Annotation of src/usr.bin/sudo/testsudoers.c, Revision 1.12
1.1 millert 1: /*
1.12 ! millert 2: * Copyright (c) 1996, 1998-2005 Todd C. Miller <Todd.Miller@courtesan.com>
1.1 millert 3: *
1.11 millert 4: * Permission to use, copy, modify, and distribute this software for any
5: * purpose with or without fee is hereby granted, provided that the above
6: * copyright notice and this permission notice appear in all copies.
1.1 millert 7: *
1.11 millert 8: * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9: * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10: * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11: * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12: * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13: * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14: * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
1.1 millert 15: * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
16: * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
1.10 millert 17: *
18: * Sponsored in part by the Defense Advanced Research Projects
19: * Agency (DARPA) and Air Force Research Laboratory, Air Force
20: * Materiel Command, USAF, under agreement number F39502-99-1-0512.
1.1 millert 21: */
22:
1.9 millert 23: #define _SUDO_MAIN
24:
1.12 ! millert 25: #include <config.h>
1.1 millert 26:
1.5 millert 27: #include <sys/param.h>
28: #include <sys/types.h>
29: #include <sys/stat.h>
30: #include <sys/socket.h>
1.1 millert 31: #include <stdio.h>
32: #ifdef STDC_HEADERS
33: # include <stdlib.h>
1.5 millert 34: # include <stddef.h>
35: #else
36: # ifdef HAVE_STDLIB_H
37: # include <stdlib.h>
38: # endif
1.1 millert 39: #endif /* STDC_HEADERS */
1.5 millert 40: #ifdef HAVE_STRING_H
41: # include <string.h>
42: #else
43: # ifdef HAVE_STRINGS_H
44: # include <strings.h>
45: # endif
46: #endif /* HAVE_STRING_H */
1.1 millert 47: #ifdef HAVE_UNISTD_H
48: # include <unistd.h>
49: #endif /* HAVE_UNISTD_H */
1.2 millert 50: #ifdef HAVE_FNMATCH
1.1 millert 51: # include <fnmatch.h>
1.9 millert 52: #endif /* HAVE_FNMATCH */
1.1 millert 53: #ifdef HAVE_NETGROUP_H
54: # include <netgroup.h>
55: #endif /* HAVE_NETGROUP_H */
1.9 millert 56: #ifdef HAVE_ERR_H
57: # include <err.h>
58: #else
59: # include "emul/err.h"
60: #endif /* HAVE_ERR_H */
1.1 millert 61: #include <ctype.h>
62: #include <pwd.h>
63: #include <grp.h>
64: #include <netinet/in.h>
65: #include <arpa/inet.h>
66: #include <netdb.h>
67: #include <dirent.h>
68:
69: #include "sudo.h"
70: #include "parse.h"
71: #include "interfaces.h"
72:
73: #ifndef HAVE_FNMATCH
74: # include "emul/fnmatch.h"
75: #endif /* HAVE_FNMATCH */
76:
77: #ifndef lint
1.12 ! millert 78: __unused static const char rcsid[] = "$Sudo: testsudoers.c,v 1.88.2.4 2007/06/12 01:43:01 millert Exp $";
1.1 millert 79: #endif /* lint */
80:
1.5 millert 81:
82: /*
83: * Prototypes
84: */
85: void init_parser __P((void));
86: void dumpaliases __P((void));
87:
1.1 millert 88: /*
89: * Globals
90: */
1.9 millert 91: int Argc, NewArgc;
1.1 millert 92: char **Argv, **NewArgv;
93: int parse_error = FALSE;
94: int num_interfaces;
95: struct interface *interfaces;
96: struct sudo_user sudo_user;
97: extern int clearaliases;
98: extern int pedantic;
99:
100: /*
101: * Returns TRUE if "s" has shell meta characters in it,
102: * else returns FALSE.
103: */
104: int
105: has_meta(s)
106: char *s;
107: {
1.4 millert 108: char *t;
1.11 millert 109:
1.1 millert 110: for (t = s; *t; t++) {
111: if (*t == '\\' || *t == '?' || *t == '*' || *t == '[' || *t == ']')
112: return(TRUE);
113: }
114: return(FALSE);
115: }
116:
117: /*
1.11 millert 118: * Returns TRUE if user_cmnd matches, in the sudo sense,
1.1 millert 119: * the pathname in path; otherwise, return FALSE
120: */
121: int
1.11 millert 122: command_matches(path, sudoers_args)
1.1 millert 123: char *path;
124: char *sudoers_args;
125: {
126: int clen, plen;
127: char *args;
128:
1.11 millert 129: if (user_cmnd == NULL)
1.1 millert 130: return(FALSE);
131:
1.11 millert 132: if ((args = strchr(path, ' ')))
1.1 millert 133: *args++ = '\0';
134:
135: if (has_meta(path)) {
1.11 millert 136: if (fnmatch(path, user_cmnd, FNM_PATHNAME))
1.1 millert 137: return(FALSE);
138: if (!sudoers_args)
139: return(TRUE);
1.11 millert 140: else if (!user_args && sudoers_args && !strcmp("\"\"", sudoers_args))
1.1 millert 141: return(TRUE);
142: else if (sudoers_args)
1.11 millert 143: return((fnmatch(sudoers_args, user_args ? user_args : "", 0) == 0));
1.1 millert 144: else
145: return(FALSE);
146: } else {
147: plen = strlen(path);
148: if (path[plen - 1] != '/') {
1.11 millert 149: if (strcmp(user_cmnd, path))
1.1 millert 150: return(FALSE);
151: if (!sudoers_args)
152: return(TRUE);
1.11 millert 153: else if (!user_args && sudoers_args && !strcmp("\"\"", sudoers_args))
1.1 millert 154: return(TRUE);
155: else if (sudoers_args)
1.11 millert 156: return((fnmatch(sudoers_args, user_args ? user_args : "", 0) == 0));
1.1 millert 157: else
158: return(FALSE);
159: }
160:
1.11 millert 161: clen = strlen(user_cmnd);
1.1 millert 162: if (clen < plen + 1)
1.11 millert 163: /* path cannot be the parent dir of user_cmnd */
1.1 millert 164: return(FALSE);
165:
1.11 millert 166: if (strchr(user_cmnd + plen + 1, '/') != NULL)
167: /* path could only be an anscestor of user_cmnd -- */
1.1 millert 168: /* ignoring, of course, things like // & /./ */
169: return(FALSE);
170:
1.11 millert 171: /* see whether path is the prefix of user_cmnd */
172: return((strncmp(user_cmnd, path, plen) == 0));
1.1 millert 173: }
174: }
175:
176: int
177: addr_matches(n)
178: char *n;
179: {
180: int i;
181: char *m;
182: struct in_addr addr, mask;
183:
184: /* If there's an explicit netmask, use it. */
185: if ((m = strchr(n, '/'))) {
186: *m++ = '\0';
187: addr.s_addr = inet_addr(n);
188: if (strchr(m, '.'))
189: mask.s_addr = inet_addr(m);
1.5 millert 190: else {
191: i = 32 - atoi(m);
192: mask.s_addr = 0xffffffff;
193: mask.s_addr >>= i;
194: mask.s_addr <<= i;
195: mask.s_addr = htonl(mask.s_addr);
196: }
1.11 millert 197: *(m - 1) = '/';
1.1 millert 198:
199: for (i = 0; i < num_interfaces; i++)
200: if ((interfaces[i].addr.s_addr & mask.s_addr) == addr.s_addr)
201: return(TRUE);
202: } else {
203: addr.s_addr = inet_addr(n);
204:
205: for (i = 0; i < num_interfaces; i++)
206: if (interfaces[i].addr.s_addr == addr.s_addr ||
207: (interfaces[i].addr.s_addr & interfaces[i].netmask.s_addr)
208: == addr.s_addr)
209: return(TRUE);
210: }
211:
212: return(FALSE);
1.4 millert 213: }
214:
215: int
216: hostname_matches(shost, lhost, pattern)
217: char *shost;
218: char *lhost;
219: char *pattern;
220: {
1.11 millert 221: if (has_meta(pattern)) {
222: if (strchr(pattern, '.'))
1.4 millert 223: return(fnmatch(pattern, lhost, FNM_CASEFOLD));
224: else
225: return(fnmatch(pattern, shost, FNM_CASEFOLD));
226: } else {
227: if (strchr(pattern, '.'))
228: return(strcasecmp(lhost, pattern));
229: else
230: return(strcasecmp(shost, pattern));
231: }
1.1 millert 232: }
233:
234: int
1.11 millert 235: userpw_matches(sudoers_user, user, pw)
236: char *sudoers_user;
237: char *user;
238: struct passwd *pw;
239: {
240: if (pw != NULL && *sudoers_user == '#') {
241: uid_t uid = atoi(sudoers_user + 1);
242: if (uid == pw->pw_uid)
243: return(1);
244: }
245: return(strcmp(sudoers_user, user) == 0);
246: }
247:
248: int
249: usergr_matches(group, user, pw)
1.1 millert 250: char *group;
251: char *user;
1.11 millert 252: struct passwd *pw;
1.1 millert 253: {
254: struct group *grp;
255: char **cur;
256:
257: /* Make sure we have a valid usergroup, sudo style. */
258: if (*group++ != '%')
259: return(FALSE);
260:
1.11 millert 261: if ((grp = getgrnam(group)) == NULL)
1.1 millert 262: return(FALSE);
263:
264: /*
265: * Check against user's real gid as well as group's user list
266: */
267: if (getgid() == grp->gr_gid)
268: return(TRUE);
269:
270: for (cur=grp->gr_mem; *cur; cur++) {
271: if (strcmp(*cur, user) == 0)
272: return(TRUE);
273: }
274:
275: return(FALSE);
276: }
277:
278: int
1.3 millert 279: netgr_matches(netgr, host, shost, user)
1.1 millert 280: char *netgr;
281: char *host;
1.3 millert 282: char *shost;
1.1 millert 283: char *user;
284: {
285: #ifdef HAVE_GETDOMAINNAME
286: static char *domain = (char *) -1;
287: #else
288: static char *domain = NULL;
289: #endif /* HAVE_GETDOMAINNAME */
290:
291: /* Make sure we have a valid netgroup, sudo style. */
292: if (*netgr++ != '+')
293: return(FALSE);
294:
295: #ifdef HAVE_GETDOMAINNAME
296: /* Get the domain name (if any). */
297: if (domain == (char *) -1) {
298: domain = (char *) emalloc(MAXHOSTNAMELEN);
299:
300: if (getdomainname(domain, MAXHOSTNAMELEN) != 0 || *domain == '\0') {
1.12 ! millert 301: efree(domain);
1.1 millert 302: domain = NULL;
303: }
304: }
305: #endif /* HAVE_GETDOMAINNAME */
306:
307: #ifdef HAVE_INNETGR
1.3 millert 308: if (innetgr(netgr, host, user, domain))
309: return(TRUE);
310: else if (host != shost && innetgr(netgr, shost, user, domain))
311: return(TRUE);
312: #endif /* HAVE_INNETGR */
313:
1.1 millert 314: return(FALSE);
315: }
316:
317: void
1.12 ! millert 318: set_perms(i)
1.7 millert 319: int i;
1.2 millert 320: {
321: return;
322: }
323:
324: void
325: set_fqdn()
1.5 millert 326: {
327: return;
328: }
329:
1.11 millert 330: int
331: set_runaspw(user)
332: char *user;
333: {
334: return(TRUE);
335: }
336:
1.5 millert 337: void
338: init_envtables()
1.1 millert 339: {
340: return;
341: }
342:
343: int
344: main(argc, argv)
345: int argc;
346: char **argv;
347: {
348: struct passwd pw;
349: char *p;
350: #ifdef YYDEBUG
351: extern int yydebug;
352: yydebug = 1;
353: #endif
354:
355: Argv = argv;
356: Argc = argc;
357:
358: if (Argc >= 6 && strcmp(Argv[1], "-u") == 0) {
359: user_runas = &Argv[2];
360: pw.pw_name = Argv[3];
361: user_host = Argv[4];
362: user_cmnd = Argv[5];
363:
364: NewArgv = &Argv[5];
365: NewArgc = Argc - 5;
366: } else if (Argc >= 4) {
367: pw.pw_name = Argv[1];
368: user_host = Argv[2];
369: user_cmnd = Argv[3];
370:
371: NewArgv = &Argv[3];
372: NewArgc = Argc - 3;
373: } else {
374: (void) fprintf(stderr,
1.9 millert 375: "usage: sudo [-u user] <user> <host> <command> [args]\n");
1.1 millert 376: exit(1);
377: }
378:
379: sudo_user.pw = &pw; /* user_name needs to be defined */
380:
381: if ((p = strchr(user_host, '.'))) {
382: *p = '\0';
383: user_shost = estrdup(user_host);
384: *p = '.';
385: } else {
386: user_shost = user_host;
387: }
388:
1.11 millert 389: /* Fill in user_args from NewArgv. */
1.1 millert 390: if (NewArgc > 1) {
391: char *to, **from;
1.7 millert 392: size_t size, n;
1.1 millert 393:
1.7 millert 394: size = (size_t) (NewArgv[NewArgc-1] - NewArgv[1]) +
395: strlen(NewArgv[NewArgc-1]) + 1;
1.1 millert 396: user_args = (char *) emalloc(size);
1.7 millert 397: for (to = user_args, from = NewArgv + 1; *from; from++) {
398: n = strlcpy(to, *from, size - (to - user_args));
1.9 millert 399: if (n >= size - (to - user_args))
400: errx(1, "internal error, init_vars() overflow");
1.7 millert 401: to += n;
1.1 millert 402: *to++ = ' ';
403: }
1.7 millert 404: *--to = '\0';
1.1 millert 405: }
406:
407: /* Initialize default values. */
408: init_defaults();
409:
410: /* Warn about aliases that are used before being defined. */
411: pedantic = TRUE;
412:
413: /* Need to keep aliases around for dumpaliases(). */
414: clearaliases = FALSE;
415:
416: /* Load ip addr/mask for each interface. */
417: load_interfaces();
418:
419: /* Allocate space for data structures in the parser. */
420: init_parser();
421:
422: if (yyparse() || parse_error) {
423: (void) printf("doesn't parse.\n");
424: } else {
425: (void) printf("parses OK.\n\n");
426: if (top == 0)
427: (void) printf("User %s not found\n", pw.pw_name);
428: else while (top) {
429: (void) printf("[%d]\n", top-1);
430: (void) printf("user_match : %d\n", user_matches);
431: (void) printf("host_match : %d\n", host_matches);
432: (void) printf("cmnd_match : %d\n", cmnd_matches);
433: (void) printf("no_passwd : %d\n", no_passwd);
434: (void) printf("runas_match: %d\n", runas_matches);
435: (void) printf("runas : %s\n", *user_runas);
436: top--;
437: }
438: }
439:
440: /* Dump aliases. */
441: (void) printf("Matching Aliases --\n");
442: dumpaliases();
443:
444: exit(0);
445: }
![[BACK]](/icons/back.gif){kind=icon}
Return to testsudoers.c CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / sudo