create sudo -e pipeline

Author: squell

src/common/context.rs

@@ -2,7 +2,8 @@ use std::io;
 
 use crate::common::{HARDENED_ENUM_VALUE_0, HARDENED_ENUM_VALUE_1, HARDENED_ENUM_VALUE_2};
 use crate::exec::{RunOptions, Umask};
-use crate::sudo::{SudoListOptions, SudoRunOptions, SudoValidateOptions};
+#[cfg_attr(not(feature = "sudoedit"), allow(unused_imports))]
+use crate::sudo::{SudoEditOptions, SudoListOptions, SudoRunOptions, SudoValidateOptions};
 use crate::sudoers::Sudoers;
 use crate::system::{Group, Hostname, Process, User};
 
@@ -100,6 +101,42 @@ impl Context {
         })
     }
 
+    #[cfg(feature = "sudoedit")]
+    pub fn from_edit_opts(sudo_options: SudoEditOptions) -> Result<Context, Error> {
+        let hostname = Hostname::resolve();
+        let current_user = CurrentUser::resolve()?;
+
+        let (target_user, target_group) =
+            resolve_target_user_and_group(&sudo_options.user, &sudo_options.group, &current_user)?;
+
+        // TODO: the more Rust way of doing things would be to create an alternative for sudoedit instead;
+        // but a stringly typed interface feels the most decent thing to do (if we can pull it off)
+        // since "sudoedit" really is like a builtin command to sudo.
+        let command = CommandAndArguments {
+            command: std::path::PathBuf::from("sudoedit"),
+            arguments: sudo_options.positional_args,
+            ..Default::default()
+        };
+
+        Ok(Context {
+            hostname,
+            command,
+            current_user,
+            target_user,
+            target_group,
+            use_session_records: !sudo_options.reset_timestamp,
+            launch: Default::default(),
+            chdir: sudo_options.chdir,
+            stdin: sudo_options.stdin,
+            bell: sudo_options.bell,
+            prompt: sudo_options.prompt,
+            non_interactive: sudo_options.non_interactive,
+            process: Process::new(),
+            use_pty: true,
+            noexec: false,
+            umask: Umask::Preserve,
+        })
+    }
     pub fn from_validate_opts(sudo_options: SudoValidateOptions) -> Result<Context, Error> {
         let hostname = Hostname::resolve();
         let current_user = CurrentUser::resolve()?;

src/sudo/mod.rs

@@ -15,7 +15,7 @@ use cli::SudoAction;
 use std::path::PathBuf;
 
 mod cli;
-pub(crate) use cli::{SudoListOptions, SudoRunOptions, SudoValidateOptions};
+pub(crate) use cli::{SudoEditOptions, SudoListOptions, SudoRunOptions, SudoValidateOptions};
 
 pub(crate) mod diagnostic;
 mod env;

src/sudo/pipeline/edit.rs

@@ -1,18 +1,14 @@
 use std::process::exit;
 
-use super::super::cli::SudoRunOptions;
+use super::super::cli::SudoEditOptions;
 use crate::common::{Context, Error};
 use crate::exec::ExitReason;
-use crate::sudo::env::environment;
-use crate::sudo::pam::pre_exec;
 use crate::sudoers::Authorization;
 
-pub fn run_edit(mut cmd_opts: SudoRunOptions) -> Result<(), Error> {
-    let mut policy = super::read_sudoers()?;
+pub fn run_edit(edit_opts: SudoEditOptions) -> Result<(), Error> {
+    let policy = super::read_sudoers()?;
 
-    let user_requested_env_vars = std::mem::take(&mut cmd_opts.env_var_list);
-
-    let mut context = Context::from_run_opts(cmd_opts, &mut policy)?;
+    let mut context = Context::from_edit_opts(edit_opts)?;
 
     let policy = super::judge(policy, &context)?;
 
@@ -23,48 +19,18 @@ pub fn run_edit(mut cmd_opts: SudoRunOptions) -> Result<(), Error> {
     super::apply_policy_to_context(&mut context, &controls)?;
     let mut pam_context = super::auth_and_update_record_file(&context, auth)?;
 
-    // build environment
-    let additional_env = pre_exec(&mut pam_context, &context.target_user.name)?;
-
-    let current_env = environment::system_environment();
-    let (checked_vars, trusted_vars) = if controls.trust_environment {
-        (vec![], user_requested_env_vars)
-    } else {
-        (user_requested_env_vars, vec![])
-    };
-
-    let mut target_env = environment::get_target_environment(
-        current_env,
-        additional_env,
-        checked_vars,
-        &context,
-        &controls,
-    )?;
-
-    environment::dangerous_extend(&mut target_env, trusted_vars);
-
     let pid = context.process.pid;
 
-    // prepare switch of apparmor profile
-    #[cfg(feature = "apparmor")]
-    if let Some(profile) = controls.apparmor_profile {
-        crate::apparmor::set_profile_for_next_exec(&profile)
-            .map_err(|err| Error::AppArmor(profile, err))?;
-    }
-
     // run command and return corresponding exit code
-    let command_exit_reason = if context.command.resolved {
+    let command_exit_reason = {
         super::log_command_execution(&context);
 
-        crate::exec::run_command(
-            context
-                .try_as_run_options()
-                .map_err(|io_error| Error::Io(Some(context.command.command.clone()), io_error))?,
-            target_env,
-        )
-        .map_err(|io_error| Error::Io(Some(context.command.command), io_error))
-    } else {
-        Err(Error::CommandNotFound(context.command.command))
+        eprintln_ignore_io_error!(
+            "this would launch sudoedit as requested, to edit the files: {:?}",
+            context.command.arguments.as_slice()
+        );
+
+        Ok::<_, std::io::Error>(ExitReason::Code(42))
     };
 
     pam_context.close_session();