===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/doas/doas.c,v
retrieving revision 1.14
retrieving revision 1.15
diff -c -r1.14 -r1.15
*** src/usr.bin/doas/doas.c	2015/07/20 01:04:37	1.14
--- src/usr.bin/doas/doas.c	2015/07/21 11:04:06	1.15
***************
*** 1,4 ****
! /* $OpenBSD: doas.c,v 1.14 2015/07/20 01:04:37 tedu Exp $ */
  /*
   * Copyright (c) 2015 Ted Unangst <tedu@openbsd.org>
   *
--- 1,4 ----
! /* $OpenBSD: doas.c,v 1.15 2015/07/21 11:04:06 zhuk Exp $ */
  /*
   * Copyright (c) 2015 Ted Unangst <tedu@openbsd.org>
   *
***************
*** 97,103 ****
  
  static int
  match(uid_t uid, gid_t *groups, int ngroups, uid_t target, const char *cmd,
!     struct rule *r)
  {
  	int i;
  
--- 97,103 ----
  
  static int
  match(uid_t uid, gid_t *groups, int ngroups, uid_t target, const char *cmd,
!     const char **cmdargs, struct rule *r)
  {
  	int i;
  
***************
*** 117,136 ****
  	}
  	if (r->target && uidcheck(r->target, target) != 0)
  		return 0;
! 	if (r->cmd && strcmp(r->cmd, cmd) != 0)
! 		return 0;
  	return 1;
  }
  
  static int
  permit(uid_t uid, gid_t *groups, int ngroups, struct rule **lastr,
!     uid_t target, const char *cmd)
  {
  	int i;
  
  	*lastr = NULL;
  	for (i = 0; i < nrules; i++) {
! 		if (match(uid, groups, ngroups, target, cmd, rules[i]))
  			*lastr = rules[i];
  	}
  	if (!*lastr)
--- 117,149 ----
  	}
  	if (r->target && uidcheck(r->target, target) != 0)
  		return 0;
! 	if (r->cmd) {
! 		if (strcmp(r->cmd, cmd))
! 			return 0;
! 		if (r->cmdargs) {
! 			/* if arguments were given, they should match explicitly */
! 			for (i = 0; r->cmdargs[i]; i++) {
! 				if (!cmdargs[i])
! 					return 0;
! 				if (strcmp(r->cmdargs[i], cmdargs[i]))
! 					return 0;
! 			}
! 			if (cmdargs[i])
! 				return 0;
! 		}
! 	}
  	return 1;
  }
  
  static int
  permit(uid_t uid, gid_t *groups, int ngroups, struct rule **lastr,
!     uid_t target, const char *cmd, const char **cmdargs)
  {
  	int i;
  
  	*lastr = NULL;
  	for (i = 0; i < nrules; i++) {
! 		if (match(uid, groups, ngroups, target, cmd, cmdargs, rules[i]))
  			*lastr = rules[i];
  	}
  	if (!*lastr)
***************
*** 334,340 ****
  			errx(1, "command line too long");
  	}
  
! 	if (!permit(uid, groups, ngroups, &rule, target, cmd)) {
  		syslog(LOG_AUTHPRIV | LOG_NOTICE,
  		    "failed command for %s: %s", myname, cmdline);
  		fail();
--- 347,354 ----
  			errx(1, "command line too long");
  	}
  
! 	if (!permit(uid, groups, ngroups, &rule, target, cmd,
! 	    (const char**)argv + 1)) {
  		syslog(LOG_AUTHPRIV | LOG_NOTICE,
  		    "failed command for %s: %s", myname, cmdline);
  		fail();