1/* 2 * Copyright (c) 1993-1996, 1998-2005, 2007-2010 3 * Todd C. Miller <Todd.Miller@courtesan.com> 4 * 5 * Permission to use, copy, modify, and distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 * 17 * Sponsored in part by the Defense Advanced Research Projects 18 * Agency (DARPA) and Air Force Research Laboratory, Air Force 19 * Materiel Command, USAF, under agreement number F39502-99-1-0512. 20 */ 21 22#ifndef _SUDO_SUDO_H 23#define _SUDO_SUDO_H 24 25#include <pathnames.h> 26#include <limits.h> 27#include "missing.h" 28#include "alloc.h" 29#include "defaults.h" 30#include "error.h" 31#include "list.h" 32#include "logging.h" 33#include "missing.h" 34#include "sudo_nss.h" 35 36#ifdef HAVE_MBR_CHECK_MEMBERSHIP 37# include <membership.h> 38#endif 39 40/* 41 * Info pertaining to the invoking user. 
*/
struct sudo_user {
    struct passwd *pw;          /* passwd entry of the invoking user (user_name, user_uid, ...) */
    struct passwd *_runas_pw;   /* passwd entry of the target user; use the runas_pw macro */
    struct group *_runas_gr;    /* group entry of the target group; use the runas_gr macro */
    struct stat *cmnd_stat;     /* user_stat; presumably filled by find_path()/sudo_goodpath(),
                                   both of which take a struct stat * -- confirm */
    char *path;                 /* user_path; by name, the PATH used to locate the command */
    char *shell;                /* user_shell */
    char *tty;                  /* user_tty */
    char *ttypath;              /* user_ttypath */
    char *host;                 /* user_host */
    char *shost;                /* user_shost; presumably the short (unqualified) host name,
                                   cf. set_fqdn() -- confirm */
    char *prompt;               /* user_prompt */
    char *cmnd;                 /* user_cmnd; the command as requested/resolved for the user */
    char *cmnd_args;            /* user_args */
    char *cmnd_base;            /* user_base; by name, the basename of cmnd */
    char *cmnd_safe;            /* safe_cmnd; by name, the command path as matched in sudoers.
                                   NOTE(review): this, rather than the user-derived cmnd, is
                                   what should reach execve() so a caller-controlled PATH or
                                   argv[0] cannot substitute the binary -- confirm in exec.c */
    char *class_name;           /* login_class */
    char *krb5_ccname;          /* user_ccname; by name, a Kerberos credential cache name */
    char *display;              /* user_display */
    char *askpass;              /* user_askpass; presumably the askpass helper, see TGP_ASKPASS */
    pid_t sid;                  /* user_sid */
    int ngroups;                /* user_ngroups: number of entries in groups */
    GETGROUPS_T *groups;        /* user_groups: supplementary group list, ngroups long */
    struct list_member *env_vars;   /* presumably the VAR=value list consumed by
                                       validate_env_vars()/insert_env_vars() -- confirm */
#ifdef HAVE_SELINUX
    char *role;                 /* user_role */
    char *type;                 /* user_type */
#endif
    char cwd[PATH_MAX];         /* user_cwd: fixed buffer, writers must bound copies at PATH_MAX */
    char sessid[7];             /* six characters plus NUL; presumably the I/O log session id
                                   produced by io_nextid() -- confirm in iolog.c */
#ifdef HAVE_MBR_CHECK_MEMBERSHIP
    uuid_t uuid;                /* user_uuid */
#endif
};

/*
 * Status passed between parent and child via socketpair.
 * `val' is interpreted according to `type'; going by the names it is an
 * errno value, a wait(2) status, a signal number or a pid -- confirm in
 * exec.c, whose sudo_execve() takes a struct command_status *.
 */
struct command_status {
#define CMD_INVALID 0
#define CMD_ERRNO 1
#define CMD_WSTATUS 2
#define CMD_SIGNO 3
#define CMD_PID 4
    int type;
    int val;
};

/*
 * Return values for sudoers_lookup(), also used as arguments for log_auth()
 * Note: cannot use '0' as a value here.
 */
/* XXX - VALIDATE_SUCCESS and VALIDATE_FAILURE instead?
*/
/*
 * Each value below is a single bit, so a lookup result can carry one
 * VALIDATE_* outcome together with any number of FLAG_* qualifiers;
 * that is presumably why 0 is excluded (a zero result would be
 * indistinguishable from "no result").
 */
#define VALIDATE_ERROR          0x001
#define VALIDATE_OK             0x002
#define VALIDATE_NOT_OK         0x004
#define FLAG_CHECK_USER         0x010
#define FLAG_NO_USER            0x020
#define FLAG_NO_HOST            0x040
#define FLAG_NO_CHECK           0x080
#define FLAG_NON_INTERACTIVE    0x100
#define FLAG_BAD_PASSWORD       0x200
#define FLAG_AUTH_ERROR         0x400

/*
 * Pseudo-boolean values
 */
#undef TRUE
#define TRUE    1
#undef FALSE
#define FALSE   0

/*
 * find_path()/load_cmnd() return values
 */
#define FOUND           1
#define NOT_FOUND       0
#define NOT_FOUND_DOT   -1      /* by name, found only via a "." PATH entry -- confirm in find_path.c */

/*
 * Various modes sudo can be in (based on arguments) in hex.
 * The mode proper lives in the low 16 bits (MODE_MASK); the flags that
 * follow occupy the high 16 bits so both fit in one int.
 */
#define MODE_RUN                0x00000001
#define MODE_EDIT               0x00000002
#define MODE_VALIDATE           0x00000004
#define MODE_INVALIDATE         0x00000008
#define MODE_KILL               0x00000010
#define MODE_VERSION            0x00000020
#define MODE_HELP               0x00000040
#define MODE_LIST               0x00000080
#define MODE_CHECK              0x00000100
#define MODE_LISTDEFS           0x00000200
#define MODE_MASK               0x0000ffff

/* Mode flags */
#define MODE_BACKGROUND         0x00010000
#define MODE_SHELL              0x00020000
#define MODE_LOGIN_SHELL        0x00040000
#define MODE_IMPLIED_SHELL      0x00080000
#define MODE_RESET_HOME         0x00100000
#define MODE_PRESERVE_GROUPS    0x00200000
#define MODE_PRESERVE_ENV       0x00400000
#define MODE_NONINTERACTIVE     0x00800000

/*
 * Used with set_perms().
 * PERM_ROOT..PERM_TIMESTAMP are values in the low nibble; PERM_NOEXIT is a
 * flag in the high nibble, which PERM_MASK (0xf0) covers.
 */
#define PERM_ROOT               0x00
#define PERM_USER               0x01
#define PERM_FULL_USER          0x02
#define PERM_SUDOERS            0x03
#define PERM_RUNAS              0x04
#define PERM_FULL_RUNAS         0x05
#define PERM_TIMESTAMP          0x06
#define PERM_NOEXIT             0x10    /* flag */
#define PERM_MASK               0xf0

/*
 * Shortcuts for sudo_user contents.
 */
#define user_name               (sudo_user.pw->pw_name)
/*
 * NOTE(review): pw_passwd from the passwd entry.  On shadow-password
 * systems this is usually only a placeholder; sudo_getepw() in getspwuid.c
 * looks like the intended way to obtain the real hash -- confirm.
 */
#define user_passwd             (sudo_user.pw->pw_passwd)
#define user_uid                (sudo_user.pw->pw_uid)
#define user_uuid               (sudo_user.uuid)        /* field exists only with HAVE_MBR_CHECK_MEMBERSHIP */
#define user_gid                (sudo_user.pw->pw_gid)
#define user_dir                (sudo_user.pw->pw_dir)
#define user_shell              (sudo_user.shell)
#define user_ngroups            (sudo_user.ngroups)
#define user_groups             (sudo_user.groups)
#define user_sid                (sudo_user.sid)
#define user_tty                (sudo_user.tty)
#define user_ttypath            (sudo_user.ttypath)
#define user_cwd                (sudo_user.cwd)
#define user_cmnd               (sudo_user.cmnd)
#define user_args               (sudo_user.cmnd_args)
#define user_base               (sudo_user.cmnd_base)
#define user_stat               (sudo_user.cmnd_stat)
#define user_path               (sudo_user.path)
#define user_prompt             (sudo_user.prompt)
#define user_host               (sudo_user.host)
#define user_shost              (sudo_user.shost)
#define user_ccname             (sudo_user.krb5_ccname)
#define user_display            (sudo_user.display)
#define user_askpass            (sudo_user.askpass)
/* The sudoers-matched path; see the note on cmnd_safe in struct sudo_user. */
#define safe_cmnd               (sudo_user.cmnd_safe)
#define login_class             (sudo_user.class_name)
#define runas_pw                (sudo_user._runas_pw)
#define runas_gr                (sudo_user._runas_gr)
#define user_role               (sudo_user.role)        /* field exists only with HAVE_SELINUX */
#define user_type               (sudo_user.type)        /* field exists only with HAVE_SELINUX */

/* On Tandem/NonStop the superuser id is 65535, not 0. */
#ifdef __TANDEM
# define ROOT_UID       65535
#else
# define ROOT_UID       0
#endif
#define ROOT_GID        0

/*
 * We used to use the system definition of PASS_MAX or _PASSWD_LEN,
 * but that caused problems with various alternate authentication
 * methods.  So, we just define our own and assume that it is >= the
 * system max.
*/
#define SUDO_PASS_MAX   256     /* an assumption, not something enforced here */

/*
 * Flags for lock_file()
 */
#define SUDO_LOCK       1       /* lock a file */
#define SUDO_TLOCK      2       /* test & lock a file (non-blocking) */
#define SUDO_UNLOCK     4       /* unlock a file */

/*
 * Flags for tgetpass()
 */
#define TGP_ECHO        0x01    /* leave echo on when reading passwd */
#define TGP_STDIN       0x02    /* read from stdin, not /dev/tty */
#define TGP_ASKPASS     0x04    /* read from askpass helper program */

/* Opaque/forward declarations so the prototypes below need no extra headers. */
struct lbuf;
struct passwd;
struct stat;
struct timeval;

/* aix.c */
void aix_prep_user __P((char *, char *));
void aix_setauthdb __P((char *user));
void aix_restoreauthdb __P((void));

/* boottime.c */
int get_boottime __P((struct timeval *));

/* check.c */
int check_user __P((int, int));
int user_is_exempt __P((void));
void remove_timestamp __P((int));

/* env.c */
char **env_get __P((void));
void env_init __P((int lazy));
void env_merge __P((char * const envp[], int overwrite));
void init_envtables __P((void));
void insert_env_vars __P((struct list_member *));
void read_env_file __P((const char *, int));
void rebuild_env __P((int));
void validate_env_vars __P((struct list_member *));

/* exec.c */
/* cstat receives the child's status (see struct command_status). */
int sudo_execve __P((const char *path, char *argv[], char *envp[], uid_t uid,
    struct command_status *cstat, int dowait, int bgmode));
void save_signals __P((void));
void restore_signals __P((void));

/* exec_pty.c */
void cleanup_pty __P((int gotsignal));

/* fileops.c */
char *sudo_parseln __P((FILE *));
int lock_file __P((int, int));          /* (fd, SUDO_LOCK|SUDO_TLOCK|SUDO_UNLOCK); first arg presumed to be an fd */
int touch __P((int, char *, struct timeval *));

/* find_path.c */
/* Returns FOUND, NOT_FOUND or NOT_FOUND_DOT. */
int find_path __P((char *, char **, struct stat *, char *, int));

/* getspwuid.c */
/* By name, returns the encrypted password for the given entry -- confirm. */
char *sudo_getepw __P((const struct passwd *));

/* gettime.c */
int gettime __P((struct timeval *));

/* goodpath.c */
int sudo_goodpath __P((const char *, struct stat *));

/* gram.y */
int yyparse __P((void));

/* iolog.c */
int io_log_open __P((void));
int log_stderr __P((const char *buf, unsigned int len));
int log_stdin __P((const char *buf, unsigned int len));
int log_stdout __P((const char *buf, unsigned int len));
int log_ttyin __P((const char *buf, unsigned int len));
int log_ttyout __P((const char *buf, unsigned int len));
void io_log_close __P((void));
void io_nextid __P((void));

/* pam.c */
int pam_begin_session __P((struct passwd *));
int pam_end_session __P((struct passwd *));

/* parse.c */
int sudo_file_open __P((struct sudo_nss *));
int sudo_file_close __P((struct sudo_nss *));
int sudo_file_setdefs __P((struct sudo_nss *));
int sudo_file_lookup __P((struct sudo_nss *, int, int));
int sudo_file_parse __P((struct sudo_nss *));
int sudo_file_display_cmnd __P((struct sudo_nss *, struct passwd *));
int sudo_file_display_defaults __P((struct sudo_nss *, struct passwd *, struct lbuf *));
int sudo_file_display_bound_defaults __P((struct sudo_nss *, struct passwd *, struct lbuf *));
int sudo_file_display_privs __P((struct sudo_nss *, struct passwd *, struct lbuf *));

/* parse_args.c */
int parse_args __P((int, char **));

/* get_pty.c */
/* namesz bounds the name buffer. */
int get_pty __P((int *master, int *slave, char *name, size_t namesz, uid_t uid));

/* pwutil.c */
int user_in_group __P((struct passwd *, const char *));
struct group *sudo_fakegrnam __P((const char *));
struct group *sudo_getgrgid __P((gid_t));
struct group *sudo_getgrnam __P((const char *));
struct passwd *sudo_fakepwnam __P((const char *, gid_t));
struct passwd *sudo_fakepwuid __P((uid_t uid, gid_t gid));
struct passwd *sudo_getpwnam __P((const char *));
struct passwd *sudo_getpwuid __P((uid_t));
void sudo_endgrent __P((void));
void sudo_endpwent __P((void));
void sudo_endspent __P((void));
void sudo_setgrent __P((void));
void sudo_setpwent __P((void));
void sudo_setspent __P((void));
/* Reference counting for the passwd/group entries handed out above. */
void gr_addref __P((struct group *));
void gr_delref __P((struct group *));
void pw_addref __P((struct passwd *));
void pw_delref __P((struct passwd *));

/* selinux.c */
int selinux_restore_tty __P((void));
int selinux_setup __P((const char *role, const char *type, const char *ttyn,
    int ttyfd));
void selinux_execve __P((const char *path, char *argv[], char *envp[]));

/* set_perms.c */
/* Takes a PERM_* value, optionally OR'd with PERM_NOEXIT. */
int set_perms __P((int));

/* sudo.c */
FILE *open_sudoers __P((const char *, int, int *));
int exec_setup __P((int, const char *, int));
RETSIGTYPE cleanup __P((int));          /* signal-handler signature; RETSIGTYPE comes from configure */
void set_fqdn __P((void));

/* sudo_auth.c */
int sudo_auth_cleanup __P((struct passwd *));
int sudo_auth_init __P((struct passwd *));
int verify_user __P((struct passwd *, char *, int));
void dump_auth_methods __P((void));
void pass_warn __P((FILE *));

/* sudo_nss.c */
void display_privs __P((struct sudo_nss_list *, struct passwd *));
int display_cmnd __P((struct sudo_nss_list *, struct passwd *));

/* term.c */
int term_cbreak __P((int));
int term_copy __P((int, int));
int term_noecho __P((int));
int term_raw __P((int, int));
int term_restore __P((int, int));

/* tgetpass.c */
/* One of the int arguments carries the TGP_* flags (see above). */
char *tgetpass __P((const char *, int, int));
int tty_present __P((void));

/* timestr.c */
char *get_timestr __P((time_t, int));

/* toke.l */
/* The generated scanner honours YY_DECL as the declaration of yylex(). */
#define YY_DECL int yylex __P((void))
YY_DECL;

/* zero_bytes.c */
/*
 * By name, wipes a buffer (e.g. one that held a password).  The volatile
 * qualifier is presumably what keeps an optimizer from eliding the clear
 * of a buffer that is never read again -- confirm in zero_bytes.c.
 */
void zero_bytes __P((volatile void *, size_t));

/* ttyname.c */
char *get_process_ttyname __P((void));

/*
 * Only provide extern declarations outside of sudo.c (which defines
 * _SUDO_MAIN and owns the definitions).
 */
#ifndef _SUDO_MAIN
extern struct sudo_user sudo_user;
extern struct passwd *list_pw;

extern int tgetpass_flags;      /* TGP_* bits */
extern int long_list;
extern int sudo_mode;           /* MODE_* value plus mode flags */
extern uid_t timestamp_uid;
/* XXX - conflicts with the one in visudo */
int run_command __P((const char *path, char *argv[], char *envp[], uid_t uid, int dowait));
#endif

/*
 * NOTE(review): _SUDO_SUDO_H is a reserved identifier (leading underscore
 * followed by an uppercase letter).  Harmless in practice, but a rename
 * would have to cover the matching #ifndef/#define at the top of the file.
 */
#endif /* _SUDO_SUDO_H */