In the past, some PAM modules assumed that PAM_TTY was set and would
misbehave (or crash) if not. This was primarily obsolete versions
of Linux-PAM, so it should now be safe to remove this. Setting
PAM_TTY to an empty string can cause its own set of issues.
GitHub issue #74
For "sudo -n" we only want to reject a command if user input is
actually required. In the case of PAM at least, we may not need
to interact with the user. Bug #956, GitHub issue #83
If a host is specified for the input file, cvtsudoers will bind
global Defaults to that host and change host "ALL" in a userspec
to the host name. However, if all the input files have matching
hosts we can simplify the merged file by converting back to ALL
after resolving conflicts.
The switch() in the sudo_ldap_set_options_table() function needed to be
updated to treat CONF_DEREF_VAL and CONF_REQCERT_VAL data types as int.
Fix from Dennis Filder. Bug #1013.
When only the user (ALL) is specified explicitly, and the group is implied, only sudo -u works. Specifying both the user and group, like (ALL:ALL), is required to:
1) Use sudo -g by itself (with no -u user)
2) Use sudo -u and -g together, with a -g group that is different from the -u user's primary group
The "-l logfile" option can be used to store a log of what
actions cvtsudoers took when merging multiple files.
For example, which aliases were renamed, which entries were overriden
or removed as duplicated.
The warning that need_comma is always false is correct but in this
case it is better to use a consistent construct so that if the code
is re-ordered no bugs are introduced.
Previously, we checked that the previous entry's binding pointer
was not the same while freeing. However, to be able to merge
Defaults records we cannot rely on Defaults entries with the same
binding being immediately adjacent. This removes the prev_binding
checks in favor of a reference count which allows us to plug the
memory leak in cvtsudoers when merging Defaults.
This means that lhost and shost in struct sudoers_parse_tree
are no longer const and that free_parse_tree() will free lhost/shost.
The only consumer that passed in lho.st/shost was the SSSD back-end
which has been updated to avoid a double-free.
If a hostname is specified with the sudoers file, it will be used to
make the userspec host-specific, if possible. Duplicate userspecs
are removed but conflicting entries are not currently pruned.
If a hostname is specified with the sudoers file, it will be used to
make the Defaults setting host-specific, if possible.
Duplicate Defaults settings are removed and conflicts are warned about.
It is not possible to resolve all conflicts automatically.
Duplicate aliases are remove. If there are conflicting alias names,
the conflicts are renamed by appending a numerical suffix.
For example, if there are two SERVERS Host_Aliases, the second one
will be renamed to SERVERS_1.
The front-end uses this to decide whether or not to enable SELinux.
If selinux-rbac is true _or_ if it is not present and selinux_role or
selinux_type are set, SELinux support is enabled.
Previously, SELinux support was only enabled if a role was specified.
