isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Avoid changing the order of non-negated hosts and commands.

Browse Source 
We still put negated hosts/commands at the end of the list.
This commit is contained in:
Todd C. Miller
2018-03-02 10:58:50 -07:00
parent e750bae75d
commit e96398cac2
1 changed files with 11 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
plugins/sudoers/ldap_util.c
View File

@@ -252,6 +252,8 @@ sudo_ldap_role_to_priv(const char *cn, void *hosts, void *runasusers,
const char *notafter, bool warnings, bool store_options, const char *notafter, bool warnings, bool store_options,
sudo_ldap_iter_t iter) sudo_ldap_iter_t iter)
{ {
struct cmndspec_list negated_cmnds = TAILQ_HEAD_INITIALIZER(negated_cmnds);
struct member_list negated_hosts = TAILQ_HEAD_INITIALIZER(negated_hosts);
struct cmndspec *cmndspec = NULL; struct cmndspec *cmndspec = NULL;
struct cmndspec *prev_cmndspec = NULL; struct cmndspec *prev_cmndspec = NULL;
struct sudo_command *c; struct sudo_command *c;
@@ -281,12 +283,13 @@ sudo_ldap_role_to_priv(const char *cn, void *hosts, void *runasusers,
while ((host = iter(&hosts)) != NULL) { while ((host = iter(&hosts)) != NULL) {
if ((m = host_to_member(host)) == NULL) if ((m = host_to_member(host)) == NULL)
goto oom; goto oom;
/* Negated hosts have precedence so insert them at the end. */
if (m->negated) if (m->negated)
TAILQ_INSERT_TAIL(&priv->hostlist, m, entries); TAILQ_INSERT_TAIL(&negated_hosts, m, entries);
else else
TAILQ_INSERT_HEAD(&priv->hostlist, m, entries); TAILQ_INSERT_TAIL(&priv->hostlist, m, entries);
} }
/* Negated hosts take precedence so we insert them at the end. */
TAILQ_CONCAT(&priv->hostlist, &negated_hosts, entries);
} }
/* /*
@@ -310,9 +313,9 @@ sudo_ldap_role_to_priv(const char *cn, void *hosts, void *runasusers,
/* Negated commands have precedence so insert them at the end. */ /* Negated commands have precedence so insert them at the end. */
if (negated) if (negated)
TAILQ_INSERT_TAIL(&priv->cmndlist, cmndspec, entries); TAILQ_INSERT_TAIL(&negated_cmnds, cmndspec, entries);
else else
TAILQ_INSERT_HEAD(&priv->cmndlist, cmndspec, entries); TAILQ_INSERT_TAIL(&priv->cmndlist, cmndspec, entries);
/* Initialize cmndspec */ /* Initialize cmndspec */
TAGS_INIT(cmndspec->tags); TAGS_INIT(cmndspec->tags);
@@ -468,6 +471,9 @@ sudo_ldap_role_to_priv(const char *cn, void *hosts, void *runasusers,
prev_cmndspec = cmndspec; prev_cmndspec = cmndspec;
} }
} }
/* Negated commands take precedence so we insert them at the end. */
TAILQ_CONCAT(&priv->cmndlist, &negated_cmnds, entries);
debug_return_ptr(priv); debug_return_ptr(priv);
oom: oom: