Add -n (non-interactive) flag.

This commit is contained in:
Todd C. Miller
2008-03-18 20:04:41 +00:00
parent f2c84d5a6d
commit c352187cf8
8 changed files with 81 additions and 57 deletions


@@ -58,3 +58,7 @@ What's new in Sudo 1.7?
* A new Defaults option, "mailfrom" that sets the value of the * A new Defaults option, "mailfrom" that sets the value of the
"From:" field in the warning/error mail. If unspecified, the "From:" field in the warning/error mail. If unspecified, the
login name of the invoking user is used. login name of the invoking user is used.
* A new flag, -n, may be used to indicate that sudo should not
prompt the user for a password and, instead, exit with an error
if authentication is required.


@@ -84,8 +84,9 @@ static void update_timestamp __P((char *, char *));
* verify who he/she is. * verify who he/she is.
*/ */
void void
check_user(validated) check_user(validated, interactive)
int validated; int validated;
int interactive;
{ {
char *timestampdir = NULL; char *timestampdir = NULL;
char *timestampfile = NULL; char *timestampfile = NULL;
@@ -99,6 +100,10 @@ check_user(validated)
status = timestamp_status(timestampdir, timestampfile, user_name, status = timestamp_status(timestampdir, timestampfile, user_name,
TS_MAKE_DIRS); TS_MAKE_DIRS);
if (status != TS_CURRENT || ISSET(validated, FLAG_CHECK_USER)) { if (status != TS_CURRENT || ISSET(validated, FLAG_CHECK_USER)) {
/* Bail out if we are non-interactive and a password is required */
if (!interactive)
errorx(1, "sorry, a password is required to run %s", getprogname());
if (!ISSET(tgetpass_flags, TGP_ASKPASS)) if (!ISSET(tgetpass_flags, TGP_ASKPASS))
lecture(status); lecture(status);
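Review bot: The new `interactive` parameter is not described in the header comment above check_user (the `verify who he/she is` text in the first hunk), and the bail-out `if (!interactive)` fires before the TGP_ASKPASS test even though the updated synopsis advertises `-AnS` as a valid combination, so a reader cannot tell from the code whether `-n` is meant to override `-A` or the other way round. A one-line comment on the parameter would settle it; something like `interactive: when zero, fail with exit status 1 instead of prompting (or running the askpass helper) if the timestamp is stale or FLAG_CHECK_USER is set` matches what the hunk does. The manual text in this commit only says "display an error message and exit", so the exit status 1 from `errorx(1, ...)` is also worth stating there. The rest of check_user's body continues outside the hunk.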

7
sudo.c

@@ -402,7 +402,7 @@ main(argc, argv, envp)
/* Require a password if sudoers says so. */ /* Require a password if sudoers says so. */
if (def_authenticate) if (def_authenticate)
check_user(validated); check_user(validated, !ISSET(sudo_mode, MODE_NONINTERACTIVE));
/* If run as root with SUDO_USER set, set sudo_user.pw to that user. */ /* If run as root with SUDO_USER set, set sudo_user.pw to that user. */
/* XXX - causes confusion when root is not listed in sudoers */ /* XXX - causes confusion when root is not listed in sudoers */
@@ -827,7 +827,7 @@ parse_args(argc, argv)
* Some trickiness is required to allow environment variables * Some trickiness is required to allow environment variables
* to be interspersed with command line options. * to be interspersed with command line options.
*/ */
if ((ch = getopt(argc, argv, "+Aa:bC:c:Eeg:HhiKkLlPp:r:Sst:Uu:Vv")) != -1) { if ((ch = getopt(argc, argv, "+Aa:bC:c:Eeg:HhiKkLlnPp:r:Sst:Uu:Vv")) != -1) {
switch (ch) { switch (ch) {
case 'A': case 'A':
SET(tgetpass_flags, TGP_ASKPASS); SET(tgetpass_flags, TGP_ASKPASS);
@@ -907,6 +907,9 @@ parse_args(argc, argv)
usage_excl(1); usage_excl(1);
excl = 'l'; excl = 'l';
break; break;
case 'n':
SET(rval, MODE_NONINTERACTIVE);
break;
case 'V': case 'V':
rval = MODE_VERSION; rval = MODE_VERSION;
if (excl && excl != 'V') if (excl && excl != 'V')
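Review bot: `case 'n'` ORs MODE_NONINTERACTIVE into rval with `SET(rval, MODE_NONINTERACTIVE)`, but the adjacent `case 'V'` assigns `rval = MODE_VERSION` outright, so if the other single-mode options (`-v`, `-k`, `-K`, `-l`, `-e`, whose cases lie outside the hunk) assign rval the same way, the bit is silently dropped whenever `-n` precedes one of them, e.g. `sudo -n -v`, which the new synopsis `sudo [-n] -h | -K | -k | -L | -V | -v` explicitly allows, while `sudo -v -n` would keep it. A safer shape is to record the flag in a local, `int noninteractive = 0;` set in `case 'n'`, and apply `if (noninteractive) SET(rval, MODE_NONINTERACTIVE);` once after the getopt loop, or to verify that every mode case uses SET rather than assignment. The caller change in main, `!ISSET(sudo_mode, MODE_NONINTERACTIVE)`, is fine as written. parse_args continues outside the hunk.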


@@ -8,15 +8,15 @@ NNAAMMEE
sudo, sudoedit - execute a command as another user sudo, sudoedit - execute a command as another user
SSYYNNOOPPSSIISS SSYYNNOOPPSSIISS
ssuuddoo --hh | --KK | --kk | --LL | --VV | --vv ssuuddoo [--nn] --hh | --KK | --kk | --LL | --VV | --vv
ssuuddoo --ll[[ll]] [--AASS] [--gg _g_r_o_u_p_n_a_m_e|_#_g_i_d] [--UU _u_s_e_r_n_a_m_e] [--uu _u_s_e_r_n_a_m_e|_#_u_i_d] ssuuddoo --ll[[ll]] [--AAnnSS] [--gg _g_r_o_u_p_n_a_m_e|_#_g_i_d] [--UU _u_s_e_r_n_a_m_e] [--uu _u_s_e_r_n_a_m_e|_#_u_i_d]
[_c_o_m_m_a_n_d] [_c_o_m_m_a_n_d]
ssuuddoo [--AAbbEEHHPPSS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--cc _c_l_a_s_s|_-] [--gg _g_r_o_u_p_n_a_m_e|_#_g_i_d] ssuuddoo [--AAbbEEHHnnPPSS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--cc _c_l_a_s_s|_-] [--gg _g_r_o_u_p_n_a_m_e|_#_g_i_d]
[--pp _p_r_o_m_p_t] [--uu _u_s_e_r_n_a_m_e|_#_u_i_d] [VVAARR=_v_a_l_u_e] [{--ii | --ss] [<_c_o_m_m_a_n_d}] [--pp _p_r_o_m_p_t] [--uu _u_s_e_r_n_a_m_e|_#_u_i_d] [VVAARR=_v_a_l_u_e] [{--ii | --ss] [<_c_o_m_m_a_n_d}]
ssuuddooeeddiitt [--AASS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--cc _c_l_a_s_s|_-] [--gg _g_r_o_u_p_n_a_m_e|_#_g_i_d] ssuuddooeeddiitt [--AAnnSS] [--aa _a_u_t_h___t_y_p_e] [--CC _f_d] [--cc _c_l_a_s_s|_-] [--gg _g_r_o_u_p_n_a_m_e|_#_g_i_d]
[--pp _p_r_o_m_p_t] [--uu _u_s_e_r_n_a_m_e|_#_u_i_d] file ... [--pp _p_r_o_m_p_t] [--uu _u_s_e_r_n_a_m_e|_#_u_i_d] file ...
DDEESSCCRRIIPPTTIIOONN DDEESSCCRRIIPPTTIIOONN
@@ -61,7 +61,7 @@ DDEESSCCRRIIPPTTIIOONN
1.7 March 2, 2008 1 1.7 March 18, 2008 1
@@ -127,7 +127,7 @@ OOPPTTIIOONNSS
1.7 March 2, 2008 2 1.7 March 18, 2008 2
@@ -193,7 +193,7 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
1.7 March 2, 2008 3 1.7 March 18, 2008 3
@@ -229,6 +229,11 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
--llll), or if --ll is specified multiple times, a longer list --llll), or if --ll is specified multiple times, a longer list
format is used. format is used.
-n The --nn (_n_o_n_-_i_n_t_e_r_a_c_t_i_v_e) option prevents ssuuddoo from prompt-
ing the user for a password. If a password is required for
the command to run, ssuuddoo will display an error messages and
exit.
-P The --PP (_p_r_e_s_e_r_v_e _g_r_o_u_p _v_e_c_t_o_r) option causes ssuuddoo to pre- -P The --PP (_p_r_e_s_e_r_v_e _g_r_o_u_p _v_e_c_t_o_r) option causes ssuuddoo to pre-
serve the invoking user's group vector unaltered. By serve the invoking user's group vector unaltered. By
default, ssuuddoo will initialize the group vector to the list default, ssuuddoo will initialize the group vector to the list
@@ -252,14 +257,9 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
%U expanded to the login name of the user the command will %U expanded to the login name of the user the command will
be run as (defaults to root) be run as (defaults to root)
%u expanded to the invoking user's login name
%% two consecutive % characters are collapsed into a sin-
gle % character
1.7 March 18, 2008 4
1.7 March 2, 2008 4
@@ -268,6 +268,11 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
%u expanded to the invoking user's login name
%% two consecutive % characters are collapsed into a sin-
gle % character
The prompt specified by the --pp option will override the The prompt specified by the --pp option will override the
system password prompt on systems that support PAM unless system password prompt on systems that support PAM unless
the _p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e flag is disabled in _s_u_d_o_e_r_s. the _p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e flag is disabled in _s_u_d_o_e_r_s.
@@ -317,15 +322,10 @@ SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
line are subject to the same restrictions as normal environment vari- line are subject to the same restrictions as normal environment vari-
ables with one important exception. If the _s_e_t_e_n_v option is set in ables with one important exception. If the _s_e_t_e_n_v option is set in
_s_u_d_o_e_r_s, the command to be run has the SETENV tag set or the command _s_u_d_o_e_r_s, the command to be run has the SETENV tag set or the command
matched is ALL, the user may set variables that would overwise be for-
bidden. See _s_u_d_o_e_r_s(4) for more information.
RREETTUURRNN VVAALLUUEESS
Upon successful execution of a program, the return value from ssuuddoo will
1.7 March 2, 2008 5 1.7 March 18, 2008 5
@@ -334,6 +334,11 @@ RREETTUURRNN VVAALLUUEESS
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
matched is ALL, the user may set variables that would overwise be for-
bidden. See _s_u_d_o_e_r_s(4) for more information.
RREETTUURRNN VVAALLUUEESS
Upon successful execution of a program, the return value from ssuuddoo will
simply be the return value of the program that was executed. simply be the return value of the program that was executed.
Otherwise, ssuuddoo quits with an exit value of 1 if there is a configura- Otherwise, ssuuddoo quits with an exit value of 1 if there is a configura-
@@ -383,15 +388,10 @@ SSEECCUURRIITTYY NNOOTTEESS
environment variable is _n_o_t modified and is passed unchanged to the environment variable is _n_o_t modified and is passed unchanged to the
program that ssuuddoo executes. program that ssuuddoo executes.
ssuuddoo will check the ownership of its timestamp directory (_/_v_a_r_/_r_u_n_/_s_u_d_o
by default) and ignore the directory's contents if it is not owned by
root or if it is writable by a user other than root. On systems that
allow non-root users to give away files via _c_h_o_w_n(2), if the timestamp
directory is located in a directory writable by anyone (e.g., _/_t_m_p), it
1.7 March 2, 2008 6 1.7 March 18, 2008 6
@@ -400,6 +400,11 @@ SSEECCUURRIITTYY NNOOTTEESS
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
ssuuddoo will check the ownership of its timestamp directory (_/_v_a_r_/_r_u_n_/_s_u_d_o
by default) and ignore the directory's contents if it is not owned by
root or if it is writable by a user other than root. On systems that
allow non-root users to give away files via _c_h_o_w_n(2), if the timestamp
directory is located in a directory writable by anyone (e.g., _/_t_m_p), it
is possible for a user to create the timestamp directory before ssuuddoo is is possible for a user to create the timestamp directory before ssuuddoo is
run. However, because ssuuddoo checks the ownership and mode of the direc- run. However, because ssuuddoo checks the ownership and mode of the direc-
tory and its contents, the only damage that can be done is to "hide" tory and its contents, the only damage that can be done is to "hide"
@@ -450,14 +455,9 @@ EENNVVIIRROONNMMEENNTT
SUDO_COMMAND Set to the command run by sudo SUDO_COMMAND Set to the command run by sudo
SUDO_USER Set to the login of the user who invoked sudo
SUDO_UID Set to the uid of the user who invoked sudo
1.7 March 18, 2008 7
1.7 March 2, 2008 7
@@ -466,6 +466,10 @@ EENNVVIIRROONNMMEENNTT
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
SUDO_USER Set to the login of the user who invoked sudo
SUDO_UID Set to the uid of the user who invoked sudo
SUDO_GID Set to the gid of the user who invoked sudo SUDO_GID Set to the gid of the user who invoked sudo
SUDO_PS1 If set, PS1 will be set to its value SUDO_PS1 If set, PS1 will be set to its value
@@ -517,13 +521,9 @@ AAUUTTHHOORRSS
Many people have worked on ssuuddoo over the years; this version consists Many people have worked on ssuuddoo over the years; this version consists
of code written primarily by: of code written primarily by:
Todd C. Miller
See the HISTORY file in the ssuuddoo distribution or visit
1.7 March 18, 2008 8
1.7 March 2, 2008 8
@@ -532,6 +532,9 @@ AAUUTTHHOORRSS
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m) SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
Todd C. Miller
See the HISTORY file in the ssuuddoo distribution or visit
http://www.sudo.ws/sudo/history.html for a short history of ssuuddoo. http://www.sudo.ws/sudo/history.html for a short history of ssuuddoo.
CCAAVVEEAATTSS CCAAVVEEAATTSS
@@ -586,9 +589,6 @@ DDIISSCCLLAAIIMMEERR
1.7 March 18, 2008 9
1.7 March 2, 2008 9

3
sudo.h

@@ -114,6 +114,7 @@ struct sudo_user {
#define MODE_RESET_HOME 0x04000 #define MODE_RESET_HOME 0x04000
#define MODE_PRESERVE_GROUPS 0x08000 #define MODE_PRESERVE_GROUPS 0x08000
#define MODE_PRESERVE_ENV 0x10000 #define MODE_PRESERVE_ENV 0x10000
#define MODE_NONINTERACTIVE 0x20000
/* /*
* Used with set_perms() * Used with set_perms()
@@ -236,7 +237,7 @@ int mkstemp __P((char *));
char *sudo_goodpath __P((const char *, struct stat *)); char *sudo_goodpath __P((const char *, struct stat *));
char *tgetpass __P((const char *, int, int)); char *tgetpass __P((const char *, int, int));
int find_path __P((char *, char **, struct stat *, char *)); int find_path __P((char *, char **, struct stat *, char *));
void check_user __P((int)); void check_user __P((int, int));
void verify_user __P((struct passwd *, char *)); void verify_user __P((struct passwd *, char *));
#ifdef HAVE_LDAP #ifdef HAVE_LDAP
int sudo_ldap_open __P((struct sudo_nss *)); int sudo_ldap_open __P((struct sudo_nss *));


@@ -150,17 +150,17 @@
.\" ======================================================================== .\" ========================================================================
.\" .\"
.IX Title "SUDO @mansectsu@" .IX Title "SUDO @mansectsu@"
.TH SUDO @mansectsu@ "March 2, 2008" "1.7" "MAINTENANCE COMMANDS" .TH SUDO @mansectsu@ "March 18, 2008" "1.7" "MAINTENANCE COMMANDS"
.SH "NAME" .SH "NAME"
sudo, sudoedit \- execute a command as another user sudo, sudoedit \- execute a command as another user
.SH "SYNOPSIS" .SH "SYNOPSIS"
.IX Header "SYNOPSIS" .IX Header "SYNOPSIS"
\&\fBsudo\fR \fB\-h\fR | \fB\-K\fR | \fB\-k\fR | \fB\-L\fR | \fB\-V\fR | \fB\-v\fR \&\fBsudo\fR [\fB\-n\fR] \fB\-h\fR | \fB\-K\fR | \fB\-k\fR | \fB\-L\fR | \fB\-V\fR | \fB\-v\fR
.PP .PP
\&\fBsudo\fR \fB\-l[l]\fR [\fB\-AS\fR] [\fB\-g\fR\ \fIgroupname\fR|\fI#gid\fR] [\fB\-U\fR\ \fIusername\fR] \&\fBsudo\fR \fB\-l[l]\fR [\fB\-AnS\fR] [\fB\-g\fR\ \fIgroupname\fR|\fI#gid\fR] [\fB\-U\fR\ \fIusername\fR]
[\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] [\fIcommand\fR] [\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] [\fIcommand\fR]
.PP .PP
\&\fBsudo\fR [\fB\-AbEHPS\fR] \&\fBsudo\fR [\fB\-AbEHnPS\fR]
@BAMAN@[\fB\-a\fR\ \fIauth_type\fR] @BAMAN@[\fB\-a\fR\ \fIauth_type\fR]
[\fB\-C\fR\ \fIfd\fR] [\fB\-C\fR\ \fIfd\fR]
@LCMAN@[\fB\-c\fR\ \fIclass\fR|\fI\-\fR] @LCMAN@[\fB\-c\fR\ \fIclass\fR|\fI\-\fR]
@@ -169,7 +169,7 @@ sudo, sudoedit \- execute a command as another user
[\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] [\fB\-u\fR\ \fIusername\fR|\fI#uid\fR]
[\fB\s-1VAR\s0\fR=\fIvalue\fR] [{\fB\-i\fR\ |\ \fB\-s\fR]\ [<\fIcommand\fR}] [\fB\s-1VAR\s0\fR=\fIvalue\fR] [{\fB\-i\fR\ |\ \fB\-s\fR]\ [<\fIcommand\fR}]
.PP .PP
\&\fBsudoedit\fR [\fB\-AS\fR] \&\fBsudoedit\fR [\fB\-AnS\fR]
@BAMAN@[\fB\-a\fR\ \fIauth_type\fR] @BAMAN@[\fB\-a\fR\ \fIauth_type\fR]
[\fB\-C\fR\ \fIfd\fR] [\fB\-C\fR\ \fIfd\fR]
@LCMAN@[\fB\-c\fR\ \fIclass\fR|\fI\-\fR] @LCMAN@[\fB\-c\fR\ \fIclass\fR|\fI\-\fR]
@@ -362,6 +362,11 @@ command line arguments. If \fIcommand\fR is specified but not allowed,
\&\fBsudo\fR will exit with a return value of 1. If the \fB\-l\fR flag is \&\fBsudo\fR will exit with a return value of 1. If the \fB\-l\fR flag is
specified with an \fBl\fR argument (i.e. \fB\-ll\fR), or if \fB\-l\fR specified with an \fBl\fR argument (i.e. \fB\-ll\fR), or if \fB\-l\fR
is specified multiple times, a longer list format is used. is specified multiple times, a longer list format is used.
.IP "\-n" 12
.IX Item "-n"
The \fB\-n\fR (\fInon-interactive\fR) option prevents \fBsudo\fR from prompting
the user for a password. If a password is required for the command
to run, \fBsudo\fR will display an error messages and exit.
.IP "\-P" 12 .IP "\-P" 12
.IX Item "-P" .IX Item "-P"
The \fB\-P\fR (\fIpreserve\fR \fIgroup vector\fR) option causes \fBsudo\fR to The \fB\-P\fR (\fIpreserve\fR \fIgroup vector\fR) option causes \fBsudo\fR to


@@ -27,12 +27,12 @@ sudo, sudoedit - execute a command as another user
=head1 SYNOPSIS =head1 SYNOPSIS
B<sudo> B<-h> | B<-K> | B<-k> | B<-L> | B<-V> | B<-v> B<sudo> [B<-n>] B<-h> | B<-K> | B<-k> | B<-L> | B<-V> | B<-v>
B<sudo> B<-l[l]> [B<-AS>] S<[B<-g> I<groupname>|I<#gid>]> S<[B<-U> I<username>]> B<sudo> B<-l[l]> [B<-AnS>] S<[B<-g> I<groupname>|I<#gid>]> S<[B<-U> I<username>]>
S<[B<-u> I<username>|I<#uid>]> [I<command>] S<[B<-u> I<username>|I<#uid>]> [I<command>]
B<sudo> [B<-AbEHPS>] B<sudo> [B<-AbEHnPS>]
S<[B<-a> I<auth_type>]> S<[B<-a> I<auth_type>]>
S<[B<-C> I<fd>]> S<[B<-C> I<fd>]>
S<[B<-c> I<class>|I<->]> S<[B<-c> I<class>|I<->]>
@@ -41,7 +41,7 @@ S<[B<-r> I<role>]> S<[B<-t> I<type>]>
S<[B<-u> I<username>|I<#uid>]> S<[B<-u> I<username>|I<#uid>]>
S<[B<VAR>=I<value>]> [S<{B<-i> | B<-s>] [<I<command>}>] S<[B<VAR>=I<value>]> [S<{B<-i> | B<-s>] [<I<command>}>]
B<sudoedit> [B<-AS>] B<sudoedit> [B<-AnS>]
S<[B<-a> I<auth_type>]> S<[B<-a> I<auth_type>]>
S<[B<-C> I<fd>]> S<[B<-C> I<fd>]>
S<[B<-c> I<class>|I<->]> S<[B<-c> I<class>|I<->]>
@@ -260,6 +260,12 @@ B<sudo> will exit with a return value of 1. If the B<-l> flag is
specified with an B<l> argument (i.e. B<-ll>), or if B<-l> specified with an B<l> argument (i.e. B<-ll>), or if B<-l>
is specified multiple times, a longer list format is used. is specified multiple times, a longer list format is used.
=item -n
The B<-n> (I<non-interactive>) option prevents B<sudo> from prompting
the user for a password. If a password is required for the command
to run, B<sudo> will display an error messages and exit.
=item -P =item -P
The B<-P> (I<preserve> I<group vector>) option causes B<sudo> to The B<-P> (I<preserve> I<group vector>) option causes B<sudo> to


@@ -5,9 +5,9 @@
* Usage strings for sudo. These are here because we * Usage strings for sudo. These are here because we
* need to be able to substitute values from configure. * need to be able to substitute values from configure.
*/ */
#define SUDO_USAGE1 " -h | -K | -k | -L | -V | -v" #define SUDO_USAGE1 " [-n] -h | -K | -k | -L | -V | -v"
#define SUDO_USAGE2 " -l[l] [-AS] [-g groupname|#gid] [-U username] [-u username|#uid] [-g groupname|#gid] [command]" #define SUDO_USAGE2 " -l[l] [-AnS] [-g groupname|#gid] [-U username] [-u username|#uid] [-g groupname|#gid] [command]"
#define SUDO_USAGE3 " [-AbEHPS] @BSDAUTH_USAGE@@SELINUX_USAGE@[-C fd] @LOGINCAP_USAGE@[-g groupname|#gid] [-p prompt] [-u username|#uid] [-g groupname|#gid] [VAR=value] [-i|-s] [<command>]" #define SUDO_USAGE3 " [-AbEHnPS] @BSDAUTH_USAGE@@SELINUX_USAGE@[-C fd] @LOGINCAP_USAGE@[-g groupname|#gid] [-p prompt] [-u username|#uid] [-g groupname|#gid] [VAR=value] [-i|-s] [<command>]"
#define SUDO_USAGE4 " -e [-AS] @BSDAUTH_USAGE@@SELINUX_USAGE@[-C fd] @LOGINCAP_USAGE@[-g groupname|#gid] [-p prompt] [-u username|#uid] file ..." #define SUDO_USAGE4 " -e [-AnS] @BSDAUTH_USAGE@@SELINUX_USAGE@[-C fd] @LOGINCAP_USAGE@[-g groupname|#gid] [-p prompt] [-u username|#uid] file ..."
#endif /* _SUDO_USAGE_H */ #endif /* _SUDO_USAGE_H */