Add ignore_unknown_defaults flag to ignore unknown Defaults entries

in sudoers instead of producing a warning.

diff --git a/doc/sudoers.cat b/doc/sudoers.cat
index 10ebc14227d71e324a79f4cb3b0578bb9272c1f4..9b1583ca7e02f081ba75ff01e5e118d409f7e867 100644 (file)
--- a/doc/sudoers.cat
+++ b/doc/sudoers.cat
@@ -1073,6 +1073,12 @@ S\bSU\bUD\bDO\bOE\bER\bRS\bS O\bOP\bPT\bTI\bIO\bON\bNS\bS
                        meaningful for the cn=defaults section.  This flag is
                        _\bo_\bf_\bf by default.
 
+     ignore_unknown_defaults
+                       If set, s\bsu\bud\bdo\bo will not produce a warning if it
+                       encounters an unknown Defaults entry in the _\bs_\bu_\bd_\bo_\be_\br_\bs
+                       file or an unknown sudoOption in LDAP.  This flag is
+                       _\bo_\bf_\bf by default.
+
      insults           If set, s\bsu\bud\bdo\bo will insult users when they enter an
                        incorrect password.  This flag is _\bo_\bf_\bf by default.
 
@@ -2672,4 +2678,4 @@ D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
      file distributed with s\bsu\bud\bdo\bo or https://www.sudo.ws/license.html for
      complete details.
 
-Sudo 1.8.19                    January 17, 2017                    Sudo 1.8.19
+Sudo 1.8.20                    February 5, 2017                    Sudo 1.8.20

diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in
index 9ab794eef42b5d297382fb013b3a6ba1f402ab7a..903b020cca0da733aad4cccb5ecff65df23d06b9 100644 (file)
--- a/doc/sudoers.man.in
+++ b/doc/sudoers.man.in
@@ -21,7 +21,7 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\"
-.TH "SUDOERS" "5" "January 17, 2017" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDOERS" "5" "February 5, 2017" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -2271,6 +2271,17 @@ This flag is
 \fIoff\fR
 by default.
 .TP 18n
+ignore_unknown_defaults
+If set,
+\fBsudo\fR
+will not produce a warning if it encounters an unknown Defaults entry
+in the
+\fIsudoers\fR
+file or an unknown sudoOption in LDAP.
+This flag is
+\fIoff\fR
+by default.
+.TP 18n
 insults
 If set,
 \fBsudo\fR

diff --git a/doc/sudoers.mdoc.in b/doc/sudoers.mdoc.in
index f343fa15f61fd74e4ecb721b5ccca86caa6d1657..484204c4c50764ae2c9b9a75ddeaa5b8aa560e97 100644 (file)
--- a/doc/sudoers.mdoc.in
+++ b/doc/sudoers.mdoc.in
@@ -19,7 +19,7 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\"
-.Dd January 17, 2017
+.Dd February 5, 2017
 .Dt SUDOERS @mansectform@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -2129,6 +2129,16 @@ section.
 This flag is
 .Em off
 by default.
+.It ignore_unknown_defaults
+If set,
+.Nm sudo
+will not produce a warning if it encounters an unknown Defaults entry
+in the
+.Em sudoers
+file or an unknown sudoOption in LDAP.
+This flag is
+.Em off
+by default.
 .It insults
 If set,
 .Nm sudo

diff --git a/plugins/sudoers/def_data.c b/plugins/sudoers/def_data.c
index 489cb23a978b0d5ec74e9d9bd614dfc46d804a2a..05ee96d335f852909176d2463641768e82bf4f74 100644 (file)
--- a/plugins/sudoers/def_data.c
+++ b/plugins/sudoers/def_data.c
@@ -445,6 +445,10 @@ struct sudo_defs_types sudo_defs_table[] = {
        "fdexec", T_TUPLE|T_BOOL,
        N_("Execute commands by file descriptor instead of by path: %s"),
        def_data_fdexec,
+    }, {
+       "ignore_unknown_defaults", T_FLAG,
+       N_("Ignore unknown Defaults entries in sudoers instead of producing a warning"),
+       NULL,
     }, {
        NULL, 0, NULL
     }

diff --git a/plugins/sudoers/def_data.h b/plugins/sudoers/def_data.h
index 8b798a541aa9903008a1e818ea6feec3c4bf6e7c..2d8e17c19a1bf40e214240f6d76ccc69863a92c7 100644 (file)
--- a/plugins/sudoers/def_data.h
+++ b/plugins/sudoers/def_data.h
@@ -206,6 +206,8 @@
 #define def_iolog_mode          (sudo_defs_table[I_IOLOG_MODE].sd_un.mode)
 #define I_FDEXEC                103
 #define def_fdexec              (sudo_defs_table[I_FDEXEC].sd_un.tuple)
+#define I_IGNORE_UNKNOWN_DEFAULTS 104
+#define def_ignore_unknown_defaults (sudo_defs_table[I_IGNORE_UNKNOWN_DEFAULTS].sd_un.flag)
 
 enum def_tuple {
        never,

diff --git a/plugins/sudoers/def_data.in b/plugins/sudoers/def_data.in
index 000b3a926da7606f2b073ea9e40e1a39ed1f27bc..aecbf9166214f862cfb28a8676d7af495970f846 100644 (file)
--- a/plugins/sudoers/def_data.in
+++ b/plugins/sudoers/def_data.in
@@ -326,3 +326,6 @@ fdexec
        T_TUPLE|T_BOOL
        "Execute commands by file descriptor instead of by path: %s"
        never digest_only always
+ignore_unknown_defaults
+       T_FLAG
+       "Ignore unknown Defaults entries in sudoers instead of producing a warning"

diff --git a/plugins/sudoers/defaults.c b/plugins/sudoers/defaults.c
index 70f81f66926d6c40e511d38cf1b4f6dc550917ca..869b684f2db49ba282eac71f6fdf08ee130e05a0 100644 (file)
--- a/plugins/sudoers/defaults.c
+++ b/plugins/sudoers/defaults.c
@@ -79,6 +79,7 @@ static struct strmap priorities[] = {
 };
 
 static struct early_default early_defaults[] = {
+    { I_IGNORE_UNKNOWN_DEFAULTS },
 #ifdef FQDN
     { I_FQDN, true },
 #else
@@ -206,7 +207,7 @@ find_default(const char *name, const char *file, int lineno, bool quiet)
        if (strcmp(name, sudo_defs_table[i].name) == 0)
            debug_return_int(i);
     }
-    if (!quiet) {
+    if (!quiet && !def_ignore_unknown_defaults) {
        if (lineno > 0) {
            sudo_warnx(U_("%s:%d unknown defaults entry \"%s\""),
                file, lineno, name);