From fa6c857112bea5c8234048543e8a30c133e22f77 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Thu, 25 Apr 2013 14:49:02 -0400
Subject: [PATCH] Allow ldap_conf and ldap_secret to be specified as plugin arguments in sudo.conf
---
 NEWS | 3 +++
 doc/sudoers.cat | 16 ++++++++++++----
 doc/sudoers.ldap.cat | 9 ++++++---
 doc/sudoers.ldap.man.in | 18 +++++++++++++++---
 doc/sudoers.ldap.mdoc.in | 18 +++++++++++++++---
 doc/sudoers.man.in | 23 ++++++++++++++++++-----
 doc/sudoers.mdoc.in | 21 ++++++++++++++++-----
 plugins/sudoers/ldap.c | 8 ++++----
 plugins/sudoers/policy.c | 14 ++++++++++++--
 plugins/sudoers/sudoers.h | 2 ++
 10 files changed, 103 insertions(+), 29 deletions(-)
diff --git a/NEWS b/NEWS
index 3858d7825..d2de016b2 100644
--- a/NEWS
+++ b/NEWS
@@ -94,6 +94,9 @@ What's new in Sudo 1.8.7?
 or the description of sudoCommand in the sudoers.ldap manual for details.
+ * The paths to ldap.conf and ldap.secret may now be specified as
+ arguments to the sudoers plugin in the sudo.conf file.
+
 What's new in Sudo 1.8.6p8?
 * Terminal detection now works properly on 64-bit AIX kernels.
diff --git a/doc/sudoers.cat b/doc/sudoers.cat
index 66274e988..2dd5eedf1 100644
--- a/doc/sudoers.cat
+++ b/doc/sudoers.cat
@@ -30,22 +30,30 @@ DDEESSCCRRIIPPTTIIOONN
 The following plugin arguments are supported:
+ ldap_conf=pathname
+ The _l_d_a_p___c_o_n_f argument can be used to override the default path
+ to the _l_d_a_p_._c_o_n_f file.
+
+ ldap_secret=pathname
+ The _l_d_a_p___s_e_c_r_e_t argument can be used to override the default
+ path to the _l_d_a_p_._s_e_c_r_e_t file.
+
 sudoers_file=pathname
- The _s_u_d_o_e_r_s___f_i_l_e arguments can be used to override the default
+ The _s_u_d_o_e_r_s___f_i_l_e argument can be used to override the default
 path to the _s_u_d_o_e_r_s file.
 sudoers_uid=uid
- The _s_u_d_o_e_r_s___u_i_d arguments can be used to override the default
+ The _s_u_d_o_e_r_s___u_i_d argument can be used to override the default
 owner of the sudoers file. It should be specified as a numeric user ID.
 sudoers_gid=gid
- The _s_u_d_o_e_r_s___g_i_d arguments can be used to override the default
+ The _s_u_d_o_e_r_s___g_i_d argument can be used to override the default
 group of the sudoers file. It must be specified as a numeric group ID (not a group name).
 sudoers_mode=mode
- The _s_u_d_o_e_r_s___m_o_d_e arguments can be used to override the default
+ The _s_u_d_o_e_r_s___m_o_d_e argument can be used to override the default
 file mode for the sudoers file. It should be specified as an octal value.
diff --git a/doc/sudoers.ldap.cat b/doc/sudoers.ldap.cat
index 1d9134a72..9f3f38caf 100644
--- a/doc/sudoers.ldap.cat
+++ b/doc/sudoers.ldap.cat
@@ -274,7 +274,8 @@ DDEESSCCRRIIPPTTIIOONN
 Typically, this file is shared between different LDAP-aware clients. As such, most of the settings are not ssuuddoo-specific. Note that ssuuddoo parses _/_e_t_c_/_l_d_a_p_._c_o_n_f itself and may support options that differ from those
- described in the system's ldap.conf(1m) manual.
+ described in the system's ldap.conf(1m) manual. The path to _l_d_a_p_._c_o_n_f may
+ be overridden via the _l_d_a_p___c_o_n_f plugin argument in sudo.conf(4).
 Also note that on systems using the OpenLDAP libraries, default values specified in _/_e_t_c_/_o_p_e_n_l_d_a_p_/_l_d_a_p_._c_o_n_f or the user's _._l_d_a_p_r_c files are not
@@ -379,8 +380,10 @@ DDEESSCCRRIIPPTTIIOONN
 The RROOOOTTBBIINNDDDDNN parameter specifies the identity, in the form of a Distinguished Name (DN), to use when performing privileged LDAP operations, such as _s_u_d_o_e_r_s queries. The password corresponding to
- the identity should be stored in _/_e_t_c_/_l_d_a_p_._s_e_c_r_e_t. If not
- specified, the BBIINNDDDDNN identity is used (if any).
+ the identity should be stored in the or the path specified by the
+ _l_d_a_p___s_e_c_r_e_t plugin argument in sudo.conf(4), which defaults to
+ _/_e_t_c_/_l_d_a_p_._s_e_c_r_e_t. If no RROOOOTTBBIINNDDDDNN is specified, the BBIINNDDDDNN
+ identity is used (if any).
 LLDDAAPP__VVEERRSSIIOONN _n_u_m_b_e_r
 The version of the LDAP protocol to use when connecting to the
diff --git a/doc/sudoers.ldap.man.in b/doc/sudoers.ldap.man.in
index 2f399235d..918f3d394 100644
--- a/doc/sudoers.ldap.man.in
+++ b/doc/sudoers.ldap.man.in
@@ -491,6 +491,12 @@ itself and may support options that differ from those
 described in the system's ldap.conf(@mansectsu@) manual.
+The path to
+\fIldap.conf\fR
+may be overridden via the
+\fIldap_conf\fR
+plugin argument in
+sudo.conf(@mansectform@).
 .PP
 Also note that on systems using the OpenLDAP libraries, default values specified in
@@ -693,10 +699,16 @@ parameter specifies the identity, in the form of a Distinguished Name (DN), to use when performing privileged LDAP operations, such as
 \fIsudoers\fR
 queries.
-The password corresponding
-to the identity should be stored in
+The password corresponding to the identity should be stored in the
+or the path specified by the
+\fIldap_secret\fR
+plugin argument in
+sudo.conf(@mansectform@),
+which defaults to
 \fI@ldap_secret@\fR.
-If not specified, the
+If no
+\fBROOTBINDDN\fR
+is specified, the
 \fBBINDDN\fR identity is used (if any).
 .TP 6n
diff --git a/doc/sudoers.ldap.mdoc.in b/doc/sudoers.ldap.mdoc.in
index 45ddb1b99..d042a85f7 100644
--- a/doc/sudoers.ldap.mdoc.in
+++ b/doc/sudoers.ldap.mdoc.in
@@ -460,6 +460,12 @@ itself and may support options that differ from those
 described in the system's
 .Xr ldap.conf @mansectsu@
 manual.
+The path to
+.Pa ldap.conf
+may be overridden via the
+.Em ldap_conf
+plugin argument in
+.Xr sudo.conf @mansectform@ .
 .Pp
 Also note that on systems using the OpenLDAP libraries, default values specified in
@@ -649,10 +655,16 @@ parameter specifies the identity, in the form of a Distinguished Name (DN), to use when performing privileged LDAP operations, such as
 .Em sudoers
 queries.
-The password corresponding
-to the identity should be stored in
+The password corresponding to the identity should be stored in the
+or the path specified by the
+.Em ldap_secret
+plugin argument in
+.Xr sudo.conf @mansectform@ ,
+which defaults to
 .Pa @ldap_secret@ .
-If not specified, the
+If no
+.Sy ROOTBINDDN
+is specified, the
 .Sy BINDDN
 identity is used (if any).
 .It Sy LDAP_VERSION Ar number
diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in
index 7e459b5e1..7e5c4042d 100644
--- a/doc/sudoers.man.in
+++ b/doc/sudoers.man.in
@@ -94,30 +94,43 @@ Plugin sudoers_policy sudoers.so sudoers_mode=0400
 .PP
 The following plugin arguments are supported:
 .TP 10n
+ldap_conf=pathname
+The
+\fIldap_conf\fR
+argument can be used to override the default path to the
+\fIldap.conf\fR
+file.
+.TP 10n
+ldap_secret=pathname
+The
+\fIldap_secret\fR
+argument can be used to override the default path to the
+\fIldap.secret\fR
+file.
+.TP 10n
 sudoers_file=pathname
 The
 \fIsudoers_file\fR
-arguments can be used to override the default path
-to the
+argument can be used to override the default path to the
 \fIsudoers\fR
 file.
 .TP 10n
 sudoers_uid=uid
 The
 \fIsudoers_uid\fR
-arguments can be used to override the default owner of the sudoers file.
+argument can be used to override the default owner of the sudoers file.
 It should be specified as a numeric user ID.
 .TP 10n
 sudoers_gid=gid
 The
 \fIsudoers_gid\fR
-arguments can be used to override the default group of the sudoers file.
+argument can be used to override the default group of the sudoers file.
 It must be specified as a numeric group ID (not a group name).
 .TP 10n
 sudoers_mode=mode
 The
 \fIsudoers_mode\fR
-arguments can be used to override the default file mode for the sudoers file.
+argument can be used to override the default file mode for the sudoers file.
 It should be specified as an octal value.
 .PP
 For more information on configuring
diff --git a/doc/sudoers.mdoc.in b/doc/sudoers.mdoc.in
index f816931be..9539afbeb 100644
--- a/doc/sudoers.mdoc.in
+++ b/doc/sudoers.mdoc.in
@@ -86,27 +86,38 @@ Plugin sudoers_policy sudoers.so sudoers_mode=0400
 .Pp
 The following plugin arguments are supported:
 .Bl -tag -width 8n
+.It ldap_conf=pathname
+The
+.Em ldap_conf
+argument can be used to override the default path to the
+.Pa ldap.conf
+file.
+.It ldap_secret=pathname
+The
+.Em ldap_secret
+argument can be used to override the default path to the
+.Pa ldap.secret
+file.
 .It sudoers_file=pathname
 The
 .Em sudoers_file
-arguments can be used to override the default path
-to the
+argument can be used to override the default path to the
 .Em sudoers
 file.
 .It sudoers_uid=uid
 The
 .Em sudoers_uid
-arguments can be used to override the default owner of the sudoers file.
+argument can be used to override the default owner of the sudoers file.
 It should be specified as a numeric user ID.
 .It sudoers_gid=gid
 The
 .Em sudoers_gid
-arguments can be used to override the default group of the sudoers file.
+argument can be used to override the default group of the sudoers file.
 It must be specified as a numeric group ID (not a group name).
 .It sudoers_mode=mode
 The
 .Em sudoers_mode
-arguments can be used to override the default file mode for the sudoers file.
+argument can be used to override the default file mode for the sudoers file.
 It should be specified as an octal value.
 .El
 .Pp
diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c
index 33da477b9..2bb4b65ed 100644
--- a/plugins/sudoers/ldap.c
+++ b/plugins/sudoers/ldap.c
@@ -593,7 +593,7 @@ sudo_ldap_init(LDAP **ldp, const char *host, int port)
 ldapssl_err2string(rc));
 if (ldap_conf.tls_certfile == NULL)
 warningx(_("you must set TLS_CERT in %s to use SSL"),
- _PATH_LDAP_CONF);
+ path_ldap_conf);
 goto done;
 }
@@ -1368,7 +1368,7 @@ sudo_ldap_read_secret(const char *path)
 char buf[LINE_MAX], *cp;
 debug_decl(sudo_ldap_read_secret, SUDO_DEBUG_LDAP)
- if ((fp = fopen(_PATH_LDAP_SECRET, "r")) != NULL) {
+ if ((fp = fopen(path_ldap_secret, "r")) != NULL) {
 if (fgets(buf, sizeof(buf), fp) != NULL) {
 if ((cp = strchr(buf, '\n')) != NULL)
 *cp = '\0';
@@ -1460,7 +1460,7 @@ sudo_ldap_read_config(void)
 ldap_conf.rootuse_sasl = -1;
 ldap_conf.deref = -1;
- if ((fp = fopen(_PATH_LDAP_CONF, "r")) == NULL)
+ if ((fp = fopen(path_ldap_conf, "r")) == NULL)
 debug_return_bool(false);
 while (sudo_parseln(&line, &linesize, NULL, fp) != -1) {
@@ -1635,7 +1635,7 @@ sudo_ldap_read_config(void)
 /* If rootbinddn set, read in /etc/ldap.secret if it exists. */
 if (ldap_conf.rootbinddn)
- sudo_ldap_read_secret(_PATH_LDAP_SECRET);
+ sudo_ldap_read_secret(path_ldap_secret);
 #ifdef HAVE_LDAP_SASL_INTERACTIVE_BIND_S
 /*
diff --git a/plugins/sudoers/policy.c b/plugins/sudoers/policy.c
index 2e759b432..f3f625646 100644
--- a/plugins/sudoers/policy.c
+++ b/plugins/sudoers/policy.c
@@ -69,6 +69,8 @@ struct sudoers_exec_args {
 static int sudo_version;
 static const char *interfaces_string;
 sudo_conv_t sudo_conv;
+const char *path_ldap_conf = _PATH_LDAP_CONF;
+const char *path_ldap_secret = _PATH_LDAP_SECRET;
 extern __dso_public struct policy_plugin sudoers_policy;
@@ -112,6 +114,14 @@ sudoers_policy_deserialize_info(void *v, char **runas_user, char **runas_group)
 NULL, 8);
 continue;
 }
+ if (MATCHES(*cur, "ldap_conf=")) {
+ path_ldap_conf = *cur + sizeof("ldap_conf=") - 1;
+ continue;
+ }
+ if (MATCHES(*cur, "ldap_secret=")) {
+ path_ldap_secret = *cur + sizeof("ldap_secret=") - 1;
+ continue;
+ }
 }
 }
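Review bot: sudo_ldap_read_secret() takes a `path` parameter but the changed line still opens the global, `fopen(path_ldap_secret, "r")`, so the parameter is dead and any future caller passing a different path would silently read the global's file instead; use the parameter: `if ((fp = fopen(path, "r")) != NULL) {`. Behaviour is unchanged today only because the single caller in this patch passes path_ldap_secret. The body of sudo_ldap_read_secret() continues past the end of the hunk.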
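Review bot: The comment above the changed call in the @@ -1635 hunk still names the compile-time path, `/* If rootbinddn set, read in /etc/ldap.secret if it exists. */`, which is no longer accurate now that sudo.conf can override it; suggest `/* If rootbinddn set, read the ldap.secret file (path_ldap_secret) if it exists. */`. sudo_ldap_read_config() starts and ends outside this hunk.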
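Review bot: In the policy.c @@ -112 hunk the `ldap_conf=` and `ldap_secret=` values are stored without any validation, so an empty value or a relative path is accepted as-is; a relative path is later resolved by fopen() against the working directory the invoking user started sudo in, which would make a misconfigured sudo.conf read ldap.conf or, worse, the ldap.secret bind password from a user-controlled location. Rejecting a value that does not begin with `/` when it is parsed, e.g. `if (*path_ldap_conf != '/') warningx(_("ldap_conf path must be absolute"));` (and likewise for path_ldap_secret), would make that misconfiguration fail loudly instead. Note also that both assignments alias into the plugin argument string rather than copying it, so they rely on the info strings outliving the plugin, as the existing sudoers_file= handling presumably already does. sudoers_policy_deserialize_info() starts and ends outside the hunk.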
@@ -667,8 +677,8 @@ sudoers_policy_version(int verbose)
 # ifdef _PATH_NSSWITCH_CONF
 sudo_printf(SUDO_CONV_INFO_MSG, _("nsswitch path: %s\n"), _PATH_NSSWITCH_CONF);
 # endif
- sudo_printf(SUDO_CONV_INFO_MSG, _("ldap.conf path: %s\n"), _PATH_LDAP_CONF);
- sudo_printf(SUDO_CONV_INFO_MSG, _("ldap.secret path: %s\n"), _PATH_LDAP_SECRET);
+ sudo_printf(SUDO_CONV_INFO_MSG, _("ldap.conf path: %s\n"), path_ldap_conf);
+ sudo_printf(SUDO_CONV_INFO_MSG, _("ldap.secret path: %s\n"), path_ldap_secret);
 #endif
 dump_auth_methods();
 dump_defaults();
diff --git a/plugins/sudoers/sudoers.h b/plugins/sudoers/sudoers.h
index 7dc3c1ff7..4e64a8e43 100644
--- a/plugins/sudoers/sudoers.h
+++ b/plugins/sudoers/sudoers.h
@@ -365,6 +365,8 @@ void sudoers_cleanup(void);
 /* policy.c */
 int sudoers_policy_deserialize_info(void *v, char **runas_user, char **runas_group);
 int sudoers_policy_exec_setup(char *argv[], char *envp[], mode_t cmnd_umask, char *iolog_path, void *v);
+extern const char *path_ldap_conf;
+extern const char *path_ldap_secret;
 /* aix.c */
 void aix_restoreauthdb(void);
-- 
2.40.0
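Review bot: The two new externs in the sudoers.h @@ -365 hunk are the only place a reader of the header learns that the ldap paths are run-time configurable, yet they carry no comment, unlike the prototypes grouped under `/* policy.c */` around them. Suggest documenting them inline: `/* ldap.conf and ldap.secret paths: _PATH_LDAP_CONF/_PATH_LDAP_SECRET unless overridden by the ldap_conf=/ldap_secret= plugin arguments in sudo.conf. */`. Stating that an override points into the plugin's argument string rather than a private copy would also save the next maintainer from trying to free() them.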