[sudo-users] listpw/verifypw issues with sssd and ldap
Todd C. Miller
Todd.Miller at courtesan.com
Sun Apr 17 06:26:49 MDT 2016
On Sun, 10 Apr 2016 10:13:57 -0700, Michael Fischer wrote:
> How do we address this? Is it a simple fix? Can you clarify the
> documentation in the interim?
Here's the fix that I plan to include in sudo 1.8.17.
- todd
diff -r 2adcf1b17f83 plugins/sudoers/ldap.c
--- a/plugins/sudoers/ldap.c Tue Mar 22 16:31:47 2016 -0600
+++ b/plugins/sudoers/ldap.c Sun Apr 17 06:25:01 2016 -0600
@@ -3178,10 +3178,7 @@
case all:
case any:
if (doauth == false)
- def_authenticate = false;
- break;
- case never:
- def_authenticate = false;
+ SET(ret, FLAG_NOPASSWD);
break;
default:
break;
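Review bot: The new `SET(ret, FLAG_NOPASSWD);` in the `all`/`any` arm only reports the tag now, but nothing at this site says that the decision on `def_authenticate` has moved out of the back-end, so a reader of ldap.c alone cannot tell why the `never` arm disappeared; a short comment such as `/* Report NOPASSWD to the caller; authentication is decided across all sources in sudoers_policy_main(). */` above the SET would carry that. The sssd.c hunk makes the identical change and wants the same comment. Note that a back-end that matched no entries presumably leaves `doauth` at its initial value and so reports no FLAG_NOPASSWD, which the caller's `all` handling would treat as a veto — whether that is intended depends on how `doauth` is seeded above this hunk, which is outside the diff. The enclosing switch and function start before the hunk.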
diff -r 2adcf1b17f83 plugins/sudoers/parse.c
--- a/plugins/sudoers/parse.c Tue Mar 22 16:31:47 2016 -0600
+++ b/plugins/sudoers/parse.c Sun Apr 17 06:25:01 2016 -0600
@@ -197,8 +197,8 @@
SET(validated, VALIDATE_FAILURE);
if (pwcheck == always && def_authenticate)
SET(validated, FLAG_CHECK_USER);
- else if (pwcheck == never || nopass == true)
- def_authenticate = false;
+ else if (nopass == true)
+ SET(validated, FLAG_NOPASSWD);
debug_return_int(validated);
}
diff -r 2adcf1b17f83 plugins/sudoers/sssd.c
--- a/plugins/sudoers/sssd.c Tue Mar 22 16:31:47 2016 -0600
+++ b/plugins/sudoers/sssd.c Sun Apr 17 06:25:01 2016 -0600
@@ -1154,10 +1154,7 @@
case all:
case any:
if (doauth == false)
- def_authenticate = false;
- break;
- case never:
- def_authenticate = false;
+ SET(ret, FLAG_NOPASSWD);
break;
default:
break;
diff -r 2adcf1b17f83 plugins/sudoers/sudoers.c
--- a/plugins/sudoers/sudoers.c Tue Mar 22 16:31:47 2016 -0600
+++ b/plugins/sudoers/sudoers.c Sun Apr 17 06:25:01 2016 -0600
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1993-1996, 1998-2015 Todd C. Miller <Todd.Miller at courtesan.com>
+ * Copyright (c) 1993-1996, 1998-2016 Todd C. Miller <Todd.Miller at courtesan.com>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -261,6 +261,7 @@
char *iolog_path = NULL;
mode_t cmnd_umask = 0777;
struct sudo_nss *nss;
+ bool nopass = false;
int cmnd_status = -1, oldlocale, validated;
int rval = -1;
debug_decl(sudoers_policy_main, SUDOERS_DEBUG_PLUGIN)
@@ -343,6 +344,33 @@
TAILQ_FOREACH(nss, snl, entries) {
validated = nss->lookup(nss, validated, pwflag);
+ /*
+ * The NOPASSWD tag needs special handling among all sources
+ * in -l or -v mode.
+ */
+ if (pwflag) {
+ enum def_tuple pwcheck =
+ (pwflag == -1) ? never : sudo_defs_table[pwflag].sd_un.tuple;
+ switch (pwcheck) {
+ case all:
+ if (!ISSET(validated, FLAG_NOPASSWD))
+ nopass = false;
+ break;
+ case any:
+ if (ISSET(validated, FLAG_NOPASSWD))
+ nopass = true;
+ break;
+ case never:
+ nopass = true;
+ break;
+ case always:
+ nopass = false;
+ break;
+ default:
+ break;
+ }
+ }
+
if (ISSET(validated, VALIDATE_ERROR)) {
/* The lookup function should have printed an error. */
goto done;
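Review bot: In the `case all:` arm `nopass` can never become true: it is initialised with `bool nopass = false;` in the earlier hunk and this arm only ever assigns `false`, so the trailing `if (pwflag && nopass) def_authenticate = false;` in the next hunk never fires for `listpw=all`/`verifypw=all`, and -l/-v would prompt even when every matching entry carries NOPASSWD. Seeding `nopass` from `pwcheck` once before the loop, so that `all` starts true and each source can only veto, fixes that without touching the other arms. A second concern is that `validated` is threaded through `nss->lookup()` on the loop's second line, so if a lookup hands its input flags back unchanged, FLAG_NOPASSWD set by one source is still present when the next source is examined and the `all` veto cannot trigger; clearing the flag before each lookup gives the switch a per-source answer (worth confirming against the ldap/sssd lookups, whose bodies are outside this diff). With that seeding, a source that matched nothing also vetoes under `all`; whether that is the intended reading of `all` I cannot settle from this hunk. The enclosing function sudoers_policy_main starts and ends outside the hunk.
```c
    /* Resolve the password-check policy once; "all" starts true and can only be vetoed. */
    enum def_tuple pwcheck = never;
    if (pwflag) {
	pwcheck = (pwflag == -1) ? never : sudo_defs_table[pwflag].sd_un.tuple;
	nopass = (pwcheck == all);
    }
    TAILQ_FOREACH(nss, snl, entries) {
	/* Judge this source's NOPASSWD result on its own, not the accumulated flags. */
	CLR(validated, FLAG_NOPASSWD);
	validated = nss->lookup(nss, validated, pwflag);

	/*
	 * The NOPASSWD tag needs special handling among all sources
	 * in -l or -v mode.
	 */
	if (pwflag) {
	    switch (pwcheck) {
	    /* … unchanged: all / any / never / always / default arms … */
```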
@@ -356,6 +384,8 @@
break;
}
}
+ if (pwflag && nopass)
+ def_authenticate = false;
/* Restore user's locale. */
sudoers_setlocale(oldlocale, NULL);
diff -r 2adcf1b17f83 plugins/sudoers/sudoers.h
--- a/plugins/sudoers/sudoers.h Tue Mar 22 16:31:47 2016 -0600
+++ b/plugins/sudoers/sudoers.h Sun Apr 17 06:25:01 2016 -0600
@@ -123,6 +123,7 @@
#define FLAG_NON_INTERACTIVE 0x100
#define FLAG_BAD_PASSWORD 0x200
#define FLAG_AUTH_ERROR 0x400
+#define FLAG_NOPASSWD 0x800
/*
* find_path()/set_cmnd() return values