1 /* 2 * SPDX-License-Identifier: ISC 3 * 4 * Copyright (c) 1993-1996, 1998-2005, 2007-2020 5 * Todd C. Miller <Todd.Miller@sudo.ws> 6 * 7 * Permission to use, copy, modify, and distribute this software for any 8 * purpose with or without fee is hereby granted, provided that the above 9 * copyright notice and this permission notice appear in all copies. 10 * 11 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 12 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 13 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 14 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 15 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 16 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 17 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 18 * 19 * Sponsored in part by the Defense Advanced Research Projects 20 * Agency (DARPA) and Air Force Research Laboratory, Air Force 21 * Materiel Command, USAF, under agreement number F39502-99-1-0512. 22 */ 23 24 #ifndef SUDOERS_SUDOERS_H 25 #define SUDOERS_SUDOERS_H 26 27 #include <sys/types.h> /* for gid_t, mode_t, pid_t, size_t, uid_t */ 28 #include <limits.h> 29 #ifdef HAVE_STDBOOL_H 30 # include <stdbool.h> 31 #else 32 # include "compat/stdbool.h" 33 #endif /* HAVE_STDBOOL_H */ 34 35 #define DEFAULT_TEXT_DOMAIN "sudoers" 36 37 #include "pathnames.h" 38 #include "sudo_compat.h" 39 #include "sudo_conf.h" 40 #include "sudo_eventlog.h" 41 #include "sudo_fatal.h" 42 #include "sudo_gettext.h" 43 #include "sudo_nss.h" 44 #include "sudo_plugin.h" 45 #include "sudo_queue.h" 46 #include "sudo_util.h" 47 #include "sudoers_debug.h" 48 49 #include "defaults.h" 50 #include "logging.h" 51 #include "parse.h" 52 53 /* 54 * Info passed in from the sudo front-end. 55 */ 56 struct sudoers_open_info { 57 char * const *settings; 58 char * const *user_info; 59 char * const *plugin_args; 60 }; 61 62 /* 63 * Supplementary group IDs for a user. 64 */ 65 struct gid_list { 66 int ngids; 67 GETGROUPS_T *gids; 68 }; 69 70 /* 71 * Supplementary group names for a user. 72 */ 73 struct group_list { 74 int ngroups; 75 char **groups; 76 }; 77 78 /* 79 * Info pertaining to the invoking user. 80 * XXX - can we embed struct eventlog here or use it instead? 81 */ 82 struct sudo_user { 83 struct timespec submit_time; 84 struct passwd *pw; 85 struct passwd *_runas_pw; 86 struct group *_runas_gr; 87 struct stat *cmnd_stat; 88 char *cwd; 89 char *name; 90 char *runas_user; 91 char *runas_group; 92 char *path; 93 char *tty; 94 char *ttypath; 95 char *host; 96 char *shost; 97 char *runhost; 98 char *srunhost; 99 char *runchroot; 100 char *runcwd; 101 char *prompt; 102 char *cmnd; 103 char *cmnd_args; 104 char *cmnd_base; 105 char *cmnd_safe; 106 char *class_name; 107 char *krb5_ccname; 108 struct gid_list *gid_list; 109 char * const * env_vars; 110 #ifdef HAVE_SELINUX 111 char *role; 112 char *type; 113 #endif 114 #ifdef HAVE_PRIV_SET 115 char *privs; 116 char *limitprivs; 117 #endif 118 char *iolog_file; 119 char *iolog_path; 120 GETGROUPS_T *gids; 121 int execfd; 122 int ngids; 123 int closefrom; 124 int lines; 125 int cols; 126 int flags; 127 int max_groups; 128 int timeout; 129 mode_t umask; 130 uid_t uid; 131 uid_t gid; 132 pid_t sid; 133 char uuid_str[37]; 134 }; 135 136 /* 137 * sudo_get_gidlist() type values 138 */ 139 #define ENTRY_TYPE_ANY 0x00 140 #define ENTRY_TYPE_QUERIED 0x01 141 #define ENTRY_TYPE_FRONTEND 0x02 142 143 /* 144 * sudo_user flag values 145 */ 146 #define RUNAS_USER_SPECIFIED 0x01 147 #define RUNAS_GROUP_SPECIFIED 0x02 148 149 /* 150 * Return values for sudoers_lookup(), also used as arguments for log_auth() 151 * Note: cannot use '0' as a value here. 152 */ 153 #define VALIDATE_ERROR 0x001 154 #define VALIDATE_SUCCESS 0x002 155 #define VALIDATE_FAILURE 0x004 156 #define FLAG_CHECK_USER 0x010 157 #define FLAG_NO_USER 0x020 158 #define FLAG_NO_HOST 0x040 159 #define FLAG_NO_CHECK 0x080 160 #define FLAG_NON_INTERACTIVE 0x100 161 #define FLAG_BAD_PASSWORD 0x200 162 163 /* 164 * find_path()/set_cmnd() return values 165 */ 166 #define FOUND 0 167 #define NOT_FOUND 1 168 #define NOT_FOUND_DOT 2 169 #define NOT_FOUND_ERROR 3 170 #define NOT_FOUND_PATH 4 171 172 /* 173 * Various modes sudo can be in (based on arguments) in hex 174 */ 175 #define MODE_RUN 0x00000001 176 #define MODE_EDIT 0x00000002 177 #define MODE_VALIDATE 0x00000004 178 #define MODE_INVALIDATE 0x00000008 179 #define MODE_KILL 0x00000010 180 #define MODE_VERSION 0x00000020 181 #define MODE_HELP 0x00000040 182 #define MODE_LIST 0x00000080 183 #define MODE_CHECK 0x00000100 184 #define MODE_ERROR 0x00000200 185 #define MODE_MASK 0x0000ffff 186 187 /* Mode flags */ 188 #define MODE_BACKGROUND 0x00010000 /* XXX - unused */ 189 #define MODE_SHELL 0x00020000 190 #define MODE_LOGIN_SHELL 0x00040000 191 #define MODE_IMPLIED_SHELL 0x00080000 192 #define MODE_RESET_HOME 0x00100000 193 #define MODE_PRESERVE_GROUPS 0x00200000 194 #define MODE_PRESERVE_ENV 0x00400000 195 #define MODE_NONINTERACTIVE 0x00800000 196 #define MODE_IGNORE_TICKET 0x01000000 197 #define MODE_POLICY_INTERCEPTED 0x02000000 198 199 /* Mode bits allowed for intercepted commands. */ 200 #define MODE_INTERCEPT_MASK (MODE_RUN|MODE_NONINTERACTIVE|MODE_IGNORE_TICKET|MODE_POLICY_INTERCEPTED) 201 202 /* 203 * Used with set_perms() 204 */ 205 #define PERM_INITIAL 0x00 206 #define PERM_ROOT 0x01 207 #define PERM_USER 0x02 208 #define PERM_FULL_USER 0x03 209 #define PERM_SUDOERS 0x04 210 #define PERM_RUNAS 0x05 211 #define PERM_TIMESTAMP 0x06 212 #define PERM_IOLOG 0x07 213 214 /* 215 * Shortcuts for sudo_user contents. 216 */ 217 #define user_name (sudo_user.name) 218 #define user_uid (sudo_user.uid) 219 #define user_gid (sudo_user.gid) 220 #define user_sid (sudo_user.sid) 221 #define user_umask (sudo_user.umask) 222 #define user_passwd (sudo_user.pw->pw_passwd) 223 #define user_dir (sudo_user.pw->pw_dir) 224 #define user_gids (sudo_user.gids) 225 #define user_ngids (sudo_user.ngids) 226 #define user_gid_list (sudo_user.gid_list) 227 #define user_tty (sudo_user.tty) 228 #define user_ttypath (sudo_user.ttypath) 229 #define user_cwd (sudo_user.cwd) 230 #define user_cmnd (sudo_user.cmnd) 231 #define user_args (sudo_user.cmnd_args) 232 #define user_base (sudo_user.cmnd_base) 233 #define user_stat (sudo_user.cmnd_stat) 234 #define user_path (sudo_user.path) 235 #define user_prompt (sudo_user.prompt) 236 #define user_host (sudo_user.host) 237 #define user_shost (sudo_user.shost) 238 #define user_runhost (sudo_user.runhost) 239 #define user_srunhost (sudo_user.srunhost) 240 #define user_ccname (sudo_user.krb5_ccname) 241 #define safe_cmnd (sudo_user.cmnd_safe) 242 #define cmnd_fd (sudo_user.execfd) 243 #define login_class (sudo_user.class_name) 244 #define runas_pw (sudo_user._runas_pw) 245 #define runas_gr (sudo_user._runas_gr) 246 #define user_role (sudo_user.role) 247 #define user_type (sudo_user.type) 248 #define user_closefrom (sudo_user.closefrom) 249 #define runas_privs (sudo_user.privs) 250 #define runas_limitprivs (sudo_user.limitprivs) 251 #define user_timeout (sudo_user.timeout) 252 #define user_runchroot (sudo_user.runchroot) 253 #define user_runcwd (sudo_user.runcwd) 254 255 /* Default sudoers uid/gid/mode if not set by the Makefile. */ 256 #ifndef SUDOERS_UID 257 # define SUDOERS_UID 0 258 #endif 259 #ifndef SUDOERS_GID 260 # define SUDOERS_GID 0 261 #endif 262 #ifndef SUDOERS_MODE 263 # define SUDOERS_MODE 0600 264 #endif 265 266 struct sudo_lbuf; 267 struct passwd; 268 struct stat; 269 struct timespec; 270 271 /* 272 * Function prototypes 273 */ 274 #define YY_DECL int sudoerslex(void) 275 276 /* goodpath.c */ 277 bool sudo_goodpath(const char *path, const char *runchroot, struct stat *sbp); 278 279 /* findpath.c */ 280 int find_path(const char *infile, char **outfile, struct stat *sbp, 281 const char *path, const char *runchroot, int ignore_dot, 282 char * const *allowlist); 283 284 /* check.c */ 285 int check_user(int validate, int mode); 286 bool check_user_shell(const struct passwd *pw); 287 bool user_is_exempt(void); 288 289 /* prompt.c */ 290 char *expand_prompt(const char *old_prompt, const char *auth_user); 291 292 /* timestamp.c */ 293 int timestamp_remove(bool unlinkit); 294 295 /* sudo_auth.c */ 296 bool sudo_auth_needs_end_session(void); 297 int verify_user(struct passwd *pw, char *prompt, int validated, struct sudo_conv_callback *callback); 298 int sudo_auth_begin_session(struct passwd *pw, char **user_env[]); 299 int sudo_auth_end_session(struct passwd *pw); 300 int sudo_auth_init(struct passwd *pw); 301 int sudo_auth_approval(struct passwd *pw, int validated, bool exempt); 302 int sudo_auth_cleanup(struct passwd *pw, bool force); 303 304 /* set_perms.c */ 305 bool rewind_perms(void); 306 bool set_perms(int); 307 bool restore_perms(void); 308 int pam_prep_user(struct passwd *); 309 310 /* gram.y */ 311 int sudoersparse(void); 312 extern char *login_style; 313 extern char *errorfile; 314 extern int errorlineno; 315 extern bool parse_error; 316 extern bool sudoers_warnings; 317 extern bool sudoers_recovery; 318 extern bool sudoers_strict; 319 320 /* toke.l */ 321 YY_DECL; 322 void sudoersrestart(FILE *); 323 extern FILE *sudoersin; 324 extern const char *sudoers_file; 325 extern char *sudoers; 326 extern mode_t sudoers_mode; 327 extern uid_t sudoers_uid; 328 extern gid_t sudoers_gid; 329 extern int sudolineno; 330 331 /* defaults.c */ 332 void dump_defaults(void); 333 void dump_auth_methods(void); 334 335 /* getspwuid.c */ 336 char *sudo_getepw(const struct passwd *); 337 338 /* pwutil.c */ 339 typedef struct cache_item * (*sudo_make_pwitem_t)(uid_t uid, const char *user); 340 typedef struct cache_item * (*sudo_make_gritem_t)(gid_t gid, const char *group); 341 typedef struct cache_item * (*sudo_make_gidlist_item_t)(const struct passwd *pw, char * const *gids, unsigned int type); 342 typedef struct cache_item * (*sudo_make_grlist_item_t)(const struct passwd *pw, char * const *groups); 343 sudo_dso_public struct group *sudo_getgrgid(gid_t); 344 sudo_dso_public struct group *sudo_getgrnam(const char *); 345 sudo_dso_public void sudo_gr_addref(struct group *); 346 sudo_dso_public void sudo_gr_delref(struct group *); 347 bool user_in_group(const struct passwd *, const char *); 348 struct group *sudo_fakegrnam(const char *); 349 struct group *sudo_mkgrent(const char *group, gid_t gid, ...); 350 struct gid_list *sudo_get_gidlist(const struct passwd *pw, unsigned int type); 351 struct group_list *sudo_get_grlist(const struct passwd *pw); 352 struct passwd *sudo_fakepwnam(const char *, gid_t); 353 struct passwd *sudo_mkpwent(const char *user, uid_t uid, gid_t gid, const char *home, const char *shell); 354 struct passwd *sudo_getpwnam(const char *); 355 struct passwd *sudo_getpwuid(uid_t); 356 void sudo_endspent(void); 357 void sudo_freegrcache(void); 358 void sudo_freepwcache(void); 359 void sudo_gidlist_addref(struct gid_list *); 360 void sudo_gidlist_delref(struct gid_list *); 361 void sudo_grlist_addref(struct group_list *); 362 void sudo_grlist_delref(struct group_list *); 363 void sudo_pw_addref(struct passwd *); 364 void sudo_pw_delref(struct passwd *); 365 int sudo_set_gidlist(struct passwd *pw, char * const *gids, unsigned int type); 366 int sudo_set_grlist(struct passwd *pw, char * const *groups); 367 void sudo_pwutil_set_backend(sudo_make_pwitem_t, sudo_make_gritem_t, sudo_make_gidlist_item_t, sudo_make_grlist_item_t); 368 void sudo_setspent(void); 369 370 /* timestr.c */ 371 char *get_timestr(time_t, int); 372 373 /* boottime.c */ 374 bool get_boottime(struct timespec *); 375 376 /* iolog.c */ 377 bool cb_maxseq(const union sudo_defs_val *sd_un); 378 bool cb_iolog_user(const union sudo_defs_val *sd_un); 379 bool cb_iolog_group(const union sudo_defs_val *sd_un); 380 bool cb_iolog_mode(const union sudo_defs_val *sd_un); 381 382 /* iolog_path_escapes.c */ 383 struct iolog_path_escape; 384 extern const struct iolog_path_escape *sudoers_iolog_path_escapes; 385 386 /* env.c */ 387 char **env_get(void); 388 bool env_merge(char * const envp[]); 389 bool env_swap_old(void); 390 bool env_init(char * const envp[]); 391 bool init_envtables(void); 392 bool insert_env_vars(char * const envp[]); 393 bool read_env_file(const char *path, bool overwrite, bool restricted); 394 bool rebuild_env(void); 395 bool validate_env_vars(char * const envp[]); 396 int sudo_setenv(const char *var, const char *val, int overwrite); 397 int sudo_unsetenv(const char *var); 398 char *sudo_getenv(const char *name); 399 char *sudo_getenv_nodebug(const char *name); 400 int sudo_putenv_nodebug(char *str, bool dupcheck, bool overwrite); 401 int sudo_unsetenv_nodebug(const char *var); 402 int sudoers_hook_getenv(const char *name, char **value, void *closure); 403 int sudoers_hook_putenv(char *string, void *closure); 404 int sudoers_hook_setenv(const char *name, const char *value, int overwrite, void *closure); 405 int sudoers_hook_unsetenv(const char *name, void *closure); 406 void register_env_file(void * (*ef_open)(const char *), void (*ef_close)(void *), char * (*ef_next)(void *, int *), bool system); 407 408 /* env_pattern.c */ 409 bool matches_env_pattern(const char *pattern, const char *var, bool *full_match); 410 411 /* sudoers.c */ 412 FILE *open_sudoers(const char *, bool, bool *); 413 int set_cmnd_path(const char *runchroot); 414 int sudoers_init(void *info, char * const envp[]); 415 int sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[], bool verbose, void *closure); 416 void sudoers_cleanup(void); 417 void sudo_user_free(void); 418 extern struct sudo_user sudo_user; 419 extern struct passwd *list_pw; 420 extern bool force_umask; 421 extern int sudo_mode; 422 extern uid_t timestamp_uid; 423 extern gid_t timestamp_gid; 424 extern sudo_conv_t sudo_conv; 425 extern sudo_printf_t sudo_printf; 426 427 /* sudoers_debug.c */ 428 bool sudoers_debug_parse_flags(struct sudo_conf_debug_file_list *debug_files, const char *entry); 429 bool sudoers_debug_register(const char *plugin_path, struct sudo_conf_debug_file_list *debug_files); 430 void sudoers_debug_deregister(void); 431 432 /* policy.c */ 433 int sudoers_policy_deserialize_info(void *v, struct defaults_list *defaults); 434 bool sudoers_policy_store_result(bool accepted, char *argv[], char *envp[], mode_t cmnd_umask, char *iolog_path, void *v); 435 extern const char *path_ldap_conf; 436 extern const char *path_ldap_secret; 437 438 /* group_plugin.c */ 439 int group_plugin_load(char *plugin_info); 440 void group_plugin_unload(void); 441 int group_plugin_query(const char *user, const char *group, 442 const struct passwd *pwd); 443 bool cb_group_plugin(const union sudo_defs_val *sd_un); 444 extern const char *path_plugin_dir; 445 446 /* editor.c */ 447 char *find_editor(int nfiles, char **files, int *argc_out, char ***argv_out, 448 char * const *allowlist, const char **env_editor, bool env_error); 449 450 /* exptilde.c */ 451 bool expand_tilde(char **path, const char *user); 452 453 /* gc.c */ 454 enum sudoers_gc_types { 455 GC_UNKNOWN, 456 GC_VECTOR, 457 GC_PTR 458 }; 459 bool sudoers_gc_add(enum sudoers_gc_types type, void *ptr); 460 bool sudoers_gc_remove(enum sudoers_gc_types type, void *ptr); 461 void sudoers_gc_init(void); 462 void sudoers_gc_run(void); 463 464 /* strlcpy_unesc.c */ 465 size_t strlcpy_unescape(char *dst, const char *src, size_t size); 466 467 /* strvec_join.c */ 468 char *strvec_join(char *const argv[], char sep, size_t (*cpy)(char *, const char *, size_t)); 469 470 #endif /* SUDOERS_SUDOERS_H */ 471