changeset 9259:e9dc28c7db60

It is now possible to disable network interface probing in sudo.conf by changing the value of the probe_interfaces setting.
author Todd C. Miller <Todd.Miller@courtesan.com>
date Thu, 23 Jan 2014 14:52:54 -0700
parents 1559c301caec
children cfaf895c1db4
files NEWS common/sudo_conf.c doc/sudo.conf.cat doc/sudo.conf.man.in doc/sudo.conf.mdoc.in include/sudo_conf.h src/net_ifs.c
diffstat 7 files changed, 99 insertions(+), 9 deletions(-) [+]
--- a/NEWS	Wed Jan 22 20:48:49 2014 -0700
+++ b/NEWS	Thu Jan 23 14:52:54 2014 -0700
@@ -1,3 +1,9 @@
+What's new in Sudo 1.8.10?
+
+ * It is now possible to disable network interface probing in
+   sudo.conf by changing the value of the probe_interfaces
+   setting.
+
 What's new in Sudo 1.8.9p4?
 
  * Fixed a bug where sudo could consume large amounts of CPU while
--- a/common/sudo_conf.c	Wed Jan 22 20:48:49 2014 -0700
+++ b/common/sudo_conf.c	Thu Jan 23 14:52:54 2014 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2009-2013 Todd C. Miller <Todd.Miller@courtesan.com>
+ * Copyright (c) 2009-2014 Todd C. Miller <Todd.Miller@courtesan.com>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -86,6 +86,7 @@
 static void set_var_disable_coredump(const char *entry, const char *conf_file);
 static void set_var_group_source(const char *entry, const char *conf_file);
 static void set_var_max_groups(const char *entry, const char *conf_file);
+static void set_var_probe_interfaces(const char *entry, const char *conf_file);
 
 static unsigned int conf_lineno;
 
@@ -101,11 +102,13 @@
     { "disable_coredump", sizeof("disable_coredump") - 1, set_var_disable_coredump },
     { "group_source", sizeof("group_source") - 1, set_var_group_source },
     { "max_groups", sizeof("max_groups") - 1, set_var_max_groups },
+    { "probe_interfaces", sizeof("probe_interfaces") - 1, set_var_probe_interfaces },
     { NULL }
 };
 
 static struct sudo_conf_data {
     bool disable_coredump;
+    bool probe_interfaces;
     int group_source;
     int max_groups;
     const char *debug_flags;
@@ -113,6 +116,7 @@
     struct sudo_conf_paths paths[5];
 } sudo_conf_data = {
     true,
+    true,
     GROUP_SOURCE_ADAPTIVE,
     -1,
     NULL,
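Review bot: The added `true,` on the second line of the sudo_conf_data initializer is positional, so it is correct only because probe_interfaces was inserted directly after disable_coredump in the struct; a later reordering of either the struct or this initializer would silently re-pair the bool and int defaults without any compiler complaint. If the project's compiler baseline permits C99 designated initializers, `.disable_coredump = true, .probe_interfaces = true, .group_source = GROUP_SOURCE_ADAPTIVE,` would make the pairing explicit and robust. The struct definition and the remainder of the initializer lie outside this hunk.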
@@ -192,6 +196,15 @@
     }
 }
 
+static void
+set_var_probe_interfaces(const char *entry, const char *conf_file)
+{
+    int val = atobool(entry);
+
+    if (val != -1)
+	sudo_conf_data.probe_interfaces = val;
+}
+
 /*
  * "Debug progname debug_file debug_flags"
  */
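Review bot: set_var_probe_interfaces drops an unparseable value silently: when atobool() returns -1 (which the check treats as "not a boolean") the setting keeps its default of true, so a typo such as `Set probe_interfaces flase` leaves interface probing enabled with no diagnostic, and an administrator who disabled it to avoid the cost on hosts with many virtual interfaces will not notice. The handler already receives conf_file and the file has the file-scope conf_lineno counter, so a warning naming both in the `val == -1` case would make the misconfiguration visible; the sibling set_var_* handlers are outside this hunk, so I cannot tell whether they already warn and this one should match their style. A short header comment would also help, e.g. `/* "Set probe_interfaces true|false": values atobool() rejects are ignored. */`.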
@@ -362,6 +375,12 @@
     return sudo_conf_data.disable_coredump;
 }
 
+bool
+sudo_conf_probe_interfaces(void)
+{
+    return sudo_conf_data.probe_interfaces;
+}
+
 /*
  * Reads in /etc/sudo.conf and populates sudo_conf_data.
  */
--- a/doc/sudo.conf.cat	Wed Jan 22 20:48:49 2014 -0700
+++ b/doc/sudo.conf.cat	Thu Jan 23 14:52:54 2014 -0700
@@ -204,6 +204,21 @@
                This setting is only available in ssuuddoo version 1.8.7 and
                higher.
 
+     probe_interfaces
+               By default, ssuuddoo will probe the system's network interfaces and
+               pass the IP address of each enabled interface to the policy
+               plugin.  This makes it possible for the plugin to match rules
+               based on the IP address without having to query DNS.  On Linux
+               systems with a large number of virtual interfaces, this may
+               take a non-negligible amount of time.  If IP-based matching is
+               not required, network interface probing can be disabled as
+               follows:
+
+                     Set probe_interfaces false
+
+               This setting is only available in ssuuddoo version 1.8.10 and
+               higher.
+
    DDeebbuugg ffllaaggss
      ssuuddoo versions 1.8.4 and higher support a flexible debugging framework
      that can help track down what ssuuddoo is doing internally if there is a
@@ -376,4 +391,4 @@
      file distributed with ssuuddoo or http://www.sudo.ws/sudo/license.html for
      complete details.
 
-Sudo 1.8.9                     December 4, 2013                     Sudo 1.8.9
+Sudo 1.8.9                     January 22, 2014                     Sudo 1.8.9
--- a/doc/sudo.conf.man.in	Wed Jan 22 20:48:49 2014 -0700
+++ b/doc/sudo.conf.man.in	Thu Jan 23 14:52:54 2014 -0700
@@ -1,7 +1,7 @@
 .\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
 .\" IT IS GENERATED AUTOMATICALLY FROM sudo.conf.mdoc.in
 .\"
-.\" Copyright (c) 2010-2013 Todd C. Miller <Todd.Miller@courtesan.com>
+.\" Copyright (c) 2010-2014 Todd C. Miller <Todd.Miller@courtesan.com>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -16,7 +16,7 @@
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.TH "SUDO" "5" "December 4, 2013" "Sudo @PACKAGE_VERSION@" "OpenBSD Programmer's Manual"
+.TH "SUDO" "5" "January 22, 2014" "Sudo @PACKAGE_VERSION@" "OpenBSD Programmer's Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -405,6 +405,29 @@
 \fBsudo\fR
 version 1.8.7 and higher.
 .PD
+.TP 10n
+probe_interfaces
+By default,
+\fBsudo\fR
+will probe the system's network interfaces and pass the IP address
+of each enabled interface to the policy plugin.  This makes it
+possible for the plugin to match rules based on the IP address
+without having to query DNS.  On Linux systems with a large number
+of virtual interfaces, this may take a non-negligible amount of time.
+If IP-based matching is not required, network interface probing
+can be disabled as follows:
+.RS
+.nf
+.sp
+.RS 6n
+Set probe_interfaces false
+.RE
+.fi
+.sp
+This setting is only available in
+\fBsudo\fR
+version 1.8.10 and higher.
+.RE
 .SS "Debug flags"
 \fBsudo\fR
 versions 1.8.4 and higher support a flexible debugging framework
--- a/doc/sudo.conf.mdoc.in	Wed Jan 22 20:48:49 2014 -0700
+++ b/doc/sudo.conf.mdoc.in	Thu Jan 23 14:52:54 2014 -0700
@@ -1,5 +1,5 @@
 .\"
-.\" Copyright (c) 2010-2013 Todd C. Miller <Todd.Miller@courtesan.com>
+.\" Copyright (c) 2010-2014 Todd C. Miller <Todd.Miller@courtesan.com>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd December 4, 2013
+.Dd January 22, 2014
 .Dt SUDO @mansectform@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -360,6 +360,23 @@
 This setting is only available in
 .Nm sudo
 version 1.8.7 and higher.
+.It probe_interfaces
+By default,
+.Nm sudo
+will probe the system's network interfaces and pass the IP address
+of each enabled interface to the policy plugin.  This makes it
+possible for the plugin to match rules based on the IP address
+without having to query DNS.  On Linux systems with a large number
+of virtual interfaces, this may take a non-negligible amount of time.
+If IP-based matching is not required, network interface probing
+can be disabled as follows:
+.Bd -literal -offset indent
+Set probe_interfaces false
+.Ed
+.Pp
+This setting is only available in
+.Nm sudo
+version 1.8.10 and higher.
 .El
 .Ss Debug flags
 .Nm sudo
--- a/include/sudo_conf.h	Wed Jan 22 20:48:49 2014 -0700
+++ b/include/sudo_conf.h	Thu Jan 23 14:52:54 2014 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2011-2013 Todd C. Miller <Todd.Miller@courtesan.com>
+ * Copyright (c) 2011-2014 Todd C. Miller <Todd.Miller@courtesan.com>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -43,6 +43,7 @@
 const char *sudo_conf_debug_flags(void);
 struct plugin_info_list *sudo_conf_plugins(void);
 bool sudo_conf_disable_coredump(void);
+bool sudo_conf_probe_interfaces(void);
 int sudo_conf_group_source(void);
 int sudo_conf_max_groups(void);
 
--- a/src/net_ifs.c	Wed Jan 22 20:48:49 2014 -0700
+++ b/src/net_ifs.c	Thu Jan 23 14:52:54 2014 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 1998-2005, 2007-2013
+ * Copyright (c) 1996, 1998-2005, 2007-2014
  *	Todd C. Miller <Todd.Miller@courtesan.com>
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -55,6 +55,11 @@
 #ifdef HAVE_STRINGS_H
 # include <strings.h>
 #endif /* HAVE_STRINGS_H */
+#ifdef HAVE_STDBOOL_H
+# include <stdbool.h>
+#else
+# include "compat/stdbool.h"
+#endif /* HAVE_STDBOOL_H */
 #ifdef HAVE_UNISTD_H
 # include <unistd.h>
 #endif /* HAVE_UNISTD_H */
@@ -82,6 +87,7 @@
 #include "missing.h"
 #include "alloc.h"
 #include "fatal.h"
+#include "sudo_conf.h"
 #include "sudo_debug.h"
 
 #define DEFAULT_TEXT_DOMAIN	"sudo"
@@ -115,7 +121,7 @@
     char *cp;
     debug_decl(get_net_ifs, SUDO_DEBUG_NETIF)
 
-    if (getifaddrs(&ifaddrs))
+    if (!sudo_conf_probe_interfaces() || getifaddrs(&ifaddrs) != 0)
 	debug_return_int(0);
 
     /* Allocate space for the interfaces info string. */
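Review bot: The merged condition on the changed line makes a disabled probe indistinguishable from a failed getifaddrs(): both paths return 0 with no trace, so a policy plugin that unexpectedly receives an empty interface list cannot be diagnosed from the debug log. Splitting the check, as the second implementation later in this file does, and emitting a debug message for each case would keep the two apart: `if (!sudo_conf_probe_interfaces()) debug_return_int(0);` followed by `if (getifaddrs(&ifaddrs) != 0) debug_return_int(0);`, each preceded by a sudo_debug_printf() under SUDO_DEBUG_NETIF saying which path was taken. get_net_ifs begins and ends outside this hunk.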
@@ -221,6 +227,9 @@
 #endif /* _ISC */
     debug_decl(get_net_ifs, SUDO_DEBUG_NETIF)
 
+    if (!sudo_conf_probe_interfaces())
+	debug_return_int(0);
+
     sock = socket(AF_INET, SOCK_DGRAM, 0);
     if (sock < 0)
 	fatal(U_("unable to open socket"));