diff --git a/plugins/sudoers/cvtsudoers_merge.c b/plugins/sudoers/cvtsudoers_merge.c
index 691daf0c1..bdb380b8e 100644
--- a/plugins/sudoers/cvtsudoers_merge.c
+++ b/plugins/sudoers/cvtsudoers_merge.c
@@ -1014,7 +1014,7 @@ userspec_overridden(struct userspec *us1,
 struct privilege *priv1, *priv2;

 if (!member_list_override(&us1->users, &us2->users, check_negated))
- break;
+ continue;

 /* XXX - order should not matter */
 priv1 = TAILQ_LAST(&us1->privileges, privilege_list);
@@ -1031,8 +1031,10 @@ userspec_overridden(struct userspec *us1,
 priv1 = TAILQ_PREV(priv1, privilege_list, entries);
 priv2 = TAILQ_PREV(priv2, privilege_list, entries);
 }
- if (priv1 != NULL || priv2 != NULL)
- break;
+ if (priv1 != NULL || priv2 != NULL) {
+ /* mismatch */
+ continue;
+ }

 /*
 * If we have a match of everything except the host list,
@@ -1075,16 +1077,16 @@ userspec_check_conflict(struct userspec *us1,
 struct sudoers_parse_tree *parse_tree0)
 {
 struct sudoers_parse_tree *parse_tree = parse_tree0;
- enum cvtsudoers_conflict ret = CONFLICT_NONE;
 debug_decl(userspec_check_conflict, SUDOERS_DEBUG_PARSER);

 while ((parse_tree = TAILQ_NEXT(parse_tree, entries)) != NULL) {
- ret = userspec_overridden(us1, parse_tree, false);
+ enum cvtsudoers_conflict ret =
+ userspec_overridden(us1, parse_tree, false);
 if (ret != CONFLICT_NONE)
 debug_return_int(ret);
 }

- debug_return_int(ret);
+ debug_return_int(CONFLICT_NONE);
 }

 /*
diff --git a/plugins/sudoers/regress/cvtsudoers/sudoers1 b/plugins/sudoers/regress/cvtsudoers/sudoers1
index b766f6b63..feedf3104 100644
--- a/plugins/sudoers/regress/cvtsudoers/sudoers1
+++ b/plugins/sudoers/regress/cvtsudoers/sudoers1
@@ -77,6 +77,7 @@ Defaults!REBOOT !log_output
 ## User privilege specification
 ##
 root ALL=(ALL) ALL
+ALL ALL=(ALL) /usr/bin/id

 ## Uncomment to allow members of group wheel to execute any command
 # %wheel ALL=(ALL) ALL
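Review bot: Replacing `break` with `continue` after `member_list_override()` (and again in the privilege-mismatch branch of the next hunk) means a candidate that fails part-way no longer ends the scan, so anything the privilege-comparison loop records about a partial match has to be reset at the start of every iteration. The body of `userspec_overridden` starts and ends outside both hunks, so whether such state (for example whatever backs the "match of everything except the host list" case) is scoped inside the loop cannot be checked from the diff; please confirm it is. A stale value there would make the merge report an override or host conflict for the wrong rule, and the merged sudoers would then keep or drop a privilege the inputs did not intend. The regress inputs in this commit add the same rule to all three files, so a case with a non-matching userspec between two candidates would be worth adding to pin this.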
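Review bot: The new `/* mismatch */` comment does not say why the loop keeps going, which is the behaviour this commit changes. I would spell the reason out, e.g. `/* Privilege lists differ; keep checking the remaining userspecs. */`, and give the bare `continue;` after `member_list_override()` in the previous hunk a matching one-line reason. The enclosing loop and the rest of the function lie outside the hunk, so the wording should be checked against the loop's own header comment.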
diff --git a/plugins/sudoers/regress/cvtsudoers/sudoers2 b/plugins/sudoers/regress/cvtsudoers/sudoers2
index b5b4bcef3..48f468075 100644
--- a/plugins/sudoers/regress/cvtsudoers/sudoers2
+++ b/plugins/sudoers/regress/cvtsudoers/sudoers2
@@ -77,6 +77,7 @@ Defaults!REBOOT !log_output
 ## User privilege specification
 ##
 root ALL=(ALL) ALL
+ALL ALL=(ALL) /usr/bin/id

 ## Uncomment to allow members of group wheel to execute any command
 # %wheel ALL=(ALL) ALL
diff --git a/plugins/sudoers/regress/cvtsudoers/sudoers3 b/plugins/sudoers/regress/cvtsudoers/sudoers3
index 4134cef8d..4b7da86bb 100644
--- a/plugins/sudoers/regress/cvtsudoers/sudoers3
+++ b/plugins/sudoers/regress/cvtsudoers/sudoers3
@@ -77,6 +77,7 @@ Cmnd_Alias REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff
 ## User privilege specification
 ##
 root ALL=(ALL) ALL
+ALL ALL=(ALL) /usr/bin/id

 ## Uncomment to allow members of group wheel to execute any command
 # %wheel ALL=(ALL) ALL
diff --git a/plugins/sudoers/regress/cvtsudoers/test34.out.ok b/plugins/sudoers/regress/cvtsudoers/test34.out.ok
index 2f4c871be..3a5313fa3 100644
--- a/plugins/sudoers/regress/cvtsudoers/test34.out.ok
+++ b/plugins/sudoers/regress/cvtsudoers/test34.out.ok
@@ -12,3 +12,5 @@ Host_Alias WEBSERVERS_1 = www1, www2, www3, www5
 Host_Alias WEBSERVERS_2 = www1, www2, www3, www4

 root ALL = (ALL) ALL
+
+ALL ALL = (ALL) /usr/bin/id
diff --git a/plugins/sudoers/regress/cvtsudoers/test35.out.ok b/plugins/sudoers/regress/cvtsudoers/test35.out.ok
index 4dfd62c80..559cb4b86 100644
--- a/plugins/sudoers/regress/cvtsudoers/test35.out.ok
+++ b/plugins/sudoers/regress/cvtsudoers/test35.out.ok
@@ -12,3 +12,5 @@ Host_Alias WEBSERVERS_1 = www1, www2, www3, www5
 Host_Alias WEBSERVERS_2 = www1, www2, www3, www4

 root ALL = (ALL) ALL
+
+ALL ALL = (ALL) /usr/bin/id
diff --git a/plugins/sudoers/regress/cvtsudoers/test36.out.ok b/plugins/sudoers/regress/cvtsudoers/test36.out.ok
index 5a7ae0640..2df30b017 100644
--- a/plugins/sudoers/regress/cvtsudoers/test36.out.ok
+++ b/plugins/sudoers/regress/cvtsudoers/test36.out.ok
@@ -11,3 +11,5 @@ Host_Alias WEBSERVERS = www1, www2, www3
 Host_Alias WEBSERVERS_1 = www1, www2, www3, www4

 root ALL = (ALL) ALL
+
+ALL ALL = (ALL) /usr/bin/id