* Fixed challenge/response style BSD authentication.
- * Added a sudoers option to prevent sudoedit from editing files
- located in a directory that is writable by the invoking user.
+ * Added the sudoedit_checkdir Defaults option to prevent sudoedit
+ from editing files located in a directory that is writable by
+ the invoking user.
+
+ * Added the always_query_group_plugin Defaults option to control
+ whether groups not found in the system group database are passed
+ to the group plugin. Previously, unknown system groups were
+ always passed to the group plugin.
What's new in Sudo 1.8.14p3
enabling the sudoedit_follow option in sudoers or on a per-command
basis with the FOLLOW and NOFOLLOW tags.
+ Prior to version 1.8.15, groups listed in sudoers that were not
+ found in the system group database were passed to the group
+ plugin, if any. Starting with 1.8.15, only groups of the form
+ %:group are resolved via the group plugin by default. The old
+ behavior can be restored by using the always_query_group_plugin
+ sudoers option.
+
Locking of the time stamp file has changed in sudo 1.8.15.
Previously, the user's entire time stamp file was locked while
retrieving and updating a time stamp record. Now, only a single
B\bBo\boo\bol\ble\bea\ban\bn F\bFl\bla\bag\bgs\bs:
+ always_query_group_plugin
+ If a _\bg_\br_\bo_\bu_\bp_\b__\bp_\bl_\bu_\bg_\bi_\bn is configured, use it to resolve
+ groups of the form %group as long as there is not also
+ a system group of the same name. Normally, only groups
+ of the form %:group are passed to the _\bg_\br_\bo_\bu_\bp_\b__\bp_\bl_\bu_\bg_\bi_\bn.
+ This flag is _\bo_\bf_\bf by default.
+
always_set_home If enabled, s\bsu\bud\bdo\bo will set the HOME environment variable
to the home directory of the target user (which is root
unless the -\b-u\bu option is used). This effectively means
file distributed with s\bsu\bud\bdo\bo or http://www.sudo.ws/license.html for
complete details.
-Sudo 1.8.15 October 23, 2015 Sudo 1.8.15
+Sudo 1.8.15 October 24, 2015 Sudo 1.8.15
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
-.TH "SUDOERS" "5" "October 23, 2015" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDOERS" "5" "October 24, 2015" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh
.if n .ad l
.SH "NAME"
.PP
\fBBoolean Flags\fR:
.TP 18n
+always_query_group_plugin
+If a
+\fIgroup_plugin\fR
+is configured, use it to resolve groups of the form %group as long
+as there is not also a system group of the same name.
+Normally, only groups of the form %:group are passed to the
+\fIgroup_plugin\fR.
+This flag is
+\fIoff\fR
+by default.
+.TP 18n
always_set_home
If enabled,
\fBsudo\fR
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
-.Dd October 23, 2015
+.Dd October 24, 2015
.Dt SUDOERS @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
.Pp
.Sy Boolean Flags :
.Bl -tag -width 16n
+.It always_query_group_plugin
+If a
+.Em group_plugin
+is configured, use it to resolve groups of the form %group as long
+as there is not also a system group of the same name.
+Normally, only groups of the form %:group are passed to the
+.Em group_plugin .
+This flag is
+.Em off
+by default.
.It always_set_home
If enabled,
.Nm sudo
"sudoedit_follow", T_FLAG,
N_("Follow symbolic links when editing files with sudoedit"),
NULL,
+ }, {
+ "always_query_group_plugin", T_FLAG,
+ N_("Query the group plugin for unknown system groups"),
+ NULL,
}, {
NULL, 0, NULL
}
#define I_SUDOEDIT_CHECKDIR 91
#define def_sudoedit_follow (sudo_defs_table[92].sd_un.flag)
#define I_SUDOEDIT_FOLLOW 92
+#define def_always_query_group_plugin (sudo_defs_table[93].sd_un.flag)
+#define I_ALWAYS_QUERY_GROUP_PLUGIN93
enum def_tuple {
never,
sudoedit_follow
T_FLAG
"Follow symbolic links when editing files with sudoedit"
+always_query_group_plugin
+ T_FLAG
+ "Query the group plugin for unknown system groups"
struct passwd *pw0 = NULL;
debug_decl(usergr_matches, SUDOERS_DEBUG_MATCH)
- /* make sure we have a valid usergroup, sudo style */
+ /* Make sure we have a valid usergroup, sudo style */
if (*group++ != '%') {
sudo_debug_printf(SUDO_DEBUG_DIAG, "user group %s has no leading '%%'",
group);
goto done;
}
+ /* Query group plugin for %:name groups. */
if (*group == ':' && def_group_plugin) {
if (group_plugin_query(user, group + 1, pw) == true)
matched = true;
goto done;
}
- /* look up user's primary gid in the passwd file */
+ /* Look up user's primary gid in the passwd file. */
if (pw == NULL) {
if ((pw0 = sudo_getpwnam(user)) == NULL) {
sudo_debug_printf(SUDO_DEBUG_DIAG, "unable to find %s in passwd db",
goto done;
}
- /* not a Unix group, could be an external group */
- if (def_group_plugin && group_plugin_query(user, group, pw) == true) {
- matched = true;
- goto done;
+ /* Query the group plugin for Unix groups too? */
+ if (def_group_plugin && def_always_query_group_plugin) {
+ if (group_plugin_query(user, group, pw) == true) {
+ matched = true;
+ goto done;
+ }
}
done:
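Review bot: The new fallback at the end of usergr_matches calls `group_plugin_query(user, group, pw)` without first checking whether a system group named `group` exists, yet the option is documented throughout this commit (the sudoers.cat/.man/.mdoc entries, the NEWS and UPGRADE text, and the def_data description "Query the group plugin for unknown system groups") as applying only when there is no system group of that name. As visible here, the query runs whenever the preceding membership checks fell through, so with always_query_group_plugin enabled a plugin that answers yes can satisfy a sudoers %group entry for a real system group the invoking user is not a member of; any existence gate would have to live in the lines between the two hunks, which I cannot see. If no such gate exists, either resolve the name in the system group database before querying the plugin and skip the query when it resolves, or align the documentation with the code, e.g. `use it to resolve groups of the form %group that the user is not a member of in the system group database` in place of the "as long as there is not also a system group of the same name" qualifier. The enclosing function starts before this hunk; note that the removed comment `/* not a Unix group, could be an external group */` carried the same unverified assumption, so this is a pre-existing mismatch that the new option name now makes more visible.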