isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Allow ldap_conf and ldap_secret to be specified as plugin arguments

Browse Source 
in sudo.conf
This commit is contained in:
Todd C. Miller
2013-04-25 14:49:02 -04:00
parent 67dad9a83c
commit fa6c857112
10 changed files with 103 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
NEWS
View File

@@ -94,6 +94,9 @@ What's new in Sudo 1.8.7?
or the description of sudoCommand in the sudoers.ldap manual for or the description of sudoCommand in the sudoers.ldap manual for
details. details.
* The paths to ldap.conf and ldap.secret may now be specified as
arguments to the sudoers plugin in the sudo.conf file.
What's new in Sudo 1.8.6p8? What's new in Sudo 1.8.6p8?
* Terminal detection now works properly on 64-bit AIX kernels. * Terminal detection now works properly on 64-bit AIX kernels.

16
doc/sudoers.cat
View File

@@ -30,22 +30,30 @@ DDEESSCCRRIIPPTTIIOONN
The following plugin arguments are supported: The following plugin arguments are supported:
ldap_conf=pathname
The _l_d_a_p___c_o_n_f argument can be used to override the default path
to the _l_d_a_p_._c_o_n_f file.
ldap_secret=pathname
The _l_d_a_p___s_e_c_r_e_t argument can be used to override the default
path to the _l_d_a_p_._s_e_c_r_e_t file.
sudoers_file=pathname sudoers_file=pathname
The _s_u_d_o_e_r_s___f_i_l_e arguments can be used to override the default The _s_u_d_o_e_r_s___f_i_l_e argument can be used to override the default
path to the _s_u_d_o_e_r_s file. path to the _s_u_d_o_e_r_s file.
sudoers_uid=uid sudoers_uid=uid
The _s_u_d_o_e_r_s___u_i_d arguments can be used to override the default The _s_u_d_o_e_r_s___u_i_d argument can be used to override the default
owner of the sudoers file. It should be specified as a numeric owner of the sudoers file. It should be specified as a numeric
user ID. user ID.
sudoers_gid=gid sudoers_gid=gid
The _s_u_d_o_e_r_s___g_i_d arguments can be used to override the default The _s_u_d_o_e_r_s___g_i_d argument can be used to override the default
group of the sudoers file. It must be specified as a numeric group of the sudoers file. It must be specified as a numeric
group ID (not a group name). group ID (not a group name).
sudoers_mode=mode sudoers_mode=mode
The _s_u_d_o_e_r_s___m_o_d_e arguments can be used to override the default The _s_u_d_o_e_r_s___m_o_d_e argument can be used to override the default
file mode for the sudoers file. It should be specified as an file mode for the sudoers file. It should be specified as an
octal value. octal value.

9
doc/sudoers.ldap.cat
View File

@@ -274,7 +274,8 @@ DDEESSCCRRIIPPTTIIOONN
Typically, this file is shared between different LDAP-aware clients. As Typically, this file is shared between different LDAP-aware clients. As
such, most of the settings are not ssuuddoo-specific. Note that ssuuddoo parses such, most of the settings are not ssuuddoo-specific. Note that ssuuddoo parses
_/_e_t_c_/_l_d_a_p_._c_o_n_f itself and may support options that differ from those _/_e_t_c_/_l_d_a_p_._c_o_n_f itself and may support options that differ from those
described in the system's ldap.conf(1m) manual. described in the system's ldap.conf(1m) manual. The path to _l_d_a_p_._c_o_n_f may
be overridden via the _l_d_a_p___c_o_n_f plugin argument in sudo.conf(4).
Also note that on systems using the OpenLDAP libraries, default values Also note that on systems using the OpenLDAP libraries, default values
specified in _/_e_t_c_/_o_p_e_n_l_d_a_p_/_l_d_a_p_._c_o_n_f or the user's _._l_d_a_p_r_c files are not specified in _/_e_t_c_/_o_p_e_n_l_d_a_p_/_l_d_a_p_._c_o_n_f or the user's _._l_d_a_p_r_c files are not
@@ -379,8 +380,10 @@ DDEESSCCRRIIPPTTIIOONN
The RROOOOTTBBIINNDDDDNN parameter specifies the identity, in the form of a The RROOOOTTBBIINNDDDDNN parameter specifies the identity, in the form of a
Distinguished Name (DN), to use when performing privileged LDAP Distinguished Name (DN), to use when performing privileged LDAP
operations, such as _s_u_d_o_e_r_s queries. The password corresponding to operations, such as _s_u_d_o_e_r_s queries. The password corresponding to
the identity should be stored in _/_e_t_c_/_l_d_a_p_._s_e_c_r_e_t. If not the identity should be stored in the or the path specified by the
specified, the BBIINNDDDDNN identity is used (if any). _l_d_a_p___s_e_c_r_e_t plugin argument in sudo.conf(4), which defaults to
_/_e_t_c_/_l_d_a_p_._s_e_c_r_e_t. If no RROOOOTTBBIINNDDDDNN is specified, the BBIINNDDDDNN
identity is used (if any).
LLDDAAPP__VVEERRSSIIOONN _n_u_m_b_e_r LLDDAAPP__VVEERRSSIIOONN _n_u_m_b_e_r
The version of the LDAP protocol to use when connecting to the The version of the LDAP protocol to use when connecting to the

18
doc/sudoers.ldap.man.in
View File

@@ -491,6 +491,12 @@ itself and may support options that differ from those described in the
system's system's
ldap.conf(@mansectsu@) ldap.conf(@mansectsu@)
manual. manual.
The path to
\fIldap.conf\fR
may be overridden via the
\fIldap_conf\fR
plugin argument in
sudo.conf(@mansectform@).
.PP .PP
Also note that on systems using the OpenLDAP libraries, default Also note that on systems using the OpenLDAP libraries, default
values specified in values specified in
@@ -693,10 +699,16 @@ parameter specifies the identity, in the form of a Distinguished Name (DN),
to use when performing privileged LDAP operations, such as to use when performing privileged LDAP operations, such as
\fIsudoers\fR \fIsudoers\fR
queries. queries.
The password corresponding The password corresponding to the identity should be stored in the
to the identity should be stored in or the path specified by the
\fIldap_secret\fR
plugin argument in
sudo.conf(@mansectform@),
which defaults to
\fI@ldap_secret@\fR. \fI@ldap_secret@\fR.
If not specified, the If no
\fBROOTBINDDN\fR
is specified, the
\fBBINDDN\fR \fBBINDDN\fR
identity is used (if any). identity is used (if any).
.TP 6n .TP 6n

18
doc/sudoers.ldap.mdoc.in
View File

@@ -460,6 +460,12 @@ itself and may support options that differ from those described in the
system's system's
.Xr ldap.conf @mansectsu@ .Xr ldap.conf @mansectsu@
manual. manual.
The path to
.Pa ldap.conf
may be overridden via the
.Em ldap_conf
plugin argument in
.Xr sudo.conf @mansectform@ .
.Pp .Pp
Also note that on systems using the OpenLDAP libraries, default Also note that on systems using the OpenLDAP libraries, default
values specified in values specified in
@@ -649,10 +655,16 @@ parameter specifies the identity, in the form of a Distinguished Name (DN),
to use when performing privileged LDAP operations, such as to use when performing privileged LDAP operations, such as
.Em sudoers .Em sudoers
queries. queries.
The password corresponding The password corresponding to the identity should be stored in the
to the identity should be stored in or the path specified by the
.Em ldap_secret
plugin argument in
.Xr sudo.conf @mansectform@ ,
which defaults to
.Pa @ldap_secret@ . .Pa @ldap_secret@ .
If not specified, the If no
.Sy ROOTBINDDN
is specified, the
.Sy BINDDN .Sy BINDDN
identity is used (if any). identity is used (if any).
.It Sy LDAP_VERSION Ar number .It Sy LDAP_VERSION Ar number

23
doc/sudoers.man.in
View File

@@ -94,30 +94,43 @@ Plugin sudoers_policy sudoers.so sudoers_mode=0400
.PP .PP
The following plugin arguments are supported: The following plugin arguments are supported:
.TP 10n .TP 10n
ldap_conf=pathname
The
\fIldap_conf\fR
argument can be used to override the default path to the
\fIldap.conf\fR
file.
.TP 10n
ldap_secret=pathname
The
\fIldap_secret\fR
argument can be used to override the default path to the
\fIldap.secret\fR
file.
.TP 10n
sudoers_file=pathname sudoers_file=pathname
The The
\fIsudoers_file\fR \fIsudoers_file\fR
arguments can be used to override the default path argument can be used to override the default path to the
to the
\fIsudoers\fR \fIsudoers\fR
file. file.
.TP 10n .TP 10n
sudoers_uid=uid sudoers_uid=uid
The The
\fIsudoers_uid\fR \fIsudoers_uid\fR
arguments can be used to override the default owner of the sudoers file. argument can be used to override the default owner of the sudoers file.
It should be specified as a numeric user ID. It should be specified as a numeric user ID.
.TP 10n .TP 10n
sudoers_gid=gid sudoers_gid=gid
The The
\fIsudoers_gid\fR \fIsudoers_gid\fR
arguments can be used to override the default group of the sudoers file. argument can be used to override the default group of the sudoers file.
It must be specified as a numeric group ID (not a group name). It must be specified as a numeric group ID (not a group name).
.TP 10n .TP 10n
sudoers_mode=mode sudoers_mode=mode
The The
\fIsudoers_mode\fR \fIsudoers_mode\fR
arguments can be used to override the default file mode for the sudoers file. argument can be used to override the default file mode for the sudoers file.
It should be specified as an octal value. It should be specified as an octal value.
.PP .PP
For more information on configuring For more information on configuring

21
doc/sudoers.mdoc.in
View File

@@ -86,27 +86,38 @@ Plugin sudoers_policy sudoers.so sudoers_mode=0400
.Pp .Pp
The following plugin arguments are supported: The following plugin arguments are supported:
.Bl -tag -width 8n .Bl -tag -width 8n
.It ldap_conf=pathname
The
.Em ldap_conf
argument can be used to override the default path to the
.Pa ldap.conf
file.
.It ldap_secret=pathname
The
.Em ldap_secret
argument can be used to override the default path to the
.Pa ldap.secret
file.
.It sudoers_file=pathname .It sudoers_file=pathname
The The
.Em sudoers_file .Em sudoers_file
arguments can be used to override the default path argument can be used to override the default path to the
to the
.Em sudoers .Em sudoers
file. file.
.It sudoers_uid=uid .It sudoers_uid=uid
The The
.Em sudoers_uid .Em sudoers_uid
arguments can be used to override the default owner of the sudoers file. argument can be used to override the default owner of the sudoers file.
It should be specified as a numeric user ID. It should be specified as a numeric user ID.
.It sudoers_gid=gid .It sudoers_gid=gid
The The
.Em sudoers_gid .Em sudoers_gid
arguments can be used to override the default group of the sudoers file. argument can be used to override the default group of the sudoers file.
It must be specified as a numeric group ID (not a group name). It must be specified as a numeric group ID (not a group name).
.It sudoers_mode=mode .It sudoers_mode=mode
The The
.Em sudoers_mode .Em sudoers_mode
arguments can be used to override the default file mode for the sudoers file. argument can be used to override the default file mode for the sudoers file.
It should be specified as an octal value. It should be specified as an octal value.
.El .El
.Pp .Pp

8
plugins/sudoers/ldap.c
View File

@@ -593,7 +593,7 @@ sudo_ldap_init(LDAP **ldp, const char *host, int port)
ldapssl_err2string(rc)); ldapssl_err2string(rc));
if (ldap_conf.tls_certfile == NULL) if (ldap_conf.tls_certfile == NULL)
warningx(_("you must set TLS_CERT in %s to use SSL"), warningx(_("you must set TLS_CERT in %s to use SSL"),
_PATH_LDAP_CONF); path_ldap_conf);
goto done; goto done;
} }
@@ -1368,7 +1368,7 @@ sudo_ldap_read_secret(const char *path)
char buf[LINE_MAX], *cp; char buf[LINE_MAX], *cp;
debug_decl(sudo_ldap_read_secret, SUDO_DEBUG_LDAP) debug_decl(sudo_ldap_read_secret, SUDO_DEBUG_LDAP)
if ((fp = fopen(_PATH_LDAP_SECRET, "r")) != NULL) { if ((fp = fopen(path_ldap_secret, "r")) != NULL) {
if (fgets(buf, sizeof(buf), fp) != NULL) { if (fgets(buf, sizeof(buf), fp) != NULL) {
if ((cp = strchr(buf, '\n')) != NULL) if ((cp = strchr(buf, '\n')) != NULL)
*cp = '\0'; *cp = '\0';
@@ -1460,7 +1460,7 @@ sudo_ldap_read_config(void)
ldap_conf.rootuse_sasl = -1; ldap_conf.rootuse_sasl = -1;
ldap_conf.deref = -1; ldap_conf.deref = -1;
if ((fp = fopen(_PATH_LDAP_CONF, "r")) == NULL) if ((fp = fopen(path_ldap_conf, "r")) == NULL)
debug_return_bool(false); debug_return_bool(false);
while (sudo_parseln(&line, &linesize, NULL, fp) != -1) { while (sudo_parseln(&line, &linesize, NULL, fp) != -1) {
@@ -1635,7 +1635,7 @@ sudo_ldap_read_config(void)
/* If rootbinddn set, read in /etc/ldap.secret if it exists. */ /* If rootbinddn set, read in /etc/ldap.secret if it exists. */
if (ldap_conf.rootbinddn) if (ldap_conf.rootbinddn)
sudo_ldap_read_secret(_PATH_LDAP_SECRET); sudo_ldap_read_secret(path_ldap_secret);
#ifdef HAVE_LDAP_SASL_INTERACTIVE_BIND_S #ifdef HAVE_LDAP_SASL_INTERACTIVE_BIND_S
/* /*

14
plugins/sudoers/policy.c
View File

@@ -69,6 +69,8 @@ struct sudoers_exec_args {
static int sudo_version; static int sudo_version;
static const char *interfaces_string; static const char *interfaces_string;
sudo_conv_t sudo_conv; sudo_conv_t sudo_conv;
const char *path_ldap_conf = _PATH_LDAP_CONF;
const char *path_ldap_secret = _PATH_LDAP_SECRET;
extern __dso_public struct policy_plugin sudoers_policy; extern __dso_public struct policy_plugin sudoers_policy;
@@ -112,6 +114,14 @@ sudoers_policy_deserialize_info(void *v, char **runas_user, char **runas_group)
NULL, 8); NULL, 8);
continue; continue;
} }
if (MATCHES(*cur, "ldap_conf=")) {
path_ldap_conf = *cur + sizeof("ldap_conf=") - 1;
continue;
}
if (MATCHES(*cur, "ldap_secret=")) {
path_ldap_secret = *cur + sizeof("ldap_secret=") - 1;
continue;
}
} }
} }
@@ -667,8 +677,8 @@ sudoers_policy_version(int verbose)
# ifdef _PATH_NSSWITCH_CONF # ifdef _PATH_NSSWITCH_CONF
sudo_printf(SUDO_CONV_INFO_MSG, _("nsswitch path: %s\n"), _PATH_NSSWITCH_CONF); sudo_printf(SUDO_CONV_INFO_MSG, _("nsswitch path: %s\n"), _PATH_NSSWITCH_CONF);
# endif # endif
sudo_printf(SUDO_CONV_INFO_MSG, _("ldap.conf path: %s\n"), _PATH_LDAP_CONF); sudo_printf(SUDO_CONV_INFO_MSG, _("ldap.conf path: %s\n"), path_ldap_conf);
sudo_printf(SUDO_CONV_INFO_MSG, _("ldap.secret path: %s\n"), _PATH_LDAP_SECRET); sudo_printf(SUDO_CONV_INFO_MSG, _("ldap.secret path: %s\n"), path_ldap_secret);
#endif #endif
dump_auth_methods(); dump_auth_methods();
dump_defaults(); dump_defaults();

2
plugins/sudoers/sudoers.h
View File

@@ -365,6 +365,8 @@ void sudoers_cleanup(void);
/* policy.c */ /* policy.c */
int sudoers_policy_deserialize_info(void *v, char **runas_user, char **runas_group); int sudoers_policy_deserialize_info(void *v, char **runas_user, char **runas_group);
int sudoers_policy_exec_setup(char *argv[], char *envp[], mode_t cmnd_umask, char *iolog_path, void *v); int sudoers_policy_exec_setup(char *argv[], char *envp[], mode_t cmnd_umask, char *iolog_path, void *v);
extern const char *path_ldap_conf;
extern const char *path_ldap_secret;
/* aix.c */ /* aix.c */
void aix_restoreauthdb(void); void aix_restoreauthdb(void);