When matching against runas_default use userpw_matches() instead

of just strcasecmp().
2016-09-15 13:36:43 -06:00
parent a750bebf10
commit 0ff95dfaaa
2 changed files with 6 additions and 3 deletions
--- a/plugins/sudoers/ldap.c
+++ b/plugins/sudoers/ldap.c
@@ -870,8 +870,10 @@ sudo_ldap_check_runas(LDAP *ld, LDAPMessage *entry)
     * If there are no runas entries, match runas_default against
     * what the user specified on the command line.
     */
-    if (user_matched == UNSPEC && group_matched == UNSPEC)
-	debug_return_int(!strcasecmp(runas_pw->pw_name, def_runas_default));
+    if (user_matched == UNSPEC && group_matched == UNSPEC) {
+	debug_return_int(userpw_matches(def_runas_default, runas_pw->pw_name,
+	    runas_pw));
+    }

    debug_return_bool(group_matched != false && user_matched != false); 
 }
--- a/plugins/sudoers/sssd.c
+++ b/plugins/sudoers/sssd.c
@@ -716,7 +716,8 @@ sudo_sss_check_runas(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
     */
    if (user_matched == UNSPEC && group_matched == UNSPEC) {
 	sudo_debug_printf(SUDO_DEBUG_INFO, "Matching against runas_default");
-	debug_return_int(!strcasecmp(runas_pw->pw_name, def_runas_default));
+	debug_return_int(userpw_matches(def_runas_default, runas_pw->pw_name,
+	    runas_pw));
    }

    debug_return_bool(group_matched != false && user_matched != false);