.c b/parse.c
index 50ccd976e..e475c1fef 100644
--- a/parse.c
+++ b/parse.c
@@ -97,7 +97,7 @@ sudoers_lookup(pwflag)
 
     /* Assume the worst.  */
     validated = VALIDATE_NOT_OK | FLAG_NO_HOST | FLAG_NO_USER;
-    if (pwflag)
+    if (pwflag && list_pw == NULL)
 	SET(validated, FLAG_NO_CHECK);
     else if (!def_authenticate)
 	validated |= FLAG_NOPASS;
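Review bot: The new `list_pw == NULL` test has no root exemption, while the command check this commit adds further down in sudoers_lookup() skips the match when `user_uid == 0`. If the caller relies on FLAG_NO_CHECK to accept a pseudo-command without a sudoers entry (not visible in this hunk), root listing another user would now need a matching entry of its own, which seems at odds with "Only root or users with sudo ALL" in the commit message. Consider `if (pwflag && (list_pw == NULL || user_uid == 0))`, or at least state the intent with a comment such as `/* Listing another user is a real lookup; do not skip the sudoers check. */`. The function body continues outside the hunk.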
@@ -117,8 +117,11 @@ sudoers_lookup(pwflag)
 	    if (user_matches(sudo_user.pw, us->user) == TRUE) {
 		priv = us->privileges;
 		if (host_matches(user_shost, user_host, priv->hostlist) == TRUE) {
-		    matched = TRUE;
 		    for (cs = priv->cmndlist; cs != NULL; cs = cs->next) {
+			/* Only check the command when listing another user. */
+			if (user_uid == 0 || list_pw == NULL ||
+			    cmnd_matches(user_cmnd, user_args, cs->cmnd) == TRUE)
+				matched = TRUE;
 			if ((pwcheck == any && nopass != TRUE) ||
 			    (pwcheck == all && nopass == TRUE))
 			    nopass = cs->tags.nopasswd;
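Review bot: The NOPASSWD bookkeeping directly after the new command test still runs for every entry in `priv->cmndlist`, including entries whose command did not match. When listing another user, `nopass` can therefore be taken from an entry that did not grant the listing; how `nopass` is consumed is outside the hunk, so please confirm this cannot waive the password prompt. One option is to skip non-matching entries first, `if (user_uid != 0 && list_pw != NULL && cmnd_matches(user_cmnd, user_args, cs->cmnd) != TRUE) continue;`, then `matched = TRUE;`, after checking that nothing later in the loop body must still run for skipped entries. The `matched = TRUE;` line is also indented one level deeper than the surrounding style. The loop continues outside the hunk.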
diff --git a/sudo.c b/sudo.c
index 18d12aea7..f9fcddd82 100644
--- a/sudo.c
+++ b/sudo.c
@@ -122,8 +122,7 @@ int Argc, NewArgc;
 char **Argv, **NewArgv;
 char *prev_user;
 struct sudo_user sudo_user;
-struct passwd *auth_pw;
-static struct passwd *list_pw;
+struct passwd *auth_pw, *list_pw;
 struct interface *interfaces;
 int num_interfaces;
 int tgetpass_flags;
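Review bot: `list_pw` loses its `static` here and becomes an input to the authorization decision in parse.c, but nothing at the definition says what it holds or when it is NULL. A comment such as `/* passwd entry named by "-u user -l"; NULL when listing the invoking user */` on this line, and on the matching `extern` in sudo.h, would make the contract explicit. It is worth noting there that the NULL default relies on zero-initialization of file-scope objects, since sudoers_lookup() now branches on it.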
@@ -791,15 +790,6 @@ parse_args(argc, argv)
 		if (excl && excl != 'l')
 		    usage_excl(1);
 		excl = 'l';
-		if (NewArgv[1] != NULL && *NewArgv[1] != '-') {
-		    if ((list_pw = sudo_getpwnam(NewArgv[1])) != NULL) {
-			if (getuid() != 0 && list_pw->pw_uid != getuid())
-			    errx(1, "only root may list other user's entries");
-		    } else
-			errx(1, "unknown user %s", NewArgv[1]);
-		    NewArgc--;
-		    NewArgv++;
-		}
 		break;
 	    case 'V':
 		rval = MODE_VERSION;
@@ -845,6 +835,16 @@ parse_args(argc, argv)
 	NewArgv++;
     }
 
+    if (user_runas != NULL) {
+	if (rval == MODE_LIST) {
+	    if ((list_pw = sudo_getpwnam(*user_runas)) == NULL)
+		errx(1, "unknown user %s", *user_runas);
+	    user_runas = NULL;
+	} else if (!ISSET(rval, (MODE_EDIT|MODE_RUN))) {
+	    warnx("the `-u' and '-%c' options may not be used together", excl);
+	    usage(1);
+	}
+    }
     if ((NewArgc == 0 && (rval & MODE_EDIT)) ||
 	(NewArgc > 0 && !(rval & (MODE_RUN | MODE_EDIT))))
 	usage(1);
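Review bot: Any `-u name -l` now sets `list_pw`, so a user who names themselves is treated as listing another user and goes through the stricter command check in sudoers_lookup(). The removed code special-cased `list_pw->pw_uid != getuid()`; adding `if (list_pw->pw_uid == getuid()) list_pw = NULL;` after the lookup would keep self-listing equivalent to plain `-l`. The `rval == MODE_LIST` test is an exact comparison, so if other mode bits can be set in `rval` alongside MODE_LIST (not visible here), the code falls into the "may not be used together" branch with `excl == 'l'`; `ISSET(rval, MODE_LIST)` may be what is intended. The warnx() text also mixes quote styles (`` `-u' `` versus `'-%c'`). parse_args() begins outside the hunk.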
@@ -1128,7 +1128,7 @@ usage(exit_val)
 	    continue;
 	*p = " file [...]";
     } else {
-	fprintf(stderr, "usage: %s -K | -L | -V | -h | -k | -l [user] | -v\n",
+	fprintf(stderr, "usage: %s -K | -L | -V | -h | -k | -l | -v\n",
 	    getprogname());
     }
 
diff --git a/sudo.h b/sudo.h
index 2589e7ac1..d579ac1f8 100644
--- a/sudo.h
+++ b/sudo.h
@@ -245,7 +245,7 @@ YY_DECL;
 /* Only provide extern declarations outside of sudo.c. */
 #ifndef _SUDO_MAIN
 extern struct sudo_user sudo_user;
-extern struct passwd *auth_pw;
+extern struct passwd *auth_pw, *list_pw;
 
 extern int tgetpass_flags;
 extern uid_t timestamp_uid;