If the debug sudoers subsystem is not registered, because it does not
get any file names to deal with (TAILQ_EMPTY(debug_files)), deregistration
of the subsystem outputs a warning:
sudo: sudo_debug_deregister_v1: invalid instance ID -1, max -1
This patch prevents that by only increasing the refcount if the
debug_instance was registered successfully.
Examples are installed by default to "docdir", which refers to
PACKAGE_TARNAME variable which was empty for the python plugin Makefile.in
So the examples were installed to '.../share/doc/examples' instead
of '.../share/doc/sudo/examples'. This also made them be skipped from the
package.
Also the install target now depends on install-doc so the examples
gets installed also (similarly as other examples).
If non root can alter any imported python modules, he is able to run
anything he would like to as root user.
This class is a helper to avoid such situation.
This feature can be disabled with 'DeveloperMode=1' plugin option.
It can be used to disable the enforcement that a plugin (shared object or
an imported python module) must be owned by root and not modifiable by
others.
This can make plugin development easier.
Previous, sudo would always allow unknown user or group IDs if the
sudoers entry permitted it. This included the "ALL" alias.
With this change, the admin must explicitly enable support for unknown IDs.
Reference count calls to sudoers_debug_register and only deregister
sudoers_debug_instance when refcnt reaches 0.
Fixes a problem where the debug system was deregistered when the
sudoers policy is closed even though the iolog plugin is active.
Previously, it was only called when a command was run (including
sudoedit). Now, plugin operations list, validate, invalidate, and
show_version are also closed.
Some admin are confused about how to give users sudoedit permission
and many users try to run sudoedit via sudo instead of directly.
If the user runs "sudo sudoedit" sudo will now treat it as plain
"sudoedit" after issuing a warning. If the admin has specified a
fully-qualified path for sudoedit in sudoers, sudo will treat it
as just "sudoedit" and match accordingly. In visudo (but not sudo),
a fully-qualified path for sudoedit is now treated as an error.
