[sudo-users] Non-UNIX groups plugin
Phil
1966phils at gmail.com
Thu Oct 15 17:54:51 MDT 2015
Hi,
We're looking into producing a sudo_plugin for non-UNIX groups, but our
initial tests show some unexpected calls to our plugin.
With the following lines in sudoers:
%unixgroup ALL=(ALL) ALL
%:nonunixgroup ALL=(ALL) ALL
We expected our plugin to only be called for the nonunixgroup, but we
found it's also called for unixgroup. In fact it's called for all group
('%') entries.
Is this the expected behavior?
We're running on RHEL6 with sudo-1.8.6p3-20.el6_7.x86_64 and our test
code is below.
Thanks
Phil
#include <pwd.h>
#include <stdbool.h>
#include "sudo_plugin.h"

/* Printf-style logging function supplied by sudo in test_init(). */
static sudo_printf_t sudo_log;

/* Called when the plugin is loaded; rejects an incompatible API major version. */
static int
test_init(int version, sudo_printf_t sudo_printf, char *const argv[])
{
    sudo_log = sudo_printf;
    if (GROUP_API_VERSION_GET_MAJOR(version) != GROUP_API_VERSION_MAJOR) {
        sudo_log(SUDO_CONV_ERROR_MSG,
            "test_group: incompatible major version %d, expected %d\n",
            GROUP_API_VERSION_GET_MAJOR(version),
            GROUP_API_VERSION_MAJOR);
        return -1;
    }
    return true;
}

/* Nothing to release. */
static void
test_cleanup(void)
{
}

/* Logs every group name the plugin is asked about and never matches. */
static int
test_query(const char *user, const char *group, const struct passwd *pwd)
{
    sudo_log(SUDO_CONV_ERROR_MSG,
        "called with group %s\n", group);
    return false;
}

/* Symbol that sudoers looks up in the plugin. */
struct sudoers_group_plugin group_plugin = {
    GROUP_API_VERSION,
    test_init,
    test_cleanup,
    test_query
};
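
Added example, not part of the original post and not sudo's own code: a query callback with the same signature as test_query() that answers only for names in its own group table and declines any name that getgrnam() resolves as a UNIX group, so it stays safe when invoked for every '%' entry as described above. The name guarded_query, the table contents and the use of getgrnam() as the UNIX-group test are assumptions made for illustration.

```c
#include <grp.h>
#include <pwd.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample data standing in for the non-UNIX group source. */
struct ext_group {
    const char *name;
    const char *members[4];            /* NULL-terminated */
};
static const struct ext_group ext_groups[] = {
    { "nonunixgroup", { "alice", "bob", NULL } },
    { "root",         { "mallory", NULL } },   /* constructed name collision */
};

/* Hypothetical query callback with the same signature as test_query(). */
int
guarded_query(const char *user, const char *group, const struct passwd *pwd)
{
    size_t i, j;

    (void)pwd;
    if (user == NULL || group == NULL || *group == '\0')
        return false;
    /* Names that resolve in the system group database are not ours to answer for. */
    if (getgrnam(group) != NULL)
        return false;
    for (i = 0; i < sizeof(ext_groups) / sizeof(ext_groups[0]); i++) {
        if (strcmp(ext_groups[i].name, group) != 0)
            continue;
        for (j = 0; ext_groups[i].members[j] != NULL; j++)
            if (strcmp(ext_groups[i].members[j], user) == 0)
                return true;
        return false;                  /* known group, user not a member */
    }
    return false;                      /* unknown group */
}

int
main(void)
{
    printf("alice/nonunixgroup -> %d\n", guarded_query("alice", "nonunixgroup", NULL));
    printf("mallory/root -> %d\n", guarded_query("mallory", "root", NULL));
    return 0;
}
```

getgrnam() goes through the system's configured group sources, so the guard costs one extra lookup per query.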