version 1.14, 2015/07/20 01:04:37 |
version 1.15, 2015/07/21 11:04:06 |
|
|
|
|
static int |
static int |
match(uid_t uid, gid_t *groups, int ngroups, uid_t target, const char *cmd, |
match(uid_t uid, gid_t *groups, int ngroups, uid_t target, const char *cmd, |
struct rule *r) |
const char **cmdargs, struct rule *r) |
{ |
{ |
int i; |
int i; |
|
|
|
|
} |
} |
if (r->target && uidcheck(r->target, target) != 0) |
if (r->target && uidcheck(r->target, target) != 0) |
return 0; |
return 0; |
if (r->cmd && strcmp(r->cmd, cmd) != 0) |
if (r->cmd) { |
return 0; |
if (strcmp(r->cmd, cmd)) |
|
return 0; |
|
if (r->cmdargs) { |
|
/* if arguments were given, they should match explicitly */ |
|
for (i = 0; r->cmdargs[i]; i++) { |
|
if (!cmdargs[i]) |
|
return 0; |
|
if (strcmp(r->cmdargs[i], cmdargs[i])) |
|
return 0; |
|
} |
|
if (cmdargs[i]) |
|
return 0; |
|
} |
|
} |
return 1; |
return 1; |
} |
} |
|
|
static int |
static int |
permit(uid_t uid, gid_t *groups, int ngroups, struct rule **lastr, |
permit(uid_t uid, gid_t *groups, int ngroups, struct rule **lastr, |
uid_t target, const char *cmd) |
uid_t target, const char *cmd, const char **cmdargs) |
{ |
{ |
int i; |
int i; |
|
|
*lastr = NULL; |
*lastr = NULL; |
for (i = 0; i < nrules; i++) { |
for (i = 0; i < nrules; i++) { |
if (match(uid, groups, ngroups, target, cmd, rules[i])) |
if (match(uid, groups, ngroups, target, cmd, cmdargs, rules[i])) |
*lastr = rules[i]; |
*lastr = rules[i]; |
} |
} |
if (!*lastr) |
if (!*lastr) |
|
|
errx(1, "command line too long"); |
errx(1, "command line too long"); |
} |
} |
|
|
if (!permit(uid, groups, ngroups, &rule, target, cmd)) { |
if (!permit(uid, groups, ngroups, &rule, target, cmd, |
|
(const char**)argv + 1)) { |
syslog(LOG_AUTHPRIV | LOG_NOTICE, |
syslog(LOG_AUTHPRIV | LOG_NOTICE, |
"failed command for %s: %s", myname, cmdline); |
"failed command for %s: %s", myname, cmdline); |
fail(); |
fail(); |
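Review bot: The new `args` loop in match() walks both `r->cmdargs` and `cmdargs` until a NULL entry, so it depends on both arrays being NULL-terminated, and the only thing that establishes this for `cmdargs` is the caller passing `argv + 1`, which is valid only while argv[0] exists — whether main rejects argc == 0 before this call is outside the hunk and should be confirmed rather than assumed. I would state the precondition on the new parameter where the loop begins: `/* r->cmdargs and cmdargs are NULL-terminated; an empty args list matches only a bare command */`. The exact, byte-wise strcmp on every argument together with the trailing `if (cmdargs[i]) return 0;` is what makes `args` safe — any prefix or glob match would let a caller append flags — and a one-line comment saying so would mark a future relaxation as a policy change rather than a cleanup. match() and permit() are shown in full; the body of main around the permit() call begins and ends outside the hunk.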