isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Use RUNAS_USER_SPECIFIED and RUNAS_GROUP_SPECIFIED when deciding

Browse Source 
whether to check runas user/group instead of checking runas_pw or
runas_gr.
This commit is contained in:
Todd C. Miller
2016-09-15 13:47:38 -06:00
parent 0ff95dfaaa
commit b165a5ff71
4 changed files with 6 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
plugins/sudoers/ldap.c
View File

@@ -861,9 +861,9 @@ sudo_ldap_check_runas(LDAP *ld, LDAPMessage *entry)
if (!entry) if (!entry)
debug_return_bool(false); debug_return_bool(false);
if (runas_user_set()) if (ISSET(sudo_user.flags, RUNAS_USER_SPECIFIED) || !ISSET(sudo_user.flags, RUNAS_GROUP_SPECIFIED))
user_matched = sudo_ldap_check_runas_user(ld, entry); user_matched = sudo_ldap_check_runas_user(ld, entry);
if (runas_gr != NULL) if (ISSET(sudo_user.flags, RUNAS_GROUP_SPECIFIED))
group_matched = sudo_ldap_check_runas_group(ld, entry); group_matched = sudo_ldap_check_runas_group(ld, entry);
/* /*

9
plugins/sudoers/match.c
View File

@@ -153,12 +153,7 @@ runaslist_matches(const struct member_list *user_list,
int group_matched = UNSPEC; int group_matched = UNSPEC;
debug_decl(runaslist_matches, SUDOERS_DEBUG_MATCH) debug_decl(runaslist_matches, SUDOERS_DEBUG_MATCH)
/* if (ISSET(sudo_user.flags, RUNAS_USER_SPECIFIED) || !ISSET(sudo_user.flags, RUNAS_GROUP_SPECIFIED)) {
* Skip checking runas user if it is the same as the invoking user
* and a runas group was specified.
* This logic assumes that we cache and refcount passwd structs.
*/
if (runas_user_set()) {
/* If no runas user or runas group listed in sudoers, use default. */ /* If no runas user or runas group listed in sudoers, use default. */
if (user_list == NULL && group_list == NULL) { if (user_list == NULL && group_list == NULL) {
debug_return_int(userpw_matches(def_runas_default, debug_return_int(userpw_matches(def_runas_default,
@@ -214,7 +209,7 @@ runaslist_matches(const struct member_list *user_list,
/* /*
* Skip checking runas group if none was specified. * Skip checking runas group if none was specified.
*/ */
if (runas_gr != NULL) { if (ISSET(sudo_user.flags, RUNAS_GROUP_SPECIFIED)) {
if (user_matched == UNSPEC) { if (user_matched == UNSPEC) {
if (strcmp(runas_pw->pw_name, user_name) == 0) if (strcmp(runas_pw->pw_name, user_name) == 0)
user_matched = ALLOW; /* only changing group */ user_matched = ALLOW; /* only changing group */

5
plugins/sudoers/parse.h
View File

@@ -27,11 +27,6 @@
#undef IMPLIED #undef IMPLIED
#define IMPLIED 2 #define IMPLIED 2
/*
* Returns true if a runas user was specified on the command line.
*/
#define runas_user_set() (runas_pw != sudo_user.pw || runas_gr == NULL)
/* /*
* Initialize all tags to UNSPEC. * Initialize all tags to UNSPEC.
*/ */

4
plugins/sudoers/sssd.c
View File

@@ -705,9 +705,9 @@ sudo_sss_check_runas(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
if (rule == NULL) if (rule == NULL)
debug_return_bool(false); debug_return_bool(false);
if (runas_user_set()) if (ISSET(sudo_user.flags, RUNAS_USER_SPECIFIED) || !ISSET(sudo_user.flags, RUNAS_GROUP_SPECIFIED))
user_matched = sudo_sss_check_runas_user(handle, rule); user_matched = sudo_sss_check_runas_user(handle, rule);
if (runas_gr != NULL) if (ISSET(sudo_user.flags, RUNAS_GROUP_SPECIFIED))
group_matched = sudo_sss_check_runas_group(handle, rule); group_matched = sudo_sss_check_runas_group(handle, rule);
/* /*