Allow ldap_conf and ldap_secret to be specified as plugin arguments

in sudo.conf
2013-04-25 14:49:02 -04:00
parent 67dad9a83c
commit fa6c857112
10 changed files with 103 additions and 29 deletions
--- a/3
+++ b/3
@@ -94,6 +94,9 @@ What's new in Sudo 1.8.7?
   or the description of sudoCommand in the sudoers.ldap manual for
   details.

+ * The paths to ldap.conf and ldap.secret may now be specified as
+   arguments to the sudoers plugin in the sudo.conf file.
+
 What's new in Sudo 1.8.6p8?

 * Terminal detection now works properly on 64-bit AIX kernels.
--- a/doc/sudoers.cat
+++ b/doc/sudoers.cat
@@ -30,22 +30,30 @@ DDEESSCCRRIIPPTTIIOONN

     The following plugin arguments are supported:

+     ldap_conf=pathname
+               The _l_d_a_p___c_o_n_f argument can be used to override the default path
+               to the _l_d_a_p_._c_o_n_f file.
+
+     ldap_secret=pathname
+               The _l_d_a_p___s_e_c_r_e_t argument can be used to override the default
+               path to the _l_d_a_p_._s_e_c_r_e_t file.
+
     sudoers_file=pathname
-               The _s_u_d_o_e_r_s___f_i_l_e arguments can be used to override the default
+               The _s_u_d_o_e_r_s___f_i_l_e argument can be used to override the default
               path to the _s_u_d_o_e_r_s file.

     sudoers_uid=uid
-               The _s_u_d_o_e_r_s___u_i_d arguments can be used to override the default
+               The _s_u_d_o_e_r_s___u_i_d argument can be used to override the default
               owner of the sudoers file.  It should be specified as a numeric
               user ID.

     sudoers_gid=gid
-               The _s_u_d_o_e_r_s___g_i_d arguments can be used to override the default
+               The _s_u_d_o_e_r_s___g_i_d argument can be used to override the default
               group of the sudoers file.  It must be specified as a numeric
               group ID (not a group name).

     sudoers_mode=mode
-               The _s_u_d_o_e_r_s___m_o_d_e arguments can be used to override the default
+               The _s_u_d_o_e_r_s___m_o_d_e argument can be used to override the default
               file mode for the sudoers file.  It should be specified as an
               octal value.

--- a/doc/sudoers.ldap.cat
+++ b/doc/sudoers.ldap.cat
@@ -274,7 +274,8 @@ DDEESSCCRRIIPPTTIIOONN
     Typically, this file is shared between different LDAP-aware clients.  As
     such, most of the settings are not ssuuddoo-specific. Note that ssuuddoo parses
     _/_e_t_c_/_l_d_a_p_._c_o_n_f itself and may support options that differ from those
-     described in the system's ldap.conf(1m) manual.
+     described in the system's ldap.conf(1m) manual.  The path to _l_d_a_p_._c_o_n_f may
+     be overridden via the _l_d_a_p___c_o_n_f plugin argument in sudo.conf(4).

     Also note that on systems using the OpenLDAP libraries, default values
     specified in _/_e_t_c_/_o_p_e_n_l_d_a_p_/_l_d_a_p_._c_o_n_f or the user's _._l_d_a_p_r_c files are not
@@ -379,8 +380,10 @@ DDEESSCCRRIIPPTTIIOONN
           The RROOOOTTBBIINNDDDDNN parameter specifies the identity, in the form of a
           Distinguished Name (DN), to use when performing privileged LDAP
           operations, such as _s_u_d_o_e_r_s queries.  The password corresponding to
-           the identity should be stored in _/_e_t_c_/_l_d_a_p_._s_e_c_r_e_t.  If not
-           specified, the BBIINNDDDDNN identity is used (if any).
+           the identity should be stored in the or the path specified by the
+           _l_d_a_p___s_e_c_r_e_t plugin argument in sudo.conf(4), which defaults to
+           _/_e_t_c_/_l_d_a_p_._s_e_c_r_e_t.  If no RROOOOTTBBIINNDDDDNN is specified, the BBIINNDDDDNN
+           identity is used (if any).

     LLDDAAPP__VVEERRSSIIOONN _n_u_m_b_e_r
           The version of the LDAP protocol to use when connecting to the
--- a/doc/sudoers.ldap.man.in
+++ b/doc/sudoers.ldap.man.in
@@ -491,6 +491,12 @@ itself and may support options that differ from those described in the
 system's
 ldap.conf(@mansectsu@)
 manual.
+The path to
+\fIldap.conf\fR
+may be overridden via the
+\fIldap_conf\fR
+plugin argument in
+sudo.conf(@mansectform@).
 .PP
 Also note that on systems using the OpenLDAP libraries, default
 values specified in
@@ -693,10 +699,16 @@ parameter specifies the identity, in the form of a Distinguished Name (DN),
 to use when performing privileged LDAP operations, such as
 \fIsudoers\fR
 queries.
-The password corresponding
-to the identity should be stored in
+The password corresponding to the identity should be stored in the
+or the path specified by the
+\fIldap_secret\fR
+plugin argument in
+sudo.conf(@mansectform@),
+which defaults to
 \fI@ldap_secret@\fR.
-If not specified, the
+If no
+\fBROOTBINDDN\fR
+is specified, the
 \fBBINDDN\fR
 identity is used (if any).
 .TP 6n
--- a/doc/sudoers.ldap.mdoc.in
+++ b/doc/sudoers.ldap.mdoc.in
@@ -460,6 +460,12 @@ itself and may support options that differ from those described in the
 system's
 .Xr ldap.conf @mansectsu@
 manual.
+The path to
+.Pa ldap.conf
+may be overridden via the
+.Em ldap_conf
+plugin argument in
+.Xr sudo.conf @mansectform@ .
 .Pp
 Also note that on systems using the OpenLDAP libraries, default
 values specified in
@@ -649,10 +655,16 @@ parameter specifies the identity, in the form of a Distinguished Name (DN),
 to use when performing privileged LDAP operations, such as
 .Em sudoers
 queries.
-The password corresponding
-to the identity should be stored in
+The password corresponding to the identity should be stored in the
+or the path specified by the
+.Em ldap_secret
+plugin argument in
+.Xr sudo.conf @mansectform@ ,
+which defaults to
 .Pa @ldap_secret@ .
-If not specified, the
+If no
+.Sy ROOTBINDDN
+is specified, the
 .Sy BINDDN
 identity is used (if any).
 .It Sy LDAP_VERSION Ar number
--- a/doc/sudoers.man.in
+++ b/doc/sudoers.man.in
@@ -94,30 +94,43 @@ Plugin sudoers_policy sudoers.so sudoers_mode=0400
 .PP
 The following plugin arguments are supported:
 .TP 10n
+ldap_conf=pathname
+The
+\fIldap_conf\fR
+argument can be used to override the default path to the
+\fIldap.conf\fR
+file.
+.TP 10n
+ldap_secret=pathname
+The
+\fIldap_secret\fR
+argument can be used to override the default path to the
+\fIldap.secret\fR
+file.
+.TP 10n
 sudoers_file=pathname
 The
 \fIsudoers_file\fR
-arguments can be used to override the default path
-to the
+argument can be used to override the default path to the
 \fIsudoers\fR
 file.
 .TP 10n
 sudoers_uid=uid
 The
 \fIsudoers_uid\fR
-arguments can be used to override the default owner of the sudoers file.
+argument can be used to override the default owner of the sudoers file.
 It should be specified as a numeric user ID.
 .TP 10n
 sudoers_gid=gid
 The
 \fIsudoers_gid\fR
-arguments can be used to override the default group of the sudoers file.
+argument can be used to override the default group of the sudoers file.
 It must be specified as a numeric group ID (not a group name).
 .TP 10n
 sudoers_mode=mode
 The
 \fIsudoers_mode\fR
-arguments can be used to override the default file mode for the sudoers file.
+argument can be used to override the default file mode for the sudoers file.
 It should be specified as an octal value.
 .PP
 For more information on configuring
--- a/doc/sudoers.mdoc.in
+++ b/doc/sudoers.mdoc.in
@@ -86,27 +86,38 @@ Plugin sudoers_policy sudoers.so sudoers_mode=0400
 .Pp
 The following plugin arguments are supported:
 .Bl -tag -width 8n
+.It ldap_conf=pathname
+The
+.Em ldap_conf
+argument can be used to override the default path to the
+.Pa ldap.conf
+file.
+.It ldap_secret=pathname
+The
+.Em ldap_secret
+argument can be used to override the default path to the
+.Pa ldap.secret
+file.
 .It sudoers_file=pathname
 The
 .Em sudoers_file
-arguments can be used to override the default path
-to the
+argument can be used to override the default path to the
 .Em sudoers
 file.
 .It sudoers_uid=uid
 The
 .Em sudoers_uid
-arguments can be used to override the default owner of the sudoers file.
+argument can be used to override the default owner of the sudoers file.
 It should be specified as a numeric user ID.
 .It sudoers_gid=gid
 The
 .Em sudoers_gid
-arguments can be used to override the default group of the sudoers file.
+argument can be used to override the default group of the sudoers file.
 It must be specified as a numeric group ID (not a group name).
 .It sudoers_mode=mode
 The
 .Em sudoers_mode
-arguments can be used to override the default file mode for the sudoers file.
+argument can be used to override the default file mode for the sudoers file.
 It should be specified as an octal value.
 .El
 .Pp
--- a/plugins/sudoers/ldap.c
+++ b/plugins/sudoers/ldap.c
@@ -593,7 +593,7 @@ sudo_ldap_init(LDAP **ldp, const char *host, int port)
 		ldapssl_err2string(rc));
 	    if (ldap_conf.tls_certfile == NULL)
 		warningx(_("you must set TLS_CERT in %s to use SSL"),
-		    _PATH_LDAP_CONF);
+		    path_ldap_conf);
 	    goto done;
 	}

@@ -1368,7 +1368,7 @@ sudo_ldap_read_secret(const char *path)
    char buf[LINE_MAX], *cp;
    debug_decl(sudo_ldap_read_secret, SUDO_DEBUG_LDAP)

-    if ((fp = fopen(_PATH_LDAP_SECRET, "r")) != NULL) {
+    if ((fp = fopen(path_ldap_secret, "r")) != NULL) {
 	if (fgets(buf, sizeof(buf), fp) != NULL) {
 	    if ((cp = strchr(buf, '\n')) != NULL)
 		*cp = '\0';
@@ -1460,7 +1460,7 @@ sudo_ldap_read_config(void)
    ldap_conf.rootuse_sasl = -1;
    ldap_conf.deref = -1;

-    if ((fp = fopen(_PATH_LDAP_CONF, "r")) == NULL)
+    if ((fp = fopen(path_ldap_conf, "r")) == NULL)
 	debug_return_bool(false);

    while (sudo_parseln(&line, &linesize, NULL, fp) != -1) {
@@ -1635,7 +1635,7 @@ sudo_ldap_read_config(void)

    /* If rootbinddn set, read in /etc/ldap.secret if it exists. */
    if (ldap_conf.rootbinddn)
-	sudo_ldap_read_secret(_PATH_LDAP_SECRET);
+	sudo_ldap_read_secret(path_ldap_secret);

 #ifdef HAVE_LDAP_SASL_INTERACTIVE_BIND_S
    /*
--- a/plugins/sudoers/policy.c
+++ b/plugins/sudoers/policy.c
@@ -69,6 +69,8 @@ struct sudoers_exec_args {
 static int sudo_version;
 static const char *interfaces_string;
 sudo_conv_t sudo_conv;
+const char *path_ldap_conf = _PATH_LDAP_CONF;
+const char *path_ldap_secret = _PATH_LDAP_SECRET;

 extern __dso_public struct policy_plugin sudoers_policy;

@@ -112,6 +114,14 @@ sudoers_policy_deserialize_info(void *v, char **runas_user, char **runas_group)
 		    NULL, 8);
 		continue;
 	    }
+	    if (MATCHES(*cur, "ldap_conf=")) {
+		path_ldap_conf = *cur + sizeof("ldap_conf=") - 1;
+		continue;
+	    }
+	    if (MATCHES(*cur, "ldap_secret=")) {
+		path_ldap_secret = *cur + sizeof("ldap_secret=") - 1;
+		continue;
+	    }
 	}
    }

@@ -667,8 +677,8 @@ sudoers_policy_version(int verbose)
 # ifdef _PATH_NSSWITCH_CONF
 	sudo_printf(SUDO_CONV_INFO_MSG, _("nsswitch path: %s\n"), _PATH_NSSWITCH_CONF);
 # endif
-	sudo_printf(SUDO_CONV_INFO_MSG, _("ldap.conf path: %s\n"), _PATH_LDAP_CONF);
-	sudo_printf(SUDO_CONV_INFO_MSG, _("ldap.secret path: %s\n"), _PATH_LDAP_SECRET);
+	sudo_printf(SUDO_CONV_INFO_MSG, _("ldap.conf path: %s\n"), path_ldap_conf);
+	sudo_printf(SUDO_CONV_INFO_MSG, _("ldap.secret path: %s\n"), path_ldap_secret);
 #endif
 	dump_auth_methods();
 	dump_defaults();
--- a/plugins/sudoers/sudoers.h
+++ b/plugins/sudoers/sudoers.h
@@ -365,6 +365,8 @@ void sudoers_cleanup(void);
 /* policy.c */
 int sudoers_policy_deserialize_info(void *v, char **runas_user, char **runas_group);
 int sudoers_policy_exec_setup(char *argv[], char *envp[], mode_t cmnd_umask, char *iolog_path, void *v);
+extern const char *path_ldap_conf;
+extern const char *path_ldap_secret;

 /* aix.c */
 void aix_restoreauthdb(void);