Load sudoers group plugin via an early callback.

diff --git a/doc/sudoers.cat b/doc/sudoers.cat
index 33d5765460fdc72c9628841d04c3c6adefcf2c8d..d60ae6898dd0f4a27a166dc2764c9be11751b974 100644 (file)
--- a/doc/sudoers.cat
+++ b/doc/sudoers.cat
@@ -461,7 +461,7 @@ S\bSU\bUD\bDO\bOE\bER\bRS\bS F\bFI\bIL\bLE\bE F\bFO\bOR\bRM\bMA\bAT\bT
      If there are multiple Defaults settings of the same type, the last
      matching setting is used.  The following Defaults settings are parsed
      before all others since they may affect subsequent entries: _\bf_\bq_\bd_\bn,
-     _\br_\bu_\bn_\ba_\bs_\b__\bd_\be_\bf_\ba_\bu_\bl_\bt, _\bs_\bu_\bd_\bo_\be_\br_\bs_\b__\bl_\bo_\bc_\ba_\bl_\be.
+     _\bg_\br_\bo_\bu_\bp_\b__\bp_\bl_\bu_\bg_\bi_\bn, _\br_\bu_\bn_\ba_\bs_\b__\bd_\be_\bf_\ba_\bu_\bl_\bt, _\bs_\bu_\bd_\bo_\be_\br_\bs_\b__\bl_\bo_\bc_\ba_\bl_\be.
 
      See _\bS_\bU_\bD_\bO_\bE_\bR_\bS _\bO_\bP_\bT_\bI_\bO_\bN_\bS for a list of supported Defaults parameters.
 

diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in
index 052ec9a223ae1b4865f24936829e24afd17e90a2..5ac07fc4ec56261d408da1c181a91de6444fb7b7 100644 (file)
--- a/doc/sudoers.man.in
+++ b/doc/sudoers.man.in
@@ -962,6 +962,7 @@ matching setting is used.
 The following Defaults settings are parsed before all others since
 they may affect subsequent entries:
 \fIfqdn\fR,
+\fIgroup_plugin\fR,
 \fIrunas_default\fR,
 \fIsudoers_locale\fR.
 .PP

diff --git a/doc/sudoers.mdoc.in b/doc/sudoers.mdoc.in
index 74508d0d7bf36c22cadfcc373aa922e65bb2b8a1..bf82a727748791b1370b0b0d16707756618da384 100644 (file)
--- a/doc/sudoers.mdoc.in
+++ b/doc/sudoers.mdoc.in
@@ -916,6 +916,7 @@ matching setting is used.
 The following Defaults settings are parsed before all others since
 they may affect subsequent entries:
 .Em fqdn ,
+.Em group_plugin ,
 .Em runas_default ,
 .Em sudoers_locale .
 .Pp

diff --git a/plugins/sudoers/defaults.c b/plugins/sudoers/defaults.c
index 20b93d5ab63c7f46945f568e75a8e64e273d81b1..ee7776df312460de49d9dcc28da82d3ffacc6654 100644 (file)
--- a/plugins/sudoers/defaults.c
+++ b/plugins/sudoers/defaults.c
@@ -82,6 +82,7 @@ static struct early_default early_defaults[] = {
 #else
     { "fqdn" },
 #endif
+    { "group_plugin" },
     { "runas_default" },
     { "sudoers_locale" },
     { NULL }

diff --git a/plugins/sudoers/group_plugin.c b/plugins/sudoers/group_plugin.c
index a91ac3e86813040049a906f34bd40902e085d51f..443d2af588738769de3ccf53ad5ede742b9e5470 100644 (file)
--- a/plugins/sudoers/group_plugin.c
+++ b/plugins/sudoers/group_plugin.c
@@ -212,3 +212,19 @@ group_plugin_query(const char *user, const char *group,
 }
 
 #endif /* HAVE_DLOPEN || HAVE_SHL_LOAD */
+
+/*
+ * Group plugin sudoers callback.
+ */
+bool
+cb_group_plugin(const union sudo_defs_val *sd_un)
+{
+    bool rc = true;
+    debug_decl(cb_group_plugin, SUDOERS_DEBUG_PLUGIN)
+
+    /* Unload any existing group plugin before loading a new one. */
+    group_plugin_unload();
+    if (sd_un->str != NULL)
+       rc = group_plugin_load(sd_un->str);
+    debug_return_bool(rc);
+}

diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c
index da44135df857b8a104470823a97a26096c2b417c..6b99046c77499bb565da20f10a2dfc615915a4c9 100644 (file)
--- a/plugins/sudoers/sudoers.c
+++ b/plugins/sudoers/sudoers.c
@@ -207,14 +207,6 @@ sudoers_policy_init(void *info, char * const envp[])
 
     /* XXX - collect post-sudoers parse settings into a function */
 
-    /*
-     * Initialize external group plugin, if any.
-     */
-    if (def_group_plugin) {
-       if (group_plugin_load(def_group_plugin) != true)
-           def_group_plugin = NULL;
-    }
-
     /*
      * Set runas passwd/group entries based on command line or sudoers.
      * Note that if runas_group was specified without runas_user we
@@ -747,6 +739,9 @@ init_vars(char * const envp[])
     /* Set fqdn callback. */
     sudo_defs_table[I_FQDN].callback = cb_fqdn;
 
+    /* Set group_plugin callback. */
+    sudo_defs_table[I_GROUP_PLUGIN].callback = cb_group_plugin;
+
     /* Set runas callback. */
     sudo_defs_table[I_RUNAS_DEFAULT].callback = cb_runas_default;
 

diff --git a/plugins/sudoers/sudoers.h b/plugins/sudoers/sudoers.h
index 4f988f9468a3069185db55c9e41ffffbacb0c7ef..bf2ce13dd700dcb18261285a2302c910bd1cecb6 100644 (file)
--- a/plugins/sudoers/sudoers.h
+++ b/plugins/sudoers/sudoers.h
@@ -370,6 +370,7 @@ int group_plugin_load(char *plugin_info);
 void group_plugin_unload(void);
 int group_plugin_query(const char *user, const char *group,
     const struct passwd *pwd);
+bool cb_group_plugin(const union sudo_defs_val *sd_un);
 extern const char *path_plugin_dir;
 
 /* editor.c */

diff --git a/plugins/sudoers/testsudoers.c b/plugins/sudoers/testsudoers.c
index ecaa59f9d48b9d466a28e4c26f586cf413111223..ff19d04a0b396ca27a6961d0db48a395cf6ae78f 100644 (file)
--- a/plugins/sudoers/testsudoers.c
+++ b/plugins/sudoers/testsudoers.c
@@ -243,6 +243,9 @@ main(int argc, char *argv[])
     if (!init_defaults())
        sudo_fatalx(U_("unable to initialize sudoers default values"));
 
+    /* Set group_plugin callback. */
+    sudo_defs_table[I_GROUP_PLUGIN].callback = cb_group_plugin;
+
     /* Set runas callback. */
     sudo_defs_table[I_RUNAS_DEFAULT].callback = cb_runas_default;
 
@@ -274,9 +277,6 @@ main(int argc, char *argv[])
        (void) fputs(" (problem with defaults entries)", stdout);
     puts(".");
 
-    if (def_group_plugin && group_plugin_load(def_group_plugin) != true)
-       def_group_plugin = NULL;
-
     /*
      * Set runas passwd/group entries based on command line or sudoers.
      * Note that if runas_group was specified without runas_user we