From d0e38675870ce7cfe4e9403c8e9093fc6f3db66e Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Wed, 14 Aug 2013 13:49:14 -0600 Subject: [PATCH] Add limited support for "sudo -l -h other_host". Since group lookups are done on the local host, rules that use group membership may be incorrect if the group database is not synchronized between hosts. --- doc/sudo.cat | 2 ++ doc/sudo.man.in | 3 +++ doc/sudo.mdoc.in | 3 +++ plugins/sudoers/logging.c | 20 ++++++++++++-------- plugins/sudoers/match.c | 4 ++-- plugins/sudoers/policy.c | 8 ++++++++ plugins/sudoers/sudo_nss.c | 10 +++++----- plugins/sudoers/sudoers.h | 4 ++++ 8 files changed, 39 insertions(+), 15 deletions(-) diff --git a/doc/sudo.cat b/doc/sudo.cat index f8d813ee9..471bc4f72 100644 --- a/doc/sudo.cat +++ b/doc/sudo.cat @@ -153,6 +153,8 @@ DDEESSCCRRIIPPTTIIOONN Run the command on the specified _h_o_s_t if the security policy plugin supports remote commands. Note that the _s_u_d_o_e_r_s plugin does not currently support running remote commands. + This may also be used in conjunction with the --ll option to + list a user's privileges for the remote host. --ii, ----llooggiinn Run the shell specified by the target user's password diff --git a/doc/sudo.man.in b/doc/sudo.man.in index d02fdc979..d5e68129c 100644 --- a/doc/sudo.man.in +++ b/doc/sudo.man.in @@ -348,6 +348,9 @@ if the security policy plugin supports remote commands. Note that the \fIsudoers\fR plugin does not currently support running remote commands. +This may also be used in conjunction with the +\fB\-l\fR +option to list a user's privileges for the remote host. .TP 12n \fB\-i\fR, \fB\--login\fR Run the shell specified by the target user's password database entry diff --git a/doc/sudo.mdoc.in b/doc/sudo.mdoc.in index 881281bf5..e5d14ac9c 100644 --- a/doc/sudo.mdoc.in +++ b/doc/sudo.mdoc.in 
@@ -372,6 +372,9 @@ if the security policy plugin supports remote commands.
 Note that the
 .Em sudoers
 plugin does not currently support running remote commands.
+This may also be used in conjunction with the
+.Fl l
+option to list a user's privileges for the remote host.
 .It Fl i , -login
 Run the shell specified by the target user's password database entry
 as a login shell.
diff --git a/plugins/sudoers/logging.c b/plugins/sudoers/logging.c
index 2b4c48b7c..b454b21bd 100644
--- a/plugins/sudoers/logging.c
+++ b/plugins/sudoers/logging.c
@@ -200,19 +200,23 @@ do_logfile(char *msg)
 time(&now);
 if (def_loglinelen < sizeof(LOG_INDENT)) {
 /* Don't pretty-print long log file lines (hard to grep) */
- if (def_log_host)
+ if (def_log_host) {
 (void) fprintf(fp, "%s : %s : HOST=%s : %s\n",
- get_timestr(now, def_log_year), user_name, user_shost, msg);
- else
+ get_timestr(now, def_log_year), user_name, user_srunhost,
+ msg);
+ } else {
 (void) fprintf(fp, "%s : %s : %s\n",
 get_timestr(now, def_log_year), user_name, msg);
+ }
 } else {
- if (def_log_host)
+ if (def_log_host) {
 len = easprintf(&full_line, "%s : %s : HOST=%s : %s",
- get_timestr(now, def_log_year), user_name, user_shost, msg);
- else
+ get_timestr(now, def_log_year), user_name, user_srunhost,
+ msg);
+ } else {
 len = easprintf(&full_line, "%s : %s : %s",
 get_timestr(now, def_log_year), user_name, msg);
+ }
 
 /*
 * Print out full_line with word wrap around def_loglinelen chars.
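Review bot: The HOST= field written by both the fprintf and the easprintf branch now carries user_srunhost, which — if `remote_host=` is populated from the `-h` option as the subject line suggests — is a caller-chosen name rather than the host this log file belongs to, so a `sudo -l -h other` entry in the local log reads as if it happened on `other`. That weakens log correlation (an analyst filtering on the local HOST= value will not see the event) and means the string in that field is no longer something the local host determined. Keeping user_shost in HOST= and appending the run host only when it differs would preserve attribution; at minimum a comment above the first `if (def_log_host) {` such as `/* HOST= is the host the policy was evaluated for (user_srunhost); for "sudo -l -h" this is the host named by the caller, not this host. */` should record the new semantics. do_logfile's body starts and ends outside this hunk.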
@@ -290,10 +294,10 @@ log_denial(int status, bool inform_user)
 } else if (ISSET(status, FLAG_NO_HOST)) {
 sudo_printf(SUDO_CONV_ERROR_MSG, _("%s is not allowed to run sudo "
 "on %s. This incident will be reported.\n"),
- user_name, user_shost);
+ user_name, user_srunhost);
 } else if (ISSET(status, FLAG_NO_CHECK)) {
 sudo_printf(SUDO_CONV_ERROR_MSG, _("Sorry, user %s may not run "
- "sudo on %s.\n"), user_name, user_shost);
+ "sudo on %s.\n"), user_name, user_srunhost);
 } else {
 sudo_printf(SUDO_CONV_ERROR_MSG, _("Sorry, user %s is not allowed "
 "to execute '%s%s%s' as %s%s%s on %s.\n"),
diff --git a/plugins/sudoers/match.c b/plugins/sudoers/match.c
index ac393fc4b..dd7f8bc24 100644
--- a/plugins/sudoers/match.c
+++ b/plugins/sudoers/match.c
@@ -275,7 +275,7 @@ hostlist_matches(struct member_list *list)
 matched = !m->negated;
 break;
 case NETGROUP:
- if (netgr_matches(m->name, user_host, user_shost, NULL))
+ if (netgr_matches(m->name, user_runhost, user_srunhost, NULL))
 matched = !m->negated;
 break;
 case NTWKADDR:
@@ -292,7 +292,7 @@ hostlist_matches(struct member_list *list)
 }
 /* FALLTHROUGH */
 case WORD:
- if (hostname_matches(user_shost, user_host, m->name))
+ if (hostname_matches(user_srunhost, user_runhost, m->name))
 matched = !m->negated;
 break;
 }
diff --git a/plugins/sudoers/policy.c b/plugins/sudoers/policy.c
index 57c19e246..3ca0ba373 100644
--- a/plugins/sudoers/policy.c
+++ b/plugins/sudoers/policy.c
@@ -89,6 +89,7 @@ sudoers_policy_deserialize_info(void *v, char **runas_user, char **runas_group)
 char * const *cur;
 const char *p, *errstr, *groups = NULL;
 const char *debug_flags = NULL;
+ const char *remhost = NULL;
 int flags = 0;
 debug_decl(sudoers_policy_deserialize_info, SUDO_DEBUG_PLUGIN)
 
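Review bot: The NTWKADDR case that sits between the two hostlist_matches hunks is left untouched, so if it still matches against the local machine's interface addresses (the diff gives no sign it was switched to the run host), IP-address and netmask rules are evaluated for the local host while NETGROUP and WORD entries are now evaluated for user_runhost, and a `sudo -l -h other` listing can misreport such rules. That inconsistency deserves the same caveat the commit message gives for group lookups, either as a comment at the top of the switch, e.g. `/* NETGROUP and WORD match user_runhost; NTWKADDR still matches this host's addresses. */`, or as a sentence in the -h documentation. Both hunks are inside hostlist_matches, whose start and end lie outside them.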
@@ -251,6 +252,10 @@ sudoers_policy_deserialize_info(void *v, char **runas_user, char **runas_group)
 sudo_user.max_groups = atoi(*cur + sizeof("max_groups=") - 1);
 continue;
 }
+ if (MATCHES(*cur, "remote_host=")) {
+ remhost = *cur + sizeof("remote_host=") - 1;
+ continue;
+ }
 }
 
 for (cur = info->user_info; *cur != NULL; cur++) {
@@ -308,6 +313,9 @@ sudoers_policy_deserialize_info(void *v, char **runas_user, char **runas_group)
 continue;
 }
 }
+ user_runhost = user_srunhost = estrdup(remhost ? remhost : user_host);
+ if ((p = strchr(user_runhost, '.')))
+ user_srunhost = estrndup(user_runhost, (size_t)(p - user_runhost));
 if (user_cwd == NULL)
 user_cwd = "unknown";
 if (user_tty == NULL)
diff --git a/plugins/sudoers/sudo_nss.c b/plugins/sudoers/sudo_nss.c
index bf216fa3d..fd09dc626 100644
--- a/plugins/sudoers/sudo_nss.c
+++ b/plugins/sudoers/sudo_nss.c
@@ -262,7 +262,7 @@ output(const char *buf)
 
 /*
 * Print out privileges for the specified user.
- * We only get here if the user is allowed to run something on this host.
+ * We only get here if the user is allowed to run something.
 */
 void
 display_privs(struct sudo_nss_list *snl, struct passwd *pw)
@@ -280,8 +280,8 @@ display_privs(struct sudo_nss_list *snl, struct passwd *pw)
 lbuf_init(&privs, output, 8, NULL, cols);
 
 /* Display defaults from all sources. */
- lbuf_append(&defs, _("Matching Defaults entries for %s on this host:\n"),
- pw->pw_name);
+ lbuf_append(&defs, _("Matching Defaults entries for %s on %s:\n"),
+ pw->pw_name, user_srunhost);
 count = 0;
 tq_foreach_fwd(snl, nss) {
 count += nss->display_defaults(nss, pw, &defs);
@@ -306,8 +306,8 @@ display_privs(struct sudo_nss_list *snl, struct passwd *pw)
 
 /* Display privileges from all sources. */
 lbuf_append(&privs,
- _("User %s may run the following commands on this host:\n"),
- pw->pw_name);
+ _("User %s may run the following commands on %s:\n"),
+ pw->pw_name, user_srunhost);
 count = 0;
 tq_foreach_fwd(snl, nss) {
 count += nss->display_privs(nss, pw, &privs);
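Review bot: The assignment `user_runhost = user_srunhost = estrdup(remhost ? remhost : user_host);` applies the front-end-supplied `remote_host=` value unconditionally, with nothing in this hunk tying it to the list operation the commit title limits it to; if a command request can arrive with remote_host set, hostlist_matches would then evaluate host rules against a caller-chosen name, so the refusal of non-list remote requests should be confirmed to exist elsewhere or be placed next to this line. The value is also taken as-is: an empty string or a name beginning with '.' yields an empty user_srunhost, so a `remhost != NULL && *remhost != '\0' && *remhost != '.'` guard (or treating such input as an error through the function's usual path) belongs here. Since group lookups still happen locally, the caveat from the commit message fits as a comment on this line: `/* Policy is evaluated for remhost when given; group lookups are still done on this host, so group-based rules may not reflect the remote host. */`. sudoers_policy_deserialize_info begins and ends outside the hunk.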
diff --git a/plugins/sudoers/sudoers.h b/plugins/sudoers/sudoers.h
index fbe984129..405f03ff6 100644
--- a/plugins/sudoers/sudoers.h
+++ b/plugins/sudoers/sudoers.h
@@ -68,6 +68,8 @@ struct sudo_user {
 char *ttypath;
 char *host;
 char *shost;
+ char *runhost;
+ char *srunhost;
 char *prompt;
 char *cmnd;
 char *cmnd_args;
@@ -192,6 +194,8 @@ struct sudo_user {
 #define user_prompt (sudo_user.prompt)
 #define user_host (sudo_user.host)
 #define user_shost (sudo_user.shost)
+#define user_runhost (sudo_user.runhost)
+#define user_srunhost (sudo_user.srunhost)
 #define user_ccname (sudo_user.krb5_ccname)
 #define safe_cmnd (sudo_user.cmnd_safe)
 #define login_class (sudo_user.class_name)
-- 
2.50.0
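Review bot: The two new struct members have no comment, which matters here because these fields now decide which host's rules are matched: a reader of sudoers.h cannot tell whether runhost equals host by default or who owns the allocation. Suggest annotating them in the header's style: `char *runhost;  /* host the policy is evaluated for; host unless the front end passed remote_host= */` and `char *srunhost; /* runhost truncated at the first '.' */`, noting that policy.c allocates both with estrdup/estrndup. The struct sudo_user definition extends beyond both hunks.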