Use RUNAS_USER_SPECIFIED and RUNAS_GROUP_SPECIFIED when deciding

whether to check runas user/group instead of checking runas_pw or
runas_gr.
Todd C. Miller
2016-09-15 13:47:38 -06:00
parent 0ff95dfaaa
commit b165a5ff71
4 changed files with 6 additions and 16 deletions


@@ -153,12 +153,7 @@ runaslist_matches(const struct member_list *user_list,
int group_matched = UNSPEC;
debug_decl(runaslist_matches, SUDOERS_DEBUG_MATCH)
/*
* Skip checking runas user if it is the same as the invoking user
* and a runas group was specified.
* This logic assumes that we cache and refcount passwd structs.
*/
if (runas_user_set()) {
if (ISSET(sudo_user.flags, RUNAS_USER_SPECIFIED) || !ISSET(sudo_user.flags, RUNAS_GROUP_SPECIFIED)) {
/* If no runas user or runas group listed in sudoers, use default. */
if (user_list == NULL && group_list == NULL) {
debug_return_int(userpw_matches(def_runas_default,
@@ -214,7 +209,7 @@ runaslist_matches(const struct member_list *user_list,
/*
* Skip checking runas group if none was specified.
*/
if (runas_gr != NULL) {
if (ISSET(sudo_user.flags, RUNAS_GROUP_SPECIFIED)) {
if (user_matched == UNSPEC) {
if (strcmp(runas_pw->pw_name, user_name) == 0)
user_matched = ALLOW; /* only changing group */
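Review bot: The new guard `if (ISSET(sudo_user.flags, RUNAS_GROUP_SPECIFIED))` in the second hunk no longer establishes that `runas_gr` is non-NULL, which the old `runas_gr != NULL` test did directly. The rest of this block lies outside the hunk, but if it hands `runas_gr` to the group matching code, the function now depends on an invariant maintained elsewhere (flag set implies the group entry was resolved) that a reader cannot verify here. I would record that in the existing comment, for example `* RUNAS_GROUP_SPECIFIED implies runas_gr is non-NULL; see where the flag is set.` If that cannot be guaranteed, a set flag with an unresolved group should count as a non-match rather than skip the check, because this function decides which runas targets sudoers permits. The first hunk has the same documentation gap: the removed comment was the only explanation of when the runas user check is skipped, and the new flag test has none.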