1
/*
2
 * SPDX-License-Identifier: ISC
3
 *
4
 * Copyright (c) 2004-2005, 2007-2024 Todd C. Miller <[email protected]>
5
 *
6
 * Permission to use, copy, modify, and distribute this software for any
7
 * purpose with or without fee is hereby granted, provided that the above
8
 * copyright notice and this permission notice appear in all copies.
9
 *
10
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17
 */
18

19
#include <config.h>
20

21
#include <sys/stat.h>
22
#include <stdio.h>
23
#include <stdlib.h>
24
#include <string.h>
25
#include <unistd.h>
26
#include <ctype.h>
27
#include <pwd.h>
28

29
#include <sudoers.h>
30
#include <sudo_lbuf.h>
31
#include <gram.h>
32

33
static int
34
display_priv_short(const struct sudoers_parse_tree *parse_tree,
35
    const struct passwd *pw, const struct userspec *us, struct sudo_lbuf *lbuf)
36
{
37
    struct privilege *priv;
38
    int nfound = 0;
39
    debug_decl(display_priv_short, SUDOERS_DEBUG_PARSER);
40

41
    TAILQ_FOREACH(priv, &us->privileges, entries) {
42
	struct cmndspec *cs;
43
	struct cmndtag tags;
44

45
	if (hostlist_matches(parse_tree, pw, &priv->hostlist) != ALLOW)
46
	    continue;
47

48
	sudoers_defaults_list_to_tags(&priv->defaults, &tags);
49
	TAILQ_FOREACH(cs, &priv->cmndlist, entries) {
50
	    struct cmndspec *prev_cs = TAILQ_PREV(cs, cmndspec_list, entries);
51

52
	    if (prev_cs == NULL || RUNAS_CHANGED(cs, prev_cs)) {
53
		struct member *m;
54

55
		/* Start new line, first entry or RunAs changed. */
56
		if (prev_cs != NULL)
57
		    sudo_lbuf_append(lbuf, "\n");
58
		sudo_lbuf_append(lbuf, "    (");
59
		if (cs->runasuserlist != NULL) {
60
		    TAILQ_FOREACH(m, cs->runasuserlist, entries) {
61
			if (m != TAILQ_FIRST(cs->runasuserlist))
62
			    sudo_lbuf_append(lbuf, ", ");
63
			sudoers_format_member(lbuf, parse_tree, m, ", ",
64
			    RUNASALIAS);
65
		    }
66
		} else if (cs->runasgrouplist == NULL) {
67
		    sudo_lbuf_append(lbuf, "%s", def_runas_default);
68
		} else {
69
		    sudo_lbuf_append(lbuf, "%s", pw->pw_name);
70
		}
71
		if (cs->runasgrouplist != NULL) {
72
		    sudo_lbuf_append(lbuf, " : ");
73
		    TAILQ_FOREACH(m, cs->runasgrouplist, entries) {
74
			if (m != TAILQ_FIRST(cs->runasgrouplist))
75
			    sudo_lbuf_append(lbuf, ", ");
76
			sudoers_format_member(lbuf, parse_tree, m, ", ",
77
			    RUNASALIAS);
78
		    }
79
		}
80
		sudo_lbuf_append(lbuf, ") ");
81
		sudoers_format_cmndspec(lbuf, parse_tree, cs, NULL,
82
		    tags, true);
83
	    } else {
84
		/* Continue existing line. */
85
		sudo_lbuf_append(lbuf, ", ");
86
		sudoers_format_cmndspec(lbuf, parse_tree, cs, prev_cs,
87
		    tags, true);
88
	    }
89
	    nfound++;
90
	}
91
	sudo_lbuf_append(lbuf, "\n");
92
    }
93
    debug_return_int(nfound);
94
}
95

96
/*
97
 * Compare the current cmndspec with the previous one to determine
98
 * whether we need to start a new long entry for "sudo -ll".
99
 * Returns true if we should start a new long entry, else false.
100
 */
101
static bool
102
new_long_entry(const struct cmndspec *cs, const struct cmndspec *prev_cs)
103
{
104
    debug_decl(new_long_entry, SUDOERS_DEBUG_PARSER);
105

106
    if (prev_cs == NULL)
107
	debug_return_bool(true);
108
    if (RUNAS_CHANGED(cs, prev_cs) || TAGS_CHANGED(prev_cs->tags, cs->tags))
109
	debug_return_bool(true);
110
    if (cs->privs && (!prev_cs->privs || strcmp(cs->privs, prev_cs->privs) != 0))
111
	debug_return_bool(true);
112
    if (cs->limitprivs && (!prev_cs->limitprivs || strcmp(cs->limitprivs, prev_cs->limitprivs) != 0))
113
	debug_return_bool(true);
114
    if (cs->role && (!prev_cs->role || strcmp(cs->role, prev_cs->role) != 0))
115
	debug_return_bool(true);
116
    if (cs->type && (!prev_cs->type || strcmp(cs->type, prev_cs->type) != 0))
117
	debug_return_bool(true);
118
    if (cs->apparmor_profile && (!prev_cs->apparmor_profile || strcmp(cs->apparmor_profile, prev_cs->apparmor_profile) != 0))
119
	debug_return_bool(true);
120
    if (cs->runchroot && (!prev_cs->runchroot || strcmp(cs->runchroot, prev_cs->runchroot) != 0))
121
	debug_return_bool(true);
122
    if (cs->runcwd && (!prev_cs->runcwd || strcmp(cs->runcwd, prev_cs->runcwd) != 0))
123
	debug_return_bool(true);
124
    if (cs->timeout != prev_cs->timeout)
125
	debug_return_bool(true);
126
    if (cs->notbefore != prev_cs->notbefore)
127
	debug_return_bool(true);
128
    if (cs->notafter != prev_cs->notafter)
129
	debug_return_bool(true);
130
    debug_return_bool(false);
131
}
132

133
static void
134
display_cmndspec_long(const struct sudoers_parse_tree *parse_tree,
135
    const struct passwd *pw, const struct userspec *us,
136
    const struct privilege *priv, const struct cmndspec *cs,
137
    const struct cmndspec *prev_cs, struct sudo_lbuf *lbuf)
138
{
139
    const struct defaults *d;
140
    const struct member *m;
141
    debug_decl(display_cmndspec_long, SUDOERS_DEBUG_PARSER);
142

143
    if (new_long_entry(cs, prev_cs)) {
144
	unsigned int olen;
145

146
	if (prev_cs != NULL)
147
	    sudo_lbuf_append(lbuf, "\n");
148
	if (priv->ldap_role != NULL) {
149
	    sudo_lbuf_append(lbuf, _("LDAP Role: %s\n"),
150
		priv->ldap_role);
151
	} else {
152
	    sudo_lbuf_append(lbuf, _("Sudoers entry: %s\n"),
153
		us->file);
154
	}
155
	sudo_lbuf_append(lbuf, "%s", _("    RunAsUsers: "));
156
	if (cs->runasuserlist != NULL) {
157
	    TAILQ_FOREACH(m, cs->runasuserlist, entries) {
158
		if (m != TAILQ_FIRST(cs->runasuserlist))
159
		    sudo_lbuf_append(lbuf, ", ");
160
		sudoers_format_member(lbuf, parse_tree, m, ", ",
161
		    RUNASALIAS);
162
	    }
163
	} else if (cs->runasgrouplist == NULL) {
164
	    sudo_lbuf_append(lbuf, "%s", def_runas_default);
165
	} else {
166
	    sudo_lbuf_append(lbuf, "%s", pw->pw_name);
167
	}
168
	sudo_lbuf_append(lbuf, "\n");
169
	if (cs->runasgrouplist != NULL) {
170
	    sudo_lbuf_append(lbuf, "%s", _("    RunAsGroups: "));
171
	    TAILQ_FOREACH(m, cs->runasgrouplist, entries) {
172
		if (m != TAILQ_FIRST(cs->runasgrouplist))
173
		    sudo_lbuf_append(lbuf, ", ");
174
		sudoers_format_member(lbuf, parse_tree, m, ", ",
175
		    RUNASALIAS);
176
	    }
177
	    sudo_lbuf_append(lbuf, "\n");
178
	}
179
	olen = lbuf->len;
180
	sudo_lbuf_append(lbuf, "%s", _("    Options: "));
181
	TAILQ_FOREACH(d, &priv->defaults, entries) {
182
	    sudoers_format_default(lbuf, d);
183
	    sudo_lbuf_append(lbuf, ", ");
184
	}
185
	if (TAG_SET(cs->tags.setenv))
186
	    sudo_lbuf_append(lbuf, "%ssetenv, ", cs->tags.setenv ? "" : "!");
187
	if (TAG_SET(cs->tags.noexec))
188
	    sudo_lbuf_append(lbuf, "%snoexec, ", cs->tags.noexec ? "" : "!");
189
	if (TAG_SET(cs->tags.intercept))
190
	    sudo_lbuf_append(lbuf, "%sintercept, ", cs->tags.intercept ? "" : "!");
191
	if (TAG_SET(cs->tags.nopasswd))
192
	    sudo_lbuf_append(lbuf, "%sauthenticate, ", cs->tags.nopasswd ? "!" : "");
193
	if (TAG_SET(cs->tags.log_input))
194
	    sudo_lbuf_append(lbuf, "%slog_input, ", cs->tags.log_input ? "" : "!");
195
	if (TAG_SET(cs->tags.log_output))
196
	    sudo_lbuf_append(lbuf, "%slog_output, ", cs->tags.log_output ? "" : "!");
197
	if (lbuf->buf[lbuf->len - 2] == ',') {
198
	    lbuf->len -= 2;	/* remove trailing ", " */
199
	    sudo_lbuf_append(lbuf, "\n");
200
	} else {
201
	    lbuf->len = olen;	/* no options */
202
	}
203
	if (cs->apparmor_profile != NULL) {
204
	    sudo_lbuf_append(lbuf, "    ApparmorProfile: %s\n",
205
		cs->apparmor_profile);
206
	}
207
	if (cs->privs != NULL)
208
	    sudo_lbuf_append(lbuf, "    Privs: %s\n", cs->privs);
209
	if (cs->limitprivs != NULL)
210
	    sudo_lbuf_append(lbuf, "    Limitprivs: %s\n", cs->limitprivs);
211
	if (cs->role != NULL)
212
	    sudo_lbuf_append(lbuf, "    Role: %s\n", cs->role);
213
	if (cs->type != NULL)
214
	    sudo_lbuf_append(lbuf, "    Type: %s\n", cs->type);
215
	if (cs->runchroot != NULL)
216
	    sudo_lbuf_append(lbuf, "    Chroot: %s\n", cs->runchroot);
217
	if (cs->runcwd != NULL)
218
	    sudo_lbuf_append(lbuf, "    Cwd: %s\n", cs->runcwd);
219
	if (cs->timeout > 0) {
220
	    char numbuf[STRLEN_MAX_SIGNED(int) + 1];
221
	    (void)snprintf(numbuf, sizeof(numbuf), "%d", cs->timeout);
222
	    sudo_lbuf_append(lbuf, "    Timeout: %s\n", numbuf);
223
	}
224
	if (cs->notbefore != UNSPEC) {
225
	    char buf[sizeof("CCYYMMDDHHMMSSZ")] = "";
226
	    struct tm gmt;
227
	    size_t len;
228
	    if (gmtime_r(&cs->notbefore, &gmt) != NULL) {
229
		len = strftime(buf, sizeof(buf), "%Y%m%d%H%M%SZ", &gmt);
230
		if (len != 0 && buf[sizeof(buf) - 1] == '\0')
231
		    sudo_lbuf_append(lbuf, "    NotBefore: %s\n", buf);
232
	    }
233
	}
234
	if (cs->notafter != UNSPEC) {
235
	    char buf[sizeof("CCYYMMDDHHMMSSZ")] = "";
236
	    struct tm gmt;
237
	    size_t len;
238
	    if (gmtime_r(&cs->notafter, &gmt) != NULL) {
239
		len = strftime(buf, sizeof(buf), "%Y%m%d%H%M%SZ", &gmt);
240
		if (len != 0 && buf[sizeof(buf) - 1] == '\0')
241
		    sudo_lbuf_append(lbuf, "    NotAfter: %s\n", buf);
242
	    }
243
	}
244
	sudo_lbuf_append(lbuf, "%s", _("    Commands:\n"));
245
    }
246
    sudo_lbuf_append(lbuf, "\t");
247
    sudoers_format_member(lbuf, parse_tree, cs->cmnd, "\n\t",
248
	CMNDALIAS);
249
    sudo_lbuf_append(lbuf, "\n");
250

251
    debug_return;
252
}
253

254
static int
255
display_priv_long(const struct sudoers_parse_tree *parse_tree,
256
    const struct passwd *pw, const struct userspec *us, struct sudo_lbuf *lbuf)
257
{
258
    const struct privilege *priv;
259
    int nfound = 0;
260
    debug_decl(display_priv_long, SUDOERS_DEBUG_PARSER);
261

262
    TAILQ_FOREACH(priv, &us->privileges, entries) {
263
	const struct cmndspec *cs, *prev_cs;
264

265
	if (hostlist_matches(parse_tree, pw, &priv->hostlist) != ALLOW)
266
	    continue;
267
	prev_cs = NULL;
268
	sudo_lbuf_append(lbuf, "\n");
269
	TAILQ_FOREACH(cs, &priv->cmndlist, entries) {
270
	    display_cmndspec_long(parse_tree, pw, us, priv, cs, prev_cs,
271
		lbuf);
272
	    prev_cs = cs;
273
	    nfound++;
274
	}
275
    }
276
    debug_return_int(nfound);
277
}
278

279
static int
280
sudo_display_userspecs(struct sudoers_parse_tree *parse_tree,
281
    const struct passwd *pw, struct sudo_lbuf *lbuf, bool verbose)
282
{
283
    const struct userspec *us;
284
    int nfound = 0;
285
    debug_decl(sudo_display_userspecs, SUDOERS_DEBUG_PARSER);
286

287
    TAILQ_FOREACH(us, &parse_tree->userspecs, entries) {
288
	if (userlist_matches(parse_tree, pw, &us->users) != ALLOW)
289
	    continue;
290

291
	if (verbose)
292
	    nfound += display_priv_long(parse_tree, pw, us, lbuf);
293
	else
294
	    nfound += display_priv_short(parse_tree, pw, us, lbuf);
295
    }
296
    if (sudo_lbuf_error(lbuf))
297
	debug_return_int(-1);
298
    debug_return_int(nfound);
299
}
300

301
/*
302
 * Display matching Defaults entries for the given user on this host.
303
 */
304
static int
305
display_defaults(const struct sudoers_parse_tree *parse_tree,
306
    const struct passwd *pw, struct sudo_lbuf *lbuf)
307
{
308
    const struct defaults *d;
309
    const char *prefix;
310
    int nfound = 0;
311
    debug_decl(display_defaults, SUDOERS_DEBUG_PARSER);
312

313
    if (lbuf->len == 0 || isspace((unsigned char)lbuf->buf[lbuf->len - 1]))
314
	prefix = "    ";
315
    else
316
	prefix = ", ";
317

318
    TAILQ_FOREACH(d, &parse_tree->defaults, entries) {
319
	switch (d->type) {
320
	    case DEFAULTS_HOST:
321
		if (hostlist_matches(parse_tree, pw, &d->binding->members) != ALLOW)
322
		    continue;
323
		break;
324
	    case DEFAULTS_USER:
325
		if (userlist_matches(parse_tree, pw, &d->binding->members) != ALLOW)
326
		    continue;
327
		break;
328
	    case DEFAULTS_RUNAS:
329
	    case DEFAULTS_CMND:
330
		continue;
331
	}
332
	sudo_lbuf_append(lbuf, "%s", prefix);
333
	sudoers_format_default(lbuf, d);
334
	prefix = ", ";
335
	nfound++;
336
    }
337
    if (sudo_lbuf_error(lbuf))
338
	debug_return_int(-1);
339
    debug_return_int(nfound);
340
}
341

342
/*
343
 * Display Defaults entries of the given type.
344
 */
345
static int
346
display_bound_defaults_by_type(const struct sudoers_parse_tree *parse_tree,
347
    int deftype, struct sudo_lbuf *lbuf)
348
{
349
    const struct defaults *d;
350
    const struct defaults_binding *binding = NULL;
351
    const struct member *m;
352
    const char *dsep;
353
    short atype;
354
    int nfound = 0;
355
    debug_decl(display_bound_defaults_by_type, SUDOERS_DEBUG_PARSER);
356

357
    switch (deftype) {
358
	case DEFAULTS_HOST:
359
	    atype = HOSTALIAS;
360
	    dsep = "@";
361
	    break;
362
	case DEFAULTS_USER:
363
	    atype = USERALIAS;
364
	    dsep = ":";
365
	    break;
366
	case DEFAULTS_RUNAS:
367
	    atype = RUNASALIAS;
368
	    dsep = ">";
369
	    break;
370
	case DEFAULTS_CMND:
371
	    atype = CMNDALIAS;
372
	    dsep = "!";
373
	    break;
374
	default:
375
	    debug_return_int(-1);
376
    }
377
    TAILQ_FOREACH(d, &parse_tree->defaults, entries) {
378
	if (d->type != deftype)
379
	    continue;
380

381
	nfound++;
382
	if (binding != d->binding) {
383
	    binding = d->binding;
384
	    if (nfound != 1)
385
		sudo_lbuf_append(lbuf, "\n");
386
	    sudo_lbuf_append(lbuf, "    Defaults%s", dsep);
387
	    TAILQ_FOREACH(m, &binding->members, entries) {
388
		if (m != TAILQ_FIRST(&binding->members))
389
		    sudo_lbuf_append(lbuf, ", ");
390
		sudoers_format_member(lbuf, parse_tree, m, ", ", atype);
391
	    }
392
	    sudo_lbuf_append(lbuf, " ");
393
	} else
394
	    sudo_lbuf_append(lbuf, ", ");
395
	sudoers_format_default(lbuf, d);
396
    }
397

398
    if (sudo_lbuf_error(lbuf))
399
	debug_return_int(-1);
400
    debug_return_int(nfound);
401
}
402

403
/*
404
 * Display Defaults entries that are per-runas or per-command
405
 */
406
static int
407
display_bound_defaults(const struct sudoers_parse_tree *parse_tree,
408
    const struct passwd *pw, struct sudo_lbuf *lbuf)
409
{
410
    int nfound = 0;
411
    debug_decl(display_bound_defaults, SUDOERS_DEBUG_PARSER);
412

413
    /* XXX - should only print ones that match what the user can do. */
414
    nfound += display_bound_defaults_by_type(parse_tree, DEFAULTS_RUNAS,
415
	lbuf);
416
    nfound += display_bound_defaults_by_type(parse_tree, DEFAULTS_CMND,
417
	lbuf);
418

419
    if (sudo_lbuf_error(lbuf))
420
	debug_return_int(-1);
421
    debug_return_int(nfound);
422
}
423

424
static int
425
output(const char *buf)
426
{
427
    struct sudo_conv_message msg;
428
    struct sudo_conv_reply repl;
429
    debug_decl(output, SUDOERS_DEBUG_NSS);
430

431
    /* Call conversation function */
432
    memset(&msg, 0, sizeof(msg));
433
    msg.msg_type = SUDO_CONV_INFO_MSG;
434
    msg.msg = buf;
435
    memset(&repl, 0, sizeof(repl));
436
    if (sudo_conv(1, &msg, &repl, NULL) == -1)
437
	debug_return_int(0);
438
    debug_return_int((int)strlen(buf));
439
}
440

441
/*
442
 * Print out privileges for the specified user.
443
 * Returns true on success or -1 on error.
444
 */
445
int
446
display_privs(struct sudoers_context *ctx, const struct sudo_nss_list *snl,
447
    struct passwd *pw, int verbose)
448
{
449
    const struct sudo_nss *nss;
450
    struct sudo_lbuf def_buf, priv_buf;
451
    int cols, count, n;
452
    unsigned int olen;
453
    struct stat sb;
454
    debug_decl(display_privs, SUDOERS_DEBUG_PARSER);
455

456
    if (verbose < 0) {
457
	/* Nothing to display. */
458
	debug_return_int(true);
459
    }
460

461
    cols = ctx->user.cols;
462
    if (fstat(STDOUT_FILENO, &sb) == 0 && S_ISFIFO(sb.st_mode))
463
	cols = 0;
464
    sudo_lbuf_init(&def_buf, output, 4, NULL, cols);
465
    sudo_lbuf_init(&priv_buf, output, 8, NULL, cols);
466

467
    sudo_lbuf_append(&def_buf, _("Matching Defaults entries for %s on %s:\n"),
468
	pw->pw_name, ctx->runas.shost);
469
    count = 0;
470
    TAILQ_FOREACH(nss, snl, entries) {
471
	n = display_defaults(nss->parse_tree, pw, &def_buf);
472
	if (n == -1)
473
	    goto bad;
474
	count += n;
475
    }
476
    if (count != 0) {
477
	sudo_lbuf_append(&def_buf, "\n\n");
478
    } else {
479
	/* Undo Defaults header. */
480
	def_buf.len = 0;
481
    }
482

483
    /* Display Runas and Cmnd-specific defaults. */
484
    olen = def_buf.len;
485
    sudo_lbuf_append(&def_buf, _("Runas and Command-specific defaults for %s:\n"),
486
	pw->pw_name);
487
    count = 0;
488
    TAILQ_FOREACH(nss, snl, entries) {
489
	n = display_bound_defaults(nss->parse_tree, pw, &def_buf);
490
	if (n == -1)
491
	    goto bad;
492
	count += n;
493
    }
494
    if (count != 0) {
495
	sudo_lbuf_append(&def_buf, "\n\n");
496
    } else {
497
	/* Undo Defaults header. */
498
	def_buf.len = olen;
499
    }
500

501
    /* Display privileges from all sources. */
502
    sudo_lbuf_append(&priv_buf,
503
	_("User %s may run the following commands on %s:\n"),
504
	pw->pw_name, ctx->runas.shost);
505
    count = 0;
506
    TAILQ_FOREACH(nss, snl, entries) {
507
	if (nss->query(ctx, nss, pw) != -1) {
508
	    n = sudo_display_userspecs(nss->parse_tree, pw, &priv_buf,
509
		verbose);
510
	    if (n == -1)
511
		goto bad;
512
	    count += n;
513
	}
514
    }
515
    if (count == 0) {
516
	def_buf.len = 0;
517
	priv_buf.len = 0;
518
	sudo_lbuf_append(&priv_buf,
519
	    _("User %s is not allowed to run sudo on %s.\n"),
520
	    pw->pw_name, ctx->runas.shost);
521
    }
522
    if (sudo_lbuf_error(&def_buf) || sudo_lbuf_error(&priv_buf))
523
	goto bad;
524

525
    sudo_lbuf_print(&def_buf);
526
    sudo_lbuf_print(&priv_buf);
527

528
    sudo_lbuf_destroy(&def_buf);
529
    sudo_lbuf_destroy(&priv_buf);
530

531
    debug_return_int(true);
532
bad:
533
    sudo_lbuf_destroy(&def_buf);
534
    sudo_lbuf_destroy(&priv_buf);
535

536
    debug_return_int(-1);
537
}
538

539
static int
540
display_cmnd_check(struct sudoers_context *ctx,
541
    const struct sudoers_parse_tree *parse_tree, const struct passwd *pw,
542
    time_t now, struct sudoers_match_info *match_info)
543
{
544
    int host_match, runas_match, cmnd_match = UNSPEC;
545
    char *saved_user_cmnd, *saved_user_base;
546
    const struct privilege *priv;
547
    const struct userspec *us;
548
    const struct cmndspec *cs;
549
    debug_decl(display_cmnd_check, SUDOERS_DEBUG_PARSER);
550

551
    /*
552
     * For "sudo -l command", ctx->user.cmnd is "list" and the actual
553
     * command we are checking is in ctx->user.cmnd_list.
554
     */
555
    saved_user_cmnd = ctx->user.cmnd;
556
    saved_user_base = ctx->user.cmnd_base;
557
    ctx->user.cmnd = ctx->user.cmnd_list;
558
    ctx->user.cmnd_base = sudo_basename(ctx->user.cmnd);
559

560
    TAILQ_FOREACH_REVERSE(us, &parse_tree->userspecs, userspec_list, entries) {
561
	if (userlist_matches(parse_tree, pw, &us->users) != ALLOW)
562
	    continue;
563
	TAILQ_FOREACH_REVERSE(priv, &us->privileges, privilege_list, entries) {
564
	    host_match = hostlist_matches(parse_tree, pw, &priv->hostlist);
565
	    if (host_match != ALLOW)
566
		continue;
567
	    TAILQ_FOREACH_REVERSE(cs, &priv->cmndlist, cmndspec_list, entries) {
568
		if (cs->notbefore != UNSPEC) {
569
		    if (now < cs->notbefore)
570
			continue;
571
		}
572
		if (cs->notafter != UNSPEC) {
573
		    if (now > cs->notafter)
574
			continue;
575
		}
576
		runas_match = runaslist_matches(parse_tree, cs->runasuserlist,
577
		    cs->runasgrouplist);
578
		if (runas_match == ALLOW) {
579
		    cmnd_match = cmnd_matches(parse_tree, cs->cmnd,
580
			cs->runchroot, NULL);
581
		    if (cmnd_match != UNSPEC) {
582
			match_info->parse_tree = parse_tree;
583
			match_info->us = us;
584
			match_info->priv = priv;
585
			match_info->cs = cs;
586
			goto done;
587
		    }
588
		}
589
	    }
590
	}
591
    }
592
done:
593
    ctx->user.cmnd = saved_user_cmnd;
594
    ctx->user.cmnd_base = saved_user_base;
595
    debug_return_int(cmnd_match);
596
}
597

598
/*
599
 * Check ctx->user.cmnd against sudoers and print the matching entry if the
600
 * command is allowed.
601
 * Returns true if the command is allowed, false if not or -1 on error.
602
 */
603
int
604
display_cmnd(struct sudoers_context *ctx, const struct sudo_nss_list *snl,
605
    struct passwd *pw, int verbose)
606
{
607
    struct sudoers_match_info match_info = { NULL };
608
    struct sudo_lbuf lbuf;
609
    struct sudo_nss *nss;
610
    int m, match = UNSPEC;
611
    int ret = false;
612
    time_t now;
613
    debug_decl(display_cmnd, SUDOERS_DEBUG_PARSER);
614

615
    /* Iterate over each source, checking for the command. */
616
    time(&now);
617
    sudo_lbuf_init(&lbuf, output, 0, NULL, 0);
618
    TAILQ_FOREACH(nss, snl, entries) {
619
	if (nss->query(ctx, nss, pw) == -1) {
620
	    /* The query function should have printed an error message. */
621
	    debug_return_int(-1);
622
	}
623

624
	m = display_cmnd_check(ctx, nss->parse_tree, pw, now, &match_info);
625
	if (m != UNSPEC)
626
	    match = m;
627

628
	if (!sudo_nss_can_continue(nss, m))
629
	    break;
630
    }
631
    if (match == ALLOW) {
632
	if (verbose < 0) {
633
	    /* Nothing to display. */
634
	    debug_return_int(true);
635
	}
636
	if (verbose) {
637
	    /* Append matching sudoers rule (long form). */
638
	    display_cmndspec_long(match_info.parse_tree, pw, match_info.us,
639
		match_info.priv, match_info.cs, NULL, &lbuf);
640
	    sudo_lbuf_append(&lbuf, "    Matched: ");
641
	}
642
	sudo_lbuf_append(&lbuf, "%s%s%s\n", ctx->user.cmnd_list,
643
	    ctx->user.cmnd_args ? " " : "",
644
	    ctx->user.cmnd_args ? ctx->user.cmnd_args : "");
645
	sudo_lbuf_print(&lbuf);
646
	ret = sudo_lbuf_error(&lbuf) ? -1 : true;
647
	sudo_lbuf_destroy(&lbuf);
648
    }
649
    debug_return_int(ret);
650
}
651

652