/src/sudo/plugins/sudoers/pwutil.c
Line | Count | Source |
1 | | /* |
2 | | * SPDX-License-Identifier: ISC |
3 | | * |
4 | | * Copyright (c) 1996, 1998-2005, 2007-2018 |
5 | | * Todd C. Miller <Todd.Miller@sudo.ws> |
6 | | * |
7 | | * Permission to use, copy, modify, and distribute this software for any |
8 | | * purpose with or without fee is hereby granted, provided that the above |
9 | | * copyright notice and this permission notice appear in all copies. |
10 | | * |
11 | | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
12 | | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
13 | | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR |
14 | | * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
15 | | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN |
16 | | * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF |
17 | | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
18 | | * |
19 | | * Sponsored in part by the Defense Advanced Research Projects |
20 | | * Agency (DARPA) and Air Force Research Laboratory, Air Force |
21 | | * Materiel Command, USAF, under agreement number F39502-99-1-0512. |
22 | | */ |
23 | | |
24 | | #include <config.h> |
25 | | |
26 | | #include <stdarg.h> |
27 | | #include <stddef.h> |
28 | | #include <stdio.h> |
29 | | #include <stdlib.h> |
30 | | #include <string.h> |
31 | | #ifdef HAVE_STRINGS_H |
32 | | # include <strings.h> /* strcasecmp */ |
33 | | #endif |
34 | | #ifdef HAVE_SETAUTHDB |
35 | | # include <usersec.h> |
36 | | #endif /* HAVE_SETAUTHDB */ |
37 | | #include <errno.h> |
38 | | #include <pwd.h> |
39 | | #include <grp.h> |
40 | | |
41 | | #include <sudoers.h> |
42 | | #include <redblack.h> |
43 | | #include <pwutil.h> |
44 | | |
45 | | /* |
46 | | * The passwd and group caches. |
47 | | */ |
48 | | static struct rbtree *pwcache_byuid, *pwcache_byname; |
49 | | static struct rbtree *grcache_bygid, *grcache_byname; |
50 | | static struct rbtree *gidlist_cache, *grlist_cache; |
51 | | |
52 | | static int cmp_pwuid(const void *, const void *); |
53 | | static int cmp_pwnam(const void *, const void *); |
54 | | static int cmp_grgid(const void *, const void *); |
55 | | |
56 | | static int max_groups; |
57 | | |
58 | | /* |
59 | | * Default functions for building cache items. |
60 | | */ |
61 | | static sudo_make_pwitem_t make_pwitem = sudo_make_pwitem; |
62 | | static sudo_make_gritem_t make_gritem = sudo_make_gritem; |
63 | | static sudo_make_gidlist_item_t make_gidlist_item = sudo_make_gidlist_item; |
64 | | static sudo_make_grlist_item_t make_grlist_item = sudo_make_grlist_item; |
65 | | static sudo_valid_shell_t valid_shell = sudo_valid_shell; |
66 | | |
67 | 0 | #define cmp_grnam cmp_pwnam |
68 | | |
69 | | /* |
70 | | * AIX has the concept of authentication registries (files, NIS, LDAP, etc). |
71 | | * This allows you to have separate ID <-> name mappings based on which |
72 | | * authentication registries the user was looked up in. |
73 | | * We store the registry as part of the key and use it when matching. |
74 | | */ |
75 | | #ifdef HAVE_SETAUTHDB |
76 | | # define getauthregistry(u, r) aix_getauthregistry((u), (r)) |
77 | | #else |
78 | 0 | # define getauthregistry(u, r) ((r)[0] = '\0') |
79 | | #endif |
80 | | |
81 | | /* |
82 | | * Change the default pwutil backend functions. |
83 | | * The default functions query the password and group databases. |
84 | | */ |
85 | | void |
86 | | sudo_pwutil_set_backend(sudo_make_pwitem_t pwitem, sudo_make_gritem_t gritem, |
87 | | sudo_make_gidlist_item_t gidlist_item, sudo_make_grlist_item_t grlist_item, |
88 | | sudo_valid_shell_t check_shell) |
89 | 0 | { |
90 | 0 | debug_decl(sudo_pwutil_set_backend, SUDOERS_DEBUG_NSS); |
91 | |
|
92 | 0 | if (pwitem != NULL) |
93 | 0 | make_pwitem = pwitem; |
94 | 0 | if (gritem != NULL) |
95 | 0 | make_gritem = gritem; |
96 | 0 | if (gidlist_item != NULL) |
97 | 0 | make_gidlist_item = gidlist_item; |
98 | 0 | if (grlist_item != NULL) |
99 | 0 | make_grlist_item = grlist_item; |
100 | 0 | if (check_shell != NULL) |
101 | 0 | valid_shell = check_shell; |
102 | |
|
103 | 0 | debug_return; |
104 | 0 | } |
105 | | |
106 | | /* Get the max number of user groups if set, or 0 if not set. */ |
107 | | int |
108 | | sudo_pwutil_get_max_groups(void) |
109 | 0 | { |
110 | 0 | return max_groups; |
111 | 0 | } |
112 | | |
113 | | /* Set the max number of user groups (negative values ignored). */ |
114 | | void |
115 | | sudo_pwutil_set_max_groups(int n) |
116 | 0 | { |
117 | 0 | max_groups = n > 0 ? n : 0; |
118 | 0 | } |
119 | | |
120 | | /* |
121 | | * Compare by user-ID. |
122 | | * v1 is the key to find or data to insert, v2 is in-tree data. |
123 | | */ |
124 | | static int |
125 | | cmp_pwuid(const void *v1, const void *v2) |
126 | 0 | { |
127 | 0 | const struct cache_item *ci1 = (const struct cache_item *) v1; |
128 | 0 | const struct cache_item *ci2 = (const struct cache_item *) v2; |
129 | 0 | if (ci1->k.uid == ci2->k.uid) |
130 | 0 | return strcmp(ci1->registry, ci2->registry); |
131 | 0 | if (ci1->k.uid < ci2->k.uid) |
132 | 0 | return -1; |
133 | 0 | return 1; |
134 | 0 | } |
135 | | |
136 | | /* |
137 | | * Compare by user/group name. |
138 | | * v1 is the key to find or data to insert, v2 is in-tree data. |
139 | | */ |
140 | | static int |
141 | | cmp_pwnam(const void *v1, const void *v2) |
142 | 0 | { |
143 | 0 | const struct cache_item *ci1 = (const struct cache_item *) v1; |
144 | 0 | const struct cache_item *ci2 = (const struct cache_item *) v2; |
145 | 0 | int ret = strcmp(ci1->k.name, ci2->k.name); |
146 | 0 | if (ret == 0) |
147 | 0 | ret = strcmp(ci1->registry, ci2->registry); |
148 | 0 | return ret; |
149 | 0 | } |
150 | | |
151 | | /* |
152 | | * Compare by user name, taking into account the source type. |
153 | | * Need to differentiate between group-IDs received from the front-end |
154 | | * (via getgroups()) and groups IDs queried from the group database. |
155 | | * v1 is the key to find or data to insert, v2 is in-tree data. |
156 | | */ |
157 | | static int |
158 | | cmp_gidlist(const void *v1, const void *v2) |
159 | 0 | { |
160 | 0 | const struct cache_item *ci1 = (const struct cache_item *) v1; |
161 | 0 | const struct cache_item *ci2 = (const struct cache_item *) v2; |
162 | 0 | int ret = strcmp(ci1->k.name, ci2->k.name); |
163 | 0 | if (ret == 0) { |
164 | 0 | if (ci1->type == ENTRY_TYPE_ANY || ci1->type == ci2->type) |
165 | 0 | return strcmp(ci1->registry, ci2->registry); |
166 | 0 | if (ci1->type < ci2->type) |
167 | 0 | return -1; |
168 | 0 | return 1; |
169 | 0 | } |
170 | 0 | return ret; |
171 | 0 | } |
172 | | |
173 | | void |
174 | | sudo_pw_addref(struct passwd *pw) |
175 | 0 | { |
176 | 0 | debug_decl(sudo_pw_addref, SUDOERS_DEBUG_NSS); |
177 | 0 | ptr_to_item(pw)->refcnt++; |
178 | 0 | debug_return; |
179 | 0 | } |
180 | | |
181 | | static void |
182 | | sudo_pw_delref_item(void *v) |
183 | 0 | { |
184 | 0 | struct cache_item *item = v; |
185 | 0 | debug_decl(sudo_pw_delref_item, SUDOERS_DEBUG_NSS); |
186 | |
|
187 | 0 | if (--item->refcnt == 0) |
188 | 0 | free(item); |
189 | |
|
190 | 0 | debug_return; |
191 | 0 | } |
192 | | |
193 | | void |
194 | | sudo_pw_delref(struct passwd *pw) |
195 | 0 | { |
196 | 0 | debug_decl(sudo_pw_delref, SUDOERS_DEBUG_NSS); |
197 | 0 | sudo_pw_delref_item(ptr_to_item(pw)); |
198 | 0 | debug_return; |
199 | 0 | } |
200 | | |
201 | | /* |
202 | | * Get a password entry by uid and allocate space for it. |
203 | | */ |
204 | | struct passwd * |
205 | | sudo_getpwuid(uid_t uid) |
206 | 0 | { |
207 | 0 | struct cache_item key, *item; |
208 | 0 | struct rbnode *node; |
209 | 0 | debug_decl(sudo_getpwuid, SUDOERS_DEBUG_NSS); |
210 | |
|
211 | 0 | if (pwcache_byuid == NULL) { |
212 | 0 | pwcache_byuid = rbcreate(cmp_pwuid); |
213 | 0 | if (pwcache_byuid == NULL) { |
214 | 0 | sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory")); |
215 | 0 | debug_return_ptr(NULL); |
216 | 0 | } |
217 | 0 | } |
218 | | |
219 | 0 | key.k.uid = uid; |
220 | 0 | getauthregistry(IDtouser(uid), key.registry); |
221 | 0 | if ((node = rbfind(pwcache_byuid, &key)) != NULL) { |
222 | 0 | item = node->data; |
223 | 0 | goto done; |
224 | 0 | } |
225 | | /* |
226 | | * Cache passwd db entry if it exists or a negative response if not. |
227 | | */ |
228 | | #ifdef HAVE_SETAUTHDB |
229 | | aix_setauthdb(IDtouser(uid), key.registry); |
230 | | #endif |
231 | 0 | item = make_pwitem(uid, NULL); |
232 | | #ifdef HAVE_SETAUTHDB |
233 | | aix_restoreauthdb(); |
234 | | #endif |
235 | 0 | if (item == NULL) { |
236 | 0 | if (errno != ENOENT || (item = calloc(1, sizeof(*item))) == NULL) { |
237 | 0 | sudo_warn(U_("unable to cache uid %u"), (unsigned int) uid); |
238 | | /* cppcheck-suppress memleak */ |
239 | 0 | debug_return_ptr(NULL); |
240 | 0 | } |
241 | 0 | item->refcnt = 1; |
242 | 0 | item->k.uid = uid; |
243 | | /* item->d.pw = NULL; */ |
244 | 0 | } |
245 | 0 | strlcpy(item->registry, key.registry, sizeof(item->registry)); |
246 | 0 | switch (rbinsert(pwcache_byuid, item, NULL)) { |
247 | 0 | case 1: |
248 | | /* should not happen */ |
249 | 0 | sudo_warnx(U_("unable to cache uid %u, already exists"), |
250 | 0 | (unsigned int) uid); |
251 | 0 | item->refcnt = 0; |
252 | 0 | break; |
253 | 0 | case -1: |
254 | | /* can't cache item, just return it */ |
255 | 0 | sudo_warn(U_("unable to cache uid %u"), (unsigned int) uid); |
256 | 0 | item->refcnt = 0; |
257 | 0 | break; |
258 | 0 | } |
259 | 0 | done: |
260 | 0 | if (item->refcnt != 0) { |
261 | 0 | sudo_debug_printf(SUDO_DEBUG_DEBUG, |
262 | 0 | "%s: uid %u [%s] -> user %s [%s] (%s)", __func__, |
263 | 0 | (unsigned int)uid, key.registry, |
264 | 0 | item->d.pw ? item->d.pw->pw_name : "unknown", |
265 | 0 | item->registry, node ? "cache hit" : "cached"); |
266 | 0 | } |
267 | 0 | if (item->d.pw != NULL) |
268 | 0 | item->refcnt++; |
269 | 0 | debug_return_ptr(item->d.pw); |
270 | 0 | } |
271 | | |
272 | | /* |
273 | | * Get a password entry by name and allocate space for it. |
274 | | */ |
275 | | struct passwd * |
276 | | sudo_getpwnam(const char *name) |
277 | 0 | { |
278 | 0 | struct cache_item key, *item; |
279 | 0 | struct rbnode *node; |
280 | 0 | debug_decl(sudo_getpwnam, SUDOERS_DEBUG_NSS); |
281 | |
|
282 | 0 | if (pwcache_byname == NULL) { |
283 | 0 | pwcache_byname = rbcreate(cmp_pwnam); |
284 | 0 | if (pwcache_byname == NULL) { |
285 | 0 | sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory")); |
286 | 0 | debug_return_ptr(NULL); |
287 | 0 | } |
288 | 0 | } |
289 | | |
290 | 0 | key.k.name = (char *) name; |
291 | 0 | getauthregistry((char *) name, key.registry); |
292 | 0 | if ((node = rbfind(pwcache_byname, &key)) != NULL) { |
293 | 0 | item = node->data; |
294 | 0 | goto done; |
295 | 0 | } |
296 | | /* |
297 | | * Cache passwd db entry if it exists or a negative response if not. |
298 | | */ |
299 | | #ifdef HAVE_SETAUTHDB |
300 | | aix_setauthdb((char *) name, key.registry); |
301 | | #endif |
302 | 0 | item = make_pwitem((uid_t)-1, name); |
303 | | #ifdef HAVE_SETAUTHDB |
304 | | aix_restoreauthdb(); |
305 | | #endif |
306 | 0 | if (item == NULL) { |
307 | 0 | const size_t len = strlen(name) + 1; |
308 | 0 | if (errno != ENOENT || (item = calloc(1, sizeof(*item) + len)) == NULL) { |
309 | 0 | sudo_warn(U_("unable to cache user %s"), name); |
310 | | /* cppcheck-suppress memleak */ |
311 | 0 | debug_return_ptr(NULL); |
312 | 0 | } |
313 | 0 | item->refcnt = 1; |
314 | 0 | item->k.name = (char *) item + sizeof(*item); |
315 | 0 | memcpy(item->k.name, name, len); |
316 | | /* item->d.pw = NULL; */ |
317 | 0 | } |
318 | 0 | strlcpy(item->registry, key.registry, sizeof(item->registry)); |
319 | 0 | switch (rbinsert(pwcache_byname, item, NULL)) { |
320 | 0 | case 1: |
321 | | /* should not happen */ |
322 | 0 | sudo_warnx(U_("unable to cache user %s, already exists"), name); |
323 | 0 | item->refcnt = 0; |
324 | 0 | break; |
325 | 0 | case -1: |
326 | | /* can't cache item, just return it */ |
327 | 0 | sudo_warn(U_("unable to cache user %s"), name); |
328 | 0 | item->refcnt = 0; |
329 | 0 | break; |
330 | 0 | } |
331 | 0 | done: |
332 | 0 | if (item->refcnt != 0) { |
333 | 0 | sudo_debug_printf(SUDO_DEBUG_DEBUG, |
334 | 0 | "%s: user %s [%s] -> uid %d [%s] (%s)", __func__, name, |
335 | 0 | key.registry, item->d.pw ? (int)item->d.pw->pw_uid : -1, |
336 | 0 | item->registry, node ? "cache hit" : "cached"); |
337 | 0 | } |
338 | 0 | if (item->d.pw != NULL) |
339 | 0 | item->refcnt++; |
340 | 0 | debug_return_ptr(item->d.pw); |
341 | 0 | } |
342 | | |
343 | | /* |
344 | | * Take a user, uid, gid, home and shell and return a faked up passwd struct. |
345 | | * If home or shell are NULL default values will be used. |
346 | | */ |
347 | | struct passwd * |
348 | | sudo_mkpwent(const char *user, uid_t uid, gid_t gid, const char *home, |
349 | | const char *shell) |
350 | 0 | { |
351 | 0 | struct cache_item_pw *pwitem; |
352 | 0 | struct cache_item *item; |
353 | 0 | struct passwd *pw; |
354 | 0 | size_t len, name_len, home_len, shell_len; |
355 | 0 | unsigned int i; |
356 | 0 | debug_decl(sudo_mkpwent, SUDOERS_DEBUG_NSS); |
357 | |
|
358 | 0 | if (pwcache_byuid == NULL) |
359 | 0 | pwcache_byuid = rbcreate(cmp_pwuid); |
360 | 0 | if (pwcache_byname == NULL) |
361 | 0 | pwcache_byname = rbcreate(cmp_pwnam); |
362 | 0 | if (pwcache_byuid == NULL || pwcache_byname == NULL) { |
363 | 0 | sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory")); |
364 | 0 | debug_return_ptr(NULL); |
365 | 0 | } |
366 | | |
367 | | /* Optional arguments. */ |
368 | 0 | if (home == NULL) |
369 | 0 | home = "/"; |
370 | 0 | if (shell == NULL) |
371 | 0 | shell = _PATH_BSHELL; |
372 | |
|
373 | 0 | sudo_debug_printf(SUDO_DEBUG_DEBUG, |
374 | 0 | "%s: creating and caching passwd struct for %s:%u:%u:%s:%s", __func__, |
375 | 0 | user, (unsigned int)uid, (unsigned int)gid, home, shell); |
376 | |
|
377 | 0 | name_len = strlen(user); |
378 | 0 | home_len = strlen(home); |
379 | 0 | shell_len = strlen(shell); |
380 | 0 | len = sizeof(*pwitem) + name_len + 1 /* pw_name */ + |
381 | 0 | sizeof("*") /* pw_passwd */ + sizeof("") /* pw_gecos */ + |
382 | 0 | home_len + 1 /* pw_dir */ + shell_len + 1 /* pw_shell */; |
383 | |
|
384 | 0 | for (i = 0; i < 2; i++) { |
385 | 0 | struct rbtree *pwcache; |
386 | 0 | struct rbnode *node; |
387 | |
|
388 | 0 | pwitem = calloc(1, len); |
389 | 0 | if (pwitem == NULL) { |
390 | 0 | sudo_warn(U_("unable to cache user %s"), user); |
391 | 0 | debug_return_ptr(NULL); |
392 | 0 | } |
393 | 0 | pw = &pwitem->pw; |
394 | 0 | pw->pw_uid = uid; |
395 | 0 | pw->pw_gid = gid; |
396 | 0 | pw->pw_name = (char *)(pwitem + 1); |
397 | 0 | memcpy(pw->pw_name, user, name_len + 1); |
398 | 0 | pw->pw_passwd = pw->pw_name + name_len + 1; |
399 | 0 | memcpy(pw->pw_passwd, "*", 2); |
400 | 0 | pw->pw_gecos = pw->pw_passwd + 2; |
401 | 0 | pw->pw_gecos[0] = '\0'; |
402 | 0 | pw->pw_dir = pw->pw_gecos + 1; |
403 | 0 | memcpy(pw->pw_dir, home, home_len + 1); |
404 | 0 | pw->pw_shell = pw->pw_dir + home_len + 1; |
405 | 0 | memcpy(pw->pw_shell, shell, shell_len + 1); |
406 | |
|
407 | 0 | item = &pwitem->cache; |
408 | 0 | item->refcnt = 1; |
409 | 0 | item->d.pw = pw; |
410 | 0 | if (i == 0) { |
411 | | /* Store by uid. */ |
412 | 0 | item->k.uid = pw->pw_uid; |
413 | 0 | pwcache = pwcache_byuid; |
414 | 0 | } else { |
415 | | /* Store by name. */ |
416 | 0 | item->k.name = pw->pw_name; |
417 | 0 | pwcache = pwcache_byname; |
418 | 0 | } |
419 | 0 | getauthregistry(NULL, item->registry); |
420 | 0 | switch (rbinsert(pwcache, item, &node)) { |
421 | 0 | case 1: |
422 | | /* Already exists. */ |
423 | 0 | item = node->data; |
424 | 0 | if (item->d.pw == NULL) { |
425 | | /* Negative cache entry, replace with ours. */ |
426 | 0 | sudo_pw_delref_item(item); |
427 | 0 | item = node->data = &pwitem->cache; |
428 | 0 | } else { |
429 | | /* Good entry, discard our fake one. */ |
430 | 0 | free(pwitem); |
431 | 0 | } |
432 | 0 | break; |
433 | 0 | case -1: |
434 | | /* can't cache item, just return it */ |
435 | 0 | sudo_warn(U_("unable to cache user %s"), user); |
436 | 0 | item->refcnt = 0; |
437 | 0 | break; |
438 | 0 | } |
439 | 0 | } |
440 | 0 | item->refcnt++; |
441 | 0 | debug_return_ptr(item->d.pw); |
442 | 0 | } |
443 | | |
444 | | /* |
445 | | * Take a uid in string form "#123" and return a faked up passwd struct. |
446 | | */ |
447 | | struct passwd * |
448 | | sudo_fakepwnam(const char *user, gid_t gid) |
449 | 0 | { |
450 | 0 | const char *errstr; |
451 | 0 | uid_t uid; |
452 | 0 | debug_decl(sudo_fakepwnam, SUDOERS_DEBUG_NSS); |
453 | |
|
454 | 0 | uid = (uid_t) sudo_strtoid(user + 1, &errstr); |
455 | 0 | if (errstr != NULL) { |
456 | 0 | sudo_debug_printf(SUDO_DEBUG_DIAG|SUDO_DEBUG_LINENO, |
457 | 0 | "uid %s %s", user, errstr); |
458 | 0 | debug_return_ptr(NULL); |
459 | 0 | } |
460 | 0 | debug_return_ptr(sudo_mkpwent(user, uid, gid, NULL, NULL)); |
461 | 0 | } |
462 | | |
463 | | void |
464 | | sudo_freepwcache(void) |
465 | 0 | { |
466 | 0 | debug_decl(sudo_freepwcache, SUDOERS_DEBUG_NSS); |
467 | |
|
468 | 0 | if (pwcache_byuid != NULL) { |
469 | 0 | rbdestroy(pwcache_byuid, sudo_pw_delref_item); |
470 | 0 | pwcache_byuid = NULL; |
471 | 0 | } |
472 | 0 | if (pwcache_byname != NULL) { |
473 | 0 | rbdestroy(pwcache_byname, sudo_pw_delref_item); |
474 | 0 | pwcache_byname = NULL; |
475 | 0 | } |
476 | |
|
477 | 0 | debug_return; |
478 | 0 | } |
479 | | |
480 | | /* |
481 | | * Compare by group-ID. |
482 | | * v1 is the key to find or data to insert, v2 is in-tree data. |
483 | | */ |
484 | | static int |
485 | | cmp_grgid(const void *v1, const void *v2) |
486 | 0 | { |
487 | 0 | const struct cache_item *ci1 = (const struct cache_item *) v1; |
488 | 0 | const struct cache_item *ci2 = (const struct cache_item *) v2; |
489 | 0 | if (ci1->k.gid == ci2->k.gid) |
490 | 0 | return strcmp(ci1->registry, ci2->registry); |
491 | 0 | if (ci1->k.gid < ci2->k.gid) |
492 | 0 | return -1; |
493 | 0 | return 1; |
494 | 0 | } |
495 | | |
496 | | void |
497 | | sudo_gr_addref(struct group *gr) |
498 | 0 | { |
499 | 0 | debug_decl(sudo_gr_addref, SUDOERS_DEBUG_NSS); |
500 | 0 | ptr_to_item(gr)->refcnt++; |
501 | 0 | debug_return; |
502 | 0 | } |
503 | | |
504 | | static void |
505 | | sudo_gr_delref_item(void *v) |
506 | 0 | { |
507 | 0 | struct cache_item *item = v; |
508 | 0 | debug_decl(sudo_gr_delref_item, SUDOERS_DEBUG_NSS); |
509 | |
|
510 | 0 | if (--item->refcnt == 0) |
511 | 0 | free(item); |
512 | |
|
513 | 0 | debug_return; |
514 | 0 | } |
515 | | |
516 | | void |
517 | | sudo_gr_delref(struct group *gr) |
518 | 0 | { |
519 | 0 | debug_decl(sudo_gr_delref, SUDOERS_DEBUG_NSS); |
520 | 0 | sudo_gr_delref_item(ptr_to_item(gr)); |
521 | 0 | debug_return; |
522 | 0 | } |
523 | | |
524 | | /* |
525 | | * Get a group entry by gid and allocate space for it. |
526 | | */ |
527 | | struct group * |
528 | | sudo_getgrgid(gid_t gid) |
529 | 0 | { |
530 | 0 | struct cache_item key, *item; |
531 | 0 | struct rbnode *node; |
532 | 0 | debug_decl(sudo_getgrgid, SUDOERS_DEBUG_NSS); |
533 | |
|
534 | 0 | if (grcache_bygid == NULL) { |
535 | 0 | grcache_bygid = rbcreate(cmp_grgid); |
536 | 0 | if (grcache_bygid == NULL) { |
537 | 0 | sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory")); |
538 | 0 | debug_return_ptr(NULL); |
539 | 0 | } |
540 | 0 | } |
541 | | |
542 | 0 | key.k.gid = gid; |
543 | 0 | getauthregistry(NULL, key.registry); |
544 | 0 | if ((node = rbfind(grcache_bygid, &key)) != NULL) { |
545 | 0 | item = node->data; |
546 | 0 | goto done; |
547 | 0 | } |
548 | | /* |
549 | | * Cache group db entry if it exists or a negative response if not. |
550 | | */ |
551 | 0 | item = make_gritem(gid, NULL); |
552 | 0 | if (item == NULL) { |
553 | 0 | if (errno != ENOENT || (item = calloc(1, sizeof(*item))) == NULL) { |
554 | 0 | sudo_warn(U_("unable to cache gid %u"), (unsigned int) gid); |
555 | | /* cppcheck-suppress memleak */ |
556 | 0 | debug_return_ptr(NULL); |
557 | 0 | } |
558 | 0 | item->refcnt = 1; |
559 | 0 | item->k.gid = gid; |
560 | | /* item->d.gr = NULL; */ |
561 | 0 | } |
562 | 0 | strlcpy(item->registry, key.registry, sizeof(item->registry)); |
563 | 0 | switch (rbinsert(grcache_bygid, item, NULL)) { |
564 | 0 | case 1: |
565 | | /* should not happen */ |
566 | 0 | sudo_warnx(U_("unable to cache gid %u, already exists"), |
567 | 0 | (unsigned int) gid); |
568 | 0 | item->refcnt = 0; |
569 | 0 | break; |
570 | 0 | case -1: |
571 | | /* can't cache item, just return it */ |
572 | 0 | sudo_warn(U_("unable to cache gid %u"), (unsigned int) gid); |
573 | 0 | item->refcnt = 0; |
574 | 0 | break; |
575 | 0 | } |
576 | 0 | done: |
577 | 0 | if (item->refcnt != 0) { |
578 | 0 | sudo_debug_printf(SUDO_DEBUG_DEBUG, |
579 | 0 | "%s: gid %u [%s] -> group %s [%s] (%s)", __func__, |
580 | 0 | (unsigned int)gid, key.registry, |
581 | 0 | item->d.gr ? item->d.gr->gr_name : "unknown", |
582 | 0 | item->registry, node ? "cache hit" : "cached"); |
583 | 0 | } |
584 | 0 | if (item->d.gr != NULL) |
585 | 0 | item->refcnt++; |
586 | 0 | debug_return_ptr(item->d.gr); |
587 | 0 | } |
588 | | |
589 | | /* |
590 | | * Get a group entry by name and allocate space for it. |
591 | | */ |
592 | | struct group * |
593 | | sudo_getgrnam(const char *name) |
594 | 0 | { |
595 | 0 | struct cache_item key, *item; |
596 | 0 | struct rbnode *node; |
597 | 0 | debug_decl(sudo_getgrnam, SUDOERS_DEBUG_NSS); |
598 | |
|
599 | 0 | if (grcache_byname == NULL) { |
600 | 0 | grcache_byname = rbcreate(cmp_grnam); |
601 | 0 | if (grcache_byname == NULL) { |
602 | 0 | sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory")); |
603 | 0 | debug_return_ptr(NULL); |
604 | 0 | } |
605 | 0 | } |
606 | | |
607 | 0 | key.k.name = (char *) name; |
608 | 0 | getauthregistry(NULL, key.registry); |
609 | 0 | if ((node = rbfind(grcache_byname, &key)) != NULL) { |
610 | 0 | item = node->data; |
611 | 0 | goto done; |
612 | 0 | } |
613 | | /* |
614 | | * Cache group db entry if it exists or a negative response if not. |
615 | | */ |
616 | 0 | item = make_gritem((gid_t)-1, name); |
617 | 0 | if (item == NULL) { |
618 | 0 | const size_t len = strlen(name) + 1; |
619 | 0 | if (errno != ENOENT || (item = calloc(1, sizeof(*item) + len)) == NULL) { |
620 | 0 | sudo_warn(U_("unable to cache group %s"), name); |
621 | | /* cppcheck-suppress memleak */ |
622 | 0 | debug_return_ptr(NULL); |
623 | 0 | } |
624 | 0 | item->refcnt = 1; |
625 | 0 | item->k.name = (char *) item + sizeof(*item); |
626 | 0 | memcpy(item->k.name, name, len); |
627 | | /* item->d.gr = NULL; */ |
628 | 0 | } |
629 | 0 | strlcpy(item->registry, key.registry, sizeof(item->registry)); |
630 | 0 | switch (rbinsert(grcache_byname, item, NULL)) { |
631 | 0 | case 1: |
632 | | /* should not happen */ |
633 | 0 | sudo_warnx(U_("unable to cache group %s, already exists"), name); |
634 | 0 | item->refcnt = 0; |
635 | 0 | break; |
636 | 0 | case -1: |
637 | | /* can't cache item, just return it */ |
638 | 0 | sudo_warn(U_("unable to cache group %s"), name); |
639 | 0 | item->refcnt = 0; |
640 | 0 | break; |
641 | 0 | } |
642 | 0 | done: |
643 | 0 | if (item->refcnt != 0) { |
644 | 0 | sudo_debug_printf(SUDO_DEBUG_DEBUG, |
645 | 0 | "%s: group %s [%s] -> gid %d [%s] (%s)", __func__, name, |
646 | 0 | key.registry, item->d.gr ? (int)item->d.gr->gr_gid : -1, |
647 | 0 | item->registry, node ? "cache hit" : "cached"); |
648 | 0 | } |
649 | 0 | if (item->d.gr != NULL) |
650 | 0 | item->refcnt++; |
651 | 0 | debug_return_ptr(item->d.gr); |
652 | 0 | } |
653 | | |
654 | | /* |
655 | | * Take a group name, ID, members and return a faked up group struct. |
656 | | */ |
657 | | struct group * |
658 | | sudo_mkgrent(const char *group, gid_t gid, ...) |
659 | 0 | { |
660 | 0 | struct cache_item_gr *gritem; |
661 | 0 | struct cache_item *item; |
662 | 0 | struct group *gr; |
663 | 0 | size_t nmem, nsize, total; |
664 | 0 | char *cp, *mem; |
665 | 0 | va_list ap; |
666 | 0 | unsigned int i; |
667 | 0 | debug_decl(sudo_mkgrent, SUDOERS_DEBUG_NSS); |
668 | |
|
669 | 0 | if (grcache_bygid == NULL) |
670 | 0 | grcache_bygid = rbcreate(cmp_grgid); |
671 | 0 | if (grcache_byname == NULL) |
672 | 0 | grcache_byname = rbcreate(cmp_grnam); |
673 | 0 | if (grcache_bygid == NULL || grcache_byname == NULL) { |
674 | 0 | sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory")); |
675 | 0 | debug_return_ptr(NULL); |
676 | 0 | } |
677 | | |
678 | | /* Allocate in one big chunk for easy freeing. */ |
679 | 0 | nsize = strlen(group) + 1; |
680 | 0 | total = sizeof(*gritem) + nsize; |
681 | 0 | va_start(ap, gid); |
682 | 0 | for (nmem = 1; (mem = va_arg(ap, char *)) != NULL; nmem++) { |
683 | 0 | total += strlen(mem) + 1; |
684 | 0 | } |
685 | 0 | va_end(ap); |
686 | 0 | total += sizeof(char *) * nmem; |
687 | |
|
688 | 0 | for (i = 0; i < 2; i++) { |
689 | 0 | struct rbtree *grcache; |
690 | 0 | struct rbnode *node; |
691 | | |
692 | | /* |
693 | | * Fill in group contents and make strings relative to space |
694 | | * at the end of the buffer. Note that gr_mem must come |
695 | | * immediately after struct group to guarantee proper alignment. |
696 | | */ |
697 | 0 | gritem = calloc(1, total); |
698 | 0 | if (gritem == NULL) { |
699 | 0 | sudo_warn(U_("unable to cache group %s"), group); |
700 | 0 | debug_return_ptr(NULL); |
701 | 0 | } |
702 | 0 | gr = &gritem->gr; |
703 | 0 | gr->gr_gid = gid; |
704 | 0 | gr->gr_passwd = (char *)"*"; |
705 | 0 | cp = (char *)(gritem + 1); |
706 | 0 | gr->gr_mem = (char **)cp; |
707 | 0 | cp += sizeof(char *) * nmem; |
708 | 0 | va_start(ap, gid); |
709 | 0 | for (nmem = 0; (mem = va_arg(ap, char *)) != NULL; nmem++) { |
710 | 0 | size_t len = strlen(mem) + 1; |
711 | 0 | memcpy(cp, mem, len); |
712 | 0 | gr->gr_mem[nmem] = cp; |
713 | 0 | cp += len; |
714 | 0 | } |
715 | 0 | va_end(ap); |
716 | 0 | gr->gr_mem[nmem] = NULL; |
717 | 0 | gr->gr_name = cp; |
718 | 0 | memcpy(gr->gr_name, group, nsize); |
719 | |
|
720 | 0 | item = &gritem->cache; |
721 | 0 | item->refcnt = 1; |
722 | 0 | item->d.gr = gr; |
723 | 0 | if (i == 0) { |
724 | | /* Store by gid if it doesn't already exist. */ |
725 | 0 | item->k.gid = gr->gr_gid; |
726 | 0 | grcache = grcache_bygid; |
727 | 0 | } else { |
728 | | /* Store by name, overwriting cached version. */ |
729 | 0 | gritem->cache.k.name = gr->gr_name; |
730 | 0 | grcache = grcache_byname; |
731 | 0 | } |
732 | 0 | getauthregistry(NULL, item->registry); |
733 | 0 | switch (rbinsert(grcache, item, &node)) { |
734 | 0 | case 1: |
735 | | /* Already exists. */ |
736 | 0 | item = node->data; |
737 | 0 | if (item->d.gr == NULL) { |
738 | | /* Negative cache entry, replace with ours. */ |
739 | 0 | sudo_gr_delref_item(item); |
740 | 0 | item = node->data = &gritem->cache; |
741 | 0 | } else { |
742 | | /* Good entry, discard our fake one. */ |
743 | 0 | free(gritem); |
744 | 0 | } |
745 | 0 | break; |
746 | 0 | case -1: |
747 | | /* can't cache item, just return it */ |
748 | 0 | sudo_warn(U_("unable to cache group %s"), group); |
749 | 0 | item->refcnt = 0; |
750 | 0 | break; |
751 | 0 | } |
752 | 0 | } |
753 | 0 | if (item->d.gr != NULL) |
754 | 0 | item->refcnt++; |
755 | 0 | debug_return_ptr(item->d.gr); |
756 | 0 | } |
757 | | |
758 | | /* |
759 | | * Take a gid in string form "#123" and return a faked up group struct. |
760 | | */ |
761 | | struct group * |
762 | | sudo_fakegrnam(const char *group) |
763 | 0 | { |
764 | 0 | const char *errstr; |
765 | 0 | gid_t gid; |
766 | 0 | debug_decl(sudo_fakegrnam, SUDOERS_DEBUG_NSS); |
767 | |
|
768 | 0 | gid = (gid_t) sudo_strtoid(group + 1, &errstr); |
769 | 0 | if (errstr != NULL) { |
770 | 0 | sudo_debug_printf(SUDO_DEBUG_DIAG|SUDO_DEBUG_LINENO, |
771 | 0 | "gid %s %s", group, errstr); |
772 | 0 | debug_return_ptr(NULL); |
773 | 0 | } |
774 | | |
775 | 0 | debug_return_ptr(sudo_mkgrent(group, gid, (char *)NULL)); |
776 | 0 | } |
777 | | |
778 | | void |
779 | | sudo_gidlist_addref(struct gid_list *gidlist) |
780 | 0 | { |
781 | 0 | debug_decl(sudo_gidlist_addref, SUDOERS_DEBUG_NSS); |
782 | 0 | ptr_to_item(gidlist)->refcnt++; |
783 | 0 | debug_return; |
784 | 0 | } |
785 | | |
786 | | static void |
787 | | sudo_gidlist_delref_item(void *v) |
788 | 0 | { |
789 | 0 | struct cache_item *item = v; |
790 | 0 | debug_decl(sudo_gidlist_delref_item, SUDOERS_DEBUG_NSS); |
791 | |
|
792 | 0 | if (--item->refcnt == 0) |
793 | 0 | free(item); |
794 | |
|
795 | 0 | debug_return; |
796 | 0 | } |
797 | | |
798 | | void |
799 | | sudo_gidlist_delref(struct gid_list *gidlist) |
800 | 0 | { |
801 | 0 | debug_decl(sudo_gidlist_delref, SUDOERS_DEBUG_NSS); |
802 | 0 | sudo_gidlist_delref_item(ptr_to_item(gidlist)); |
803 | 0 | debug_return; |
804 | 0 | } |
805 | | |
806 | | void |
807 | | sudo_grlist_addref(struct group_list *grlist) |
808 | 0 | { |
809 | 0 | debug_decl(sudo_grlist_addref, SUDOERS_DEBUG_NSS); |
810 | 0 | ptr_to_item(grlist)->refcnt++; |
811 | 0 | debug_return; |
812 | 0 | } |
813 | | |
814 | | static void |
815 | | sudo_grlist_delref_item(void *v) |
816 | 0 | { |
817 | 0 | struct cache_item *item = v; |
818 | 0 | debug_decl(sudo_grlist_delref_item, SUDOERS_DEBUG_NSS); |
819 | |
|
820 | 0 | if (--item->refcnt == 0) |
821 | 0 | free(item); |
822 | |
|
823 | 0 | debug_return; |
824 | 0 | } |
825 | | |
826 | | void |
827 | | sudo_grlist_delref(struct group_list *grlist) |
828 | 0 | { |
829 | 0 | debug_decl(sudo_grlist_delref, SUDOERS_DEBUG_NSS); |
830 | 0 | sudo_grlist_delref_item(ptr_to_item(grlist)); |
831 | 0 | debug_return; |
832 | 0 | } |
833 | | |
834 | | void |
835 | | sudo_freegrcache(void) |
836 | 0 | { |
837 | 0 | debug_decl(sudo_freegrcache, SUDOERS_DEBUG_NSS); |
838 | |
|
839 | 0 | if (grcache_bygid != NULL) { |
840 | 0 | rbdestroy(grcache_bygid, sudo_gr_delref_item); |
841 | 0 | grcache_bygid = NULL; |
842 | 0 | } |
843 | 0 | if (grcache_byname != NULL) { |
844 | 0 | rbdestroy(grcache_byname, sudo_gr_delref_item); |
845 | 0 | grcache_byname = NULL; |
846 | 0 | } |
847 | 0 | if (grlist_cache != NULL) { |
848 | 0 | rbdestroy(grlist_cache, sudo_grlist_delref_item); |
849 | 0 | grlist_cache = NULL; |
850 | 0 | } |
851 | 0 | if (gidlist_cache != NULL) { |
852 | 0 | rbdestroy(gidlist_cache, sudo_gidlist_delref_item); |
853 | 0 | gidlist_cache = NULL; |
854 | 0 | } |
855 | |
|
856 | 0 | debug_return; |
857 | 0 | } |
858 | | |
859 | | struct group_list * |
860 | | sudo_get_grlist(const struct passwd *pw) |
861 | 0 | { |
862 | 0 | struct cache_item key, *item; |
863 | 0 | struct rbnode *node; |
864 | 0 | debug_decl(sudo_get_grlist, SUDOERS_DEBUG_NSS); |
865 | |
|
866 | 0 | sudo_debug_printf(SUDO_DEBUG_DEBUG, "%s: looking up group names for %s", |
867 | 0 | __func__, pw->pw_name); |
868 | |
|
869 | 0 | if (grlist_cache == NULL) { |
870 | 0 | grlist_cache = rbcreate(cmp_pwnam); |
871 | 0 | if (grlist_cache == NULL) { |
872 | 0 | sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory")); |
873 | 0 | debug_return_ptr(NULL); |
874 | 0 | } |
875 | 0 | } |
876 | | |
877 | 0 | key.k.name = pw->pw_name; |
878 | 0 | getauthregistry(pw->pw_name, key.registry); |
879 | 0 | if ((node = rbfind(grlist_cache, &key)) != NULL) { |
880 | 0 | item = node->data; |
881 | 0 | goto done; |
882 | 0 | } |
883 | | /* |
884 | | * Cache group db entry if it exists or a negative response if not. |
885 | | */ |
886 | 0 | item = make_grlist_item(pw, NULL); |
887 | 0 | if (item == NULL) { |
888 | | /* Out of memory? */ |
889 | 0 | debug_return_ptr(NULL); |
890 | 0 | } |
891 | 0 | strlcpy(item->registry, key.registry, sizeof(item->registry)); |
892 | 0 | switch (rbinsert(grlist_cache, item, NULL)) { |
893 | 0 | case 1: |
894 | | /* should not happen */ |
895 | 0 | sudo_warnx(U_("unable to cache group list for %s, already exists"), |
896 | 0 | pw->pw_name); |
897 | 0 | item->refcnt = 0; |
898 | 0 | break; |
899 | 0 | case -1: |
900 | | /* can't cache item, just return it */ |
901 | 0 | sudo_warn(U_("unable to cache group list for %s"), pw->pw_name); |
902 | 0 | item->refcnt = 0; |
903 | 0 | break; |
904 | 0 | } |
905 | 0 | if (item->d.grlist != NULL) { |
906 | 0 | int i; |
907 | 0 | for (i = 0; i < item->d.grlist->ngroups; i++) { |
908 | 0 | sudo_debug_printf(SUDO_DEBUG_DEBUG, |
909 | 0 | "%s: user %s is a member of group %s", __func__, |
910 | 0 | pw->pw_name, item->d.grlist->groups[i]); |
911 | 0 | } |
912 | 0 | } |
913 | 0 | done: |
914 | 0 | if (item->d.grlist != NULL) |
915 | 0 | item->refcnt++; |
916 | 0 | debug_return_ptr(item->d.grlist); |
917 | 0 | } |
918 | | |
919 | | static void |
920 | | sudo_debug_group_list(const char *user, char * const *groups, |
921 | | unsigned int level) |
922 | 0 | { |
923 | 0 | size_t i, len = 0; |
924 | 0 | debug_decl(sudo_debug_group_list, SUDOERS_DEBUG_NSS); |
925 | |
|
926 | 0 | if (groups == NULL || !sudo_debug_needed(level)) |
927 | 0 | debug_return; |
928 | | |
929 | 0 | for (i = 0; groups[i] != NULL; i++) { |
930 | 0 | len += strlen(groups[i]) + 1; |
931 | 0 | } |
932 | 0 | if (len != 0) { |
933 | 0 | char *groupstr = malloc(len); |
934 | 0 | if (groupstr != NULL) { |
935 | 0 | char *cp = groupstr; |
936 | 0 | for (i = 0; groups[i] != NULL; i++) { |
937 | 0 | size_t n = (size_t)snprintf(cp, len, "%s%s", i ? "," : "", |
938 | 0 | groups[i]); |
939 | 0 | if (n >= len) |
940 | 0 | break; |
941 | 0 | cp += n; |
942 | 0 | len -= n; |
943 | 0 | } |
944 | 0 | sudo_debug_printf(level, "%s: %s", user, groupstr); |
945 | 0 | free(groupstr); |
946 | 0 | } |
947 | 0 | } |
948 | 0 | debug_return; |
949 | 0 | } |
950 | | |
951 | | int |
952 | | sudo_set_grlist(struct passwd *pw, char * const *groups) |
953 | 0 | { |
954 | 0 | struct cache_item key, *item; |
955 | 0 | debug_decl(sudo_set_grlist, SUDOERS_DEBUG_NSS); |
956 | |
|
957 | 0 | sudo_debug_printf(SUDO_DEBUG_DEBUG, "%s: setting group names for %s", |
958 | 0 | __func__, pw->pw_name); |
959 | |
|
960 | 0 | sudo_debug_group_list(pw->pw_name, groups, SUDO_DEBUG_DEBUG); |
961 | |
|
962 | 0 | if (grlist_cache == NULL) { |
963 | 0 | grlist_cache = rbcreate(cmp_pwnam); |
964 | 0 | if (grlist_cache == NULL) { |
965 | 0 | sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory")); |
966 | 0 | debug_return_int(-1); |
967 | 0 | } |
968 | 0 | } |
969 | | |
970 | | /* |
971 | | * Cache group db entry if it doesn't already exist |
972 | | */ |
973 | 0 | key.k.name = pw->pw_name; |
974 | 0 | getauthregistry(pw->pw_name, key.registry); |
975 | 0 | if (rbfind(grlist_cache, &key) == NULL) { |
976 | 0 | if ((item = make_grlist_item(pw, groups)) == NULL) { |
977 | 0 | sudo_warnx(U_("unable to parse groups for %s"), pw->pw_name); |
978 | 0 | debug_return_int(-1); |
979 | 0 | } |
980 | 0 | strlcpy(item->registry, key.registry, sizeof(item->registry)); |
981 | 0 | switch (rbinsert(grlist_cache, item, NULL)) { |
982 | 0 | case 1: |
983 | 0 | sudo_warnx(U_("unable to cache group list for %s, already exists"), |
984 | 0 | pw->pw_name); |
985 | 0 | sudo_grlist_delref_item(item); |
986 | 0 | break; |
987 | 0 | case -1: |
988 | 0 | sudo_warn(U_("unable to cache group list for %s"), pw->pw_name); |
989 | 0 | sudo_grlist_delref_item(item); |
990 | 0 | debug_return_int(-1); |
991 | 0 | } |
992 | 0 | } else { |
993 | 0 | sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO, |
994 | 0 | "groups for user %s are already cached", pw->pw_name); |
995 | 0 | } |
996 | | |
997 | 0 | debug_return_int(0); |
998 | 0 | } |
999 | | |
1000 | | struct gid_list * |
1001 | | sudo_get_gidlist(const struct passwd *pw, unsigned int type) |
1002 | 0 | { |
1003 | 0 | struct cache_item key, *item; |
1004 | 0 | struct rbnode *node; |
1005 | 0 | debug_decl(sudo_get_gidlist, SUDOERS_DEBUG_NSS); |
1006 | |
|
1007 | 0 | sudo_debug_printf(SUDO_DEBUG_DEBUG, "%s: looking up group-IDs for %s", |
1008 | 0 | __func__, pw->pw_name); |
1009 | |
|
1010 | 0 | if (gidlist_cache == NULL) { |
1011 | 0 | gidlist_cache = rbcreate(cmp_gidlist); |
1012 | 0 | if (gidlist_cache == NULL) { |
1013 | 0 | sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory")); |
1014 | 0 | debug_return_ptr(NULL); |
1015 | 0 | } |
1016 | 0 | } |
1017 | | |
1018 | 0 | key.k.name = pw->pw_name; |
1019 | 0 | key.type = type; |
1020 | 0 | getauthregistry(pw->pw_name, key.registry); |
1021 | 0 | if ((node = rbfind(gidlist_cache, &key)) != NULL) { |
1022 | 0 | item = node->data; |
1023 | 0 | goto done; |
1024 | 0 | } |
1025 | | /* |
1026 | | * Cache group db entry if it exists or a negative response if not. |
1027 | | */ |
1028 | 0 | item = make_gidlist_item(pw, -1, NULL, NULL, type); |
1029 | 0 | if (item == NULL) { |
1030 | | /* Out of memory? */ |
1031 | 0 | debug_return_ptr(NULL); |
1032 | 0 | } |
1033 | 0 | strlcpy(item->registry, key.registry, sizeof(item->registry)); |
1034 | 0 | switch (rbinsert(gidlist_cache, item, NULL)) { |
1035 | 0 | case 1: |
1036 | | /* should not happen */ |
1037 | 0 | sudo_warnx(U_("unable to cache group list for %s, already exists"), |
1038 | 0 | pw->pw_name); |
1039 | 0 | item->refcnt = 0; |
1040 | 0 | break; |
1041 | 0 | case -1: |
1042 | | /* can't cache item, just return it */ |
1043 | 0 | sudo_warn(U_("unable to cache group list for %s"), pw->pw_name); |
1044 | 0 | item->refcnt = 0; |
1045 | 0 | break; |
1046 | 0 | } |
1047 | 0 | if (item->d.gidlist != NULL) { |
1048 | 0 | int i; |
1049 | 0 | for (i = 0; i < item->d.gidlist->ngids; i++) { |
1050 | 0 | sudo_debug_printf(SUDO_DEBUG_DEBUG, |
1051 | 0 | "%s: user %s has supplementary gid %u", __func__, |
1052 | 0 | pw->pw_name, (unsigned int)item->d.gidlist->gids[i]); |
1053 | 0 | } |
1054 | 0 | } |
1055 | 0 | done: |
1056 | 0 | if (item->d.gidlist != NULL) |
1057 | 0 | item->refcnt++; |
1058 | 0 | debug_return_ptr(item->d.gidlist); |
1059 | 0 | } |
1060 | | |
1061 | | int |
1062 | | sudo_set_gidlist(struct passwd *pw, int ngids, GETGROUPS_T *gids, |
1063 | | char * const *gidstrs, unsigned int type) |
1064 | 0 | { |
1065 | 0 | struct cache_item key, *item; |
1066 | 0 | debug_decl(sudo_set_gidlist, SUDOERS_DEBUG_NSS); |
1067 | |
|
1068 | 0 | sudo_debug_printf(SUDO_DEBUG_DEBUG, "%s: setting group-IDs for %s", |
1069 | 0 | __func__, pw->pw_name); |
1070 | | |
1071 | | /* XXX - ngids/gids too */ |
1072 | 0 | sudo_debug_group_list(pw->pw_name, gidstrs, SUDO_DEBUG_DEBUG); |
1073 | |
|
1074 | 0 | if (gidlist_cache == NULL) { |
1075 | 0 | gidlist_cache = rbcreate(cmp_gidlist); |
1076 | 0 | if (gidlist_cache == NULL) { |
1077 | 0 | sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory")); |
1078 | 0 | debug_return_int(-1); |
1079 | 0 | } |
1080 | 0 | } |
1081 | | |
1082 | | /* |
1083 | | * Cache group db entry if it doesn't already exist |
1084 | | */ |
1085 | 0 | key.k.name = pw->pw_name; |
1086 | 0 | key.type = type; |
1087 | 0 | getauthregistry(pw->pw_name, key.registry); |
1088 | 0 | if (rbfind(gidlist_cache, &key) == NULL) { |
1089 | 0 | if ((item = make_gidlist_item(pw, ngids, gids, gidstrs, type)) == NULL) { |
1090 | 0 | sudo_warnx(U_("unable to parse gids for %s"), pw->pw_name); |
1091 | 0 | debug_return_int(-1); |
1092 | 0 | } |
1093 | 0 | strlcpy(item->registry, key.registry, sizeof(item->registry)); |
1094 | 0 | switch (rbinsert(gidlist_cache, item, NULL)) { |
1095 | 0 | case 1: |
1096 | 0 | sudo_warnx(U_("unable to cache group list for %s, already exists"), |
1097 | 0 | pw->pw_name); |
1098 | 0 | sudo_gidlist_delref_item(item); |
1099 | 0 | break; |
1100 | 0 | case -1: |
1101 | 0 | sudo_warn(U_("unable to cache group list for %s"), pw->pw_name); |
1102 | 0 | sudo_gidlist_delref_item(item); |
1103 | 0 | debug_return_int(-1); |
1104 | 0 | } |
1105 | 0 | } else { |
1106 | 0 | sudo_debug_printf(SUDO_DEBUG_WARN|SUDO_DEBUG_LINENO, |
1107 | 0 | "gids for user %s are already cached", pw->pw_name); |
1108 | 0 | } |
1109 | | |
1110 | 0 | debug_return_int(0); |
1111 | 0 | } |
1112 | | |
1113 | | bool |
1114 | | user_in_group(const struct passwd *pw, const char *group) |
1115 | 0 | { |
1116 | 0 | struct group_list *grlist = NULL; |
1117 | 0 | struct gid_list *gidlist = NULL; |
1118 | 0 | struct group *grp = NULL; |
1119 | 0 | bool matched = false; |
1120 | 0 | int i; |
1121 | 0 | debug_decl(user_in_group, SUDOERS_DEBUG_NSS); |
1122 | | |
1123 | | /* |
1124 | | * If it could be a sudo-style group-ID check gids first. |
1125 | | */ |
1126 | 0 | if (group[0] == '#') { |
1127 | 0 | const char *errstr; |
1128 | 0 | gid_t gid = (gid_t) sudo_strtoid(group + 1, &errstr); |
1129 | 0 | if (errstr != NULL) { |
1130 | 0 | sudo_debug_printf(SUDO_DEBUG_DIAG|SUDO_DEBUG_LINENO, |
1131 | 0 | "gid %s %s", group, errstr); |
1132 | 0 | } else { |
1133 | 0 | if (gid == pw->pw_gid) { |
1134 | 0 | matched = true; |
1135 | 0 | goto done; |
1136 | 0 | } |
1137 | 0 | if ((gidlist = sudo_get_gidlist(pw, ENTRY_TYPE_ANY)) != NULL) { |
1138 | 0 | for (i = 0; i < gidlist->ngids; i++) { |
1139 | 0 | if (gid == gidlist->gids[i]) { |
1140 | 0 | matched = true; |
1141 | 0 | goto done; |
1142 | 0 | } |
1143 | 0 | } |
1144 | 0 | } |
1145 | 0 | } |
1146 | 0 | } |
1147 | | |
1148 | | /* |
1149 | | * Next match the group name. By default, sudoers resolves all the user's |
1150 | | * group-IDs to names and matches by name. If match_group_by_gid is |
1151 | | * set, each group is sudoers is resolved and matching is by group-ID. |
1152 | | */ |
1153 | 0 | if (def_match_group_by_gid) { |
1154 | 0 | gid_t gid; |
1155 | | |
1156 | | /* Look up the ID of the group in sudoers. */ |
1157 | 0 | if ((grp = sudo_getgrnam(group)) == NULL) |
1158 | 0 | goto done; |
1159 | 0 | gid = grp->gr_gid; |
1160 | | |
1161 | | /* Check against user's primary (passwd file) group-ID. */ |
1162 | 0 | if (gid == pw->pw_gid) { |
1163 | 0 | matched = true; |
1164 | 0 | goto done; |
1165 | 0 | } |
1166 | | |
1167 | | /* Check the supplementary group vector. */ |
1168 | 0 | if (gidlist == NULL) { |
1169 | 0 | if ((gidlist = sudo_get_gidlist(pw, ENTRY_TYPE_ANY)) != NULL) { |
1170 | 0 | for (i = 0; i < gidlist->ngids; i++) { |
1171 | 0 | if (gid == gidlist->gids[i]) { |
1172 | 0 | matched = true; |
1173 | 0 | goto done; |
1174 | 0 | } |
1175 | 0 | } |
1176 | 0 | } |
1177 | 0 | } |
1178 | 0 | } else if ((grlist = sudo_get_grlist(pw)) != NULL) { |
1179 | 0 | int (*compare)(const char *, const char *); |
1180 | 0 | if (def_case_insensitive_group) |
1181 | 0 | compare = strcasecmp; |
1182 | 0 | else |
1183 | 0 | compare = strcmp; |
1184 | | |
1185 | | /* Check the user's group vector, which includes the primary group. */ |
1186 | 0 | for (i = 0; i < grlist->ngroups; i++) { |
1187 | 0 | if (compare(group, grlist->groups[i]) == 0) { |
1188 | 0 | matched = true; |
1189 | 0 | goto done; |
1190 | 0 | } |
1191 | 0 | } |
1192 | 0 | } |
1193 | | |
1194 | 0 | done: |
1195 | 0 | if (grp != NULL) |
1196 | 0 | sudo_gr_delref(grp); |
1197 | 0 | if (grlist != NULL) |
1198 | 0 | sudo_grlist_delref(grlist); |
1199 | 0 | if (gidlist != NULL) |
1200 | 0 | sudo_gidlist_delref(gidlist); |
1201 | |
|
1202 | 0 | sudo_debug_printf(SUDO_DEBUG_DEBUG, "%s: user %s %sin group %s", |
1203 | 0 | __func__, pw->pw_name, matched ? "" : "NOT ", group); |
1204 | 0 | debug_return_bool(matched); |
1205 | 0 | } |
1206 | | |
1207 | | /* |
1208 | | * Returns true if the user's shell is considered to be valid. |
1209 | | */ |
1210 | | bool |
1211 | | user_shell_valid(const struct passwd *pw) |
1212 | 0 | { |
1213 | 0 | debug_decl(user_shell_valid, SUDOERS_DEBUG_NSS); |
1214 | |
|
1215 | 0 | if (!def_runas_check_shell) |
1216 | 0 | debug_return_bool(true); |
1217 | | |
1218 | 0 | debug_return_bool(valid_shell(pw->pw_shell)); |
1219 | 0 | } |