isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

The fix for matching when no sudoRunAsUser is present in a sudoRole

Browse Source 
was incomplete.  If no -g option was specified on the command line
but sudoRunAsGroup is present in a sudoRole, we need to treat the
group match as failed instead of missing.
This commit is contained in:
Todd C. Miller
2017-09-01 11:36:15 -06:00
parent 507ab6fdcd
commit 06d52c97c2
2 changed files with 24 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
plugins/sudoers/ldap.c
View File

@@ -781,7 +781,7 @@ sudo_ldap_check_host(LDAP *ld, LDAPMessage *entry, struct passwd *pw)
}
static int
sudo_ldap_check_runas_user(LDAP *ld, LDAPMessage *entry, int group_matched)
sudo_ldap_check_runas_user(LDAP *ld, LDAPMessage *entry, int *group_matched)
{
struct berval **bv, **p;
char *val;
@@ -793,9 +793,18 @@ sudo_ldap_check_runas_user(LDAP *ld, LDAPMessage *entry, int group_matched)
if (bv == NULL)
bv = ldap_get_values_len(ld, entry, "sudoRunAs"); /* old style */
if (bv == NULL) {
DPRINTF2("sudoRunAsUser: no result.");
if (*group_matched == UNSPEC) {
/* We haven't check for sudoRunAsGroup yet, check now. */
bv = ldap_get_values_len(ld, entry, "sudoRunAsGroup");
if (bv != NULL) {
*group_matched = false;
ldap_value_free_len(bv);
}
}
if (!ISSET(sudo_user.flags, RUNAS_USER_SPECIFIED))
debug_return_int(UNSPEC);
switch (group_matched) {
switch (*group_matched) {
case UNSPEC:
/*
* No runas user or group entries. Match runas_default
@@ -875,6 +884,7 @@ sudo_ldap_check_runas_group(LDAP *ld, LDAPMessage *entry)
/* get the values from the entry */
bv = ldap_get_values_len(ld, entry, "sudoRunAsGroup");
if (bv == NULL) {
DPRINTF2("sudoRunAsGroup: no result.");
if (!ISSET(sudo_user.flags, RUNAS_USER_SPECIFIED)) {
if (runas_pw->pw_gid == runas_gr->gr_gid)
ret = true; /* runas group matches passwd db */
@@ -912,7 +922,7 @@ sudo_ldap_check_runas(LDAP *ld, LDAPMessage *entry)
if (ISSET(sudo_user.flags, RUNAS_GROUP_SPECIFIED))
group_matched = sudo_ldap_check_runas_group(ld, entry);
user_matched = sudo_ldap_check_runas_user(ld, entry, group_matched);
user_matched = sudo_ldap_check_runas_user(ld, entry, &group_matched);
debug_return_bool(group_matched != false && user_matched != false);
}