
Commit 131e7e2

citrus-itmillert
authored andcommitted
Allow --secure-path-value=no
This adds support for --with-secure-path-value=no to allow packagers to ship the sudoers configuration file with the secure path line commented out if required.
1 parent ae5cf31 commit 131e7e2

2 files changed

Lines changed: 7 additions & 3 deletions


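--- a/configure.ac
+++ b/configure.ac
@@ -177,6 +177,7 @@ AC_SUBST([sssd_lib])
 AC_SUBST([nsswitch_conf])
 AC_SUBST([netsvc_conf])
 AC_SUBST([secure_path])
+AC_SUBST([secure_path_config])
 AC_SUBST([secure_path_status])
 AC_SUBST([editor])
 AC_SUBST([pam_session])
@@ -230,6 +231,7 @@ sesh_file="$libexecdir/sudo/sesh"
 visudo="$sbindir/visudo"
 nsswitch_conf=/etc/nsswitch.conf
 secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+secure_path_config=
 secure_path_status="disabled"
 pam_session=on
 pam_login_service=sudo
@@ -1068,9 +1070,11 @@ AC_ARG_WITH(ldap-secret-file, [AS_HELP_STRING([--with-ldap-secret-file], [path t
 test -n "$with_ldap_secret_file" && ldap_secret="$with_ldap_secret_file"
 SUDO_DEFINE_UNQUOTED(_PATH_LDAP_SECRET, "$ldap_secret", [Path to the ldap.secret file])
 
-AC_ARG_WITH(secure-path-value, [AS_HELP_STRING([--with-secure-path-value], [value of secure_path in the default sudoers file])],
+AC_ARG_WITH(secure-path-value, [AS_HELP_STRING([--with-secure-path-value], [value of secure_path in the default sudoers file, or "no" to comment out by default])],
 [case $with_secure_path_value in
-yes|no) AC_MSG_ERROR([must give --secure-path-value an argument.])
+yes) AC_MSG_ERROR([must give --with-secure-path-value an argument.])
+;;
+no) secure_path_config="# "
 ;;
 *) secure_path="$with_secure_path_value"
 ;;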
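Review bot: The new `no)` arm of the `--with-secure-path-value` case only sets `secure_path_config="# "` and prints nothing, so a build that ships sudoers with the `secure_path` line commented out leaves no trace in the configure output. Because autoconf treats `--without-secure-path-value` as the value `no`, that spelling now has the same effect without being mentioned in the help string. I would add `AC_MSG_NOTICE([secure_path will be commented out in the default sudoers file])` to the `no)` arm and mention the `--without-` form in the help text. The case statement continues past the end of the hunk, so the rest of the option handling is not visible here.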

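--- a/plugins/sudoers/sudoers.in
+++ b/plugins/sudoers/sudoers.in
@@ -48,7 +48,7 @@ Defaults!@visudo@ env_keep += "SUDO_EDITOR EDITOR VISUAL"
 ## Use a hard-coded PATH instead of the user's to find commands.
 ## This also helps prevent poorly written scripts from running
 ## artbitrary commands under sudo.
-Defaults secure_path="@secure_path@"
+@secure_path_config@Defaults secure_path="@secure_path@"
 ##
 ## You may wish to keep some of the following environment variables
 ## when running commands via sudo.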
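Review bot: The `##` comment above the changed line still describes the hard-coded PATH as being in effect, which is no longer true when `@secure_path_config@` expands to `# `. An administrator reading the installed file gets no hint that the commented-out line is a hardening setting rather than an example. I would add one line that holds in both cases, for instance `## If the Defaults line below is commented out, the user's PATH is used instead.` The neighbouring context line also spells "arbitrary" as "artbitrary", which could be fixed in the same pass.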
