From 622b7a1d97202ff76b6deb7c21c36e4c18079d34 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Wed, 7 Apr 1999 23:18:52 +0000
Subject: [PATCH] You can now specifiy a host list instead of just a host or alias. Ie: user = host1,host2,ALIAS,!host3 my_command now works.
---
 parse.yacc | 2 +-
 sudo.tab.c | 120 +++++++++++++++++++++++++-------------------------
 sudo.tab.h | 24 +++++++++++
 sudoers.cat | 66 ++++++++++++++--------------
 sudoers.html | 5 +--
 sudoers.man | 15 +++----
 sudoers.pod | 5 +--
 7 files changed, 127 insertions(+), 110 deletions(-)
 create mode 100644 sudo.tab.h
diff --git a/parse.yacc b/parse.yacc
index 34bef0bfc..b537b81ec 100644
--- a/parse.yacc
+++ b/parse.yacc
@@ -230,7 +230,7 @@ privileges : privilege
 | privileges ':' privilege
 ;
-privilege : hostspec '=' cmndspeclist {
+privilege : hostlist '=' cmndspeclist {
 /*
 * We already did a push if necessary in
 * cmndspec so just reset some values so
diff --git a/sudo.tab.c b/sudo.tab.c
index e0e2e15fe..e040635b6 100644
--- a/sudo.tab.c
+++ b/sudo.tab.c
@@ -213,11 +213,11 @@ typedef union { #define YYERRCODE 256 short yylhs[] = { -1, 0, 0, 3, 3, 5, 3, 3, 3, 3, 3, - 6, 6, 11, 14, 15, 14, 12, 12, 12, 12, - 12, 12, 13, 13, 16, 2, 19, 2, 17, 17, - 20, 20, 21, 23, 21, 22, 22, 22, 22, 22, - 18, 18, 18, 1, 1, 1, 8, 8, 25, 24, - 26, 26, 9, 9, 28, 27, 29, 29, 10, 10, + 6, 6, 11, 14, 16, 14, 15, 15, 15, 15, + 15, 15, 13, 13, 17, 2, 20, 2, 18, 18, + 21, 21, 22, 24, 22, 23, 23, 23, 23, 23, + 19, 19, 19, 1, 1, 1, 8, 8, 26, 25, + 12, 12, 9, 9, 28, 27, 29, 29, 10, 10, 31, 30, 7, 7, 33, 32, 34, 34, 35, 36, 35, 4, 4, 4, 4, 4, };
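Review bot: The `privilege` rule now takes `hostlist`, but neither the rule nor the visible start of its action says how a list mixing positive entries and `!` negations is resolved (the commit message's own example is `host1,host2,ALIAS,!host3`), and the action body continues outside the hunk, so the precedence cannot be confirmed here. Because a wrong precedence would allow a command on a host the administrator meant to exclude, the rule deserves a comment stating the intended semantics, for example `/* hostlist: comma-separated [!]hostspec entries; a later entry overrides an earlier match, so "ALL,!host3" excludes host3 */`, adjusted to whatever the action actually implements. The regenerated sudo.tab.c and sudo.tab.h hunks follow mechanically from this grammar change and need no separate review. Separately, the sudoers.pod hunk (and the man, html and cat renderings derived from it) removes the `host_type ::=` definition without adding a `host-list ::=` line, so unless `host-list` is already defined elsewhere in sudoers.pod, the documented grammar now references an undefined term.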
@@ -236,62 +236,62 @@ short yydefred[] = { 0, 49, 0, 47, 55, 0, 53, 65, 0, 63, 61, 0, 59, 2, 75, 74, 73, 72, 76, 0, 0, 0, 0, 0, 0, 0, 0, 0, 22, 18, 21, - 19, 20, 17, 0, 11, 0, 0, 48, 0, 54, - 0, 64, 0, 60, 0, 0, 15, 14, 51, 0, - 45, 46, 44, 27, 26, 57, 0, 70, 69, 0, - 67, 39, 38, 37, 36, 40, 34, 0, 31, 33, - 12, 0, 0, 23, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 42, 43, 0, 16, 52, + 19, 20, 17, 15, 0, 11, 0, 51, 14, 0, + 48, 0, 54, 0, 64, 0, 60, 0, 0, 0, + 0, 0, 45, 46, 44, 27, 26, 57, 0, 70, + 69, 0, 67, 39, 38, 37, 36, 40, 34, 0, + 31, 33, 16, 12, 0, 0, 23, 0, 52, 0, + 0, 0, 0, 0, 0, 0, 0, 42, 43, 0, 28, 58, 71, 68, 35, 32, 24, 25, }; short yydgoto[] = { 7, - 65, 66, 8, 69, 9, 44, 18, 12, 15, 21, - 45, 58, 83, 59, 86, 84, 85, 98, 88, 78, - 79, 80, 92, 13, 30, 60, 16, 32, 67, 22, - 36, 19, 34, 70, 71, 90, + 67, 68, 8, 71, 9, 45, 18, 12, 15, 21, + 46, 47, 86, 48, 49, 58, 87, 88, 100, 90, + 80, 81, 82, 94, 13, 30, 16, 32, 69, 22, + 36, 19, 34, 72, 73, 92, }; -short yysindex[] = { -250, - -264, 0, -246, -234, -230, -215, -250, 0, -252, 0, - 0, -51, 0, 0, -12, 0, 0, -8, 0, 0, - -5, 0, 0, 0, 0, 0, 0, 0, -221, -7, - -246, -6, -234, -4, -230, -3, -215, 0, 0, 0, - 0, 0, 0, 2, 0, 3, -33, 0, -2, 0, - -29, 0, -20, 0, -221, -207, 0, 0, 0, 17, - 0, 0, 0, 0, 0, 0, 19, 0, 0, 21, - 0, 0, 0, 0, 0, 0, 0, 22, 0, 0, - 0, -20, 23, 0, -239, -33, -33, -2, -2, -29, - -29, -20, -20, 22, -207, 0, 0, -2, 0, 0, +short yysindex[] = { -247, + -262, 0, -242, -223, -216, -215, -247, 0, -254, 0, + 0, -37, 0, 0, -15, 0, 0, -13, 0, 0, + -12, 0, 0, 0, 0, 0, 0, 0, -33, -14, + -242, -11, -223, -10, -216, -8, -215, 0, 0, 0, + 0, 0, 0, 0, -9, 0, -42, 0, 0, -33, + 0, -2, 0, -29, 0, -20, 0, -33, -33, -209, + -33, 4, 0, 0, 0, 0, 0, 0, 11, 0, + 0, 12, 0, 0, 0, 0, 0, 0, 0, 13, + 0, 0, 0, 0, -20, 14, 0, -236, 0, -2, + -2, -29, -29, -20, -20, 13, -209, 0, 0, -2, 0, 0, 0, 0, 0, 0, 0, 0, }; -short yyrindex[] = { -217, - 0, 0, 0, 0, 0, 0, -217, 0, 0, 0, +short yyrindex[] = { -224, + 0, 0, 0, 0, 0, 0, -224, 0, 0, 0, 0, 
86, 0, 0, 103, 0, 0, 120, 0, 0, 137, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 154, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, -21, 0, 0, 0, 1, - 0, 0, 0, 0, 0, 0, 18, 0, 0, 35, - 0, 0, 0, 0, 0, 0, 0, 52, 0, 0, - 0, 0, 69, 0, -1, 0, 0, 0, 0, 0, - 0, 0, 0, 163, -21, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 154, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, -21, + 0, 1, 0, 0, 0, 0, 0, 0, 18, 0, + 0, 35, 0, 0, 0, 0, 0, 0, 0, 52, + 0, 0, 0, 0, 0, 69, 0, -1, 0, 0, + 0, 0, 0, 0, 0, 163, -21, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, }; short yygindex[] = { 0, - 0, -74, 55, 59, 0, 0, 0, 0, 0, 0, - 15, -27, 0, -57, 0, -24, 0, 0, 0, -10, - -59, 0, 0, 42, 0, 0, 41, 0, 0, 38, - 0, 43, 0, 0, -42, 0, + 0, -74, 53, 54, 0, 0, 0, 0, 0, 0, + 2, 15, 0, -31, 0, 0, -35, 0, 0, 0, + -19, -84, 0, 0, 33, 0, 34, 0, 0, 31, + 0, 36, 0, 0, -53, 0, }; #define YYTABLESIZE 431 -short yytable[] = { 57, - 50, 46, 10, 68, 24, 1, 31, 25, 26, 27, - 11, 29, 77, 101, 102, 28, 2, 56, 3, 4, - 5, 6, 14, 108, 96, 97, 17, 46, 99, 100, - 64, 41, 105, 106, 66, 38, 39, 40, 41, 5, - 42, 20, 5, 5, 5, 33, 43, 103, 104, 35, - 5, 62, 37, 47, 49, 82, 51, 53, 50, 55, - 87, 23, 89, 56, 91, 93, 95, 29, 13, 81, - 107, 94, 48, 50, 54, 56, 0, 52, 0, 0, +short yytable[] = { 44, + 50, 61, 24, 70, 10, 25, 26, 27, 1, 105, + 106, 29, 79, 28, 11, 101, 102, 56, 60, 2, + 31, 3, 4, 5, 6, 108, 83, 98, 99, 89, + 66, 41, 5, 14, 66, 5, 5, 5, 103, 104, + 17, 20, 33, 5, 35, 37, 50, 61, 59, 52, + 54, 62, 56, 85, 91, 93, 95, 97, 50, 23, + 84, 107, 29, 51, 62, 96, 53, 57, 13, 0, + 55, 0, 0, 0, 0, 56, 0, 0, 0, 0, 0, 0, 0, 0, 0, 8, 0, 0, 0, 0, 0, 0, 66, 0, 0, 0, 0, 0, 0, 0, 0, 0, 9, 0, 0, 0, 0, 0, 0, 62, 
@@ -307,10 +307,10 @@ short yytable[] = { 57, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 38, 39, 40, 41, 24, 42, 0, - 25, 26, 27, 0, 43, 29, 72, 0, 28, 73, - 74, 75, 29, 29, 29, 0, 29, 76, 0, 0, - 0, 0, 0, 0, 61, 41, 50, 50, 0, 0, - 50, 50, 50, 62, 41, 63, 41, 50, 50, 50, + 25, 26, 27, 0, 43, 29, 74, 0, 28, 75, + 76, 77, 29, 29, 29, 0, 29, 78, 0, 0, + 0, 0, 0, 0, 63, 41, 50, 50, 0, 0, + 50, 50, 50, 64, 41, 65, 41, 50, 50, 50, 50, 50, 50, 56, 56, 0, 0, 56, 56, 56, 0, 0, 0, 0, 56, 56, 56, 56, 56, 56, 66, 66, 0, 0, 66, 66, 66, 0, 0, 0, @@ -330,14 +330,14 @@ short yytable[] = { 57, 30, }; short yycheck[] = { 33, - 0, 29, 267, 33, 257, 256, 58, 260, 261, 262, - 257, 33, 33, 88, 89, 268, 267, 0, 269, 270, - 271, 272, 257, 98, 264, 265, 257, 55, 86, 87, - 33, 33, 92, 93, 0, 257, 258, 259, 260, 257, - 262, 257, 260, 261, 262, 58, 268, 90, 91, 58, - 268, 0, 58, 61, 61, 263, 61, 61, 58, 58, - 44, 7, 44, 61, 44, 44, 44, 9, 0, 55, - 95, 82, 31, 33, 37, 58, -1, 35, -1, -1, + 0, 44, 257, 33, 267, 260, 261, 262, 256, 94, + 95, 33, 33, 268, 257, 90, 91, 0, 61, 267, + 58, 269, 270, 271, 272, 100, 58, 264, 265, 61, + 33, 33, 257, 257, 0, 260, 261, 262, 92, 93, + 257, 257, 58, 268, 58, 58, 61, 44, 58, 61, + 61, 0, 61, 263, 44, 44, 44, 44, 58, 7, + 59, 97, 9, 31, 50, 85, 33, 37, 0, -1, + 35, -1, -1, -1, -1, 58, -1, -1, -1, -1, -1, -1, -1, -1, -1, 0, -1, -1, -1, -1, -1, -1, 58, -1, -1, -1, -1, -1, -1, -1, -1, -1, 0, -1, -1, -1, -1, -1, -1, 58, @@ -407,7 +407,7 @@ char *yyrule[] = { "entry : RUNASALIAS runasaliases", "privileges : privilege", "privileges : privileges ':' privilege", -"privilege : hostspec '=' cmndspeclist", +"privilege : hostlist '=' cmndspeclist", "ophostspec : hostspec", "$$2 :", "ophostspec : '!' $$2 ophostspec", diff --git a/sudo.tab.h b/sudo.tab.h new file mode 100644 index 000000000..a9aff54b4 --- /dev/null +++ b/sudo.tab.h 
@@ -0,0 +1,24 @@ +#define ALIAS 257 +#define NTWKADDR 258 +#define FQHOST 259 +#define NETGROUP 260 +#define USERGROUP 261 +#define NAME 262 +#define RUNAS 263 +#define NOPASSWD 264 +#define PASSWD 265 +#define COMMAND 266 +#define COMMENT 267 +#define ALL 268 +#define HOSTALIAS 269 +#define CMNDALIAS 270 +#define USERALIAS 271 +#define RUNASALIAS 272 +#define ERROR 273 +typedef union { + char *string; + int BOOLEAN; + struct sudo_command command; + int tok; +} YYSTYPE; +extern YYSTYPE yylval; diff --git a/sudoers.cat b/sudoers.cat index 7bc47369f..207b6cfff 100644 --- a/sudoers.cat +++ b/sudoers.cat @@ -24,11 +24,8 @@ DDDDEEEESSSSCCCCRRRRIIIIPPPPTTTTIIIIOOOONNNN user access_group [: access_group] ... - access_group ::= host_type = [(runas-list)] [NOPASSWD:] [op]cmnd_type + access_group ::= host-list = [(runas-list)] [NOPASSWD:] [op]cmnd_type [,[(user-list)] [NOPASSWD|PASSWD:] [op]cmnd_type] ... - host_type ::= a lower-case hostname, netgroup, ip address, - network number, network number/netmask, - or host alias. cmnd_type ::= a command OR a command alias. op ::= the logical "!" NOT operator. @@ -57,23 +54,21 @@ DDDDEEEESSSSCCCCRRRRIIIIPPPPTTTTIIIIOOOONNNN of these. + rrrruuuunnnnaaaassss aaaalllliiiiaaaassss sssseeeeccccttttiiiioooonnnn ffffoooorrrrmmmmaaaatttt:::: - - -6/Apr/99 1.6 1 + Runas_Alias RUNASALIAS = runas-list +7/Apr/99 1.6 1 -sudoers(5) FILE FORMATS sudoers(5) - rrrruuuunnnnaaaassss aaaalllliiiiaaaassss sssseeeeccccttttiiiioooonnnn ffffoooorrrrmmmmaaaatttt:::: +sudoers(5) FILE FORMATS sudoers(5) - Runas_Alias RUNASALIAS = runas-list Runas_Alias ::= a keyword. RUNASALIAS ::= an upper-case alias name. 
@@ -124,10 +119,15 @@ sudoers(5) FILE FORMATS sudoers(5) an _a_c_c_e_s_s___g_r_o_u_p. For example given: oper bigserver = NOPASSWD: /usr/bin/kill, /bin/rm, /bin/rmdir User oper will be able to run /usr/bin/kill, + /bin/rm, and /bin/rmdir as rrrrooooooootttt without a password. If we + change that to: + oper bigserver = NOPASSWD: /usr/bin/kill, PASSWD: + /bin/rm, /bin/rmdir User oper can still run /usr/bin/kill + without a password but must give a password to run /bin/rm -6/Apr/99 1.6 2 +7/Apr/99 1.6 2 @@ -136,11 +136,6 @@ sudoers(5) FILE FORMATS sudoers(5) sudoers(5) FILE FORMATS sudoers(5) - /bin/rm, and /bin/rmdir as rrrrooooooootttt without a password. If we - change that to: - oper bigserver = NOPASSWD: /usr/bin/kill, PASSWD: - /bin/rm, /bin/rmdir User oper can still run /usr/bin/kill - without a password but must give a password to run /bin/rm and /bin/rmdir. wwwwiiiillllddddccccaaaarrrrddddssss ((((aaaakkkkaaaa mmmmeeeettttaaaa cccchhhhaaaarrrraaaacccctttteeeerrrrssss)))):::: @@ -191,9 +186,14 @@ sudoers(5) FILE FORMATS sudoers(5) elements from the universe by using the syntax: user host=ALL,!ALIAS1,!/sbin/halt... + Commands may have optional command line arguments. If + they do, then the arguments in the _s_u_d_o_e_r_s file must + exactly match those on the command line. It is also + possible to have a command's arguments span multiple lines + -6/Apr/99 1.6 3 +7/Apr/99 1.6 3 @@ -202,10 +202,6 @@ sudoers(5) FILE FORMATS sudoers(5) sudoers(5) FILE FORMATS sudoers(5) - Commands may have optional command line arguments. If - they do, then the arguments in the _s_u_d_o_e_r_s file must - exactly match those on the command line. It is also - possible to have a command's arguments span multiple lines as long as the line continuance character "\" is used. The following characters must be escaped with a "\" if used in command arguments: ",", ":", "=", "\". 
@@ -256,10 +252,14 @@ EEEEXXXXAAAAMMMMPPPPLLLLEEEESSSS three machines merlin, kodiakthorn and spirit. Similarly, SERVERS is set to the machines houdini, merlin, kodiakthorn and spirit. The CSNETS alias will match any + host on the 128.138.243.0, 128.138.204.0, or + 128.138.205.192 nets. The CUNETS alias will match any + host on the 128.138.0.0 (class B) network. Note that + these are nnnneeeettttwwwwoooorrrrkkkk addresses, not ip addresses. Unless an -6/Apr/99 1.6 4 +7/Apr/99 1.6 4 @@ -268,10 +268,6 @@ EEEEXXXXAAAAMMMMPPPPLLLLEEEESSSS sudoers(5) FILE FORMATS sudoers(5) - host on the 128.138.243.0, 128.138.204.0, or - 128.138.205.192 nets. The CUNETS alias will match any - host on the 128.138.0.0 (class B) network. Note that - these are nnnneeeettttwwwwoooorrrrkkkk addresses, not ip addresses. Unless an explicit netmask is given, the local _n_e_t_m_a_s_k is used to determine whether or not the current host belongs to a network. @@ -322,22 +318,22 @@ sudoers(5) FILE FORMATS sudoers(5) jill The user jill may run /sbin/shutdown -h now or /sbin/shutdown -r now as well as + the commands in the MISC alias on houdini. + markm The user markm may run any command on the + HUB machines except _/_s_b_i_n_/_s_h_u_t_d_o_w_n, -6/Apr/99 1.6 5 +7/Apr/99 1.6 5 -sudoers(5) FILE FORMATS sudoers(5) +sudoers(5) FILE FORMATS sudoers(5) - the commands in the MISC alias on houdini. - markm The user markm may run any command on the - HUB machines except _/_s_b_i_n_/_s_h_u_t_d_o_w_n, _/_s_b_i_n_/_h_a_l_t, and commands listed in the MISC alias. @@ -391,7 +387,11 @@ SSSSEEEEEEEE AAAALLLLSSSSOOOO -6/Apr/99 1.6 6 + + + + +7/Apr/99 1.6 6 @@ -457,6 +457,6 @@ sudoers(5) FILE FORMATS sudoers(5) -6/Apr/99 1.6 7 +7/Apr/99 1.6 7 diff --git a/sudoers.html b/sudoers.html index 6b1053bab..2207a1f5e 100644 --- a/sudoers.html +++ b/sudoers.html @@ -79,11 +79,8 @@ entry that grants access the user will be allowed to run the command.

-

    access_group ::= host_type = [(runas-list)] [NOPASSWD:] [op]cmnd_type
+
    access_group ::= host-list = [(runas-list)] [NOPASSWD:] [op]cmnd_type
                      [,[(user-list)] [NOPASSWD|PASSWD:] [op]cmnd_type] ... 
-       host_type ::= a lower-case hostname, netgroup, ip address,
-                     network number, network number/netmask,
-                     or host alias.
        cmnd_type ::= a command OR a command alias.
               op ::= the logical "!" NOT operator.
 
diff --git a/sudoers.man b/sudoers.man
index fd834d032..b332be7ab 100644
--- a/sudoers.man
+++ b/sudoers.man
@@ -2,8 +2,10 @@
 ''' $RCSfile$$Revision$$Date$
 '''
 ''' $Log$
-''' Revision 1.8 1999/04/07 00:24:35 millert
-''' runas-lists and NOPASSWD/PASSWD modifiers are now sticky and you can use "!" most everywhere
+''' Revision 1.9 1999/04/07 23:18:51 millert
+''' You can now specifiy a host list instead of just a host or alias.
+''' Ie: user = host1,host2,ALIAS,!host3 my_command
+''' now works.
 '''
 '''
 .de Sh
@@ -96,7 +98,7 @@
 .nr % 0
 .rr F
 .\}
-.TH sudoers 5 "1.6" "6/Apr/99" "FILE FORMATS"
+.TH sudoers 5 "1.6" "7/Apr/99" "FILE FORMATS"
 .UC
 .if n .hy 0
 .if n .na
@@ -206,12 +208,9 @@ will be allowed to run the command.
 .Vb 1
 \& user access_group [: access_group] ...
 .Ve
-.Vb 7
-\& access_group ::= host_type = [(runas-list)] [NOPASSWD:] [op]cmnd_type
+.Vb 4
+\& access_group ::= host-list = [(runas-list)] [NOPASSWD:] [op]cmnd_type
 \& [,[(user-list)] [NOPASSWD|PASSWD:] [op]cmnd_type] ...
-\& host_type ::= a lower-case hostname, netgroup, ip address,
-\& network number, network number/netmask,
-\& or host alias.
 \& cmnd_type ::= a command OR a command alias.
 \& op ::= the logical "!" NOT operator.
 .Ve
diff --git a/sudoers.pod b/sudoers.pod
index 8fbf30771..c003c8e56 100644
--- a/sudoers.pod
+++ b/sudoers.pod
@@ -21,11 +21,8 @@ will be allowed to run the command.
 user access_group [: access_group] ...
- access_group ::= host_type = [(runas-list)] [NOPASSWD:] [op]cmnd_type
+ access_group ::= host-list = [(runas-list)] [NOPASSWD:] [op]cmnd_type
 [,[(user-list)] [NOPASSWD|PASSWD:] [op]cmnd_type] ...
- host_type ::= a lower-case hostname, netgroup, ip address,
- network number, network number/netmask,
- or host alias.
 cmnd_type ::= a command OR a command alias.
 op ::= the logical "!" NOT operator.
--
2.50.1