these in parse.yacc. Also in parse.yacc initialize the *_matches
vars to UNSPEC and add two macros, SETMATCH and SETNMATCH for use
when setting *_matches to a value that may be NOMATCH/UNSPEC/TRUE/FALSE.
between the initialized value and the value of a non-match when
passing along the runas value to multiple commands.
The result of this is that an unmatched runas is now set to -1, not 0.
This is required now that parse.c treats a FALSE value for runas as
being explicitly denied.
the passwd file, set runas_user to the name, not the uid.
When comparing usernames in sudoers, if a name is really a uid (starts
with '#') compare it numerically to pw_uid.
function that just sets error and returns -1. This adds a
"noexec_file" option to load the filename as well as a "noexec" flag
to enable it unconditionally. There is also a NOEXEC tag that can
be attached to specific commands and an EXEC tag to disable it.
There's really no need for a separate token for fully-qualified vs.
unqualified anymore so FQHOST is now history and hostname_matches
now decides which hostname (short or long) to check based on whether
or not the pattern contains a '.'.
if there is *any* entry for the user on the host with a NOPASSWD flag.
For -v, only allow w/o a passwd if *all* entries for the user on the host
w/ the specified runas user have the NOPASSWD flag set.
o oprunasuser and runaslist now return a value
o in a runasspec, if a runaslist does not return TRUE, set runas_matches to
FALSE. Normally, a runaslist only returns FALSE for explicitly denied
users.
o since runaslist does not modify the stack there is no need for a push/pop
in runasalias.
o Implement mailer_flags
o Store syslog stuff both in int and string form. Setting the string
form magically updates the int version.
o Add boolean attribute to strings where it makes sense to say !foo
changable at runtime (and on a global, per-host and per-user basis).
Both the names and the internal representation are still subject to change.
It was necessary to make sudo_user.runas but a char ** instead of a
char * since this value can be changed by a Defaults line. There is a
similar (but more complicated) issue with sudo_user.prompt but it
is handled differently at the moment.
Add a "-L" flag to list the name of options with their descriptions. This
may only be temporary.
Move some prototypes to parse.h
Be much less restrictive on what is allowed for a username.
stored with the contents. This could lead to incorrect output
if the sudoers file had different alias types with the same name.
Normal parsing (ie: not in '-l' mode) is unaffected.
possible to express things like "failed to validate because user not listed
for this host". Some thigns that were previously VALIDATE_FOO are now
FLAG_FOO. This may change later on.
Reorganized code in log_auth() and sudo.c to deal with above changes.
Safer versions of push/pushcp with in the do { ... } while (0) style
parse.yacc now saves info on the stack to allow parse.c to determine
if a user was listed, but not for the host he/she tried to run on.
Added --with-mail-if-no-host option
o real dependencies in the Makefile
o --with-devel option to enable yacc, lex, and -Wall
o style -- "foo -> bar" becomes "foo->bar"
o ALL goes back to being a token, not a string but don't leak memory
o rename hsotspec -> host in parse.yacc
where an alias may be used before it is defined. Only turned on for visudo
and testsudoers.
o Add --disable-authentication option that makes sudo not require
authentication by default. The PASSWD tag can be used to require
authentication for an entry. We no longer overload --without-passwd.
o find_alias() now returns an aliasinfo * instead of boolean
o add_alias() now takes a value parameter to store in the aliasinfo.val
o The cmnd, hostspec, runasuser, and user rules now return:
1) positive match
0) negative match (due to '!')
-1) no match
This means setting $$ explicitly in all cases, which I should have done in
the first place. It also means that we always store a value that is != -1
and when we see a '!' we can set *_matches to !rv if rv != -1.
The upshot of all of this is that '!' now works the way it should in
lists and some of the rules are more uniform and sensible.
