Avoid changing the order of non-negated hosts and commands.

We still put negated hosts/commands at the end of the list.

plugins/sudoers/ldap_util.c

@@ -252,6 +252,8 @@ sudo_ldap_role_to_priv(const char *cn, void *hosts, void *runasusers,
     const char *notafter, bool warnings, bool store_options,
     sudo_ldap_iter_t iter)
 {
+    struct cmndspec_list negated_cmnds = TAILQ_HEAD_INITIALIZER(negated_cmnds);
+    struct member_list negated_hosts = TAILQ_HEAD_INITIALIZER(negated_hosts);
     struct cmndspec *cmndspec = NULL;
     struct cmndspec *prev_cmndspec = NULL;
     struct sudo_command *c;
@@ -281,12 +283,13 @@ sudo_ldap_role_to_priv(const char *cn, void *hosts, void *runasusers,
 	while ((host = iter(&hosts)) != NULL) {
 	    if ((m = host_to_member(host)) == NULL)
 		goto oom;
-	    /* Negated hosts have precedence so insert them at the end. */
 	    if (m->negated)
-		TAILQ_INSERT_TAIL(&priv->hostlist, m, entries);
+		TAILQ_INSERT_TAIL(&negated_hosts, m, entries);
 	    else
-		TAILQ_INSERT_HEAD(&priv->hostlist, m, entries);
+		TAILQ_INSERT_TAIL(&priv->hostlist, m, entries);
 	}
+	/* Negated hosts take precedence so we insert them at the end. */
+	TAILQ_CONCAT(&priv->hostlist, &negated_hosts, entries);
     }
 
     /*
@@ -310,9 +313,9 @@ sudo_ldap_role_to_priv(const char *cn, void *hosts, void *runasusers,
 
 	/* Negated commands have precedence so insert them at the end. */
 	if (negated)
-	    TAILQ_INSERT_TAIL(&priv->cmndlist, cmndspec, entries);
+	    TAILQ_INSERT_TAIL(&negated_cmnds, cmndspec, entries);
 	else
-	    TAILQ_INSERT_HEAD(&priv->cmndlist, cmndspec, entries);
+	    TAILQ_INSERT_TAIL(&priv->cmndlist, cmndspec, entries);
 
 	/* Initialize cmndspec */
 	TAGS_INIT(cmndspec->tags);
@@ -468,6 +471,9 @@ sudo_ldap_role_to_priv(const char *cn, void *hosts, void *runasusers,
 	    prev_cmndspec = cmndspec;
 	}
     }
+    /* Negated commands take precedence so we insert them at the end. */
+    TAILQ_CONCAT(&priv->cmndlist, &negated_cmnds, entries);
+
     debug_return_ptr(priv);
 
 oom: