runas_userlist_matches: fix matching a Runas_Spec with an empty runas user.

We should only match a rule with an empty runas user if a group was
specified on the command line (sudo -g) without a user (no -u option)
or the user specified their own name on the command line.
GitHub issue #290
Todd C. Miller
2023-07-15 08:44:57 -06:00
parent 78b712101e
commit db704c22ec
4 changed files with 226 additions and 2 deletions


@@ -188,8 +188,14 @@ runas_userlist_matches(const struct sudoers_parse_tree *parse_tree,
user_matched = !m->negated;
break;
case MYSELF:
if (!ISSET(sudo_user.flags, RUNAS_USER_SPECIFIED) ||
strcmp(user_name, runas_pw->pw_name) == 0)
/*
* Only match a rule with an empty runas user if a group
* was specified on the command line without a user _or_
* the user specified their own name on the command line.
*/
if ((!ISSET(sudo_user.flags, RUNAS_USER_SPECIFIED) &&
ISSET(sudo_user.flags, RUNAS_GROUP_SPECIFIED)) ||
strcmp(user_name, runas_pw->pw_name) == 0)
user_matched = !m->negated;
break;
}
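Review bot: The new three-line condition in the MYSELF case leaves its single-statement body unbraced, which is fragile in a match function where the next edit is likely to add a second statement under the same condition; bracing it (`if ((!ISSET(...) && ISSET(...)) || strcmp(...) == 0) {` / `user_matched = !m->negated;` / `}`) costs nothing and removes the hazard. The `strcmp(user_name, runas_pw->pw_name) == 0` clause compares account names rather than uids, so two names sharing one uid are treated as different users here; if name identity is the intended contract, a short comment saying so (`/* compare by name, not uid: distinct names with a shared uid are distinct users here */`) would make that explicit, and `runas_pw` is dereferenced without a NULL check, which presumably the caller guarantees — worth a one-line note either way. The enclosing runas_userlist_matches body starts before this hunk and continues after it.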