Add always_query_group_plugin

2025-08-22 01:49:11 +00:00 · 2015-10-24 05:43:07 -06:00 · 2015-10-24 05:43:07 -06:00 · 7761af6d7e
commit 7761af6d7e
parent 4f1912148f
9 changed files with 64 additions and 11 deletions
--- a/10
+++ b/10
@ -74,8 +74,14 @@ What's new in Sudo 1.8.15

 * Fixed challenge/response style BSD authentication.

- * Added a sudoers option to prevent sudoedit from editing files
-   located in a directory that is writable by the invoking user.
+ * Added the sudoedit_checkdir Defaults option to prevent sudoedit
+   from editing files located in a directory that is writable by
+   the invoking user.
+
+ * Added the always_query_group_plugin Defaults option to control
+   whether groups not found in the system group database are passed
+   to the group plugin.  Previously, unknown system groups were
+   always passed to the group plugin.

 What's new in Sudo 1.8.14p3

--- a/doc/UPGRADE
+++ b/doc/UPGRADE
@ -14,6 +14,13 @@ o Upgrading from a version prior to 1.8.15:
    enabling the sudoedit_follow option in sudoers or on a per-command
    basis with the FOLLOW and NOFOLLOW tags.

+    Prior to version 1.8.15, groups listed in sudoers that were not
+    found in the system group database were passed to the group
+    plugin, if any.  Starting with 1.8.15, only groups of the form
+    %:group are resolved via the group plugin by default.  The old
+    behavior can be restored by using the always_query_group_plugin
+    sudoers option.
+
    Locking of the time stamp file has changed in sudo 1.8.15.
    Previously, the user's entire time stamp file was locked while
    retrieving and updating a time stamp record.  Now, only a single
--- a/doc/sudoers.cat
+++ b/doc/sudoers.cat
@ -851,6 +851,13 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS

     BBoooolleeaann FFllaaggss:

+     always_query_group_plugin
+                       If a _g_r_o_u_p___p_l_u_g_i_n is configured, use it to resolve
+                       groups of the form %group as long as there is not also
+                       a system group of the same name.  Normally, only groups
+                       of the form %:group are passed to the _g_r_o_u_p___p_l_u_g_i_n.
+                       This flag is _o_f_f by default.
+
     always_set_home   If enabled, ssuuddoo will set the HOME environment variable
                       to the home directory of the target user (which is root
                       unless the --uu option is used).  This effectively means
@ -2472,4 +2479,4 @@ DDIISSCCLLAAIIMMEERR
     file distributed with ssuuddoo or http://www.sudo.ws/license.html for
     complete details.

-Sudo 1.8.15                    October 23, 2015                    Sudo 1.8.15
+Sudo 1.8.15                    October 24, 2015                    Sudo 1.8.15
--- a/doc/sudoers.man.in
+++ b/doc/sudoers.man.in
@ -21,7 +21,7 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\"
-.TH "SUDOERS" "5" "October 23, 2015" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDOERS" "5" "October 24, 2015" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@ -1843,6 +1843,17 @@ A list of all supported Defaults parameters, grouped by type, are listed below.
 .PP
 \fBBoolean Flags\fR:
 .TP 18n
+always_query_group_plugin
+If a
+\fIgroup_plugin\fR
+is configured, use it to resolve groups of the form %group as long
+as there is not also a system group of the same name.
+Normally, only groups of the form %:group are passed to the
+\fIgroup_plugin\fR.
+This flag is
+\fIoff\fR
+by default.
+.TP 18n
 always_set_home
 If enabled,
 \fBsudo\fR
--- a/doc/sudoers.mdoc.in
+++ b/doc/sudoers.mdoc.in
@ -19,7 +19,7 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\"
-.Dd October 23, 2015
+.Dd October 24, 2015
 .Dt SUDOERS @mansectform@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@ -1718,6 +1718,16 @@ A list of all supported Defaults parameters, grouped by type, are listed below.
 .Pp
 .Sy Boolean Flags :
 .Bl -tag -width 16n
+.It always_query_group_plugin
+If a
+.Em group_plugin
+is configured, use it to resolve groups of the form %group as long
+as there is not also a system group of the same name.
+Normally, only groups of the form %:group are passed to the
+.Em group_plugin .
+This flag is
+.Em off
+by default.
 .It always_set_home
 If enabled,
 .Nm sudo
--- a/plugins/sudoers/def_data.c
+++ b/plugins/sudoers/def_data.c
@ -394,6 +394,10 @@ struct sudo_defs_types sudo_defs_table[] = {
 	"sudoedit_follow", T_FLAG,
 	N_("Follow symbolic links when editing files with sudoedit"),
 	NULL,
+    }, {
+	"always_query_group_plugin", T_FLAG,
+	N_("Query the group plugin for unknown system groups"),
+	NULL,
    }, {
 	NULL, 0, NULL
    }
--- a/plugins/sudoers/def_data.h
+++ b/plugins/sudoers/def_data.h
@ -184,6 +184,8 @@
 #define I_SUDOEDIT_CHECKDIR     91
 #define def_sudoedit_follow     (sudo_defs_table[92].sd_un.flag)
 #define I_SUDOEDIT_FOLLOW       92
+#define def_always_query_group_plugin (sudo_defs_table[93].sd_un.flag)
+#define I_ALWAYS_QUERY_GROUP_PLUGIN93

 enum def_tuple {
 	never,
--- a/plugins/sudoers/def_data.in
+++ b/plugins/sudoers/def_data.in
@ -292,3 +292,6 @@ sudoedit_checkdir
 sudoedit_follow
 	T_FLAG
 	"Follow symbolic links when editing files with sudoedit"
+always_query_group_plugin
+	T_FLAG
+	"Query the group plugin for unknown system groups"
--- a/plugins/sudoers/match.c
+++ b/plugins/sudoers/match.c
@ -852,20 +852,21 @@ usergr_matches(const char *group, const char *user, const struct passwd *pw)
    struct passwd *pw0 = NULL;
    debug_decl(usergr_matches, SUDOERS_DEBUG_MATCH)

-    /* make sure we have a valid usergroup, sudo style */
+    /* Make sure we have a valid usergroup, sudo style */
    if (*group++ != '%') {
 	sudo_debug_printf(SUDO_DEBUG_DIAG, "user group %s has no leading '%%'",
 	    group);
 	goto done;
    }

+    /* Query group plugin for %:name groups. */
    if (*group == ':' && def_group_plugin) {
 	if (group_plugin_query(user, group + 1, pw) == true)
 	    matched = true;
 	goto done;
    }

-    /* look up user's primary gid in the passwd file */
+    /* Look up user's primary gid in the passwd file. */
    if (pw == NULL) {
 	if ((pw0 = sudo_getpwnam(user)) == NULL) {
 	    sudo_debug_printf(SUDO_DEBUG_DIAG, "unable to find %s in passwd db",
@ -880,10 +881,12 @@ usergr_matches(const char *group, const char *user, const struct passwd *pw)
 	goto done;
    }

-    /* not a Unix group, could be an external group */
-    if (def_group_plugin && group_plugin_query(user, group, pw) == true) {
-	matched = true;
-	goto done;
+    /* Query the group plugin for Unix groups too? */
+    if (def_group_plugin && def_always_query_group_plugin) {
+	if (group_plugin_query(user, group, pw) == true) {
+	    matched = true;
+	    goto done;
+	}
    }

 done: