The format value has to be a string literal, every time.
Otherwise, you are not using these functions correctly. To reinforce this fact, I putrestrict over every non-contrib example of this I could find.
When a sudoers rule permits the user to run commands as a group,
not a user, we should set the runasusers to single member with the
special MYSELF token. This guarantees that the only time runasusers
will be NULL is when no runaslist is present.
sudoers now supports an APPARMOR_PROFILE option, which can be specified
as e.g.
alice ALL=(ALL:ALL) APPARMOR_PROFILE=foo ALL
The line above says "user alice can run any command as any user/group,
under confinement by the AppArmor profile 'foo'." Profiles can be
specified in any way that complies with the rules of
aa_change_profile(2). For instance, the sudoers configuration
alice ALL=(ALL:ALL) APPARMOR_PROFILE=unconfined ALL
allows alice to run any command unconfined (i.e., without an AppArmor
profile), while
alice ALL=(ALL:ALL) APPARMOR_PROFILE=foo//&bar ALL
tells sudoers that alice can run any command under the stacked AppArmor
profiles 'foo' and 'bar'.
The intention of this option is to give sysadmins on Linux distros
supporting AppArmor better options for fine-grained access control.
Among other things, this option can enforce mandatory access control
(MAC) over the operations that a privileged user is able to perform to
ensure that they cannot privesc past the boundaries of a specified
profile. It can also be used to limit which users are able to get
unconfined system access, by enforcing a default AppArmor profile on all
users and then specifying 'APPARMOR_PROFILE=unconfined' for a privileged
subset of users.
The hook can be used to log parser errors (sudoers module) or keep
track of which files have an error (visudo).
Previously, we only kept track of a single parse error.
Previously, we checked that the previous entry's binding pointer
was not the same while freeing. However, to be able to merge
Defaults records we cannot rely on Defaults entries with the same
binding being immediately adjacent. This removes the prev_binding
checks in favor of a reference count which allows us to plug the
memory leak in cvtsudoers when merging Defaults.
This means that lhost and shost in struct sudoers_parse_tree
are no longer const and that free_parse_tree() will free lhost/shost.
The only consumer that passed in lho.st/shost was the SSSD back-end
which has been updated to avoid a double-free.
This causes "intercept" to be set to true in command_info[] which
the sudo front-end will use to determine whether or not to intercept
attempts to run further commands, such as from a shell. Also add
"log_children" which will use the same mechanism but only log (audit)
further commands.
The parser will use that when reporting on an ERROR state. This
prevents the lexer from reporting errors about tokens that are not
actually consumed by the parser and we don't have to worry about
both the lexer and the parser reporting errors. It also means we
only get one error per sudoers line.
We need to be able to display it using alias_error().
Only free what we actually allocated in alias_add() on error and
let the caller handle cleanup. Note that we cannot completely fill
in the alias until it is inserted. Otherwise, we will have modified
the file and members parameters even if there was an error.
As a result, we have to remove those from the leak list after
alias_add(), not before.
We now need to remove the name and members from the leak list
*before* calling alias_add() since alias_add() will consume them
for both success and failure.
