userspec_overridden: fix checks when there is more than one userspec

2022-01-03 16:40:32 -07:00
parent 835079fa3f
commit 296d876b76
7 changed files with 17 additions and 6 deletions
--- a/plugins/sudoers/cvtsudoers_merge.c
+++ b/plugins/sudoers/cvtsudoers_merge.c
@@ -1014,7 +1014,7 @@ userspec_overridden(struct userspec *us1,
 	struct privilege *priv1, *priv2;

 	if (!member_list_override(&us1->users, &us2->users, check_negated))
-	    break;
+	    continue;

 	/* XXX - order should not matter */
 	priv1 = TAILQ_LAST(&us1->privileges, privilege_list);
@@ -1031,8 +1031,10 @@ userspec_overridden(struct userspec *us1,
 	    priv1 = TAILQ_PREV(priv1, privilege_list, entries);
 	    priv2 = TAILQ_PREV(priv2, privilege_list, entries);
 	}
-	if (priv1 != NULL || priv2 != NULL)
-	    break;
+	if (priv1 != NULL || priv2 != NULL) {
+	    /* mismatch */
+	    continue;
+	}

 	/*
 	 * If we have a match of everything except the host list,
@@ -1075,16 +1077,16 @@ userspec_check_conflict(struct userspec *us1,
    struct sudoers_parse_tree *parse_tree0)
 {
    struct sudoers_parse_tree *parse_tree = parse_tree0;
-    enum cvtsudoers_conflict ret = CONFLICT_NONE;
    debug_decl(userspec_check_conflict, SUDOERS_DEBUG_PARSER);

    while ((parse_tree = TAILQ_NEXT(parse_tree, entries)) != NULL) {
-	ret = userspec_overridden(us1, parse_tree, false);
+	enum cvtsudoers_conflict ret =
+	    userspec_overridden(us1, parse_tree, false);
 	if (ret != CONFLICT_NONE)
 	    debug_return_int(ret);
    }

-    debug_return_int(ret);
+    debug_return_int(CONFLICT_NONE);
 }

 /*
--- a/plugins/sudoers/regress/cvtsudoers/sudoers1
+++ b/plugins/sudoers/regress/cvtsudoers/sudoers1
@@ -77,6 +77,7 @@ Defaults!REBOOT !log_output
 ## User privilege specification
 ##
 root ALL=(ALL) ALL
+ALL ALL=(ALL) /usr/bin/id

 ## Uncomment to allow members of group wheel to execute any command
 # %wheel ALL=(ALL) ALL
--- a/plugins/sudoers/regress/cvtsudoers/sudoers2
+++ b/plugins/sudoers/regress/cvtsudoers/sudoers2
@@ -77,6 +77,7 @@ Defaults!REBOOT !log_output
 ## User privilege specification
 ##
 root ALL=(ALL) ALL
+ALL ALL=(ALL) /usr/bin/id

 ## Uncomment to allow members of group wheel to execute any command
 # %wheel ALL=(ALL) ALL
--- a/plugins/sudoers/regress/cvtsudoers/sudoers3
+++ b/plugins/sudoers/regress/cvtsudoers/sudoers3
@@ -77,6 +77,7 @@ Cmnd_Alias	REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff
 ## User privilege specification
 ##
 root ALL=(ALL) ALL
+ALL ALL=(ALL) /usr/bin/id

 ## Uncomment to allow members of group wheel to execute any command
 # %wheel ALL=(ALL) ALL
--- a/plugins/sudoers/regress/cvtsudoers/test34.out.ok
+++ b/plugins/sudoers/regress/cvtsudoers/test34.out.ok
@@ -12,3 +12,5 @@ Host_Alias WEBSERVERS_1 = www1, www2, www3, www5
 Host_Alias WEBSERVERS_2 = www1, www2, www3, www4

 root ALL = (ALL) ALL
+
+ALL ALL = (ALL) /usr/bin/id
--- a/plugins/sudoers/regress/cvtsudoers/test35.out.ok
+++ b/plugins/sudoers/regress/cvtsudoers/test35.out.ok
@@ -12,3 +12,5 @@ Host_Alias WEBSERVERS_1 = www1, www2, www3, www5
 Host_Alias WEBSERVERS_2 = www1, www2, www3, www4

 root ALL = (ALL) ALL
+
+ALL ALL = (ALL) /usr/bin/id
--- a/plugins/sudoers/regress/cvtsudoers/test36.out.ok
+++ b/plugins/sudoers/regress/cvtsudoers/test36.out.ok
@@ -11,3 +11,5 @@ Host_Alias WEBSERVERS = www1, www2, www3
 Host_Alias WEBSERVERS_1 = www1, www2, www3, www4

 root ALL = (ALL) ALL
+
+ALL ALL = (ALL) /usr/bin/id