From: Todd C. Miller
Date: Thu, 23 Jan 2014 21:52:54 +0000 (-0700)
Subject: It is now possible to disable network interface probing in sudo.conf
X-Git-Tag: SUDO_1_8_10^2~89
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=1a42e5f63dcfe96d2c9326904e1066e51e5c77f3;p=sudo
It is now possible to disable network interface probing in sudo.conf by changing the value of the probe_interfaces setting.
---
diff --git a/NEWS b/NEWS
index 6c3ea8006..c2efbca25 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,9 @@
+What's new in Sudo 1.8.10?
+
+ * It is now possible to disable network interface probing in
+ sudo.conf by changing the value of the probe_interfaces
+ setting.
+
What's new in Sudo 1.8.9p4?
* Fixed a bug where sudo could consume large amounts of CPU while
diff --git a/common/sudo_conf.c b/common/sudo_conf.c
index 0704a7b1d..d45ac1957 100644
--- a/common/sudo_conf.c
+++ b/common/sudo_conf.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2009-2013 Todd C. Miller
+ * Copyright (c) 2009-2014 Todd C. Miller
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -86,6 +86,7 @@ static void set_variable(const char *entry, const char *conf_file);
static void set_var_disable_coredump(const char *entry, const char *conf_file);
static void set_var_group_source(const char *entry, const char *conf_file);
static void set_var_max_groups(const char *entry, const char *conf_file);
+static void set_var_probe_interfaces(const char *entry, const char *conf_file);
static unsigned int conf_lineno;
@@ -101,17 +102,20 @@ static struct sudo_conf_table sudo_conf_table_vars[] = {
{ "disable_coredump", sizeof("disable_coredump") - 1, set_var_disable_coredump },
{ "group_source", sizeof("group_source") - 1, set_var_group_source },
{ "max_groups", sizeof("max_groups") - 1, set_var_max_groups },
+ { "probe_interfaces", sizeof("probe_interfaces") - 1, set_var_probe_interfaces },
{ NULL }
};
static struct sudo_conf_data {
bool disable_coredump;
+ bool probe_interfaces;
int group_source;
int max_groups;
const char *debug_flags;
struct plugin_info_list plugins;
struct sudo_conf_paths paths[5];
} sudo_conf_data = {
+ true,
true,
GROUP_SOURCE_ADAPTIVE, -1,
@@ -192,6 +196,15 @@ set_var_max_groups(const char *entry, const char *conf_file)
}
}
+static void
+set_var_probe_interfaces(const char *entry, const char *conf_file)
+{
+ int val = atobool(entry);
+ if (val != -1)
+ sudo_conf_data.probe_interfaces = val;
+}
+
/*
* "Debug progname debug_file debug_flags"
*/
@@ -362,6 +375,12 @@ sudo_conf_disable_coredump(void)
return sudo_conf_data.disable_coredump;
}
+bool
+sudo_conf_probe_interfaces(void)
+{
+ return sudo_conf_data.probe_interfaces;
+}
+
/*
* Reads in /etc/sudo.conf and populates sudo_conf_data.
*/
diff --git a/doc/sudo.conf.cat b/doc/sudo.conf.cat
index 525b09f05..dbd820f52 100644
--- a/doc/sudo.conf.cat
+++ b/doc/sudo.conf.cat
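Review bot: The new `probe_interfaces` member is inserted in the middle of `struct sudo_conf_data`, and its default is supplied positionally (`+ true,` ahead of the existing `true, GROUP_SOURCE_ADAPTIVE, -1,`), so the two `true` values can only be told apart by counting fields and any later reordering of the struct silently shifts every following default. If the project's compiler baseline permits designated initializers, `.disable_coredump = true, .probe_interfaces = true, .group_source = GROUP_SOURCE_ADAPTIVE, .max_groups = -1,` ties each default to its field. A comment on the member itself, `bool probe_interfaces; /* sudo.conf "Set probe_interfaces"; default true */`, would also help, since the setter and getter live far from the struct. The initializer continues past the end of the hunk.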
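Review bot: `set_var_probe_interfaces` silently ignores a value that `atobool()` cannot parse (the `-1` result), so a misspelled boolean in sudo.conf leaves probing at its default with no diagnostic, and the `conf_file` parameter (like the file-level `conf_lineno`) goes unused in the body. Consider reporting the bad value together with `conf_file` and `conf_lineno` in the `val == -1` case, in whatever way the neighbouring setters report malformed input if they do so. At minimum a comment above the assignment, `/* atobool() yields -1 for an unrecognized value; keep the default. */`, makes the silent fallback look deliberate rather than accidental.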
@@ -204,6 +204,21 @@ DDEESSCCRRIIPPTTIIOONN
This setting is only available in ssuuddoo version 1.8.7 and higher.
+ probe_interfaces
+ By default, ssuuddoo will probe the system's network interfaces and
+ pass the IP address of each enabled interface to the policy
+ plugin. This makes it possible for the plugin to match rules
+ based on the IP address without having to query DNS. On Linux
+ systems with a large number of virtual interfaces, this may
+ take a non-negligible amount of time. If IP-based matching is
+ not required, network interface probing can be disabled as
+ follows:
+
+ Set probe_interfaces false
+
+ This setting is only available in ssuuddoo version 1.8.10 and
+ higher.
+
DDeebbuugg ffllaaggss
ssuuddoo versions 1.8.4 and higher support a flexible debugging framework
that can help track down what ssuuddoo is doing internally if there is a
@@ -376,4 +391,4 @@ DDIISSCCLLAAIIMMEERR
file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for complete details.
-Sudo 1.8.9 December 4, 2013 Sudo 1.8.9
+Sudo 1.8.9 January 22, 2014 Sudo 1.8.9
diff --git a/doc/sudo.conf.man.in b/doc/sudo.conf.man.in
index 5721df48c..f08d2e751 100644
--- a/doc/sudo.conf.man.in
+++ b/doc/sudo.conf.man.in
@@ -1,7 +1,7 @@
.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
.\" IT IS GENERATED AUTOMATICALLY FROM sudo.conf.mdoc.in
.\"
-.\" Copyright (c) 2010-2013 Todd C. Miller
+.\" Copyright (c) 2010-2014 Todd C. Miller
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
@@ -16,7 +16,7 @@
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.TH "SUDO" "5" "December 4, 2013" "Sudo @PACKAGE_VERSION@" "OpenBSD Programmer's Manual"
+.TH "SUDO" "5" "January 22, 2014" "Sudo @PACKAGE_VERSION@" "OpenBSD Programmer's Manual"
.nh
.if n .ad l
.SH "NAME"
@@ -405,6 +405,29 @@ This setting is only available in
\fBsudo\fR
version 1.8.7 and higher.
.PD
+.TP 10n
+probe_interfaces
+By default,
+\fBsudo\fR
+will probe the system's network interfaces and pass the IP address
+of each enabled interface to the policy plugin. This makes it
+possible for the plugin to match rules based on the IP address
+without having to query DNS. On Linux systems with a large number
+of virtual interfaces, this may take a non-negligible amount of time.
+If IP-based matching is not required, network interface probing
+can be disabled as follows:
+.RS
+.nf
+.sp
+.RS 6n
+Set probe_interfaces false
+.RE
+.fi
+.sp
+This setting is only available in
+\fBsudo\fR
+version 1.8.10 and higher.
+.RE
.SS "Debug flags"
\fBsudo\fR
versions 1.8.4 and higher support a flexible debugging framework
diff --git a/doc/sudo.conf.mdoc.in b/doc/sudo.conf.mdoc.in
index b4eeab6df..d192995f2 100644
--- a/doc/sudo.conf.mdoc.in
+++ b/doc/sudo.conf.mdoc.in
@@ -1,5 +1,5 @@
.\"
-.\" Copyright (c) 2010-2013 Todd C. Miller
+.\" Copyright (c) 2010-2014 Todd C. Miller
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd December 4, 2013
+.Dd January 22, 2014
.Dt SUDO @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
@@ -360,6 +360,23 @@ do not indicate an error when there is a lack of space.
This setting is only available in
.Nm sudo
version 1.8.7 and higher.
+.It probe_interfaces
+By default,
+.Nm sudo
+will probe the system's network interfaces and pass the IP address
+of each enabled interface to the policy plugin. This makes it
+possible for the plugin to match rules based on the IP address
+without having to query DNS. On Linux systems with a large number
+of virtual interfaces, this may take a non-negligible amount of time.
+If IP-based matching is not required, network interface probing
+can be disabled as follows:
+.Bd -literal -offset indent
+Set probe_interfaces false
+.Ed
+.Pp
+This setting is only available in
+.Nm sudo
+version 1.8.10 and higher.
.El
.Ss Debug flags
.Nm sudo
diff --git a/include/sudo_conf.h b/include/sudo_conf.h
index 27a096d06..6350e9c76 100644
--- a/include/sudo_conf.h
+++ b/include/sudo_conf.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2011-2013 Todd C. Miller
+ * Copyright (c) 2011-2014 Todd C. Miller
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -43,6 +43,7 @@ const char *sudo_conf_plugin_dir_path(void);
const char *sudo_conf_debug_flags(void);
struct plugin_info_list *sudo_conf_plugins(void);
bool sudo_conf_disable_coredump(void);
+bool sudo_conf_probe_interfaces(void);
int sudo_conf_group_source(void);
int sudo_conf_max_groups(void);
diff --git a/src/net_ifs.c b/src/net_ifs.c
index 69b20eb01..ced77a932 100644
--- a/src/net_ifs.c
+++ b/src/net_ifs.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1996, 1998-2005, 2007-2013
+ * Copyright (c) 1996, 1998-2005, 2007-2014
* Todd C. Miller
*
* Permission to use, copy, modify, and distribute this software for any
@@ -55,6 +55,11 @@ struct rtentry;
#ifdef HAVE_STRINGS_H
# include
#endif /* HAVE_STRINGS_H */
+#ifdef HAVE_STDBOOL_H
+# include
+#else
+# include "compat/stdbool.h"
+#endif /* HAVE_STDBOOL_H */
#ifdef HAVE_UNISTD_H
# include
#endif /* HAVE_UNISTD_H */
@@ -82,6 +87,7 @@ struct rtentry;
#include "missing.h"
#include "alloc.h"
#include "fatal.h"
+#include "sudo_conf.h"
#include "sudo_debug.h"
#define DEFAULT_TEXT_DOMAIN "sudo"
@@ -115,7 +121,7 @@ get_net_ifs(char **addrinfo)
char *cp;
debug_decl(get_net_ifs, SUDO_DEBUG_NETIF)
- if (getifaddrs(&ifaddrs))
+ if (!sudo_conf_probe_interfaces() || getifaddrs(&ifaddrs) != 0)
debug_return_int(0);
/* Allocate space for the interfaces info string. */
@@ -221,6 +227,9 @@ get_net_ifs(char **addrinfo)
#endif /* _ISC */
debug_decl(get_net_ifs, SUDO_DEBUG_NETIF)
+ if (!sudo_conf_probe_interfaces())
+ debug_return_int(0);
+
sock = socket(AF_INET, SOCK_DGRAM, 0);
if (sock < 0)
fatal(U_("unable to open socket"));
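Review bot: The early return added in the `@@ -115` hunk, and the matching one in the `@@ -221` hunk, returns 0 from `get_net_ifs()` without touching `*addrinfo`, so callers must decide on the return value alone rather than on the pointer, and nothing in either hunk states that contract. A comment above each check, `/* Probing disabled in sudo.conf: report no interfaces and leave *addrinfo unset. */`, would make it explicit for both variants of the function. In the getifaddrs variant the disabled case now shares the same silent zero return as a `getifaddrs()` failure, which is unchanged behaviour for the failure path but worth keeping in mind, since the documentation on this page says the policy plugin uses this list to match rules by IP address, so an empty list makes such rules stop matching (they fail closed rather than open). `get_net_ifs` begins and ends outside both hunks.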