From a8153f4d5d9ef00879827963b75634e5b73dd0cd Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Fri, 17 Jan 2003 23:09:45 +0000
Subject: [PATCH] Add support for Defaults>RunasUser
---
 parse.lex | 7 +++++--
 parse.yacc | 5 +++++
 sudoers.pod | 26 +++++++++++++++-----------
 3 files changed, 25 insertions(+), 13 deletions(-)
diff --git a/parse.lex b/parse.lex
index 96481ce18..bfe78ee3e 100644
--- a/parse.lex
+++ b/parse.lex
@@ -99,7 +99,7 @@ extern void yyerror __P((char *));
 OCTET (1?[0-9]{1,2})|(2[0-4][0-9])|(25[0-5])
 DOTTEDQUAD {OCTET}(\.{OCTET}){3}
 HOSTNAME [[:alnum:]_-]+
-WORD ([^#@!=:,\(\) \t\n\\]|\\[^\n])+
+WORD ([^#>@!=:,\(\) \t\n\\]|\\[^\n])+
 ENVAR ([^#!=, \t\n\\]|\\[^\n])([^#=, \t\n\\]|\\[^\n])*
 DEFVAR [a-z_]+
@@ -175,12 +175,15 @@ DEFVAR [a-z_]+
 } /* a command line arg */ }
-^Defaults[:@]? {
+^Defaults[:@>]? {
 BEGIN GOTDEFS;
 switch (yytext[8]) {
 case ':':
 LEXTRACE("DEFAULTS_USER ");
 return(DEFAULTS_USER);
+ case '>': LEXTRACE("DEFAULTS_RUNAS "); return(DEFAULTS_RUNAS);
 case '@':
 LEXTRACE("DEFAULTS_HOST ");
 return(DEFAULTS_HOST);
diff --git a/parse.yacc b/parse.yacc
index 210bf78e4..1d203dc77 100644
--- a/parse.yacc
+++ b/parse.yacc
@@ -229,6 +229,7 @@ yyerror(s)
 %token DEFAULTS /* Defaults entry */
 %token DEFAULTS_HOST /* Host-specific defaults entry */
 %token DEFAULTS_USER /* User-specific defaults entry */
+%token DEFAULTS_RUNAS /* Runas-specific defaults entry */
 %token RUNAS /* ( runas_list ) */
 %token NOPASSWD /* no passwd req for command */
 %token PASSWD /* passwd req for command (default) */
@@ -289,6 +290,10 @@ defaults_type : DEFAULTS {
 defaults_matches = user_matches;
 pop;
 }
+ | DEFAULTS_RUNAS { push; } runaslist { defaults_matches = $3 == TRUE; pop; }
 | DEFAULTS_HOST { push; } hostlist {
 defaults_matches = host_matches;
 pop;
diff --git a/sudoers.pod b/sudoers.pod
index befd58310..b8fdca1bf 100644
--- a/sudoers.pod
+++ b/sudoers.pod
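Review bot: Adding `>` to the excluded set of WORD makes `>` a reserved character in every token that pattern matches, not only on Defaults lines, so an existing sudoers entry that used a bare `>` inside such a word (presumably a user, host or alias name) no longer lexes as it did, and neither the commit message nor the sudoers.pod hunk says so. The `\\[^\n]` alternative that survives in the pattern still lets a literal `>` be written as `\>`, which is the thing to document. The sudoers.pod hunk at `@@ -199,14 +199,15` sits directly under the paragraph listing the characters that need a backslash (its header quotes `',', ':', '=', '\'`), and that list should gain `'>'` in this same commit.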
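Review bot: `defaults_matches = $3 == TRUE;` in the new DEFAULTS_RUNAS alternative takes the match result from runaslist's semantic value, whereas the neighbouring DEFAULTS_USER and DEFAULTS_HOST alternatives read the `user_matches`/`host_matches` globals, and nothing in the hunk explains the asymmetry. A comment such as `/* runaslist returns its match result as its value; there is no runas_matches global here */` (adjusted to whatever is actually true of runaslist, which lies outside the hunk) would spare the next reader the detour. The strict `== TRUE` also deserves a word if runaslist can yield a value other than TRUE/FALSE, since any such value is treated as no match; as this is the predicate deciding whether a `Defaults>user` line takes effect, that intent should be explicit. The defaults_type rule continues outside the hunk.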
@@ -199,14 +199,15 @@ arguments: ',', ':', '=', '\'.
 Certain configuration options may be changed from their default values at runtime via one or more C lines. These
-may affect all users on any host, all users on a specific host,
-or just a specific user. When multiple entries match, they are
-applied in order. Where there are conflicting values, the last
-value on a matching line takes effect.
+may affect all users on any host, all users on a specific host, a specific user, or commands being run as a specific user. When multiple entries match, they are applied in order. Where there are conflicting values, the last value on a matching line takes effect.
 Default_Type ::= 'Defaults' ||
+ 'Defaults' '@' Host ||
 'Defaults' ':' User ||
- 'Defaults' '@' Host
+ 'Defaults' '>' RunasUser
 Default_Entry ::= Default_Type Parameter_List
@@ -918,15 +919,18 @@ these are a bit contrived. First, we define our I:
 Cmnd_Alias SU = /usr/bin/su
 Here we override some of the compiled in default values. We want
-B to log via syslog(3) using the I facility in all cases.
-We don't want to subject the full time staff to the B lecture,
-and user B need not give a password. In addition, on the
-machines in the I C, we keep an additional
-local log file and make sure we log the year in each log line since
-the log entries will be kept around for several years.
+B to log via syslog(3) using the I facility in all cases. We don't want to subject the full time staff to the B lecture, user B need not give a password, and we don't want to set the C or C environment variables when running commands as root. Additionally, on the machines in the I C, we keep an additional local log file and make sure we log the year in each log line since the log entries will be kept around for several years.
 # Override built in defaults
 Defaults syslog=auth
+ Defaults>root !set_logname
 Defaults:FULLTIMERS !lecture
 Defaults:millert !authenticate
 Defaults@SERVERS log_year, logfile=/var/log/sudo.log
-- 
2.40.0