sudo_ldap_check_non_unix_group: pass nss pointer to netgr_matches()

This allows us to use the LDAP-specific version of innetgr() when
possible.  Also enable "use_netgroups" by default even on systems
without innetgr() since we can now query netgroups directly via
LDAP.
Todd C. Miller
2023-06-06 19:55:06 -06:00
parent 245c56bac1
commit 6fddb2875c
4 changed files with 9 additions and 9 deletions

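--- a/PATH_NOT_ON_PAGE_1
+++ b/PATH_NOT_ON_PAGE_1
@@ -539,9 +539,6 @@ init_defaults(void)
 #ifdef HAVE_SELINUX
 def_selinux = true;
 #endif
-#ifdef HAVE_INNETGR
-def_use_netgroups = true;
-#endif
 #ifdef _PATH_SUDO_ADMIN_FLAG
 if ((def_admin_flag = strdup(_PATH_SUDO_ADMIN_FLAG)) == NULL)
 goto oom;
@@ -550,6 +547,7 @@ init_defaults(void)
 goto oom;
 def_intercept_type = dso;
 def_intercept_verify = true;
+def_use_netgroups = true;
 def_netgroup_tuple = false;
 def_sudoedit_checkdir = true;
 def_iolog_mode = S_IRUSR|S_IWUSR;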
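Review bot: The relocated `def_use_netgroups = true;` in the second hunk now applies unconditionally, but nothing in init_defaults() says why the former `#ifdef HAVE_INNETGR` guard around it was dropped, so a reader will wonder whether a platform without innetgr() can honor the setting at all. A one-line comment above the assignment would keep the reasoning from the commit message next to the code: `/* On by default: netgroups can be resolved via LDAP even without innetgr(). */`. Presumably the user-facing description of the use_netgroups default elsewhere in the tree still mentions the innetgr() dependency and should be checked; that is inferred, not visible in this hunk. init_defaults() starts before and ends after these hunks.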

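--- a/PATH_NOT_ON_PAGE_2
+++ b/PATH_NOT_ON_PAGE_2
@@ -297,8 +297,11 @@ sudo_ldap_get_values_len(LDAP *ld, LDAPMessage *entry, const char *attr, int *rc
 * A matching entry that is negated will always return false.
 */
 static int
-sudo_ldap_check_non_unix_group(LDAP *ld, LDAPMessage *entry, struct passwd *pw)
+sudo_ldap_check_non_unix_group(const struct sudo_nss *nss, LDAPMessage *entry,
+struct passwd *pw)
 {
+struct sudo_ldap_handle *handle = nss->handle;
+LDAP *ld = handle->ld;
 struct berval **bv, **p;
 bool ret = false;
 int rc;
@@ -325,8 +328,7 @@ sudo_ldap_check_non_unix_group(LDAP *ld, LDAPMessage *entry, struct passwd *pw)
 negated = true;
 }
 if (*val == '+') {
-/* Custom innetgr() function not used here. */
-if (netgr_matches(NULL, val,
+if (netgr_matches(nss, val,
 def_netgroup_tuple ? user_runhost : NULL,
 def_netgroup_tuple ? user_srunhost : NULL, pw->pw_name))
 ret = true;
@@ -1845,7 +1847,7 @@ sudo_ldap_result_get(const struct sudo_nss *nss, struct passwd *pw)
 LDAP_FOREACH(entry, ld, result) {
 if (pass != 0) {
 /* Check non-unix group in 2nd pass. */
-switch (sudo_ldap_check_non_unix_group(ld, entry, pw)) {
+switch (sudo_ldap_check_non_unix_group(nss, entry, pw)) {
 case -1:
 goto oom;
 case false: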
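Review bot: The new `LDAP *ld = handle->ld;` at the top of sudo_ldap_check_non_unix_group() dereferences `nss->handle` without any check, so the function now carries an implicit precondition that the LDAP connection is already open, where the caller previously handed in `ld` explicitly. The only caller visible here, sudo_ldap_result_get(), is inside `LDAP_FOREACH(entry, ld, result)` and so evidently holds a live handle, but that contract should be stated in the function's header comment, which begins above the first hunk: `/* nss->handle must be a connected struct sudo_ldap_handle. */`. The removed `/* Custom innetgr() function not used here. */` also deserves a replacement at the `netgr_matches(nss, val,` call, since the point of passing nss is the opposite of the old remark, e.g. `/* Passing nss lets netgr_matches() use the LDAP-backed innetgr(). */`. The function's body continues past the second hunk.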

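--- a/PATH_NOT_ON_PAGE_3
+++ b/PATH_NOT_ON_PAGE_3
@@ -671,7 +671,7 @@ sudo_getdomainname(void)
 * in which case that argument is not checked...
 */
 bool
-netgr_matches(struct sudo_nss *nss, const char *netgr,
+netgr_matches(const struct sudo_nss *nss, const char *netgr,
 const char *lhost, const char *shost, const char *user)
 {
 const char *domain;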

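--- a/PATH_NOT_ON_PAGE_4
+++ b/PATH_NOT_ON_PAGE_4
@@ -435,7 +435,7 @@ struct group;
 struct passwd;
 bool group_matches(const char *sudoers_group, const struct group *gr);
 bool hostname_matches(const char *shost, const char *lhost, const char *pattern);
-bool netgr_matches(struct sudo_nss *nss, const char *netgr, const char *lhost, const char *shost, const char *user);
+bool netgr_matches(const struct sudo_nss *nss, const char *netgr, const char *lhost, const char *shost, const char *user);
 bool usergr_matches(const char *group, const char *user, const struct passwd *pw);
 bool userpw_matches(const char *sudoers_user, const char *user, const struct passwd *pw);
 int cmnd_matches(const struct sudoers_parse_tree *parse_tree, const struct member *m, const char *runchroot, struct cmnd_info *info);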