From 28d65159ed2dd3fd4c7b880b6c48c7e46f105512 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Mon, 5 Apr 2021 20:13:50 -0600
Subject: [PATCH] Document SUCCESS=return support in sudoers nsswitch.conf entries.

Based on a patch from Dennis Filder. Bug #971.
---
doc/sudoers.ldap.man.in | 41 ++++++++++++++++++++++++++++++----------
doc/sudoers.ldap.mdoc.in | 38 +++++++++++++++++++++++++++----------
2 files changed, 59 insertions(+), 20 deletions(-)

diff --git a/doc/sudoers.ldap.man.in b/doc/sudoers.ldap.man.in
index dc81ddbda..30cdec932 100644
--- a/doc/sudoers.ldap.man.in
+++ b/doc/sudoers.ldap.man.in
@@ -2,7 +2,7 @@
 .\"
 .\" SPDX-License-Identifier: ISC
 .\"
-.\" Copyright (c) 2003-2020 Todd C. Miller
+.\" Copyright (c) 2003-2021 Todd C. Miller
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -16,7 +16,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.TH "SUDOERS.LDAP" "@mansectform@" "October 29, 2020" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDOERS.LDAP" "@mansectform@" "April 5, 2021" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -1318,11 +1318,12 @@ search order.
 Sudo looks for a line beginning with
 \fRsudoers\fR:
 and uses this to determine the search order.
-Note that
+Note that by default,
 \fBsudo\fR
-does
-not stop searching after the first match and later matches take
-precedence over earlier ones.
+does not stop searching after the first match and later matches take
+precedence over earlier ones (unless
+\fR[SUCCESS=return]\fR
+is used, see below).
 The following sources are recognized:
 .PP
 .RS 4n
@@ -1337,10 +1338,21 @@ read sudoers from LDAP
 .RE
 .PD
 .PP
-In addition, the entry
-\fR[NOTFOUND=return]\fR
-will short-circuit the search if the user was not found in the
-preceding source.
+In addition, a subset of
+\fInsswitch.conf\fR-style
+action statements is supported, specifically
+\fR[SUCCESS=return]\fR
+and
+\fR[NOTFOUND=return]\fR.
+These will unconditionally terminate the search if the user was either
+found
+(\fR[SUCCESS=return]\fR)
+or not found
+(\fR[NOTFOUND=return]\fR)
+in the immediately preceding source.
+Other action statements tokens are not supported, nor is test
+negation with
+\(oq\&!\(cq.
 .PP
 To consult LDAP first followed by the local sudoers file (if it
 exists), use:
@@ -1351,6 +1363,15 @@ sudoers: ldap files
 .RE
 .fi
 .PP
+To consult LDAP only when no match is found in the local sudoers
+file (if it exists), use:
+.nf
+.sp
+.RS 4n
+sudoers: files [SUCCESS=return] ldap
+.RE
+.fi
+.PP
 The local
 \fIsudoers\fR
 file can be ignored completely by using:
diff --git a/doc/sudoers.ldap.mdoc.in b/doc/sudoers.ldap.mdoc.in
index ac32bfaa6..34c164abd 100644
--- a/doc/sudoers.ldap.mdoc.in
+++ b/doc/sudoers.ldap.mdoc.in
@@ -1,7 +1,7 @@
 .\"
 .\" SPDX-License-Identifier: ISC
 .\"
-.\" Copyright (c) 2003-2020 Todd C. Miller
+.\" Copyright (c) 2003-2021 Todd C. Miller
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd October 29, 2020
+.Dd April 5, 2021
 .Dt SUDOERS.LDAP @mansectform@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -1211,11 +1211,12 @@ search order.
 Sudo looks for a line beginning with
 .Li sudoers :
 and uses this to determine the search order.
-Note that
+Note that by default,
 .Nm sudo
-does
-not stop searching after the first match and later matches take
-precedence over earlier ones.
+does not stop searching after the first match and later matches take
+precedence over earlier ones (unless
+.Li [SUCCESS=return]
+is used, see below).
 The following sources are recognized:
 .Pp
 .Bl -tag -width 8n -offset 4n -compact
@@ -1226,10 +1227,21 @@ read sudoers from
 read sudoers from LDAP
 .El
 .Pp
-In addition, the entry
-.Li [NOTFOUND=return]
-will short-circuit the search if the user was not found in the
-preceding source.
+In addition, a subset of
+.Pa nsswitch.conf Ns -style
+action statements is supported, specifically
+.Li [SUCCESS=return]
+and
+.Li [NOTFOUND=return] .
+These will unconditionally terminate the search if the user was either
+found
+.No ( Li [SUCCESS=return] )
+or not found
+.No ( Li [NOTFOUND=return] )
+in the immediately preceding source.
+Other action statements tokens are not supported, nor is test
+negation with
+.Ql \&! .
 .Pp
 To consult LDAP first followed by the local sudoers file (if it
 exists), use:
@@ -1237,6 +1249,12 @@ exists), use:
 sudoers: ldap files
 .Ed
 .Pp
+To consult LDAP only when no match is found in the local sudoers
+file (if it exists), use:
+.Bd -literal -offset 4n
+sudoers: files [SUCCESS=return] ldap
+.Ed
+.Pp
 The local
 .Em sudoers
 file can be ignored completely by using: