Fix potential crash introduced in the fix for GitHub issue #134.

If a user's sudoers entry did not have any RunAs user's set, running "sudo -U otheruser -l" would dereference a NULL pointer. We need to compare the default RunAs user if the sudoers entry does not specify one explicitly. Problem reported by Andreas Mueller who also suggested a different solution in PR #219.
2022-12-07 10:25:00 -07:00
parent 31684dccc0
commit f5488d733d
1 changed files with 20 additions and 5 deletions
--- a/plugins/sudoers/parse.c
+++ b/plugins/sudoers/parse.c
@@ -35,6 +35,23 @@
 #include "sudo_lbuf.h"
 #include <gram.h>

+static int
+runas_matches_pw(struct sudoers_parse_tree *parse_tree,
+    const struct cmndspec *cs, const struct passwd *pw)
+{
+    debug_decl(runas_matches_pw, SUDOERS_DEBUG_PARSER);
+
+    if (cs->runasuserlist != NULL)
+	debug_return_int(userlist_matches(parse_tree, pw, cs->runasuserlist));
+
+    if (cs->runasgrouplist == NULL) {
+	/* No explicit runas user or group, use default. */
+	if (userpw_matches(def_runas_default, pw->pw_name, pw))
+	    debug_return_int(ALLOW);
+    }
+    debug_return_int(UNSPEC);
+}
+
 /*
 * Look up the user in the sudoers parse tree for pseudo-commands like
 * list, verify and kill.
@@ -101,12 +118,10 @@ sudoers_lookup_pseudo(struct sudo_nss_list *snl, struct passwd *pw,
 			continue;
 		    }
 		    /* Runas user must match list user or root. */
-		    if (userlist_matches(nss->parse_tree, list_pw,
-			    cs->runasuserlist) == DENY) {
+		    if (runas_matches_pw(nss->parse_tree, cs, list_pw) == DENY)
 			continue;
-		    }
-		    if (root_pw == NULL || userlist_matches(nss->parse_tree,
-			    root_pw, cs->runasuserlist) != ALLOW) {
+		    if (root_pw == NULL || runas_matches_pw(nss->parse_tree,
+			    cs, root_pw) != ALLOW) {
 			continue;
 		    }
 		    if (cmnd_matches(nss->parse_tree, cs->cmnd, cs->runchroot,