Jackie Huang | 57fdea7 | 2020-04-23 11:29:15 +0800 | [diff] [blame^] | 1 | From acbbefdbcf2951a2ce31fe4fc789cf8397a406cc Mon Sep 17 00:00:00 2001 |
| 2 | From: "Sar Ashki, Babak" <Babak.SarAshki@windriver.com> |
| 3 | Date: Wed, 11 Dec 2019 19:43:19 -0800 |
| 4 | |
| 5 | --- |
| 6 | plugins/sudoers/def_data.c | 4 ++++ |
| 7 | plugins/sudoers/def_data.h | 2 ++ |
| 8 | plugins/sudoers/def_data.in | 3 +++ |
| 9 | plugins/sudoers/sudoers.c | 14 ++++++++++++++ |
| 10 | 4 files changed, 23 insertions(+) |
| 11 | |
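--- a/plugins/sudoers/def_data.c
+++ b/plugins/sudoers/def_data.c
@@ -498,6 +498,10 @@ struct sudo_defs_types sudo_defs_table[] = {
 N_("Don't pre-resolve all group names"),
 NULL,
 }, {
+ "cmnd_no_wait", T_FLAG,
+ N_("Don't fork and wait for the command to finish, just exec it"),
+ NULL,
+ }, {
 NULL, 0, NULL
 }
 };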
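--- a/plugins/sudoers/def_data.h
+++ b/plugins/sudoers/def_data.h
@@ -228,6 +228,8 @@
 #define def_case_insensitive_group (sudo_defs_table[I_CASE_INSENSITIVE_GROUP].sd_un.flag)
 #define I_LEGACY_GROUP_PROCESSING 114
 #define def_legacy_group_processing (sudo_defs_table[I_LEGACY_GROUP_PROCESSING].sd_un.flag)
+#define I_CMND_NO_WAIT 115
+#define def_cmnd_no_wait (sudo_defs_table[I_CMND_NO_WAIT].sd_un.flag)
 
 enum def_tuple {
 never,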
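--- a/plugins/sudoers/def_data.in
+++ b/plugins/sudoers/def_data.in
@@ -360,3 +360,6 @@ case_insensitive_group
 legacy_group_processing
 T_FLAG
 "Don't pre-resolve all group names"
+cmnd_no_wait
+ T_FLAG
+ "Don't fork and wait for the command to finish, just exec it"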
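Review bot: The description string added for `cmnd_no_wait` says only that sudo execs the command without forking, but the sudoers.c hunk of this patch implements the flag by turning off pam_session, pam_setcred, use_pty, log_input and log_output. This string is the only user-visible text the patch adds for the option, so it should name those side effects, for example `"Exec the command directly; disables PAM session, pty and I/O logging"`. The diffstat lists no manual-page file, so an administrator enabling the flag has no other place to learn that it removes the audit trail and pty isolation.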
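--- a/plugins/sudoers/sudoers.c
+++ b/plugins/sudoers/sudoers.c
@@ -221,6 +221,20 @@ sudoers_policy_init(void *info, char * const envp[])
 def_match_group_by_gid = false;
 def_legacy_group_processing = false;
 }
+
+ /*
+ * Emulate cmnd_no_wait option by disabling PAM session, PTY allocation
+ * and I/O logging. This will cause sudo to execute the given command
+ * directly instead of forking a separate process for it.
+ */
+ if (def_cmnd_no_wait) {
+ def_pam_setcred = false;
+ def_pam_session = false;
+ def_use_pty = false;
+ def_log_input = false;
+ def_log_output = false;
+ }
+
 cleanup:
 if (!restore_perms())
 ret = -1;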
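Review bot: The new `if (def_cmnd_no_wait)` block silently clears `def_use_pty`, `def_log_input` and `def_log_output`, so a single `Defaults cmnd_no_wait` line overrides pty-isolation and session-audit settings an administrator enabled elsewhere in sudoers, and nothing in the hunk records that this happened. Consider rejecting the combination, or at least warning before the assignments, e.g. `if (def_use_pty || def_log_input || def_log_output) sudo_warnx(U_("cmnd_no_wait disables use_pty and I/O logging"));`. Clearing `def_pam_session` and `def_pam_setcred` presumably also means session-module effects such as resource limits are not applied to the command, which the comment should state. The override runs once in sudoers_policy_init(), whose body extends outside the hunk. If command- or runas-bound Defaults are applied later, they could re-enable these flags, or set cmnd_no_wait too late to be seen here; that ordering should be confirmed.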