Todd C. Miller [Tue, 27 Mar 2018 22:00:08 +0000 (16:00 -0600)]
In pty_close() we still need to check whether the pty master and
slave fds are open before closing them. When no tty is present but
we are I/O logging pty_close() will be called when there is no
actual pty in use.
Todd C. Miller [Mon, 26 Mar 2018 12:28:23 +0000 (06:28 -0600)]
In pty_close() there is no need to remove events associated with
the pty slave as there are none. We also don't need to check for
the pty fds being -1 since they are not closed elsewhere and
pty_close() is only called if pty_setup() succeeds.
Todd C. Miller [Thu, 22 Mar 2018 17:38:39 +0000 (11:38 -0600)]
Add cvtsudoers command line option to suppress certain parts of the
security policy. Can be used to suppress displaying of Defaults
entries, aliases or privileges.
Todd C. Miller [Wed, 21 Mar 2018 18:24:11 +0000 (12:24 -0600)]
Initial support filtering by user, group and host in cvtsudoers.
Currently forces alias expansion when a filter is applied and the
entire matching user or host list is printed, even the non-matching
entries. This effectively allows you to grep sudoers by user, group
and host.
Todd C. Miller [Wed, 21 Mar 2018 18:11:19 +0000 (12:11 -0600)]
Add free_default() to free a struct defaults pointer so we have a
single place where we free the defaults. A pointer to the previous
Default's binding may be passed in to avoid freeing an already free
binding.
Todd C. Miller [Sun, 4 Mar 2018 14:03:43 +0000 (07:03 -0700)]
Initial support for adding comments that will be emitted when
sudoers is formatted. Currently adds a comment for the source
sudoRole when converting from ldif -> sudoers.
Todd C. Miller [Fri, 2 Mar 2018 16:27:27 +0000 (09:27 -0700)]
Refactor the code that actually converts the role to sudoers format
into role_to_sudoers() now that it is more involved than just calling
sudo_ldap_role_to_priv().
Todd C. Miller [Fri, 2 Mar 2018 13:42:29 +0000 (06:42 -0700)]
When merging two privileges, use the runas lists of the previous
privilege when possible. Otherwise, the generated sudoers line
will include a runas list for commands that is not necessary.
Todd C. Miller [Fri, 2 Mar 2018 03:31:01 +0000 (20:31 -0700)]
Use a case-insensitive comparison when matching user and group names
in sudoers with the passwd or group database. This can be necessary
when users and groups are stored in AD or LDAP.
Todd C. Miller [Wed, 28 Feb 2018 21:02:50 +0000 (14:02 -0700)]
When converting from ldif to sudoers, sudoRole objects with the
same user if possible. If both user and host are the same, merge
into a single privilege. This makes it possible to convert a
sudoers entry like:
Todd C. Miller [Wed, 28 Feb 2018 14:05:36 +0000 (07:05 -0700)]
Restore line to set MODE_PRESERVE_ENV in flags when the -E command
line option is used. The caller doesn't check MODE_PRESERVE_ENV
these days but parse_args uses it to detect usage errors when -E
is used along with a mutually excusive option. Problem found by
Yuriy Vostrikov.
Todd C. Miller [Sun, 25 Feb 2018 13:30:32 +0000 (06:30 -0700)]
When converting from LDAP to sudoers, put negated hosts and commands
at the end of the list. Since LDAP doesn't guarantee attribute order
we need to make sure negated entries always override non-negated ones.
Todd C. Miller [Sat, 24 Feb 2018 16:23:14 +0000 (09:23 -0700)]
Add support for setting default options in a config file. In
addition to expand_aliases, input_format and output_format, both
the initial sudoOrder and the increment when updating sudoOrder for
subsequent sudoRole objects can be specified. Command line options
have also been added for the start order and increment.
Todd C. Miller [Thu, 22 Feb 2018 16:53:12 +0000 (09:53 -0700)]
Initial support for parsing sudoers LDIF files in cvtsudoers.
This makes it possible to convert from LDAP sudoers to a traditional
sudoers file. Semantic differences between file sudoers and LDAP
sudoers mean that LDIF -> sudoers is not completely equivalent.
Todd C. Miller [Tue, 20 Feb 2018 20:22:59 +0000 (13:22 -0700)]
Use setpassent() and setgroupent() on systems that support it to
keep the passwd and group database open. Sudo does a lot of passwd
and group lookups so it can be beneficial to just leave the file
open.
Todd C. Miller [Mon, 19 Feb 2018 18:00:12 +0000 (11:00 -0700)]
In pty_cleanup() we need to call sudo_term_restore() even if no I/O
plugins are present as long as /dev/tty exists. Fixes the use_pty
case with no I/O plugins.