isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add case_insensitive_group and case_insensitive_user sudoers options,

Browse Source 
which are enabled by default.
This commit is contained in:
Todd C. Miller
2018-03-05 10:42:02 -07:00
parent 6014b4075c
commit e26ef96a65
11 changed files with 90 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
doc/sudoers.cat
View File

@@ -950,6 +950,18 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
the PASSWD and NOPASSWD tags. This flag is _o_n by the PASSWD and NOPASSWD tags. This flag is _o_n by
default. default.
case_insensitive_group
If enabled, group names in _s_u_d_o_e_r_s will be matched in a
case insentive manner. This may be necessary when
users are stored in LDAP or AD. This flag is _o_n by
default.
case_insensitive_user
If enabled, user names in _s_u_d_o_e_r_s will be matched in a
case insentive manner. This may be necessary when
groups are stored in LDAP or AD. This flag is _o_n by
default.
closefrom_override closefrom_override
If set, the user may use ssuuddoo's --CC option which If set, the user may use ssuuddoo's --CC option which
overrides the default starting point at which ssuuddoo overrides the default starting point at which ssuuddoo
@@ -2897,4 +2909,4 @@ DDIISSCCLLAAIIMMEERR
file distributed with ssuuddoo or https://www.sudo.ws/license.html for file distributed with ssuuddoo or https://www.sudo.ws/license.html for
complete details. complete details.
Sudo 1.8.23 February 26, 2018 Sudo 1.8.23 Sudo 1.8.23 March 5, 2018 Sudo 1.8.23

20
doc/sudoers.man.in
View File

@@ -21,7 +21,7 @@
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\" .\"
.TH "SUDOERS" "5" "February 26, 2018" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .TH "SUDOERS" "5" "March 5, 2018" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh .nh
.if n .ad l .if n .ad l
.SH "NAME" .SH "NAME"
@@ -2042,6 +2042,24 @@ This flag is
\fIon\fR \fIon\fR
by default. by default.
.TP 18n .TP 18n
case_insensitive_group
If enabled, group names in
\fIsudoers\fR
will be matched in a case insentive manner.
This may be necessary when users are stored in LDAP or AD.
This flag is
\fIon\fR
by default.
.TP 18n
case_insensitive_user
If enabled, user names in
\fIsudoers\fR
will be matched in a case insentive manner.
This may be necessary when groups are stored in LDAP or AD.
This flag is
\fIon\fR
by default.
.TP 18n
closefrom_override closefrom_override
If set, the user may use If set, the user may use
\fBsudo\fR's \fBsudo\fR's

18
doc/sudoers.mdoc.in
View File

@@ -19,7 +19,7 @@
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\" .\"
.Dd February 26, 2018 .Dd March 5, 2018
.Dt SUDOERS @mansectform@ .Dt SUDOERS @mansectform@
.Os Sudo @PACKAGE_VERSION@ .Os Sudo @PACKAGE_VERSION@
.Sh NAME .Sh NAME
@@ -1911,6 +1911,22 @@ tags.
This flag is This flag is
.Em on .Em on
by default. by default.
.It case_insensitive_group
If enabled, group names in
.Em sudoers
will be matched in a case insentive manner.
This may be necessary when users are stored in LDAP or AD.
This flag is
.Em on
by default.
.It case_insensitive_user
If enabled, user names in
.Em sudoers
will be matched in a case insentive manner.
This may be necessary when groups are stored in LDAP or AD.
This flag is
.Em on
by default.
.It closefrom_override .It closefrom_override
If set, the user may use If set, the user may use
.Nm sudo Ns 's .Nm sudo Ns 's

8
plugins/sudoers/def_data.c
View File

@@ -485,6 +485,14 @@ struct sudo_defs_types sudo_defs_table[] = {
"authfail_message", T_STR, "authfail_message", T_STR,
N_("Authentication failure message: %s"), N_("Authentication failure message: %s"),
NULL, NULL,
}, {
"case_insensitive_user", T_FLAG,
N_("Ignore case when matching user names"),
NULL,
}, {
"case_insensitive_group", T_FLAG,
N_("Ignore case when matching group names"),
NULL,
}, { }, {
NULL, 0, NULL NULL, 0, NULL
} }

4
plugins/sudoers/def_data.h
View File

@@ -222,6 +222,10 @@
#define def_timestamp_type (sudo_defs_table[I_TIMESTAMP_TYPE].sd_un.tuple) #define def_timestamp_type (sudo_defs_table[I_TIMESTAMP_TYPE].sd_un.tuple)
#define I_AUTHFAIL_MESSAGE 111 #define I_AUTHFAIL_MESSAGE 111
#define def_authfail_message (sudo_defs_table[I_AUTHFAIL_MESSAGE].sd_un.str) #define def_authfail_message (sudo_defs_table[I_AUTHFAIL_MESSAGE].sd_un.str)
#define I_CASE_INSENSITIVE_USER 112
#define def_case_insensitive_user (sudo_defs_table[I_CASE_INSENSITIVE_USER].sd_un.flag)
#define I_CASE_INSENSITIVE_GROUP 113
#define def_case_insensitive_group (sudo_defs_table[I_CASE_INSENSITIVE_GROUP].sd_un.flag)
enum def_tuple { enum def_tuple {
never, never,

6
plugins/sudoers/def_data.in
View File

@@ -351,3 +351,9 @@ timestamp_type
authfail_message authfail_message
T_STR T_STR
"Authentication failure message: %s" "Authentication failure message: %s"
case_insensitive_user
T_FLAG
"Ignore case when matching user names"
case_insensitive_group
T_FLAG
"Ignore case when matching group names"

2
plugins/sudoers/defaults.c
View File

@@ -637,6 +637,8 @@ init_defaults(void)
def_set_utmp = true; def_set_utmp = true;
def_pam_setcred = true; def_pam_setcred = true;
def_syslog_maxlen = MAXSYSLOGLEN; def_syslog_maxlen = MAXSYSLOGLEN;
def_case_insensitive_user = true;
def_case_insensitive_group = true;
/* Reset the locale. */ /* Reset the locale. */
if (!firsttime) { if (!firsttime) {

4
plugins/sudoers/ldap.c
View File

@@ -435,7 +435,7 @@ sudo_ldap_check_runas_user(LDAP *ld, LDAPMessage *entry, int *group_matched)
* No runas user entries but have a matching runas group entry. * No runas user entries but have a matching runas group entry.
* If trying to run as the invoking user, allow it. * If trying to run as the invoking user, allow it.
*/ */
if (strcmp(user_name, runas_pw->pw_name) == 0) if (userpw_matches(user_name, runas_pw->pw_name, runas_pw))
ret = true; ret = true;
break; break;
} }
@@ -475,7 +475,7 @@ sudo_ldap_check_runas_user(LDAP *ld, LDAPMessage *entry, int *group_matched)
case '\0': case '\0':
/* Empty RunAsUser means run as the invoking user. */ /* Empty RunAsUser means run as the invoking user. */
if (ISSET(sudo_user.flags, RUNAS_USER_SPECIFIED) && if (ISSET(sudo_user.flags, RUNAS_USER_SPECIFIED) &&
strcmp(user_name, runas_pw->pw_name) == 0) userpw_matches(user_name, runas_pw->pw_name, runas_pw))
ret = true; ret = true;
break; break;
case 'A': case 'A':

10
plugins/sudoers/match.c
View File

@@ -980,7 +980,10 @@ userpw_matches(const char *sudoers_user, const char *user, const struct passwd *
goto done; goto done;
} }
} }
rc = strcasecmp(sudoers_user, user) == 0; if (def_case_insensitive_user)
rc = strcasecmp(sudoers_user, user) == 0;
else
rc = strcmp(sudoers_user, user) == 0;
done: done:
sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_LINENO, sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_LINENO,
"user %s matches sudoers user %s: %s", "user %s matches sudoers user %s: %s",
@@ -1007,7 +1010,10 @@ group_matches(const char *sudoers_group, const struct group *gr)
goto done; goto done;
} }
} }
rc = strcasecmp(sudoers_group, gr->gr_name) == 0; if (def_case_insensitive_group)
rc = strcasecmp(sudoers_group, gr->gr_name) == 0;
else
rc = strcmp(sudoers_group, gr->gr_name) == 0;
done: done:
sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_LINENO, sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_LINENO,
"group %s matches sudoers group %s: %s", "group %s matches sudoers group %s: %s",

10
plugins/sudoers/pwutil.c
View File

@@ -1034,9 +1034,15 @@ user_in_group(const struct passwd *pw, const char *group)
} }
} }
} else if ((grlist = sudo_get_grlist(pw)) != NULL) { } else if ((grlist = sudo_get_grlist(pw)) != NULL) {
int (*compare)(const char *, const char *);
if (def_case_insensitive_group)
compare = strcasecmp;
else
compare = strcmp;
/* Check the supplementary group vector. */ /* Check the supplementary group vector. */
for (i = 0; i < grlist->ngroups; i++) { for (i = 0; i < grlist->ngroups; i++) {
if (strcasecmp(group, grlist->groups[i]) == 0) { if (compare(group, grlist->groups[i]) == 0) {
matched = true; matched = true;
goto done; goto done;
} }
@@ -1044,7 +1050,7 @@ user_in_group(const struct passwd *pw, const char *group)
/* Check against user's primary (passwd file) group. */ /* Check against user's primary (passwd file) group. */
if ((grp = sudo_getgrgid(pw->pw_gid)) != NULL) { if ((grp = sudo_getgrgid(pw->pw_gid)) != NULL) {
if (strcasecmp(group, grp->gr_name) == 0) { if (compare(group, grp->gr_name) == 0) {
matched = true; matched = true;
goto done; goto done;
} }

6
plugins/sudoers/sssd.c
View File

@@ -455,7 +455,7 @@ sudo_sss_open(struct sudo_nss *nss)
* If runhost is the same as the local host, check for ipa_hostname * If runhost is the same as the local host, check for ipa_hostname
* in sssd.conf and use it in preference to user_runhost. * in sssd.conf and use it in preference to user_runhost.
*/ */
if (strcmp(user_runhost, user_host) == 0) { if (strcasecmp(user_runhost, user_host) == 0) {
if (get_ipa_hostname(&handle->ipa_shost, &handle->ipa_host) == -1) { if (get_ipa_hostname(&handle->ipa_shost, &handle->ipa_host) == -1) {
free(handle); free(handle);
debug_return_int(ENOMEM); debug_return_int(ENOMEM);
@@ -607,7 +607,7 @@ sudo_sss_check_runas_user(struct sudo_sss_handle *handle, struct sss_sudo_rule *
* If trying to run as the invoking user, allow it. * If trying to run as the invoking user, allow it.
*/ */
sudo_debug_printf(SUDO_DEBUG_INFO, "Matching against user_name"); sudo_debug_printf(SUDO_DEBUG_INFO, "Matching against user_name");
if (strcmp(user_name, runas_pw->pw_name) == 0) if (userpw_matches(user_name, runas_pw->pw_name, runas_pw))
ret = true; ret = true;
break; break;
} }
@@ -660,7 +660,7 @@ sudo_sss_check_runas_user(struct sudo_sss_handle *handle, struct sss_sudo_rule *
case '\0': case '\0':
/* Empty RunAsUser means run as the invoking user. */ /* Empty RunAsUser means run as the invoking user. */
if (ISSET(sudo_user.flags, RUNAS_USER_SPECIFIED) && if (ISSET(sudo_user.flags, RUNAS_USER_SPECIFIED) &&
strcmp(user_name, runas_pw->pw_name) == 0) userpw_matches(user_name, runas_pw->pw_name, runas_pw))
ret = true; ret = true;
break; break;
case 'A': case 'A':