This means that lhost and shost in struct sudoers_parse_tree
are no longer const and that free_parse_tree() will free lhost/shost.
The only consumer that passed in lho.st/shost was the SSSD back-end
which has been updated to avoid a double-free.
In the sssd backend, the rule_to_priv() cleanup code assumes cmnds
can be passed to fn_free_values(), which was not the case if we
receive an error getting values for "sudoCommand". This is a
regression introduced in sudo 1.9.1. Fix from Ron Bowes.
GitHub issue #67.
The file name in struct userspec was not set for the LDAP and SSSD
backends. There is no actual file in this case so set the name to
LDAP/SSSD. Also add a guard to make sure we don't try to print
NULL in sudoers_lookup_check() if name is left unset.
Otherwise, sudo_ldap_role_to_priv() will treat a NULL host list as
as the "ALL" wildcard. This regression was introduced in sudo 1.8.23,
which was the first version to convert LDAP sudoRole objects to
sudoers internal data structures.
Thanks to Andreas Mueller for reporting and debugging this problem.
Previously we needed to include headers required by the various
sudo*h files. Now those files are more self-sufficient and we
should only include headers needed by code in the various .c files.
were sorted in descending order by sudoOrder. That allowed it to
avoid iterating over the entire list of rules. Now that we convert
to a sudoers parse tree, we need to convert rules in ascending
order, not descending. The simplest way to accomplish this is to
simply iterate over the rules from last to first, reversing the
sort order. Bug #849
we are listing in short mode (in which case we convert them to tags
if possible). Fixes a problem where sudoOptions were not being
applied to the command.
o The parse tree is now passed to the alias, match and defaults functions.
o The nss API has been changed so that the nss parse() function returns
a pointer to a struct sudoers_parse_tree which will be filled in
by the getdefs() and query() functions.
in a per-nss list of userspecs and defaults instead of using separate
lookup and list functions. This makes it possible to have a single
implementation of the code for sudoers lookup and listing.
This makes it possible to convert from LDAP sudoers to a traditional
sudoers file. Semantic differences between file sudoers and LDAP
sudoers mean that LDIF -> sudoers is not completely equivalent.
is an unqualified host name. From Daniel Kopecek.
Also move the "unable to allocate memory" warning into get_ipa_hostname()
itself to make it easier to see where the allocation failed in the
debug log.
is required, clear FLAG_NOPASSWD so that when listpw/verifypw is
set to "all" and there are multiple sudoers sources a password will
be required unless none of the entries in all sources require
authentication. From Radovan Sroka of RedHat
