X-Git-Url: https://git.armaanb.net/?a=blobdiff_plain;f=doas.c;h=b77e17f6953eb88faa8bd69f95f5ac8fc7a3f35d;hb=e355b1d04349731687a4eb6222a91d9b2dcf7e6f;hp=a712bc3799970a2f6096d82ac16ed9ef1c3fd1ec;hpb=cdc72f2f64334711d9cddf6855081addd5328627;p=opendoas.git
diff --git a/doas.c b/doas.c
index a712bc3..b77e17f 100644
--- a/doas.c
+++ b/doas.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: doas.c,v 1.13 2015/07/20 01:00:48 tedu Exp $ */
+/* $OpenBSD: doas.c,v 1.14 2015/07/20 01:04:37 tedu Exp $ */
 /*
 * Copyright (c) 2015 Ted Unangst
 *
@@ -97,7 +97,7 @@ strtogid(const char *s)
 
 static int
 match(uid_t uid, gid_t *groups, int ngroups, uid_t target, const char *cmd,
- struct rule *r)
+ const char **cmdargs, struct rule *r)
 {
 int i;
 
@@ -117,20 +117,33 @@ match(uid_t uid, gid_t *groups, int ngroups, uid_t target, const char *cmd,
 }
 if (r->target && uidcheck(r->target, target) != 0)
 return 0;
- if (r->cmd && strcmp(r->cmd, cmd) != 0)
- return 0;
+ if (r->cmd) {
+ if (strcmp(r->cmd, cmd))
+ return 0;
+ if (r->cmdargs) {
+ /* if arguments were given, they should match explicitly */
+ for (i = 0; r->cmdargs[i]; i++) {
+ if (!cmdargs[i])
+ return 0;
+ if (strcmp(r->cmdargs[i], cmdargs[i]))
+ return 0;
+ }
+ if (cmdargs[i])
+ return 0;
+ }
+ }
 return 1;
 }
 
 static int
 permit(uid_t uid, gid_t *groups, int ngroups, struct rule **lastr,
- uid_t target, const char *cmd)
+ uid_t target, const char *cmd, const char **cmdargs)
 {
 int i;
 
 *lastr = NULL;
 for (i = 0; i < nrules; i++) {
- if (match(uid, groups, ngroups, target, cmd, rules[i]))
+ if (match(uid, groups, ngroups, target, cmd, cmdargs, rules[i]))
 *lastr = rules[i];
 }
 if (!*lastr)
@@ -334,7 +347,8 @@ main(int argc, char **argv, char **envp)
 errx(1, "command line too long");
 }
 
- if (!permit(uid, groups, ngroups, &rule, target, cmd)) {
+ if (!permit(uid, groups, ngroups, &rule, target, cmd,
+ (const char**)argv + 1)) {
 syslog(LOG_AUTHPRIV | LOG_NOTICE,
 "failed command for %s: %s", myname, cmdline);
 fail();
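Review bot: The argument loop added to match() indexes `cmdargs[i]` on the assumption that `cmdargs` is non-NULL and NULL-terminated, and neither match() nor permit() states that precondition. The one caller visible in this diff passes `argv + 1`, which satisfies it, but since this is the authorization decision a contract comment above match() is worth having, for example `/* cmdargs: NULL-terminated argument vector without the command itself; must not be NULL */`. The existing comment could also spell out the policy the code implements: comparison is positional and exact via `strcmp`, a rule with `cmd` but no `cmdargs` accepts any arguments, and an empty `cmdargs` list accepts only an invocation with no arguments. As a style point, the new `if (strcmp(r->cmd, cmd))` drops the explicit `!= 0` that the neighbouring `uidcheck(...) != 0` line and the removed code used. match() begins before this hunk, so the uid and group checks that precede these lines are not visible here.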
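Review bot: The `(const char**)argv + 1` argument in the new permit() call depends on `argv[0]` being the command at this point, with doas's own options already consumed and at least one element remaining. That adjustment happens outside this hunk, so a comment at the call would help, such as `/* argv[0] is cmd; rule args are matched against argv[1..] */`. The cast binds before the addition, which is correct but reads ambiguously; `(const char **)(argv + 1)` makes the intent explicit. It is also worth confirming in the rest of main(), which continues past this hunk, that the vector checked here is the same one later handed to exec, so the approved and executed arguments cannot diverge.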