isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

sudoers error recovery can be configured via an "error_recovery" setting.

Browse Source 
This setting is an argument to the sudoers plugin, similar to how
sudoers_file, sudoers_mode, sudoers_uid, etc. are implemented.
The default value is true.
This commit is contained in:
Todd C. Miller
2020-08-17 13:14:30 -06:00
parent 360c264760
commit 609910cc21
5 changed files with 59 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
doc/sudoers.man.in
View File

@@ -25,7 +25,7 @@
.nr BA @BAMAN@ .nr BA @BAMAN@
.nr LC @LCMAN@ .nr LC @LCMAN@
.nr PS @PSMAN@ .nr PS @PSMAN@
.TH "SUDOERS" "@mansectform@" "July 5, 2020" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .TH "SUDOERS" "@mansectform@" "August 17, 2020" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh .nh
.if n .ad l .if n .ad l
.SH "NAME" .SH "NAME"
@@ -98,6 +98,25 @@ Plugin sudoers_policy sudoers.so sudoers_mode=0400
.PP .PP
The following plugin arguments are supported: The following plugin arguments are supported:
.TP 10n .TP 10n
error_recovery=bool
The
\fIerror_recovery\fR
argument can be used to control whether
\fBsudoers\fR
should attempt to recover from parse errors in the
\fIsudoers\fR
file.
If set to
\fItrue\fR
(the default),
\fBsudoers\fR
will try to recover from a parse error by discarding the portion
of the line that contains the error until the end of the line.
A value of
\fIfalse\fR
will disable error recovery.
Prior to version 1.9.3, no error recovery was performed.
.TP 10n
ldap_conf=pathname ldap_conf=pathname
The The
\fIldap_conf\fR \fIldap_conf\fR

20
doc/sudoers.mdoc.in
View File

@@ -24,7 +24,7 @@
.nr BA @BAMAN@ .nr BA @BAMAN@
.nr LC @LCMAN@ .nr LC @LCMAN@
.nr PS @PSMAN@ .nr PS @PSMAN@
.Dd July 5, 2020 .Dd August 17, 2020
.Dt SUDOERS @mansectform@ .Dt SUDOERS @mansectform@
.Os Sudo @PACKAGE_VERSION@ .Os Sudo @PACKAGE_VERSION@
.Sh NAME .Sh NAME
@@ -91,6 +91,24 @@ Plugin sudoers_policy sudoers.so sudoers_mode=0400
.Pp .Pp
The following plugin arguments are supported: The following plugin arguments are supported:
.Bl -tag -width 8n .Bl -tag -width 8n
.It error_recovery=bool
The
.Em error_recovery
argument can be used to control whether
.Nm
should attempt to recover from parse errors in the
.Em sudoers
file.
If set to
.Em true
(the default),
.Nm
will try to recover from a parse error by discarding the portion
of the line that contains the error until the end of the line.
A value of
.Em false
will disable error recovery.
Prior to version 1.9.3, no error recovery was performed.
.It ldap_conf=pathname .It ldap_conf=pathname
The The
.Em ldap_conf .Em ldap_conf

2
plugins/sudoers/file.c
View File

@@ -109,7 +109,7 @@ sudo_file_parse(struct sudo_nss *nss)
log_warningx(SLOG_SEND_MAIL|SLOG_NO_STDERR, log_warningx(SLOG_SEND_MAIL|SLOG_NO_STDERR,
N_("parse error in %s"), errorfile); N_("parse error in %s"), errorfile);
} }
if (error) { if (error || !sudoers_recovery) {
/* unrecoverable error */ /* unrecoverable error */
debug_return_ptr(NULL); debug_return_ptr(NULL);
} }

20
plugins/sudoers/policy.c
View File

@@ -49,6 +49,7 @@ struct sudoers_exec_args {
static unsigned int sudo_version; static unsigned int sudo_version;
static const char *interfaces_string; static const char *interfaces_string;
bool sudoers_recovery = true;
sudo_conv_t sudo_conv; sudo_conv_t sudo_conv;
sudo_printf_t sudo_printf; sudo_printf_t sudo_printf;
const char *path_ldap_conf = _PATH_LDAP_CONF; const char *path_ldap_conf = _PATH_LDAP_CONF;
@@ -97,10 +98,14 @@ sudoers_policy_deserialize_info(void *v, char **runas_user, char **runas_group)
#define MATCHES(s, v) \ #define MATCHES(s, v) \
(strncmp((s), (v), sizeof(v) - 1) == 0) (strncmp((s), (v), sizeof(v) - 1) == 0)
#define INVALID(v) do { \
sudo_warn(U_("invalid %.*s set by sudo front-end"), \
(int)(sizeof(v) - 2), (v)); \
} while (0)
#define CHECK(s, v) do { \ #define CHECK(s, v) do { \
if ((s)[sizeof(v) - 1] == '\0') { \ if ((s)[sizeof(v) - 1] == '\0') { \
sudo_warn(U_("invalid %.*s set by sudo front-end"), \ INVALID(v); \
(int)(sizeof(v) - 2), v); \
goto bad; \ goto bad; \
} \ } \
} while (0) } while (0)
@@ -108,6 +113,15 @@ sudoers_policy_deserialize_info(void *v, char **runas_user, char **runas_group)
/* Parse sudo.conf plugin args. */ /* Parse sudo.conf plugin args. */
if (info->plugin_args != NULL) { if (info->plugin_args != NULL) {
for (cur = info->plugin_args; *cur != NULL; cur++) { for (cur = info->plugin_args; *cur != NULL; cur++) {
if (MATCHES(*cur, "error_recovery=")) {
int val = sudo_strtobool(*cur + sizeof("error_recovery=") - 1);
if (val == -1) {
INVALID("error_recovery="); /* Not a fatal error. */
} else {
sudoers_recovery = val;
}
continue;
}
if (MATCHES(*cur, "sudoers_file=")) { if (MATCHES(*cur, "sudoers_file=")) {
CHECK(*cur, "sudoers_file="); CHECK(*cur, "sudoers_file=");
sudoers_file = *cur + sizeof("sudoers_file=") - 1; sudoers_file = *cur + sizeof("sudoers_file=") - 1;
@@ -485,6 +499,8 @@ sudoers_policy_deserialize_info(void *v, char **runas_user, char **runas_group)
sudo_debug_printf(SUDO_DEBUG_INFO, "user_info: %s", *cur); sudo_debug_printf(SUDO_DEBUG_INFO, "user_info: %s", *cur);
#undef MATCHES #undef MATCHES
#undef INVALID
#undef CHECK
debug_return_int(flags); debug_return_int(flags);
oom: oom:

1
plugins/sudoers/sudoers.h
View File

@@ -298,6 +298,7 @@ extern char *errorfile;
extern int errorlineno; extern int errorlineno;
extern bool parse_error; extern bool parse_error;
extern bool sudoers_warnings; extern bool sudoers_warnings;
extern bool sudoers_recovery;
extern bool sudoers_strict; extern bool sudoers_strict;
/* toke.l */ /* toke.l */