-/* $OpenBSD: doas.c,v 1.13 2015/07/20 01:00:48 tedu Exp $ */
+/* $OpenBSD: doas.c,v 1.14 2015/07/20 01:04:37 tedu Exp $ */
/*
* Copyright (c) 2015 Ted Unangst <tedu@openbsd.org>
*
static int
match(uid_t uid, gid_t *groups, int ngroups, uid_t target, const char *cmd,
- struct rule *r)
+ const char **cmdargs, struct rule *r)
{
int i;
}
if (r->target && uidcheck(r->target, target) != 0)
return 0;
- if (r->cmd && strcmp(r->cmd, cmd) != 0)
- return 0;
+ if (r->cmd) {
+ if (strcmp(r->cmd, cmd))
+ return 0;
+ if (r->cmdargs) {
+ /* if arguments were given, they should match explicitly */
+ for (i = 0; r->cmdargs[i]; i++) {
+ if (!cmdargs[i])
+ return 0;
+ if (strcmp(r->cmdargs[i], cmdargs[i]))
+ return 0;
+ }
+ if (cmdargs[i])
+ return 0;
+ }
+ }
return 1;
}
static int
permit(uid_t uid, gid_t *groups, int ngroups, struct rule **lastr,
- uid_t target, const char *cmd)
+ uid_t target, const char *cmd, const char **cmdargs)
{
int i;
*lastr = NULL;
for (i = 0; i < nrules; i++) {
- if (match(uid, groups, ngroups, target, cmd, rules[i]))
+ if (match(uid, groups, ngroups, target, cmd, cmdargs, rules[i]))
*lastr = rules[i];
}
if (!*lastr)
errx(1, "command line too long");
}
- if (!permit(uid, groups, ngroups, &rule, target, cmd)) {
+ if (!permit(uid, groups, ngroups, &rule, target, cmd,
+ (const char**)argv + 1)) {
syslog(LOG_AUTHPRIV | LOG_NOTICE,
"failed command for %s: %s", myname, cmdline);
fail();
projects / opendoas.git / blobdiff