diff --git a/MANIFEST b/MANIFEST
index 2addbc633..7ddebc33e 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -1098,6 +1098,8 @@ plugins/sudoers/regress/testsudoers/test26.out.ok
 plugins/sudoers/regress/testsudoers/test26.sh
 plugins/sudoers/regress/testsudoers/test27.out.ok
 plugins/sudoers/regress/testsudoers/test27.sh
+plugins/sudoers/regress/testsudoers/test28.out.ok
+plugins/sudoers/regress/testsudoers/test28.sh
 plugins/sudoers/regress/testsudoers/test3.out.ok
 plugins/sudoers/regress/testsudoers/test3.sh
 plugins/sudoers/regress/testsudoers/test4.out.ok
diff --git a/plugins/sudoers/match.c b/plugins/sudoers/match.c
index 0b2272cca..c4ecae31f 100644
--- a/plugins/sudoers/match.c
+++ b/plugins/sudoers/match.c
@@ -188,8 +188,14 @@ runas_userlist_matches(const struct sudoers_parse_tree *parse_tree,
 user_matched = !m->negated;
 break;
 case MYSELF:
- if (!ISSET(sudo_user.flags, RUNAS_USER_SPECIFIED) ||
- strcmp(user_name, runas_pw->pw_name) == 0)
+ /*
+ * Only match a rule with an empty runas user if a group
+ * was specified on the command line without a user _or_
+ * the user specified their own name on the command line.
+ */
+ if ((!ISSET(sudo_user.flags, RUNAS_USER_SPECIFIED) &&
+ ISSET(sudo_user.flags, RUNAS_GROUP_SPECIFIED)) ||
+ strcmp(user_name, runas_pw->pw_name) == 0)
 user_matched = !m->negated;
 break;
 }
diff --git a/plugins/sudoers/regress/testsudoers/test28.out.ok b/plugins/sudoers/regress/testsudoers/test28.out.ok
new file mode 100644
index 000000000..e45fa8ab7
--- /dev/null
+++ b/plugins/sudoers/regress/testsudoers/test28.out.ok
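Review bot: The first disjunct of the new MYSELF condition decides the match from sudo_user.flags alone and never inspects runas_pw, so it silently relies on the -g-only path elsewhere having already reset runas_pw to the invoking user; that code is outside this hunk, so I cannot confirm it here, and if runas_pw were still the runas default in that path the rule would report a match for a user it does not name. If that invariant does hold, the flag test is implied by `strcmp(user_name, runas_pw->pw_name) == 0` and the condition could collapse to that single comparison; if it does not, the new comment should state the assumption explicitly, e.g. `/* With -g alone, runas_pw is expected to already be the invoking user. */`. Either way it is worth a one-line note that this branch is what previously let an empty-Runas_User rule match when neither -u nor -g was given, since test28.out.ok is the only record of that. runas_userlist_matches starts and ends outside the hunk.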
@@ -0,0 +1,117 @@
+This should match the 'ALL=ALL' rule.
+Parses OK
+
+Entries for user admin:
+
+ALL = (admin : staff) NOPASSWD: ALL
+ host allowed
+ runas unmatched
+
+ALL = ALL
+ host allowed
+ runas allowed
+ cmnd allowed
+
+Command allowed
+
+This should match the 'ALL=ALL' rule.
+Parses OK
+
+Entries for user admin:
+
+ALL = ALL
+ host allowed
+ runas allowed
+ cmnd allowed
+
+Command allowed
+
+This should match the 'ALL=(:staff) NOPASSWD: ALL' rule.
+Parses OK
+
+Entries for user admin:
+
+ALL = (admin : staff) NOPASSWD: ALL
+ host allowed
+ runas allowed
+ cmnd allowed
+
+Command allowed
+
+This should match the 'ALL=(:staff) NOPASSWD: ALL' rule.
+Parses OK
+
+Entries for user admin:
+
+ALL = ALL
+ host allowed
+ runas unmatched
+
+ALL = (admin : staff) NOPASSWD: ALL
+ host allowed
+ runas allowed
+ cmnd allowed
+
+Command allowed
+
+This should match the 'ALL=(:staff) NOPASSWD: ALL' rule.
+Parses OK
+
+Entries for user admin:
+
+ALL = ALL
+ host allowed
+ runas unmatched
+
+ALL = (admin : staff) NOPASSWD: ALL
+ host allowed
+ runas allowed
+ cmnd allowed
+
+Command allowed
+
+This should match the 'ALL=(:staff) NOPASSWD: ALL' rule.
+Parses OK
+
+Entries for user admin:
+
+ALL = ALL
+ host allowed
+ runas unmatched
+
+ALL = (admin : staff) NOPASSWD: ALL
+ host allowed
+ runas allowed
+ cmnd allowed
+
+Command allowed
+
+This should not match any rules.
+Parses OK
+
+Entries for user admin:
+
+ALL = ALL
+ host allowed
+ runas unmatched
+
+ALL = (admin : staff) NOPASSWD: ALL
+ host allowed
+ runas unmatched
+
+Command unmatched
+
+This should not match any rules.
+Parses OK
+
+Entries for user admin:
+
+ALL = ALL
+ host allowed
+ runas unmatched
+
+ALL = (admin : users) NOPASSWD: ALL
+ host allowed
+ runas unmatched
+
+Command unmatched
diff --git a/plugins/sudoers/regress/testsudoers/test28.sh b/plugins/sudoers/regress/testsudoers/test28.sh
new file mode 100644
index 000000000..04655319d
--- /dev/null
+++ b/plugins/sudoers/regress/testsudoers/test28.sh
@@ -0,0 +1,99 @@
+#!/bin/sh
+#
+# Verify that a rule with an empty Runas user matches correctly.
+#
+
+: ${TESTSUDOERS=testsudoers}
+
+exec 2>&1
+
+status=0
+
+echo "This should match the 'ALL=ALL' rule."
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group \
+ admin /bin/ls <<'EOF'
+admin ALL = ALL
+ALL ALL=(:staff) NOPASSWD: ALL
+EOF
+if [ $? -ne 0 ]; then
+ status=1
+fi
+
+echo ""
+echo "This should match the 'ALL=ALL' rule."
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group \
+ admin /bin/ls <<'EOF'
+ALL ALL=(:staff) NOPASSWD: ALL
+admin ALL = ALL
+EOF
+if [ $? -ne 0 ]; then
+ status=1
+fi
+
+echo ""
+echo "This should match the 'ALL=(:staff) NOPASSWD: ALL' rule."
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -g staff \
+ admin /bin/ls <<'EOF'
+admin ALL = ALL
+ALL ALL=(:staff) NOPASSWD: ALL
+EOF
+if [ $? -ne 0 ]; then
+ status=1
+fi
+
+echo ""
+echo "This should match the 'ALL=(:staff) NOPASSWD: ALL' rule."
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -g staff \
+ admin /bin/ls <<'EOF'
+ALL ALL=(:staff) NOPASSWD: ALL
+admin ALL = ALL
+EOF
+if [ $? -ne 0 ]; then
+ status=1
+fi
+
+echo ""
+echo "This should match the 'ALL=(:staff) NOPASSWD: ALL' rule."
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -u admin \
+ admin /bin/ls <<'EOF'
+ALL ALL=(:staff) NOPASSWD: ALL
+admin ALL = ALL
+EOF
+if [ $? -ne 0 ]; then
+ status=1
+fi
+
+echo ""
+echo "This should match the 'ALL=(:staff) NOPASSWD: ALL' rule."
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -u admin -g staff \
+ admin /bin/ls <<'EOF'
+ALL ALL=(:staff) NOPASSWD: ALL
+admin ALL = ALL
+EOF
+if [ $? -ne 0 ]; then
+ status=1
+fi
+
+echo ""
+echo "This should not match any rules."
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -g guest \
+ admin /bin/ls <<'EOF'
+ALL ALL=(:staff) NOPASSWD: ALL
+admin ALL = ALL
+EOF
+if [ $? -eq 0 ]; then
+ status=1
+fi
+
+echo ""
+echo "This should not match any rules."
+$TESTSUDOERS -p ${TESTDIR}/passwd -P ${TESTDIR}/group -u root -g users \
+ admin /bin/ls <<'EOF'
+ALL ALL=(:users) NOPASSWD: ALL
+admin ALL = ALL
+EOF
+if [ $? -eq 0 ]; then
+ status=1
+fi
+
+exit $status
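Review bot: None of the eight cases runs with `-u` naming a different user and no `-g`, which is the path where only the strcmp disjunct of the MYSELF case is consulted; the last case covers `-u root -g users`, but a plain `-u root` case against the same `ALL ALL=(:users) NOPASSWD: ALL` rule, expected to print "This should not match any rules.", would pin that branch on its own. A `-u admin -g guest` case (own user, group not in the rule) would likewise confirm that the user match does not leak into the group match. Both are a copy of the final block with a changed option line and a matching addition to test28.out.ok.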