The fix for matching when no sudoRunAsUser is present in a sudoRole

was incomplete.  If no -g option was specified on the command line
but sudoRunAsGroup is present in a sudoRole, we need to treat the
group match as failed instead of missing.
Todd C. Miller
2017-09-01 11:36:15 -06:00
parent 507ab6fdcd
commit 06d52c97c2
2 changed files with 24 additions and 6 deletions


@@ -781,7 +781,7 @@ sudo_ldap_check_host(LDAP *ld, LDAPMessage *entry, struct passwd *pw)
}
static int
sudo_ldap_check_runas_user(LDAP *ld, LDAPMessage *entry, int group_matched)
sudo_ldap_check_runas_user(LDAP *ld, LDAPMessage *entry, int *group_matched)
{
struct berval **bv, **p;
char *val;
@@ -793,9 +793,18 @@ sudo_ldap_check_runas_user(LDAP *ld, LDAPMessage *entry, int group_matched)
if (bv == NULL)
bv = ldap_get_values_len(ld, entry, "sudoRunAs"); /* old style */
if (bv == NULL) {
DPRINTF2("sudoRunAsUser: no result.");
if (*group_matched == UNSPEC) {
/* We haven't check for sudoRunAsGroup yet, check now. */
bv = ldap_get_values_len(ld, entry, "sudoRunAsGroup");
if (bv != NULL) {
*group_matched = false;
ldap_value_free_len(bv);
}
}
if (!ISSET(sudo_user.flags, RUNAS_USER_SPECIFIED))
debug_return_int(UNSPEC);
switch (group_matched) {
switch (*group_matched) {
case UNSPEC:
/*
* No runas user or group entries. Match runas_default
@@ -875,6 +884,7 @@ sudo_ldap_check_runas_group(LDAP *ld, LDAPMessage *entry)
/* get the values from the entry */
bv = ldap_get_values_len(ld, entry, "sudoRunAsGroup");
if (bv == NULL) {
DPRINTF2("sudoRunAsGroup: no result.");
if (!ISSET(sudo_user.flags, RUNAS_USER_SPECIFIED)) {
if (runas_pw->pw_gid == runas_gr->gr_gid)
ret = true; /* runas group matches passwd db */
@@ -912,7 +922,7 @@ sudo_ldap_check_runas(LDAP *ld, LDAPMessage *entry)
if (ISSET(sudo_user.flags, RUNAS_GROUP_SPECIFIED))
group_matched = sudo_ldap_check_runas_group(ld, entry);
user_matched = sudo_ldap_check_runas_user(ld, entry, group_matched);
user_matched = sudo_ldap_check_runas_user(ld, entry, &group_matched);
debug_return_bool(group_matched != false && user_matched != false);
}
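Review bot: In the second hunk of sudo_ldap_check_runas_user, `bv` is reused for the sudoRunAsGroup probe and then freed with `ldap_value_free_len(bv)`, so inside what is otherwise the `bv == NULL` branch it now holds a freed address; if anything after this block (the function continues past the hunk) tests or walks `bv`, it would dereference a dangling pointer rather than see NULL. Either probe through a separate local or restore the invariant with `bv = NULL;` right after the free. The new comment also has a typo; `/* We haven't checked for sudoRunAsGroup yet; check now. */` reads correctly. The same variable reuse and the same comment appear in the sudo_sss_check_runas_user hunk of sss.c, where `i` and `val_array` are overwritten for the probe.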


@@ -583,7 +583,7 @@ sudo_sss_checkpw(struct sudo_nss *nss, struct passwd *pw)
}
static int
sudo_sss_check_runas_user(struct sudo_sss_handle *handle, struct sss_sudo_rule *sss_rule, int group_matched)
sudo_sss_check_runas_user(struct sudo_sss_handle *handle, struct sss_sudo_rule *sss_rule, int *group_matched)
{
const char *host = handle->ipa_host ? handle->ipa_host : user_runhost;
const char *shost = handle->ipa_shost ? handle->ipa_shost : user_srunhost;
@@ -603,9 +603,17 @@ sudo_sss_check_runas_user(struct sudo_sss_handle *handle, struct sss_sudo_rule *
break;
case ENOENT:
sudo_debug_printf(SUDO_DEBUG_INFO, "sudoRunAsUser: no result.");
if (*group_matched == UNSPEC) {
/* We haven't check for sudoRunAsGroup yet, check now. */
i = handle->fn_get_values(sss_rule, "sudoRunAsGroup", &val_array);
if (i == 0) {
*group_matched = false;
handle->fn_free_values(val_array);
}
}
if (!ISSET(sudo_user.flags, RUNAS_USER_SPECIFIED))
debug_return_int(UNSPEC);
switch (group_matched) {
switch (*group_matched) {
case UNSPEC:
/*
* No runas user or group entries. Match runas_default
@@ -755,7 +763,7 @@ sudo_sss_check_runas(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
if (ISSET(sudo_user.flags, RUNAS_GROUP_SPECIFIED))
group_matched = sudo_sss_check_runas_group(handle, rule);
user_matched = sudo_sss_check_runas_user(handle, rule, group_matched);
user_matched = sudo_sss_check_runas_user(handle, rule, &group_matched);
debug_return_bool(group_matched != false && user_matched != false);
}
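Review bot: The inner `handle->fn_get_values(sss_rule, "sudoRunAsGroup", &val_array)` call in sudo_sss_check_runas_user only marks the group as unmatched when it returns 0; any other non-ENOENT return (a backend failure) leaves `*group_matched` at UNSPEC, and the `case UNSPEC:` arm below then treats the role as having no runas group entries, which is the more permissive outcome for a rule that may well carry one. Since the commit's intent is that a present-but-unrequested sudoRunAsGroup fails the match, an unexpected error should presumably fail closed as well, e.g. `if (i != ENOENT) { *group_matched = false; if (i == 0) handle->fn_free_values(val_array); }`, with a one-line comment such as `/* Only "no such attribute" may leave the group match unspecified. */`. This is hedged, because how the outer sudoRunAsUser lookup handles its own non-ENOENT errors lies outside the hunk, as do the start and end of the enclosing switch and function.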