From 449f67f77649bf24829a85322645e8c52dccd725 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Thu, 2 Dec 1999 20:31:25 +0000 Subject: [PATCH] o Kill shell_noargs option, it cannot work since the command needs to be set before sudoers is parsed. o Fix the "set_home" sudoers option (only worked at compile time). o Fix "fqdn" sudoers option. We now set host/shost via set_fqdn which gets called when the "fqdn" option is set in sudoers. o Move the openlog() to store_syslogfac() so this gets overridden correctly from the sudoers file. --- INSTALL | 12 ++++---- defaults.c | 23 ++++++++------ defaults.h | 43 +++++++++++++------------- sudo.c | 76 +++++++++++++++++++++++++++------------------ sudo.h | 1 + sudoers.cat | 88 ++++++++++++++++++++++++++--------------------------- sudoers.man | 18 ++++++----- sudoers.pod | 4 --- visudo.c | 6 ++++ 9 files changed, 149 insertions(+), 122 deletions(-) diff --git a/INSTALL b/INSTALL index f8e755f42..0b4d98627 100644 --- a/INSTALL +++ b/INSTALL @@ -228,6 +228,12 @@ Special features/options: security hole as most editors allow a user to get a shell (which would be a root shell and hence, no logging). + --enable-noargs-shell + If sudo is invoked with no arguments it acts as if the "-s" flag had + been given. That is, it runs a shell as root (the shell is determined + by the SHELL environment variable, falling back on the shell listed + in the invoking user's /etc/passwd entry). + The following options are also configurable at runtime: --with-otp-only 
@@ -417,12 +423,6 @@ The following options are also configurable at runtime: --enable-log-host Log the hostname in the log file. - --enable-noargs-shell - If sudo is invoked with no arguments it acts as if the "-s" flag had - been given. That is, it runs a shell as root (the shell is determined - by the SHELL environment variable, falling back on the shell listed - in the invoking user's /etc/passwd entry). - --enable-shell-sets-home If sudo is invoked with the "-s" flag the HOME environment variable will be set to the home directory of the target user (which is root diff --git a/defaults.c b/defaults.c index 76d2dadf3..73ec7608c 100644 --- a/defaults.c +++ b/defaults.c @@ -165,9 +165,6 @@ struct sudo_defs_types sudo_defs_table[] = { }, { "log_year", T_FLAG, { 0 }, "Log the year in the (non-syslog) log file" - }, { - "shell_noargs", T_FLAG, { 0 }, - "If sudo is invoked with no arguments, start a shell" }, { "set_home", T_FLAG, { 0 }, "Set $HOME to the target user when starting a shell with -s" @@ -321,8 +318,9 @@ set_default(var, val, op) int op; /* TRUE or FALSE */ { struct sudo_defs_types *cur; + int num; - for (cur = sudo_defs_table; cur->name; cur++) { + for (cur = sudo_defs_table, num = 0; cur->name; cur++, num++) { if (strcmp(var, cur->name) == 0) break; } @@ -425,6 +423,10 @@ set_default(var, val, op) return(FALSE); } cur->sd_un.flag = op; + + /* Special action for I_FQDN. Move to own switch if we get more */ + if (num == I_FQDN && op) + set_fqdn(); break; } @@ -490,9 +492,6 @@ init_defaults() #ifdef HOST_IN_LOG def_flag(I_LOG_HOST) = TRUE; #endif -#ifdef SHELL_IF_NO_ARGS - def_flag(I_SHELL_NOARGS) = TRUE; -#endif #ifdef SHELL_SETS_HOME def_flag(I_SET_HOME) = TRUE; #endif 
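Review bot: The I_FQDN special case added in the second set_default() hunk runs only when `op` is true, so a later `!fqdn` entry clears the flag but leaves user_host and user_shost at whatever set_fqdn() resolved earlier. Code that reads those names afterwards (presumably host matching and logging) would then see values that disagree with the flag. If that is intended, say so next to the call, e.g. `/* NB: "!fqdn" does not restore the unqualified host name. */`. The call also makes parsing a Defaults line perform a gethostbyname() lookup, which is worth mentioning in the same comment. set_default() starts and ends outside these hunks.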
@@ -615,13 +614,19 @@ store_syslogfac(val, def, op) return(FALSE); /* not found */ /* Store both name and number. */ - if (def->sd_un.str) + if (def->sd_un.str) { free(def->sd_un.str); + closelog(); + } + openlog("sudo", 0, fac->num); def->sd_un.str = estrdup(fac->name); sudo_defs_table[I_LOGFAC].sd_un.ival = fac->num; #else - if (def->sd_un.str) + if (def->sd_un.str) { free(def->sd_un.str); + closelog(); + } + openlog("sudo", 0); def->sd_un.str = estrdup("default"); #endif /* LOG_NFACILITIES */ return(TRUE); diff --git a/defaults.h b/defaults.h index 502789ad8..79014851d 100644 --- a/defaults.h +++ b/defaults.h 
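Review bot: With the openlog() call removed from main() in sudo.c, syslog is initialised only when store_syslogfac() runs, so a log_error() issued before that would go out under syslog's implicit ident and facility rather than "sudo" and the configured one. Whether init_defaults() always routes the compiled-in facility through this function is not visible in the hunk; if it does not, audit records for early failures land somewhere unexpected. The function header should state the new responsibility, for example `/* Also (re)opens syslog; must run once from init_defaults() before anything is logged. */`. store_syslogfac() begins outside the hunk.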
@@ -103,32 +103,31 @@ struct sudo_defs_types { #define I_ROOT_SUDO 15 #define I_LOG_HOST 16 #define I_LOG_YEAR 17 -#define I_SHELL_NOARGS 18 -#define I_SET_HOME 19 -#define I_PATH_INFO 20 -#define I_FQDN 21 -#define I_INSULTS 22 -#define I_REQUIRETTY 23 +#define I_SET_HOME 18 +#define I_PATH_INFO 19 +#define I_FQDN 20 +#define I_INSULTS 21 +#define I_REQUIRETTY 22 /* Integer values */ -#define I_LOGLEN 24 /* wrap log file line after N chars */ -#define I_TS_TIMEOUT 25 /* timestamp stale after N minutes */ -#define I_PW_TIMEOUT 26 /* exit if pass not entered in N minutes */ -#define I_PW_TRIES 27 /* exit after N bad password tries */ -#define I_UMASK 28 /* umask to use or 0777 to use user's */ +#define I_LOGLEN 23 /* wrap log file line after N chars */ +#define I_TS_TIMEOUT 24 /* timestamp stale after N minutes */ +#define I_PW_TIMEOUT 25 /* exit if pass not entered in N minutes */ +#define I_PW_TRIES 26 /* exit after N bad password tries */ +#define I_UMASK 27 /* umask to use or 0777 to use user's */ /* Strings */ -#define I_LOGFILE 29 /* path to logfile (or NULL for none) */ -#define I_MAILERPATH 30 /* path to sendmail or other mailer */ -#define I_MAILERFLAGS 31 /* flags to pass to the mailer */ -#define I_MAILTO 32 /* who to send bitch mail to */ -#define I_MAILSUB 33 /* subject line of mail msg */ -#define I_BADPASS_MSG 34 /* what to say when passwd is wrong */ -#define I_TIMESTAMPDIR 35 /* path to timestamp dir */ -#define I_EXEMPT_GRP 36 /* no password or PATH override for these */ -#define I_PASSPROMPT 37 /* password prompt */ -#define I_RUNAS_DEF 38 /* default user to run commands as */ -#define I_SECURE_PATH 39 /* set $PATH to this if not NULL */ +#define I_LOGFILE 28 /* path to logfile (or NULL for none) */ +#define I_MAILERPATH 29 /* path to sendmail or other mailer */ +#define I_MAILERFLAGS 30 /* flags to pass to the mailer */ +#define I_MAILTO 31 /* who to send bitch mail to */ +#define I_MAILSUB 32 /* subject line of mail msg */ +#define I_BADPASS_MSG 
33 /* what to say when passwd is wrong */ +#define I_TIMESTAMPDIR 34 /* path to timestamp dir */ +#define I_EXEMPT_GRP 35 /* no password or PATH override for these */ +#define I_PASSPROMPT 36 /* password prompt */ +#define I_RUNAS_DEF 37 /* default user to run commands as */ +#define I_SECURE_PATH 38 /* set $PATH to this if not NULL */ /* * Macros for accessing sudo_defs_table. diff --git a/sudo.c b/sudo.c index 7ef1c3d88..c0d8120ea 100644 --- a/sudo.c +++ b/sudo.c @@ -217,15 +217,6 @@ main(argc, argv) /* Setup defaults data structures. */ init_defaults(); - /* Initialize syslog(3) if we are using it. */ - if (def_str(I_LOGFACSTR)) { -#ifdef LOG_NFACILITIES - openlog("sudo", 0, def_ival(I_LOGFAC)); -#else - openlog("sudo", 0); -#endif /* LOG_NFACILITIES */ - } - if (sudo_mode & MODE_SHELL) user_cmnd = "shell"; else @@ -293,6 +284,10 @@ main(argc, argv) exit(1); } + /* May need to set $HOME to target user. */ + if ((sudo_mode & MODE_SHELL) && def_flag(I_SET_HOME)) + sudo_mode |= MODE_RESET_HOME; + /* Bail if a tty is required and we don't have one. */ if (def_flag(I_REQUIRETTY)) { if ((fd = open(_PATH_TTY, O_RDWR|O_NOCTTY)) == -1) @@ -416,7 +411,6 @@ init_vars(sudo_mode) int sudo_mode; { char *p, thost[MAXHOSTNAMELEN]; - struct hostent *hp; /* Sanity check command from user. */ if (user_cmnd == NULL && strlen(NewArgv[0]) >= MAXPATHLEN) { 
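Review bot: The I_* indices in defaults.h are renumbered by hand, and defaults.c now compares a table position against one of them (`num == I_FQDN` in set_default()), so the macros and the order of sudo_defs_table[] have to stay in lockstep. A slip would make def_flag() read a neighbouring option, for instance I_REQUIRETTY resolving to a different entry, and the compiler would not notice. If the header does not already say so outside this hunk, add `/* Values must match the order of entries in sudo_defs_table[] (defaults.c). */` above the list.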
@@ -445,22 +439,17 @@ init_vars(sudo_mode) log_error(USE_ERRNO|MSG_ONLY, "can't get hostname"); } else user_host = estrdup(thost); - if (def_flag(I_FQDN)) { - if (!(hp = gethostbyname(user_host))) { - log_error(USE_ERRNO|MSG_ONLY|NO_EXIT, - "unable to lookup %s via gethostbyname()", user_host); + if (def_flag(I_FQDN)) + set_fqdn(); + else { + if ((p = strchr(user_host, '.'))) { + *p = '\0'; + user_shost = estrdup(user_host); + *p = '.'; } else { - free(user_host); - user_host = estrdup(hp->h_name); + user_shost = user_host; } } - if ((p = strchr(user_host, '.'))) { - *p = '\0'; - user_shost = estrdup(user_host); - *p = '.'; - } else { - user_shost = user_host; - } if ((p = ttyname(STDIN_FILENO)) || (p = ttyname(STDOUT_FILENO))) { if (strncmp(p, _PATH_DEV, sizeof(_PATH_DEV) - 1) == 0) @@ -549,12 +538,12 @@ parse_args() NewArgv = Argv + 1; NewArgc = Argc - 1; - if (Argc < 2) { /* no options and no command */ - if (!def_flag(I_SHELL_NOARGS)) - usage(1); +#ifdef SHELL_IF_NO_ARGS + if (NewArgc == 0) { /* no options and no command */ rval |= MODE_SHELL; return(rval); } +#endif while (NewArgc > 0 && NewArgv[0][0] == '-') { if (NewArgv[0][1] != '\0' && NewArgv[0][2] != '\0') { @@ -636,8 +625,6 @@ parse_args() if (excl && excl != 's') usage_excl(1); excl = 's'; - if (def_flag(I_SET_HOME)) - rval |= MODE_RESET_HOME; break; case 'H': rval |= MODE_RESET_HOME; @@ -645,8 +632,10 @@ parse_args() case '-': NewArgc--; NewArgv++; - if (def_flag(I_SHELL_NOARGS) && rval == MODE_RUN) +#ifdef SHELL_IF_NO_ARGS + if (rval == MODE_RUN) rval |= MODE_SHELL; +#endif return(rval); case '\0': (void) fprintf(stderr, "%s: '-' requires an argument\n", 
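Review bot: The `else` branch added to init_vars() repeats the strchr()/estrdup() short-name split that set_fqdn() already performs after its own `def_flag(I_FQDN)` test. Calling `set_fqdn();` unconditionally here would keep that logic in one place, so a later fix to it cannot miss this copy. This assumes user_shost is still NULL on the first call, because set_fqdn() frees it when it differs from user_host. That initialisation is outside the hunk.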
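Review bot: When SHELL_IF_NO_ARGS is not defined, the rewritten no-argument check in parse_args() no longer calls usage(1), so a bare `sudo` falls through with NewArgc == 0. The init_vars() context in this patch shows `strlen(NewArgv[0])` evaluated when user_cmnd is NULL, which would dereference a null pointer in a setuid program unless a check outside these hunks rejects the empty command first. Keep the old behaviour by adding `#else` and `if (NewArgc == 0) usage(1);` before the `#endif`. The `--` case in the last parse_args() hunk has the same shape: without the macro it returns MODE_RUN with possibly no command left. parse_args() continues outside the hunks.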
@@ -1038,6 +1027,35 @@ initial_setup() #endif /* POSIX_SIGNALS */ } +/* + * Look up the fully qualified domain name and set user_host and user_shost. + */ +void +set_fqdn() +{ + struct hostent *hp; + char *p; + + if (def_flag(I_FQDN)) { + if (!(hp = gethostbyname(user_host))) { + log_error(USE_ERRNO|MSG_ONLY|NO_EXIT, + "unable to lookup %s via gethostbyname()", user_host); + } else { + free(user_host); + user_host = estrdup(hp->h_name); + } + } + if (user_shost != user_host) + free(user_shost); + if ((p = strchr(user_host, '.'))) { + *p = '\0'; + user_shost = estrdup(user_host); + *p = '.'; + } else { + user_shost = user_host; + } +} + /* * Tell which options are mutually exclusive and exit. */ diff --git a/sudo.h b/sudo.h index 3bd5d69e0..528c44c63 100644 --- a/sudo.h +++ b/sudo.h @@ -193,6 +193,7 @@ void dump_defaults __P((void)); void dump_auth_methods __P((void)); int lock_file __P((int, int)); int touch __P((char *, time_t)); +void set_fqdn __P((void)); YY_DECL; /* Only provide extern declarations outside of sudo.c. */ diff --git a/sudoers.cat b/sudoers.cat index 0dbcd5844..d6c3b8978 100644 --- a/sudoers.cat +++ b/sudoers.cat @@ -61,7 +61,7 @@ DDDDEEEESSSSCCCCRRRRIIIIPPPPTTTTIIIIOOOONNNN -28/Nov/1999 1.6 1 +2/Dec/1999 1.6 1 @@ -127,7 +127,7 @@ sudoers(5) FILE FORMATS sudoers(5) -28/Nov/1999 1.6 2 +2/Dec/1999 1.6 2 @@ -193,7 +193,7 @@ sudoers(5) FILE FORMATS sudoers(5) -28/Nov/1999 1.6 3 +2/Dec/1999 1.6 3 @@ -259,7 +259,7 @@ sudoers(5) FILE FORMATS sudoers(5) -28/Nov/1999 1.6 4 +2/Dec/1999 1.6 4 @@ -268,10 +268,6 @@ sudoers(5) FILE FORMATS sudoers(5) sudoers(5) FILE FORMATS sudoers(5) - shell_noargs - If sudo is invoked with no arguments, start a - shell - set_home Set $HOME to the target user when starting a shell with -s @@ -322,10 +318,14 @@ sudoers(5) FILE FORMATS sudoers(5) syslog_goodpri Syslog priority to use when user authenticates + successfully + + syslog_badpri + Syslog priority to use when user authenticates -28/Nov/1999 1.6 5 +2/Dec/1999 1.6 5 
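Review bot: set_fqdn() can free the same buffer twice when the short and long host names share storage. init_vars() leaves `user_shost = user_host` for a hostname without a dot. If "fqdn" is then enabled from sudoers, the successful-lookup branch does `free(user_host)` and replaces it, after which `user_shost != user_host` is true and `free(user_shost)` releases the old buffer again. In a setuid program that is heap corruption reachable from an ordinary configuration. Release the short name first: move `if (user_shost != user_host) free(user_shost);` to the top of the function, follow it with `user_shost = NULL;`, and only then run the gethostbyname() block.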
@@ -334,10 +334,6 @@ sudoers(5) FILE FORMATS sudoers(5) sudoers(5) FILE FORMATS sudoers(5) - successfully - - syslog_badpri - Syslog priority to use when user authenticates unsuccessfully SSSSttttrrrriiiinnnnggggssss tttthhhhaaaatttt ccccaaaannnn bbbbeeee uuuusssseeeedddd iiiinnnn aaaa bbbboooooooolllleeeeaaaannnn ccccoooonnnntttteeeexxxxtttt: @@ -388,10 +384,14 @@ sudoers(5) FILE FORMATS sudoers(5) A Runas_Spec is simply a Runas_List (as defined above) enclosed in a set of parentheses. If you do not specify a + Runas_Spec in the user specification, a default Runas_Spec + of rrrrooooooootttt will be used. A Runas_Spec sets the default for + commands that follow it. What this means is that for the + entry: -28/Nov/1999 1.6 6 +2/Dec/1999 1.6 6 @@ -400,11 +400,6 @@ sudoers(5) FILE FORMATS sudoers(5) sudoers(5) FILE FORMATS sudoers(5) - Runas_Spec in the user specification, a default Runas_Spec - of rrrrooooooootttt will be used. A Runas_Spec sets the default for - commands that follow it. What this means is that for the - entry: - dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/who The user ddddggggbbbb may run _/_b_i_n_/_l_s, _/_b_i_n_/_k_i_l_l, and _/_u_s_r_/_b_i_n_/_l_p_r_m @@ -453,24 +448,23 @@ sudoers(5) FILE FORMATS sudoers(5) [...] Matches any character in the specified range. + [!...] Matches any character nnnnooootttt in the specified range. + \x For any character "x", evaluates to "x". This is + used to escape special characters such as: "*", + "?", "[", and "}". -28/Nov/1999 1.6 7 +2/Dec/1999 1.6 7 -sudoers(5) FILE FORMATS sudoers(5) +sudoers(5) FILE FORMATS sudoers(5) - [!...] Matches any character nnnnooootttt in the specified range. - - \x For any character "x", evaluates to "x". This is - used to escape special characters such as: "*", - "?", "[", and "}". Note that a forward slash ('/') will nnnnooootttt be matched by wildcards used in the pathname. When matching the command 
@@ -521,20 +515,22 @@ sudoers(5) FILE FORMATS sudoers(5) syntactic characters in a _U_s_e_r _S_p_e_c_i_f_i_c_a_t_i_o_n ('=', ':', '(', ')') is optional. + The following characters must be escaped with a backslash + ('\') when used as part of a word (eg. a username or + hostname): '@', '!', '=', ':', ',', '(', ')', '\'. -28/Nov/1999 1.6 8 +2/Dec/1999 1.6 8 -sudoers(5) FILE FORMATS sudoers(5) - The following characters must be escaped with a backslash - ('\') when used as part of a word (eg. a username or - hostname): '@', '!', '=', ':', ',', '(', ')', '\'. + +sudoers(5) FILE FORMATS sudoers(5) + EEEEXXXXAAAAMMMMPPPPLLLLEEEESSSS Below are example _s_u_d_o_e_r_s entries. Admittedly, some of @@ -587,19 +583,20 @@ EEEEXXXXAAAAMMMMPPPPLLLLEEEESSSS Defaults:millert !authenticate Defaults@SERVERS log_year, logfile=/var/log/sudo.log + The _U_s_e_r _s_p_e_c_i_f_i_c_a_t_i_o_n is the part that actually + determines who may run what. -28/Nov/1999 1.6 9 +2/Dec/1999 1.6 9 -sudoers(5) FILE FORMATS sudoers(5) - The _U_s_e_r _s_p_e_c_i_f_i_c_a_t_i_o_n is the part that actually - determines who may run what. +sudoers(5) FILE FORMATS sudoers(5) + root ALL = (ALL) ALL %wheel ALL = (ALL) ALL @@ -652,21 +649,21 @@ sudoers(5) FILE FORMATS sudoers(5) assumes _p_a_s_s_w_d(1) does not take multiple usernames on the command line. + bob SPARC = (OP) ALL : SGI = (OP) ALL + The user bbbboooobbbb may run anything on the _S_P_A_R_C and _S_G_I -28/Nov/1999 1.6 10 +2/Dec/1999 1.6 10 -sudoers(5) FILE FORMATS sudoers(5) +sudoers(5) FILE FORMATS sudoers(5) - bob SPARC = (OP) ALL : SGI = (OP) ALL - The user bbbboooobbbb may run anything on the _S_P_A_R_C and _S_G_I machines as any user listed in the _O_P Runas_Alias (rrrrooooooootttt and ooooppppeeeerrrraaaattttoooorrrr). 
@@ -718,19 +715,20 @@ sudoers(5) FILE FORMATS sudoers(5) On the host www, any user in the _W_E_B_M_A_S_T_E_R_S User_Alias (will, wendy, and wim), may run any command as user www + (which owns the web pages) or simply _s_u(1) to www. -28/Nov/1999 1.6 11 +2/Dec/1999 1.6 11 -sudoers(5) FILE FORMATS sudoers(5) - (which owns the web pages) or simply _s_u(1) to www. +sudoers(5) FILE FORMATS sudoers(5) + ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\ /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM @@ -787,7 +785,9 @@ SSSSEEEEEEEE AAAALLLLSSSSOOOO -28/Nov/1999 1.6 12 + + +2/Dec/1999 1.6 12 @@ -853,6 +853,6 @@ sudoers(5) FILE FORMATS sudoers(5) -28/Nov/1999 1.6 13 +2/Dec/1999 1.6 13 diff --git a/sudoers.man b/sudoers.man index 7f9164d18..3f043bfc8 100644 --- a/sudoers.man +++ b/sudoers.man @@ -2,8 +2,14 @@ ''' $RCSfile$$Revision$$Date$ ''' ''' $Log$ -''' Revision 1.16 1999/11/29 01:57:04 millert -''' fix some syntactic goofs +''' Revision 1.17 1999/12/02 20:31:24 millert +''' o Kill shell_noargs option, it cannot work since the command needs to +''' be set before sudoers is parsed. +''' o Fix the "set_home" sudoers option (only worked at compile time). +''' o Fix "fqdn" sudoers option. We now set host/shost via set_fqdn which +''' gets called when the "fqdn" option is set in sudoers. +''' o Move the openlog() to store_syslogfac() so this gets overridden +''' correctly from the sudoers file. ''' ''' .de Sh @@ -96,7 +102,7 @@ .nr % 0 .rr F .\} -.TH sudoers 5 "1.6" "28/Nov/1999" "FILE FORMATS" +.TH sudoers 5 "1.6" "2/Dec/1999" "FILE FORMATS" .UC .if n .hy 0 .if n .na @@ -399,8 +405,6 @@ Root may run sudo Log the hostname in the (non-syslog) log file .Ip "log_year" 12 Log the year in the (non-syslog) log file -.Ip "shell_noargs" 12 -If sudo is invoked with no arguments, start a shell .Ip "set_home" 12 Set \f(CW$HOME\fR to the target user when starting a shell with \f(CW-s\fR .Ip "path_info" 12 
@@ -847,8 +851,6 @@ will not run with a syntactically incorrect \fIsudoers\fR file. .IX Item "log_year" -.IX Item "shell_noargs" - .IX Item "set_home" .IX Item "path_info" @@ -915,7 +917,7 @@ will not run with a syntactically incorrect \fIsudoers\fR file. .IX Subsection "Exceptions to wildcard rules:" -.IX Item "\f(CW""\fR" +.IX Item \f(CW""\fR .IX Subsection "Other special characters and reserved words:" diff --git a/sudoers.pod b/sudoers.pod index 3dfb773c4..2a1effc98 100644 --- a/sudoers.pod +++ b/sudoers.pod @@ -269,10 +269,6 @@ Log the hostname in the (non-syslog) log file Log the year in the (non-syslog) log file -=item shell_noargs - -If sudo is invoked with no arguments, start a shell - =item set_home Set $HOME to the target user when starting a shell with C<-s> diff --git a/visudo.c b/visudo.c index f644fee20..f4bf564ad 100644 --- a/visudo.c +++ b/visudo.c @@ -407,6 +407,12 @@ netgr_matches(n, h, u) return(TRUE); } +void +set_fqdn() +{ + return; +} + /* * Assuming a parse error occurred, prompt the user for what they want * to do now. Returns the first letter of their choice. -- 2.40.0
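Review bot: The empty set_fqdn() added to visudo.c has no comment explaining why it exists, and the block comment that follows it belongs to the next function. A reader could mistake the stub for an unfinished implementation. Add a header such as `/* Stub: set_default() in defaults.c calls set_fqdn(); visudo only checks syntax and needs no host lookup. */`. The neighbouring netgr_matches() appears to be a similar stub and could carry the same wording.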