From 85fef8b50f0847f4fce39a7fead9aae767be1dca Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Tue, 1 Feb 2022 20:08:26 -0700 Subject: [PATCH] Add sudoers option to perform authentication even in non-interative mode. If noninteractive_auth is set, authentication methods that do not require input from the user's terminal may proceed. It is off by default, which restores the pre-1.9.9 behavior of "sudo -n". --- docs/sudoers.man.in | 19 ++++++++++++++++++- docs/sudoers.mdoc.in | 18 +++++++++++++++++- plugins/sudoers/check.c | 6 ++++++ plugins/sudoers/def_data.c | 4 ++++ plugins/sudoers/def_data.h | 6 ++++-- plugins/sudoers/def_data.in | 3 +++ plugins/sudoers/defaults.c | 1 + 7 files changed, 53 insertions(+), 4 deletions(-) diff --git a/docs/sudoers.man.in b/docs/sudoers.man.in index 17148c109..a92b2d519 100644 --- a/docs/sudoers.man.in +++ b/docs/sudoers.man.in @@ -25,7 +25,7 @@ .nr BA @BAMAN@ .nr LC @LCMAN@ .nr PS @PSMAN@ -.TH "SUDOERS" "@mansectform@" "January 27, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual" +.TH "SUDOERS" "@mansectform@" "February 1, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .nh .if n .ad l .SH "NAME" @@ -3251,6 +3251,23 @@ This flag is \fIoff\fR by default. .TP 18n +noninteractive_auth +If set, authentication will be attempted even in non-interactive mode +(when +\fBsudo\fR's +\fB\-n\fR +option is specified). +This allows authentication methods that don't require user interaction +to succeed. +Authentication methods that require input from the user's terminal +will still fail. +If disabled, authentication will not be attempted in non-interactive mode. +This flag is +\fIoff\fR +by default. +.sp +This setting is only supported by version 1.9.10 or higher. +.TP 18n pam_acct_mgmt On systems that use PAM for authentication, \fBsudo\fR diff --git a/docs/sudoers.mdoc.in b/docs/sudoers.mdoc.in index 6e9390177..88200dccd 100644 --- a/docs/sudoers.mdoc.in +++ b/docs/sudoers.mdoc.in 
@@ -24,7 +24,7 @@ .nr BA @BAMAN@ .nr LC @LCMAN@ .nr PS @PSMAN@ -.Dd January 27, 2022 +.Dd February 1, 2022 .Dt SUDOERS @mansectform@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME @@ -3063,6 +3063,22 @@ section at the end of this manual. This flag is .Em off by default. +.It noninteractive_auth +If set, authentication will be attempted even in non-interactive mode +(when +.Nm sudo Ns 's +.Fl n +option is specified). +This allows authentication methods that don't require user interaction +to succeed. +Authentication methods that require input from the user's terminal +will still fail. +If disabled, authentication will not be attempted in non-interactive mode. +This flag is +.Em off +by default. +.Pp +This setting is only supported by version 1.9.10 or higher. .It pam_acct_mgmt On systems that use PAM for authentication, .Nm sudo diff --git a/plugins/sudoers/check.c b/plugins/sudoers/check.c index 2ba18d27e..25a2087b0 100644 --- a/plugins/sudoers/check.c +++ b/plugins/sudoers/check.c @@ -125,6 +125,12 @@ check_user_interactive(int validated, int mode, struct getpass_closure *closure) FALLTHROUGH; default: + if (ISSET(mode, MODE_NONINTERACTIVE) && !def_noninteractive_auth) { + validated |= FLAG_NO_USER_INPUT; + log_auth_failure(validated, 0); + goto done; + } + /* XXX - should not lecture if askpass helper is being used. */ lectured = display_lecture(closure->tstat); diff --git a/plugins/sudoers/def_data.c b/plugins/sudoers/def_data.c index 458035221..e5a80e2b8 100644 --- a/plugins/sudoers/def_data.c +++ b/plugins/sudoers/def_data.c @@ -645,6 +645,10 @@ struct sudo_defs_types sudo_defs_table[] = { "rlimit_stack", T_RLIMIT|T_BOOL, N_("The maximum size to which the process's stack may grow (in bytes): %s"), NULL, + }, { + "noninteractive_auth", T_FLAG, + N_("Attempt authentication even when in non-interactive mode"), + NULL, }, { "log_passwords", T_FLAG, N_("Store plaintext passwords in I/O log input"), 
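Review bot: The new `goto done` in the `default:` case of check_user_interactive leaves the function's result variable at whatever it held before the check, and nothing in the hunk sets it, so confirm that the value returned at `done:` is the failure value on this path; both the function's start and the `done:` label are outside the hunk. A short comment above the new condition would help, since it changes what `sudo -n` means depending on a sudoers flag: `/* Without noninteractive_auth, -n refuses to authenticate at all (pre-1.9.10 behavior). */`. With noninteractive_auth enabled a `-n` invocation now continues into display_lecture; whether a lecture should be emitted when no terminal interaction is expected is not addressed, and the existing XXX note suggests lecturing in such cases is already a known gap.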
diff --git a/plugins/sudoers/def_data.h b/plugins/sudoers/def_data.h index 850f71cf1..4795177bb 100644 --- a/plugins/sudoers/def_data.h +++ b/plugins/sudoers/def_data.h @@ -300,9 +300,11 @@ #define def_rlimit_rss (sudo_defs_table[I_RLIMIT_RSS].sd_un.str) #define I_RLIMIT_STACK 149 #define def_rlimit_stack (sudo_defs_table[I_RLIMIT_STACK].sd_un.str) -#define I_LOG_PASSWORDS 150 +#define I_NONINTERACTIVE_AUTH 150 +#define def_noninteractive_auth (sudo_defs_table[I_NONINTERACTIVE_AUTH].sd_un.flag) +#define I_LOG_PASSWORDS 151 #define def_log_passwords (sudo_defs_table[I_LOG_PASSWORDS].sd_un.flag) -#define I_PASSPROMPT_REGEX 151 +#define I_PASSPROMPT_REGEX 152 #define def_passprompt_regex (sudo_defs_table[I_PASSPROMPT_REGEX].sd_un.list) enum def_tuple { diff --git a/plugins/sudoers/def_data.in b/plugins/sudoers/def_data.in index 10637df95..d0cc1780d 100644 --- a/plugins/sudoers/def_data.in +++ b/plugins/sudoers/def_data.in @@ -466,6 +466,9 @@ rlimit_rss rlimit_stack T_RLIMIT|T_BOOL "The maximum size to which the process's stack may grow (in bytes): %s" +noninteractive_auth + T_FLAG + "Attempt authentication even when in non-interactive mode" log_passwords T_FLAG "Store plaintext passwords in I/O log input" diff --git a/plugins/sudoers/defaults.c b/plugins/sudoers/defaults.c index a2ddcff8d..ca4bdc2f9 100644 --- a/plugins/sudoers/defaults.c +++ b/plugins/sudoers/defaults.c @@ -591,6 +591,7 @@ init_defaults(void) def_log_denied = true; def_log_format = sudo; def_runas_allow_unknown_id = false; + def_noninteractive_auth = false; /* Syslog options need special care since they both strings and ints */ #if (LOGGING & SLOG_SYSLOG)