Annotation of src/usr.bin/sudo/sudo.c, Revision 1.17
1.1 millert 1: /*
1.17 ! millert 2: * Copyright (c) 1993-1996,1998-2003 Todd C. Miller <Todd.Miller@courtesan.com>
1.1 millert 3: * All rights reserved.
4: *
5: * Redistribution and use in source and binary forms, with or without
6: * modification, are permitted provided that the following conditions
7: * are met:
8: *
9: * 1. Redistributions of source code must retain the above copyright
10: * notice, this list of conditions and the following disclaimer.
11: *
12: * 2. Redistributions in binary form must reproduce the above copyright
13: * notice, this list of conditions and the following disclaimer in the
14: * documentation and/or other materials provided with the distribution.
15: *
16: * 3. The name of the author may not be used to endorse or promote products
17: * derived from this software without specific prior written permission.
18: *
19: * 4. Products derived from this software may not be called "Sudo" nor
20: * may "Sudo" appear in their names without specific prior written
21: * permission from the author.
22: *
23: * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
24: * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
25: * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
26: * THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
27: * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
28: * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
29: * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
30: * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
31: * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
32: * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
33: *
34: * For a brief history of sudo, please see the HISTORY file included
35: * with this distribution.
36: */
37:
38: #define _SUDO_SUDO_C
39:
40: #include "config.h"
41:
1.11 millert 42: #include <sys/types.h>
43: #include <sys/stat.h>
44: #include <sys/param.h>
45: #include <sys/socket.h>
46: #ifdef HAVE_SETRLIMIT
47: # include <sys/time.h>
48: # include <sys/resource.h>
49: #endif
1.1 millert 50: #include <stdio.h>
51: #ifdef STDC_HEADERS
1.11 millert 52: # include <stdlib.h>
53: # include <stddef.h>
54: #else
55: # ifdef HAVE_STDLIB_H
56: # include <stdlib.h>
57: # endif
1.1 millert 58: #endif /* STDC_HEADERS */
1.11 millert 59: #ifdef HAVE_STRING_H
60: # if defined(HAVE_MEMORY_H) && !defined(STDC_HEADERS)
61: # include <memory.h>
62: # endif
63: # include <string.h>
64: #else
65: # ifdef HAVE_STRINGS_H
66: # include <strings.h>
67: # endif
68: #endif /* HAVE_STRING_H */
1.1 millert 69: #ifdef HAVE_UNISTD_H
1.11 millert 70: # include <unistd.h>
1.1 millert 71: #endif /* HAVE_UNISTD_H */
72: #include <pwd.h>
73: #include <errno.h>
74: #include <fcntl.h>
75: #include <signal.h>
76: #include <grp.h>
77: #include <time.h>
78: #include <netinet/in.h>
79: #include <netdb.h>
80: #if defined(HAVE_GETPRPWNAM) && defined(HAVE_SET_AUTH_PARAMETERS)
81: # ifdef __hpux
82: # undef MAXINT
83: # include <hpsecurity.h>
84: # else
85: # include <sys/security.h>
86: # endif /* __hpux */
87: # include <prot.h>
88: #endif /* HAVE_GETPRPWNAM && HAVE_SET_AUTH_PARAMETERS */
1.8 millert 89: #ifdef HAVE_LOGIN_CAP_H
1.4 millert 90: # include <login_cap.h>
91: # ifndef LOGIN_DEFROOTCLASS
92: # define LOGIN_DEFROOTCLASS "daemon"
93: # endif
94: #endif
1.1 millert 95:
96: #include "sudo.h"
97: #include "interfaces.h"
98: #include "version.h"
99:
100: #ifndef lint
1.17 ! millert 101: static const char rcsid[] = "$Sudo: sudo.c,v 1.333 2003/03/15 20:31:01 millert Exp $";
1.1 millert 102: #endif /* lint */
103:
104: /*
105: * Prototypes
106: */
1.11 millert 107: static int init_vars __P((int));
108: static int parse_args __P((void));
109: static void check_sudoers __P((void));
110: static void initial_setup __P((void));
111: static void set_loginclass __P((struct passwd *));
1.1 millert 112: static void usage __P((int));
113: static void usage_excl __P((int));
1.6 millert 114: static struct passwd *get_authpw __P((void));
1.11 millert 115: extern void list_matches __P((void));
116: extern char **rebuild_env __P((int, char **));
117: extern char **zero_env __P((char **));
118: extern struct passwd *sudo_getpwnam __P((const char *));
1.1 millert 119: extern struct passwd *sudo_getpwuid __P((uid_t));
120:
121: /*
122: * Globals
123: */
124: int Argc;
125: char **Argv;
126: int NewArgc = 0;
127: char **NewArgv = NULL;
128: struct sudo_user sudo_user;
1.6 millert 129: struct passwd *auth_pw;
1.1 millert 130: FILE *sudoers_fp = NULL;
131: struct interface *interfaces;
132: int num_interfaces;
1.4 millert 133: int tgetpass_flags;
1.17 ! millert 134: uid_t timestamp_uid;
1.1 millert 135: extern int errorlineno;
1.4 millert 136: #if defined(RLIMIT_CORE) && !defined(SUDO_DEVEL)
137: static struct rlimit corelimit;
138: #endif /* RLIMIT_CORE */
1.8 millert 139: #ifdef HAVE_LOGIN_CAP_H
140: login_cap_t *lc;
141: #endif /* HAVE_LOGIN_CAP_H */
142: #ifdef HAVE_BSD_AUTH_H
143: char *login_style;
144: #endif /* HAVE_BSD_AUTH_H */
1.17 ! millert 145: void (*set_perms) __P((int));
1.1 millert 146:
147:
148: int
1.11 millert 149: main(argc, argv, envp)
1.1 millert 150: int argc;
151: char **argv;
1.11 millert 152: char **envp;
1.1 millert 153: {
154: int validated;
155: int fd;
156: int cmnd_status;
157: int sudo_mode;
1.11 millert 158: int pwflag;
1.12 millert 159: char **new_environ;
1.17 ! millert 160: sigaction_t sa, saved_sa_int, saved_sa_quit, saved_sa_tstp, saved_sa_chld;
1.11 millert 161: extern int printmatches;
1.1 millert 162: extern char **environ;
163:
164: /* Must be done as the first thing... */
165: #if defined(HAVE_GETPRPWNAM) && defined(HAVE_SET_AUTH_PARAMETERS)
166: (void) set_auth_parameters(argc, argv);
167: # ifdef HAVE_INITPRIVS
168: initprivs();
169: # endif
170: #endif /* HAVE_GETPRPWNAM && HAVE_SET_AUTH_PARAMETERS */
171:
1.11 millert 172: /* Zero out the environment. */
173: environ = zero_env(envp);
174:
1.1 millert 175: Argv = argv;
176: Argc = argc;
177:
178: if (geteuid() != 0) {
179: (void) fprintf(stderr, "Sorry, %s must be setuid root.\n", Argv[0]);
180: exit(1);
181: }
182:
183: /*
1.17 ! millert 184: * Signal setup:
! 185: * Ignore keyboard-generated signals so the user cannot interrupt
! 186: * us at some point and avoid the logging.
! 187: * Install handler to wait for children when they exit.
1.1 millert 188: */
1.11 millert 189: sigemptyset(&sa.sa_mask);
190: sa.sa_flags = SA_RESTART;
191: sa.sa_handler = SIG_IGN;
1.17 ! millert 192: (void) sigaction(SIGINT, &sa, &saved_sa_int);
! 193: (void) sigaction(SIGQUIT, &sa, &saved_sa_quit);
! 194: (void) sigaction(SIGTSTP, &sa, &saved_sa_tstp);
! 195: sa.sa_handler = reapchild;
! 196: (void) sigaction(SIGCHLD, &sa, &saved_sa_chld);
1.1 millert 197:
198: /*
1.17 ! millert 199: * Turn off core dumps, close open files and setup set_perms().
1.1 millert 200: */
201: initial_setup();
1.11 millert 202: setpwent();
1.1 millert 203:
204: /* Parse our arguments. */
205: sudo_mode = parse_args();
206:
207: /* Setup defaults data structures. */
208: init_defaults();
209:
1.11 millert 210: /* Load the list of local ip addresses and netmasks. */
211: load_interfaces();
212:
213: pwflag = 0;
1.1 millert 214: if (sudo_mode & MODE_SHELL)
215: user_cmnd = "shell";
216: else
217: switch (sudo_mode) {
218: case MODE_VERSION:
219: (void) printf("Sudo version %s\n", version);
220: if (getuid() == 0) {
221: putchar('\n');
222: dump_auth_methods();
223: dump_defaults();
1.11 millert 224: dump_interfaces();
1.1 millert 225: }
226: exit(0);
227: break;
228: case MODE_HELP:
229: usage(0);
230: break;
231: case MODE_VALIDATE:
232: user_cmnd = "validate";
1.11 millert 233: pwflag = I_VERIFYPW_I;
1.1 millert 234: break;
235: case MODE_KILL:
236: case MODE_INVALIDATE:
237: user_cmnd = "kill";
1.11 millert 238: pwflag = -1;
1.1 millert 239: break;
240: case MODE_LISTDEFS:
241: list_options();
242: exit(0);
243: break;
244: case MODE_LIST:
245: user_cmnd = "list";
1.11 millert 246: pwflag = I_LISTPW_I;
1.1 millert 247: printmatches = 1;
248: break;
249: }
250:
251: /* Must have a command to run... */
252: if (user_cmnd == NULL && NewArgc == 0)
253: usage(1);
254:
255: cmnd_status = init_vars(sudo_mode);
256:
1.11 millert 257: check_sudoers(); /* check mode/owner on _PATH_SUDOERS */
1.1 millert 258:
1.11 millert 259: /* Validate the user but don't search for pseudo-commands. */
260: validated = sudoers_lookup(pwflag);
1.13 millert 261:
262: /*
1.17 ! millert 263: * If we are using set_perms_posix() and the stay_setuid flag was not set,
! 264: * set the real, effective and saved uids to 0 and use set_perms_nosuid()
1.13 millert 265: * instead of set_perms_posix().
266: */
1.17 ! millert 267: #if !defined(HAVE_SETRESUID) && !defined(HAVE_SETREUID) && \
! 268: !defined(NO_SAVED_IDS) && defined(_SC_SAVED_IDS) && defined(_SC_VERSION)
1.13 millert 269: if (!def_flag(I_STAY_SETUID) && set_perms == set_perms_posix) {
270: if (setuid(0)) {
271: perror("setuid(0)");
272: exit(1);
273: }
1.17 ! millert 274: set_perms = set_perms_nosuid;
1.13 millert 275: }
276: #endif
1.1 millert 277:
1.11 millert 278: /*
279: * Look up runas user passwd struct. If we are given a uid then
280: * there may be no corresponding passwd(5) entry (which is OK).
281: */
282: if (**user_runas == '#') {
283: runas_pw = sudo_getpwuid(atoi(*user_runas + 1));
284: if (runas_pw == NULL) {
285: runas_pw = emalloc(sizeof(struct passwd));
286: (void) memset((VOID *)runas_pw, 0, sizeof(struct passwd));
287: runas_pw->pw_uid = atoi(*user_runas + 1);
288: }
289: } else {
290: runas_pw = sudo_getpwnam(*user_runas);
291: if (runas_pw == NULL)
292: log_error(NO_MAIL|MSG_ONLY, "no passwd entry for %s!", *user_runas);
293: }
1.2 millert 294:
1.17 ! millert 295: /*
! 296: * Look up the timestamp dir owner if one is specified.
! 297: */
! 298: if (def_str(I_TIMESTAMPOWNER)) {
! 299: struct passwd *pw;
! 300:
! 301: if (*def_str(I_TIMESTAMPOWNER) == '#')
! 302: pw = getpwuid(atoi(def_str(I_TIMESTAMPOWNER) + 1));
! 303: else
! 304: pw = getpwnam(def_str(I_TIMESTAMPOWNER));
! 305: if (!pw)
! 306: log_error(0, "timestamp owner (%s): No such user",
! 307: def_str(I_TIMESTAMPOWNER));
! 308: timestamp_uid = pw->pw_uid;
! 309: }
! 310:
1.2 millert 311: /* This goes after the sudoers parse since we honor sudoers options. */
1.1 millert 312: if (sudo_mode == MODE_KILL || sudo_mode == MODE_INVALIDATE) {
313: remove_timestamp((sudo_mode == MODE_KILL));
314: exit(0);
315: }
316:
317: if (validated & VALIDATE_ERROR)
318: log_error(0, "parse error in %s near line %d", _PATH_SUDOERS,
319: errorlineno);
320:
321: /* Is root even allowed to run sudo? */
322: if (user_uid == 0 && !def_flag(I_ROOT_SUDO)) {
1.17 ! millert 323: (void) fprintf(stderr,
! 324: "Sorry, %s has been configured to not allow root to run it.\n",
! 325: Argv[0]);
1.1 millert 326: exit(1);
327: }
328:
1.11 millert 329: /* If given the -P option, set the "preserve_groups" flag. */
330: if (sudo_mode & MODE_PRESERVE_GROUPS)
331: def_flag(I_PRESERVE_GROUPS) = TRUE;
332:
1.3 millert 333: /* If no command line args and "set_home" is not set, error out. */
334: if ((sudo_mode & MODE_IMPLIED_SHELL) && !def_flag(I_SHELL_NOARGS))
335: usage(1);
336:
1.15 millert 337: /* May need to set $HOME to target user if we are running a command. */
338: if ((sudo_mode & MODE_RUN) && (def_flag(I_ALWAYS_SET_HOME) ||
339: ((sudo_mode & MODE_SHELL) && def_flag(I_SET_HOME))))
1.2 millert 340: sudo_mode |= MODE_RESET_HOME;
341:
1.1 millert 342: /* Bail if a tty is required and we don't have one. */
343: if (def_flag(I_REQUIRETTY)) {
344: if ((fd = open(_PATH_TTY, O_RDWR|O_NOCTTY)) == -1)
345: log_error(NO_MAIL, "sorry, you must have a tty to run sudo");
346: else
347: (void) close(fd);
348: }
349:
1.6 millert 350: /* Fill in passwd struct based on user we are authenticating as. */
351: auth_pw = get_authpw();
1.4 millert 352:
1.1 millert 353: /* Require a password unless the NOPASS tag was set. */
354: if (!(validated & FLAG_NOPASS))
355: check_user();
356:
1.14 millert 357: /* Build up custom environment that avoids any nasty bits. */
358: new_environ = rebuild_env(sudo_mode, envp);
359:
1.1 millert 360: if (validated & VALIDATE_OK) {
361: /* Finally tell the user if the command did not exist. */
362: if (cmnd_status == NOT_FOUND_DOT) {
363: (void) fprintf(stderr, "%s: ignoring `%s' found in '.'\nUse `sudo ./%s' if this is the `%s' you wish to run.\n", Argv[0], user_cmnd, user_cmnd, user_cmnd);
364: exit(1);
365: } else if (cmnd_status == NOT_FOUND) {
366: (void) fprintf(stderr, "%s: %s: command not found\n", Argv[0],
367: user_cmnd);
368: exit(1);
369: }
370:
371: log_auth(validated, 1);
372: if (sudo_mode == MODE_VALIDATE)
373: exit(0);
374: else if (sudo_mode == MODE_LIST) {
375: list_matches();
376: exit(0);
377: }
378:
379: /* This *must* have been set if we got a match but... */
380: if (safe_cmnd == NULL) {
381: log_error(MSG_ONLY,
1.11 millert 382: "internal error, safe_cmnd never got set for %s; %s",
1.1 millert 383: user_cmnd,
384: "please report this error at http://courtesan.com/sudo/bugs/");
385: }
386:
387: /* Override user's umask if configured to do so. */
388: if (def_ival(I_UMASK) != 0777)
389: (void) umask(def_mode(I_UMASK));
390:
1.4 millert 391: /* Restore coredumpsize resource limit. */
392: #if defined(RLIMIT_CORE) && !defined(SUDO_DEVEL)
393: (void) setrlimit(RLIMIT_CORE, &corelimit);
394: #endif /* RLIMIT_CORE */
395:
396: /* Become specified user or root. */
1.17 ! millert 397: set_perms(PERM_RUNAS);
1.16 millert 398:
399: /* Close the password and group files */
400: endpwent();
401: endgrent();
1.12 millert 402:
403: /* Install the new environment. */
404: environ = new_environ;
1.5 millert 405:
1.17 ! millert 406: /* Restore signal handlers before we exec. */
! 407: (void) sigaction(SIGINT, &saved_sa_int, NULL);
! 408: (void) sigaction(SIGQUIT, &saved_sa_quit, NULL);
! 409: (void) sigaction(SIGTSTP, &saved_sa_tstp, NULL);
! 410: (void) sigaction(SIGCHLD, &saved_sa_chld, NULL);
! 411:
1.1 millert 412: #ifndef PROFILING
413: if ((sudo_mode & MODE_BACKGROUND) && fork() > 0)
414: exit(0);
415: else
416: EXEC(safe_cmnd, NewArgv); /* run the command */
417: #else
418: exit(0);
419: #endif /* PROFILING */
420: /*
421: * If we got here then the exec() failed...
422: */
423: (void) fprintf(stderr, "%s: unable to exec %s: %s\n",
424: Argv[0], safe_cmnd, strerror(errno));
1.11 millert 425: exit(127);
1.1 millert 426: } else if ((validated & FLAG_NO_USER) || (validated & FLAG_NO_HOST)) {
427: log_auth(validated, 1);
428: exit(1);
429: } else if (validated & VALIDATE_NOT_OK) {
430: if (def_flag(I_PATH_INFO)) {
431: /*
432: * We'd like to not leak path info at all here, but that can
433: * *really* confuse the users. To really close the leak we'd
434: * have to say "not allowed to run foo" even when the problem
435: * is just "no foo in path" since the user can trivially set
436: * their path to just contain a single dir.
437: */
438: log_auth(validated,
439: !(cmnd_status == NOT_FOUND_DOT || cmnd_status == NOT_FOUND));
440: if (cmnd_status == NOT_FOUND)
441: (void) fprintf(stderr, "%s: %s: command not found\n", Argv[0],
442: user_cmnd);
443: else if (cmnd_status == NOT_FOUND_DOT)
444: (void) fprintf(stderr, "%s: ignoring `%s' found in '.'\nUse `sudo ./%s' if this is the `%s' you wish to run.\n", Argv[0], user_cmnd, user_cmnd, user_cmnd);
445: } else {
446: /* Just tell the user they are not allowed to run foo. */
447: log_auth(validated, 1);
448: }
449: exit(1);
450: } else {
451: /* should never get here */
452: log_auth(validated, 1);
453: exit(1);
454: }
455: exit(0); /* not reached */
456: }
457:
458: /*
459: * Initialize timezone, set umask, fill in ``sudo_user'' struct and
460: * load the ``interfaces'' array.
461: */
462: static int
463: init_vars(sudo_mode)
464: int sudo_mode;
465: {
466: char *p, thost[MAXHOSTNAMELEN];
1.11 millert 467: int nohostname, rval;
1.1 millert 468:
469: /* Sanity check command from user. */
470: if (user_cmnd == NULL && strlen(NewArgv[0]) >= MAXPATHLEN) {
471: (void) fprintf(stderr, "%s: %s: Pathname too long\n", Argv[0],
472: NewArgv[0]);
473: exit(1);
474: }
475:
476: #ifdef HAVE_TZSET
477: (void) tzset(); /* set the timezone if applicable */
478: #endif /* HAVE_TZSET */
479:
480: /* Default value for cmnd and cwd, overridden later. */
481: if (user_cmnd == NULL)
482: user_cmnd = NewArgv[0];
1.17 ! millert 483: (void) strlcpy(user_cwd, "unknown", sizeof(user_cwd));
1.1 millert 484:
485: /*
486: * We avoid gethostbyname() if possible since we don't want
487: * sudo to block if DNS or NIS is hosed.
488: * "host" is the (possibly fully-qualified) hostname and
489: * "shost" is the unqualified form of the hostname.
490: */
1.11 millert 491: nohostname = gethostname(thost, sizeof(thost));
492: if (nohostname)
493: user_host = user_shost = "localhost";
494: else {
1.1 millert 495: user_host = estrdup(thost);
1.11 millert 496: if (def_flag(I_FQDN)) {
497: /* Defer call to set_fqdn() until log_error() is safe. */
498: user_shost = user_host;
1.1 millert 499: } else {
1.11 millert 500: if ((p = strchr(user_host, '.'))) {
501: *p = '\0';
502: user_shost = estrdup(user_host);
503: *p = '.';
504: } else {
505: user_shost = user_host;
506: }
1.1 millert 507: }
508: }
509:
510: if ((p = ttyname(STDIN_FILENO)) || (p = ttyname(STDOUT_FILENO))) {
511: if (strncmp(p, _PATH_DEV, sizeof(_PATH_DEV) - 1) == 0)
512: p += sizeof(_PATH_DEV) - 1;
513: user_tty = estrdup(p);
514: } else
515: user_tty = "unknown";
516:
517: /*
518: * Get a local copy of the user's struct passwd with the shadow password
519: * if necessary. It is assumed that euid is 0 at this point so we
520: * can read the shadow passwd file if necessary.
521: */
522: if ((sudo_user.pw = sudo_getpwuid(getuid())) == NULL) {
523: /* Need to make a fake struct passwd for logging to work. */
524: struct passwd pw;
525: char pw_name[MAX_UID_T_LEN + 1];
526:
527: pw.pw_uid = getuid();
1.17 ! millert 528: (void) snprintf(pw_name, sizeof(pw_name), "%lu",
! 529: (unsigned long) pw.pw_uid);
1.1 millert 530: pw.pw_name = pw_name;
531: sudo_user.pw = &pw;
532:
1.17 ! millert 533: log_error(0, "uid %lu does not exist in the passwd file!",
! 534: (unsigned long) pw.pw_uid);
1.1 millert 535: }
1.15 millert 536: if (user_shell == NULL || *user_shell == '\0')
537: user_shell = sudo_user.pw->pw_shell;
1.1 millert 538:
539: /* It is now safe to use log_error() and set_perms() */
540:
541: /*
1.11 millert 542: * Must defer set_fqdn() until it is safe to call log_error()
543: */
544: if (def_flag(I_FQDN))
545: set_fqdn();
546:
547: if (nohostname)
548: log_error(USE_ERRNO|MSG_ONLY, "can't get hostname");
549:
550: /*
1.1 millert 551: * Get current working directory. Try as user, fall back to root.
552: */
1.17 ! millert 553: set_perms(PERM_USER);
1.1 millert 554: if (!getcwd(user_cwd, sizeof(user_cwd))) {
1.17 ! millert 555: set_perms(PERM_ROOT);
1.1 millert 556: if (!getcwd(user_cwd, sizeof(user_cwd))) {
557: (void) fprintf(stderr, "%s: Can't get working directory!\n",
558: Argv[0]);
1.17 ! millert 559: (void) strlcpy(user_cwd, "unknown", sizeof(user_cwd));
1.1 millert 560: }
561: } else
1.17 ! millert 562: set_perms(PERM_ROOT);
1.1 millert 563:
564: /*
565: * If we were given the '-s' option (run shell) we need to redo
566: * NewArgv and NewArgc.
567: */
568: if ((sudo_mode & MODE_SHELL)) {
569: char **dst, **src = NewArgv;
570:
1.17 ! millert 571: NewArgv = (char **) emalloc2((++NewArgc + 1), sizeof(char *));
1.1 millert 572: if (user_shell && *user_shell) {
573: NewArgv[0] = user_shell;
574: } else {
575: (void) fprintf(stderr, "%s: Unable to determine shell.", Argv[0]);
576: exit(1);
577: }
578:
579: /* copy the args from Argv */
580: for (dst = NewArgv + 1; (*dst = *src) != NULL; ++src, ++dst)
581: ;
582: }
583:
1.8 millert 584: /* Set login class if applicable. */
585: set_loginclass(sudo_user.pw);
586:
1.1 millert 587: /* Resolve the path and return. */
1.11 millert 588: if ((sudo_mode & MODE_RUN)) {
589: /* XXX - should call this as runas user, not root. */
590: rval = find_path(NewArgv[0], &user_cmnd, user_path);
591: if (rval != FOUND) {
592: /* Failed as root, try as invoking user. */
1.17 ! millert 593: set_perms(PERM_USER);
1.11 millert 594: rval = find_path(NewArgv[0], &user_cmnd, user_path);
1.17 ! millert 595: set_perms(PERM_ROOT);
1.11 millert 596: }
597:
598: /* set user_args */
599: if (NewArgc > 1) {
600: char *to, **from;
1.17 ! millert 601: size_t size, n;
1.11 millert 602:
603: /* If MODE_SHELL not set then NewArgv is contiguous so just count */
604: if (!(sudo_mode & MODE_SHELL)) {
605: size = (size_t) (NewArgv[NewArgc-1] - NewArgv[1]) +
606: strlen(NewArgv[NewArgc-1]) + 1;
607: } else {
608: for (size = 0, from = NewArgv + 1; *from; from++)
609: size += strlen(*from) + 1;
610: }
611:
612: /* alloc and copy. */
1.17 ! millert 613: user_args = (char *) emalloc(size);
! 614: for (to = user_args, from = NewArgv + 1; *from; from++) {
! 615: n = strlcpy(to, *from, size - (to - user_args));
! 616: if (n >= size) {
! 617: (void) fprintf(stderr,
! 618: "%s: internal error, init_vars() overflow\n", Argv[0]);
! 619: exit(1);
! 620: }
! 621: to += n;
1.11 millert 622: *to++ = ' ';
623: }
624: *--to = '\0';
625: }
626: } else
627: rval = FOUND;
628:
629: return(rval);
1.1 millert 630: }
631:
632: /*
633: * Command line argument parsing, can't use getopt(3).
634: */
635: static int
636: parse_args()
637: {
1.17 ! millert 638: int rval = MODE_RUN; /* what mode is sudo to be run in? */
1.1 millert 639: int excl = 0; /* exclusive arg, no others allowed */
640:
641: NewArgv = Argv + 1;
642: NewArgc = Argc - 1;
643:
1.2 millert 644: if (NewArgc == 0) { /* no options and no command */
1.3 millert 645: rval |= (MODE_IMPLIED_SHELL | MODE_SHELL);
1.1 millert 646: return(rval);
647: }
648:
649: while (NewArgc > 0 && NewArgv[0][0] == '-') {
650: if (NewArgv[0][1] != '\0' && NewArgv[0][2] != '\0') {
651: (void) fprintf(stderr, "%s: Please use single character options\n",
652: Argv[0]);
653: usage(1);
654: }
655:
656: switch (NewArgv[0][1]) {
657: case 'p':
658: /* Must have an associated prompt. */
659: if (NewArgv[1] == NULL)
660: usage(1);
661:
662: user_prompt = NewArgv[1];
663:
664: /* Shift Argv over and adjust Argc. */
665: NewArgc--;
666: NewArgv++;
667: break;
668: case 'u':
669: /* Must have an associated runas user. */
670: if (NewArgv[1] == NULL)
671: usage(1);
672:
673: user_runas = &NewArgv[1];
674:
675: /* Shift Argv over and adjust Argc. */
676: NewArgc--;
677: NewArgv++;
678: break;
1.8 millert 679: #ifdef HAVE_BSD_AUTH_H
680: case 'a':
681: /* Must have an associated authentication style. */
682: if (NewArgv[1] == NULL)
683: usage(1);
684:
685: login_style = NewArgv[1];
686:
687: /* Shift Argv over and adjust Argc. */
688: NewArgc--;
689: NewArgv++;
690: break;
691: #endif
692: #ifdef HAVE_LOGIN_CAP_H
1.4 millert 693: case 'c':
694: /* Must have an associated login class. */
695: if (NewArgv[1] == NULL)
696: usage(1);
697:
698: login_class = NewArgv[1];
1.11 millert 699: def_flag(I_USE_LOGINCLASS) = TRUE;
1.4 millert 700:
701: /* Shift Argv over and adjust Argc. */
702: NewArgc--;
703: NewArgv++;
704: break;
705: #endif
1.1 millert 706: case 'b':
707: rval |= MODE_BACKGROUND;
708: break;
709: case 'v':
710: rval = MODE_VALIDATE;
711: if (excl && excl != 'v')
712: usage_excl(1);
713: excl = 'v';
714: break;
715: case 'k':
716: rval = MODE_INVALIDATE;
717: if (excl && excl != 'k')
718: usage_excl(1);
719: excl = 'k';
720: break;
721: case 'K':
722: rval = MODE_KILL;
723: if (excl && excl != 'K')
724: usage_excl(1);
725: excl = 'K';
726: break;
727: case 'L':
728: rval = MODE_LISTDEFS;
729: if (excl && excl != 'L')
730: usage_excl(1);
731: excl = 'L';
732: break;
733: case 'l':
734: rval = MODE_LIST;
735: if (excl && excl != 'l')
736: usage_excl(1);
737: excl = 'l';
738: break;
739: case 'V':
740: rval = MODE_VERSION;
741: if (excl && excl != 'V')
742: usage_excl(1);
743: excl = 'V';
744: break;
745: case 'h':
746: rval = MODE_HELP;
747: if (excl && excl != 'h')
748: usage_excl(1);
749: excl = 'h';
750: break;
751: case 's':
752: rval |= MODE_SHELL;
1.2 millert 753: if (excl && excl != 's')
754: usage_excl(1);
755: excl = 's';
1.1 millert 756: break;
757: case 'H':
758: rval |= MODE_RESET_HOME;
759: break;
1.11 millert 760: case 'P':
761: rval |= MODE_PRESERVE_GROUPS;
762: break;
1.4 millert 763: case 'S':
764: tgetpass_flags |= TGP_STDIN;
765: break;
1.1 millert 766: case '-':
767: NewArgc--;
768: NewArgv++;
1.2 millert 769: if (rval == MODE_RUN)
1.3 millert 770: rval |= (MODE_IMPLIED_SHELL | MODE_SHELL);
1.1 millert 771: return(rval);
772: case '\0':
773: (void) fprintf(stderr, "%s: '-' requires an argument\n",
774: Argv[0]);
775: usage(1);
776: default:
777: (void) fprintf(stderr, "%s: Illegal option %s\n", Argv[0],
778: NewArgv[0]);
779: usage(1);
780: }
781: NewArgc--;
782: NewArgv++;
783: }
784:
785: if (NewArgc > 0 && !(rval & MODE_RUN))
786: usage(1);
787:
788: return(rval);
789: }
790:
791: /*
792: * Sanity check sudoers mode/owner/type.
793: * Leaves a file pointer to the sudoers file open in ``fp''.
794: */
795: static void
796: check_sudoers()
797: {
798: struct stat statbuf;
799: int rootstat, i;
800: char c;
801:
802: /*
803: * Fix the mode and group on sudoers file from old default.
804: * Only works if filesystem is readable/writable by root.
805: */
1.17 ! millert 806: if ((rootstat = stat_sudoers(_PATH_SUDOERS, &statbuf)) == 0 &&
1.1 millert 807: SUDOERS_UID == statbuf.st_uid && SUDOERS_MODE != 0400 &&
808: (statbuf.st_mode & 0007777) == 0400) {
809:
810: if (chmod(_PATH_SUDOERS, SUDOERS_MODE) == 0) {
811: (void) fprintf(stderr, "%s: fixed mode on %s\n",
812: Argv[0], _PATH_SUDOERS);
1.3 millert 813: statbuf.st_mode |= SUDOERS_MODE;
1.1 millert 814: if (statbuf.st_gid != SUDOERS_GID) {
815: if (!chown(_PATH_SUDOERS,(uid_t) -1,SUDOERS_GID)) {
816: (void) fprintf(stderr, "%s: set group on %s\n",
817: Argv[0], _PATH_SUDOERS);
818: statbuf.st_gid = SUDOERS_GID;
819: } else {
820: (void) fprintf(stderr,"%s: Unable to set group on %s: %s\n",
821: Argv[0], _PATH_SUDOERS, strerror(errno));
822: }
823: }
824: } else {
825: (void) fprintf(stderr, "%s: Unable to fix mode on %s: %s\n",
826: Argv[0], _PATH_SUDOERS, strerror(errno));
827: }
828: }
829:
830: /*
831: * Sanity checks on sudoers file. Must be done as sudoers
832: * file owner. We already did a stat as root, so use that
833: * data if we can't stat as sudoers file owner.
834: */
1.17 ! millert 835: set_perms(PERM_SUDOERS);
1.1 millert 836:
1.17 ! millert 837: if (rootstat != 0 && stat_sudoers(_PATH_SUDOERS, &statbuf) != 0)
1.1 millert 838: log_error(USE_ERRNO, "can't stat %s", _PATH_SUDOERS);
839: else if (!S_ISREG(statbuf.st_mode))
840: log_error(0, "%s is not a regular file", _PATH_SUDOERS);
1.9 millert 841: else if (statbuf.st_size == 0)
842: log_error(0, "%s is zero length", _PATH_SUDOERS);
1.1 millert 843: else if ((statbuf.st_mode & 07777) != SUDOERS_MODE)
844: log_error(0, "%s is mode 0%o, should be 0%o", _PATH_SUDOERS,
845: (statbuf.st_mode & 07777), SUDOERS_MODE);
846: else if (statbuf.st_uid != SUDOERS_UID)
1.17 ! millert 847: log_error(0, "%s is owned by uid %lu, should be %lu", _PATH_SUDOERS,
! 848: (unsigned long) statbuf.st_uid, SUDOERS_UID);
1.1 millert 849: else if (statbuf.st_gid != SUDOERS_GID)
1.17 ! millert 850: log_error(0, "%s is owned by gid %lu, should be %lu", _PATH_SUDOERS,
! 851: (unsigned long) statbuf.st_gid, SUDOERS_GID);
1.1 millert 852: else {
853: /* Solaris sometimes returns EAGAIN so try 10 times */
854: for (i = 0; i < 10 ; i++) {
855: errno = 0;
856: if ((sudoers_fp = fopen(_PATH_SUDOERS, "r")) == NULL ||
857: fread(&c, sizeof(c), 1, sudoers_fp) != 1) {
858: sudoers_fp = NULL;
859: if (errno != EAGAIN && errno != EWOULDBLOCK)
860: break;
861: } else
862: break;
863: sleep(1);
864: }
865: if (sudoers_fp == NULL)
866: log_error(USE_ERRNO, "can't open %s", _PATH_SUDOERS);
867: }
868:
1.17 ! millert 869: set_perms(PERM_ROOT); /* change back to root */
1.1 millert 870: }
871:
872: /*
873: * Close all open files (except std*) and turn off core dumps.
1.11 millert 874: * Also sets the set_perms() pointer to the correct function.
1.1 millert 875: */
876: static void
877: initial_setup()
878: {
879: int fd, maxfd;
880: #ifdef HAVE_SETRLIMIT
881: struct rlimit rl;
882: #endif
883:
884: #if defined(RLIMIT_CORE) && !defined(SUDO_DEVEL)
885: /*
886: * Turn off core dumps.
887: */
1.4 millert 888: (void) getrlimit(RLIMIT_CORE, &corelimit);
1.1 millert 889: rl.rlim_cur = rl.rlim_max = 0;
890: (void) setrlimit(RLIMIT_CORE, &rl);
891: #endif /* RLIMIT_CORE */
892:
893: /*
894: * Close any open fd's other than stdin, stdout and stderr.
895: */
896: #ifdef HAVE_SYSCONF
1.3 millert 897: maxfd = sysconf(_SC_OPEN_MAX) - 1;
1.1 millert 898: #else
1.3 millert 899: maxfd = getdtablesize() - 1;
1.1 millert 900: #endif /* HAVE_SYSCONF */
1.3 millert 901: #ifdef RLIMIT_NOFILE
902: if (getrlimit(RLIMIT_NOFILE, &rl) == 0) {
903: if (rl.rlim_max != RLIM_INFINITY && rl.rlim_max <= maxfd)
904: maxfd = rl.rlim_max - 1;
905: }
906: #endif /* RLIMIT_NOFILE */
1.1 millert 907:
908: for (fd = maxfd; fd > STDERR_FILENO; fd--)
909: (void) close(fd);
910:
1.17 ! millert 911: /*
! 912: * Make set_perms point to the correct function.
! 913: * If we are using setresuid() or setreuid() we only need to set this
! 914: * once. If we are using POSIX saved uids we will switch to
! 915: * set_perms_nosuid after sudoers has been parsed if the "stay_suid"
! 916: * option is not set.
! 917: */
! 918: #if defined(HAVE_SETRESUID) || defined(HAVE_SETREUID)
! 919: set_perms = set_perms_suid;
! 920: #else
! 921: # if !defined(NO_SAVED_IDS) && defined(_SC_SAVED_IDS) && defined(_SC_VERSION)
1.11 millert 922: if (sysconf(_SC_SAVED_IDS) == 1 && sysconf(_SC_VERSION) >= 199009)
923: set_perms = set_perms_posix;
924: else
1.17 ! millert 925: # endif
! 926: set_perms = set_perms_nosuid;
! 927: #endif /* HAVE_SETRESUID || HAVE_SETREUID */
1.1 millert 928: }
929:
1.8 millert 930: #ifdef HAVE_LOGIN_CAP_H
931: static void
1.4 millert 932: set_loginclass(pw)
933: struct passwd *pw;
934: {
935: int errflags;
936:
937: /*
938: * Don't make it a fatal error if the user didn't specify the login
939: * class themselves. We do this because if login.conf gets
940: * corrupted we want the admin to be able to use sudo to fix it.
941: */
942: if (login_class)
943: errflags = NO_MAIL|MSG_ONLY;
944: else
945: errflags = NO_MAIL|MSG_ONLY|NO_EXIT;
946:
947: if (login_class && strcmp(login_class, "-") != 0) {
948: if (strcmp(*user_runas, "root") != 0 && user_uid != 0) {
949: (void) fprintf(stderr, "%s: only root can use -c %s\n",
950: Argv[0], login_class);
951: exit(1);
952: }
953: } else {
954: login_class = pw->pw_class;
955: if (!login_class || !*login_class)
956: login_class =
957: (pw->pw_uid == 0) ? LOGIN_DEFROOTCLASS : LOGIN_DEFCLASS;
958: }
959:
960: lc = login_getclass(login_class);
1.10 millert 961: if (!lc || !lc->lc_class || strcmp(lc->lc_class, login_class) != 0) {
1.4 millert 962: log_error(errflags, "unknown login class: %s", login_class);
1.11 millert 963: if (!lc)
964: lc = login_getclass(NULL); /* needed for login_getstyle() later */
1.10 millert 965: }
1.4 millert 966: }
967: #else
1.8 millert 968: static void
1.4 millert 969: set_loginclass(pw)
970: struct passwd *pw;
971: {
972: }
1.8 millert 973: #endif /* HAVE_LOGIN_CAP_H */
1.4 millert 974:
1.1 millert 975: /*
1.2 millert 976: * Look up the fully qualified domain name and set user_host and user_shost.
977: */
978: void
979: set_fqdn()
980: {
981: struct hostent *hp;
982: char *p;
983:
1.14 millert 984: if (!(hp = gethostbyname(user_host))) {
985: log_error(MSG_ONLY|NO_EXIT,
986: "unable to lookup %s via gethostbyname()", user_host);
987: } else {
988: if (user_shost != user_host)
989: free(user_shost);
990: free(user_host);
991: user_host = estrdup(hp->h_name);
1.2 millert 992: }
993: if ((p = strchr(user_host, '.'))) {
994: *p = '\0';
995: user_shost = estrdup(user_host);
996: *p = '.';
997: } else {
998: user_shost = user_host;
999: }
1000: }
1001:
1002: /*
1.6 millert 1003: * Get passwd entry for the user we are going to authenticate as.
1004: * By default, this is the user invoking sudo...
1.4 millert 1005: */
1.6 millert 1006: static struct passwd *
1007: get_authpw()
1.4 millert 1008: {
1009: struct passwd *pw;
1010:
1011: if (def_ival(I_ROOTPW)) {
1.6 millert 1012: if ((pw = sudo_getpwuid(0)) == NULL)
1.4 millert 1013: log_error(0, "uid 0 does not exist in the passwd file!");
1014: } else if (def_ival(I_RUNASPW)) {
1.11 millert 1015: if ((pw = sudo_getpwnam(def_str(I_RUNAS_DEFAULT))) == NULL)
1.4 millert 1016: log_error(0, "user %s does not exist in the passwd file!",
1.11 millert 1017: def_str(I_RUNAS_DEFAULT));
1.4 millert 1018: } else if (def_ival(I_TARGETPW)) {
1019: if (**user_runas == '#') {
1.6 millert 1020: if ((pw = sudo_getpwuid(atoi(*user_runas + 1))) == NULL)
1.4 millert 1021: log_error(0, "uid %s does not exist in the passwd file!",
1022: user_runas);
1023: } else {
1.6 millert 1024: if ((pw = sudo_getpwnam(*user_runas)) == NULL)
1.4 millert 1025: log_error(0, "user %s does not exist in the passwd file!",
1026: user_runas);
1027: }
1.6 millert 1028: } else
1029: pw = sudo_user.pw;
1030:
1031: return(pw);
1.4 millert 1032: }
1033:
1034: /*
1.1 millert 1035: * Tell which options are mutually exclusive and exit.
1036: */
1037: static void
1038: usage_excl(exit_val)
1039: int exit_val;
1040: {
1041: (void) fprintf(stderr,
1.2 millert 1042: "Only one of the -h, -k, -K, -l, -s, -v or -V options may be used\n");
1.1 millert 1043: usage(exit_val);
1044: }
1045:
1046: /*
1047: * Give usage message and exit.
1048: */
1049: static void
1050: usage(exit_val)
1051: int exit_val;
1052: {
1.8 millert 1053:
1054: (void) fprintf(stderr, "usage: sudo -V | -h | -L | -l | -v | -k | -K | %s",
1.11 millert 1055: "[-H] [-P] [-S] [-b] [-p prompt]\n [-u username/#uid] ");
1.8 millert 1056: #ifdef HAVE_LOGIN_CAP_H
1057: (void) fprintf(stderr, "[-c class] ");
1058: #endif
1059: #ifdef HAVE_BSD_AUTH_H
1060: (void) fprintf(stderr, "[-a auth_type] ");
1.4 millert 1061: #endif
1.8 millert 1062: (void) fprintf(stderr, "-s | <command>\n");
1.1 millert 1063: exit(exit_val);
1064: }