Only inherit SELinux role/type and Solaris privilege sets if

the command does not include any.  Previously, a command with
only a role would inherit a type from the previous command
which is not what was intended.
Todd C. Miller
2017-02-14 15:56:34 -07:00
parent 24cdbb8de1
commit d7f7cf7a79
2 changed files with 8 additions and 8 deletions


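--- a/FILE1-PATH-NOT-SHOWN-ON-PAGE
+++ b/FILE1-PATH-NOT-SHOWN-ON-PAGE
@@ -1436,17 +1436,17 @@ case 35:
 HLTQ_CONCAT(yyvsp[-2].cmndspec, yyvsp[0].cmndspec, entries);
 #ifdef HAVE_SELINUX
 /* propagate role and type */
-if (yyvsp[0].cmndspec->role == NULL)
+if (yyvsp[0].cmndspec->role == NULL && yyvsp[0].cmndspec->type == NULL) {
 yyvsp[0].cmndspec->role = prev->role;
-if (yyvsp[0].cmndspec->type == NULL)
 yyvsp[0].cmndspec->type = prev->type;
+}
 #endif /* HAVE_SELINUX */
 #ifdef HAVE_PRIV_SET
 /* propagate privs & limitprivs */
-if (yyvsp[0].cmndspec->privs == NULL)
+if (yyvsp[0].cmndspec->privs == NULL && yyvsp[0].cmndspec->limitprivs == NULL) {
 yyvsp[0].cmndspec->privs = prev->privs;
-if (yyvsp[0].cmndspec->limitprivs == NULL)
 yyvsp[0].cmndspec->limitprivs = prev->limitprivs;
+}
 #endif /* HAVE_PRIV_SET */
 /* propagate command timeout */
 if (yyvsp[0].cmndspec->timeout == UNSPEC)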


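--- a/FILE2-PATH-NOT-SHOWN-ON-PAGE
+++ b/FILE2-PATH-NOT-SHOWN-ON-PAGE
@@ -343,17 +343,17 @@ cmndspeclist : cmndspec
 HLTQ_CONCAT($1, $3, entries);
 #ifdef HAVE_SELINUX
 /* propagate role and type */
-if ($3->role == NULL)
+if ($3->role == NULL && $3->type == NULL) {
 $3->role = prev->role;
-if ($3->type == NULL)
 $3->type = prev->type;
+}
 #endif /* HAVE_SELINUX */
 #ifdef HAVE_PRIV_SET
 /* propagate privs & limitprivs */
-if ($3->privs == NULL)
+if ($3->privs == NULL && $3->limitprivs == NULL) {
 $3->privs = prev->privs;
-if ($3->limitprivs == NULL)
 $3->limitprivs = prev->limitprivs;
+}
 #endif /* HAVE_PRIV_SET */
 /* propagate command timeout */
 if ($3->timeout == UNSPEC)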
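Review bot: The comments `/* propagate role and type */` and `/* propagate privs & limitprivs */` above the new conditions no longer describe the rule, which is now all-or-nothing: a command spec that sets either member of the pair inherits nothing from `prev` for that pair. Suggest `/* propagate role and type only if the command specifies neither */` and `/* propagate privs and limitprivs only if the command specifies neither */` so the next reader does not "fix" it back to the per-field form. The commit message motivates only the role-without-type case; the symmetric type-without-role and limitprivs-without-privs cases are presumably also intended, and since this changes how existing sudoers entries are interpreted, the user-facing sudoers documentation should state the new rule — both changed files here are parser sources, the first being the generated parser with the same edit. The enclosing grammar action, where `prev` is set, begins before the hunk and its body continues past the timeout line.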