not an error to use the -= operator to remove an element that does not
exist in a list.
- Defaults entries are parsed in the following order: generic, host and
- user Defaults first, then runas Defaults and finally command defaults.
- If there are multiple Defaults settings of the same type, the last
- matching setting is used. The following Defaults settings are parsed
- before all others since they may affect subsequent entries: _\bf_\bq_\bd_\bn,
- _\bg_\br_\bo_\bu_\bp_\b__\bp_\bl_\bu_\bg_\bi_\bn, _\br_\bu_\bn_\ba_\bs_\b__\bd_\be_\bf_\ba_\bu_\bl_\bt, _\bs_\bu_\bd_\bo_\be_\br_\bs_\b__\bl_\bo_\bc_\ba_\bl_\be.
+ Defaults entries are parsed in the following order: generic, host, user
+ and runas Defaults first, then command defaults. If there are multiple
+ Defaults settings of the same type, the last matching setting is used.
+ The following Defaults settings are parsed before all others since they
+ may affect subsequent entries: _\bf_\bq_\bd_\bn, _\bg_\br_\bo_\bu_\bp_\b__\bp_\bl_\bu_\bg_\bi_\bn, _\br_\bu_\bn_\ba_\bs_\b__\bd_\be_\bf_\ba_\bu_\bl_\bt,
+ _\bs_\bu_\bd_\bo_\be_\br_\bs_\b__\bl_\bo_\bc_\ba_\bl_\be.
See _\bS_\bU_\bD_\bO_\bE_\bR_\bS _\bO_\bP_\bT_\bI_\bO_\bN_\bS for a list of supported Defaults parameters.
file distributed with s\bsu\bud\bdo\bo or https://www.sudo.ws/license.html for
complete details.
-Sudo 1.8.18 August 9, 2016 Sudo 1.8.18
+Sudo 1.8.18 August 10, 2016 Sudo 1.8.18
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
-.TH "SUDOERS" "5" "August 9, 2016" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDOERS" "5" "August 10, 2016" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh
.if n .ad l
.SH "NAME"
operator to remove an element
that does not exist in a list.
.PP
-Defaults entries are parsed in the following order: generic, host
-and user Defaults first, then runas Defaults and finally command
-defaults.
+Defaults entries are parsed in the following order: generic, host,
+user and runas Defaults first, then command defaults.
If there are multiple Defaults settings of the same type, the last
matching setting is used.
The following Defaults settings are parsed before all others since
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
-.Dd August 9, 2016
+.Dd August 10, 2016
.Dt SUDOERS @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
operator to remove an element
that does not exist in a list.
.Pp
-Defaults entries are parsed in the following order: generic, host
-and user Defaults first, then runas Defaults and finally command
-defaults.
+Defaults entries are parsed in the following order: generic, host,
+user and runas Defaults first, then command defaults.
If there are multiple Defaults settings of the same type, the last
matching setting is used.
The following Defaults settings are parsed before all others since
int group_matched = UNSPEC;
debug_decl(runaslist_matches, SUDOERS_DEBUG_MATCH)
- if (runas_pw != NULL) {
+ /*
+ * Skip checking runas user if it is the same as the invoking user
+ * and a runas group was specified.
+ * This logic assumes that we cache and refcount passwd structs.
+ */
+ if (!(runas_pw == sudo_user.pw && runas_gr != NULL)) {
/* If no runas user or runas group listed in sudoers, use default. */
- if (user_list == NULL && group_list == NULL)
- debug_return_int(userpw_matches(def_runas_default, runas_pw->pw_name, runas_pw));
+ if (user_list == NULL && group_list == NULL) {
+ debug_return_int(userpw_matches(def_runas_default,
+ runas_pw->pw_name, runas_pw));
+ }
if (user_list != NULL) {
TAILQ_FOREACH_REVERSE(m, user_list, member_list, entries) {
}
}
+ /*
+ * Skip checking runas group if none was specified.
+ */
if (runas_gr != NULL) {
if (user_matched == UNSPEC) {
if (runas_pw == NULL || strcmp(runas_pw->pw_name, user_name) == 0)
if (nss->handle == NULL)
debug_return_int(-1);
- if (!update_defaults(SETDEF_GENERIC|SETDEF_HOST|SETDEF_USER, false))
+ if (!update_defaults(SETDEF_GENERIC|SETDEF_HOST|SETDEF_USER|SETDEF_RUNAS,
+ false))
debug_return_int(-1);
debug_return_int(0);
}
goto cleanup;
}
- /* XXX - collect post-sudoers parse settings into a function */
-
- /*
- * Set runas passwd/group entries based on command line or sudoers.
- * Note that if runas_group was specified without runas_user we
- * defer setting runas_pw so the match routines know to ignore it.
- */
- /* XXX - qpm4u does more here as it may have already set runas_pw */
- if (runas_group != NULL) {
- if (!set_runasgr(runas_group, false))
- goto cleanup;
- if (runas_user != NULL) {
- if (!set_runaspw(runas_user, false))
- goto cleanup;
- }
- } else {
- if (!set_runaspw(runas_user ? runas_user : def_runas_default, false))
- goto cleanup;
- }
-
- if (!update_defaults(SETDEF_RUNAS, false)) {
- log_warningx(SLOG_SEND_MAIL|SLOG_NO_STDERR,
- N_("problem with defaults entries"));
- }
-
- /* Set login class if applicable. */
+ /* Set login class if applicable (after sudoers is parsed). */
if (set_loginclass(runas_pw ? runas_pw : sudo_user.pw))
rval = true;
}
}
- /* If only a group was specified, set runas_pw based on invoking user. */
- if (runas_pw == NULL) {
- if (!set_runaspw(user_name, false)) {
- goto done;
- }
- }
-
/*
* Look up the timestamp dir owner if one is specified.
*/
}
/*
- * Get a local copy of the user's struct passwd if we don't already
- * have one.
+ * Get a local copy of the user's passwd struct and group list if we
+ * don't already have them.
*/
if (sudo_user.pw == NULL) {
if ((sudo_user.pw = sudo_getpwnam(user_name)) == NULL) {
unknown_user = true;
}
}
-
- /*
- * Get group list and store initialize permissions.
- */
if (user_group_list == NULL)
user_group_list = sudo_get_grlist(sudo_user.pw);
+
+ /* Store initialize permissions so we can restore them later. */
if (!set_perms(PERM_INITIAL))
debug_return_bool(false);
debug_return_bool(false);
}
+ /*
+ * Set runas passwd/group entries based on command line or sudoers.
+ * Note that if runas_group was specified without runas_user we
+ * run the command as the invoking user.
+ */
+ if (runas_group != NULL) {
+ if (!set_runasgr(runas_group, false))
+ debug_return_bool(false);
+ if (!set_runaspw(runas_user ? runas_user : user_name, false))
+ debug_return_bool(false);
+ } else {
+ if (!set_runaspw(runas_user ? runas_user : def_runas_default, false))
+ debug_return_bool(false);
+ }
+
debug_return_bool(true);
}
/* Allocate space for data structures in the parser. */
init_parser("sudoers", false);
+ /*
+ * Set runas passwd/group entries based on command line or sudoers.
+ * Note that if runas_group was specified without runas_user we
+ * run the command as the invoking user.
+ */
+ if (runas_group != NULL) {
+ set_runasgr(runas_group);
+ set_runaspw(runas_user ? runas_user : user_name);
+ } else
+ set_runaspw(runas_user ? runas_user : def_runas_default);
+
sudoers_setlocale(SUDOERS_LOCALE_SUDOERS, NULL);
if (sudoersparse() != 0 || parse_error) {
parse_error = true;
(void) fputs(" (problem with defaults entries)", stdout);
puts(".");
- /*
- * Set runas passwd/group entries based on command line or sudoers.
- * Note that if runas_group was specified without runas_user we
- * defer setting runas_pw so the match routines know to ignore it.
- */
- if (runas_group != NULL) {
- set_runasgr(runas_group);
- if (runas_user != NULL)
- set_runaspw(runas_user);
- } else
- set_runaspw(runas_user ? runas_user : def_runas_default);
-
if (dflag) {
(void) putchar('\n');
dump_sudoers();