This used to indicate that email had been sent to the administrator
telling them that someone tried to run sudo. Whether or not sudo
sends email is now configurable, so the warning may not be accurate.
It is also confusing to the user since they will not know who the
incident is being reported to. See also https://xkcd.com/838/
This may simply mean that nsswitch.conf lists sss as a sudoers
source but SSSD is not configured for sudo. Otherwise, the user
will receive a useless "problem with defaults entries" when the
sssd backend tries to fetch the global defaults. Bug #1022.
If noninteractive_auth is set, authentication methods that do not
require input from the user's terminal may proceed. It is off by
default, which restores the pre-1.9.9 behavior of "sudo -n".
If the Defaults name matched but the binding does not, we can simply
leave it be. Fixes a problem where given two sudoers sources that
have a host specified, if they contain conflicting Defaults entries
we would drop one of the Defaults instead of keeping both after
making them host-specific.
We convert the global Defaults to a host-based one with a single
"ALL" member. Later, when we simplify the host list, we'll convert
this back to a global Defaults.
When logging terminal input, if log_passwords is disabled and any
of the regular expressions in the passprompt_regex list are found
in the terminal output, terminal input will be replaced with '*'
characters until a newline or carriage return is found in the input
or an output character is received.
Defaults settings passed in by the front end are already "early"
so there is no need to treat any of them as special.
Otherwise, we end up running the early defaults callbacks before
sudoers has been parsed. This means that, for instance, it is not
possible to disable the fqdn flag before its callback is run if
sudo is build with the --with-fqdn option. Bug #1016.
This makes it possible to use a different PAM configuration for
when "sudo -A" is used. The main use case is to only use PAM modules
that can interact with the askpass program. GitHub issue #112.
In the past, some PAM modules assumed that PAM_TTY was set and would
misbehave (or crash) if not. This was primarily obsolete versions
of Linux-PAM, so it should now be safe to remove this. Setting
PAM_TTY to an empty string can cause its own set of issues.
GitHub issue #74
For "sudo -n" we only want to reject a command if user input is
actually required. In the case of PAM at least, we may not need
to interact with the user. Bug #956, GitHub issue #83
If a host is specified for the input file, cvtsudoers will bind
global Defaults to that host and change host "ALL" in a userspec
to the host name. However, if all the input files have matching
hosts we can simplify the merged file by converting back to ALL
after resolving conflicts.
