which are enabled by default.
the PASSWD and NOPASSWD tags. This flag is _\bo_\bn by
default.
+ case_insensitive_group
+ If enabled, group names in _\bs_\bu_\bd_\bo_\be_\br_\bs will be matched in a
+ case insentive manner. This may be necessary when
+ users are stored in LDAP or AD. This flag is _\bo_\bn by
+ default.
+
+ case_insensitive_user
+ If enabled, user names in _\bs_\bu_\bd_\bo_\be_\br_\bs will be matched in a
+ case insentive manner. This may be necessary when
+ groups are stored in LDAP or AD. This flag is _\bo_\bn by
+ default.
+
closefrom_override
If set, the user may use s\bsu\bud\bdo\bo's -\b-C\bC option which
overrides the default starting point at which s\bsu\bud\bdo\bo
file distributed with s\bsu\bud\bdo\bo or https://www.sudo.ws/license.html for
complete details.
-Sudo 1.8.23 February 26, 2018 Sudo 1.8.23
+Sudo 1.8.23 March 5, 2018 Sudo 1.8.23
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
-.TH "SUDOERS" "5" "February 26, 2018" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDOERS" "5" "March 5, 2018" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh
.if n .ad l
.SH "NAME"
\fIon\fR
by default.
.TP 18n
+case_insensitive_group
+If enabled, group names in
+\fIsudoers\fR
+will be matched in a case insentive manner.
+This may be necessary when users are stored in LDAP or AD.
+This flag is
+\fIon\fR
+by default.
+.TP 18n
+case_insensitive_user
+If enabled, user names in
+\fIsudoers\fR
+will be matched in a case insentive manner.
+This may be necessary when groups are stored in LDAP or AD.
+This flag is
+\fIon\fR
+by default.
+.TP 18n
closefrom_override
If set, the user may use
\fBsudo\fR's
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
-.Dd February 26, 2018
+.Dd March 5, 2018
.Dt SUDOERS @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
This flag is
.Em on
by default.
+.It case_insensitive_group
+If enabled, group names in
+.Em sudoers
+will be matched in a case insentive manner.
+This may be necessary when users are stored in LDAP or AD.
+This flag is
+.Em on
+by default.
+.It case_insensitive_user
+If enabled, user names in
+.Em sudoers
+will be matched in a case insentive manner.
+This may be necessary when groups are stored in LDAP or AD.
+This flag is
+.Em on
+by default.
.It closefrom_override
If set, the user may use
.Nm sudo Ns 's
"authfail_message", T_STR,
N_("Authentication failure message: %s"),
NULL,
+ }, {
+ "case_insensitive_user", T_FLAG,
+ N_("Ignore case when matching user names"),
+ NULL,
+ }, {
+ "case_insensitive_group", T_FLAG,
+ N_("Ignore case when matching group names"),
+ NULL,
}, {
NULL, 0, NULL
}
#define def_timestamp_type (sudo_defs_table[I_TIMESTAMP_TYPE].sd_un.tuple)
#define I_AUTHFAIL_MESSAGE 111
#define def_authfail_message (sudo_defs_table[I_AUTHFAIL_MESSAGE].sd_un.str)
+#define I_CASE_INSENSITIVE_USER 112
+#define def_case_insensitive_user (sudo_defs_table[I_CASE_INSENSITIVE_USER].sd_un.flag)
+#define I_CASE_INSENSITIVE_GROUP 113
+#define def_case_insensitive_group (sudo_defs_table[I_CASE_INSENSITIVE_GROUP].sd_un.flag)
enum def_tuple {
never,
authfail_message
T_STR
"Authentication failure message: %s"
+case_insensitive_user
+ T_FLAG
+ "Ignore case when matching user names"
+case_insensitive_group
+ T_FLAG
+ "Ignore case when matching group names"
def_set_utmp = true;
def_pam_setcred = true;
def_syslog_maxlen = MAXSYSLOGLEN;
+ def_case_insensitive_user = true;
+ def_case_insensitive_group = true;
/* Reset the locale. */
if (!firsttime) {
* No runas user entries but have a matching runas group entry.
* If trying to run as the invoking user, allow it.
*/
- if (strcmp(user_name, runas_pw->pw_name) == 0)
+ if (userpw_matches(user_name, runas_pw->pw_name, runas_pw))
ret = true;
break;
}
case '\0':
/* Empty RunAsUser means run as the invoking user. */
if (ISSET(sudo_user.flags, RUNAS_USER_SPECIFIED) &&
- strcmp(user_name, runas_pw->pw_name) == 0)
+ userpw_matches(user_name, runas_pw->pw_name, runas_pw))
ret = true;
break;
case 'A':
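Review bot: The two replaced comparisons here (and the two identical replacements in the later hunk under `Matching against user_name`) pass `user_name` to userpw_matches() in the slot that the `rc = strcasecmp(sudoers_user, user) == 0` hunk names `sudoers_user`, so the invoking user's name is now handled as the sudoers-side value rather than the plain string strcmp() saw; any handling userpw_matches() applies to that argument before its visible `rc =` line (its body starts outside this page) will now apply to the invoking user. A one-line comment at each call would record why the helper is used: `/* Compare via userpw_matches() so def_case_insensitive_user governs the match. */`. The enclosing switch and its function start and end outside this hunk.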
goto done;
}
}
- rc = strcasecmp(sudoers_user, user) == 0;
+ if (def_case_insensitive_user)
+ rc = strcasecmp(sudoers_user, user) == 0;
+ else
+ rc = strcmp(sudoers_user, user) == 0;
done:
sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_LINENO,
"user %s matches sudoers user %s: %s",
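Review bot: The `if`/`else` around the two `rc =` assignments repeats the comparison with only the function name differing, and the group_matches hunk just below has the same shape; since strcasecmp and strcmp share a type, the choice can be made once and the comparison written once: `rc = (def_case_insensitive_user ? strcasecmp : strcmp)(sudoers_user, user) == 0;` (and `rc = (def_case_insensitive_group ? strcasecmp : strcmp)(sudoers_group, gr->gr_name) == 0;` for the group case). That keeps a later edit to the operands from having to be made in two places. The function body begins outside the hunk.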
goto done;
}
}
- rc = strcasecmp(sudoers_group, gr->gr_name) == 0;
+ if (def_case_insensitive_group)
+ rc = strcasecmp(sudoers_group, gr->gr_name) == 0;
+ else
+ rc = strcmp(sudoers_group, gr->gr_name) == 0;
done:
sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_LINENO,
"group %s matches sudoers group %s: %s",
}
}
} else if ((grlist = sudo_get_grlist(pw)) != NULL) {
+ int (*compare)(const char *, const char *);
+ if (def_case_insensitive_group)
+ compare = strcasecmp;
+ else
+ compare = strcmp;
+
/* Check the supplementary group vector. */
for (i = 0; i < grlist->ngroups; i++) {
- if (strcasecmp(group, grlist->groups[i]) == 0) {
+ if (compare(group, grlist->groups[i]) == 0) {
matched = true;
goto done;
}
/* Check against user's primary (passwd file) group. */
if ((grp = sudo_getgrgid(pw->pw_gid)) != NULL) {
- if (strcasecmp(group, grp->gr_name) == 0) {
+ if (compare(group, grp->gr_name) == 0) {
matched = true;
goto done;
}
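Review bot: The five lines that pick `compare` can be one initialized declaration, so the pointer is never in an unassigned state if the block is reordered later: `int (*compare)(const char *, const char *) = def_case_insensitive_group ? strcasecmp : strcmp;`. A short comment would also help a reader see that both the supplementary-group loop and the primary-group check further down use the same pointer, e.g. `/* Same comparison for supplementary and primary groups. */`. The enclosing function starts and ends outside this hunk.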
* If runhost is the same as the local host, check for ipa_hostname
* in sssd.conf and use it in preference to user_runhost.
*/
- if (strcmp(user_runhost, user_host) == 0) {
+ if (strcasecmp(user_runhost, user_host) == 0) {
if (get_ipa_hostname(&handle->ipa_shost, &handle->ipa_host) == -1) {
free(handle);
debug_return_int(ENOMEM);
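Review bot: The change from strcmp() to strcasecmp() on `user_runhost` and `user_host` is unconditional, unlike the user and group comparisons elsewhere in this change that are gated by the new flags, and nothing at the call site says why; a comment such as `/* Host names are case-insensitive, so compare ignoring case. */` would stop a reader from assuming it is tied to def_case_insensitive_user or def_case_insensitive_group. As a consequence the ipa_hostname lookup on the next line now also runs when the two names differ only in case, which appears to be the intent. The enclosing function starts outside the hunk.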
* If trying to run as the invoking user, allow it.
*/
sudo_debug_printf(SUDO_DEBUG_INFO, "Matching against user_name");
- if (strcmp(user_name, runas_pw->pw_name) == 0)
+ if (userpw_matches(user_name, runas_pw->pw_name, runas_pw))
ret = true;
break;
}
case '\0':
/* Empty RunAsUser means run as the invoking user. */
if (ISSET(sudo_user.flags, RUNAS_USER_SPECIFIED) &&
- strcmp(user_name, runas_pw->pw_name) == 0)
+ userpw_matches(user_name, runas_pw->pw_name, runas_pw))
ret = true;
break;
case 'A':