Sudo parsed "deref" and "tls_reqcert" in ldap.conf but didn't set the options.

The switch() in the sudo_ldap_set_options_table() function needed to be
updated to treat CONF_DEREF_VAL and CONF_REQCERT_VAL data types as int.
Fix from Dennis Filder.  Bug #1013.
Todd C. Miller
2021-12-11 08:35:14 -07:00
parent a2aa709707
commit 55db239243
2 changed files with 26 additions and 1 deletions


@@ -398,6 +398,7 @@ sudo_ldap_parse_keyword(const char *keyword, const char *value,
if (strcasecmp(keyword, cur->conf_str) == 0) { if (strcasecmp(keyword, cur->conf_str) == 0) {
switch (cur->type) { switch (cur->type) {
case CONF_DEREF_VAL: case CONF_DEREF_VAL:
#ifdef LDAP_OPT_DEREF
if (strcasecmp(value, "searching") == 0) if (strcasecmp(value, "searching") == 0)
*(int *)(cur->valp) = LDAP_DEREF_SEARCHING; *(int *)(cur->valp) = LDAP_DEREF_SEARCHING;
else if (strcasecmp(value, "finding") == 0) else if (strcasecmp(value, "finding") == 0)
@@ -406,6 +407,7 @@ sudo_ldap_parse_keyword(const char *keyword, const char *value,
*(int *)(cur->valp) = LDAP_DEREF_ALWAYS; *(int *)(cur->valp) = LDAP_DEREF_ALWAYS;
else else
*(int *)(cur->valp) = LDAP_DEREF_NEVER; *(int *)(cur->valp) = LDAP_DEREF_NEVER;
#endif /* LDAP_OPT_DEREF */
break; break;
case CONF_REQCERT_VAL: case CONF_REQCERT_VAL:
#ifdef LDAP_OPT_X_TLS_REQUIRE_CERT #ifdef LDAP_OPT_X_TLS_REQUIRE_CERT
@@ -461,6 +463,14 @@ sudo_ldap_parse_keyword(const char *keyword, const char *value,
} }
} }
break; break;
default:
sudo_warnx(
"internal error: unhandled CONF_ value %d for option %s",
cur->type, cur->conf_str);
sudo_warnx(
"update %s to add missing support for CONF_ value %d",
__func__, cur->type);
break;
} }
debug_return_bool(true); debug_return_bool(true);
} }
@@ -817,6 +827,8 @@ sudo_ldap_set_options_table(LDAP *ld, struct ldap_config_table *table)
continue; continue;
switch (cur->type) { switch (cur->type) {
case CONF_DEREF_VAL:
case CONF_REQCERT_VAL:
case CONF_BOOL: case CONF_BOOL:
case CONF_INT: case CONF_INT:
ival = *(int *)(cur->valp); ival = *(int *)(cur->valp);
@@ -842,6 +854,14 @@ sudo_ldap_set_options_table(LDAP *ld, struct ldap_config_table *table)
} }
} }
break; break;
case CONF_LIST_STR:
/* Lists are iterated over and don't set LDAP options directly. */
break;
default:
sudo_warnx("internal error: unhandled CONF_ value %d for option %s",
cur->type, cur->conf_str);
sudo_warnx("update %s to add missing support for CONF_ value %d",
__func__, cur->type);
} }
} }
debug_return_int(errors ? -1 : LDAP_SUCCESS); debug_return_int(errors ? -1 : LDAP_SUCCESS);
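Review bot: The new `default:` branch in sudo_ldap_set_options_table only warns; `errors` is not incremented, so the function still reaches `debug_return_int(errors ? -1 : LDAP_SUCCESS)` with LDAP_SUCCESS and an option whose type has no handler is silently left unset — the same failure mode this commit fixes for deref and tls_reqcert, and tls_reqcert (LDAP_OPT_X_TLS_REQUIRE_CERT) governs certificate checking, so a skipped setting deserves more than a log line. If callers treat -1 as fatal, adding `errors++;` before leaving the branch would surface the internal error in the return value; the branch should also end with an explicit `break;` rather than falling off the end of the switch. The matching `default:` added to sudo_ldap_parse_keyword likewise warns and then falls through to `debug_return_bool(true)`, so a keyword of unknown type is reported as successfully parsed; whether a false return is appropriate there depends on the caller, which is outside the hunk. Both enclosing functions begin and end outside the hunks shown.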


@@ -64,6 +64,11 @@
} while (0) } while (0)
#endif #endif
/*
* Configuration data types.
* When adding a new data type, be sure to update sudo_ldap_parse_keyword()
* and sudo_ldap_set_options_table().
*/
#define CONF_BOOL 0 #define CONF_BOOL 0
#define CONF_INT 1 #define CONF_INT 1
#define CONF_STR 2 #define CONF_STR 2
@@ -77,7 +82,7 @@
struct ldap_config_table { struct ldap_config_table {
const char *conf_str; /* config file string */ const char *conf_str; /* config file string */
int type; /* CONF_BOOL, CONF_INT, CONF_STR */ int type; /* CONF_* value, see above */
int opt_val; /* LDAP_OPT_* (or -1 for sudo internal) */ int opt_val; /* LDAP_OPT_* (or -1 for sudo internal) */
void *valp; /* pointer into ldap_conf */ void *valp; /* pointer into ldap_conf */
}; };
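Review bot: The comment added above the CONF_* list relies on maintainers remembering to update two switch statements, and because `type` remains a plain `int` the compiler cannot help enforce that. Declaring the CONF_* values as an `enum` (a constructed tag such as `enum ldap_conf_type`) and changing the field to `enum ldap_conf_type type; /* CONF_* value, see above */` would let `-Wswitch-enum` flag a missing case at compile time, complementing the runtime warnings the commit adds to the two `default:` branches. The remaining CONF_* definitions and the table initializers that use them are outside this hunk, so they would need the same treatment; existing code that reads the field into an `int` is unaffected because enum constants convert implicitly.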