Add intercept_authenticate sudoers option, defaults to false.

By default, sudoers will not require authentication of commands run via an intercepted session. To require authenticaton of subsequent commands, enable intercept_authenticate in sudoers.
2021-08-09 15:50:26 -06:00
parent 13b89e9103
commit 788708c9ff
9 changed files with 68 additions and 3 deletions
--- a/plugins/sudoers/check.c
+++ b/plugins/sudoers/check.c
@@ -299,8 +299,14 @@ user_is_exempt(void)
    bool ret = false;
    debug_decl(user_is_exempt, SUDOERS_DEBUG_AUTH);

-    if (def_exempt_group)
-	ret = user_in_group(sudo_user.pw, def_exempt_group);
+    if (ISSET(sudo_mode, MODE_POLICY_INTERCEPTED)) {
+	if (!def_intercept_authenticate)
+	    ret = true;
+    }
+    if (def_exempt_group) {
+	if (user_in_group(sudo_user.pw, def_exempt_group))
+	    ret = true;
+    }
    debug_return_bool(ret);
 }