From 4f6f75ae35a931f58160abd7f70c2d0946ef115e Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Mon, 5 Apr 1999 20:28:16 +0000 Subject: [PATCH] Make runas and NOPASSWD tags persistent across entris in a command list. Add a PASSWD tag to reverse NOPASSWD. When you override a runas or *PASSWD tag the value given becomes the new default for the rest of the command list. --- parse.lex | 6 ++++++ parse.yacc | 56 ++++++++++++++++++++++++++++++++++++------------------ 2 files changed, 44 insertions(+), 18 deletions(-) diff --git a/parse.lex b/parse.lex index 6adfbc0aa..b99f7d929 100644 --- a/parse.lex +++ b/parse.lex @@ -157,6 +157,12 @@ NOPASSWD[[:blank:]]*: { return(NOPASSWD); } +PASSWD[[:blank:]]*: { + /* cmnd requires passwd for this user */ + LEXTRACE("PASSWD "); + return(PASSWD); + } + \+{WORD} { /* netgroup */ fill(yytext, yyleng); diff --git a/parse.yacc b/parse.yacc index caa0c633d..0081780f0 100644 --- a/parse.yacc +++ b/parse.yacc @@ -102,6 +102,20 @@ int top = 0, stacksize = 0; top++; \ } +#define pushcp \ + { \ + if (top >= stacksize) { \ + while ((stacksize += STACKINCREMENT) < top); \ + match = (struct matchstack *) erealloc(match, sizeof(struct matchstack) * stacksize); \ + } \ + match[top].user = match[top-1].user; \ + match[top].cmnd = match[top-1].cmnd; \ + match[top].host = match[top-1].host; \ + match[top].runas = match[top-1].runas; \ + match[top].nopass = match[top-1].nopass; \ + top++; \ + } + #define pop \ { \ if (top == 0) \ @@ -171,7 +185,8 @@ void yyerror(s) %token USERGROUP /* a usergroup (%NAME) */ %token NAME /* a mixed-case name */ %token RUNAS /* a mixed-case runas name */ -%token NOPASSWD /* no passwd req for command*/ +%token NOPASSWD /* no passwd req for command */ +%token PASSWD /* passwd req for command (default) */ %token COMMAND /* an absolute pathname */ %token COMMENT /* comment and/or carriage return */ %token ALL /* ALL keyword */ 
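Review bot: `pushcp` reads `match[top-1]` without checking that `top` is non-zero, so an invocation on an empty stack would copy from before the start of `match`. The neighbouring `pop` macro already tests `top == 0`, and the same kind of guard belongs ahead of the copies here, for example `if (top == 0) yyerror("matching stack underflow");`. Failing that, a comment should state the invariant that a plain `push` always precedes `pushcp`; whether that invariant holds depends on grammar actions outside this hunk. As a style point, the macro is a bare `{ ... }` block like `push`, so `if (c) pushcp; else ...` would not parse, and wrapping the body in `do { ... } while (0)` avoids that.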
@@ -268,20 +283,11 @@ cmndspeclist : cmndspec cmndspec : { /* Push a new entry onto the stack if needed */ if (user_matches == TRUE && host_matches == TRUE && - cmnd_matches != -1 && runas_matches == TRUE) { - push; - user_matches = TRUE; - host_matches = TRUE; - } else { - cmnd_matches = -1; - runas_matches = -1; - no_passwd = -1; - } + cmnd_matches != -1 && runas_matches == TRUE) + pushcp; + cmnd_matches = -1; } runasspec nopasswd opcmnd { - if ($2 > 0) - runas_matches = TRUE; - if ($3 == TRUE) - no_passwd = TRUE; + /* XXX - test runas_matches and cmnd_matches instead? */ if (($2 == -1 || $4 == -1) && printmatches == TRUE) { cm_list[cm_list_len].runas_len = 0; cm_list[cm_list_len].cmnd_len = 0; @@ -315,10 +321,18 @@ opcmnd : cmnd { ; } ; runasspec : /* empty */ { - $$ = (strcmp(RUNAS_DEFAULT, runas_user) == 0); + /* + * If this is the first entry in a command list + * then check against RUNAS_DEFAULT. + */ + if (runas_matches == -1) + runas_matches = + (strcmp(RUNAS_DEFAULT, runas_user) == 0); + $$ = runas_matches; } | RUNAS runaslist { - $$ = $2; + runas_matches = ($2 > 0); + $$ = runas_matches; } ; @@ -411,14 +425,20 @@ runasuser : NAME { ; nopasswd : /* empty */ { - $$ = FALSE; + ; } | NOPASSWD { - $$ = TRUE; + no_passwd = $$ = TRUE; if (printmatches == TRUE && host_matches == TRUE && user_matches == TRUE) cm_list[cm_list_len].nopasswd = TRUE; } + | PASSWD { + no_passwd = $$ = FALSE; + if (printmatches == TRUE && host_matches == TRUE && + user_matches == TRUE) + cm_list[cm_list_len].nopasswd = FALSE; + } ; cmnd : ALL { -- 2.50.1
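Review bot: The mid-rule action in `cmndspec` no longer resets `runas_matches` or `no_passwd`. The removed else-branch was the only place in this hunk that set them back to -1, and the new code clears `cmnd_matches` alone. That is what lets the tags persist inside one command list, but nothing visible in this patch returns them to -1 when the next command list or privilege begins, so a `NOPASSWD` or runas match could carry over into an unrelated entry. If the reset lives in a rule outside these hunks, record it here with a comment such as `/* runas_matches and no_passwd are reset when the privilege ends */`; if it does not, it needs adding. The rule body continues past the end of the hunk.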
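Review bot: In the `RUNAS runaslist` alternative, `runas_matches = ($2 > 0)` folds any -1 result from `runaslist` into 0, so `$$` from that branch is only ever 0 or 1. If `runaslist` can yield -1 (the retained test suggests it can), the `$2 == -1` check kept in `cmndspec` under the XXX comment can no longer fire for an explicit runas list. The `cm_list[...].runas_len = 0` / `cmnd_len = 0` reset it guards would then be skipped on that path. Either test `runas_matches` and `cmnd_matches` there, as the XXX comment proposes, or keep the sign for the caller with `$$ = $2; runas_matches = ($2 > 0);`.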
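Review bot: Making the tag persistent changes what existing sudoers lines mean, and the patch carries no documentation for it. Going by the commit message, in `NOPASSWD: cmd1, cmd2` the second command used to require a password and now inherits the tag, which silently widens password-free access after an upgrade. The diffstat lists only parse.lex and parse.yacc, so the manual text and an upgrade note covering the new default and the `PASSWD:` override are still needed. Separately, the empty alternative now leaves `$$` unset and does not touch `cm_list[cm_list_len].nopasswd`, so the `printmatches` listing may not show an inherited tag unless `cm_list` entries are seeded elsewhere. A comment on the bare `;` such as `/* no tag: no_passwd keeps the value inherited from the previous entry */` would make that intent explicit.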