Load sudoers group plugin via an early callback.

doc/sudoers.cat

@@ -461,7 +461,7 @@ SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT
      If there are multiple Defaults settings of the same type, the last
      matching setting is used.  The following Defaults settings are parsed
      before all others since they may affect subsequent entries: _f_q_d_n,
-     _r_u_n_a_s___d_e_f_a_u_l_t, _s_u_d_o_e_r_s___l_o_c_a_l_e.
+     _g_r_o_u_p___p_l_u_g_i_n, _r_u_n_a_s___d_e_f_a_u_l_t, _s_u_d_o_e_r_s___l_o_c_a_l_e.
 
      See _S_U_D_O_E_R_S _O_P_T_I_O_N_S for a list of supported Defaults parameters.
 

doc/sudoers.man.in

@@ -962,6 +962,7 @@ matching setting is used.
 The following Defaults settings are parsed before all others since
 they may affect subsequent entries:
 \fIfqdn\fR,
+\fIgroup_plugin\fR,
 \fIrunas_default\fR,
 \fIsudoers_locale\fR.
 .PP

doc/sudoers.mdoc.in

@@ -916,6 +916,7 @@ matching setting is used.
 The following Defaults settings are parsed before all others since
 they may affect subsequent entries:
 .Em fqdn ,
+.Em group_plugin ,
 .Em runas_default ,
 .Em sudoers_locale .
 .Pp

plugins/sudoers/defaults.c

@@ -82,6 +82,7 @@ static struct early_default early_defaults[] = {
 #else
     { "fqdn" },
 #endif
+    { "group_plugin" },
     { "runas_default" },
     { "sudoers_locale" },
     { NULL }

plugins/sudoers/group_plugin.c

@@ -212,3 +212,19 @@ group_plugin_query(const char *user, const char *group,
 }
 
 #endif /* HAVE_DLOPEN || HAVE_SHL_LOAD */
+
+/*
+ * Group plugin sudoers callback.
+ */
+bool
+cb_group_plugin(const union sudo_defs_val *sd_un)
+{
+    bool rc = true;
+    debug_decl(cb_group_plugin, SUDOERS_DEBUG_PLUGIN)
+
+    /* Unload any existing group plugin before loading a new one. */
+    group_plugin_unload();
+    if (sd_un->str != NULL)
+	rc = group_plugin_load(sd_un->str);
+    debug_return_bool(rc);
+}

plugins/sudoers/sudoers.c

@@ -207,14 +207,6 @@ sudoers_policy_init(void *info, char * const envp[])
 
     /* XXX - collect post-sudoers parse settings into a function */
 
-    /*
-     * Initialize external group plugin, if any.
-     */
-    if (def_group_plugin) {
-	if (group_plugin_load(def_group_plugin) != true)
-	    def_group_plugin = NULL;
-    }
-
     /*
      * Set runas passwd/group entries based on command line or sudoers.
      * Note that if runas_group was specified without runas_user we
@@ -747,6 +739,9 @@ init_vars(char * const envp[])
     /* Set fqdn callback. */
     sudo_defs_table[I_FQDN].callback = cb_fqdn;
 
+    /* Set group_plugin callback. */
+    sudo_defs_table[I_GROUP_PLUGIN].callback = cb_group_plugin;
+
     /* Set runas callback. */
     sudo_defs_table[I_RUNAS_DEFAULT].callback = cb_runas_default;
 

plugins/sudoers/sudoers.h

@@ -370,6 +370,7 @@ int group_plugin_load(char *plugin_info);
 void group_plugin_unload(void);
 int group_plugin_query(const char *user, const char *group,
     const struct passwd *pwd);
+bool cb_group_plugin(const union sudo_defs_val *sd_un);
 extern const char *path_plugin_dir;
 
 /* editor.c */

plugins/sudoers/testsudoers.c

@@ -243,6 +243,9 @@ main(int argc, char *argv[])
     if (!init_defaults())
 	sudo_fatalx(U_("unable to initialize sudoers default values"));
 
+    /* Set group_plugin callback. */
+    sudo_defs_table[I_GROUP_PLUGIN].callback = cb_group_plugin;
+
     /* Set runas callback. */
     sudo_defs_table[I_RUNAS_DEFAULT].callback = cb_runas_default;
 
@@ -274,9 +277,6 @@ main(int argc, char *argv[])
 	(void) fputs(" (problem with defaults entries)", stdout);
     puts(".");
 
-    if (def_group_plugin && group_plugin_load(def_group_plugin) != true)
-	def_group_plugin = NULL;
-
     /*
      * Set runas passwd/group entries based on command line or sudoers.
      * Note that if runas_group was specified without runas_user we