From 171686c422eb69c47b96876e43bf242a0a78081d Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Thu, 2 Aug 2018 14:06:36 -0600
Subject: [PATCH] update_defaults() needs to be able to take a defaults_list for the ldap/sssd backends which support per-role defaults.

---
 plugins/sudoers/defaults.c    | 11 ++++++++---
 plugins/sudoers/defaults.h    |  3 ++-
 plugins/sudoers/parse.c       |  2 +-
 plugins/sudoers/sudoers.c     |  4 ++--
 plugins/sudoers/testsudoers.c |  2 +-
 plugins/sudoers/visudo.c      |  6 +++---
 6 files changed, 17 insertions(+), 11 deletions(-)

diff --git a/plugins/sudoers/defaults.c b/plugins/sudoers/defaults.c
index 8611d5906..bfe4ee46d 100644
--- a/plugins/sudoers/defaults.c
+++ b/plugins/sudoers/defaults.c
@@ -730,7 +730,8 @@ default_binding_matches(struct sudoers_parse_tree *parse_tree,
  * Pass in an OR'd list of which default types to update.
  */
 bool
-update_defaults(struct sudoers_parse_tree *parse_tree, int what, bool quiet)
+update_defaults(struct sudoers_parse_tree *parse_tree,
+    struct defaults_list *defs, int what, bool quiet)
 {
     struct defaults *d;
     bool ret = true;
@@ -739,10 +740,14 @@ update_defaults(struct sudoers_parse_tree *parse_tree, int what, bool quiet)
     sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
 	"what: 0x%02x", what);
 
+    /* If no defaults list specified, use the global one in the parse tree. */
+    if (defs == NULL)
+	defs = &parse_tree->defaults;
+
     /*
      * First apply Defaults values marked as early.
      */
-    TAILQ_FOREACH(d, &parse_tree->defaults, entries) {
+    TAILQ_FOREACH(d, defs, entries) {
 	struct early_default *early = is_early_default(d->var);
 	if (early == NULL)
 	    continue;
@@ -764,7 +769,7 @@ update_defaults(struct sudoers_parse_tree *parse_tree, int what, bool quiet)
     /*
      * Then set the rest of the defaults.
      */
-    TAILQ_FOREACH(d, &parse_tree->defaults, entries) {
+    TAILQ_FOREACH(d, defs, entries) {
 	/* Skip Defaults marked as early, we already did them. */
 	if (is_early_default(d->var))
 	    continue;
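Review bot: The header comment above update_defaults() still ends with ` * Pass in an OR'd list of which default types to update.` and says nothing about the new `defs` parameter, so the only description of the NULL fallback is the inline comment inside the body (second hunk). Add a sentence to that header comment such as ` * If defs is NULL the Defaults in parse_tree->defaults are applied; otherwise defs (e.g. a per-role list from an LDAP/SSSD entry) is applied against parse_tree.` The new prototype in plugins/sudoers/defaults.h carries no description of the parameter either. The comment block starts before the first hunk and the function body continues past the last one.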
diff --git a/plugins/sudoers/defaults.h b/plugins/sudoers/defaults.h
index 3d360b8e0..4b2db16c4 100644
--- a/plugins/sudoers/defaults.h
+++ b/plugins/sudoers/defaults.h
@@ -122,6 +122,7 @@ struct early_default {
 /*
  * Prototypes
  */
+struct defaults_list;
 struct sudoers_parse_tree;
 void dump_default(void);
 bool init_defaults(void);
@@ -129,7 +130,7 @@ struct early_default *is_early_default(const char *name);
 bool run_early_defaults(void);
 bool set_early_default(const char *var, const char *val, int op, const char *file, int lineno, bool quiet, struct early_default *early);
 bool set_default(const char *var, const char *val, int op, const char *file, int lineno, bool quiet);
-bool update_defaults(struct sudoers_parse_tree *parse_tree, int what, bool quiet);
+bool update_defaults(struct sudoers_parse_tree *parse_tree, struct defaults_list *defs, int what, bool quiet);
 bool check_defaults(struct sudoers_parse_tree *parse_tree, bool quiet);
 
 extern struct sudo_defs_types sudo_defs_table[];
diff --git a/plugins/sudoers/parse.c b/plugins/sudoers/parse.c
index f61518636..25a07e0ef 100644
--- a/plugins/sudoers/parse.c
+++ b/plugins/sudoers/parse.c
@@ -310,7 +310,7 @@ sudoers_lookup(struct sudo_nss_list *snl, struct passwd *pw, int validated,
 	    }
 	    if (match != UNSPEC) {
 		if (defs != NULL)
-		    update_defaults(parse_tree, SETDEF_GENERIC, false);
+		    update_defaults(parse_tree, defs, SETDEF_GENERIC, false);
 		if (!apply_cmndspec(cs))
 		    SET(validated, VALIDATE_ERROR);
 		else if (match == ALLOW)
diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c
index 28c6ada56..a7916315c 100644
--- a/plugins/sudoers/sudoers.c
+++ b/plugins/sudoers/sudoers.c
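Review bot: In the parse.c hunk the result of `update_defaults(parse_tree, defs, SETDEF_GENERIC, false)` is discarded and apply_cmndspec(cs) runs on the next line regardless, so a per-role Defaults entry that fails to apply is silently ignored while the matching rule is still honoured; the sudoers.c callers in this same patch log a warning when update_defaults() returns false. Consider `if (!update_defaults(parse_tree, defs, SETDEF_GENERIC, false))` followed by `SET(validated, VALIDATE_ERROR);`, mirroring the apply_cmndspec() failure path two lines below, or at least a log_warningx() as in sudoers.c, depending on whether a bad per-role default should block the command. sudoers_lookup() starts and ends outside the hunk.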
@@ -198,7 +198,7 @@ sudoers_policy_init(void *info, char * const envp[])
 	}
 	sources++;
-	if (nss->getdefs(nss) == -1 || !update_defaults(nss->parse_tree,
+	if (nss->getdefs(nss) == -1 || !update_defaults(nss->parse_tree, NULL,
 	    SETDEF_GENERIC|SETDEF_HOST|SETDEF_USER|SETDEF_RUNAS, false)) {
 	    log_warningx(SLOG_SEND_MAIL|SLOG_NO_STDERR,
 		N_("problem with defaults entries"));
@@ -854,7 +854,7 @@ set_cmnd(void)
 	user_base = user_cmnd;
 
     TAILQ_FOREACH(nss, snl, entries) {
-	if (!update_defaults(nss->parse_tree, SETDEF_CMND, false)) {
+	if (!update_defaults(nss->parse_tree, NULL, SETDEF_CMND, false)) {
 	    log_warningx(SLOG_SEND_MAIL|SLOG_NO_STDERR,
 		N_("problem with defaults entries"));
 	}
diff --git a/plugins/sudoers/testsudoers.c b/plugins/sudoers/testsudoers.c
index fde8b743e..489a4b3d8 100644
--- a/plugins/sudoers/testsudoers.c
+++ b/plugins/sudoers/testsudoers.c
@@ -285,7 +285,7 @@ main(int argc, char *argv[])
 	(void) fputs("Parses OK", stdout);
     }
 
-    if (!update_defaults(&parsed_policy, SETDEF_ALL, false))
+    if (!update_defaults(&parsed_policy, NULL, SETDEF_ALL, false))
 	(void) fputs(" (problem with defaults entries)", stdout);
     puts(".");
 
diff --git a/plugins/sudoers/visudo.c b/plugins/sudoers/visudo.c
index 340dbb5c5..533c952e8 100644
--- a/plugins/sudoers/visudo.c
+++ b/plugins/sudoers/visudo.c
@@ -246,7 +246,7 @@ main(int argc, char *argv[])
     init_parser(sudoers_file, quiet);
     sudoers_setlocale(SUDOERS_LOCALE_SUDOERS, &oldlocale);
     (void) sudoersparse();
-    (void) update_defaults(&parsed_policy,
+    (void) update_defaults(&parsed_policy, NULL,
 	SETDEF_GENERIC|SETDEF_HOST|SETDEF_USER, quiet);
     sudoers_setlocale(oldlocale, NULL);
 
@@ -602,7 +602,7 @@ reparse_sudoers(char *editor, int editor_argc, char **editor_argv,
     }
     fclose(sudoersin);
     if (!parse_error) {
-	(void) update_defaults(&parsed_policy,
+	(void) update_defaults(&parsed_policy, NULL,
 	    SETDEF_GENERIC|SETDEF_HOST|SETDEF_USER, true);
 	check_defaults_and_aliases(strict, quiet);
     }
@@ -920,7 +920,7 @@ check_syntax(const char *sudoers_file, bool quiet, bool strict, bool oldperms)
 	sudo_fatalx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
     }
     if (!parse_error) {
-	(void) update_defaults(&parsed_policy,
+	(void) update_defaults(&parsed_policy, NULL,
 	    SETDEF_GENERIC|SETDEF_HOST|SETDEF_USER, true);
 	check_defaults_and_aliases(strict, quiet);
     }
--
2.40.0