Todd C. Miller [Sat, 5 Jan 2008 12:59:05 +0000 (12:59 +0000)]
Parse uri ourself if no ldap_initialize() is present
Use ldap_create() instead of deprecated ldap_init()
Use ldap_sasl_bind_s() instead of deprecated ldap_simple_bind_s()

Todd C. Miller [Thu, 3 Jan 2008 21:11:33 +0000 (21:11 +0000)]
Add sudo_ldap_get_first_rdn() to return the first rdn of an entry's dn
using the mechanism appropriate for the LDAP SDK in use.
Use ldap_unbind_ext_s() instead of deprecated ldap_unbind_s().
Emulate ldap_unbind_ext_s() and ldap_search_ext_s() for SDKs without them.

Todd C. Miller [Tue, 1 Jan 2008 21:25:23 +0000 (21:25 +0000)]
When building up a query don't list groups in the aux group vector
that are the same as the passwd file group. On most systems the
first gid in the group vector is the same as the passwd entry gid.

Todd C. Miller [Tue, 1 Jan 2008 18:22:03 +0000 (18:22 +0000)]
Rename read_nss -> sudo_read_nss
Add --with-nsswitch to allow users to specify nsswitch.conf path or disable it.
If --with-nsswitch=no but --with-ldap, order is LDAP, then sudoers.
Fix --with-ldap-conf-file and --with-ldap-secret-file

Todd C. Miller [Mon, 31 Dec 2007 21:36:53 +0000 (21:36 +0000)]
Refactor group vector resetting into a function and also call it
from display_cmnd.
Stop after the first successful match in display_cmnd.
Print a newline between each display_privs method.

Todd C. Miller [Mon, 31 Dec 2007 20:04:46 +0000 (20:04 +0000)]
Refactor line reading into a separate function, sudo_parseln(),
which removes comments, leading/trailing whitespace and newlines.
May want to rethink the use of sudo_parseln() for /etc/ldap.secret

Todd C. Miller [Mon, 31 Dec 2007 19:26:52 +0000 (19:26 +0000)]
Make the inability to read the sudoers file a non-fatal error if
there are other sudoers sources available.
sudoers_file_lookup now returns "not OK" if sudoers was not present

Todd C. Miller [Fri, 21 Dec 2007 21:53:32 +0000 (21:53 +0000)]
Add support for reading an /etc/environment file. Still needs to
be documented and should probably only apply to OSes that have
it (AIX and Linux, maybe others).
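An added example, not sudo's own code, showing the two pieces the sudo_parseln() and /etc/environment commits above describe: a line cleaner that strips the trailing newline, a '#' comment and leading/trailing whitespace, and a small parser that runs it over an /etc/environment-style buffer. The names parseln(), valid_name(), parse_environment() and the sample buffer are hypothetical and constructed here; nothing below is taken from the sudo source.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAXVARS 16
struct envvar { char name[64]; char value[256]; };

/* Hypothetical line cleaner modelled on the description of sudo_parseln():
 * removes the trailing newline, a '#' comment and leading/trailing
 * whitespace, in place. Returns a pointer into the same buffer. */
static char *parseln(char *line) {
    char *cp, *end;
    line[strcspn(line, "\n")] = '\0';          /* drop newline */
    if ((cp = strchr(line, '#')) != NULL)      /* drop comment */
        *cp = '\0';
    while (isspace((unsigned char)*line))      /* skip leading whitespace */
        line++;
    end = line + strlen(line);
    while (end > line && isspace((unsigned char)end[-1]))
        end--;                                 /* trim trailing whitespace */
    *end = '\0';
    return line;
}

/* Only [A-Za-z_][A-Za-z0-9_]* is accepted as a variable name, so a stray
 * or malformed line cannot put an odd name into the environment. */
static int valid_name(const char *s) {
    if (!(isalpha((unsigned char)*s) || *s == '_'))
        return 0;
    for (s++; *s != '\0'; s++)
        if (!(isalnum((unsigned char)*s) || *s == '_'))
            return 0;
    return 1;
}

/* Parse an /etc/environment-style buffer: one NAME=value per line, blank
 * and comment lines ignored, optional double quotes around the value.
 * Malformed lines are skipped, never exported. Returns the count stored. */
static int parse_environment(const char *text, struct envvar *vars, int maxvars) {
    char buf[512];
    int n = 0;
    const char *p = text;

    while (*p != '\0' && n < maxvars) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof(buf))
            len = sizeof(buf) - 1;             /* over-long line is truncated */
        memcpy(buf, p, len);
        buf[len] = '\0';
        p += len + (nl ? 1 : 0);

        char *line = parseln(buf);
        if (*line == '\0')
            continue;                          /* blank or comment-only */
        char *eq = strchr(line, '=');
        if (eq == NULL)
            continue;                          /* no '=': skip the line */
        *eq++ = '\0';
        if (!valid_name(line))
            continue;
        size_t vlen = strlen(eq);
        if (vlen >= 2 && eq[0] == '"' && eq[vlen - 1] == '"') {
            eq[vlen - 1] = '\0';               /* strip matching quotes */
            eq++;
        }
        snprintf(vars[n].name, sizeof vars[n].name, "%s", line);
        snprintf(vars[n].value, sizeof vars[n].value, "%s", eq);
        n++;
    }
    return n;
}

/* Constructed sample input; not a real /etc/environment. */
static const char sample_environment[] =
    "# constructed sample, not a real /etc/environment\n"
    "PATH=/usr/local/bin:/usr/bin:/bin\n"
    "  LANG=\"en_US.UTF-8\"   # trailing comment\n"
    "\n"
    "1BAD=value\n"
    "no_equals_here\n"
    "EDITOR=vi\n";

/* Parse the sample and return the value of NAME, or NULL if not exported. */
static const char *sample_lookup(const char *name) {
    static struct envvar vars[MAXVARS];
    int n = parse_environment(sample_environment, vars, MAXVARS);
    for (int i = 0; i < n; i++)
        if (strcmp(vars[i].name, name) == 0)
            return vars[i].value;
    return NULL;
}

static int sample_count(void) {
    struct envvar vars[MAXVARS];
    return parse_environment(sample_environment, vars, MAXVARS);
}

int main(void) {
    struct envvar vars[MAXVARS];
    int n = parse_environment(sample_environment, vars, MAXVARS);
    for (int i = 0; i < n; i++)
        printf("%s=%s\n", vars[i].name, vars[i].value);
    return 0;
}
```

Of the six sample lines only PATH, LANG and EDITOR survive: the comment, the blank line, the name starting with a digit and the line with no '=' are all dropped. Because parseln() cuts at the first '#', any value containing that character is truncated, which is exactly the concern the sudo_parseln() commit raises about reusing it for /etc/ldap.secret, where the secret itself may contain '#'.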

Todd C. Miller [Wed, 19 Dec 2007 19:28:57 +0000 (19:28 +0000)]
Use ldapssl_init() for ldaps support instead of trying
to do it manually with ldap_init() + ldapssl_install_routines().
Use tls_cert and tls_key for cert7.db and key3.db respectively.
Don't print debugging info for options that are not set.
Add warning if start_tls specified when not supported.

Todd C. Miller [Sun, 2 Dec 2007 17:13:48 +0000 (17:13 +0000)]
Add passprompt_override flag to sudoers that will cause the prompt
to be overridden in all cases. This flag is also set when the
user specifies the -p flag.

Todd C. Miller [Sat, 1 Dec 2007 16:22:25 +0000 (16:22 +0000)]
Add basic support for looking up the string "Password: " in the PAM
localized text db. This allows us to determine whether the PAM
prompt is the default "Password: " one even if it has been localized.
TODO: concatenate non-std PAM prompts and user-specified sudo prompts.

Todd C. Miller [Sun, 25 Nov 2007 13:07:21 +0000 (13:07 +0000)]
Set aux group vector for PERM_RUNAS and restore group vector for
PERM_ROOT if we previously changed it. Stash the runas group vector
so we don't have to call initgroups more than once. Also add no-op
check to check_perms.

Todd C. Miller [Wed, 21 Nov 2007 20:12:00 +0000 (20:12 +0000)]
Add support for runas groups. This allows the user to run a command
with a different effective group. If the -g option is specified
without -u the command will be run as the current user (only the
group will change). The -g and -u options may be used together.
TODO: implement runas group for ldap
improve runas group documentation
add testsudoers support