isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add intercept_authenticate sudoers option, defaults to false.

Browse Source 
By default, sudoers will not require authentication of commands run
via an intercepted session.  To require authenticaton of subsequent
commands, enable intercept_authenticate in sudoers.
This commit is contained in:
Todd C. Miller
2021-08-09 15:50:26 -06:00
parent 13b89e9103
commit 788708c9ff
9 changed files with 68 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
plugins/sudoers/sudoers.c
View File

@@ -383,6 +383,14 @@ sudoers_policy_main(int argc, char * const argv[], int pwflag, char *env_add[],
debug_return_int(-1);
}
/* Was previous command was intercepted? */
if (def_intercept)
SET(sudo_mode, MODE_POLICY_INTERCEPTED);
/* Only certain mode flags are legal for intercepted commands. */
if (ISSET(sudo_mode, MODE_POLICY_INTERCEPTED))
sudo_mode &= MODE_INTERCEPT_MASK;
/* Re-initialize defaults if we are called multiple times. */
if (need_reinit) {
if (!sudoers_reinit_defaults())