add implicit SETENV: to 'ALL'
squell committed Dec 18, 2024
1 parent ca13518 commit f1dd0df
Showing 2 changed files with 22 additions and 11 deletions.
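--- a/src/sudoers/ast.rs
+++ b/src/sudoers/ast.rs
@@ -81,13 +81,16 @@ pub enum Authenticate {
     Nopasswd = HARDENED_ENUM_VALUE_2,
 }
 
-// A type that represents a hardened bool
-type EnvironmentControl = Qualified<()>;
-
-impl Default for EnvironmentControl {
-    fn default() -> Self {
-        Qualified::Forbid(())
-    }
+#[derive(Copy, Clone, Default, PartialEq)]
+#[cfg_attr(test, derive(Debug, Eq))]
+#[repr(u32)]
+pub enum EnvironmentControl {
+    #[default]
+    Implicit = HARDENED_ENUM_VALUE_0,
+    // PASSWD:
+    Setenv = HARDENED_ENUM_VALUE_1,
+    // NOPASSWD:
+    Nosetenv = HARDENED_ENUM_VALUE_2,
 }
 
 /// Commands in /etc/sudoers can have attributes attached to them, such as NOPASSWD, NOEXEC, ...
@@ -105,7 +108,7 @@ impl Tag {
     }
 
     pub fn allows_setenv(&self) -> bool {
-        self.env == Qualified::Allow(())
+        matches!(self.env, EnvironmentControl::Setenv)
     }
 }
 
@@ -381,8 +384,8 @@ impl Parse for MetaOrTag {
             // a parse error elsewhere. 'EXEC' and 'NOINTERCEPT' are the default behaviour.
             "FOLLOW" | "NOFOLLOW" | "EXEC" | "NOINTERCEPT" => switch(|_| {})?,
 
-            "SETENV" => switch(|tag| tag.env = Qualified::Allow(()))?,
-            "NOSETENV" => switch(|tag| tag.env = Qualified::Forbid(()))?,
+            "SETENV" => switch(|tag| tag.env = EnvironmentControl::Setenv)?,
+            "NOSETENV" => switch(|tag| tag.env = EnvironmentControl::Nosetenv)?,
             "PASSWD" => switch(|tag| tag.authenticate = Authenticate::Passwd)?,
             "NOPASSWD" => switch(|tag| tag.authenticate = Authenticate::Nopasswd)?,
 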
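Review bot: The variant comments on the new `EnvironmentControl` enum are copied from `Authenticate` rather than written for this type — `Setenv` is annotated `// PASSWD:` and `Nosetenv` is annotated `// NOPASSWD:`; they should read `// SETENV:` and `// NOSETENV:`. The new `Implicit` variant, which is the `#[default]`, has no comment at all, and since `allows_setenv` now reports true only for `Setenv`, a reader needs to know that `Implicit` means "neither keyword was given" and is left to a later pass to resolve for `ALL`; a line such as `// neither SETENV: nor NOSETENV: was given; ALL upgrades this to Setenv, other commands treat it as Nosetenv` above `Implicit` would make that contract explicit. The hardened three-valued enum is a good replacement for the `Qualified<()>` alias because the implicit state can no longer be confused with an explicit `NOSETENV`.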
10 changes: 9 additions & 1 deletion src/sudoers/mod.rs
@@ -348,7 +348,15 @@ fn distribute_tags(
f(tag);
}

Some((last_runas, (tag.clone(), cmd)))
let this_tag = match cmd {
Qualified::Allow(Meta::All) if tag.env != EnvironmentControl::Nosetenv => Tag {

Check failure on line 352 in src/sudoers/mod.rs

GitHub Actions / build-and-test

missing fields `authenticate` and `cwd` in initializer of `ast::Tag`

Check failure on line 352 in src/sudoers/mod.rs

GitHub Actions / build-and-test-msrv

missing fields `authenticate` and `cwd` in initializer of `ast::Tag`

Check failure on line 352 in src/sudoers/mod.rs

GitHub Actions / build-and-test-minimal

missing fields `authenticate` and `cwd` in initializer of `ast::Tag`

Check failure on line 352 in src/sudoers/mod.rs

GitHub Actions / clippy

missing fields `authenticate` and `cwd` in initializer of `sudoers::ast::Tag`
// "ALL" has an implicit "SETENV" that doesn't distribute
env: EnvironmentControl::Setenv..tag.clone(),

Check failure on line 354 in src/sudoers/mod.rs

GitHub Actions / build-and-test

mismatched types

Check failure on line 354 in src/sudoers/mod.rs

GitHub Actions / build-and-test-msrv

mismatched types

Check failure on line 354 in src/sudoers/mod.rs

GitHub Actions / build-and-test-minimal

mismatched types

Check failure on line 354 in src/sudoers/mod.rs

GitHub Actions / clippy

mismatched types
},
_ => tag.clone(),
};

Some((last_runas, (this_tag, cmd)))
},
)
}
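Review bot: The struct-update expression in the `Qualified::Allow(Meta::All)` arm is missing the comma before `..`, so `env: EnvironmentControl::Setenv..tag.clone()` parses as a range expression from `Setenv` to the cloned tag — which is exactly what the attached CI failures (`missing fields authenticate and cwd`, `mismatched types`) report. The line should read `env: EnvironmentControl::Setenv, ..tag.clone(),`. Because this arm is what silently widens a plain `ALL` rule to permit environment overrides, it is worth pinning with a unit test in both directions: an `ALL` entry with no keyword yields `allows_setenv() == true`, while `NOSETENV: ALL` and an explicitly tagged non-`ALL` command stay false, so the privilege default cannot regress unnoticed. The `cmd` pattern presumably relies on match ergonomics if `cmd` is a reference; confirm that `Meta::All` matches through the borrow. distribute_tags begins outside the hunk.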
