From: Todd C. Miller Date: Sat, 24 Oct 2015 11:43:07 +0000 (-0600) Subject: Add always_query_group_plugin X-Git-Tag: SUDO_1_8_15^2~11 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=7761af6d7edf5f51700230957eee522e6c9d61da;p=sudo Add always_query_group_plugin --- diff --git a/NEWS b/NEWS index ccc052cd1..c47334a29 100644 --- a/NEWS +++ b/NEWS @@ -74,8 +74,14 @@ What's new in Sudo 1.8.15 * Fixed challenge/response style BSD authentication. - * Added a sudoers option to prevent sudoedit from editing files - located in a directory that is writable by the invoking user. + * Added the sudoedit_checkdir Defaults option to prevent sudoedit + from editing files located in a directory that is writable by + the invoking user. + + * Added the always_query_group_plugin Defaults option to control + whether groups not found in the system group database are passed + to the group plugin. Previously, unknown system groups were + always passed to the group plugin. What's new in Sudo 1.8.14p3 diff --git a/doc/UPGRADE b/doc/UPGRADE index 2678d1a99..2f4a0db2f 100644 --- a/doc/UPGRADE +++ b/doc/UPGRADE @@ -14,6 +14,13 @@ o Upgrading from a version prior to 1.8.15: enabling the sudoedit_follow option in sudoers or on a per-command basis with the FOLLOW and NOFOLLOW tags. + Prior to version 1.8.15, groups listed in sudoers that were not + found in the system group database were passed to the group + plugin, if any. Starting with 1.8.15, only groups of the form + %:group are resolved via the group plugin by default. The old + behavior can be restored by using the always_query_group_plugin + sudoers option. + Locking of the time stamp file has changed in sudo 1.8.15. Previously, the user's entire time stamp file was locked while retrieving and updating a time stamp record. Now, only a single diff --git a/doc/sudoers.cat b/doc/sudoers.cat index ce77649c9..fcac8d658 100644 --- a/doc/sudoers.cat +++ b/doc/sudoers.cat 
@@ -851,6 +851,13 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS BBoooolleeaann FFllaaggss: + always_query_group_plugin + If a _g_r_o_u_p___p_l_u_g_i_n is configured, use it to resolve + groups of the form %group as long as there is not also + a system group of the same name. Normally, only groups + of the form %:group are passed to the _g_r_o_u_p___p_l_u_g_i_n. + This flag is _o_f_f by default. + always_set_home If enabled, ssuuddoo will set the HOME environment variable to the home directory of the target user (which is root unless the --uu option is used). This effectively means @@ -2472,4 +2479,4 @@ DDIISSCCLLAAIIMMEERR file distributed with ssuuddoo or http://www.sudo.ws/license.html for complete details. -Sudo 1.8.15 October 23, 2015 Sudo 1.8.15 +Sudo 1.8.15 October 24, 2015 Sudo 1.8.15 diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in index 88908cd81..c2999a9e1 100644 --- a/doc/sudoers.man.in +++ b/doc/sudoers.man.in @@ -21,7 +21,7 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.TH "SUDOERS" "5" "October 23, 2015" "Sudo @PACKAGE_VERSION@" "File Formats Manual" +.TH "SUDOERS" "5" "October 24, 2015" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .nh .if n .ad l .SH "NAME" @@ -1843,6 +1843,17 @@ A list of all supported Defaults parameters, grouped by type, are listed below. .PP \fBBoolean Flags\fR: .TP 18n +always_query_group_plugin +If a +\fIgroup_plugin\fR +is configured, use it to resolve groups of the form %group as long +as there is not also a system group of the same name. +Normally, only groups of the form %:group are passed to the +\fIgroup_plugin\fR. +This flag is +\fIoff\fR +by default. +.TP 18n always_set_home If enabled, \fBsudo\fR diff --git a/doc/sudoers.mdoc.in b/doc/sudoers.mdoc.in index bf88dcc41..2eaa6e428 100644 --- a/doc/sudoers.mdoc.in +++ b/doc/sudoers.mdoc.in 
@@ -19,7 +19,7 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.Dd October 23, 2015 +.Dd October 24, 2015 .Dt SUDOERS @mansectform@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME @@ -1718,6 +1718,16 @@ A list of all supported Defaults parameters, grouped by type, are listed below. .Pp .Sy Boolean Flags : .Bl -tag -width 16n +.It always_query_group_plugin +If a +.Em group_plugin +is configured, use it to resolve groups of the form %group as long +as there is not also a system group of the same name. +Normally, only groups of the form %:group are passed to the +.Em group_plugin . +This flag is +.Em off +by default. .It always_set_home If enabled, .Nm sudo diff --git a/plugins/sudoers/def_data.c b/plugins/sudoers/def_data.c index 6d75d3907..27e53c8e8 100644 --- a/plugins/sudoers/def_data.c +++ b/plugins/sudoers/def_data.c @@ -394,6 +394,10 @@ struct sudo_defs_types sudo_defs_table[] = { "sudoedit_follow", T_FLAG, N_("Follow symbolic links when editing files with sudoedit"), NULL, + }, { + "always_query_group_plugin", T_FLAG, + N_("Query the group plugin for unknown system groups"), + NULL, }, { NULL, 0, NULL } diff --git a/plugins/sudoers/def_data.h b/plugins/sudoers/def_data.h index 6faa8f075..5005812cf 100644 --- a/plugins/sudoers/def_data.h +++ b/plugins/sudoers/def_data.h @@ -184,6 +184,8 @@ #define I_SUDOEDIT_CHECKDIR 91 #define def_sudoedit_follow (sudo_defs_table[92].sd_un.flag) #define I_SUDOEDIT_FOLLOW 92 +#define def_always_query_group_plugin (sudo_defs_table[93].sd_un.flag) +#define I_ALWAYS_QUERY_GROUP_PLUGIN93 enum def_tuple { never, diff --git a/plugins/sudoers/def_data.in b/plugins/sudoers/def_data.in index 72d35df50..3f6b2a7d1 100644 --- a/plugins/sudoers/def_data.in +++ b/plugins/sudoers/def_data.in 
@@ -292,3 +292,6 @@ sudoedit_checkdir sudoedit_follow T_FLAG "Follow symbolic links when editing files with sudoedit" +always_query_group_plugin + T_FLAG + "Query the group plugin for unknown system groups" diff --git a/plugins/sudoers/match.c b/plugins/sudoers/match.c index e41e72192..f0e954ed2 100644 --- a/plugins/sudoers/match.c +++ b/plugins/sudoers/match.c @@ -852,20 +852,21 @@ usergr_matches(const char *group, const char *user, const struct passwd *pw) struct passwd *pw0 = NULL; debug_decl(usergr_matches, SUDOERS_DEBUG_MATCH) - /* make sure we have a valid usergroup, sudo style */ + /* Make sure we have a valid usergroup, sudo style */ if (*group++ != '%') { sudo_debug_printf(SUDO_DEBUG_DIAG, "user group %s has no leading '%%'", group); goto done; } + /* Query group plugin for %:name groups. */ if (*group == ':' && def_group_plugin) { if (group_plugin_query(user, group + 1, pw) == true) matched = true; goto done; } - /* look up user's primary gid in the passwd file */ + /* Look up user's primary gid in the passwd file. */ if (pw == NULL) { if ((pw0 = sudo_getpwnam(user)) == NULL) { sudo_debug_printf(SUDO_DEBUG_DIAG, "unable to find %s in passwd db", @@ -880,10 +881,12 @@ usergr_matches(const char *group, const char *user, const struct passwd *pw) goto done; } - /* not a Unix group, could be an external group */ - if (def_group_plugin && group_plugin_query(user, group, pw) == true) { - matched = true; - goto done; + /* Query the group plugin for Unix groups too? */ + if (def_group_plugin && def_always_query_group_plugin) { + if (group_plugin_query(user, group, pw) == true) { + matched = true; + goto done; + } } done:
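Review bot: The new always_query_group_plugin branch at the end of the last match.c hunk is reached for any %group the user did not match as a Unix member, so a name that does exist in the system group database but does not contain the user is still handed to the plugin, while the NEWS, UPGRADE and sudoers manual text in this same commit describe the option as applying only to groups not found in the system group database, and the two disagree on the authorization surface. Either the documentation should say the plugin is consulted for every %group the user is not a Unix member of, or the branch should first confirm the named group is absent from the group database before calling group_plugin_query (a few new lines plus the lookup's failure path, so not quoted here). This is inferred from the removed comment `not a Unix group, could be an external group` and the hunk shape; the membership check the branch follows lies between the two hunks, and usergr_matches continues past `done:`. The added comment also reads as an open question; `/* No matching Unix group; consult the group plugin only if always_query_group_plugin is set. */` states the intent, and the two nested ifs could be one condition: `if (def_group_plugin && def_always_query_group_plugin && group_plugin_query(user, group, pw) == true) {`.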