a5f9360d9a
- major changes & fixes: - when running a command in the background, sudo will now forward SIGINFO to the command - the passwords in ldap.conf and ldap.secret may now be encoded in base64. - SELinux role changes are now audited. For sudoedit, we now audit the actual editor being run, instead of just the sudoedit command. - it is now possible to match an environment variable's value as well as its name using env_keep and env_check - new files created via sudoedit as a non-root user now have the proper group id - sudoedit now works correctly in conjunction with sudo's SELinux RBAC support - it is now possible to disable network interface probing in sudo.conf by changing the value of the probe_interfaces setting - when listing a user's privileges (sudo -l), the sudoers plugin will now prompt for the user's password even if the targetpw, rootpw or runaspw options are set. - the new use_netgroups sudoers option can be used to explicitly enable or disable netgroups support - visudo can now export a sudoers file in JSON format using the new -x flag - added patch to read ldap.conf more closely to nss_ldap - require /usr/bin/vi instead of vim-minimal - include pam.d/system-auth in PAM session phase from pam.d/sudo - include pam.d/sudo in PAM session phase from pam.d/sudo-i
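diff -up sudo-1.8.11b4/plugins/sudoers/ldap.c.ldapconfpatch sudo-1.8.11b4/plugins/sudoers/ldap.c
--- sudo-1.8.11b4/plugins/sudoers/ldap.c.ldapconfpatch 2014-07-22 22:52:34.000000000 +0200
+++ sudo-1.8.11b4/plugins/sudoers/ldap.c 2014-09-15 11:22:11.122094452 +0200
@@ -1550,6 +1550,33 @@ sudo_check_krb5_ccname(const char *ccnam
 }
 #endif /* HAVE_LDAP_SASL_INTERACTIVE_BIND_S */
 
+/*
+ * Read a line of input, remove whole line comments and strip off leading
+ * and trailing spaces. Returns static storage that is reused.
+ */
+static char *
+sudo_ldap_parseln(fp)
+ FILE *fp;
+{
+ size_t len;
+ char *cp = NULL;
+ static char buf[LINE_MAX];
+
+ if (fgets(buf, sizeof(buf), fp) != NULL) {
+ /* Remove comments */
+ if (*buf == '#')
+ *buf = '\0';
+
+ /* Trim leading and trailing whitespace/newline */
+ len = strlen(buf);
+ while (len > 0 && isspace((unsigned char)buf[len - 1]))
+ buf[--len] = '\0';
+ for (cp = buf; isblank(*cp); cp++)
+ continue;
+ }
+ return(cp);
+}
+
 static bool
 sudo_ldap_read_config(void)
 {
@@ -1575,7 +1602,7 @@ sudo_ldap_read_config(void)
 if ((fp = fopen(path_ldap_conf, "r")) == NULL)
 debug_return_bool(false);
 
- while (sudo_parseln(&line, &linesize, NULL, fp) != -1) {
+ while ((line = sudo_ldap_parseln(fp)) != NULL) {
 if (*line == '\0')
 continue; /* skip empty line */
 
@@ -1595,7 +1622,6 @@ sudo_ldap_read_config(void)
 if (!sudo_ldap_parse_keyword(keyword, value, ldap_conf_global))
 sudo_ldap_parse_keyword(keyword, value, ldap_conf_conn);
 }
- free(line);
 fclose(fp);
 
 if (!ldap_conf.host)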
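Review bot: In the new sudo_ldap_parseln() (first hunk), a physical line longer than LINE_MAX - 1 bytes goes undetected: fgets() returns the first part, and the next call hands the remainder to sudo_ldap_read_config() as if it were a line of its own. Since the commit description says ldap.conf can carry the bind password, the tail of an over-long value reaching the keyword parser is a silent misconfiguration; the replaced sudo_parseln() call took `&line, &linesize`, which suggests it grew its buffer, so this looks like a regression in line-length handling. I would detect the missing newline, drain the rest of the physical line and drop or reject it, as sketched below (whether to warn or fail is a policy choice). Separately, `isblank(*cp)` passes a plain char while the loop just above casts, so it should read `isblank((unsigned char)*cp)`. The `#` test also runs before leading blanks are skipped, so an indented comment line is returned as content; the header comment should say so if that is intended.

```c
    if (fgets(buf, sizeof(buf), fp) != NULL) {
        /* Over-long line: consume the rest so it is not parsed as its own line. */
        len = strlen(buf);
        if (len == sizeof(buf) - 1 && buf[len - 1] != '\n') {
            int ch, truncated = 0;

            while ((ch = getc(fp)) != EOF && ch != '\n')
                truncated = 1;
            if (truncated)
                *buf = '\0';    /* drop the partial line rather than act on it */
        }
        /* … unchanged: whole-line comment removal and whitespace trimming … */
```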