An empty RunAsUser means run as the invoking user, similar to how

the sudoers files works.
2017-12-12 14:20:56 -07:00
parent f869086eff
commit 6ca8447e00
5 changed files with 47 additions and 6 deletions
--- a/doc/sudoers.ldap.cat
+++ b/doc/sudoers.ldap.cat
@@ -122,7 +122,10 @@ DDEESSCCRRIIPPTTIIOONN
           A user name or uid (prefixed with `#') that commands may be run as
           or a Unix group (prefixed with a `%') or user netgroup (prefixed
           with a `+') that contains a list of users that commands may be run
-           as.  The special value ALL will match any user.
+           as.  The special value ALL will match any user.  If sudoRunAsUser
+           is specified but empty, it will match the invoking user.  If
+           neither sudoRunAsUser nor sudoRunAsGroup are present, the value of
+           the runas_default sudoOption is used (defaults to root ).

           The sudoRunAsUser attribute is only available in ssuuddoo versions
           1.7.0 and higher.  Older versions of ssuuddoo use the sudoRunAs
@@ -910,4 +913,4 @@ DDIISSCCLLAAIIMMEERR
     file distributed with ssuuddoo or https://www.sudo.ws/license.html for
     complete details.

-Sudo 1.8.22                    January 17, 2017                    Sudo 1.8.22
+Sudo 1.8.22                    December 12, 2017                   Sudo 1.8.22
--- a/doc/sudoers.ldap.man.in
+++ b/doc/sudoers.ldap.man.in
@@ -16,7 +16,7 @@
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.TH "SUDOERS.LDAP" "5" "January 17, 2017" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDOERS.LDAP" "5" "December 12, 2017" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -245,6 +245,18 @@ that contains a list of users that commands may be run as.
 The special value
 \fRALL\fR
 will match any user.
+If
+\fRsudoRunAsUser\fR
+is specified but empty, it will match the invoking user.
+If neither
+\fRsudoRunAsUser\fR
+nor
+\fRsudoRunAsGroup\fR
+are present, the value of the
+runas_default
+\fRsudoOption\fR
+is used (defaults to
+\fR@runas_default@ ).\fR
 .sp
 The
 \fRsudoRunAsUser\fR
--- a/doc/sudoers.ldap.mdoc.in
+++ b/doc/sudoers.ldap.mdoc.in
@@ -14,7 +14,7 @@
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd January 17, 2017
+.Dd December 12, 2017
 .Dt SUDOERS.LDAP @mansectform@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -229,6 +229,18 @@ that contains a list of users that commands may be run as.
 The special value
 .Li ALL
 will match any user.
+If
+.Li sudoRunAsUser
+is specified but empty, it will match the invoking user.
+If neither
+.Li sudoRunAsUser
+nor
+.Li sudoRunAsGroup
+are present, the value of the
+.En runas_default
+.Li sudoOption
+is used (defaults to
+.Li @runas_default@ ).
 .Pp
 The
 .Li sudoRunAsUser
--- a/plugins/sudoers/ldap.c
+++ b/plugins/sudoers/ldap.c
@@ -855,6 +855,12 @@ sudo_ldap_check_runas_user(LDAP *ld, LDAPMessage *entry, int *group_matched)
 	    if (usergr_matches(val, runas_pw->pw_name, runas_pw))
 		ret = true;
 	    break;
+	case '\0':
+	    /* Empty RunAsUser means run as the invoking user. */
+	    if (ISSET(sudo_user.flags, RUNAS_USER_SPECIFIED) &&
+		strcmp(user_name, runas_pw->pw_name) == 0)
+		ret = true;
+	    break;
 	case 'A':
 	    if (strcmp(val, "ALL") == 0) {
 		ret = true;
@@ -2459,7 +2465,8 @@ sudo_ldap_display_entry_short(LDAP *ld, LDAPMessage *entry, struct passwd *pw,
 	bv = ldap_get_values_len(ld, entry, "sudoRunAs");
    if (bv != NULL) {
 	for (p = bv; *p != NULL; p++) {
-	    sudo_lbuf_append(lbuf, "%s%s", p != bv ? ", " : "", (*p)->bv_val);
+	    sudo_lbuf_append(lbuf, "%s%s", p != bv ? ", " : "",
+		(*p)->bv_val[0] ? (*p)->bv_val : user_name);
 	}
 	ldap_value_free_len(bv);
 	no_runas_user = false;
--- a/plugins/sudoers/sssd.c
+++ b/plugins/sudoers/sssd.c
@@ -680,6 +680,12 @@ sudo_sss_check_runas_user(struct sudo_sss_handle *handle, struct sss_sudo_rule *
 		ret = true;
 	    }
 	    break;
+	case '\0':
+	    /* Empty RunAsUser means run as the invoking user. */
+	    if (ISSET(sudo_user.flags, RUNAS_USER_SPECIFIED) &&
+		strcmp(user_name, runas_pw->pw_name) == 0)
+		ret = true;
+	    break;
 	case 'A':
 	    if (strcmp(val, "ALL") == 0) {
 		sudo_debug_printf(SUDO_DEBUG_DEBUG, "ALL => match");
@@ -1773,7 +1779,8 @@ sudo_sss_display_entry_short(struct sudo_sss_handle *handle,
    switch (handle->fn_get_values(rule, "sudoCommand", &val_array)) {
    case 0:
 	for (i = 0; val_array[i] != NULL; ++i) {
-	    sudo_lbuf_append(lbuf, "%s%s", i != 0 ? ", " : "", val_array[i]);
+	    sudo_lbuf_append(lbuf, "%s%s", i != 0 ? ", " : "",
+		val_array[i][0] ? val_array[i] : user_name);
 	    count++;
 	}
 	handle->fn_free_values(val_array);