Fix sudoers_policy plugin options when sudoers_audit is not listed.
As of sudo 1.9.1 the sudoers file is opened by the audit plugin, not the policy plugin. As a result, plugin options set for sudoers_policy have no effect. If sudoers_policy has plugin options in sudo.conf and sudoers_audit is not listed, move the options to sudoers_audit so they will have an effect.
@@ -72,6 +72,7 @@ plugin, the following configuration can be used.
|
||||
.nf
|
||||
.sp
|
||||
.RS 6n
|
||||
Plugin sudoers_audit sudoers.so
|
||||
Plugin sudoers_policy sudoers.so
|
||||
Plugin sudoers_io sudoers.so
|
||||
.RE
|
||||
@@ -84,15 +85,27 @@ Starting with
|
||||
plugin in the
|
||||
sudo.conf(@mansectform@)
|
||||
file.
|
||||
These arguments, if present, should be listed after the path to the plugin
|
||||
Plugin arguments, if any, should be listed after the path to the plugin
|
||||
(i.e., after
|
||||
\fIsudoers.so\fR).
|
||||
The arguments are only effective for the plugin that opens (and parses) the
|
||||
\fIsudoers\fR
|
||||
file.
|
||||
.PP
|
||||
For
|
||||
\fBsudo\fR
|
||||
version 1.9.1 and higher, this is the
|
||||
\fIsudoers_audit\fR
|
||||
plugin.
|
||||
For older versions, it is the
|
||||
\fIsudoers_policy\fR
|
||||
plugin.
|
||||
Multiple arguments may be specified, separated by white space.
|
||||
For example:
|
||||
.nf
|
||||
.sp
|
||||
.RS 6n
|
||||
Plugin sudoers_policy sudoers.so sudoers_mode=0400
|
||||
Plugin sudoers_audit sudoers.so sudoers_mode=0400 error_recovery=false
|
||||
.RE
|
||||
.fi
|
||||
.PP
|
||||
|
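Review bot: The new paragraph stating that arguments "are only effective for the plugin that opens (and parses) the sudoers file" does not mention the compatibility behaviour that this same commit adds to sudo_load_plugins(). As written, an administrator on 1.9.1 or higher whose sudo.conf lists only sudoers_policy with options would conclude those options are ignored, while the code actually moves them to sudoers_audit when sudoers_audit is not listed. Add a sentence after "For older versions, it is the sudoers_policy plugin." that describes the fallback and notes that it does not apply once sudoers_audit is listed explicitly. The same applies to the mdoc copy of this text in the hunk at @@ -80,13 +81,25 @@.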
@@ -69,6 +69,7 @@ to use the
|
||||
.Nm
|
||||
plugin, the following configuration can be used.
|
||||
.Bd -literal -offset indent
|
||||
Plugin sudoers_audit sudoers.so
|
||||
Plugin sudoers_policy sudoers.so
|
||||
Plugin sudoers_io sudoers.so
|
||||
.Ed
|
||||
@@ -80,13 +81,25 @@ Starting with
|
||||
plugin in the
|
||||
.Xr sudo.conf @mansectform@
|
||||
file.
|
||||
These arguments, if present, should be listed after the path to the plugin
|
||||
Plugin arguments, if any, should be listed after the path to the plugin
|
||||
(i.e., after
|
||||
.Pa sudoers.so ) .
|
||||
The arguments are only effective for the plugin that opens (and parses) the
|
||||
.Em sudoers
|
||||
file.
|
||||
.Pp
|
||||
For
|
||||
.Nm sudo
|
||||
version 1.9.1 and higher, this is the
|
||||
.Em sudoers_audit
|
||||
plugin.
|
||||
For older versions, it is the
|
||||
.Em sudoers_policy
|
||||
plugin.
|
||||
Multiple arguments may be specified, separated by white space.
|
||||
For example:
|
||||
.Bd -literal -offset indent
|
||||
Plugin sudoers_policy sudoers.so sudoers_mode=0400
|
||||
Plugin sudoers_audit sudoers.so sudoers_mode=0400 error_recovery=false
|
||||
.Ed
|
||||
.Pp
|
||||
The following plugin arguments are supported:
|
||||
|
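Review bot: The example block after "For example:" now consists of a single line, "Plugin sudoers_audit sudoers.so sudoers_mode=0400 error_recovery=false", which can be read as a complete sudo.conf configuration. Consider showing it together with the sudoers_policy and sudoers_io lines from the configuration block in the earlier hunk, with options only on the sudoers_audit line, so the example also demonstrates which line the options belong on when several sudoers.so plugins are listed.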
@@ -532,8 +532,18 @@ sudo_load_plugins(struct plugin_container *policy_plugin,
|
||||
* loaded, load it too, if possible.
|
||||
*/
|
||||
if (!plugin_exists(audit_plugins, "sudoers_audit")) {
|
||||
(void)sudo_load_sudoers_plugin("sudoers_audit", policy_plugin,
|
||||
io_plugins, audit_plugins, approval_plugins, true);
|
||||
if (sudo_load_sudoers_plugin("sudoers_audit", policy_plugin,
|
||||
io_plugins, audit_plugins, approval_plugins, true)) {
|
||||
/*
|
||||
* Move the plugin options from sudoers_policy to sudoers_audit
|
||||
* since the audit module is now what actually opens sudoers.
|
||||
*/
|
||||
if (policy_plugin->options != NULL) {
|
||||
TAILQ_LAST(audit_plugins, plugin_container_list)->options =
|
||||
policy_plugin->options;
|
||||
policy_plugin->options = NULL;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
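Review bot: The assignment through TAILQ_LAST(audit_plugins, plugin_container_list)->options assumes that a true return from sudo_load_sudoers_plugin() always means a sudoers_audit container was appended at the tail of audit_plugins. If that call can ever return true without inserting an entry, TAILQ_LAST() yields either NULL (a NULL dereference in the sudo front end) or some other audit plugin, which would then receive the sudoers options. Looking the container up by name, or having the loader hand back the container it created, would make the move independent of list ordering. Separately, the move only runs inside the !plugin_exists(audit_plugins, "sudoers_audit") branch, so a sudo.conf that lists sudoers_audit without options and sudoers_policy with options still has those options silently dropped; a warning in that case would help administrators notice that a setting such as sudoers_mode is not being applied.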