From: Todd C. Miller Date: Tue, 12 Apr 2005 01:37:08 +0000 (+0000) Subject: In -l mode, only check local sudoers file if def_ignore_sudoers is not set X-Git-Tag: SUDO_1_7_0~652 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=f261a99f221d4ed6882cbaafe60f66bc39ea07ce;p=sudo In -l mode, only check local sudoers file if def_ignore_sudoers is not set and call LDAP versions from display_privs() and display_cmnd() instead of directly from main(). Because of this we need to defer closing the ldap connection until after -l processing has ocurred and we must pass in the ldap pointer to display_privs() and display_cmnd().
---
diff --git a/parse.c b/parse.c
index b44bec5a0..d0e0a0ccd 100644
--- a/parse.c
+++ b/parse.c
@@ -206,7 +206,8 @@ sudoers_lookup(pwflag)
 * Print out privileges for the specified user.
 */
 void
-display_privs(pw)
+display_privs(v, pw)
+ VOID *v;
 struct passwd *pw;
 {
 struct cmndspec *cs;
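Review bot: The header comment above display_privs still reads `* Print out privileges for the specified user.` and says nothing about the new first parameter `v`, which the remaining hunks show is the LDAP handle handed through from main() and may be NULL. Suggest extending it to `* Print out privileges for the specified user. "v" is the LDAP connection (NULL if none); with def_ignore_local_sudoers set only LDAP entries are listed.` so that callers know NULL is accepted. The body of display_privs continues in the next hunk, outside this one.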
@@ -218,60 +219,66 @@ display_privs(pw)
 #if defined(HAVE_INITGROUPS) && defined(HAVE_GETGROUPS)
 /* Set group vector so group matching works correctly. */
 if (pw != sudo_user.pw) {
- (void) initgroups(pw->pw_name, pw->pw_gid);
- if ((user_ngroups = getgroups(0, NULL)) > 0) {
- user_groups = erealloc3(user_groups, user_ngroups, sizeof(gid_t));
- if (getgroups(user_ngroups, user_groups) < 0)
- log_error(USE_ERRNO|MSG_ONLY, "can't get group vector");
- } else
- user_ngroups = 0;
+ (void) initgroups(pw->pw_name, pw->pw_gid);
+ if ((user_ngroups = getgroups(0, NULL)) > 0) {
+ user_groups = erealloc3(user_groups, user_ngroups, sizeof(gid_t));
+ if (getgroups(user_ngroups, user_groups) < 0)
+ log_error(USE_ERRNO|MSG_ONLY, "can't get group vector");
+ } else
+ user_ngroups = 0;
 }
 #endif
- display_defaults(pw);
+ if (!def_ignore_local_sudoers) {
+ display_defaults(pw);
- print_priv3("User ", pw->pw_name,
- " may run the following commands on this host:\n");
+ print_priv3("User ", pw->pw_name,
+ " may run the following commands on this host:\n");
- for (us = userspecs; us != NULL; us = us->next) {
- if (user_matches(pw, us->user) != TRUE ||
- host_matches(us->privileges->hostlist) != TRUE)
- continue;
+ for (us = userspecs; us != NULL; us = us->next) {
+ if (user_matches(pw, us->user) != TRUE ||
+ host_matches(us->privileges->hostlist) != TRUE)
+ continue;
- for (priv = us->privileges; priv != NULL; priv = priv->next) {
- tags.monitor = def_monitor;
- tags.noexec = def_noexec;
- tags.nopasswd = !def_authenticate;
- for (cs = priv->cmndlist; cs != NULL; cs = cs->next) {
- if (cs != priv->cmndlist)
- print_priv(", ");
- if (cs->runaslist != NULL) {
- print_priv(" (");
- for (m = cs->runaslist; m != NULL; m = m->next) {
- if (m != cs->runaslist)
- print_priv(", ");
- print_member(m->name, m->type, m->negated, RUNASALIAS);
+ for (priv = us->privileges; priv != NULL; priv = priv->next) {
+ tags.monitor = def_monitor;
+ tags.noexec = def_noexec;
+ tags.nopasswd = !def_authenticate;
+ for (cs = priv->cmndlist; cs != NULL; cs = cs->next) {
+ if (cs != priv->cmndlist)
+ print_priv(", ");
+ if (cs->runaslist != NULL) {
+ print_priv(" (");
+ for (m = cs->runaslist; m != NULL; m = m->next) {
+ if (m != cs->runaslist)
+ print_priv(", ");
+ print_member(m->name, m->type, m->negated, RUNASALIAS);
+ }
+ print_priv(") ");
 }
- print_priv(") ");
- }
- if (TAG_CHANGED(monitor)) {
- print_priv(cs->tags.monitor ? "MONITOR: " : "NOMONITOR: ");
- tags.monitor = cs->tags.monitor;
- }
- if (TAG_CHANGED(noexec)) {
- print_priv(cs->tags.monitor ? "EXEC: " : "NOEXEC: ");
- tags.noexec = cs->tags.noexec;
- }
- if (TAG_CHANGED(nopasswd)) {
- print_priv(cs->tags.monitor ? "PASSWD: " : "NOPASSWD: ");
- tags.nopasswd = cs->tags.nopasswd;
+ if (TAG_CHANGED(monitor)) {
+ print_priv(cs->tags.monitor ? "MONITOR: " : "NOMONITOR: ");
+ tags.monitor = cs->tags.monitor;
+ }
+ if (TAG_CHANGED(noexec)) {
+ print_priv(cs->tags.monitor ? "EXEC: " : "NOEXEC: ");
+ tags.noexec = cs->tags.noexec;
+ }
+ if (TAG_CHANGED(nopasswd)) {
+ print_priv(cs->tags.monitor ? "PASSWD: " : "NOPASSWD: ");
+ tags.nopasswd = cs->tags.nopasswd;
+ }
+ m = cs->cmnd;
+ print_member(m->name, m->type, m->negated, CMNDALIAS);
 }
- m = cs->cmnd;
- print_member(m->name, m->type, m->negated, CMNDALIAS);
+ print_priv("\n");
 }
- print_priv("\n");
 }
 }
+#ifdef HAVE_LDAP
+ if (v != NULL)
+ sudo_ldap_display_privs(v, pw);
+#endif
 }
 /*
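Review bot: The NOEXEC and NOPASSWD output on the new side tests the wrong tag field: `print_priv(cs->tags.monitor ? "EXEC: " : "NOEXEC: ");` and `print_priv(cs->tags.monitor ? "PASSWD: " : "NOPASSWD: ");` both read `cs->tags.monitor`, while the assignments directly below them use `cs->tags.noexec` and `cs->tags.nopasswd`. The `sudo -l` listing is what an administrator uses to audit which commands run without a password or with exec disabled, so this misreports the effective policy whenever those tags differ from the monitor tag; the lines were moved unchanged, so the defect predates this commit, but it now sits in the block under review. Change them to `print_priv(cs->tags.noexec ? "EXEC: " : "NOEXEC: ");` and `print_priv(cs->tags.nopasswd ? "PASSWD: " : "NOPASSWD: ");`. Separately, the seven removed and seven added lines of the initgroups/getgroups block are textually identical, so that part of the hunk is a whitespace-only change mixed into a functional one and would be easier to review split out. display_privs begins in the preceding hunk, outside this one.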
@@ -392,35 +399,43 @@ display_bound_defaults(dtype)
 * command is allowed.
 */
 int
-display_cmnd(pw)
+display_cmnd(v, pw)
+ VOID *v;
 struct passwd *pw;
 {
 struct cmndspec *cs;
 struct member *match, *runas;
 struct privilege *priv;
 struct userspec *us;
+ int rval = 1;
- for (match = NULL, us = userspecs; us != NULL; us = us->next) {
- if (user_matches(pw, us->user) != TRUE ||
- host_matches(us->privileges->hostlist) != TRUE)
- continue;
+#ifdef HAVE_LDAP
+ rval = sudo_ldap_display_cmnd(v, pw);
+#endif
+ if (rval != 0 && !def_ignore_local_sudoers) {
+ for (match = NULL, us = userspecs; us != NULL; us = us->next) {
+ if (user_matches(pw, us->user) != TRUE ||
+ host_matches(us->privileges->hostlist) != TRUE)
+ continue;
- for (priv = us->privileges; priv != NULL; priv = priv->next) {
- runas = NULL;
- for (cs = priv->cmndlist; cs != NULL; cs = cs->next) {
- if (cs->runaslist != NULL)
- runas = cs->runaslist;
- if (runas_matches(runas) == TRUE &&
- cmnd_matches(cs->cmnd) != UNSPEC)
- match = cs->cmnd;
+ for (priv = us->privileges; priv != NULL; priv = priv->next) {
+ runas = NULL;
+ for (cs = priv->cmndlist; cs != NULL; cs = cs->next) {
+ if (cs->runaslist != NULL)
+ runas = cs->runaslist;
+ if (runas_matches(runas) == TRUE &&
+ cmnd_matches(cs->cmnd) != UNSPEC)
+ match = cs->cmnd;
+ }
 }
 }
+ if (match != NULL && !match->negated) {
+ printf("%s%s%s\n", safe_cmnd, user_args ? " " : "",
+ user_args ? user_args : "");
+ rval = 0;
+ }
 }
- if (match == NULL || match->negated)
- return(1);
- printf("%s%s%s\n", safe_cmnd, user_args ? " " : "",
- user_args ? user_args : "");
- return(0);
+ return(rval);
 }
 /*
diff --git a/sudo.c b/sudo.c
index 0664e4427..48a76c9e8 100644
--- a/sudo.c
+++ b/sudo.c
@@ -152,9 +152,7 @@ main(argc, argv)
 int sudo_mode;
 int pwflag;
 sigaction_t sa;
-#ifdef HAVE_LDAP
- VOID *ld;
-#endif
+ VOID *ld = NULL;
 extern char **environ;
 #ifdef HAVE_SETLOCALE
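Review bot: `rval = sudo_ldap_display_cmnd(v, pw);` runs unconditionally under HAVE_LDAP even when `v` is NULL, whereas the matching call added to display_privs is guarded by `if (v != NULL)`; since main() now initialises `ld` to NULL unconditionally (the sudo.c hunk on this line), a build with LDAP support but no open connection reaches this call with a NULL handle unless sudo_ldap_display_cmnd tolerates that itself, which this page does not show. Guard it the same way: `if (v != NULL) rval = sudo_ldap_display_cmnd(v, pw);`. The fallback test `if (rval != 0 && !def_ignore_local_sudoers)` also relies on sudo_ldap_display_cmnd returning 0 only when it has matched and printed the command, which nothing in the function states; a one-line comment above the `#ifdef`, `/* rval == 0 means LDAP matched and printed the command; only then is sudoers skipped. */`, would make the contract explicit. Note that `match` is now only initialised inside that block, which is fine because its only use is inside the same block.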
@@ -294,10 +292,8 @@ main(argc, argv)
 cmnd_status = set_cmnd(sudo_mode);
 #ifdef HAVE_LDAP
- if (ld != NULL) {
+ if (ld != NULL)
 validated = sudo_ldap_check(ld, pwflag);
- sudo_ldap_close(ld);
- }
 /* Fallback to sudoers if we are allowed to and we aren't validated. */
 if (!def_ignore_local_sudoers && !ISSET(validated, VALIDATE_OK))
 #endif
@@ -373,15 +369,19 @@ main(argc, argv)
 if (sudo_mode == MODE_VALIDATE)
 exit(0);
 else if (sudo_mode == MODE_CHECK)
- exit(display_cmnd(list_pw ? list_pw : sudo_user.pw));
+ exit(display_cmnd(ld, list_pw ? list_pw : sudo_user.pw));
 else if (sudo_mode == MODE_LIST) {
- display_privs(list_pw ? list_pw : sudo_user.pw);
-#ifdef HAVE_LDAP
- sudo_ldap_display_privs(); /* XXX - use list_pw */
-#endif
+ display_privs(ld, list_pw ? list_pw : sudo_user.pw);
 exit(0);
 }
+#ifdef HAVE_LDAP
+ if (ld != NULL) {
+ sudo_ldap_close(ld);
+ ld = NULL;
+ }
+#endif
+
 #ifdef HAVE_SYSTRACE
 if (def_monitor)
 systrace_attach(getpid());
diff --git a/sudo.h b/sudo.h
index 4769c4da6..9b9f30a32 100644
--- a/sudo.h
+++ b/sudo.h
@@ -216,7 +216,8 @@ int sudoers_lookup __P((int));
 int parse_sudoers __P((const char *));
 #ifdef HAVE_LDAP
 int sudo_ldap_check __P((VOID *, int));
-void sudo_ldap_display_privs __P((void));
+void sudo_ldap_display_privs __P((VOID *, struct passwd *));
+int sudo_ldap_display_cmnd __P((VOID *, struct passwd *));
 void sudo_ldap_update_defaults __P((VOID *));
 VOID *sudo_ldap_open __P((void));
 void sudo_ldap_close __P((VOID *));
@@ -251,8 +252,8 @@ int pam_prep_user __P((struct passwd *));
 void zero_bytes __P((volatile VOID *, size_t));
 int gettime __P((struct timespec *));
 FILE *open_sudoers __P((const char *, int *));
-void display_privs __P((struct passwd *));
-int display_cmnd __P((struct passwd *));
+void display_privs __P((VOID *, struct passwd *));
+int display_cmnd __P((VOID *, struct passwd *));
 void sudo_setgrent __P((void));
 void sudo_endgrent __P((void));
 void sudo_setpwent __P((void));
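Review bot: The new `sudo_ldap_close(ld)` block in the second sudo.c hunk is never reached on the validate, check or list paths: `exit(0)`, `exit(display_cmnd(ld, ...))` and the `exit(0)` after `display_privs(ld, ...)` all leave the process before it, so the connection kept open for -l is released only by process exit rather than by an explicit unbind. That matches the commit message's intent of deferring the close past -l processing, but a reader of the new block will expect it to cover those paths; either say so with a comment, `/* -v/-l/-c paths exit() above; on the run path ld is closed here so the descriptor is not left open for the command. */`, or move the close into a shared cleanup that each branch passes through before exit(). Whether the command is executed further down main() is outside this hunk, so the descriptor-inheritance motive is inferred. main() starts and ends outside the hunk.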
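Review bot: The new prototype `int sudo_ldap_display_cmnd __P((VOID *, struct passwd *));` in the first sudo.h hunk documents nothing about its return value, yet parse.c's display_cmnd assigns the result straight to `rval` and skips the local sudoers lookup whenever it is 0, so zero-on-match is now an interface between two files. Add a comment above the prototype, `/* Returns 0 if LDAP matched and printed the command, non-zero otherwise; display_cmnd() falls back to sudoers only on non-zero. */`. The same convention governs `display_cmnd` in the second sudo.h hunk, whose return value main() passes directly to exit(), so a note there that 0 means allowed would help too.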