When logging terminal input, if log_passwords is false and any
of the regular expressions in the passprompt_regex list are found
in the terminal output, terminal input will be replaced with '*'
characters until a newline or carriage return is found in the input
or an output character is received.

When logging terminal input, if log_passwords is disabled and any
of the regular expressions in the passprompt_regex list are found
in the terminal output, terminal input will be replaced with '*'
characters until a newline or carriage return is found in the input
or an output character is received.
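
The masking rule described in the two messages above, as an added example (not sudo's own code): a small state machine that replaces logged input with '*' after a prompt match, until a newline, carriage return or further output. The struct, function names, sample pattern and session data are constructed for illustration, and the prompt is assumed to arrive in a single output chunk.

```c
#include <regex.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical filter state; names are illustrative, not sudo's. */
struct pw_filter {
    regex_t prompt;  /* one compiled passprompt_regex entry */
    bool masking;    /* true while logged input is replaced with '*' */
};

int pw_filter_init(struct pw_filter *f, const char *pattern)
{
    f->masking = false;
    return regcomp(&f->prompt, pattern, REG_EXTENDED | REG_NOSUB);
}

/* Terminal output: any output ends masking; a prompt match (re)starts it. */
void pw_filter_output(struct pw_filter *f, const char *out)
{
    if (*out != '\0')
        f->masking = (regexec(&f->prompt, out, 0, NULL, 0) == 0);
}

/* Terminal input: write the loggable form of `in` to `log`; returns `log`. */
char *pw_filter_input(struct pw_filter *f, const char *in, char *log, size_t logsz)
{
    size_t i;

    if (logsz == 0)
        return log;
    for (i = 0; in[i] != '\0' && i + 1 < logsz; i++) {
        if (in[i] == '\n' || in[i] == '\r')
            f->masking = false;          /* end of line: stop masking */
        log[i] = f->masking ? '*' : in[i];
    }
    log[i] = '\0';
    return log;
}

int main(void)
{
    struct pw_filter f;
    char log[64];

    /* Constructed sample pattern and session data. */
    if (pw_filter_init(&f, "[Pp]assword for [a-z0-9]+: *$") != 0)
        return 1;
    pw_filter_output(&f, "[sudo] password for alice: ");
    printf("%s\n", pw_filter_input(&f, "hunter2\rls\r", log, sizeof(log)));
    regfree(&f.prompt);
    return 0;
}
```

A prompt that does not match any configured pattern leaves the filter off, so what ends up in the log depends on how well the passprompt_regex list covers the prompts actually in use.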

The concatenation of command and arguments and escaping of special
characters was not documented.
Text adapted from GitHub issue #121 from Kris Rinzwind

Defaults settings passed in by the front end are already "early"
so there is no need to treat any of them as special.
Otherwise, we end up running the early defaults callbacks before
sudoers has been parsed. This means that, for instance, it is not
possible to disable the fqdn flag before its callback is run if
sudo is built with the --with-fqdn option. Bug #1016.

On some systems, such as Solaris, the max length of a directory
entry is filesystem-dependent. We could use fpathconf() and
dynamically allocate the name but it is simpler to just use
PATH_MAX here.

Fixes a problem where sudo could reduce the max stack size on some
systems if the original limit was higher than the fallback limit,
but not unlimited/infinity.

This makes it possible to use a different PAM configuration for
when "sudo -A" is used. The main use case is to only use PAM modules
that can interact with the askpass program. GitHub issue #112.

In the past, some PAM modules assumed that PAM_TTY was set and would
misbehave (or crash) if not. This was primarily obsolete versions
of Linux-PAM, so it should now be safe to remove this. Setting
PAM_TTY to an empty string can cause its own set of issues.
GitHub issue #74

For "sudo -n" we only want to reject a command if user input is
actually required. In the case of PAM at least, we may not need
to interact with the user. Bug #956, GitHub issue #83

If a host is specified for the input file, cvtsudoers will bind
global Defaults to that host and change host "ALL" in a userspec
to the host name. However, if all the input files have matching
hosts we can simplify the merged file by converting back to ALL
after resolving conflicts.