From ca2a1f31099bc18bb963e5211b43fbe1156f4c0f Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Tue, 13 Sep 2016 09:12:42 -0600
Subject: [PATCH] Don't check the username when matching a host netgroup unless def_netgroup_tuple is enabled.
---
 plugins/sudoers/match.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/sudoers/match.c b/plugins/sudoers/match.c
index 3fb36f5e4..769fe8519 100644
--- a/plugins/sudoers/match.c
+++ b/plugins/sudoers/match.c
@@ -279,7 +279,7 @@ hostlist_matches(const struct passwd *pw, const struct member_list *list)
 break;
 case NETGROUP:
 if (netgr_matches(m->name, user_runhost, user_srunhost,
- pw->pw_name))
+ def_netgroup_tuple ? pw->pw_name : NULL))
 matched = !m->negated;
 break;
 case NTWKADDR:
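Review bot: The NETGROUP case in hostlist_matches now passes `NULL` as the user argument, but nothing at the call site says that NULL is meant as "match any user", which is the policy-relevant point of this line. I would add above the call `/* Only compare the user field of the netgroup triple when netgroup_tuple is set; NULL means any user. */` so a later cleanup does not restore `pw->pw_name` unconditionally. That netgr_matches() treats a NULL user as a wildcard is inferred from the commit subject, because its body is not in this hunk. It is worth confirming that it never dereferences that argument and that any fallback comparison inside it also skips the user when it is NULL. If the user-list matcher has a parallel NETGROUP case, it should gate its host arguments on `def_netgroup_tuple` the same way. hostlist_matches itself starts and ends outside the hunk.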