Move RUNAS_{USER,GROUP}_SPECIFIED flags into struct sudoers_runas_con…

…text.
sudo-project · Aug 14, 2023 · 08afb51 · 08afb51
1 parent 392f0d6
commit 08afb51
Show file tree

Hide file tree

Showing 5 changed files with 21 additions and 16 deletions.
diff --git a/plugins/sudoers/match.c b/plugins/sudoers/match.c
@@ -193,8 +193,8 @@ runas_userlist_matches(const struct sudoers_parse_tree *parse_tree,
 		 * was specified on the command line without a user _or_
 		 * the user specified their own name on the command line.
 		 */
-		if ((!ISSET(user_ctx.flags, RUNAS_USER_SPECIFIED) &&
-			ISSET(user_ctx.flags, RUNAS_GROUP_SPECIFIED)) ||
+		if ((!ISSET(runas_ctx.flags, RUNAS_USER_SPECIFIED) &&
+			ISSET(runas_ctx.flags, RUNAS_GROUP_SPECIFIED)) ||
 			strcmp(user_ctx.name, runas_ctx.pw->pw_name) == 0)
 		    user_matched = !m->negated;
 		break;
@@ -303,7 +303,7 @@ runaslist_matches(const struct sudoers_parse_tree *parse_tree,
     }
 
     user_matched = runas_userlist_matches(parse_tree, user_list, matching_user);
-    if (ISSET(user_ctx.flags, RUNAS_GROUP_SPECIFIED)) {
+    if (ISSET(runas_ctx.flags, RUNAS_GROUP_SPECIFIED)) {
 	group_matched = runas_grouplist_matches(parse_tree, group_list,
 	    matching_group);
     }

diff --git a/plugins/sudoers/policy.c b/plugins/sudoers/policy.c
@@ -220,13 +220,13 @@ sudoers_policy_deserialize_info(void *v, struct defaults_list *defaults)
 	if (MATCHES(*cur, "runas_user=")) {
 	    CHECK(*cur, "runas_user=");
 	    runas_ctx.user = *cur + sizeof("runas_user=") - 1;
-	    SET(user_ctx.flags, RUNAS_USER_SPECIFIED);
+	    SET(runas_ctx.flags, RUNAS_USER_SPECIFIED);
 	    continue;
 	}
 	if (MATCHES(*cur, "runas_group=")) {
 	    CHECK(*cur, "runas_group=");
 	    runas_ctx.group = *cur + sizeof("runas_group=") - 1;
-	    SET(user_ctx.flags, RUNAS_GROUP_SPECIFIED);
+	    SET(runas_ctx.flags, RUNAS_GROUP_SPECIFIED);
 	    continue;
 	}
 	if (MATCHES(*cur, "prompt=")) {

diff --git a/plugins/sudoers/regress/fuzz/fuzz_sudoers.c b/plugins/sudoers/regress/fuzz/fuzz_sudoers.c
@@ -340,11 +340,11 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
 		sudo_pw_delref(runas_ctx.pw);
 	    if (ud->runuser != NULL) {
 		runas_ctx.user = (char *)ud->runuser;
-		SET(user_ctx.flags, RUNAS_USER_SPECIFIED);
+		SET(runas_ctx.flags, RUNAS_USER_SPECIFIED);
 		runas_ctx.pw = sudo_getpwnam(runas_ctx.user);
 	    } else {
 		runas_ctx.user = NULL;
-		CLR(user_ctx.flags, RUNAS_USER_SPECIFIED);
+		CLR(runas_ctx.flags, RUNAS_USER_SPECIFIED);
 		runas_ctx.pw = sudo_getpwnam("root");
 	    }
 	    if (runas_ctx.pw == NULL) {
@@ -357,7 +357,7 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
 		sudo_gr_delref(runas_ctx.gr);
 	    if (ud->rungroup != NULL) {
 		runas_ctx.group = (char *)ud->rungroup;
-		SET(user_ctx.flags, RUNAS_GROUP_SPECIFIED);
+		SET(runas_ctx.flags, RUNAS_GROUP_SPECIFIED);
 		runas_ctx.gr = sudo_getgrnam(runas_ctx.group);
 		if (runas_ctx.gr == NULL) {
 		    sudo_warnx_nodebug("unknown run group %s",
@@ -366,7 +366,7 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
 		}
 	    } else {
 		runas_ctx.group = NULL;
-		CLR(user_ctx.flags, RUNAS_GROUP_SPECIFIED);
+		CLR(runas_ctx.flags, RUNAS_GROUP_SPECIFIED);
 		runas_ctx.gr = NULL;
 	    }
 

diff --git a/plugins/sudoers/sudoers.h b/plugins/sudoers/sudoers.h
@@ -104,11 +104,11 @@ struct sudoers_user_context {
     char *iolog_file;
     char *iolog_path;
     GETGROUPS_T *gids;
+    unsigned int flags;
     int   ngids;
     int   closefrom;
     int   lines;
     int   cols;
-    unsigned int   flags;
     int   max_groups;
     int   timeout;
     mode_t umask;
@@ -120,6 +120,8 @@ struct sudoers_user_context {
 };
 
 struct sudoers_runas_context {
+    unsigned int flags;
+    int execfd;
     struct passwd *pw;
     struct group *gr;
     struct passwd *list_pw;
@@ -142,7 +144,6 @@ struct sudoers_runas_context {
     char *privs;
     char *limitprivs;
 #endif
-    int execfd;
 };
 
 /*
@@ -155,11 +156,15 @@ struct sudoers_runas_context {
 /*
  * user_ctx.flag values
  */
+#define CAN_INTERCEPT_SETID	0x01U
+#define HAVE_INTERCEPT_PTRACE	0x02U
+#define USER_INTERCEPT_SETID	0x04U
+
+/*
+ * runas_ctx.flag values
+ */
 #define RUNAS_USER_SPECIFIED	0x01U
 #define RUNAS_GROUP_SPECIFIED	0x02U
-#define CAN_INTERCEPT_SETID	0x04U
-#define HAVE_INTERCEPT_PTRACE	0x08U
-#define USER_INTERCEPT_SETID	0x10U
 
 /*
  * Return values for sudoers_lookup(), also used as arguments for log_auth()

diff --git a/plugins/sudoers/testsudoers.c b/plugins/sudoers/testsudoers.c
@@ -149,7 +149,7 @@ main(int argc, char *argv[])
 		break;
 	    case 'g':
 		runas_group = optarg;
-		SET(user_ctx.flags, RUNAS_GROUP_SPECIFIED);
+		SET(runas_ctx.flags, RUNAS_GROUP_SPECIFIED);
 		break;
 	    case 'h':
 		user_ctx.host = optarg;
@@ -206,7 +206,7 @@ main(int argc, char *argv[])
 		break;
 	    case 'u':
 		runas_user = optarg;
-		SET(user_ctx.flags, RUNAS_USER_SPECIFIED);
+		SET(runas_ctx.flags, RUNAS_USER_SPECIFIED);
 		break;
 	    case 'v':
 		if (sudo_mode != MODE_RUN) {