isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Support negated sudoHost entries.

Browse Source
This commit is contained in:
Todd C. Miller
2016-09-14 10:22:52 -06:00
parent ca2a1f3109
commit f51fbfa40d
1 changed files with 9 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
plugins/sudoers/ldap.c
View File

@@ -722,6 +722,7 @@ sudo_ldap_check_host(LDAP *ld, LDAPMessage *entry, struct passwd *pw)
struct berval **bv, **p; struct berval **bv, **p;
char *val; char *val;
bool ret = false; bool ret = false;
bool foundbang = false;
debug_decl(sudo_ldap_check_host, SUDOERS_DEBUG_LDAP) debug_decl(sudo_ldap_check_host, SUDOERS_DEBUG_LDAP)
if (!entry) if (!entry)
@@ -733,14 +734,20 @@ sudo_ldap_check_host(LDAP *ld, LDAPMessage *entry, struct passwd *pw)
debug_return_bool(ret); debug_return_bool(ret);
/* walk through values */ /* walk through values */
for (p = bv; *p != NULL && !ret; p++) { for (p = bv; *p != NULL && !foundbang; p++) {
val = (*p)->bv_val; val = (*p)->bv_val;
if (*val == '!') {
val++;
foundbang = true;
}
/* match any or address or netgroup or hostname */ /* match any or address or netgroup or hostname */
if (strcmp(val, "ALL") == 0 || addr_matches(val) || if (strcmp(val, "ALL") == 0 || addr_matches(val) ||
netgr_matches(val, user_runhost, user_srunhost, netgr_matches(val, user_runhost, user_srunhost,
def_netgroup_tuple ? pw->pw_name : NULL) || def_netgroup_tuple ? pw->pw_name : NULL) ||
hostname_matches(user_srunhost, user_runhost, val)) hostname_matches(user_srunhost, user_runhost, val))
ret = true; ret = !foundbang;
DPRINTF2("ldap sudoHost '%s' ... %s", val, ret ? "MATCH!" : "not"); DPRINTF2("ldap sudoHost '%s' ... %s", val, ret ? "MATCH!" : "not");
} }