Add support for runas groups. This allows the user to run a command

with a different effective group. If the -g option is specified without -u the command will be run as the current user (only the group will change). the -g and -u options may be used together. TODO: implement runas group for ldap improve runas group documentation add testsudoers support
2025-08-31 14:25:15 +00:00 · 2007-11-21 20:12:00 +00:00
parent bfd781ff65
commit f9f4aca556
28 changed files with 1446 additions and 1061 deletions
--- a/parse.h
+++ b/parse.h
@@ -98,7 +98,8 @@ struct privilege {
 */
 struct cmndspec {
    struct cmndspec *prev, *next;
-    struct member_list runaslist;	/* list of runas users */
+    struct member_list runasuserlist;	/* list of runas users */
+    struct member_list runasgrouplist;	/* list of runas groups */
    struct member *cmnd;		/* command to allow/deny */
    struct cmndtag tags;		/* tag specificaion */
 };
@@ -113,6 +114,11 @@ struct member {
    short negated;			/* negated via '!'? */
 };

+struct runascontainer {
+    struct member *runasusers;
+    struct member *runasgroups;
+};
+
 /*
 * Generic structure to hold {User,Host,Runas,Cmnd}_Alias
 * Aliases are stored in a red-black tree, sorted by name and type.
@@ -160,10 +166,11 @@ int hostlist_matches	__P((struct member_list *));
 int hostname_matches	__P((char *, char *, char *));
 int netgr_matches	__P((char *, char *, char *, char *));
 int no_aliases		__P((void));
-int runaslist_matches	__P((struct member_list *));
+int runaslist_matches	__P((struct member_list *, struct member_list *));
 int userlist_matches	__P((struct passwd *, struct member_list *));
 int usergr_matches	__P((char *, char *, struct passwd *));
 int userpw_matches	__P((char *, char *, struct passwd *));
+int group_matches	__P((char *, struct group *));
 struct alias *find_alias __P((char *, int));
 void alias_apply	__P((int (*)(void *, void *), void *));
 void init_aliases	__P((void));