Add a new flag "allow_unknown_runas_id" to control matching of unknown IDs.

Previous, sudo would always allow unknown user or group IDs if the sudoers entry permitted it. This included the "ALL" alias. With this change, the admin must explicitly enable support for unknown IDs.
2019-12-09 17:14:06 -07:00
parent d7b4f88658
commit df8f06609c
7 changed files with 71 additions and 4 deletions
--- a/plugins/sudoers/def_data.c
+++ b/plugins/sudoers/def_data.c
@@ -525,6 +525,10 @@ struct sudo_defs_types sudo_defs_table[] = {
 	"log_server_peer_key", T_STR|T_BOOL|T_PATH,
 	N_("Path to the sudoers private key file: %s"),
 	NULL,
+    }, {
+	"runas_allow_unknown_id", T_FLAG,
+	N_("Allow the use of unknown runas user and/or group ID"),
+	NULL,
    }, {
 	NULL, 0, NULL
    }