Todd C. Miller [Tue, 9 Aug 2011 18:55:29 +0000 (14:55 -0400)]
Go back to using a callback for runas_default to keep runas_pw in
sync. This is needed to make per-entry runas_default settings work
with LDAP-based sudoers. Instead of declaring it a callback in
def_data.in, sudo and testsudoers poke sudo_defs_table[] which is
a bit naughty, but avoids requiring stub functions in visudo and
the tests.
Todd C. Miller [Tue, 9 Aug 2011 18:54:42 +0000 (14:54 -0400)]
Go back to using a callback for runas_default to keep runas_pw in
sync. This is needed to make per-entry runas_default settings work
with LDAP-based sudoers. Instead of declaring it a callback in
def_data.in, sudo and testsudoers poke sudo_defs_table[] which is
a bit naughty, but avoids requiring stub functions in visudo and
the tests.
Todd C. Miller [Fri, 29 Jul 2011 14:50:52 +0000 (10:50 -0400)]
Go back to escaping the command args for "sudo -i" and "sudo -s"
before calling the plugin. Otherwise, spaces in the command args
are not treated properly. The sudoers plugin will unescape non-spaces
to make matching easier.
Todd C. Miller [Fri, 29 Jul 2011 14:10:40 +0000 (10:10 -0400)]
Go back to escaping the command args for "sudo -i" and "sudo -s"
before calling the plugin. Otherwise, spaces in the command args
are not treated properly. The sudoers plugin will unescape non-spaces
to make matching easier.
Todd C. Miller [Wed, 27 Jul 2011 16:12:27 +0000 (12:12 -0400)]
Don't try to audit failure if the runas user does not exist. We don't
have the user's command at this point so there is nothing to audit.
Add a NULL check in audit_success() and audit_failure() just to be
on the safe side.
Todd C. Miller [Wed, 27 Jul 2011 16:11:33 +0000 (12:11 -0400)]
Don't try to audit failure if the runas user does not exist. We don't
have the user's command at this point so there is nothing to audit.
Add a NULL check in audit_success() and audit_failure() just to be
on the safe side.
Todd C. Miller [Mon, 25 Jul 2011 13:43:44 +0000 (09:43 -0400)]
Remove fallback to per-group lookup when matching groups in sudoers.
The sudo front-end will now use getgrouplist() to get the user's
list of groups if getgroups() fails or returns zero groups so we
always have a list of the user's groups. For systems with
mbr_check_membership() which support more that NGROUPS_MAX groups
(Mac OS X), skip the call to getgroups() and use getgrouplist() so
we get all the groups.
Todd C. Miller [Mon, 25 Jul 2011 13:17:18 +0000 (09:17 -0400)]
Remove fallback to per-group lookup when matching groups in sudoers.
The sudo front-end will now use getgrouplist() to get the user's
list of groups if getgroups() fails or returns zero groups so we
always have a list of the user's groups. For systems with
mbr_check_membership() which support more that NGROUPS_MAX groups
(Mac OS X), skip the call to getgroups() and use getgrouplist() so
we get all the groups.
Todd C. Miller [Thu, 21 Jul 2011 13:56:00 +0000 (09:56 -0400)]
Add a wrapper for setgroups() that trims off extra groups and retries
if setgroups() fails. Also add some missing addrefs for PERM_USER
and PERM_FULL_USER.
Todd C. Miller [Thu, 21 Jul 2011 13:55:48 +0000 (09:55 -0400)]
Instead of keeping separate groups and gids arrays, create struct
group_info and use it to store both, along with a count for each.
Cache group info on a per-user basis using getgrouplist() to get
the groups. We no longer need special to special case the user or
list user for user_in_group() and thus no longer need to reset the
groups list when listing another user.
Todd C. Miller [Wed, 20 Jul 2011 20:54:12 +0000 (16:54 -0400)]
Add a wrapper for setgroups() that trims off extra groups and retries
if setgroups() fails. Also add some missing addrefs for PERM_USER
and PERM_FULL_USER.
Todd C. Miller [Wed, 20 Jul 2011 15:58:45 +0000 (11:58 -0400)]
Instead of keeping separate groups and gids arrays, create struct
group_info and use it to store both, along with a count for each.
Cache group info on a per-user basis using getgrouplist() to get
the groups. We no longer need special to special case the user or
list user for user_in_group() and thus no longer need to reset the
groups list when listing another user.