#ifndef SUDOERS_PARSE_H
#define SUDOERS_PARSE_H
#include <string.h>
#include "sudo_queue.h"
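/*
 * Characters ':' '\' ',' '=' '#' '"' — presumably the set that must be
 * backslash-escaped when a sudoers name is formatted back out; confirm
 * against the sudoers_format_*() callers.
 */
#define SUDOERS_QUOTED ":\\,=#\""

/*
 * Return true if s contains a glob metacharacter: backslash, '?', '*',
 * '[' or ']'.
 *
 * A static inline function instead of the former function-like macro so
 * the argument is type-checked and evaluated exactly once; call sites
 * are unchanged.  NOTE(review): presumably used to decide whether a
 * command path in sudoers is matched by pattern rather than by literal
 * comparison, which widens what a rule permits — confirm against the
 * caller.
 *
 * @param s  NUL-terminated string to scan; must not be NULL.
 * @return   true if any metacharacter is present, false otherwise.
 */
static inline bool
has_meta(const char *s)
{
    return strpbrk(s, "\\?*[]") != NULL;
}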
/*
 * Tag values stored in the struct cmndtag bit-fields below; the
 * int-returning *_matches() functions presumably return the same
 * ALLOW/DENY/UNSPEC values — confirm against their definitions.
 * Each name is #undef'd first so a same-named definition pulled in from
 * another header cannot trigger a redefinition error.
 * All four values fit in a 3-bit signed bit-field (range -4..3).
 */
#undef UNSPEC
/* Tag not specified in sudoers. */
#define UNSPEC -1
#undef DENY
#define DENY 0
#undef ALLOW
#define ALLOW 1
#undef IMPLIED
/* Value was implied rather than written; TAG_SET() treats it as unset. */
#define IMPLIED 2
/*
 * Reset every field of the struct cmndtag t to UNSPEC.
 * Kept as a macro (not a function) because it assigns through the
 * lvalue t; the do/while(0) wrapper makes it safe as a statement.
 */
#define TAGS_INIT(t) do { \
(t).follow = UNSPEC; \
(t).log_input = UNSPEC; \
(t).log_output = UNSPEC; \
(t).noexec = UNSPEC; \
(t).nopasswd = UNSPEC; \
(t).send_mail = UNSPEC; \
(t).setenv = UNSPEC; \
} while (0)
/*
 * Merge the tags in t2 into t.  Every tag that is not UNSPEC in t2
 * overrides the corresponding tag in t; UNSPEC entries in t2 leave t
 * untouched.  Note that an IMPLIED value in t2 does override t, since
 * the test is only against UNSPEC.
 */
#define TAGS_MERGE(t, t2) do { \
if ((t2).follow != UNSPEC) \
(t).follow = (t2).follow; \
if ((t2).log_input != UNSPEC) \
(t).log_input = (t2).log_input; \
if ((t2).log_output != UNSPEC) \
(t).log_output = (t2).log_output; \
if ((t2).noexec != UNSPEC) \
(t).noexec = (t2).noexec; \
if ((t2).nopasswd != UNSPEC) \
(t).nopasswd = (t2).nopasswd; \
if ((t2).send_mail != UNSPEC) \
(t).send_mail = (t2).send_mail; \
if ((t2).setenv != UNSPEC) \
(t).setenv = (t2).setenv; \
} while (0)
/*
 * True if any tag in t is not UNSPEC.  Unlike TAG_SET(), an IMPLIED
 * value counts as set here.
 */
#define TAGS_SET(t) \
((t).follow != UNSPEC || (t).log_input != UNSPEC || \
(t).log_output != UNSPEC || (t).noexec != UNSPEC || \
(t).nopasswd != UNSPEC || (t).send_mail != UNSPEC || \
(t).setenv != UNSPEC)
/*
 * True if a single tag value tt was explicitly set, i.e. it is neither
 * UNSPEC nor IMPLIED.
 */
#define TAG_SET(tt) \
((tt) != UNSPEC && (tt) != IMPLIED)
/*
 * True if any tag that is explicitly set (TAG_SET) in nt differs from
 * the same tag in ot.  Tags that are UNSPEC or IMPLIED in nt never
 * count as a change.  Presumably used when formatting consecutive
 * command specs to decide whether the tags must be re-emitted —
 * confirm against sudoers_format_cmndspec().
 */
#define TAGS_CHANGED(ot, nt) \
((TAG_SET((nt).follow) && (nt).follow != (ot).follow) || \
(TAG_SET((nt).log_input) && (nt).log_input != (ot).log_input) || \
(TAG_SET((nt).log_output) && (nt).log_output != (ot).log_output) || \
(TAG_SET((nt).noexec) && (nt).noexec != (ot).noexec) || \
(TAG_SET((nt).nopasswd) && (nt).nopasswd != (ot).nopasswd) || \
(TAG_SET((nt).setenv) && (nt).setenv != (ot).setenv) || \
(TAG_SET((nt).send_mail) && (nt).send_mail != (ot).send_mail))
/*
 * True if the two struct cmndspec pointers cs1 and cs2 refer to different
 * run-as user or group lists.  This compares the list *pointers*, not
 * their contents: two specs with equal but separately allocated lists
 * are reported as changed.
 */
#define RUNAS_CHANGED(cs1, cs2) \
((cs1)->runasuserlist != (cs2)->runasuserlist || \
(cs1)->runasgrouplist != (cs2)->runasgrouplist)
/*
 * A digest attached to a command in sudoers: the digest algorithm and
 * the digest value as a string.  Which encoding the string uses (hex
 * vs. base64) is not fixed here — see hexchar() and base64_decode().
 */
struct command_digest {
unsigned int digest_type;	/* digest algorithm; see digest_type_to_name() */
char *digest_str;		/* digest value as a string */
};
/*
 * A command as written in sudoers: path, arguments and an optional
 * digest.  Ownership of the strings and of digest is not visible here;
 * presumably owned by the containing struct member — confirm.
 */
struct sudo_command {
char *cmnd;				/* command path */
char *args;				/* command arguments; presumably NULL if none */
struct command_digest *digest;		/* presumably NULL when no digest was given */
};
/*
 * Per-command tags (the sudoers NOPASSWD, NOEXEC, SETENV, LOG_INPUT,
 * LOG_OUTPUT, MAIL and FOLLOW tags).  Each field holds UNSPEC, DENY,
 * ALLOW or IMPLIED.  The bit-fields are declared explicitly signed
 * because the signedness of a plain "int" bit-field is
 * implementation-defined and UNSPEC is negative; 3 bits give -4..3.
 * Manipulate with the TAGS_*() / TAG_SET() macros above.
 */
struct cmndtag {
signed int nopasswd: 3;
signed int noexec: 3;
signed int setenv: 3;
signed int log_input: 3;
signed int log_output: 3;
signed int send_mail: 3;
signed int follow: 3;
};
/*
 * Options that can be attached to a command spec.  These mirror the
 * trailing fields of struct cmndspec (timeout, notbefore, notafter and
 * the SELinux / privilege-set fields), presumably so they can be
 * accumulated while parsing and then copied into a cmndspec — confirm.
 */
struct command_options {
time_t notbefore;			/* command not valid before this time */
time_t notafter;			/* command not valid after this time */
int timeout;				/* command timeout; see parse_timeout() */
#ifdef HAVE_SELINUX
char *role, *type;			/* SELinux role and type */
#endif
#ifdef HAVE_PRIV_SET
char *privs, *limitprivs;		/* privilege set and limit set */
#endif
};
/*
 * List head types for the parse tree (from sudo_queue.h).  All but the
 * comment list are doubly-linked tail queues; comments are a singly-
 * linked tail queue since they are only ever appended and walked
 * forward.
 */
TAILQ_HEAD(defaults_list, defaults);
TAILQ_HEAD(userspec_list, userspec);
TAILQ_HEAD(member_list, member);
TAILQ_HEAD(privilege_list, privilege);
TAILQ_HEAD(cmndspec_list, cmndspec);
STAILQ_HEAD(comment_list, sudoers_comment);
/*
 * One sudoers user specification: the users it applies to and the
 * privileges granted to them, plus the comments associated with it and
 * where it was parsed from.
 */
struct userspec {
TAILQ_ENTRY(userspec) entries;		/* link in struct userspec_list */
struct member_list users;		/* users this spec applies to */
struct privilege_list privileges;	/* privileges granted */
struct comment_list comments;		/* associated comments */
int lineno;				/* line number in file */
char *file;				/* file the spec was parsed from */
};
/*
 * A privilege within a user specification: the hosts it applies to,
 * the command specs it grants, and any Defaults bound to it.
 */
struct privilege {
TAILQ_ENTRY(privilege) entries;		/* link in struct privilege_list */
char *ldap_role;			/* presumably the LDAP role this came from, else NULL — confirm */
struct member_list hostlist;		/* hosts this privilege applies to */
struct cmndspec_list cmndlist;		/* command specs granted */
struct defaults_list defaults;		/* Defaults bound to this privilege */
};
/*
 * A single command spec: which command may be run, as which user/group,
 * with which tags and options.  The run-as lists are pointers and
 * RUNAS_CHANGED() compares them by identity, so consecutive specs that
 * share a run-as list presumably share the same pointer — confirm
 * against the parser.  The trailing option fields mirror struct
 * command_options.
 */
struct cmndspec {
TAILQ_ENTRY(cmndspec) entries;		/* link in struct cmndspec_list */
struct member_list *runasuserlist;	/* run-as users; presumably NULL if unspecified */
struct member_list *runasgrouplist;	/* run-as groups; presumably NULL if unspecified */
struct member *cmnd;			/* the command (or alias) being granted */
struct cmndtag tags;			/* per-command tags */
int timeout;				/* command timeout; see parse_timeout() */
time_t notbefore;			/* command not valid before this time */
time_t notafter;			/* command not valid after this time */
#ifdef HAVE_SELINUX
char *role, *type;			/* SELinux role and type */
#endif
#ifdef HAVE_PRIV_SET
char *privs, *limitprivs;		/* privilege set and limit set */
#endif
};
/*
 * A member of a user, host, run-as or command list.  The meaning of
 * name depends on type (e.g. an alias name vs. a literal user, group
 * or command); the type values themselves are not defined in this
 * header.
 */
struct member {
TAILQ_ENTRY(member) entries;		/* link in struct member_list */
char *name;				/* member name, or presumably a struct sudo_command for commands — confirm */
short type;				/* kind of member */
short negated;				/* presumably nonzero when written with a '!' prefix — confirm */
};
/*
 * Holds a run-as user list and group list together; presumably a
 * helper used while parsing a "(user:group)" run-as specification
 * before it is attached to a cmndspec — confirm against the grammar.
 */
struct runascontainer {
struct member *runasusers;		/* run-as user members */
struct member *runasgroups;		/* run-as group members */
};
/*
 * A comment line retained from the sudoers source, linked into a
 * struct comment_list.
 */
struct sudoers_comment {
STAILQ_ENTRY(sudoers_comment) entries;	/* link in struct comment_list */
char *str;				/* comment text */
};
/*
 * A sudoers alias (User_Alias, Host_Alias, Runas_Alias, Cmnd_Alias)
 * and the members it expands to.  Aliases are stored in the parse
 * tree's red-black tree, keyed presumably by name and type — see
 * alias_get().
 */
struct alias {
char *name;				/* alias name */
unsigned short type;			/* alias type; see alias_type_to_string() */
short used;				/* presumably set by alias_find_used() when referenced — confirm */
int lineno;				/* line number in file */
char *file;				/* file the alias was parsed from */
struct member_list members;		/* members the alias expands to */
};
/*
 * A single Defaults entry: variable, value, operator and, for
 * Defaults@host / Defaults:user / Defaults>runas / Defaults!cmnd forms,
 * the member list it is bound to.  Freed with free_default(), which
 * also returns the binding to the caller.
 */
struct defaults {
TAILQ_ENTRY(defaults) entries;		/* link in struct defaults_list */
char *var;				/* variable name */
char *val;				/* value; presumably NULL for boolean entries — confirm */
struct member_list *binding;		/* list the entry is bound to; shared between entries on one line? — confirm */
char *file;				/* file the entry was parsed from */
short type;				/* kind of binding */
char op;				/* assignment operator ('=', '+=', '-=', '!') — presumably, confirm */
char error;				/* presumably nonzero if the entry failed to parse/apply — confirm */
int lineno;				/* line number in file */
};
/*
 * A parsed sudoers policy: user specs, global Defaults, the alias
 * table, and the host names the policy is being evaluated for.
 * Initialise with init_parse_tree() and release with free_parse_tree().
 */
struct sudoers_parse_tree {
struct userspec_list userspecs;		/* all user specifications */
struct defaults_list defaults;		/* global Defaults entries */
struct rbtree *aliases;			/* alias table; see alloc_aliases() */
const char *shost, *lhost;		/* short and long host name; set by init_parse_tree() */
};
/*
 * Alias table management.
 */
/* Allocate an empty alias table. */
struct rbtree *alloc_aliases(void);
/* Free an alias table and every alias in it. */
void free_aliases(struct rbtree *aliases);
/* True if parse_tree contains no aliases. */
bool no_aliases(struct sudoers_parse_tree *parse_tree);
/*
 * Add an alias to parse_tree.  Returns a const string on failure
 * (presumably an error message, with NULL meaning success — confirm).
 */
const char *alias_add(struct sudoers_parse_tree *parse_tree, char *name, int type, char *file, int lineno, struct member *members);
/* Human-readable name for an alias type. */
const char *alias_type_to_string(int alias_type);
/* Look up an alias by name and type; see also alias_put(). */
struct alias *alias_get(struct sudoers_parse_tree *parse_tree, const char *name, int type);
/* Remove an alias by name and type and return it to the caller. */
struct alias *alias_remove(struct sudoers_parse_tree *parse_tree, char *name, int type);
/* Find the aliases referenced by parse_tree; used_aliases presumably receives them — confirm. */
bool alias_find_used(struct sudoers_parse_tree *parse_tree, struct rbtree *used_aliases);
/* Call func(parse_tree, alias, cookie) for each alias in parse_tree. */
void alias_apply(struct sudoers_parse_tree *parse_tree, int (*func)(struct sudoers_parse_tree *, struct alias *, void *), void *cookie);
/* Free a single struct alias (takes void * so it can be used as a callback). */
void alias_free(void *a);
/* Release an alias obtained from alias_get(). */
void alias_put(struct alias *a);
/* The parse tree of the currently loaded sudoers policy (defined elsewhere). */
extern struct sudoers_parse_tree parsed_policy;
/*
 * Parser setup and parse tree teardown.  The free_*() functions release
 * a node and everything it owns; free_default() hands the binding back
 * to the caller through *binding rather than freeing it.
 */
/* Prepare the parser to read the sudoers file at path; quiet suppresses diagnostics. */
bool init_parser(const char *path, bool quiet);
void free_member(struct member *m);
void free_members(struct member_list *members);
void free_privilege(struct privilege *priv);
void free_userspec(struct userspec *us);
void free_userspecs(struct userspec_list *usl);
/* Free def; its binding list is returned via *binding instead of freed. */
void free_default(struct defaults *def, struct member_list **binding);
void free_defaults(struct defaults_list *defs);
/* Initialise an empty parse tree for the given short and long host names. */
void init_parse_tree(struct sudoers_parse_tree *parse_tree, const char *shost, const char *lhost);
/* Free everything owned by parse_tree. */
void free_parse_tree(struct sudoers_parse_tree *parse_tree);
/* Move the parsed contents into new_tree (presumably from parsed_policy — confirm). */
void reparent_parse_tree(struct sudoers_parse_tree *new_tree);
/*
 * Matching primitives.  The bool functions compare one sudoers entry
 * against one concrete value; the int functions walk a member or
 * member list and presumably return ALLOW, DENY or UNSPEC — confirm.
 */
/* True if the host's network address matches the address/netmask in n. */
bool addr_matches(char *n);
/* True if the sudoers command, args and optional digest match the command being run. */
bool command_matches(const char *sudoers_cmnd, const char *sudoers_args, const struct command_digest *digest);
/*
 * True if the file open on fd matches digest.  Taking an open fd rather
 * than only a path lets the caller hash the same file object it holds,
 * which presumably guards against a check-vs-use race — confirm against
 * the caller.
 */
bool digest_matches(int fd, const char *file, const struct command_digest *digest);
struct group;
struct passwd;
bool group_matches(const char *sudoers_group, const struct group *gr);
bool hostname_matches(const char *shost, const char *lhost, const char *pattern);
bool netgr_matches(const char *netgr, const char *lhost, const char *shost, const char *user);
bool usergr_matches(const char *group, const char *user, const struct passwd *pw);
bool userpw_matches(const char *sudoers_user, const char *user, const struct passwd *pw);
int cmnd_matches(struct sudoers_parse_tree *parse_tree, const struct member *m);
int cmndlist_matches(struct sudoers_parse_tree *parse_tree, const struct member_list *list);
int host_matches(struct sudoers_parse_tree *parse_tree, const struct passwd *pw, const char *host, const char *shost, const struct member *m);
int hostlist_matches(struct sudoers_parse_tree *parse_tree, const struct passwd *pw, const struct member_list *list);
/* Match run-as user and group lists; the matching members are returned via the out parameters. */
int runaslist_matches(struct sudoers_parse_tree *parse_tree, const struct member_list *user_list, const struct member_list *group_list, struct member **matching_user, struct member **matching_group);
int user_matches(struct sudoers_parse_tree *parse_tree, const struct passwd *pw, const struct member *m);
int userlist_matches(struct sudoers_parse_tree *parse_tree, const struct passwd *pw, const struct member_list *list);
/* NIS/netgroup domain name, presumably NULL if none — confirm. */
const char *sudo_getdomainname(void);
/* Group list for the run-as user. */
struct gid_list *runas_getgroups(void);
/*
 * Lexer and value-parsing helpers.
 */
void init_lexer(void);
/* Value of the hex digit pair at s; presumably -1 on a non-hex input — confirm. */
int hexchar(const char *s);
/*
 * Decode base64 str into dst, writing at most dsize bytes.  Returns the
 * decoded length; the error return is not visible here (presumably
 * (size_t)-1 — confirm).
 */
size_t base64_decode(const char *str, unsigned char *dst, size_t dsize);
/* Encode in_len bytes of in into out (at most out_len bytes). */
size_t base64_encode(const unsigned char *in, size_t in_len, char *out, size_t out_len);
/* Parse a command timeout string into seconds; error return not visible here. */
int parse_timeout(const char *timestr);
/* Offset of local time from UTC, in seconds, at *clock. */
long get_gmtoff(time_t *clock);
/* Parse a generalized-time string (as used by notbefore/notafter) into a time_t. */
time_t parse_gentime(const char *expstr);
/*
 * Compute the digest of the file open on fd using digest_type; the
 * length is returned via *digest_len.  Ownership of the returned buffer
 * is not visible here (presumably allocated, caller frees — confirm).
 */
unsigned char *sudo_filedigest(int fd, const char *file, int digest_type, size_t *digest_len);
/* Human-readable name for a digest type. */
const char *digest_type_to_name(int digest_type);
/*
 * Policy lookup and display across the configured sudoers sources.
 */
struct sudo_nss_list;
/*
 * Look up pw's privileges for the current command across snl.  The
 * validated flags passed in are presumably combined with the result and
 * returned — confirm.
 */
int sudoers_lookup(struct sudo_nss_list *snl, struct passwd *pw, int validated, int pwflag);
/* Print pw's privileges (sudo -l); verbose selects the long form. */
int display_privs(struct sudo_nss_list *snl, struct passwd *pw, bool verbose);
/* Report whether pw may run the current command (sudo -l command). */
int display_cmnd(struct sudo_nss_list *snl, struct passwd *pw);
/*
 * Parse sudoers-format LDIF from fp into parse_tree; sudoers_base is
 * the LDAP base DN to accept, store_options selects whether sudoOption
 * entries are kept (presumably — confirm).
 */
bool sudoers_parse_ldif(struct sudoers_parse_tree *parse_tree, FILE *fp, const char *sudoers_base, bool store_options);
/*
 * Formatting a parse tree back into sudoers syntax, appending to a
 * struct sudo_lbuf.  expand_aliases replaces alias references with
 * their members.  Each function returns bool, presumably false on a
 * buffer/memory failure — confirm.
 */
struct sudo_lbuf;
/* Format cs; prev_cs and tags let fields unchanged since the previous spec be omitted. */
bool sudoers_format_cmndspec(struct sudo_lbuf *lbuf, struct sudoers_parse_tree *parse_tree, struct cmndspec *cs, struct cmndspec *prev_cs, struct cmndtag tags, bool expand_aliases);
/* Format a single Defaults entry (var, op, val). */
bool sudoers_format_default(struct sudo_lbuf *lbuf, struct defaults *d);
/* Format a whole Defaults line starting at d; *next receives the first entry not consumed. */
bool sudoers_format_default_line(struct sudo_lbuf *lbuf, struct sudoers_parse_tree *parse_tree, struct defaults *d, struct defaults **next, bool expand_aliases);
/* Format one list member; separator is emitted between expanded alias members. */
bool sudoers_format_member(struct sudo_lbuf *lbuf, struct sudoers_parse_tree *parse_tree, struct member *m, const char *separator, int alias_type);
bool sudoers_format_privilege(struct sudo_lbuf *lbuf, struct sudoers_parse_tree *parse_tree, struct privilege *priv, bool expand_aliases);
bool sudoers_format_userspec(struct sudo_lbuf *lbuf, struct sudoers_parse_tree *parse_tree, struct userspec *us, bool expand_aliases);
/* Format every user spec in parse_tree; flush presumably writes the buffer out as it goes — confirm. */
bool sudoers_format_userspecs(struct sudo_lbuf *lbuf, struct sudoers_parse_tree *parse_tree, const char *separator, bool expand_aliases, bool flush);
/*
 * Translate Defaults entries into command tags: a var/val/op triple
 * (or every entry in defs) that corresponds to a tag updates *tags.
 * Returns false presumably when var is not tag-mappable — confirm.
 */
bool sudoers_defaults_to_tags(const char *var, const char *val, int op, struct cmndtag *tags);
bool sudoers_defaults_list_to_tags(struct defaults_list *defs, struct cmndtag *tags);
#endif