isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add support for matching the entire netgroup tuple (user, host, domain).

Browse Source
This commit is contained in:
Todd C. Miller
2016-01-12 14:59:44 -07:00
parent 9d7bc0311f
commit 5a77989a33
13 changed files with 180 additions and 86 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
doc/sudoers.cat
View File

@@ -890,14 +890,6 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
This flag is _o_n by default when ssuuddoo is compiled with This flag is _o_n by default when ssuuddoo is compiled with
zzlliibb support. zzlliibb support.
use_netgroups If set, netgroups (prefixed with `+'), may be used in
place of a user or host. For LDAP-based sudoers,
netgroup support requires an expensive substring match
on the server unless the NNEETTGGRROOUUPP__BBAASSEE directive is
present in the _/_e_t_c_/_l_d_a_p_._c_o_n_f file. If netgroups are
not needed, this option can be disabled to reduce the
load on the LDAP server. This flag is _o_n by default.
exec_background By default, ssuuddoo runs a command as the foreground exec_background By default, ssuuddoo runs a command as the foreground
process as long as ssuuddoo itself is running in the process as long as ssuuddoo itself is running in the
foreground. When the _e_x_e_c___b_a_c_k_g_r_o_u_n_d flag is enabled foreground. When the _e_x_e_c___b_a_c_k_g_r_o_u_n_d flag is enabled
@@ -1140,6 +1132,13 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
invoking user is not in the _s_u_d_o_e_r_s file. This flag is invoking user is not in the _s_u_d_o_e_r_s file. This flag is
_o_n by default. _o_n by default.
netgroup_tuple If set, netgroup lookups will be performed using the
full netgroup tuple: host name, user name and domain
(if one is set). Historically, ssuuddoo only matched the
user name and domain for netgroups used in a User_List
and only matched the host name and domain for netgroups
used in a Host_List. This flag is _o_f_f by default.
noexec If set, all commands run via ssuuddoo will behave as if the noexec If set, all commands run via ssuuddoo will behave as if the
NOEXEC tag has been set, unless overridden by an EXEC NOEXEC tag has been set, unless overridden by an EXEC
tag. See the description of _E_X_E_C _a_n_d _N_O_E_X_E_C above as tag. See the description of _E_X_E_C _a_n_d _N_O_E_X_E_C above as
@@ -1337,6 +1336,14 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS
available if ssuuddoo is configured with the available if ssuuddoo is configured with the
--with-logincap option. This flag is _o_f_f by default. --with-logincap option. This flag is _o_f_f by default.
use_netgroups If set, netgroups (prefixed with `+'), may be used in
place of a user or host. For LDAP-based sudoers,
netgroup support requires an expensive substring match
on the server unless the NNEETTGGRROOUUPP__BBAASSEE directive is
present in the _/_e_t_c_/_l_d_a_p_._c_o_n_f file. If netgroups are
not needed, this option can be disabled to reduce the
load on the LDAP server. This flag is _o_n by default.
use_pty If set, ssuuddoo will run the command in a pseudo-pty even use_pty If set, ssuuddoo will run the command in a pseudo-pty even
if no I/O logging is being gone. A malicious program if no I/O logging is being gone. A malicious program
run under ssuuddoo could conceivably fork a background run under ssuuddoo could conceivably fork a background
@@ -2498,4 +2505,4 @@ DDIISSCCLLAAIIMMEERR
file distributed with ssuuddoo or https://www.sudo.ws/license.html for file distributed with ssuuddoo or https://www.sudo.ws/license.html for
complete details. complete details.
Sudo 1.8.16 January 9, 2016 Sudo 1.8.16 Sudo 1.8.16 January 12, 2016 Sudo 1.8.16

47
doc/sudoers.man.in
View File

@@ -21,7 +21,7 @@
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\" .\"
.TH "SUDOERS" "5" "January 9, 2016" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .TH "SUDOERS" "5" "January 12, 2016" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh .nh
.if n .ad l .if n .ad l
.SH "NAME" .SH "NAME"
@@ -1926,22 +1926,6 @@ is compiled with
\fBzlib\fR \fBzlib\fR
support. support.
.TP 18n .TP 18n
use_netgroups
If set, netgroups (prefixed with
\(oq+\(cq),
may be used in place of a user or host.
For LDAP-based sudoers, netgroup support requires an expensive
substring match on the server unless the
\fBNETGROUP_BASE\fR
directive is present in the
\fI@ldap_conf@\fR
file.
If netgroups are not needed, this option can be disabled to reduce the
load on the LDAP server.
This flag is
\fIon\fR
by default.
.TP 18n
exec_background exec_background
By default, By default,
\fBsudo\fR \fBsudo\fR
@@ -2424,6 +2408,19 @@ This flag is
\fI@mail_no_user@\fR \fI@mail_no_user@\fR
by default. by default.
.TP 18n .TP 18n
netgroup_tuple
If set, netgroup lookups will be performed using the full netgroup
tuple: host name, user name and domain (if one is set).
Historically,
\fBsudo\fR
only matched the user name and domain for netgroups used in a
\fRUser_List\fR
and only matched the host name and domain for netgroups used in a
\fRHost_List\fR.
This flag is
\fIoff\fR
by default.
.TP 18n
noexec noexec
If set, all commands run via If set, all commands run via
\fBsudo\fR \fBsudo\fR
@@ -2842,6 +2839,22 @@ This flag is
\fIoff\fR \fIoff\fR
by default. by default.
.TP 18n .TP 18n
use_netgroups
If set, netgroups (prefixed with
\(oq+\(cq),
may be used in place of a user or host.
For LDAP-based sudoers, netgroup support requires an expensive
substring match on the server unless the
\fBNETGROUP_BASE\fR
directive is present in the
\fI@ldap_conf@\fR
file.
If netgroups are not needed, this option can be disabled to reduce the
load on the LDAP server.
This flag is
\fIon\fR
by default.
.TP 18n
use_pty use_pty
If set, If set,
\fBsudo\fR \fBsudo\fR

44
doc/sudoers.mdoc.in
View File

@@ -19,7 +19,7 @@
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\" .\"
.Dd January 9, 2016 .Dd January 12, 2016
.Dt SUDOERS @mansectform@ .Dt SUDOERS @mansectform@
.Os Sudo @PACKAGE_VERSION@ .Os Sudo @PACKAGE_VERSION@
.Sh NAME .Sh NAME
@@ -1796,21 +1796,6 @@ by default when
is compiled with is compiled with
.Sy zlib .Sy zlib
support. support.
.It use_netgroups
If set, netgroups (prefixed with
.Ql + ) ,
may be used in place of a user or host.
For LDAP-based sudoers, netgroup support requires an expensive
substring match on the server unless the
.Sy NETGROUP_BASE
directive is present in the
.Pa @ldap_conf@
file.
If netgroups are not needed, this option can be disabled to reduce the
load on the LDAP server.
This flag is
.Em on
by default.
.It exec_background .It exec_background
By default, By default,
.Nm sudo .Nm sudo
@@ -2276,6 +2261,18 @@ file.
This flag is This flag is
.Em @mail_no_user@ .Em @mail_no_user@
by default. by default.
.It netgroup_tuple
If set, netgroup lookups will be performed using the full netgroup
tuple: host name, user name and domain (if one is set).
Historically,
.Nm sudo
only matched the user name and domain for netgroups used in a
.Li User_List
and only matched the host name and domain for netgroups used in a
.Li Host_List .
This flag is
.Em off
by default.
.It noexec .It noexec
If set, all commands run via If set, all commands run via
.Nm sudo .Nm sudo
@@ -2670,6 +2667,21 @@ option.
This flag is This flag is
.Em off .Em off
by default. by default.
.It use_netgroups
If set, netgroups (prefixed with
.Ql + ) ,
may be used in place of a user or host.
For LDAP-based sudoers, netgroup support requires an expensive
substring match on the server unless the
.Sy NETGROUP_BASE
directive is present in the
.Pa @ldap_conf@
file.
If netgroups are not needed, this option can be disabled to reduce the
load on the LDAP server.
This flag is
.Em on
by default.
.It use_pty .It use_pty
If set, If set,
.Nm sudo .Nm sudo

4
plugins/sudoers/def_data.c
View File

@@ -398,6 +398,10 @@ struct sudo_defs_types sudo_defs_table[] = {
"always_query_group_plugin", T_FLAG, "always_query_group_plugin", T_FLAG,
N_("Query the group plugin for unknown system groups"), N_("Query the group plugin for unknown system groups"),
NULL, NULL,
}, {
"netgroup_tuple", T_FLAG,
N_("Match netgroups based on the entire tuple: user, host and domain"),
NULL,
}, { }, {
NULL, 0, NULL NULL, 0, NULL
} }

2
plugins/sudoers/def_data.h
View File

@@ -186,6 +186,8 @@
#define I_SUDOEDIT_FOLLOW 92 #define I_SUDOEDIT_FOLLOW 92
#define def_always_query_group_plugin (sudo_defs_table[93].sd_un.flag) #define def_always_query_group_plugin (sudo_defs_table[93].sd_un.flag)
#define I_ALWAYS_QUERY_GROUP_PLUGIN93 #define I_ALWAYS_QUERY_GROUP_PLUGIN93
#define def_netgroup_tuple (sudo_defs_table[94].sd_un.flag)
#define I_NETGROUP_TUPLE 94
enum def_tuple { enum def_tuple {
never, never,

3
plugins/sudoers/def_data.in
View File

@@ -295,3 +295,6 @@ sudoedit_follow
always_query_group_plugin always_query_group_plugin
T_FLAG T_FLAG
"Query the group plugin for unknown system groups" "Query the group plugin for unknown system groups"
netgroup_tuple
T_FLAG
"Match netgroups based on the entire tuple: user, host and domain"

3
plugins/sudoers/defaults.c
View File

@@ -439,6 +439,7 @@ init_defaults(void)
#ifdef HAVE_INNETGR #ifdef HAVE_INNETGR
def_use_netgroups = true; def_use_netgroups = true;
#endif #endif
def_netgroup_tuple = false;
/* Syslog options need special care since they both strings and ints */ /* Syslog options need special care since they both strings and ints */
#if (LOGGING & SLOG_SYSLOG) #if (LOGGING & SLOG_SYSLOG)
@@ -549,7 +550,7 @@ update_defaults(int what)
break; break;
case DEFAULTS_HOST: case DEFAULTS_HOST:
if (ISSET(what, SETDEF_HOST) && if (ISSET(what, SETDEF_HOST) &&
hostlist_matches(def->binding) == ALLOW && hostlist_matches(sudo_user.pw, def->binding) == ALLOW &&
!set_default(def->var, def->val, def->op)) !set_default(def->var, def->val, def->op))
rc = false; rc = false;
break; break;

92
plugins/sudoers/ldap.c
View File

@@ -694,7 +694,8 @@ sudo_ldap_check_non_unix_group(LDAP *ld, LDAPMessage *entry, struct passwd *pw)
for (p = bv; *p != NULL && !ret; p++) { for (p = bv; *p != NULL && !ret; p++) {
val = (*p)->bv_val; val = (*p)->bv_val;
if (*val == '+') { if (*val == '+') {
if (netgr_matches(val, NULL, NULL, pw->pw_name)) if (netgr_matches(val, def_netgroup_tuple ? user_runhost : NULL,
def_netgroup_tuple ? user_srunhost : NULL, pw->pw_name))
ret = true; ret = true;
DPRINTF2("ldap sudoUser netgroup '%s' ... %s", val, DPRINTF2("ldap sudoUser netgroup '%s' ... %s", val,
ret ? "MATCH!" : "not"); ret ? "MATCH!" : "not");
@@ -716,7 +717,7 @@ sudo_ldap_check_non_unix_group(LDAP *ld, LDAPMessage *entry, struct passwd *pw)
* host match, else false. * host match, else false.
*/ */
static bool static bool
sudo_ldap_check_host(LDAP *ld, LDAPMessage *entry) sudo_ldap_check_host(LDAP *ld, LDAPMessage *entry, struct passwd *pw)
{ {
struct berval **bv, **p; struct berval **bv, **p;
char *val; char *val;
@@ -736,7 +737,8 @@ sudo_ldap_check_host(LDAP *ld, LDAPMessage *entry)
val = (*p)->bv_val; val = (*p)->bv_val;
/* match any or address or netgroup or hostname */ /* match any or address or netgroup or hostname */
if (!strcmp(val, "ALL") || addr_matches(val) || if (!strcmp(val, "ALL") || addr_matches(val) ||
netgr_matches(val, user_runhost, user_srunhost, NULL) || netgr_matches(val, user_runhost, user_srunhost,
def_netgroup_tuple ? pw->pw_name : NULL) ||
hostname_matches(user_srunhost, user_runhost, val)) hostname_matches(user_srunhost, user_runhost, val))
ret = true; ret = true;
DPRINTF2("ldap sudoHost '%s' ... %s", val, ret ? "MATCH!" : "not"); DPRINTF2("ldap sudoHost '%s' ... %s", val, ret ? "MATCH!" : "not");
@@ -792,7 +794,8 @@ sudo_ldap_check_runas_user(LDAP *ld, LDAPMessage *entry)
val = (*p)->bv_val; val = (*p)->bv_val;
switch (val[0]) { switch (val[0]) {
case '+': case '+':
if (netgr_matches(val, NULL, NULL, runas_pw->pw_name)) if (netgr_matches(val, def_netgroup_tuple ? user_runhost : NULL,
def_netgroup_tuple ? user_srunhost : NULL, runas_pw->pw_name))
ret = true; ret = true;
break; break;
case '%': case '%':
@@ -1401,8 +1404,8 @@ sudo_netgroup_lookup(LDAP *ld, struct passwd *pw,
struct timeval tv, *tvp = NULL; struct timeval tv, *tvp = NULL;
LDAPMessage *entry, *result = NULL; LDAPMessage *entry, *result = NULL;
const char *domain; const char *domain;
char *escaped_domain, *escaped_host, *escaped_shost, *escaped_user; char *escaped_domain = NULL, *escaped_user = NULL;
char *filt = NULL; char *escaped_host = NULL, *escaped_shost = NULL, *filt = NULL;
int filt_len, rc; int filt_len, rc;
debug_decl(sudo_netgroup_lookup, SUDOERS_DEBUG_LDAP); debug_decl(sudo_netgroup_lookup, SUDOERS_DEBUG_LDAP);
@@ -1416,29 +1419,70 @@ sudo_netgroup_lookup(LDAP *ld, struct passwd *pw,
domain = sudo_getdomainname(); domain = sudo_getdomainname();
/* Escape the domain, host names, and user name per RFC 4515. */ /* Escape the domain, host names, and user name per RFC 4515. */
escaped_domain = domain ? sudo_ldap_value_dup(domain) : NULL; if (domain != NULL) {
escaped_host = sudo_ldap_value_dup(user_runhost); if ((escaped_domain = sudo_ldap_value_dup(domain)) == NULL)
if (user_runhost == user_srunhost) goto oom;
escaped_shost = escaped_host; }
else if ((escaped_user = sudo_ldap_value_dup(pw->pw_name)) == NULL)
escaped_shost = sudo_ldap_value_dup(user_srunhost); goto oom;
escaped_user = sudo_ldap_value_dup(pw->pw_name); if (def_netgroup_tuple) {
if (escaped_domain == NULL || escaped_host == NULL || escaped_host = sudo_ldap_value_dup(user_runhost);
escaped_shost == NULL || escaped_user == NULL) if (user_runhost == user_srunhost)
goto oom; escaped_shost = escaped_host;
else
escaped_shost = sudo_ldap_value_dup(user_srunhost);
if (escaped_host == NULL || escaped_shost == NULL)
goto oom;
}
/* Build query, using NIS domain if it is set. */ /* Build query, using NIS domain if it is set. */
if (domain != NULL) { if (domain != NULL) {
if (user_runhost != user_srunhost) { if (escaped_host != escaped_shost) {
filt_len = asprintf(&filt, "(&%s(|(nisNetgroupTriple=\\28,%s,%s\\29)(nisNetgroupTriple=\\28%s,%s,%s\\29)(nisNetgroupTriple=\\28%s,%s,%s\\29)(nisNetgroupTriple=\\28,%s,\\29)(nisNetgroupTriple=\\28%s,%s,\\29)(nisNetgroupTriple=\\28%s,%s,\\29)))", ldap_conf.netgroup_search_filter, escaped_user, escaped_domain, escaped_shost, escaped_user, escaped_domain, escaped_host, escaped_user, escaped_domain, escaped_user, escaped_shost, escaped_user, escaped_host, escaped_user); filt_len = asprintf(&filt, "(&%s(|"
"(nisNetgroupTriple=\\28,%s,%s\\29)"
"(nisNetgroupTriple=\\28%s,%s,%s\\29)"
"(nisNetgroupTriple=\\28%s,%s,%s\\29)"
"(nisNetgroupTriple=\\28,%s,\\29)"
"(nisNetgroupTriple=\\28%s,%s,\\29)"
"(nisNetgroupTriple=\\28%s,%s,\\29)))",
ldap_conf.netgroup_search_filter, escaped_user, escaped_domain,
escaped_shost, escaped_user, escaped_domain,
escaped_host, escaped_user, escaped_domain, escaped_user,
escaped_shost, escaped_user, escaped_host, escaped_user);
} else if (escaped_shost != NULL) {
filt_len = asprintf(&filt, "(&%s(|"
"(nisNetgroupTriple=\\28,%s,%s\\29)"
"(nisNetgroupTriple=\\28%s,%s,%s\\29)"
"(nisNetgroupTriple=\\28,%s,\\29)"
"(nisNetgroupTriple=\\28%s,%s,\\29)))",
ldap_conf.netgroup_search_filter, escaped_user, escaped_domain,
escaped_shost, escaped_user, escaped_domain,
escaped_user, escaped_shost, escaped_user);
} else { } else {
filt_len = asprintf(&filt, "(&%s(|(nisNetgroupTriple=\\28,%s,%s\\29)(nisNetgroupTriple=\\28%s,%s,%s\\29)(nisNetgroupTriple=\\28,%s,\\29)(nisNetgroupTriple=\\28%s,%s,\\29)))", ldap_conf.netgroup_search_filter, escaped_user, escaped_domain, escaped_shost, escaped_user, escaped_domain, escaped_user, escaped_shost, escaped_user); filt_len = asprintf(&filt, "(&%s(|"
"(nisNetgroupTriple=\\28*,%s,%s\\29)"
"(nisNetgroupTriple=\\28*,%s,\\29)))",
ldap_conf.netgroup_search_filter, escaped_user, escaped_domain,
escaped_user);
} }
} else { } else {
if (user_runhost != user_srunhost) { if (escaped_host != escaped_shost) {
filt_len = asprintf(&filt, "(&%s(|(nisNetgroupTriple=\\28,%s,*\\29)(nisNetgroupTriple=\\28%s,%s,*\\29)(nisNetgroupTriple=\\28%s,%s,*\\29)))", ldap_conf.netgroup_search_filter, escaped_user, escaped_shost, escaped_user, escaped_host, escaped_user); filt_len = asprintf(&filt, "(&%s(|"
"(nisNetgroupTriple=\\28,%s,*\\29)"
"(nisNetgroupTriple=\\28%s,%s,*\\29)"
"(nisNetgroupTriple=\\28%s,%s,*\\29)))",
ldap_conf.netgroup_search_filter, escaped_user,
escaped_shost, escaped_user, escaped_host, escaped_user);
} else if (escaped_shost != NULL) {
filt_len = asprintf(&filt, "(&%s(|"
"(nisNetgroupTriple=\\28,%s,*\\29)"
"(nisNetgroupTriple=\\28%s,%s,*\\29)))",
ldap_conf.netgroup_search_filter, escaped_user,
escaped_shost, escaped_user);
} else { } else {
filt_len = asprintf(&filt, "(&%s(|(nisNetgroupTriple=\\28,%s,*\\29)(nisNetgroupTriple=\\28%s,%s,*\\29)))", ldap_conf.netgroup_search_filter, escaped_user, escaped_shost, escaped_user); filt_len = asprintf(&filt,
"(&%s(|(nisNetgroupTriple=\\28*,%s,*\\29)))",
ldap_conf.netgroup_search_filter, escaped_user);
} }
} }
if (filt_len == -1) if (filt_len == -1)
@@ -1497,10 +1541,10 @@ sudo_netgroup_lookup(LDAP *ld, struct passwd *pw,
oom: oom:
sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory")); sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
free(escaped_domain); free(escaped_domain);
free(escaped_user);
free(escaped_host); free(escaped_host);
if (escaped_host != escaped_shost) if (escaped_host != escaped_shost)
free(escaped_shost); free(escaped_shost);
free(escaped_user);
free(filt); free(filt);
ldap_msgfree(result); ldap_msgfree(result);
debug_return_bool(false); debug_return_bool(false);
@@ -3399,7 +3443,7 @@ sudo_ldap_result_get(struct sudo_nss *nss, struct passwd *pw)
continue; continue;
lres->user_matches = true; lres->user_matches = true;
/* Check host. */ /* Check host. */
if (!sudo_ldap_check_host(ld, entry)) if (!sudo_ldap_check_host(ld, entry, pw))
continue; continue;
lres->host_matches = true; lres->host_matches = true;
if (sudo_ldap_result_add_entry(lres, entry) == NULL) { if (sudo_ldap_result_add_entry(lres, entry) == NULL) {

16
plugins/sudoers/match.c
View File

@@ -107,7 +107,9 @@ userlist_matches(const struct passwd *pw, const struct member_list *list)
matched = !m->negated; matched = !m->negated;
break; break;
case NETGROUP: case NETGROUP:
if (netgr_matches(m->name, NULL, NULL, pw->pw_name)) if (netgr_matches(m->name,
def_netgroup_tuple ? user_runhost : NULL,
def_netgroup_tuple ? user_srunhost : NULL, pw->pw_name))
matched = !m->negated; matched = !m->negated;
break; break;
case USERGROUP: case USERGROUP:
@@ -163,7 +165,10 @@ runaslist_matches(const struct member_list *user_list,
user_matched = !m->negated; user_matched = !m->negated;
break; break;
case NETGROUP: case NETGROUP:
if (netgr_matches(m->name, NULL, NULL, runas_pw->pw_name)) if (netgr_matches(m->name,
def_netgroup_tuple ? user_runhost : NULL,
def_netgroup_tuple ? user_srunhost : NULL,
runas_pw->pw_name))
user_matched = !m->negated; user_matched = !m->negated;
break; break;
case USERGROUP: case USERGROUP:
@@ -250,7 +255,7 @@ runaslist_matches(const struct member_list *user_list,
* Returns ALLOW, DENY or UNSPEC. * Returns ALLOW, DENY or UNSPEC.
*/ */
int int
hostlist_matches(const struct member_list *list) hostlist_matches(const struct passwd *pw, const struct member_list *list)
{ {
struct member *m; struct member *m;
struct alias *a; struct alias *a;
@@ -263,7 +268,8 @@ hostlist_matches(const struct member_list *list)
matched = !m->negated; matched = !m->negated;
break; break;
case NETGROUP: case NETGROUP:
if (netgr_matches(m->name, user_runhost, user_srunhost, NULL)) if (netgr_matches(m->name, user_runhost, user_srunhost,
pw->pw_name))
matched = !m->negated; matched = !m->negated;
break; break;
case NTWKADDR: case NTWKADDR:
@@ -272,7 +278,7 @@ hostlist_matches(const struct member_list *list)
break; break;
case ALIAS: case ALIAS:
if ((a = alias_get(m->name, HOSTALIAS)) != NULL) { if ((a = alias_get(m->name, HOSTALIAS)) != NULL) {
rval = hostlist_matches(&a->members); rval = hostlist_matches(pw, &a->members);
if (rval != UNSPEC) if (rval != UNSPEC)
matched = m->negated ? !rval : rval; matched = m->negated ? !rval : rval;
alias_put(a); alias_put(a);

12
plugins/sudoers/parse.c
View File

@@ -176,7 +176,7 @@ sudo_file_lookup(struct sudo_nss *nss, int validated, int pwflag)
if (userlist_matches(sudo_user.pw, &us->users) != ALLOW) if (userlist_matches(sudo_user.pw, &us->users) != ALLOW)
continue; continue;
TAILQ_FOREACH(priv, &us->privileges, entries) { TAILQ_FOREACH(priv, &us->privileges, entries) {
if (hostlist_matches(&priv->hostlist) != ALLOW) if (hostlist_matches(sudo_user.pw, &priv->hostlist) != ALLOW)
continue; continue;
TAILQ_FOREACH(cs, &priv->cmndlist, entries) { TAILQ_FOREACH(cs, &priv->cmndlist, entries) {
/* Only check the command when listing another user. */ /* Only check the command when listing another user. */
@@ -212,7 +212,7 @@ sudo_file_lookup(struct sudo_nss *nss, int validated, int pwflag)
continue; continue;
CLR(validated, FLAG_NO_USER); CLR(validated, FLAG_NO_USER);
TAILQ_FOREACH_REVERSE(priv, &us->privileges, privilege_list, entries) { TAILQ_FOREACH_REVERSE(priv, &us->privileges, privilege_list, entries) {
host_match = hostlist_matches(&priv->hostlist); host_match = hostlist_matches(sudo_user.pw, &priv->hostlist);
if (host_match == ALLOW) if (host_match == ALLOW)
CLR(validated, FLAG_NO_HOST); CLR(validated, FLAG_NO_HOST);
else else
@@ -415,7 +415,7 @@ sudo_file_display_priv_short(struct passwd *pw, struct userspec *us,
/* gcc -Wuninitialized false positive */ /* gcc -Wuninitialized false positive */
TAGS_INIT(tags); TAGS_INIT(tags);
TAILQ_FOREACH(priv, &us->privileges, entries) { TAILQ_FOREACH(priv, &us->privileges, entries) {
if (hostlist_matches(&priv->hostlist) != ALLOW) if (hostlist_matches(pw, &priv->hostlist) != ALLOW)
continue; continue;
prev_cs = NULL; prev_cs = NULL;
TAILQ_FOREACH(cs, &priv->cmndlist, entries) { TAILQ_FOREACH(cs, &priv->cmndlist, entries) {
@@ -494,7 +494,7 @@ sudo_file_display_priv_long(struct passwd *pw, struct userspec *us,
debug_decl(sudo_file_display_priv_long, SUDOERS_DEBUG_NSS) debug_decl(sudo_file_display_priv_long, SUDOERS_DEBUG_NSS)
TAILQ_FOREACH(priv, &us->privileges, entries) { TAILQ_FOREACH(priv, &us->privileges, entries) {
if (hostlist_matches(&priv->hostlist) != ALLOW) if (hostlist_matches(pw, &priv->hostlist) != ALLOW)
continue; continue;
prev_cs = NULL; prev_cs = NULL;
TAILQ_FOREACH(cs, &priv->cmndlist, entries) { TAILQ_FOREACH(cs, &priv->cmndlist, entries) {
@@ -616,7 +616,7 @@ sudo_file_display_defaults(struct sudo_nss *nss, struct passwd *pw,
TAILQ_FOREACH(d, &defaults, entries) { TAILQ_FOREACH(d, &defaults, entries) {
switch (d->type) { switch (d->type) {
case DEFAULTS_HOST: case DEFAULTS_HOST:
if (hostlist_matches(d->binding) != ALLOW) if (hostlist_matches(pw, d->binding) != ALLOW)
continue; continue;
break; break;
case DEFAULTS_USER: case DEFAULTS_USER:
@@ -753,7 +753,7 @@ sudo_file_display_cmnd(struct sudo_nss *nss, struct passwd *pw)
continue; continue;
TAILQ_FOREACH_REVERSE(priv, &us->privileges, privilege_list, entries) { TAILQ_FOREACH_REVERSE(priv, &us->privileges, privilege_list, entries) {
host_match = hostlist_matches(&priv->hostlist); host_match = hostlist_matches(pw, &priv->hostlist);
if (host_match != ALLOW) if (host_match != ALLOW)
continue; continue;
TAILQ_FOREACH_REVERSE(cs, &priv->cmndlist, cmndspec_list, entries) { TAILQ_FOREACH_REVERSE(cs, &priv->cmndlist, cmndspec_list, entries) {

2
plugins/sudoers/parse.h
View File

@@ -258,7 +258,7 @@ bool usergr_matches(const char *group, const char *user, const struct passwd *pw
bool userpw_matches(const char *sudoers_user, const char *user, const struct passwd *pw); bool userpw_matches(const char *sudoers_user, const char *user, const struct passwd *pw);
int cmnd_matches(const struct member *m); int cmnd_matches(const struct member *m);
int cmndlist_matches(const struct member_list *list); int cmndlist_matches(const struct member_list *list);
int hostlist_matches(const struct member_list *list); int hostlist_matches(const struct passwd *pw, const struct member_list *list);
int runaslist_matches(const struct member_list *user_list, const struct member_list *group_list, struct member **matching_user, struct member **matching_group); int runaslist_matches(const struct member_list *user_list, const struct member_list *group_list, struct member **matching_user, struct member **matching_group);
int userlist_matches(const struct passwd *pw, const struct member_list *list); int userlist_matches(const struct passwd *pw, const struct member_list *list);
const char *sudo_getdomainname(void); const char *sudo_getdomainname(void);

14
plugins/sudoers/sssd.c
View File

@@ -544,7 +544,8 @@ sudo_sss_check_runas_user(struct sudo_sss_handle *handle, struct sss_sudo_rule *
switch (val[0]) { switch (val[0]) {
case '+': case '+':
sudo_debug_printf(SUDO_DEBUG_DEBUG, "netgr_"); sudo_debug_printf(SUDO_DEBUG_DEBUG, "netgr_");
if (netgr_matches(val, NULL, NULL, runas_pw->pw_name)) { if (netgr_matches(val, def_netgroup_tuple ? user_runhost : NULL,
def_netgroup_tuple ? user_srunhost : NULL, runas_pw->pw_name)) {
sudo_debug_printf(SUDO_DEBUG_DEBUG, "=> match"); sudo_debug_printf(SUDO_DEBUG_DEBUG, "=> match");
ret = true; ret = true;
} }
@@ -655,8 +656,7 @@ sudo_sss_check_host(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
debug_return_bool(ret); debug_return_bool(ret);
/* get the values from the rule */ /* get the values from the rule */
switch (handle->fn_get_values(rule, "sudoHost", &val_array)) switch (handle->fn_get_values(rule, "sudoHost", &val_array)) {
{
case 0: case 0:
break; break;
case ENOENT: case ENOENT:
@@ -673,8 +673,8 @@ sudo_sss_check_host(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
sudo_debug_printf(SUDO_DEBUG_DEBUG, "val[%d]=%s", i, val); sudo_debug_printf(SUDO_DEBUG_DEBUG, "val[%d]=%s", i, val);
/* match any or address or netgroup or hostname */ /* match any or address or netgroup or hostname */
if (!strcmp(val, "ALL") || addr_matches(val) || if (!strcmp(val, "ALL") || addr_matches(val) || netgr_matches(val,
netgr_matches(val, user_runhost, user_srunhost, NULL) || user_runhost, user_srunhost, handle->pw->pw_name) ||
hostname_matches(user_srunhost, user_runhost, val)) hostname_matches(user_srunhost, user_runhost, val))
ret = true; ret = true;
@@ -724,7 +724,9 @@ sudo_sss_filter_user_netgroup(struct sudo_sss_handle *handle, struct sss_sudo_ru
netgroup_spec_found = true; netgroup_spec_found = true;
} }
sudo_debug_printf(SUDO_DEBUG_DEBUG, "val[%d]=%s", i, val); sudo_debug_printf(SUDO_DEBUG_DEBUG, "val[%d]=%s", i, val);
if (strcmp(val, "ALL") == 0 || netgr_matches(val, NULL, NULL, handle->pw->pw_name)) { if (strcmp(val, "ALL") == 0 || netgr_matches(val,
def_netgroup_tuple ? user_runhost : NULL,
def_netgroup_tuple ? user_srunhost : NULL, handle->pw->pw_name)) {
ret = true; ret = true;
sudo_debug_printf(SUDO_DEBUG_DIAG, sudo_debug_printf(SUDO_DEBUG_DIAG,
"sssd/ldap sudoUser '%s' ... MATCH! (%s)", "sssd/ldap sudoUser '%s' ... MATCH! (%s)",

2
plugins/sudoers/testsudoers.c
View File

@@ -305,7 +305,7 @@ main(int argc, char *argv[])
putchar('\n'); putchar('\n');
print_privilege(priv); print_privilege(priv);
putchar('\n'); putchar('\n');
host_match = hostlist_matches(&priv->hostlist); host_match = hostlist_matches(sudo_user.pw, &priv->hostlist);
if (host_match == ALLOW) { if (host_match == ALLOW) {
puts("\thost matched"); puts("\thost matched");
TAILQ_FOREACH_REVERSE(cs, &priv->cmndlist, cmndspec_list, entries) { TAILQ_FOREACH_REVERSE(cs, &priv->cmndlist, cmndspec_list, entries) {