From: Todd C. Miller Date: Fri, 24 Sep 2004 17:15:51 +0000 (+0000) Subject: Add trace Defaults option and TRACE/NOTRACE tags and set FLAG_TRACE X-Git-Tag: SUDO_1_7_0~959 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=e3391d597b933709247d3c410961db7fec63a6f1;p=sudo Add trace Defaults option and TRACE/NOTRACE tags and set FLAG_TRACE --- diff --git a/parse.c b/parse.c index 54887025e..a7f214cf5 100644 --- a/parse.c +++ b/parse.c @@ -124,7 +124,6 @@ sudoers_lookup(pwflag) /* Need to be runas user while stat'ing things in the parser. */ set_perms(PERM_RUNAS); error = yyparse(); - if (error || parse_error) { set_perms(PERM_ROOT); return(VALIDATE_ERROR); @@ -196,7 +195,8 @@ sudoers_lookup(pwflag) set_perms(PERM_ROOT); return(VALIDATE_OK | (no_passwd == TRUE ? FLAG_NOPASS : 0) | - (no_execve == TRUE ? FLAG_NOEXEC : 0)); + (no_execve == TRUE ? FLAG_NOEXEC : 0) | + (trace_cmnd == TRUE ? FLAG_TRACE : 0)); } else if ((runas_matches == TRUE && cmnd_matches == FALSE) || (runas_matches == FALSE && cmnd_matches == TRUE)) { /* @@ -205,7 +205,8 @@ sudoers_lookup(pwflag) set_perms(PERM_ROOT); return(VALIDATE_NOT_OK | (no_passwd == TRUE ? FLAG_NOPASS : 0) | - (no_execve == TRUE ? FLAG_NOEXEC : 0)); + (no_execve == TRUE ? FLAG_NOEXEC : 0) | + (trace_cmnd == TRUE ? FLAG_TRACE : 0)); } } top--; diff --git a/parse.h b/parse.h index 5a59ba374..aa9cb55a5 100644 --- a/parse.h +++ b/parse.h @@ -33,6 +33,7 @@ struct matchstack { int runas; int nopass; int noexec; + int trace; }; /* @@ -50,6 +51,7 @@ struct sudo_command { #define runas_matches (match[top-1].runas) #define no_passwd (match[top-1].nopass) #define no_execve (match[top-1].noexec) +#define trace_cmnd (match[top-1].trace) /* * Structure containing command matches if "sudo -l" is used. @@ -63,6 +65,7 @@ struct command_match { size_t cmnd_size; int nopasswd; int noexecve; + int trace; }; /* diff --git a/parse.lex b/parse.lex index 4b73836fd..1145a57ab 100644 --- a/parse.lex +++ b/parse.lex 
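Review bot: The tag-to-flag expression in sudoers_lookup() is now three terms long and is repeated verbatim in the VALIDATE_OK return (parse.c hunk `@@ -196,7 +195,8 @@`) and the VALIDATE_NOT_OK return (hunk `@@ -205,7 +205,8 @@`), so the next tag has to be added in two places. Because FLAG_NOEXEC and FLAG_TRACE are restrictions, a term missed in one return would silently drop the restriction. Computing it once just before the return, with a new local, `tags = (no_passwd == TRUE ? FLAG_NOPASS : 0) | (no_execve == TRUE ? FLAG_NOEXEC : 0) | (trace_cmnd == TRUE ? FLAG_TRACE : 0);`, and returning `VALIDATE_OK | tags` or `VALIDATE_NOT_OK | tags` keeps the two in step. The code that tests FLAG_TRACE is not part of this diff, so it is worth confirming that every caller which honours FLAG_NOEXEC also honours the new bit. The body of sudoers_lookup() starts and ends outside both hunks.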
@@ -228,6 +228,16 @@ EXEC[[:blank:]]*: { return(EXEC); } +NOTRACE[[:blank:]]*: { + LEXTRACE("NOTRACE "); + return(NOTRACE); + } + +TRACE[[:blank:]]*: { + LEXTRACE("TRACE "); + return(TRACE); + } + \+{WORD} { /* netgroup */ fill(yytext, yyleng); diff --git a/parse.yacc b/parse.yacc index a171449ef..225da15fe 100644 --- a/parse.yacc +++ b/parse.yacc @@ -124,6 +124,7 @@ int top = 0, stacksize = 0; match[top].runas = UNSPEC; \ match[top].nopass = def_authenticate ? UNSPEC : TRUE; \ match[top].noexec = def_noexec ? TRUE : UNSPEC; \ + match[top].trace = def_trace ? TRUE : UNSPEC; \ top++; \ } while (0) @@ -139,6 +140,7 @@ int top = 0, stacksize = 0; match[top].runas = match[top-1].runas; \ match[top].nopass = match[top-1].nopass; \ match[top].noexec = match[top-1].noexec; \ + match[top].trace = match[top-1].trace; \ top++; \ } while (0) @@ -242,6 +244,8 @@ yyerror(s) %token PASSWD /* passwd req for command (default) */ %token NOEXEC /* preload dummy execve() for cmnd */ %token EXEC /* don't preload dummy execve() */ +%token TRACE /* trace children of cmnd */ +%token NOTRACE /* disable tracing of children */ %token ALL /* ALL keyword */ %token COMMENT /* comment and/or carriage return */ %token HOSTALIAS /* Host_Alias keyword */ @@ -374,6 +378,7 @@ privilege : hostlist '=' cmndspeclist { runas_matches = UNSPEC; no_passwd = def_authenticate ? UNSPEC : TRUE; no_execve = def_noexec ? TRUE : UNSPEC; + trace_cmnd = def_trace ? TRUE : UNSPEC; } ; @@ -625,7 +630,7 @@ runasuser : WORD { ; cmndtag : /* empty */ { - /* Inherit {NOPASSWD,PASSWD,NOEXEC,EXEC} status. */ + /* Inherit tags. */ if (printmatches == TRUE && host_matches == TRUE && user_matches == TRUE) { if (no_passwd == TRUE) @@ -636,6 +641,10 @@ cmndtag : /* empty */ { cm_list[cm_list_len].noexecve = TRUE; else cm_list[cm_list_len].noexecve = FALSE; + if (trace_cmnd == TRUE) + cm_list[cm_list_len].trace = TRUE; + else + cm_list[cm_list_len].trace = FALSE; } } | cmndtag NOPASSWD { 
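Review bot: The two patterns added in the parse.lex hunk match the bare words `TRACE` and `NOTRACE` whenever optional blanks and a `:` follow, so an existing sudoers file that uses either word as an alias name directly before a `:` separator would presumably be read as a tag after this change. Whether a start condition limits these rules is not visible in the hunk. If it does not, the likely result is a syntax error rather than a wider grant, but it still deserves a line in the upgrade notes and a comment above the rules, for example `/* TRACE and NOTRACE are reserved tag names; an alias spelled the same and followed by ':' is read as the tag */`.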
@@ -662,6 +671,18 @@ cmndtag : /* empty */ { user_matches == TRUE) cm_list[cm_list_len].noexecve = FALSE; } + | cmndtag TRACE { + trace_cmnd = TRUE; + if (printmatches == TRUE && host_matches == TRUE && + user_matches == TRUE) + cm_list[cm_list_len].trace = TRUE; + } + | cmndtag NOTRACE { + trace_cmnd = FALSE; + if (printmatches == TRUE && host_matches == TRUE && + user_matches == TRUE) + cm_list[cm_list_len].trace = FALSE; + } ; cmnd : ALL { @@ -1082,6 +1103,12 @@ list_matches() else if (cm_list[count].noexecve == FALSE && def_noexec) (void) fputs("EXEC: ", stdout); + /* Is tracing enabled? */ + if (cm_list[count].trace == TRUE && !def_trace) + (void) fputs("TRACE: ", stdout); + else if (cm_list[count].trace == FALSE && def_trace) + (void) fputs("NOTRACE: ", stdout); + /* Is a password required? */ if (cm_list[count].nopasswd == TRUE && def_authenticate) (void) fputs("NOPASSWD: ", stdout); @@ -1215,6 +1242,7 @@ expand_match_list() cm_list[cm_list_len].runas = cm_list[cm_list_len].cmnd = NULL; cm_list[cm_list_len].nopasswd = FALSE; cm_list[cm_list_len].noexecve = FALSE; + cm_list[cm_list_len].trace = FALSE; } /* diff --git a/sudo.h b/sudo.h index ff2491229..80da4e6d8 100644 --- a/sudo.h +++ b/sudo.h @@ -65,6 +65,7 @@ struct sudo_user { #define FLAG_NO_HOST 0x080 #define FLAG_NO_CHECK 0x100 #define FLAG_NOEXEC 0x200 +#define FLAG_TRACE 0x400 /* * Pseudo-boolean values
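Review bot: In the `@@ -662,6 +671,18 @@` hunk of parse.yacc the NOTRACE action sets `trace_cmnd = FALSE`, and in the visible rules only a later TRACE tag or the reset in the `privilege` rule (after the whole `cmndspeclist`) changes it back. The tag therefore also covers every later command in the list that has no tag of its own, since the empty `cmndtag` alternative inherits. That matches how the other tags behave, but NOTRACE lifts a restriction, so the scope should be stated where the rule is defined, for example `/* NOTRACE stays in effect for the rest of this cmndspeclist unless a later TRACE tag re-enables tracing */`. The cmndtag rule starts outside this hunk.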