From 1fe582a0e3315e562f05830c33a02223c777a1bb Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Sun, 28 Oct 2018 15:46:27 -0600 Subject: [PATCH] Add support for negated sudoRunAsUser and sudoRunAsGroup entries. --- MANIFEST | 2 + doc/sudoers.ldap.cat | 23 ++++--- doc/sudoers.ldap.man.in | 22 ++++++- doc/sudoers.ldap.mdoc.in | 22 ++++++- plugins/sudoers/ldap_util.c | 12 +++- .../sudoers/regress/cvtsudoers/test33.out.ok | 7 +++ plugins/sudoers/regress/cvtsudoers/test33.sh | 61 +++++++++++++++++++ 7 files changed, 138 insertions(+), 11 deletions(-) create mode 100644 plugins/sudoers/regress/cvtsudoers/test33.out.ok create mode 100755 plugins/sudoers/regress/cvtsudoers/test33.sh diff --git a/MANIFEST b/MANIFEST index 5bfcf2973..49612b5df 100644 --- a/MANIFEST +++ b/MANIFEST @@ -460,6 +460,8 @@ plugins/sudoers/regress/cvtsudoers/test31.out.ok plugins/sudoers/regress/cvtsudoers/test31.sh plugins/sudoers/regress/cvtsudoers/test32.out.ok plugins/sudoers/regress/cvtsudoers/test32.sh +plugins/sudoers/regress/cvtsudoers/test33.out.ok +plugins/sudoers/regress/cvtsudoers/test33.sh plugins/sudoers/regress/cvtsudoers/test4.out.ok plugins/sudoers/regress/cvtsudoers/test4.sh plugins/sudoers/regress/cvtsudoers/test5.out.ok diff --git a/doc/sudoers.ldap.cat b/doc/sudoers.ldap.cat index 2786bd4f9..a6da4c128 100644 --- a/doc/sudoers.ldap.cat +++ b/doc/sudoers.ldap.cat 
@@ -107,21 +107,28 @@ DDEESSCCRRIIPPTTIIOONN A user name or uid (prefixed with `#') that commands may be run as or a Unix group (prefixed with a `%') or user netgroup (prefixed with a `+') that contains a list of users that commands may be run - as. The special value ALL will match any user. If sudoRunAsUser - is specified but empty, it will match the invoking user. If - neither sudoRunAsUser nor sudoRunAsGroup are present, the value of - the _r_u_n_a_s___d_e_f_a_u_l_t sudoOption is used (defaults to root). + as. The special value ALL will match any user. If a sudoRunAsUser + entry is preceded by an exclamation point, `!', and the entry + matches, the sudoRole in which it resides will be ignored. If + sudoRunAsUser is specified but empty, it will match the invoking + user. If neither sudoRunAsUser nor sudoRunAsGroup are present, the + value of the _r_u_n_a_s___d_e_f_a_u_l_t sudoOption is used (defaults to root). The sudoRunAsUser attribute is only available in ssuuddoo versions 1.7.0 and higher. Older versions of ssuuddoo use the sudoRunAs - attribute instead. + attribute instead. Negated sudoRunAsUser entries are only + supported by version 1.8.26 or higher. ssuuddooRRuunnAAssGGrroouupp A Unix group or gid (prefixed with `#') that commands may be run - as. The special value ALL will match any group. + as. The special value ALL will match any group. If a + sudoRunAsGroup entry is preceded by an exclamation point, `!', and + the entry matches, the sudoRole in which it resides will be + ignored. The sudoRunAsGroup attribute is only available in ssuuddoo versions - 1.7.0 and higher. + 1.7.0 and higher. Negated sudoRunAsGroup entries are only + supported by version 1.8.26 or higher. ssuuddooNNoottBBeeffoorree A timestamp in the form yyyymmddHHMMSSZ that can be used to provide 
@@ -1011,4 +1018,4 @@ DDIISSCCLLAAIIMMEERR file distributed with ssuuddoo or https://www.sudo.ws/license.html for complete details. -Sudo 1.8.26 October 7, 2018 Sudo 1.8.26 +Sudo 1.8.26 October 28, 2018 Sudo 1.8.26 diff --git a/doc/sudoers.ldap.man.in b/doc/sudoers.ldap.man.in index a656203b3..b2b99ffce 100644 --- a/doc/sudoers.ldap.man.in +++ b/doc/sudoers.ldap.man.in @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.TH "SUDOERS.LDAP" "5" "October 7, 2018" "Sudo @PACKAGE_VERSION@" "File Formats Manual" +.TH "SUDOERS.LDAP" "5" "October 28, 2018" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .nh .if n .ad l .SH "NAME" @@ -218,6 +218,13 @@ that contains a list of users that commands may be run as. The special value \fRALL\fR will match any user. +If a +\fRsudoRunAsUser\fR +entry is preceded by an exclamation point, +\(oq\&!\(cq, +and the entry matches, the +\fRsudoRole\fR +in which it resides will be ignored. If \fRsudoRunAsUser\fR is specified but empty, it will match the invoking user. @@ -242,6 +249,9 @@ Older versions of use the \fRsudoRunAs\fR attribute instead. +Negated +\fRsudoRunAsUser\fR +entries are only supported by version 1.8.26 or higher. .TP 6n \fBsudoRunAsGroup\fR A Unix group or gid (prefixed with @@ -250,6 +260,13 @@ that commands may be run as. The special value \fRALL\fR will match any group. +If a +\fRsudoRunAsGroup\fR +entry is preceded by an exclamation point, +\(oq\&!\(cq, +and the entry matches, the +\fRsudoRole\fR +in which it resides will be ignored. .sp The \fRsudoRunAsGroup\fR @@ -257,6 +274,9 @@ attribute is only available in \fBsudo\fR versions 1.7.0 and higher. +Negated +\fRsudoRunAsGroup\fR +entries are only supported by version 1.8.26 or higher. .TP 6n \fBsudoNotBefore\fR A timestamp in the form diff --git a/doc/sudoers.ldap.mdoc.in b/doc/sudoers.ldap.mdoc.in index 55217b641..58b3bd06f 100644 
--- a/doc/sudoers.ldap.mdoc.in +++ b/doc/sudoers.ldap.mdoc.in @@ -13,7 +13,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd October 7, 2018 +.Dd October 28, 2018 .Dt SUDOERS.LDAP @mansectform@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME @@ -203,6 +203,13 @@ that contains a list of users that commands may be run as. The special value .Li ALL will match any user. +If a +.Li sudoRunAsUser +entry is preceded by an exclamation point, +.Ql \&! , +and the entry matches, the +.Li sudoRole +in which it resides will be ignored. If .Li sudoRunAsUser is specified but empty, it will match the invoking user. @@ -227,6 +234,9 @@ Older versions of use the .Li sudoRunAs attribute instead. +Negated +.Li sudoRunAsUser +entries are only supported by version 1.8.26 or higher. .It Sy sudoRunAsGroup A Unix group or gid (prefixed with .Ql # ) @@ -234,6 +244,13 @@ that commands may be run as. The special value .Li ALL will match any group. +If a +.Li sudoRunAsGroup +entry is preceded by an exclamation point, +.Ql \&! , +and the entry matches, the +.Li sudoRole +in which it resides will be ignored. .Pp The .Li sudoRunAsGroup @@ -241,6 +258,9 @@ attribute is only available in .Nm sudo versions 1.7.0 and higher. +Negated +.Li sudoRunAsGroup +entries are only supported by version 1.8.26 or higher. .It Sy sudoNotBefore A timestamp in the form .Li yyyymmddHHMMSSZ diff --git a/plugins/sudoers/ldap_util.c b/plugins/sudoers/ldap_util.c index 061b199a1..9b8f69ea4 100644 --- a/plugins/sudoers/ldap_util.c +++ b/plugins/sudoers/ldap_util.c @@ -123,6 +123,8 @@ sudo_ldap_parse_option(char *optstr, char **varp, char **valp) static struct member_list * array_to_member_list(void *a, sudo_ldap_iter_t iter) { + struct member_list negated_members = + TAILQ_HEAD_INITIALIZER(negated_members); struct member_list *members; struct member *m; char *val; 
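Review bot: The new `negated_members` list lives in the generic `array_to_member_list()` helper, so every attribute converted through it — not only the sudoRunAsUser and sudoRunAsGroup named in the commit message — now treats a leading `!` as negation; if the helper also builds sudoHost lists (inferred, not visible in this hunk) that widening should be stated. A one-line comment on the declaration would make the intent visible without reading to the end of the function, e.g. `/* Negated entries are queued here and appended after the positive ones. */`. The body of array_to_member_list continues past this hunk.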
@@ -135,6 +137,7 @@ array_to_member_list(void *a, sudo_ldap_iter_t iter) while ((val = iter(&a)) != NULL) { if ((m = calloc(1, sizeof(*m))) == NULL) goto bad; + m->negated = sudo_ldap_is_negated(&val); switch (val[0]) { case '\0': @@ -172,10 +175,17 @@ array_to_member_list(void *a, sudo_ldap_iter_t iter) } break; } - TAILQ_INSERT_TAIL(members, m, entries); + if (m->negated) + TAILQ_INSERT_TAIL(&negated_members, m, entries); + else + TAILQ_INSERT_TAIL(members, m, entries); } + + /* Negated members take precedence so we insert them at the end. */ + TAILQ_CONCAT(members, &negated_members, entries); debug_return_ptr(members); bad: + free_members(&negated_members); free_members(members); free(members); debug_return_ptr(NULL); diff --git a/plugins/sudoers/regress/cvtsudoers/test33.out.ok b/plugins/sudoers/regress/cvtsudoers/test33.out.ok new file mode 100644 index 000000000..6584701da --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test33.out.ok @@ -0,0 +1,7 @@ +Defaults log_output + +# sudoRole root +root ALL = (ALL : ALL) NOPASSWD: ALL + +# sudoRole millert +millert ALL = (ALL, !bin, !root : ALL, !wheel) ALL diff --git a/plugins/sudoers/regress/cvtsudoers/test33.sh b/plugins/sudoers/regress/cvtsudoers/test33.sh new file mode 100755 index 000000000..db8d8d179 --- /dev/null +++ b/plugins/sudoers/regress/cvtsudoers/test33.sh @@ -0,0 +1,61 @@ +#!/bin/sh +# +# Test LDAP negated sudoRunAsUser and sudoRunAsGroup converted to sudoers. +# + +exec 2>&1 +./cvtsudoers -c "" -i ldif -f sudoers <
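Review bot: The comment `/* Negated members take precedence so we insert them at the end. */` gives the effect but not the mechanism: the precedence presumably comes from the member matcher being last-match-wins, which is outside this file, so a reader of the hunk cannot see why appending yields precedence; suggest `/* Member matching is last-match-wins, so negated entries are appended after the positive ones and override any earlier positive match. */` once that is confirmed against the matcher. Also, `m->negated = sudo_ldap_is_negated(&val);` runs before `switch (val[0])`, so a value consisting solely of `!` becomes a negated empty entry and falls into `case '\0':`, a case the new test does not appear to cover; either reject it explicitly or pin its intended meaning in test33. The expected output in test33.out.ok (`(ALL, !bin, !root : ALL, !wheel)`) is consistent with the TAILQ_CONCAT ordering, but the LDIF input order is not visible here, so it does not show that a negated entry listed before a positive one is reordered. The opening and closing of array_to_member_list lie outside these hunks.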