mir/sudo
2
0
Fork 0
mirror of https://github.com/sudo-project/sudo.git synced 2025-08-29 13:28:10 +00:00
Code Issues Releases Wiki Activity

Add always_query_group_plugin

Browse Source
This commit is contained in:
Todd C. Miller 2015-10-24 05:43:07 -06:00
parent 4f1912148f
commit 7761af6d7e
9 changed files with 64 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
NEWS
View File

@ -74,8 +74,14 @@ What's new in Sudo 1.8.15
* Fixed challenge/response style BSD authentication. * Fixed challenge/response style BSD authentication.
* Added a sudoers option to prevent sudoedit from editing files * Added the sudoedit_checkdir Defaults option to prevent sudoedit
located in a directory that is writable by the invoking user. from editing files located in a directory that is writable by
the invoking user.
* Added the always_query_group_plugin Defaults option to control
whether groups not found in the system group database are passed
to the group plugin. Previously, unknown system groups were
always passed to the group plugin.
What's new in Sudo 1.8.14p3 What's new in Sudo 1.8.14p3

7
doc/UPGRADE
View File

@ -14,6 +14,13 @@ o Upgrading from a version prior to 1.8.15:
enabling the sudoedit_follow option in sudoers or on a per-command enabling the sudoedit_follow option in sudoers or on a per-command
basis with the FOLLOW and NOFOLLOW tags. basis with the FOLLOW and NOFOLLOW tags.
Prior to version 1.8.15, groups listed in sudoers that were not
found in the system group database were passed to the group
plugin, if any. Starting with 1.8.15, only groups of the form
%:group are resolved via the group plugin by default. The old
behavior can be restored by using the always_query_group_plugin
sudoers option.
Locking of the time stamp file has changed in sudo 1.8.15. Locking of the time stamp file has changed in sudo 1.8.15.
Previously, the user's entire time stamp file was locked while Previously, the user's entire time stamp file was locked while
retrieving and updating a time stamp record. Now, only a single retrieving and updating a time stamp record. Now, only a single

9
doc/sudoers.cat
View File

@ -851,6 +851,13 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
BBoooolleeaann FFllaaggss: BBoooolleeaann FFllaaggss:
always_query_group_plugin
If a _g_r_o_u_p___p_l_u_g_i_n is configured, use it to resolve
groups of the form %group as long as there is not also
a system group of the same name. Normally, only groups
of the form %:group are passed to the _g_r_o_u_p___p_l_u_g_i_n.
This flag is _o_f_f by default.
always_set_home If enabled, ssuuddoo will set the HOME environment variable always_set_home If enabled, ssuuddoo will set the HOME environment variable
to the home directory of the target user (which is root to the home directory of the target user (which is root
unless the --uu option is used). This effectively means unless the --uu option is used). This effectively means
@ -2472,4 +2479,4 @@ DDIISSCCLLAAIIMMEERR
file distributed with ssuuddoo or http://www.sudo.ws/license.html for file distributed with ssuuddoo or http://www.sudo.ws/license.html for
complete details. complete details.
Sudo 1.8.15 October 23, 2015 Sudo 1.8.15 Sudo 1.8.15 October 24, 2015 Sudo 1.8.15

13
doc/sudoers.man.in
View File

@ -21,7 +21,7 @@
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\" .\"
.TH "SUDOERS" "5" "October 23, 2015" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .TH "SUDOERS" "5" "October 24, 2015" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh .nh
.if n .ad l .if n .ad l
.SH "NAME" .SH "NAME"
@ -1843,6 +1843,17 @@ A list of all supported Defaults parameters, grouped by type, are listed below.
.PP .PP
\fBBoolean Flags\fR: \fBBoolean Flags\fR:
.TP 18n .TP 18n
always_query_group_plugin
If a
\fIgroup_plugin\fR
is configured, use it to resolve groups of the form %group as long
as there is not also a system group of the same name.
Normally, only groups of the form %:group are passed to the
\fIgroup_plugin\fR.
This flag is
\fIoff\fR
by default.
.TP 18n
always_set_home always_set_home
If enabled, If enabled,
\fBsudo\fR \fBsudo\fR

12
doc/sudoers.mdoc.in
View File

@ -19,7 +19,7 @@
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\" .\"
.Dd October 23, 2015 .Dd October 24, 2015
.Dt SUDOERS @mansectform@ .Dt SUDOERS @mansectform@
.Os Sudo @PACKAGE_VERSION@ .Os Sudo @PACKAGE_VERSION@
.Sh NAME .Sh NAME
@ -1718,6 +1718,16 @@ A list of all supported Defaults parameters, grouped by type, are listed below.
.Pp .Pp
.Sy Boolean Flags : .Sy Boolean Flags :
.Bl -tag -width 16n .Bl -tag -width 16n
.It always_query_group_plugin
If a
.Em group_plugin
is configured, use it to resolve groups of the form %group as long
as there is not also a system group of the same name.
Normally, only groups of the form %:group are passed to the
.Em group_plugin .
This flag is
.Em off
by default.
.It always_set_home .It always_set_home
If enabled, If enabled,
.Nm sudo .Nm sudo

4
plugins/sudoers/def_data.c
View File

@ -394,6 +394,10 @@ struct sudo_defs_types sudo_defs_table[] = {
"sudoedit_follow", T_FLAG, "sudoedit_follow", T_FLAG,
N_("Follow symbolic links when editing files with sudoedit"), N_("Follow symbolic links when editing files with sudoedit"),
NULL, NULL,
}, {
"always_query_group_plugin", T_FLAG,
N_("Query the group plugin for unknown system groups"),
NULL,
}, { }, {
NULL, 0, NULL NULL, 0, NULL
} }

2
plugins/sudoers/def_data.h
View File

@ -184,6 +184,8 @@
#define I_SUDOEDIT_CHECKDIR 91 #define I_SUDOEDIT_CHECKDIR 91
#define def_sudoedit_follow (sudo_defs_table[92].sd_un.flag) #define def_sudoedit_follow (sudo_defs_table[92].sd_un.flag)
#define I_SUDOEDIT_FOLLOW 92 #define I_SUDOEDIT_FOLLOW 92
#define def_always_query_group_plugin (sudo_defs_table[93].sd_un.flag)
#define I_ALWAYS_QUERY_GROUP_PLUGIN93
enum def_tuple { enum def_tuple {
never, never,

3
plugins/sudoers/def_data.in
View File

@ -292,3 +292,6 @@ sudoedit_checkdir
sudoedit_follow sudoedit_follow
T_FLAG T_FLAG
"Follow symbolic links when editing files with sudoedit" "Follow symbolic links when editing files with sudoedit"
always_query_group_plugin
T_FLAG
"Query the group plugin for unknown system groups"

15
plugins/sudoers/match.c
View File

@ -852,20 +852,21 @@ usergr_matches(const char *group, const char *user, const struct passwd *pw)
struct passwd *pw0 = NULL; struct passwd *pw0 = NULL;
debug_decl(usergr_matches, SUDOERS_DEBUG_MATCH) debug_decl(usergr_matches, SUDOERS_DEBUG_MATCH)
/* make sure we have a valid usergroup, sudo style */ /* Make sure we have a valid usergroup, sudo style */
if (*group++ != '%') { if (*group++ != '%') {
sudo_debug_printf(SUDO_DEBUG_DIAG, "user group %s has no leading '%%'", sudo_debug_printf(SUDO_DEBUG_DIAG, "user group %s has no leading '%%'",
group); group);
goto done; goto done;
} }
/* Query group plugin for %:name groups. */
if (*group == ':' && def_group_plugin) { if (*group == ':' && def_group_plugin) {
if (group_plugin_query(user, group + 1, pw) == true) if (group_plugin_query(user, group + 1, pw) == true)
matched = true; matched = true;
goto done; goto done;
} }
/* look up user's primary gid in the passwd file */ /* Look up user's primary gid in the passwd file. */
if (pw == NULL) { if (pw == NULL) {
if ((pw0 = sudo_getpwnam(user)) == NULL) { if ((pw0 = sudo_getpwnam(user)) == NULL) {
sudo_debug_printf(SUDO_DEBUG_DIAG, "unable to find %s in passwd db", sudo_debug_printf(SUDO_DEBUG_DIAG, "unable to find %s in passwd db",
@ -880,10 +881,12 @@ usergr_matches(const char *group, const char *user, const struct passwd *pw)
goto done; goto done;
} }
/* not a Unix group, could be an external group */ /* Query the group plugin for Unix groups too? */
if (def_group_plugin && group_plugin_query(user, group, pw) == true) { if (def_group_plugin && def_always_query_group_plugin) {
matched = true; if (group_plugin_query(user, group, pw) == true) {
goto done; matched = true;
goto done;
}
} }
done: done: