From: Todd C. Miller Date: Mon, 5 Mar 2018 17:42:02 +0000 (-0700) Subject: Add case_insensitive_group and case_insensitive_user sudoers options, X-Git-Tag: SUDO_1_8_23^2~88 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=e26ef96a65f045673a100be8cb36a6b0ccbe205b;p=sudo Add case_insensitive_group and case_insensitive_user sudoers options, which are enabled by default. --- diff --git a/doc/sudoers.cat b/doc/sudoers.cat index 5c65888c0..026d61b43 100644 --- a/doc/sudoers.cat +++ b/doc/sudoers.cat @@ -950,6 +950,18 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS the PASSWD and NOPASSWD tags. This flag is _o_n by default. + case_insensitive_group + If enabled, group names in _s_u_d_o_e_r_s will be matched in a + case insentive manner. This may be necessary when + users are stored in LDAP or AD. This flag is _o_n by + default. + + case_insensitive_user + If enabled, user names in _s_u_d_o_e_r_s will be matched in a + case insentive manner. This may be necessary when + groups are stored in LDAP or AD. This flag is _o_n by + default. + closefrom_override If set, the user may use ssuuddoo's --CC option which overrides the default starting point at which ssuuddoo @@ -2897,4 +2909,4 @@ DDIISSCCLLAAIIMMEERR file distributed with ssuuddoo or https://www.sudo.ws/license.html for complete details. -Sudo 1.8.23 February 26, 2018 Sudo 1.8.23 +Sudo 1.8.23 March 5, 2018 Sudo 1.8.23 diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in index 85d0806af..c131639e7 100644 --- a/doc/sudoers.man.in +++ b/doc/sudoers.man.in @@ -21,7 +21,7 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.TH "SUDOERS" "5" "February 26, 2018" "Sudo @PACKAGE_VERSION@" "File Formats Manual" +.TH "SUDOERS" "5" "March 5, 2018" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .nh .if n .ad l .SH "NAME" 
@@ -2042,6 +2042,24 @@ This flag is \fIon\fR by default. .TP 18n +case_insensitive_group +If enabled, group names in +\fIsudoers\fR +will be matched in a case insentive manner. +This may be necessary when users are stored in LDAP or AD. +This flag is +\fIon\fR +by default. +.TP 18n +case_insensitive_user +If enabled, user names in +\fIsudoers\fR +will be matched in a case insentive manner. +This may be necessary when groups are stored in LDAP or AD. +This flag is +\fIon\fR +by default. +.TP 18n closefrom_override If set, the user may use \fBsudo\fR's diff --git a/doc/sudoers.mdoc.in b/doc/sudoers.mdoc.in index 8a78855b6..9456e0916 100644 --- a/doc/sudoers.mdoc.in +++ b/doc/sudoers.mdoc.in @@ -19,7 +19,7 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.Dd February 26, 2018 +.Dd March 5, 2018 .Dt SUDOERS @mansectform@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME @@ -1911,6 +1911,22 @@ tags. This flag is .Em on by default. +.It case_insensitive_group +If enabled, group names in +.Em sudoers +will be matched in a case insentive manner. +This may be necessary when users are stored in LDAP or AD. +This flag is +.Em on +by default. +.It case_insensitive_user +If enabled, user names in +.Em sudoers +will be matched in a case insentive manner. +This may be necessary when groups are stored in LDAP or AD. +This flag is +.Em on +by default. .It closefrom_override If set, the user may use .Nm sudo Ns 's diff --git a/plugins/sudoers/def_data.c b/plugins/sudoers/def_data.c index 73f18d8b2..07e343320 100644 --- a/plugins/sudoers/def_data.c +++ b/plugins/sudoers/def_data.c 
@@ -485,6 +485,14 @@ struct sudo_defs_types sudo_defs_table[] = { "authfail_message", T_STR, N_("Authentication failure message: %s"), NULL, + }, { + "case_insensitive_user", T_FLAG, + N_("Ignore case when matching user names"), + NULL, + }, { + "case_insensitive_group", T_FLAG, + N_("Ignore case when matching group names"), + NULL, }, { NULL, 0, NULL } diff --git a/plugins/sudoers/def_data.h b/plugins/sudoers/def_data.h index 67dc145da..65f10c355 100644 --- a/plugins/sudoers/def_data.h +++ b/plugins/sudoers/def_data.h @@ -222,6 +222,10 @@ #define def_timestamp_type (sudo_defs_table[I_TIMESTAMP_TYPE].sd_un.tuple) #define I_AUTHFAIL_MESSAGE 111 #define def_authfail_message (sudo_defs_table[I_AUTHFAIL_MESSAGE].sd_un.str) +#define I_CASE_INSENSITIVE_USER 112 +#define def_case_insensitive_user (sudo_defs_table[I_CASE_INSENSITIVE_USER].sd_un.flag) +#define I_CASE_INSENSITIVE_GROUP 113 +#define def_case_insensitive_group (sudo_defs_table[I_CASE_INSENSITIVE_GROUP].sd_un.flag) enum def_tuple { never, diff --git a/plugins/sudoers/def_data.in b/plugins/sudoers/def_data.in index 5bb8d31ee..99d436008 100644 --- a/plugins/sudoers/def_data.in +++ b/plugins/sudoers/def_data.in @@ -351,3 +351,9 @@ timestamp_type authfail_message T_STR "Authentication failure message: %s" +case_insensitive_user + T_FLAG + "Ignore case when matching user names" +case_insensitive_group + T_FLAG + "Ignore case when matching group names" diff --git a/plugins/sudoers/defaults.c b/plugins/sudoers/defaults.c index cbee79d45..69766a81d 100644 --- a/plugins/sudoers/defaults.c +++ b/plugins/sudoers/defaults.c @@ -637,6 +637,8 @@ init_defaults(void) def_set_utmp = true; def_pam_setcred = true; def_syslog_maxlen = MAXSYSLOGLEN; + def_case_insensitive_user = true; + def_case_insensitive_group = true; /* Reset the locale. */ if (!firsttime) { diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c index 8857c0ce3..d0a1c8808 100644 --- a/plugins/sudoers/ldap.c +++ b/plugins/sudoers/ldap.c 
@@ -435,7 +435,7 @@ sudo_ldap_check_runas_user(LDAP *ld, LDAPMessage *entry, int *group_matched) * No runas user entries but have a matching runas group entry. * If trying to run as the invoking user, allow it. */ - if (strcmp(user_name, runas_pw->pw_name) == 0) + if (userpw_matches(user_name, runas_pw->pw_name, runas_pw)) ret = true; break; } @@ -475,7 +475,7 @@ sudo_ldap_check_runas_user(LDAP *ld, LDAPMessage *entry, int *group_matched) case '\0': /* Empty RunAsUser means run as the invoking user. */ if (ISSET(sudo_user.flags, RUNAS_USER_SPECIFIED) && - strcmp(user_name, runas_pw->pw_name) == 0) + userpw_matches(user_name, runas_pw->pw_name, runas_pw)) ret = true; break; case 'A': diff --git a/plugins/sudoers/match.c b/plugins/sudoers/match.c index 318eec8dd..e67809a53 100644 --- a/plugins/sudoers/match.c +++ b/plugins/sudoers/match.c @@ -980,7 +980,10 @@ userpw_matches(const char *sudoers_user, const char *user, const struct passwd * goto done; } } - rc = strcasecmp(sudoers_user, user) == 0; + if (def_case_insensitive_user) + rc = strcasecmp(sudoers_user, user) == 0; + else + rc = strcmp(sudoers_user, user) == 0; done: sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_LINENO, "user %s matches sudoers user %s: %s", @@ -1007,7 +1010,10 @@ group_matches(const char *sudoers_group, const struct group *gr) goto done; } } - rc = strcasecmp(sudoers_group, gr->gr_name) == 0; + if (def_case_insensitive_group) + rc = strcasecmp(sudoers_group, gr->gr_name) == 0; + else + rc = strcmp(sudoers_group, gr->gr_name) == 0; done: sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_LINENO, "group %s matches sudoers group %s: %s", diff --git a/plugins/sudoers/pwutil.c b/plugins/sudoers/pwutil.c index 1983311af..26235812a 100644 --- a/plugins/sudoers/pwutil.c +++ b/plugins/sudoers/pwutil.c 
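Review bot: The "run as the invoking user" test in the `-435` hunk now compares the invoking user's name with `runas_pw->pw_name` case-insensitively (userpw_matches falls back to strcasecmp when case_insensitive_user is set, and the commit enables it by default), so on a system that allows two accounts whose names differ only in case, `sudo -u Bob` by user `bob` would be treated as running as oneself. Both sides are already resolved accounts, so comparing identities rather than names sidesteps the ambiguity, e.g. `if (runas_pw->pw_uid == sudo_user.pw->pw_uid)` (or the equivalent `user_uid` accessor if that is what this file uses elsewhere; I cannot confirm from the hunk). Note also that userpw_matches applies the sudoers `#uid` syntax to its first argument, which here is a login name rather than a sudoers entry; that only matters for a login name beginning with `#`, but it shows the helper is being used outside its intended contract. The identical construct appears in the `-475` hunk, and sudo_ldap_check_runas_user begins and ends outside both hunks.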
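Review bot: The comparison chosen in the `-980` hunk deserves a comment, because strcasecmp folds case according to the current LC_CTYPE rather than ASCII only: in a single-byte non-C locale (if one can be in effect at match time, which I cannot confirm from the hunk) two names that differ in an accented letter could compare equal. I would add above the `if`: `/* strcasecmp() folds case per the current locale; only ASCII folding is intended here. */`. Style-wise, user_in_group in pwutil.c (same commit) picks a comparator once instead of branching on the flag at the call; the same shape fits here, `rc = (def_case_insensitive_user ? strcasecmp : strcmp)(sudoers_user, user) == 0;`, and the identical four-line pattern recurs in the group_matches hunk just below. userpw_matches begins outside the hunk.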
@@ -1034,9 +1034,15 @@ user_in_group(const struct passwd *pw, const char *group) } } } else if ((grlist = sudo_get_grlist(pw)) != NULL) { + int (*compare)(const char *, const char *); + if (def_case_insensitive_group) + compare = strcasecmp; + else + compare = strcmp; + /* Check the supplementary group vector. */ for (i = 0; i < grlist->ngroups; i++) { - if (strcasecmp(group, grlist->groups[i]) == 0) { + if (compare(group, grlist->groups[i]) == 0) { matched = true; goto done; } @@ -1044,7 +1050,7 @@ user_in_group(const struct passwd *pw, const char *group) /* Check against user's primary (passwd file) group. */ if ((grp = sudo_getgrgid(pw->pw_gid)) != NULL) { - if (strcasecmp(group, grp->gr_name) == 0) { + if (compare(group, grp->gr_name) == 0) { matched = true; goto done; } diff --git a/plugins/sudoers/sssd.c b/plugins/sudoers/sssd.c index 1994f9c1c..b380125a4 100644 --- a/plugins/sudoers/sssd.c +++ b/plugins/sudoers/sssd.c @@ -455,7 +455,7 @@ sudo_sss_open(struct sudo_nss *nss) * If runhost is the same as the local host, check for ipa_hostname * in sssd.conf and use it in preference to user_runhost. */ - if (strcmp(user_runhost, user_host) == 0) { + if (strcasecmp(user_runhost, user_host) == 0) { if (get_ipa_hostname(&handle->ipa_shost, &handle->ipa_host) == -1) { free(handle); debug_return_int(ENOMEM); @@ -607,7 +607,7 @@ sudo_sss_check_runas_user(struct sudo_sss_handle *handle, struct sss_sudo_rule * * If trying to run as the invoking user, allow it. */ sudo_debug_printf(SUDO_DEBUG_INFO, "Matching against user_name"); - if (strcmp(user_name, runas_pw->pw_name) == 0) + if (userpw_matches(user_name, runas_pw->pw_name, runas_pw)) ret = true; break; } 
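Review bot: The comparator selection in the `-1034` hunk spends an uninitialised declaration plus an `if`/`else` on a single choice; `int (*compare)(const char *, const char *) = def_case_insensitive_group ? strcasecmp : strcmp;` reads the same and leaves no window where `compare` is unset. Because `compare` is declared inside the `else if` branch that fetches the group list, the primary-group check in the `-1044` hunk only compiles if it appears to sit in that same branch, which the visible braces suggest but the gap between the hunks hides; a one-line comment there, `/* compare was chosen above from def_case_insensitive_group. */`, would make the dependency explicit. user_in_group begins outside the hunk.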
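Review bot: The change from strcmp to strcasecmp on `user_runhost`/`user_host` in the `-455` hunk is unrelated to the user and group options the commit message describes and is not gated by either new flag, so it should be called out in the message or split into its own commit. Case-insensitive host comparison is defensible since DNS names are case-insensitive, but here it decides whether ipa_hostname from sssd.conf is consulted, so the reason belongs at the call site: `/* Host names are compared case-insensitively, as DNS names are. */`. sudo_sss_open begins and ends outside the hunk.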
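Review bot: The "run as the invoking user" shortcut in the `-607` hunk now accepts a case-insensitive name match (userpw_matches uses strcasecmp when case_insensitive_user is on, the new default), which on a system permitting accounts that differ only in case would let a user run as the other account as if it were their own. Comparing the resolved identities instead of the names, `if (runas_pw->pw_uid == sudo_user.pw->pw_uid)` (or this file's usual `user_uid` accessor, if one is in scope), avoids that and does not depend on the flag. The same pattern appears in the `-660` hunk below; sudo_sss_check_runas_user begins and ends outside both hunks.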
@@ -660,7 +660,7 @@ sudo_sss_check_runas_user(struct sudo_sss_handle *handle, struct sss_sudo_rule * case '\0': /* Empty RunAsUser means run as the invoking user. */ if (ISSET(sudo_user.flags, RUNAS_USER_SPECIFIED) && - strcmp(user_name, runas_pw->pw_name) == 0) + userpw_matches(user_name, runas_pw->pw_name, runas_pw)) ret = true; break; case 'A':