From 3742f7a46e26fdc17c1832892966ee8b1378c982 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Mon, 6 Feb 2017 05:41:57 -0700 Subject: [PATCH] Add ignore_unknown_defaults flag to ignore unknown Defaults entries in sudoers instead of producing a warning. --- doc/sudoers.cat | 8 +++++++- doc/sudoers.man.in | 13 ++++++++++++- doc/sudoers.mdoc.in | 12 +++++++++++- plugins/sudoers/def_data.c | 4 ++++ plugins/sudoers/def_data.h | 2 ++ plugins/sudoers/def_data.in | 3 +++ plugins/sudoers/defaults.c | 3 ++- 7 files changed, 41 insertions(+), 4 deletions(-) diff --git a/doc/sudoers.cat b/doc/sudoers.cat index 10ebc1422..9b1583ca7 100644 --- a/doc/sudoers.cat +++ b/doc/sudoers.cat @@ -1073,6 +1073,12 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS meaningful for the cn=defaults section. This flag is _o_f_f by default. + ignore_unknown_defaults + If set, ssuuddoo will not produce a warning if it + encounters an unknown Defaults entry in the _s_u_d_o_e_r_s + file or an unknown sudoOption in LDAP. This flag is + _o_f_f by default. + insults If set, ssuuddoo will insult users when they enter an incorrect password. This flag is _o_f_f by default. @@ -2672,4 +2678,4 @@ DDIISSCCLLAAIIMMEERR file distributed with ssuuddoo or https://www.sudo.ws/license.html for complete details. -Sudo 1.8.19 January 17, 2017 Sudo 1.8.19 +Sudo 1.8.20 February 5, 2017 Sudo 1.8.20 diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in index 9ab794eef..903b020cc 100644 --- a/doc/sudoers.man.in +++ b/doc/sudoers.man.in @@ -21,7 +21,7 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.TH "SUDOERS" "5" "January 17, 2017" "Sudo @PACKAGE_VERSION@" "File Formats Manual" +.TH "SUDOERS" "5" "February 5, 2017" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .nh .if n .ad l .SH "NAME" 
@@ -2271,6 +2271,17 @@ This flag is \fIoff\fR by default. .TP 18n +ignore_unknown_defaults +If set, +\fBsudo\fR +will not produce a warning if it encounters an unknown Defaults entry +in the +\fIsudoers\fR +file or an unknown sudoOption in LDAP. +This flag is +\fIoff\fR +by default. +.TP 18n insults If set, \fBsudo\fR diff --git a/doc/sudoers.mdoc.in b/doc/sudoers.mdoc.in index f343fa15f..484204c4c 100644 --- a/doc/sudoers.mdoc.in +++ b/doc/sudoers.mdoc.in @@ -19,7 +19,7 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.Dd January 17, 2017 +.Dd February 5, 2017 .Dt SUDOERS @mansectform@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME @@ -2129,6 +2129,16 @@ section. This flag is .Em off by default. +.It ignore_unknown_defaults +If set, +.Nm sudo +will not produce a warning if it encounters an unknown Defaults entry +in the +.Em sudoers +file or an unknown sudoOption in LDAP. +This flag is +.Em off +by default. .It insults If set, .Nm sudo diff --git a/plugins/sudoers/def_data.c b/plugins/sudoers/def_data.c index 489cb23a9..05ee96d33 100644 --- a/plugins/sudoers/def_data.c +++ b/plugins/sudoers/def_data.c @@ -445,6 +445,10 @@ struct sudo_defs_types sudo_defs_table[] = { "fdexec", T_TUPLE|T_BOOL, N_("Execute commands by file descriptor instead of by path: %s"), def_data_fdexec, + }, { + "ignore_unknown_defaults", T_FLAG, + N_("Ignore unknown Defaults entries in sudoers instead of producing a warning"), + NULL, }, { NULL, 0, NULL } diff --git a/plugins/sudoers/def_data.h b/plugins/sudoers/def_data.h index 8b798a541..2d8e17c19 100644 --- a/plugins/sudoers/def_data.h +++ b/plugins/sudoers/def_data.h 
@@ -206,6 +206,8 @@ #define def_iolog_mode (sudo_defs_table[I_IOLOG_MODE].sd_un.mode) #define I_FDEXEC 103 #define def_fdexec (sudo_defs_table[I_FDEXEC].sd_un.tuple) +#define I_IGNORE_UNKNOWN_DEFAULTS 104 +#define def_ignore_unknown_defaults (sudo_defs_table[I_IGNORE_UNKNOWN_DEFAULTS].sd_un.flag) enum def_tuple { never, diff --git a/plugins/sudoers/def_data.in b/plugins/sudoers/def_data.in index 000b3a926..aecbf9166 100644 --- a/plugins/sudoers/def_data.in +++ b/plugins/sudoers/def_data.in @@ -326,3 +326,6 @@ fdexec T_TUPLE|T_BOOL "Execute commands by file descriptor instead of by path: %s" never digest_only always +ignore_unknown_defaults + T_FLAG + "Ignore unknown Defaults entries in sudoers instead of producing a warning" diff --git a/plugins/sudoers/defaults.c b/plugins/sudoers/defaults.c index 70f81f669..869b684f2 100644 --- a/plugins/sudoers/defaults.c +++ b/plugins/sudoers/defaults.c @@ -79,6 +79,7 @@ static struct strmap priorities[] = { }; static struct early_default early_defaults[] = { + { I_IGNORE_UNKNOWN_DEFAULTS }, #ifdef FQDN { I_FQDN, true }, #else @@ -206,7 +207,7 @@ find_default(const char *name, const char *file, int lineno, bool quiet) if (strcmp(name, sudo_defs_table[i].name) == 0) debug_return_int(i); } - if (!quiet) { + if (!quiet && !def_ignore_unknown_defaults) { if (lineno > 0) { sudo_warnx(U_("%s:%d unknown defaults entry \"%s\""), file, lineno, name); -- 2.40.0
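Review bot: The new `{ I_IGNORE_UNKNOWN_DEFAULTS },` entry in `early_defaults[]` (plugins/sudoers/defaults.c) has no comment explaining why the flag must be handled early, and the consequence matters to anyone auditing a policy. Assuming early entries are applied before the remaining Defaults are looked up, a single `Defaults ignore_unknown_defaults` line anywhere in sudoers silences the warning for entries that appear before it as well, not only after it. I would add a comment above the entry, such as `/* Applied early so unknown-entry warnings are suppressed regardless of where the flag appears in sudoers. */`. The array initializer continues outside the hunk, so the handling of the other early entries is not visible here.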
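Review bot: With `!def_ignore_unknown_defaults` added to the guard in `find_default()`, an unknown name now leaves no trace at all, so a misspelled hardening entry (say, a typo in `use_pty` or `env_reset`) looks the same as a deliberately ignored one and the setting is never applied. I would keep the user-facing warning suppressed but still record the name on the debug channel, for example `else if (!quiet) sudo_debug_printf(SUDO_DEBUG_WARN, "ignoring unknown defaults entry \"%s\"", name);`, so the skipped entries can be recovered from a debug log. If visudo's syntax check reaches this same function, it would presumably stop reporting typos once the flag is set; it is worth confirming that the check mode still reports them. The start and end of `find_default()` are outside the hunk, so what it returns for an unknown name is not visible here.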