[sudo-users] Overriding default options defined in LDAP
Todd C. Miller
Todd.Miller at courtesan.com
Wed Feb 27 13:14:17 EST 2008
In sudo 1.6.9 the sudoers file is not consulted if LDAP sudoers
allowed the user to run the command. Things are split up
a bit more in sudo 1.7 (presently in beta) which supports
nsswitch.conf.
The following patch to 1.6.9p12 should do what you want.
- todd
Index: sudo.c
===================================================================
RCS file: /home/cvs/courtesan/sudo/sudo.c,v
retrieving revision 1.369.2.36
diff -u -r1.369.2.36 sudo.c
--- sudo.c 9 Feb 2008 14:44:48 -0000 1.369.2.36
+++ sudo.c 27 Feb 2008 18:12:11 -0000
@@ -273,25 +273,21 @@
validated = sudo_ldap_check(pwflag);
/* Skip reading /etc/sudoers if LDAP told us to */
- if (def_ignore_local_sudoers); /* skips */
- else if (ISSET(validated, VALIDATE_OK) && !printmatches); /* skips */
- else if (ISSET(validated, VALIDATE_OK) && printmatches)
- {
+ if (!def_ignore_local_sudoers) {
check_sudoers(); /* check mode/owner on _PATH_SUDOERS */
- /* User is found in LDAP and we want a list of all sudo commands the
- * user can do, so consult sudoers but throw away result.
- */
- sudoers_lookup(pwflag);
+ /* If user was found in LDAP, check sudoers for Defaults and -l mode */
+ if (ISSET(validated, VALIDATE_OK))
+ (void) sudoers_lookup(pwflag);
+ else
+ validated = sudoers_lookup(pwflag);
}
- else
-#endif
- {
- check_sudoers(); /* check mode/owner on _PATH_SUDOERS */
+#else
+ check_sudoers(); /* check mode/owner on _PATH_SUDOERS */
- /* Validate the user but don't search for pseudo-commands. */
- validated = sudoers_lookup(pwflag);
- }
+ /* Validate the user but don't search for pseudo-commands. */
+ validated = sudoers_lookup(pwflag);
+#endif
if (safe_cmnd == NULL)
safe_cmnd = estrdup(user_cmnd);
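Review bot: the rewritten HAVE_LDAP branch now runs `check_sudoers()` and `sudoers_lookup(pwflag)` for every LDAP-validated user unless `def_ignore_local_sudoers` is set, whereas the removed `else if (ISSET(validated, VALIDATE_OK) && !printmatches); /* skips */` line only consulted the local file in list mode; a local `_PATH_SUDOERS` with bad mode/owner or a parse error can therefore now stop a user whose access came entirely from LDAP, and that behaviour change deserves a sentence in the message body. The new comment `/* If user was found in LDAP, check sudoers for Defaults and -l mode */` should also say that the Defaults take effect as a side effect of the `(void) sudoers_lookup(pwflag);` call whose return value is deliberately discarded, since the cast alone reads as if the lookup were pointless.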