src/usr.bin/sudo/sudo.c - diff

Return to sudo.c CVS log

Up to [local] / src / usr.bin / sudo

Diff for /src/usr.bin/sudo/Attic/sudo.c between version 1.33 and 1.34

version 1.33, 2008/07/31 16:44:03

version 1.34, 2008/11/14 11:58:08

Line 1

* Permission to use, copy, modify, and distribute this software for any

* purpose with or without fee is hereby granted, provided that the above

Line 59

#ifdef HAVE_UNISTD_H

# include <unistd.h>

#endif /* HAVE_UNISTD_H */

#ifdef HAVE_ERR_H

# include <err.h>

#else

# include "emul/err.h"

#endif /* HAVE_ERR_H */

#include <pwd.h>

#include <errno.h>

#include <fcntl.h>

Line 101

Line 96

#endif

#include "sudo.h"

#include "sudo_usage.h"

#include "lbuf.h"

#include "interfaces.h"

#include "version.h"

#ifndef lint

__unused __unused static const char rcsid[] = "$Sudo: sudo.c,v 1.369.2.43 2008/07/02 10:28:43 millert Exp $";

__unused static const char rcsid[] = "$Sudo: sudo.c,v 1.499 2008/11/11 18:28:08 millert Exp $";

#endif /* lint */

* Prototypes

static int init_vars __P((int, char **));

static void init_vars __P((int, char **));

static int set_cmnd __P((int));

static int parse_args __P((int, char **));

static void check_sudoers __P((void));

static void initial_setup __P((void));

static void set_loginclass __P((struct passwd *));

static void set_project __P((struct passwd *));

static void set_runasgr __P((char *));

static void set_runaspw __P((char *));

static void show_version __P((void));

static void usage __P((int))

__attribute__((__noreturn__));

static void usage_excl __P((int))

__attribute__((__noreturn__));

static void usage_excl __P((int));

static struct passwd *get_authpw __P((void));

extern int sudo_edit __P((int, char **, char **));

extern void list_matches __P((void));

extern void rebuild_env __P((int, int));

extern char **rebuild_env __P((char **, int, int));

void validate_env_vars __P((struct list_member *));

extern void validate_env_vars __P((struct list_member *));

void insert_env_vars __P((struct list_member *));

extern char **insert_env_vars __P((char **, struct list_member *));

extern struct passwd *sudo_getpwnam __P((const char *));

extern struct passwd *sudo_getpwuid __P((uid_t));

extern struct passwd *sudo_pwdup __P((const struct passwd *));

* Globals

Line 138

Line 133

int Argc, NewArgc;

char **Argv, **NewArgv;

char *prev_user;

static int user_closefrom = -1;

struct sudo_user sudo_user;

struct passwd *auth_pw;

struct passwd *auth_pw, *list_pw;

FILE *sudoers_fp;

struct interface *interfaces;

int num_interfaces;

int tgetpass_flags;

int long_list;

uid_t timestamp_uid;

extern int errorlineno;

extern int parse_error;

extern char *errorfile;

#if defined(RLIMIT_CORE) && !defined(SUDO_DEVEL)

static struct rlimit corelimit;

#endif /* RLIMIT_CORE && !SUDO_DEVEL */

Line 156

Line 154

char *login_style;

#endif /* HAVE_BSD_AUTH_H */

sigaction_t saved_sa_int, saved_sa_quit, saved_sa_tstp;

static char *runas_user;

static char *runas_group;

static struct sudo_nss_list *snl;

/* For getopt(3) */

extern char *optarg;

extern int optind;

int

main(argc, argv, envp)

Line 164

Line 168

char **argv;

char **envp;

{

int validated;

int sources = 0, validated;

int fd;

int fd, cmnd_status, sudo_mode, pwflag, rc = 0;

int cmnd_status;

int sudo_mode;

int pwflag;

sigaction_t sa;

extern int printmatches;

#if defined(SUDO_DEVEL) && defined(__OpenBSD__)

extern char **environ;

extern char *malloc_options;

malloc_options = "AFGJPR";

#endif

struct sudo_nss *nss;

#ifdef HAVE_SETLOCALE

setlocale(LC_ALL, "");

Line 190

Line 194

#endif /* HAVE_GETPRPWNAM && HAVE_SET_AUTH_PARAMETERS */

if (geteuid() != 0)

errx(1, "must be setuid root");

errorx(1, "must be setuid root");

* Signal setup:

Line 198

Line 202

* us at some point and avoid the logging.

* Install handler to wait for children when they exit.

zero_bytes(&sa, sizeof(sa));

sigemptyset(&sa.sa_mask);

sa.sa_flags = SA_RESTART;

sa.sa_handler = SIG_IGN;

Line 206

Line 211

(void) sigaction(SIGTSTP, &sa, &saved_sa_tstp);

* Turn off core dumps and close open files.

* Turn off core dumps and make sure fds 0-2 are open.

initial_setup();

setpwent();

sudo_setpwent();

sudo_setgrent();

/* Parse our arguments. */

sudo_mode = parse_args(Argc, Argv);

Line 228

Line 234

else

switch (sudo_mode) {

case MODE_VERSION:

(void) printf("Sudo version %s\n", version);

show_version();

if (getuid() == 0) {

putchar('\n');

(void) printf("Sudoers path: %s\n", _PATH_SUDOERS);

dump_auth_methods();

dump_defaults();

dump_interfaces();

}

exit(0);

break;

case MODE_HELP:

usage(0);

Line 257

Line 255

case MODE_LIST:

user_cmnd = "list";

pwflag = I_LISTPW;

printmatches = 1;

break;

case MODE_CHECK:

pwflag = I_LISTPW;

break;

}

/* Must have a command to run... */

if (user_cmnd == NULL && NewArgc == 0)

usage(1);

cmnd_status = init_vars(sudo_mode, environ);

init_vars(sudo_mode, envp); /* XXX - move this later? */

#ifdef HAVE_LDAP

/* Parse nsswitch.conf for sudoers order. */

validated = sudo_ldap_check(pwflag);

snl = sudo_read_nss();

/* Skip reading /etc/sudoers if LDAP told us to */

/* Open and parse sudoers, set global defaults */

if (!def_ignore_local_sudoers) {

tq_foreach_fwd(snl, nss) {

int v;

if (nss->open(nss) == 0 && nss->parse(nss) == 0) {

sources++;

nss->setdefs(nss);

}

if (sources == 0)

log_error(0, "no valid sudoers sources found, quitting");

check_sudoers(); /* check mode/owner on _PATH_SUDOERS */

/* XXX - collect post-sudoers parse settings into a function */

/* Local sudoers file overrides LDAP if we have a match. */

v = sudoers_lookup(pwflag);

* Set runas passwd/group entries based on command line or sudoers.

if (validated == VALIDATE_ERROR || ISSET(v, VALIDATE_OK))

* Note that if runas_group was specified without runas_user we

validated = v;

* defer setting runas_pw so the match routines know to ignore it.

if (runas_group != NULL) {

set_runasgr(runas_group);

if (runas_user != NULL)

set_runaspw(runas_user);

} else

set_runaspw(runas_user ? runas_user : def_runas_default);

if (!update_defaults(SETDEF_RUNAS))

log_error(NO_STDERR|NO_EXIT, "problem with defaults entries");

/* Set login class if applicable. */

set_loginclass(sudo_user.pw);

/* Update initial shell now that runas is set. */

if (ISSET(sudo_mode, MODE_LOGIN_SHELL))

NewArgv[0] = runas_pw->pw_shell;

/* This goes after sudoers is parsed since it may have timestamp options. */

if (sudo_mode == MODE_KILL || sudo_mode == MODE_INVALIDATE) {

remove_timestamp((sudo_mode == MODE_KILL));

cleanup(0);

exit(0);

}

#else

check_sudoers(); /* check mode/owner on _PATH_SUDOERS */

/* Validate the user but don't search for pseudo-commands. */

/* Is root even allowed to run sudo? */

validated = sudoers_lookup(pwflag);

if (user_uid == 0 && !def_root_sudo) {

(void) fprintf(stderr,

"Sorry, %s has been configured to not allow root to run it.\n",

getprogname());

exit(1);

}

/* Check for -C overriding def_closefrom. */

if (user_closefrom >= 0 && user_closefrom != def_closefrom) {

if (!def_closefrom_override)

errorx(1, "you are not permitted to use the -C option");

else

def_closefrom = user_closefrom;

}

cmnd_status = set_cmnd(sudo_mode);

#ifdef HAVE_SETLOCALE

if (!setlocale(LC_ALL, def_sudoers_locale)) {

warningx("unable to set locale to \"%s\", using \"C\"",

def_sudoers_locale);

setlocale(LC_ALL, "C");

}

#endif

validated = FLAG_NO_USER | FLAG_NO_HOST;

tq_foreach_fwd(snl, nss) {

validated = nss->lookup(nss, validated, pwflag);

/* Handle [NOTFOUND=return] */

if (!ISSET(validated, VALIDATE_OK) && nss->ret_notfound)

break;

}

if (safe_cmnd == NULL)

safe_cmnd = estrdup(user_cmnd);

#ifdef HAVE_SETLOCALE

setlocale(LC_ALL, "");

#endif

/* If only a group was specified, set runas_pw based on invoking user. */

if (runas_pw == NULL)

set_runaspw(user_name);

* Look up the timestamp dir owner if one is specified.

Line 297

Line 363

struct passwd *pw;

if (*def_timestampowner == '#')

pw = getpwuid(atoi(def_timestampowner + 1));

pw = sudo_getpwuid(atoi(def_timestampowner + 1));

else

pw = getpwnam(def_timestampowner);

pw = sudo_getpwnam(def_timestampowner);

if (!pw)

log_error(0, "timestamp owner (%s): No such user",

def_timestampowner);

timestamp_uid = pw->pw_uid;

}

/* This goes after the sudoers parse since we honor sudoers options. */

if (sudo_mode == MODE_KILL || sudo_mode == MODE_INVALIDATE) {

remove_timestamp((sudo_mode == MODE_KILL));

exit(0);

}

if (ISSET(validated, VALIDATE_ERROR))

log_error(0, "parse error in %s near line %d", _PATH_SUDOERS,

errorlineno);

/* Is root even allowed to run sudo? */

if (user_uid == 0 && !def_root_sudo) {

(void) fprintf(stderr,

"Sorry, %s has been configured to not allow root to run it.\n",

getprogname());

exit(1);

}

/* If given the -P option, set the "preserve_groups" flag. */

if (ISSET(sudo_mode, MODE_PRESERVE_GROUPS))

def_preserve_groups = TRUE;

Line 340

Line 388

(void) close(fd);

}

/* User may have overriden environment resetting via the -E flag. */

/* Use askpass value from sudoers unless user specified their own. */

if (ISSET(sudo_mode, MODE_PRESERVE_ENV) && ISSET(validated, FLAG_SETENV))

if (def_askpass && !user_askpass)

user_askpass = def_askpass;

/* User may have overridden environment resetting via the -E flag. */

if (ISSET(sudo_mode, MODE_PRESERVE_ENV) && def_setenv)

def_env_reset = FALSE;

/* Build a new environment that avoids any nasty bits. */

environ = rebuild_env(environ, sudo_mode, ISSET(validated, FLAG_NOEXEC));

rebuild_env(sudo_mode, def_noexec);

/* Fill in passwd struct based on user we are authenticating as. */

auth_pw = get_authpw();

/* Require a password if sudoers says so. */

if (!ISSET(validated, FLAG_NOPASS))

if (def_authenticate)

check_user(validated);

check_user(validated, !ISSET(sudo_mode, MODE_NONINTERACTIVE));

/* If run as root with SUDO_USER set, set sudo_user.pw to that user. */

if (user_uid == 0 && prev_user != NULL && strcmp(prev_user, "root") != 0) {

/* XXX - causes confusion when root is not listed in sudoers */

if (sudo_mode & (MODE_RUN | MODE_EDIT) && prev_user != NULL) {

if (user_uid == 0 && strcmp(prev_user, "root") != 0) {

struct passwd *pw;

if ((pw = sudo_getpwnam(prev_user)) != NULL) {

if ((pw = sudo_getpwnam(prev_user)) != NULL)

efree(sudo_user.pw);

sudo_user.pw = pw;

}

if (ISSET(validated, VALIDATE_OK)) {

/* Finally tell the user if the command did not exist. */

if (cmnd_status == NOT_FOUND_DOT) {

if (cmnd_status == NOT_FOUND_DOT)

warnx("ignoring `%s' found in '.'\nUse `sudo ./%s' if this is the `%s' you wish to run.", user_cmnd, user_cmnd, user_cmnd);

errorx(1, "ignoring `%s' found in '.'\nUse `sudo ./%s' if this is the `%s' you wish to run.", user_cmnd, user_cmnd, user_cmnd);

exit(1);

else if (cmnd_status == NOT_FOUND)

} else if (cmnd_status == NOT_FOUND) {

errorx(1, "%s: command not found", user_cmnd);

warnx("%s: command not found", user_cmnd);

exit(1);

}

/* If user specified env vars make sure sudoers allows it. */

if (ISSET(sudo_mode, MODE_RUN) && !ISSET(validated, FLAG_SETENV)) {

if (ISSET(sudo_mode, MODE_RUN) && !def_setenv) {

if (ISSET(sudo_mode, MODE_PRESERVE_ENV))

log_error(NO_MAIL,

"sorry, you are not allowed to preserve the environment");

Line 383

Line 433

validate_env_vars(sudo_user.env_vars);

}

log_auth(validated, 1);

log_allowed(validated);

if (sudo_mode == MODE_VALIDATE)

if (sudo_mode == MODE_CHECK)

exit(0);

rc = display_cmnd(snl, list_pw ? list_pw : sudo_user.pw);

else if (sudo_mode == MODE_LIST) {

else if (sudo_mode == MODE_LIST)

list_matches();

display_privs(snl, list_pw ? list_pw : sudo_user.pw);

#ifdef HAVE_LDAP

sudo_ldap_list_matches();

#endif

exit(0);

}

/* Override user's umask if configured to do so. */

/* Cleanup sudoers sources */

if (def_umask != 0777)

tq_foreach_fwd(snl, nss)

(void) umask(def_umask);

nss->close(nss);

/* Deferred exit due to sudo_ldap_close() */

if (sudo_mode == MODE_VALIDATE || sudo_mode == MODE_CHECK ||

sudo_mode == MODE_LIST)

exit(rc);

* Override user's umask if configured to do so.

* If user's umask is more restrictive, OR in those bits too.

if (def_umask != 0777) {

mode_t mask = umask(def_umask);

mask |= def_umask;

if (mask != def_umask)

umask(mask);

}

/* Restore coredumpsize resource limit. */

#if defined(RLIMIT_CORE) && !defined(SUDO_DEVEL)

(void) setrlimit(RLIMIT_CORE, &corelimit);

Line 407

Line 468

if (ISSET(sudo_mode, MODE_RUN))

set_perms(PERM_FULL_RUNAS);

/* Close the password and group files */

endpwent();

endgrent();

if (ISSET(sudo_mode, MODE_LOGIN_SHELL)) {

char *p;

Line 422

Line 479

/* Change to target user's homedir. */

if (chdir(runas_pw->pw_dir) == -1)

warn("unable to change directory to %s", runas_pw->pw_dir);

warning("unable to change directory to %s", runas_pw->pw_dir);

#if defined(__linux__) || defined(_AIX)

/* Insert system-wide environment variables. */

read_env_file(_PATH_ENVIRONMENT, TRUE);

#endif

}

if (ISSET(sudo_mode, MODE_EDIT))

exit(sudo_edit(NewArgc, NewArgv, envp));

/* Insert system-wide environment variables. */

if (def_env_file)

read_env_file(def_env_file, FALSE);

/* Insert user-specified environment variables. */

environ = insert_env_vars(environ, sudo_user.env_vars);

insert_env_vars(sudo_user.env_vars);

/* Restore signal handlers before we exec. */

(void) sigaction(SIGINT, &saved_sa_int, NULL);

(void) sigaction(SIGQUIT, &saved_sa_quit, NULL);

(void) sigaction(SIGTSTP, &saved_sa_tstp, NULL);

/* Close the password and group files and free up memory. */

sudo_endpwent();

sudo_endgrent();

closefrom(def_closefrom + 1);

#ifndef PROFILING

if (ISSET(sudo_mode, MODE_BACKGROUND) && fork() > 0)

exit(0);

else {

#ifdef HAVE_SELINUX

if (is_selinux_enabled() > 0 && user_role != NULL)

selinux_exec(user_role, user_type, NewArgv, environ,

selinux_exec(user_role, user_type, NewArgv,

ISSET(sudo_mode, MODE_LOGIN_SHELL));

#endif

execve(safe_cmnd, NewArgv, environ);

execv(safe_cmnd, NewArgv);

}

#else

exit(0);

#endif /* PROFILING */

* If we got here then the exec() failed...

* If we got here then execve() failed...

if (errno == ENOEXEC) {

NewArgv--; /* at least one extra slot... */

NewArgv[0] = "sh";

NewArgv[1] = safe_cmnd;

execve(_PATH_BSHELL, NewArgv, environ);

execv(_PATH_BSHELL, NewArgv);

}

} warning("unable to execute %s", safe_cmnd);

warn("unable to execute %s", safe_cmnd);

exit(127);

} else if (ISSET(validated, FLAG_NO_USER) || (validated & FLAG_NO_HOST)) {

} else if (ISSET(validated, FLAG_NO_USER | FLAG_NO_HOST)) {

log_auth(validated, 1);

log_denial(validated, 1);

exit(1);

} else if (ISSET(validated, VALIDATE_NOT_OK)) {

} else {

if (def_path_info) {

* We'd like to not leak path info at all here, but that can

Line 473

Line 544

* is just "no foo in path" since the user can trivially set

* their path to just contain a single dir.

log_auth(validated,

log_denial(validated,

!(cmnd_status == NOT_FOUND_DOT || cmnd_status == NOT_FOUND));

if (cmnd_status == NOT_FOUND)

warnx("%s: command not found", user_cmnd);

warningx("%s: command not found", user_cmnd);

else if (cmnd_status == NOT_FOUND_DOT)

warnx("ignoring `%s' found in '.'\nUse `sudo ./%s' if this is the `%s' you wish to run.", user_cmnd, user_cmnd, user_cmnd);

warningx("ignoring `%s' found in '.'\nUse `sudo ./%s' if this is the `%s' you wish to run.", user_cmnd, user_cmnd, user_cmnd);

} else {

/* Just tell the user they are not allowed to run foo. */

log_auth(validated, 1);

log_denial(validated, 1);

}

exit(1);

} else {

/* should never get here */

log_auth(validated, 1);

exit(1);

}

exit(0); /* not reached */

}

Line 496

Line 563

* Initialize timezone, set umask, fill in ``sudo_user'' struct and

* load the ``interfaces'' array.

static int

static void

init_vars(sudo_mode, envp)

int sudo_mode;

char **envp;

{

char *p, **ep, thost[MAXHOSTNAMELEN];

char *p, **ep, thost[MAXHOSTNAMELEN + 1];

int nohostname, rval;

int nohostname;

/* Sanity check command from user. */

if (user_cmnd == NULL && strlen(NewArgv[0]) >= PATH_MAX)

errx(1, "%s: File name too long", NewArgv[0]);

errorx(1, "%s: File name too long", NewArgv[0]);

#ifdef HAVE_TZSET

(void) tzset(); /* set the timezone if applicable */

Line 527

Line 594

if (nohostname)

user_host = user_shost = "localhost";

else {

thost[sizeof(thost) - 1] = '\0';

user_host = estrdup(thost);

if (def_fqdn) {

/* Defer call to set_fqdn() until log_error() is safe. */

Line 550

Line 618

user_tty = "unknown";

for (ep = envp; *ep; ep++) {

/* XXX - don't fill in if empty string */

switch (**ep) {

case 'D':

if (strncmp("DISPLAY=", *ep, 8) == 0)

user_display = *ep + 8;

break;

case 'K':

if (strncmp("KRB5CCNAME=", *ep, 11) == 0)

user_ccname = *ep + 11;

break;

case 'P':

if (strncmp("PATH=", *ep, 5) == 0)

user_path = *ep + 5;

Line 562

Line 639

user_prompt = *ep + 12;

else if (strncmp("SUDO_USER=", *ep, 10) == 0)

prev_user = *ep + 10;

else if (strncmp("SUDO_ASKPASS=", *ep, 13) == 0)

user_askpass = *ep + 13;

break;

}

Line 589

Line 667

* be run during reboot after the YP/NIS/NIS+/LDAP/etc daemon has died.

if (sudo_mode & (MODE_INVALIDATE|MODE_KILL))

errx(1, "uid %s does not exist in the passwd file!", pw_name);

errorx(1, "unknown uid: %s", pw_name);

log_error(0, "uid %s does not exist in the passwd file!", pw_name);

log_error(0, "unknown uid: %s", pw_name);

}

if (user_shell == NULL || *user_shell == '\0')

user_shell = sudo_user.pw->pw_shell;

user_shell = estrdup(sudo_user.pw->pw_shell);

/* It is now safe to use log_error() and set_perms() */

Line 612

Line 690

if (nohostname)

log_error(USE_ERRNO|MSG_ONLY, "can't get hostname");

set_runaspw(*user_runas); /* may call log_error() */

if (*user_runas[0] == '#') {

if (runas_pw->pw_name != *user_runas && runas_pw->pw_name[0])

*user_runas = estrdup(runas_pw->pw_name);

}

* Get current working directory. Try as user, fall back to root.

Line 625

Line 697

if (!getcwd(user_cwd, sizeof(user_cwd))) {

set_perms(PERM_ROOT);

if (!getcwd(user_cwd, sizeof(user_cwd))) {

warnx("cannot get working directory");

warningx("cannot get working directory");

(void) strlcpy(user_cwd, "unknown", sizeof(user_cwd));

}

} else

Line 635

Line 707

* If we were given the '-e', '-i' or '-s' options we need to redo

* NewArgv and NewArgc.

if ((sudo_mode & (MODE_SHELL | MODE_EDIT))) {

if (ISSET(sudo_mode, MODE_EDIT)) {

char **dst, **src = NewArgv;

NewArgv--;

NewArgc++;

NewArgv[0] = "sudoedit";

} else if (ISSET(sudo_mode, MODE_SHELL)) {

char **av;

/* Allocate an extra slot for execve() failure (ENOEXEC). */

NewArgv = (char **) emalloc2((++NewArgc + 2), sizeof(char *));

av = (char **) emalloc2(5, sizeof(char *));

NewArgv++;

av++;

if (ISSET(sudo_mode, MODE_EDIT))

NewArgv[0] = "sudoedit";

else if (ISSET(sudo_mode, MODE_LOGIN_SHELL))

NewArgv[0] = runas_pw->pw_shell;

else if (user_shell && *user_shell)

NewArgv[0] = user_shell;

else

errx(1, "unable to determine shell");

/* copy the args from NewArgv */

av[0] = user_shell; /* may be updated later */

for (dst = NewArgv + 1; (*dst = *src) != NULL; ++src, ++dst)

if (NewArgc > 0) {

continue;

size_t size;

char *cmnd, *src, *dst, *end;

size = (size_t) (NewArgv[NewArgc - 1] - NewArgv[0]) +

strlen(NewArgv[NewArgc - 1]) + 1;

cmnd = emalloc(size);

src = NewArgv[0];

dst = cmnd;

for (end = src + size - 1; src < end; src++, dst++)

*dst = *src == 0 ? ' ' : *src;

*dst = '\0';

av[1] = "-c";

av[2] = cmnd;

NewArgc = 2;

}

av[++NewArgc] = NULL;

NewArgv = av;

}

/* Set login class if applicable. */

set_loginclass(sudo_user.pw);

* Fill in user_cmnd, user_args, user_base and user_stat variables

* and apply any command-specific defaults entries.

static int

set_cmnd(sudo_mode)

int sudo_mode;

{

int rval;

/* Set project if applicable. */

set_project(runas_pw);

Line 664

Line 755

/* Resolve the path and return. */

rval = FOUND;

user_stat = emalloc(sizeof(struct stat));

if (sudo_mode & (MODE_RUN | MODE_EDIT)) {

if (sudo_mode & (MODE_RUN | MODE_EDIT | MODE_CHECK)) {

if (ISSET(sudo_mode, MODE_RUN)) {

if (ISSET(sudo_mode, MODE_RUN | MODE_CHECK)) {

/* XXX - default_runas may be modified during parsing of sudoers */

set_perms(PERM_RUNAS);

rval = find_path(NewArgv[0], &user_cmnd, user_stat, user_path);

set_perms(PERM_ROOT);

Line 684

Line 774

size_t size, n;

/* If we didn't realloc NewArgv it is contiguous so just count. */

if (!(sudo_mode & (MODE_SHELL | MODE_EDIT))) {

if (!ISSET(sudo_mode, MODE_SHELL)) {

size = (size_t) (NewArgv[NewArgc-1] - NewArgv[1]) +

strlen(NewArgv[NewArgc-1]) + 1;

} else {

Line 697

Line 787

for (to = user_args, from = NewArgv + 1; *from; from++) {

n = strlcpy(to, *from, size - (to - user_args));

if (n >= size - (to - user_args))

errx(1, "internal error, init_vars() overflow");

errorx(1, "internal error, init_vars() overflow");

to += n;

*to++ = ' ';

}

Line 709

Line 799

else

user_base = user_cmnd;

if (!update_defaults(SETDEF_CMND))

log_error(NO_STDERR|NO_EXIT, "problem with defaults entries");

return(rval);

}

* Command line argument parsing, can't use getopt(3).

* Command line argument parsing.

* Sets NewArgc and NewArgv which corresponds to the argc/argv we'll use

* for the command to be run (if we are running one).

static int

parse_args(argc, argv)

int argc;

char **argv;

{

int rval = MODE_RUN; /* what mode is sudo to be run in? */

int mode = 0; /* what mode is sudo to be run in? */

int excl = 0; /* exclusive arg, no others allowed */

int flags = 0; /* mode flags */

int ch;

NewArgv = argv + 1;

NewArgc = argc - 1;

/* First, check to see if we were invoked as "sudoedit". */

if (strcmp(getprogname(), "sudoedit") == 0) {

if (strcmp(getprogname(), "sudoedit") == 0)

rval = MODE_EDIT;

mode = MODE_EDIT;

excl = 'e';

} else

rval = MODE_RUN;

while (NewArgc > 0) {

/* Returns true if the last option string was "--" */

if (NewArgv[0][0] == '-') {

#define got_end_of_args (optind > 1 && argv[optind - 1][0] == '-' && \

if (NewArgv[0][1] != '\0' && NewArgv[0][2] != '\0') {

argv[optind - 1][1] == '-' && argv[optind - 1][2] == '\0')

warnx("please use single character options");

usage(1);

}

switch (NewArgv[0][1]) {

/* Returns true if next option is an environment variable */

case 'p':

#define is_envar (optind < argc && argv[optind][0] != '/' && \

/* Must have an associated prompt. */

strchr(argv[optind], '=') != NULL)

if (NewArgv[1] == NULL)

usage(1);

user_prompt = NewArgv[1];

for (;;) {

def_passprompt_override = TRUE;

* We disable arg permutation for GNU getopt().

NewArgc--;

* Some trickiness is required to allow environment variables

NewArgv++;

* to be interspersed with command line options.

if ((ch = getopt(argc, argv, "+Aa:bC:c:Eeg:HhiKkLlnPp:r:Sst:U:u:Vv")) != -1) {

switch (ch) {

case 'A':

SET(tgetpass_flags, TGP_ASKPASS);

break;

case 'u':

/* Must have an associated runas user. */

if (NewArgv[1] == NULL)

usage(1);

user_runas = &NewArgv[1];

NewArgc--;

NewArgv++;

break;

#ifdef HAVE_BSD_AUTH_H

case 'a':

/* Must have an associated authentication style. */

login_style = optarg;

if (NewArgv[1] == NULL)

usage(1);

login_style = NewArgv[1];

NewArgc--;

NewArgv++;

break;

#endif

case 'b':

SET(flags, MODE_BACKGROUND);

break;

case 'C':

if ((user_closefrom = atoi(optarg)) < 3) {

warningx("the argument to -C must be at least 3");

usage(1);

}

break;

#ifdef HAVE_LOGIN_CAP_H

case 'c':

/* Must have an associated login class. */

login_class = optarg;

if (NewArgv[1] == NULL)

usage(1);

login_class = NewArgv[1];

def_use_loginclass = TRUE;

NewArgc--;

NewArgv++;

break;

#endif

case 'b':

case 'E':

SET(rval, MODE_BACKGROUND);

SET(flags, MODE_PRESERVE_ENV);

break;

case 'e':

rval = MODE_EDIT;

if (mode && mode != MODE_EDIT)

if (excl && excl != 'e')

usage_excl(1);

excl = 'e';

mode = MODE_EDIT;

break;

case 'v':

case 'g':

rval = MODE_VALIDATE;

runas_group = optarg;

if (excl && excl != 'v')

break;

case 'H':

SET(flags, MODE_RESET_HOME);

break;

case 'h':

if (mode && mode != MODE_HELP)

usage_excl(1);

excl = 'v';

mode = MODE_HELP;

break;

case 'i':

SET(rval, (MODE_LOGIN_SHELL | MODE_SHELL));

SET(flags, MODE_LOGIN_SHELL);

def_env_reset = TRUE;

if (excl && excl != 'i')

usage_excl(1);

excl = 'i';

break;

case 'k':

rval = MODE_INVALIDATE;

if (mode && mode != MODE_INVALIDATE)

if (excl && excl != 'k')

usage_excl(1);

excl = 'k';

mode = MODE_INVALIDATE;

break;

case 'K':

rval = MODE_KILL;

if (mode && mode != MODE_KILL)

if (excl && excl != 'K')

usage_excl(1);

excl = 'K';

mode = MODE_KILL;

break;

case 'L':

rval = MODE_LISTDEFS;

if (mode && mode != MODE_LISTDEFS)

if (excl && excl != 'L')

usage_excl(1);

excl = 'L';

mode = MODE_LISTDEFS;

break;

case 'l':

rval = MODE_LIST;

if (mode) {

if (excl && excl != 'l')

if (mode == MODE_LIST)

usage_excl(1);

long_list = 1;

excl = 'l';

else

usage_excl(1);

}

mode = MODE_LIST;

break;

case 'V':

case 'n':

rval = MODE_VERSION;

SET(flags, MODE_NONINTERACTIVE);

if (excl && excl != 'V')

usage_excl(1);

excl = 'V';

break;

case 'h':

case 'P':

rval = MODE_HELP;

SET(flags, MODE_PRESERVE_GROUPS);

if (excl && excl != 'h')

usage_excl(1);

excl = 'h';

break;

case 's':

case 'p':

SET(rval, MODE_SHELL);

user_prompt = optarg;

if (excl && excl != 's')

def_passprompt_override = TRUE;

usage_excl(1);

excl = 's';

break;

case 'H':

#ifdef HAVE_SELINUX

SET(rval, MODE_RESET_HOME);

case 'r':

user_role = optarg;

break;

case 'P':

case 't':

SET(rval, MODE_PRESERVE_GROUPS);

user_type = optarg;

break;

#endif

case 'S':

SET(tgetpass_flags, TGP_STDIN);

break;

case 'E':

case 's':

SET(rval, MODE_PRESERVE_ENV);

SET(flags, MODE_SHELL);

break;

#ifdef HAVE_SELINUX

case 'U':

case 'r':

if ((list_pw = sudo_getpwnam(optarg)) == NULL)

/* Must have an associated SELinux role. */

errorx(1, "unknown user: %s", optarg);

if (NewArgv[1] == NULL)

usage(1);

user_role = NewArgv[1];

NewArgc--;

NewArgv++;

break;

case 't':

case 'u':

/* Must have an associated SELinux type. */

runas_user = optarg;

if (NewArgv[1] == NULL)

usage(1);

user_type = NewArgv[1];

NewArgc--;

NewArgv++;

break;

#endif

case 'v':

case '-':

if (mode && mode != MODE_VALIDATE)

NewArgc--;

usage_excl(1);

NewArgv++;

mode = MODE_VALIDATE;

goto args_done;

break;

case '\0':

case 'V':

warnx("'-' requires an argument");

if (mode && mode != MODE_VERSION)

usage(1);

usage_excl(1);

mode = MODE_VERSION;

break;

default:

warnx("illegal option `%s'", NewArgv[0]);

usage(1);

}

} else if (NewArgv[0][0] != '/' && strchr(NewArgv[0], '=') != NULL) {

} else if (!got_end_of_args && is_envar) {

/* Could be an environment variable. */

struct list_member *ev;

/* Store environment variable. */

ev = emalloc(sizeof(*ev));

ev->value = NewArgv[0];

ev->value = argv[optind];

ev->next = sudo_user.env_vars;

sudo_user.env_vars = ev;

/* Crank optind and resume getopt. */

optind++;

} else {

/* Not an arg */

/* Not an option or an environment variable -- we're done. */

break;

}

NewArgc--;

NewArgv++;

}

args_done:

if (ISSET(rval, MODE_EDIT) &&

NewArgc = argc - optind;

(ISSET(rval, MODE_PRESERVE_ENV) || sudo_user.env_vars != NULL)) {

NewArgv = argv + optind;

if (ISSET(rval, MODE_PRESERVE_ENV))

warnx("the `-E' option is not valid in edit mode");

if (!mode)

mode = MODE_RUN;

if (NewArgc > 0 && mode == MODE_LIST)

mode = MODE_CHECK;

if (ISSET(flags, MODE_LOGIN_SHELL)) {

if (ISSET(flags, MODE_SHELL)) {

warningx("you may not specify both the `-i' and `-s' options");

usage(1);

}

if (ISSET(flags, MODE_PRESERVE_ENV)) {

warningx("you may not specify both the `-i' and `-E' options");

usage(1);

}

SET(flags, MODE_SHELL);

}

if (mode == MODE_EDIT &&

(ISSET(flags, MODE_PRESERVE_ENV) || sudo_user.env_vars != NULL)) {

if (ISSET(mode, MODE_PRESERVE_ENV))

warningx("the `-E' option is not valid in edit mode");

if (sudo_user.env_vars != NULL)

warnx("you may not specify environment variables in edit mode");

warningx("you may not specify environment variables in edit mode");

usage(1);

}

if (ISSET(rval, MODE_PRESERVE_ENV) && ISSET(rval, MODE_LOGIN_SHELL)) {

if ((runas_user != NULL || runas_group != NULL) &&

warnx("you may not specify both the `-i' and `-E' options");

!ISSET(mode, MODE_EDIT | MODE_RUN | MODE_CHECK)) {

usage(1);

}

if (user_runas != NULL && !ISSET(rval, (MODE_EDIT|MODE_RUN))) {

if (list_pw != NULL && mode != MODE_LIST && mode != MODE_CHECK) {

if (excl != '\0')

warningx("the `-U' option may only be used with the `-l' option");

warnx("the `-u' and '-%c' options may not be used together", excl);

usage(1);

}

if ((NewArgc == 0 && (rval & MODE_EDIT)) ||

if (ISSET(tgetpass_flags, TGP_STDIN) && ISSET(tgetpass_flags, TGP_ASKPASS)) {

(NewArgc > 0 && !(rval & (MODE_RUN | MODE_EDIT))))

warningx("the `-A' and `-S' options may not be used together");

usage(1);

if (NewArgc == 0 && rval == MODE_RUN)

}

SET(rval, (MODE_IMPLIED_SHELL | MODE_SHELL));

if ((NewArgc == 0 && mode == MODE_EDIT) ||

(NewArgc > 0 && !ISSET(mode, MODE_RUN | MODE_EDIT | MODE_CHECK)))

usage(1);

if (NewArgc == 0 && mode == MODE_RUN && !ISSET(flags, MODE_SHELL))

SET(flags, (MODE_IMPLIED_SHELL | MODE_SHELL));

return(rval);

return(mode | flags);

}

* Sanity check sudoers mode/owner/type.

* Open sudoers and sanity check mode/owner/type.

* Leaves a file pointer to the sudoers file open in ``fp''.

* Returns a handle to the sudoers file or NULL on error.

static void

FILE *

check_sudoers()

open_sudoers(sudoers, keepopen)

const char *sudoers;

int *keepopen;

{

struct stat statbuf;

int rootstat, i;

FILE *fp = NULL;

int rootstat;

* Fix the mode and group on sudoers file from old default.

* Only works if file system is readable/writable by root.

if ((rootstat = stat_sudoers(_PATH_SUDOERS, &statbuf)) == 0 &&

if ((rootstat = stat_sudoers(sudoers, &statbuf)) == 0 &&

SUDOERS_UID == statbuf.st_uid && SUDOERS_MODE != 0400 &&

(statbuf.st_mode & 0007777) == 0400) {

if (chmod(_PATH_SUDOERS, SUDOERS_MODE) == 0) {

if (chmod(sudoers, SUDOERS_MODE) == 0) {

warnx("fixed mode on %s", _PATH_SUDOERS);

warningx("fixed mode on %s", sudoers);

SET(statbuf.st_mode, SUDOERS_MODE);

if (statbuf.st_gid != SUDOERS_GID) {

if (!chown(_PATH_SUDOERS,(uid_t) -1,SUDOERS_GID)) {

if (chown(sudoers, (uid_t) -1, SUDOERS_GID) == 0) {

warnx("set group on %s", _PATH_SUDOERS);

warningx("set group on %s", sudoers);

statbuf.st_gid = SUDOERS_GID;

} else

warn("unable to set group on %s", _PATH_SUDOERS);

warning("unable to set group on %s", sudoers);

}

} else

warn("unable to fix mode on %s", _PATH_SUDOERS);

warning("unable to fix mode on %s", sudoers);

}

Line 977

Line 1061

set_perms(PERM_SUDOERS);

if (rootstat != 0 && stat_sudoers(_PATH_SUDOERS, &statbuf) != 0)

if (rootstat != 0 && stat_sudoers(sudoers, &statbuf) != 0)

log_error(USE_ERRNO, "can't stat %s", _PATH_SUDOERS);

log_error(USE_ERRNO|NO_EXIT, "can't stat %s", sudoers);

else if (!S_ISREG(statbuf.st_mode))

log_error(0, "%s is not a regular file", _PATH_SUDOERS);

log_error(NO_EXIT, "%s is not a regular file", sudoers);

else if (statbuf.st_size == 0)

log_error(0, "%s is zero length", _PATH_SUDOERS);

else if ((statbuf.st_mode & 07777) != SUDOERS_MODE)

log_error(0, "%s is mode 0%o, should be 0%o", _PATH_SUDOERS,

log_error(NO_EXIT, "%s is mode 0%o, should be 0%o", sudoers,

(unsigned int) (statbuf.st_mode & 07777),

(unsigned int) SUDOERS_MODE);

else if (statbuf.st_uid != SUDOERS_UID)

log_error(0, "%s is owned by uid %lu, should be %lu", _PATH_SUDOERS,

log_error(NO_EXIT, "%s is owned by uid %lu, should be %lu", sudoers,

(unsigned long) statbuf.st_uid, (unsigned long) SUDOERS_UID);

else if (statbuf.st_gid != SUDOERS_GID)

log_error(0, "%s is owned by gid %lu, should be %lu", _PATH_SUDOERS,

log_error(NO_EXIT, "%s is owned by gid %lu, should be %lu", sudoers,

(unsigned long) statbuf.st_gid, (unsigned long) SUDOERS_GID);

else {

else if ((fp = fopen(sudoers, "r")) == NULL)

/* Solaris sometimes returns EAGAIN so try 10 times */

log_error(USE_ERRNO, "can't open %s", sudoers);

for (i = 0; i < 10 ; i++) {

else if (statbuf.st_size != 0) {

errno = 0;

if ((sudoers_fp = fopen(_PATH_SUDOERS, "r")) == NULL ||

* Make sure we can actually read sudoers so we can present the

fgetc(sudoers_fp) == EOF) {

* user with a reasonable error message.

if (sudoers_fp != NULL)

fclose(sudoers_fp);

if (fgetc(fp) == EOF)

sudoers_fp = NULL;

log_error(USE_ERRNO, "can't read %s", sudoers);

if (errno != EAGAIN && errno != EWOULDBLOCK)

rewind(fp);

break;

} else

break;

sleep(1);

}

if (sudoers_fp == NULL)

log_error(USE_ERRNO, "can't open %s", _PATH_SUDOERS);

}

(void) fcntl(fileno(fp), F_SETFD, 1);

set_perms(PERM_ROOT); /* change back to root */

return(fp);

}

* Close all open files (except std*) and turn off core dumps.

* Also sets the set_perms() pointer to the correct function.

static void

initial_setup()

Line 1065

Line 1143

(void) dup2(devnull, STDOUT_FILENO);

if (miss[STDERR_FILENO])

(void) dup2(devnull, STDERR_FILENO);

if (devnull > STDERR_FILENO)

close(devnull);

}

closefrom(STDERR_FILENO + 1);

}

#ifdef HAVE_LOGIN_CAP_H

Line 1088

Line 1167

errflags = NO_MAIL|MSG_ONLY|NO_EXIT;

if (login_class && strcmp(login_class, "-") != 0) {

if (strcmp(*user_runas, "root") != 0 && user_uid != 0)

if (user_uid != 0 &&

errx(1, "only root can use -c %s", login_class);

strcmp(runas_user ? runas_user : def_runas_default, "root") != 0)

errorx(1, "only root can use -c %s", login_class);

} else {

login_class = pw->pw_class;

if (!login_class || !*login_class)

Line 1192

Line 1272

char *p;

#ifdef HAVE_GETADDRINFO

memset(&hint, 0, sizeof(hint));

zero_bytes(&hint, sizeof(hint));

hint.ai_family = PF_UNSPEC;

hint.ai_flags = AI_CANONNAME;

if (getaddrinfo(user_host, NULL, &hint, &res0) != 0) {

Line 1225

Line 1305

* Get passwd entry for the user we are going to run commands as.

* By default, this is "root". Updates runas_pw as a side effect.

int

static void

set_runaspw(user)

char *user;

{

if (runas_pw != NULL) {

if (user_runas != &def_runas_default)

return(TRUE); /* don't override -u option */

efree(runas_pw);

}

if (*user == '#') {

runas_pw = sudo_getpwuid(atoi(user + 1));

if ((runas_pw = sudo_getpwuid(atoi(user + 1))) == NULL)

if (runas_pw == NULL) {

runas_pw = sudo_fakepwnam(user, runas_gr ? runas_gr->gr_gid : 0);

runas_pw = emalloc(sizeof(struct passwd));

(void) memset((VOID *)runas_pw, 0, sizeof(struct passwd));

runas_pw->pw_uid = atoi(user + 1);

runas_pw->pw_name = user;

runas_pw->pw_passwd = "*";

runas_pw->pw_gecos = user;

runas_pw->pw_dir = "/";

runas_pw->pw_shell = estrdup(_PATH_BSHELL);

}

} else {

runas_pw = sudo_getpwnam(user);

if ((runas_pw = sudo_getpwnam(user)) == NULL)

if (runas_pw == NULL)

log_error(NO_MAIL|MSG_ONLY, "unknown user: %s", user);

log_error(NO_MAIL|MSG_ONLY, "no passwd entry for %s!", user);

}

return(TRUE);

}

* Get group entry for the group we are going to run commands as.

* Updates runas_pw as a side effect.

static void

set_runasgr(group)

char *group;

{

if (*group == '#') {

if ((runas_gr = sudo_getgrgid(atoi(group + 1))) == NULL)

runas_gr = sudo_fakegrnam(group);

} else {

if ((runas_gr = sudo_getgrnam(group)) == NULL)

log_error(NO_MAIL|MSG_ONLY, "unknown group: %s", group);

}

* Get passwd entry for the user we are going to authenticate as.

* By default, this is the user invoking sudo. In the most common

* case, this matches sudo_user.pw or runas_pw.

Line 1265

Line 1346

struct passwd *pw;

if (def_rootpw) {

if (runas_pw->pw_uid == 0)

if ((pw = sudo_getpwuid(0)) == NULL)

pw = runas_pw;

log_error(0, "unknown uid: 0");

else if ((pw = sudo_getpwuid(0)) == NULL)

log_error(0, "uid 0 does not exist in the passwd file!");

} else if (def_runaspw) {

if (strcmp(def_runas_default, *user_runas) == 0)

if ((pw = sudo_getpwnam(def_runas_default)) == NULL)

pw = runas_pw;

log_error(0, "unknown user: %s", def_runas_default);

else if ((pw = sudo_getpwnam(def_runas_default)) == NULL)

log_error(0, "user %s does not exist in the passwd file!",

def_runas_default);

} else if (def_targetpw) {

if (runas_pw->pw_name == NULL)

log_error(NO_MAIL|MSG_ONLY, "no passwd entry for %lu!",

log_error(NO_MAIL|MSG_ONLY, "unknown uid: %lu",

(unsigned long) runas_pw->pw_uid);

pw = runas_pw;

} else

Line 1287

Line 1363

}

* Cleanup hook for error()/errorx()

void

cleanup(gotsignal)

int gotsignal;

{

struct sudo_nss *nss;

if (!gotsignal) {

if (snl != NULL) {

tq_foreach_fwd(snl, nss)

nss->close(nss);

}

sudo_endpwent();

sudo_endgrent();

}

static void

show_version()

{

(void) printf("Sudo version %s\n", version);

if (getuid() == 0) {

putchar('\n');

(void) printf("Sudoers path: %s\n", _PATH_SUDOERS);

#ifdef HAVE_LDAP

# ifdef _PATH_NSSWITCH_CONF

(void) printf("nsswitch path: %s\n", _PATH_NSSWITCH_CONF);

# endif

(void) printf("ldap.conf path: %s\n", _PATH_LDAP_CONF);

(void) printf("ldap.secret path: %s\n", _PATH_LDAP_SECRET);

#endif

dump_auth_methods();

dump_defaults();

dump_interfaces();

}

exit(0);

}

* Tell which options are mutually exclusive and exit.

static void

usage_excl(exit_val)

int exit_val;

{

warnx("Only one of the -e, -h, i, -k, -K, -l, -s, -v or -V options may be used");

warningx("Only one of the -e, -h, -i, -k, -K, -l, -s, -v or -V options may be specified");

usage(exit_val);

}

* Give usage message and exit.

* The actual usage strings are in sudo_usage.h for configure substitution.

static void

usage(exit_val)

int exit_val;

{

char **p, **uvec[4];

struct lbuf lbuf;

int i, linelen, linemax, ulen, plen;

char *uvec[5];

static char *uvec1[] = {

int i, ulen;

" -h |",

" -K |",

" -k |",

" -L |",

" -l |",

" -V |",

" -v",

NULL

};

static char *uvec2[] = {

" [-bEHPS]",

#ifdef HAVE_BSD_AUTH_H

" [-a auth_type]",

#endif

#ifdef HAVE_LOGIN_CAP_H

" [-c class|-]",

#endif

#ifdef HAVE_SELINUX

" [-r role]",

#endif

" [-p prompt]",

#ifdef HAVE_SELINUX

" [-t type]",

#endif

" [-u username|#uid]",

" [VAR=value]",

" {-i | -s | <command>}",

NULL

};

static char *uvec3[] = {

" -e",

" [-S]",

#ifdef HAVE_BSD_AUTH_H

" [-a auth_type]",

#endif

#ifdef HAVE_LOGIN_CAP_H

" [-c class|-]",

#endif

" [-p prompt]",

" [-u username|#uid]",

" file ...",

NULL

};

* Use usage vectors appropriate to the progname.

if (strcmp(getprogname(), "sudoedit") == 0) {

uvec[0] = uvec3 + 1;

uvec[0] = SUDO_USAGE4 + 3;

uvec[1] = NULL;

} else {

uvec[0] = uvec1;

uvec[0] = SUDO_USAGE1;

uvec[1] = uvec2;

uvec[1] = SUDO_USAGE2;

uvec[2] = uvec3;

uvec[2] = SUDO_USAGE3;

uvec[3] = NULL;

uvec[3] = SUDO_USAGE4;

uvec[4] = NULL;

}

* Print usage and wrap lines as needed.

* Print usage and wrap lines as needed, depending on the

* Assumes an 80-character wide terminal, which is kind of bogus...

* tty width.

ulen = (int)strlen(getprogname()) + 7;

ulen = (int)strlen(getprogname()) + 8;

linemax = 80;

lbuf_init(&lbuf, NULL, ulen, 0);

for (i = 0; uvec[i] != NULL; i++) {

printf("usage: %s", getprogname());

lbuf_append(&lbuf, "usage: ", getprogname(), uvec[i], NULL);

linelen = linemax - ulen;

lbuf_print(&lbuf);

for (p = uvec[i]; *p != NULL; p++) {

plen = (int)strlen(*p);

if (linelen >= plen || linelen == linemax - ulen) {

fputs(*p, stdout);

linelen -= plen;

} else {

p--;

linelen = linemax - ulen;

printf("\n%*s", ulen, "");

}

putchar('\n');

}

lbuf_destroy(&lbuf);

exit(exit_val);

}