From 56ead73886cb59d3a3f2b4d720a40040d91b6696 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Tue, 9 Aug 2016 13:14:31 -0600 Subject: [PATCH] Load sudoers group plugin via an early callback. --- doc/sudoers.cat | 2 +- doc/sudoers.man.in | 1 + doc/sudoers.mdoc.in | 1 + plugins/sudoers/defaults.c | 1 + plugins/sudoers/group_plugin.c | 16 ++++++++++++++++ plugins/sudoers/sudoers.c | 11 +++-------- plugins/sudoers/sudoers.h | 1 + plugins/sudoers/testsudoers.c | 6 +++--- 8 files changed, 27 insertions(+), 12 deletions(-) diff --git a/doc/sudoers.cat b/doc/sudoers.cat index 33d576546..d60ae6898 100644 --- a/doc/sudoers.cat +++ b/doc/sudoers.cat @@ -461,7 +461,7 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT If there are multiple Defaults settings of the same type, the last matching setting is used. The following Defaults settings are parsed before all others since they may affect subsequent entries: _f_q_d_n, - _r_u_n_a_s___d_e_f_a_u_l_t, _s_u_d_o_e_r_s___l_o_c_a_l_e. + _g_r_o_u_p___p_l_u_g_i_n, _r_u_n_a_s___d_e_f_a_u_l_t, _s_u_d_o_e_r_s___l_o_c_a_l_e. See _S_U_D_O_E_R_S _O_P_T_I_O_N_S for a list of supported Defaults parameters. diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in index 052ec9a22..5ac07fc4e 100644 --- a/doc/sudoers.man.in +++ b/doc/sudoers.man.in @@ -962,6 +962,7 @@ matching setting is used. The following Defaults settings are parsed before all others since they may affect subsequent entries: \fIfqdn\fR, +\fIgroup_plugin\fR, \fIrunas_default\fR, \fIsudoers_locale\fR. .PP diff --git a/doc/sudoers.mdoc.in b/doc/sudoers.mdoc.in index 74508d0d7..bf82a7277 100644 --- a/doc/sudoers.mdoc.in +++ b/doc/sudoers.mdoc.in @@ -916,6 +916,7 @@ matching setting is used. The following Defaults settings are parsed before all others since they may affect subsequent entries: .Em fqdn , +.Em group_plugin , .Em runas_default , .Em sudoers_locale . .Pp diff --git a/plugins/sudoers/defaults.c b/plugins/sudoers/defaults.c index 20b93d5ab..ee7776df3 100644 
--- a/plugins/sudoers/defaults.c +++ b/plugins/sudoers/defaults.c @@ -82,6 +82,7 @@ static struct early_default early_defaults[] = { #else { "fqdn" }, #endif + { "group_plugin" }, { "runas_default" }, { "sudoers_locale" }, { NULL } diff --git a/plugins/sudoers/group_plugin.c b/plugins/sudoers/group_plugin.c index a91ac3e86..443d2af58 100644 --- a/plugins/sudoers/group_plugin.c +++ b/plugins/sudoers/group_plugin.c @@ -212,3 +212,19 @@ group_plugin_query(const char *user, const char *group, } #endif /* HAVE_DLOPEN || HAVE_SHL_LOAD */ + +/* + * Group plugin sudoers callback. + */ +bool +cb_group_plugin(const union sudo_defs_val *sd_un) +{ + bool rc = true; + debug_decl(cb_group_plugin, SUDOERS_DEBUG_PLUGIN) + + /* Unload any existing group plugin before loading a new one. */ + group_plugin_unload(); + if (sd_un->str != NULL) + rc = group_plugin_load(sd_un->str); + debug_return_bool(rc); +} diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c index da44135df..6b99046c7 100644 --- a/plugins/sudoers/sudoers.c +++ b/plugins/sudoers/sudoers.c @@ -207,14 +207,6 @@ sudoers_policy_init(void *info, char * const envp[]) /* XXX - collect post-sudoers parse settings into a function */ - /* - * Initialize external group plugin, if any. - */ - if (def_group_plugin) { - if (group_plugin_load(def_group_plugin) != true) - def_group_plugin = NULL; - } - /* * Set runas passwd/group entries based on command line or sudoers. * Note that if runas_group was specified without runas_user we @@ -747,6 +739,9 @@ init_vars(char * const envp[]) /* Set fqdn callback. */ sudo_defs_table[I_FQDN].callback = cb_fqdn; + /* Set group_plugin callback. */ + sudo_defs_table[I_GROUP_PLUGIN].callback = cb_group_plugin; + /* Set runas callback. */ sudo_defs_table[I_RUNAS_DEFAULT].callback = cb_runas_default; diff --git a/plugins/sudoers/sudoers.h b/plugins/sudoers/sudoers.h index 4f988f946..bf2ce13dd 100644 --- a/plugins/sudoers/sudoers.h +++ b/plugins/sudoers/sudoers.h 
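Review bot: In `cb_group_plugin` (the group_plugin.c hunk), `rc = group_plugin_load(sd_un->str);` stores an `int` in a `bool`, so any nonzero failure code is reported to the defaults code as success. The prototype in sudoers.h is `int group_plugin_load(char *plugin_info)`, and the callers removed from sudoers.c and testsudoers.c tested `!= true`, which suggests failure can be a nonzero value such as -1; the body of group_plugin_load is not in this patch, so that needs confirming. I would write `rc = group_plugin_load(sd_un->str) == true;` so that a failed load makes the callback return false. The removed callers also reset `def_group_plugin = NULL` on failure and the callback does not, so check that the defaults code discards the setting when the callback returns false; otherwise later group lookups may behave as if a plugin were configured.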
@@ -370,6 +370,7 @@ int group_plugin_load(char *plugin_info); void group_plugin_unload(void); int group_plugin_query(const char *user, const char *group, const struct passwd *pwd); +bool cb_group_plugin(const union sudo_defs_val *sd_un); extern const char *path_plugin_dir; /* editor.c */ diff --git a/plugins/sudoers/testsudoers.c b/plugins/sudoers/testsudoers.c index ecaa59f9d..ff19d04a0 100644 --- a/plugins/sudoers/testsudoers.c +++ b/plugins/sudoers/testsudoers.c @@ -243,6 +243,9 @@ main(int argc, char *argv[]) if (!init_defaults()) sudo_fatalx(U_("unable to initialize sudoers default values")); + /* Set group_plugin callback. */ + sudo_defs_table[I_GROUP_PLUGIN].callback = cb_group_plugin; + /* Set runas callback. */ sudo_defs_table[I_RUNAS_DEFAULT].callback = cb_runas_default; @@ -274,9 +277,6 @@ main(int argc, char *argv[]) (void) fputs(" (problem with defaults entries)", stdout); puts("."); - if (def_group_plugin && group_plugin_load(def_group_plugin) != true) - def_group_plugin = NULL; - /* * Set runas passwd/group entries based on command line or sudoers. * Note that if runas_group was specified without runas_user we -- 2.40.0