isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add sudoers option to perform authentication even in non-interative mode.

Browse Source 
If noninteractive_auth is set, authentication methods that do not
require input from the user's terminal may proceed.  It is off by
default, which restores the pre-1.9.9 behavior of "sudo -n".
This commit is contained in:
Todd C. Miller
2022-02-01 20:08:26 -07:00
parent 6564f1ae4c
commit 85fef8b50f
7 changed files with 53 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
docs/sudoers.man.in
View File

@@ -25,7 +25,7 @@
.nr BA @BAMAN@ .nr BA @BAMAN@
.nr LC @LCMAN@ .nr LC @LCMAN@
.nr PS @PSMAN@ .nr PS @PSMAN@
.TH "SUDOERS" "@mansectform@" "January 27, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .TH "SUDOERS" "@mansectform@" "February 1, 2022" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh .nh
.if n .ad l .if n .ad l
.SH "NAME" .SH "NAME"
@@ -3251,6 +3251,23 @@ This flag is
\fIoff\fR \fIoff\fR
by default. by default.
.TP 18n .TP 18n
noninteractive_auth
If set, authentication will be attempted even in non-interactive mode
(when
\fBsudo\fR's
\fB\-n\fR
option is specified).
This allows authentication methods that don't require user interaction
to succeed.
Authentication methods that require input from the user's terminal
will still fail.
If disabled, authentication will not be attempted in non-interactive mode.
This flag is
\fIoff\fR
by default.
.sp
This setting is only supported by version 1.9.10 or higher.
.TP 18n
pam_acct_mgmt pam_acct_mgmt
On systems that use PAM for authentication, On systems that use PAM for authentication,
\fBsudo\fR \fBsudo\fR

18
docs/sudoers.mdoc.in
View File

@@ -24,7 +24,7 @@
.nr BA @BAMAN@ .nr BA @BAMAN@
.nr LC @LCMAN@ .nr LC @LCMAN@
.nr PS @PSMAN@ .nr PS @PSMAN@
.Dd January 27, 2022 .Dd February 1, 2022
.Dt SUDOERS @mansectform@ .Dt SUDOERS @mansectform@
.Os Sudo @PACKAGE_VERSION@ .Os Sudo @PACKAGE_VERSION@
.Sh NAME .Sh NAME
@@ -3063,6 +3063,22 @@ section at the end of this manual.
This flag is This flag is
.Em off .Em off
by default. by default.
.It noninteractive_auth
If set, authentication will be attempted even in non-interactive mode
(when
.Nm sudo Ns 's
.Fl n
option is specified).
This allows authentication methods that don't require user interaction
to succeed.
Authentication methods that require input from the user's terminal
will still fail.
If disabled, authentication will not be attempted in non-interactive mode.
This flag is
.Em off
by default.
.Pp
This setting is only supported by version 1.9.10 or higher.
.It pam_acct_mgmt .It pam_acct_mgmt
On systems that use PAM for authentication, On systems that use PAM for authentication,
.Nm sudo .Nm sudo

6
plugins/sudoers/check.c
View File

@@ -125,6 +125,12 @@ check_user_interactive(int validated, int mode, struct getpass_closure *closure)
FALLTHROUGH; FALLTHROUGH;
default: default:
if (ISSET(mode, MODE_NONINTERACTIVE) && !def_noninteractive_auth) {
validated |= FLAG_NO_USER_INPUT;
log_auth_failure(validated, 0);
goto done;
}
/* XXX - should not lecture if askpass helper is being used. */ /* XXX - should not lecture if askpass helper is being used. */
lectured = display_lecture(closure->tstat); lectured = display_lecture(closure->tstat);

4
plugins/sudoers/def_data.c
View File

@@ -645,6 +645,10 @@ struct sudo_defs_types sudo_defs_table[] = {
"rlimit_stack", T_RLIMIT|T_BOOL, "rlimit_stack", T_RLIMIT|T_BOOL,
N_("The maximum size to which the process's stack may grow (in bytes): %s"), N_("The maximum size to which the process's stack may grow (in bytes): %s"),
NULL, NULL,
}, {
"noninteractive_auth", T_FLAG,
N_("Attempt authentication even when in non-interactive mode"),
NULL,
}, { }, {
"log_passwords", T_FLAG, "log_passwords", T_FLAG,
N_("Store plaintext passwords in I/O log input"), N_("Store plaintext passwords in I/O log input"),

6
plugins/sudoers/def_data.h
View File

@@ -300,9 +300,11 @@
#define def_rlimit_rss (sudo_defs_table[I_RLIMIT_RSS].sd_un.str) #define def_rlimit_rss (sudo_defs_table[I_RLIMIT_RSS].sd_un.str)
#define I_RLIMIT_STACK 149 #define I_RLIMIT_STACK 149
#define def_rlimit_stack (sudo_defs_table[I_RLIMIT_STACK].sd_un.str) #define def_rlimit_stack (sudo_defs_table[I_RLIMIT_STACK].sd_un.str)
#define I_LOG_PASSWORDS 150 #define I_NONINTERACTIVE_AUTH 150
#define def_noninteractive_auth (sudo_defs_table[I_NONINTERACTIVE_AUTH].sd_un.flag)
#define I_LOG_PASSWORDS 151
#define def_log_passwords (sudo_defs_table[I_LOG_PASSWORDS].sd_un.flag) #define def_log_passwords (sudo_defs_table[I_LOG_PASSWORDS].sd_un.flag)
#define I_PASSPROMPT_REGEX 151 #define I_PASSPROMPT_REGEX 152
#define def_passprompt_regex (sudo_defs_table[I_PASSPROMPT_REGEX].sd_un.list) #define def_passprompt_regex (sudo_defs_table[I_PASSPROMPT_REGEX].sd_un.list)
enum def_tuple { enum def_tuple {

3
plugins/sudoers/def_data.in
View File

@@ -466,6 +466,9 @@ rlimit_rss
rlimit_stack rlimit_stack
T_RLIMIT|T_BOOL T_RLIMIT|T_BOOL
"The maximum size to which the process's stack may grow (in bytes): %s" "The maximum size to which the process's stack may grow (in bytes): %s"
noninteractive_auth
T_FLAG
"Attempt authentication even when in non-interactive mode"
log_passwords log_passwords
T_FLAG T_FLAG
"Store plaintext passwords in I/O log input" "Store plaintext passwords in I/O log input"

1
plugins/sudoers/defaults.c
View File

@@ -591,6 +591,7 @@ init_defaults(void)
def_log_denied = true; def_log_denied = true;
def_log_format = sudo; def_log_format = sudo;
def_runas_allow_unknown_id = false; def_runas_allow_unknown_id = false;
def_noninteractive_auth = false;
/* Syslog options need special care since they both strings and ints */ /* Syslog options need special care since they both strings and ints */
#if (LOGGING & SLOG_SYSLOG) #if (LOGGING & SLOG_SYSLOG)