Add support for negated sudoRunAsUser and sudoRunAsGroup entries.

MANIFEST

@@ -460,6 +460,8 @@ plugins/sudoers/regress/cvtsudoers/test31.out.ok
 plugins/sudoers/regress/cvtsudoers/test31.sh
 plugins/sudoers/regress/cvtsudoers/test32.out.ok
 plugins/sudoers/regress/cvtsudoers/test32.sh
+plugins/sudoers/regress/cvtsudoers/test33.out.ok
+plugins/sudoers/regress/cvtsudoers/test33.sh
 plugins/sudoers/regress/cvtsudoers/test4.out.ok
 plugins/sudoers/regress/cvtsudoers/test4.sh
 plugins/sudoers/regress/cvtsudoers/test5.out.ok

doc/sudoers.ldap.cat

@@ -107,21 +107,28 @@ DDEESSCCRRIIPPTTIIOONN
            A user name or uid (prefixed with `#') that commands may be run as
            or a Unix group (prefixed with a `%') or user netgroup (prefixed
            with a `+') that contains a list of users that commands may be run
-           as.  The special value ALL will match any user.  If sudoRunAsUser
+           as.  The special value ALL will match any user.  If a sudoRunAsUser
-           is specified but empty, it will match the invoking user.  If
+           entry is preceded by an exclamation point, `!', and the entry
-           neither sudoRunAsUser nor sudoRunAsGroup are present, the value of
+           matches, the sudoRole in which it resides will be ignored.  If
-           the _r_u_n_a_s___d_e_f_a_u_l_t sudoOption is used (defaults to root).
+           sudoRunAsUser is specified but empty, it will match the invoking
+           user.  If neither sudoRunAsUser nor sudoRunAsGroup are present, the
+           value of the _r_u_n_a_s___d_e_f_a_u_l_t sudoOption is used (defaults to root).
 
            The sudoRunAsUser attribute is only available in ssuuddoo versions
            1.7.0 and higher.  Older versions of ssuuddoo use the sudoRunAs
-           attribute instead.
+           attribute instead.  Negated sudoRunAsUser entries are only
+           supported by version 1.8.26 or higher.
 
      ssuuddooRRuunnAAssGGrroouupp
            A Unix group or gid (prefixed with `#') that commands may be run
-           as.  The special value ALL will match any group.
+           as.  The special value ALL will match any group.  If a
+           sudoRunAsGroup entry is preceded by an exclamation point, `!', and
+           the entry matches, the sudoRole in which it resides will be
+           ignored.
 
            The sudoRunAsGroup attribute is only available in ssuuddoo versions
-           1.7.0 and higher.
+           1.7.0 and higher.  Negated sudoRunAsGroup entries are only
+           supported by version 1.8.26 or higher.
 
      ssuuddooNNoottBBeeffoorree
            A timestamp in the form yyyymmddHHMMSSZ that can be used to provide
@@ -1011,4 +1018,4 @@ DDIISSCCLLAAIIMMEERR
      file distributed with ssuuddoo or https://www.sudo.ws/license.html for
      complete details.
 
-Sudo 1.8.26                     October 7, 2018                    Sudo 1.8.26
+Sudo 1.8.26                    October 28, 2018                    Sudo 1.8.26

doc/sudoers.ldap.man.in

@@ -14,7 +14,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.TH "SUDOERS.LDAP" "5" "October 7, 2018" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDOERS.LDAP" "5" "October 28, 2018" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -218,6 +218,13 @@ that contains a list of users that commands may be run as.
 The special value
 \fRALL\fR
 will match any user.
+If a
+\fRsudoRunAsUser\fR
+entry is preceded by an exclamation point,
+\(oq\&!\(cq,
+and the entry matches, the
+\fRsudoRole\fR
+in which it resides will be ignored.
 If
 \fRsudoRunAsUser\fR
 is specified but empty, it will match the invoking user.
@@ -242,6 +249,9 @@ Older versions of
 use the
 \fRsudoRunAs\fR
 attribute instead.
+Negated
+\fRsudoRunAsUser\fR
+entries are only supported by version 1.8.26 or higher.
 .TP 6n
 \fBsudoRunAsGroup\fR
 A Unix group or gid (prefixed with
@@ -250,6 +260,13 @@ that commands may be run as.
 The special value
 \fRALL\fR
 will match any group.
+If a
+\fRsudoRunAsGroup\fR
+entry is preceded by an exclamation point,
+\(oq\&!\(cq,
+and the entry matches, the
+\fRsudoRole\fR
+in which it resides will be ignored.
 .sp
 The
 \fRsudoRunAsGroup\fR
@@ -257,6 +274,9 @@ attribute is only available in
 \fBsudo\fR
 versions
 1.7.0 and higher.
+Negated
+\fRsudoRunAsGroup\fR
+entries are only supported by version 1.8.26 or higher.
 .TP 6n
 \fBsudoNotBefore\fR
 A timestamp in the form

doc/sudoers.ldap.mdoc.in

@@ -13,7 +13,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd October 7, 2018
+.Dd October 28, 2018
 .Dt SUDOERS.LDAP @mansectform@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -203,6 +203,13 @@ that contains a list of users that commands may be run as.
 The special value
 .Li ALL
 will match any user.
+If a
+.Li sudoRunAsUser
+entry is preceded by an exclamation point,
+.Ql \&! ,
+and the entry matches, the
+.Li sudoRole
+in which it resides will be ignored.
 If
 .Li sudoRunAsUser
 is specified but empty, it will match the invoking user.
@@ -227,6 +234,9 @@ Older versions of
 use the
 .Li sudoRunAs
 attribute instead.
+Negated
+.Li sudoRunAsUser
+entries are only supported by version 1.8.26 or higher.
 .It Sy sudoRunAsGroup
 A Unix group or gid (prefixed with
 .Ql # )
@@ -234,6 +244,13 @@ that commands may be run as.
 The special value
 .Li ALL
 will match any group.
+If a
+.Li sudoRunAsGroup
+entry is preceded by an exclamation point,
+.Ql \&! ,
+and the entry matches, the
+.Li sudoRole
+in which it resides will be ignored.
 .Pp
 The
 .Li sudoRunAsGroup
@@ -241,6 +258,9 @@ attribute is only available in
 .Nm sudo
 versions
 1.7.0 and higher.
+Negated
+.Li sudoRunAsGroup
+entries are only supported by version 1.8.26 or higher.
 .It Sy sudoNotBefore
 A timestamp in the form
 .Li yyyymmddHHMMSSZ

plugins/sudoers/ldap_util.c

@@ -123,6 +123,8 @@ sudo_ldap_parse_option(char *optstr, char **varp, char **valp)
 static struct member_list *
 array_to_member_list(void *a, sudo_ldap_iter_t iter)
 {
+    struct member_list negated_members =
+	TAILQ_HEAD_INITIALIZER(negated_members);
     struct member_list *members;
     struct member *m;
     char *val;
@@ -135,6 +137,7 @@ array_to_member_list(void *a, sudo_ldap_iter_t iter)
     while ((val = iter(&a)) != NULL) {
 	if ((m = calloc(1, sizeof(*m))) == NULL)
 	    goto bad;
+	m->negated = sudo_ldap_is_negated(&val);
 
 	switch (val[0]) {
 	case '\0':
@@ -172,10 +175,17 @@ array_to_member_list(void *a, sudo_ldap_iter_t iter)
 	    }
 	    break;
 	}
-	TAILQ_INSERT_TAIL(members, m, entries);
+	if (m->negated)
+	    TAILQ_INSERT_TAIL(&negated_members, m, entries);
+	else
+	    TAILQ_INSERT_TAIL(members, m, entries);
     }
+
+    /* Negated members take precedence so we insert them at the end. */
+    TAILQ_CONCAT(members, &negated_members, entries);
     debug_return_ptr(members);
 bad:
+    free_members(&negated_members);
     free_members(members);
     free(members);
     debug_return_ptr(NULL);

plugins/sudoers/regress/cvtsudoers/test33.out.ok

@@ -0,0 +1,7 @@
+Defaults log_output
+
+# sudoRole root
+root ALL = (ALL : ALL) NOPASSWD: ALL
+
+# sudoRole millert
+millert ALL = (ALL, !bin, !root : ALL, !wheel) ALL

plugins/sudoers/regress/cvtsudoers/test33.sh

@@ -0,0 +1,61 @@
+#!/bin/sh
+#
+# Test LDAP negated sudoRunAsUser and sudoRunAsGroup converted to sudoers.
+#
+
+exec 2>&1
+./cvtsudoers -c "" -i ldif -f sudoers <<EOF
+dn: dc=sudo,dc=ws
+objectClass: dcObject
+objectClass: organization
+dc: courtesan
+o: Sudo World Headquarters
+description: Sudo World Headquarters
+
+# Organizational Role for Directory Manager
+dn: cn=Manager,dc=sudo,dc=ws
+objectClass: organizationalRole
+cn: Manager
+description: Directory Manager
+
+# SUDOers, sudo.ws
+dn: ou=SUDOers,dc=sudo,dc=ws
+objectClass: top
+objectClass: organizationalUnit
+description: SUDO Configuration Subtree
+ou: SUDOers
+
+# defaults, SUDOers, sudo.ws
+dn: cn=defaults,ou=SUDOers,dc=sudo,dc=ws
+objectClass: top
+objectClass: sudoRole
+cn: defaults
+description: Default sudoOption's go here
+sudoOption: log_output
+
+# root, SUDOers, sudo.ws
+dn: cn=root,ou=SUDOers,dc=sudo,dc=ws
+objectClass: top
+objectClass: sudoRole
+cn: root
+sudoUser: root
+sudoRunAsUser: ALL
+sudoRunAsGroup: ALL
+sudoHost: ALL
+sudoCommand: ALL
+sudoOption: !authenticate
+
+# millert, SUDOers, sudo.ws
+dn: cn=millert,ou=SUDOers,dc=sudo,dc=ws
+objectClass: top
+objectClass: sudoRole
+cn: millert
+sudoUser: millert
+sudoRunAsUser: !bin
+sudoRunAsUser: !root
+sudoRunAsUser: ALL
+sudoRunAsGroup: ALL
+sudoRunAsGroup: !wheel
+sudoHost: ALL
+sudoCommand: ALL
+EOF