version 1.20, 2008/01/21 19:44:29 |
version 1.21, 2008/07/31 16:44:03 |
|
|
#endif /* HAVE_LSEARCH */ |
#endif /* HAVE_LSEARCH */ |
|
|
#ifndef lint |
#ifndef lint |
__unused static const char rcsid[] = "$Sudo: parse.yacc,v 1.204.2.10 2008/01/16 23:20:53 millert Exp $"; |
__unused static const char rcsid[] = "$Sudo: parse.yacc,v 1.204.2.13 2008/02/27 20:34:42 millert Exp $"; |
#endif /* lint */ |
#endif /* lint */ |
|
|
/* |
/* |
|
|
match[top].nopass = def_authenticate ? UNSPEC : TRUE; \ |
match[top].nopass = def_authenticate ? UNSPEC : TRUE; \ |
match[top].noexec = def_noexec ? TRUE : UNSPEC; \ |
match[top].noexec = def_noexec ? TRUE : UNSPEC; \ |
match[top].setenv = def_setenv ? TRUE : UNSPEC; \ |
match[top].setenv = def_setenv ? TRUE : UNSPEC; \ |
|
match[top].role = NULL; \ |
|
match[top].type = NULL; \ |
top++; \ |
top++; \ |
} while (0) |
} while (0) |
|
|
|
|
match[top].nopass = match[top-1].nopass; \ |
match[top].nopass = match[top-1].nopass; \ |
match[top].noexec = match[top-1].noexec; \ |
match[top].noexec = match[top-1].noexec; \ |
match[top].setenv = match[top-1].setenv; \ |
match[top].setenv = match[top-1].setenv; \ |
|
match[top].role = estrdup(match[top-1].role); \ |
|
match[top].type = estrdup(match[top-1].type); \ |
top++; \ |
top++; \ |
} while (0) |
} while (0) |
|
|
|
|
do { \ |
do { \ |
if (top == 0) \ |
if (top == 0) \ |
yyerror("matching stack underflow"); \ |
yyerror("matching stack underflow"); \ |
else \ |
else { \ |
|
efree(match[top-1].role); \ |
|
efree(match[top-1].type); \ |
top--; \ |
top--; \ |
|
} \ |
} while (0) |
} while (0) |
|
|
|
|
|
|
#define append_runas(s, p) append(s, &cm_list[cm_list_len].runas, \ |
#define append_runas(s, p) append(s, &cm_list[cm_list_len].runas, \ |
&cm_list[cm_list_len].runas_len, &cm_list[cm_list_len].runas_size, p) |
&cm_list[cm_list_len].runas_len, &cm_list[cm_list_len].runas_size, p) |
|
|
|
#define append_role(s, p) append(s, &cm_list[cm_list_len].role, \ |
|
&cm_list[cm_list_len].role_len, &cm_list[cm_list_len].role_size, p) |
|
|
|
#define append_type(s, p) append(s, &cm_list[cm_list_len].type, \ |
|
&cm_list[cm_list_len].type_len, &cm_list[cm_list_len].type_size, p) |
|
|
#define append_entries(s, p) append(s, &ga_list[ga_list_len-1].entries, \ |
#define append_entries(s, p) append(s, &ga_list[ga_list_len-1].entries, \ |
&ga_list[ga_list_len-1].entries_len, \ |
&ga_list[ga_list_len-1].entries_len, \ |
&ga_list[ga_list_len-1].entries_size, p) |
&ga_list[ga_list_len-1].entries_size, p) |
|
|
int BOOLEAN; |
int BOOLEAN; |
struct sudo_command command; |
struct sudo_command command; |
int tok; |
int tok; |
|
struct selinux_info seinfo; |
} |
} |
|
|
%start file /* special start symbol */ |
%start file /* special start symbol */ |
|
|
%token <tok> RUNASALIAS /* Runas_Alias keyword */ |
%token <tok> RUNASALIAS /* Runas_Alias keyword */ |
%token <tok> ':' '=' ',' '!' '+' '-' /* union member tokens */ |
%token <tok> ':' '=' ',' '!' '+' '-' /* union member tokens */ |
%token <tok> ERROR |
%token <tok> ERROR |
|
%token <tok> TYPE /* SELinux type */ |
|
%token <tok> ROLE /* SELinux role */ |
|
|
/* |
/* |
* NOTE: these are not true booleans as there are actually 4 possible values: |
* NOTE: these are not true booleans as there are actually 4 possible values: |
|
|
%type <BOOLEAN> oprunasuser |
%type <BOOLEAN> oprunasuser |
%type <BOOLEAN> runaslist |
%type <BOOLEAN> runaslist |
%type <BOOLEAN> user |
%type <BOOLEAN> user |
|
%type <seinfo> selinux |
|
%type <string> rolespec |
|
%type <string> typespec |
|
|
%% |
%% |
|
|
|
|
no_passwd = def_authenticate ? UNSPEC : TRUE; |
no_passwd = def_authenticate ? UNSPEC : TRUE; |
no_execve = def_noexec ? TRUE : UNSPEC; |
no_execve = def_noexec ? TRUE : UNSPEC; |
setenv_ok = def_setenv ? TRUE : UNSPEC; |
setenv_ok = def_setenv ? TRUE : UNSPEC; |
|
#ifdef HAVE_SELINUX |
|
efree(match[top-1].role); |
|
match[top-1].role = NULL; |
|
efree(match[top-1].type); |
|
match[top-1].type = NULL; |
|
#endif |
} |
} |
; |
; |
|
|
|
|
| cmndspeclist ',' cmndspec |
| cmndspeclist ',' cmndspec |
; |
; |
|
|
cmndspec : { SETENV_RESET; } runasspec cmndtag opcmnd { |
cmndspec : { SETENV_RESET; } runasspec selinux cmndtag opcmnd { |
|
#ifdef HAVE_SELINUX |
|
/* Replace inherited role/type as needed. */ |
|
if ($3.role != NULL) { |
|
efree(match[top-1].role); |
|
match[top-1].role = $3.role; |
|
} |
|
if ($3.type != NULL) { |
|
efree(match[top-1].type); |
|
match[top-1].type = $3.type; |
|
} |
|
#endif |
/* |
/* |
* Push the entry onto the stack if it is worth |
* Push the entry onto the stack if it is worth |
* saving and reset cmnd_matches for next cmnd. |
* saving and reset cmnd_matches for next cmnd. |
|
|
pushcp; |
pushcp; |
else if (user_matches == TRUE && keepall) |
else if (user_matches == TRUE && keepall) |
pushcp; |
pushcp; |
|
|
cmnd_matches = UNSPEC; |
cmnd_matches = UNSPEC; |
} |
} |
; |
; |
|
|
} |
} |
; |
; |
|
|
|
rolespec : ROLE '=' WORD { |
|
#ifdef HAVE_SELINUX |
|
if (printmatches == TRUE && host_matches == TRUE && |
|
user_matches == TRUE && runas_matches == TRUE) |
|
append_role($3, NULL); |
|
$$ = $3; |
|
#else |
|
free($3); |
|
$$ = NULL; |
|
#endif /* HAVE_SELINUX */ |
|
} |
|
; |
|
|
|
typespec : TYPE '=' WORD { |
|
#ifdef HAVE_SELINUX |
|
if (printmatches == TRUE && host_matches == TRUE && |
|
user_matches == TRUE && runas_matches == TRUE) |
|
append_type($3, NULL); |
|
$$ = $3; |
|
#else |
|
free($3); |
|
$$ = NULL; |
|
#endif /* HAVE_SELINUX */ |
|
} |
|
; |
|
|
|
selinux : /* empty */ { |
|
#ifdef HAVE_SELINUX |
|
if (printmatches == TRUE && host_matches == TRUE && |
|
user_matches == TRUE && runas_matches == TRUE) { |
|
/* Inherit role. */ |
|
cm_list[cm_list_len].role = |
|
estrdup(cm_list[cm_list_len-1].role); |
|
cm_list[cm_list_len].role_len = |
|
cm_list[cm_list_len-1].role_len; |
|
cm_list[cm_list_len].role_size = |
|
cm_list[cm_list_len-1].role_len + 1; |
|
/* Inherit type. */ |
|
cm_list[cm_list_len].type = |
|
estrdup(cm_list[cm_list_len-1].type); |
|
cm_list[cm_list_len].type_len = |
|
cm_list[cm_list_len-1].type_len; |
|
cm_list[cm_list_len].type_size = |
|
cm_list[cm_list_len-1].type_len + 1; |
|
} |
|
#endif /* HAVE_SELINUX */ |
|
$$.role = NULL; |
|
$$.type = NULL; |
|
} |
|
| rolespec { |
|
#ifdef HAVE_SELINUX |
|
if (printmatches == TRUE && host_matches == TRUE && |
|
user_matches == TRUE && runas_matches == TRUE) { |
|
/* Inherit type. */ |
|
cm_list[cm_list_len].type = |
|
estrdup(cm_list[cm_list_len-1].type); |
|
cm_list[cm_list_len].type_len = |
|
cm_list[cm_list_len-1].type_len; |
|
cm_list[cm_list_len].type_size = |
|
cm_list[cm_list_len-1].type_len + 1; |
|
} |
|
#endif /* HAVE_SELINUX */ |
|
$$.role = $1; |
|
$$.type = NULL; |
|
} |
|
| typespec { |
|
#ifdef HAVE_SELINUX |
|
if (printmatches == TRUE && host_matches == TRUE && |
|
user_matches == TRUE && runas_matches == TRUE) { |
|
/* Inherit role. */ |
|
cm_list[cm_list_len].role = |
|
estrdup(cm_list[cm_list_len-1].role); |
|
cm_list[cm_list_len].role_len = |
|
cm_list[cm_list_len-1].role_len; |
|
cm_list[cm_list_len].role_size = |
|
cm_list[cm_list_len-1].role_len + 1; |
|
} |
|
#endif /* HAVE_SELINUX */ |
|
$$.type = $1; |
|
$$.role = NULL; |
|
} |
|
| rolespec typespec { |
|
$$.role = $1; |
|
$$.type = $2; |
|
} |
|
| typespec rolespec { |
|
$$.type = $1; |
|
$$.role = $2; |
|
} |
|
; |
|
|
runasspec : /* empty */ { |
runasspec : /* empty */ { |
if (printmatches == TRUE && host_matches == TRUE && |
if (printmatches == TRUE && host_matches == TRUE && |
user_matches == TRUE) { |
user_matches == TRUE) { |
|
|
cm_list[cm_list_len].runas_len = |
cm_list[cm_list_len].runas_len = |
cm_list[cm_list_len-1].runas_len; |
cm_list[cm_list_len-1].runas_len; |
cm_list[cm_list_len].runas_size = |
cm_list[cm_list_len].runas_size = |
cm_list[cm_list_len-1].runas_size; |
cm_list[cm_list_len-1].runas_len + 1; |
} |
} |
} |
} |
/* |
/* |
|
|
(void) printf("(%s) ", def_runas_default); |
(void) printf("(%s) ", def_runas_default); |
} |
} |
|
|
|
#ifdef HAVE_SELINUX |
|
/* SELinux role and type */ |
|
if (cm_list[count].role != NULL) |
|
(void) printf("ROLE=%s ", cm_list[count].role); |
|
if (cm_list[count].type != NULL) |
|
(void) printf("TYPE=%s ", cm_list[count].type); |
|
#endif |
|
|
/* Is execve(2) disabled? */ |
/* Is execve(2) disabled? */ |
if (cm_list[count].noexecve == TRUE && !def_noexec) |
if (cm_list[count].noexecve == TRUE && !def_noexec) |
(void) fputs("NOEXEC: ", stdout); |
(void) fputs("NOEXEC: ", stdout); |
|
|
for (count = 0; count < cm_list_len; count++) { |
for (count = 0; count < cm_list_len; count++) { |
efree(cm_list[count].runas); |
efree(cm_list[count].runas); |
efree(cm_list[count].cmnd); |
efree(cm_list[count].cmnd); |
|
efree(cm_list[count].role); |
|
efree(cm_list[count].type); |
} |
} |
efree(cm_list); |
efree(cm_list); |
cm_list = NULL; |
cm_list = NULL; |
|
|
} |
} |
|
|
cm_list[cm_list_len].runas = cm_list[cm_list_len].cmnd = NULL; |
cm_list[cm_list_len].runas = cm_list[cm_list_len].cmnd = NULL; |
|
cm_list[cm_list_len].type = cm_list[cm_list_len].role = NULL; |
cm_list[cm_list_len].nopasswd = FALSE; |
cm_list[cm_list_len].nopasswd = FALSE; |
cm_list[cm_list_len].noexecve = FALSE; |
cm_list[cm_list_len].noexecve = FALSE; |
cm_list[cm_list_len].setenv = FALSE; |
cm_list[cm_list_len].setenv = FALSE; |