Annotation of src/usr.bin/sudo/sudo_nss.c, Revision 1.2
1.1 millert 1: /*
2: * Copyright (c) 2007-2008 Todd C. Miller <Todd.Miller@courtesan.com>
3: *
4: * Permission to use, copy, modify, and distribute this software for any
5: * purpose with or without fee is hereby granted, provided that the above
6: * copyright notice and this permission notice appear in all copies.
7: *
8: * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9: * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10: * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11: * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12: * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13: * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14: * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15: */
16:
17: #include <config.h>
18:
19: #include <sys/types.h>
20: #include <sys/param.h>
21: #include <stdio.h>
22: #ifdef STDC_HEADERS
23: # include <stdlib.h>
24: # include <stddef.h>
25: #else
26: # ifdef HAVE_STDLIB_H
27: # include <stdlib.h>
28: # endif
29: #endif /* STDC_HEADERS */
30: #ifdef HAVE_STRING_H
31: # include <string.h>
32: #else
33: # ifdef HAVE_STRINGS_H
34: # include <strings.h>
35: # endif
36: #endif /* HAVE_STRING_H */
37: #ifdef HAVE_UNISTD_H
38: # include <unistd.h>
39: #endif /* HAVE_UNISTD_H */
40: #include <pwd.h>
41: #include <grp.h>
1.2 ! millert 42: #include <ctype.h>
1.1 millert 43:
44: #include "sudo.h"
45: #include "lbuf.h"
46:
47: #ifndef lint
1.2 ! millert 48: __unused static const char rcsid[] = "$Sudo: sudo_nss.c,v 1.7 2009/03/10 20:44:05 millert Exp $";
1.1 millert 49: #endif /* lint */
50:
51: extern struct sudo_nss sudo_nss_file;
52: #ifdef HAVE_LDAP
53: extern struct sudo_nss sudo_nss_ldap;
54: #endif
55:
56: #if defined(HAVE_LDAP) && defined(_PATH_NSSWITCH_CONF)
57: /*
58: * Read in /etc/nsswitch.conf
59: * Returns a tail queue of matches.
60: */
61: struct sudo_nss_list *
62: sudo_read_nss()
63: {
64: FILE *fp;
65: char *cp;
66: int saw_files = FALSE;
67: int saw_ldap = FALSE;
68: int got_match = FALSE;
69: static struct sudo_nss_list snl;
70:
71: if ((fp = fopen(_PATH_NSSWITCH_CONF, "r")) == NULL)
72: goto nomatch;
73:
74: while ((cp = sudo_parseln(fp)) != NULL) {
75: /* Skip blank or comment lines */
76: if (*cp == '\0')
77: continue;
78:
79: /* Look for a line starting with "sudoers:" */
80: if (strncasecmp(cp, "sudoers:", 8) != 0)
81: continue;
82:
83: /* Parse line */
84: for ((cp = strtok(cp + 8, " \t")); cp != NULL; (cp = strtok(NULL, " \t"))) {
85: if (strcasecmp(cp, "files") == 0 && !saw_files) {
86: tq_append(&snl, &sudo_nss_file);
87: got_match = TRUE;
88: } else if (strcasecmp(cp, "ldap") == 0 && !saw_ldap) {
89: tq_append(&snl, &sudo_nss_ldap);
90: got_match = TRUE;
91: } else if (strcasecmp(cp, "[NOTFOUND=return]") == 0 && got_match) {
92: /* NOTFOUND affects the most recent entry */
1.2 ! millert 93: tq_last(&snl)->ret_if_notfound = TRUE;
1.1 millert 94: got_match = FALSE;
95: } else
96: got_match = FALSE;
97: }
98: /* Only parse the first "sudoers:" line */
99: break;
100: }
101: fclose(fp);
102:
103: nomatch:
104: /* Default to files only if no matches */
105: if (tq_empty(&snl))
106: tq_append(&snl, &sudo_nss_file);
107:
108: return(&snl);
109: }
110:
111: #else /* HAVE_LDAP && _PATH_NSSWITCH_CONF */
112:
1.2 ! millert 113: # if defined(HAVE_LDAP) && defined(_PATH_NETSVC_CONF)
! 114:
! 115: /*
! 116: * Read in /etc/netsvc.conf (like nsswitch.conf on AIX)
! 117: * Returns a tail queue of matches.
! 118: */
! 119: struct sudo_nss_list *
! 120: sudo_read_nss()
! 121: {
! 122: FILE *fp;
! 123: char *cp, *ep;
! 124: int saw_files = FALSE;
! 125: int saw_ldap = FALSE;
! 126: int got_match = FALSE;
! 127: static struct sudo_nss_list snl;
! 128:
! 129: if ((fp = fopen(_PATH_NETSVC_CONF, "r")) == NULL)
! 130: goto nomatch;
! 131:
! 132: while ((cp = sudo_parseln(fp)) != NULL) {
! 133: /* Skip blank or comment lines */
! 134: if (*cp == '\0')
! 135: continue;
! 136:
! 137: /* Look for a line starting with "sudoers = " */
! 138: if (strncasecmp(cp, "sudoers", 7) != 0)
! 139: continue;
! 140: cp += 7;
! 141: while (isspace((unsigned char)*cp))
! 142: cp++;
! 143: if (*cp++ != '=')
! 144: continue;
! 145:
! 146: /* Parse line */
! 147: for ((cp = strtok(cp, ",")); cp != NULL; (cp = strtok(NULL, ","))) {
! 148: /* Trim leading whitespace. */
! 149: while (isspace((unsigned char)*cp))
! 150: cp++;
! 151:
! 152: if (!saw_files && strncasecmp(cp, "files", 5) == 0 &&
! 153: (isspace((unsigned char)cp[5]) || cp[5] == '\0')) {
! 154: tq_append(&snl, &sudo_nss_file);
! 155: got_match = TRUE;
! 156: ep = &cp[5];
! 157: } else if (!saw_ldap && strncasecmp(cp, "ldap", 4) == 0 &&
! 158: (isspace((unsigned char)cp[4]) || cp[4] == '\0')) {
! 159: tq_append(&snl, &sudo_nss_ldap);
! 160: got_match = TRUE;
! 161: ep = &cp[4];
! 162: } else {
! 163: got_match = FALSE;
! 164: }
! 165:
! 166: /* check for = auth qualifier */
! 167: if (got_match && *ep) {
! 168: cp = ep;
! 169: while (isspace((unsigned char)*cp) || *cp == '=')
! 170: cp++;
! 171: if (strncasecmp(cp, "auth", 4) == 0 &&
! 172: (isspace((unsigned char)cp[4]) || cp[4] == '\0')) {
! 173: tq_last(&snl)->ret_if_found = TRUE;
! 174: }
! 175: }
! 176: }
! 177: /* Only parse the first "sudoers" line */
! 178: break;
! 179: }
! 180: fclose(fp);
! 181:
! 182: nomatch:
! 183: /* Default to files only if no matches */
! 184: if (tq_empty(&snl))
! 185: tq_append(&snl, &sudo_nss_file);
! 186:
! 187: return(&snl);
! 188: }
! 189:
! 190: # else /* !_PATH_NETSVC_CONF && !_PATH_NSSWITCH_CONF */
! 191:
1.1 millert 192: /*
193: * Non-nsswitch.conf version with hard-coded order.
194: */
195: struct sudo_nss_list *
196: sudo_read_nss()
197: {
198: static struct sudo_nss_list snl;
199:
1.2 ! millert 200: # ifdef HAVE_LDAP
1.1 millert 201: tq_append(&snl, &sudo_nss_ldap);
1.2 ! millert 202: # endif
1.1 millert 203: tq_append(&snl, &sudo_nss_file);
204:
205: return(&snl);
206: }
1.2 ! millert 207:
! 208: # endif /* !HAVE_LDAP || !_PATH_NETSVC_CONF */
1.1 millert 209:
210: #endif /* HAVE_LDAP && _PATH_NSSWITCH_CONF */
211:
212: /* Reset user_groups based on passwd entry. */
213: static void
214: reset_groups(pw)
215: struct passwd *pw;
216: {
217: #if defined(HAVE_INITGROUPS) && defined(HAVE_GETGROUPS)
218: if (pw != sudo_user.pw) {
219: (void) initgroups(pw->pw_name, pw->pw_gid);
220: if ((user_ngroups = getgroups(0, NULL)) > 0) {
221: user_groups = erealloc3(user_groups, user_ngroups,
222: sizeof(GETGROUPS_T));
223: if (getgroups(user_ngroups, user_groups) < 0)
224: log_error(USE_ERRNO|MSG_ONLY, "can't get group vector");
225: } else {
226: user_ngroups = 0;
227: efree(user_groups);
228: }
229: }
230: #endif
231: }
232:
233: /*
234: * Print out privileges for the specified user.
235: * We only get here if the user is allowed to run something on this host.
236: */
237: void
238: display_privs(snl, pw)
239: struct sudo_nss_list *snl;
240: struct passwd *pw;
241: {
242: struct sudo_nss *nss;
243: struct lbuf lbuf;
244: int count;
245:
246: /* Reset group vector so group matching works correctly. */
247: reset_groups(pw);
248:
249: lbuf_init(&lbuf, NULL, 4, 0);
250:
251: /* Display defaults from all sources. */
252: count = 0;
253: tq_foreach_fwd(snl, nss)
254: count += nss->display_defaults(nss, pw, &lbuf);
255: if (count) {
256: printf("Matching Defaults entries for %s on this host:\n", pw->pw_name);
257: lbuf_print(&lbuf);
258: putchar('\n');
259: }
260:
261: /* Display Runas and Cmnd-specific defaults from all sources. */
262: count = 0;
263: tq_foreach_fwd(snl, nss)
264: count += nss->display_bound_defaults(nss, pw, &lbuf);
265: if (count) {
266: printf("Runas and Command-specific defaults for %s:\n", pw->pw_name);
267: lbuf_print(&lbuf);
268: putchar('\n');
269: }
270:
271: /* Display privileges from all sources. */
272: printf("User %s may run the following commands on this host:\n",
273: pw->pw_name);
274: tq_foreach_fwd(snl, nss)
275: (void) nss->display_privs(nss, pw, &lbuf);
276: if (lbuf.len != 0)
277: lbuf_print(&lbuf); /* print remainder, if any */
278: lbuf_destroy(&lbuf);
279: }
280:
281: /*
282: * Check user_cmnd against sudoers and print the matching entry if the
283: * command is allowed.
284: */
285: int
286: display_cmnd(snl, pw)
287: struct sudo_nss_list *snl;
288: struct passwd *pw;
289: {
290: struct sudo_nss *nss;
291:
292: /* Reset group vector so group matching works correctly. */
293: reset_groups(pw);
294:
295: tq_foreach_fwd(snl, nss) {
296: if (nss->display_cmnd(nss, pw) == 0)
297: return(0);
298: }
299: return(1);
300: }