This makes it possible to use a different PAM configuration for
when "sudo -A" is used. The main use case is to only use PAM modules
that can interact with the askpass program. GitHub issue #112.
For "sudo -n" we only want to reject a command if user input is
actually required. In the case of PAM at least, we may not need
to interact with the user. Bug #956, GitHub issue #83
There is no case where we should fail to find an editor just because
the values of EDITOR, VISUAL and SUDO_EDITOR are unavailable. Both
sudoedit and the "env_editor" sudoers setting are documented as
falling back on the hard-coded list of editors in the "editors"
sudoers setting. Bug #1000
By default, sudoers will not require authentication of commands run
via an intercepted session. To require authenticaton of subsequent
commands, enable intercept_authenticate in sudoers.
This setting is an argument to the sudoers plugin, similar to how
sudoers_file, sudoers_mode, sudoers_uid, etc. are implemented.
The default value is true.
This adds audit plugin support to the sudoers module, currently
only used for accept events. As a result, the sudoers file is now
initially parsed as an audit plugin.
In the past we've relied on the various .c files to include the
system headers that define types that the sudo_*.h headers require.
This is fragile and can cause issues when includes get re-ordered.
This is used for PAM authentication to make sure pam_end() is called
via sudo_auth_cleanup() when the user authenticates successfully but
sudoers denies the command. Debian bug #669687
Some admin are confused about how to give users sudoedit permission
and many users try to run sudoedit via sudo instead of directly.
If the user runs "sudo sudoedit" sudo will now treat it as plain
"sudoedit" after issuing a warning. If the admin has specified a
fully-qualified path for sudoedit in sudoers, sudo will treat it
as just "sudoedit" and match accordingly. In visudo (but not sudo),
a fully-qualified path for sudoedit is now treated as an error.
If the umask is explicitly set in sudoers, use that value regardless
of what is in PAM or login.conf. If using the default umask from
sudoers, allow PAM or login.conf to override it. Bug #900
we are listing in short mode (in which case we convert them to tags
if possible). Fixes a problem where sudoOptions were not being
applied to the command.
in a per-nss list of userspecs and defaults instead of using separate
lookup and list functions. This makes it possible to have a single
implementation of the code for sudoers lookup and listing.
