RedHat dropped the word "server" from the release name in redhat-release
which results in the awk script printing the wrong field. Instead
of using awk, just use sed to pull out the version number immediately
following the word "release".
Note that clang 10 has support for -Wimplicit-fallthrough in C code
but doesn't recognize lint-style FALLTHROUGH comments like gcc does
so we can't use it.
This is only used when logging events from plugins other than sudoers,
such as an approval plugin. With this change, if an approval
plugin rejects the command the denial will be logged in the
sudoers log file using the message from the approval plugin.
The file name in struct userspec was not set for the LDAP and SSSD
backends. There is no actual file in this case so set the name to
LDAP/SSSD. Also add a guard to make sure we don't try to print
NULL in sudoers_lookup_check() if name is left unset.
Otherwise, sudo_ldap_role_to_priv() will treat a NULL host list as
as the "ALL" wildcard. This regression was introduced in sudo 1.8.23,
which was the first version to convert LDAP sudoRole objects to
sudoers internal data structures.
Thanks to Andreas Mueller for reporting and debugging this problem.
Now that logging of successful commands is performed by sudoers as an
audit plugin we need to load sudoers_audit if sudoers_policy is also
loaded. Otherwise, accpted commands will not be logged.
This adds audit plugin support to the sudoers module, currently
only used for accept events. As a result, the sudoers file is now
initially parsed as an audit plugin.
With this change, the sudo front-end will send an "accept" audit
event to the audit plugins after all the I/O logging plugins have
been initialized. This can be used by an audit plugin that does
not care about the result of the individual policy and approval
plugins and only wants to receive a single "accept" event if all
policy and approval plugins have succeeded. The plugin_type argument
for events sent by the front-end is SUDO_FRONT_END (0).
This fixes an issue on Solaris 11.4 (and probably others) with "sudo
reboot" when I/O logging is enabled. Previously, sudo would kill
the command if it was still running after the event loop terminated,
leaving the system in a half-dead state.
Fixes a problem on Solaris 11.4 (and possibly others) where sudo
continually tries to put itself in the background after the user's
terminal has been revoked.
