From f5488d733d0010dfc3231560e00e5e65a7ad9c03 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Wed, 7 Dec 2022 10:25:00 -0700 Subject: [PATCH] Fix potential crash introduced in the fix for GitHub issue #134. If a user's sudoers entry did not have any RunAs user's set, running "sudo -U otheruser -l" would dereference a NULL pointer. We need to compare the default RunAs user if the sudoers entry does not specify one explicitly. Problem reported by Andreas Mueller who also suggested a different solution in PR #219. --- plugins/sudoers/parse.c | 25 ++++++++++++++++++++----- 1 file changed, 20 insertions(+), 5 deletions(-) diff --git a/plugins/sudoers/parse.c b/plugins/sudoers/parse.c index c0c5f86ad..71bab9695 100644 --- a/plugins/sudoers/parse.c +++ b/plugins/sudoers/parse.c @@ -35,6 +35,23 @@ #include "sudo_lbuf.h" #include +static int +runas_matches_pw(struct sudoers_parse_tree *parse_tree, + const struct cmndspec *cs, const struct passwd *pw) +{ + debug_decl(runas_matches_pw, SUDOERS_DEBUG_PARSER); + + if (cs->runasuserlist != NULL) + debug_return_int(userlist_matches(parse_tree, pw, cs->runasuserlist)); + + if (cs->runasgrouplist == NULL) { + /* No explicit runas user or group, use default. */ + if (userpw_matches(def_runas_default, pw->pw_name, pw)) + debug_return_int(ALLOW); + } + debug_return_int(UNSPEC); +} + /* * Look up the user in the sudoers parse tree for pseudo-commands like * list, verify and kill. @@ -101,12 +118,10 @@ sudoers_lookup_pseudo(struct sudo_nss_list *snl, struct passwd *pw, continue; } /* Runas user must match list user or root. */ - if (userlist_matches(nss->parse_tree, list_pw, - cs->runasuserlist) == DENY) { + if (runas_matches_pw(nss->parse_tree, cs, list_pw) == DENY) continue; - } - if (root_pw == NULL || userlist_matches(nss->parse_tree, - root_pw, cs->runasuserlist) != ALLOW) { + if (root_pw == NULL || runas_matches_pw(nss->parse_tree, + cs, root_pw) != ALLOW) { continue; } if (cmnd_matches(nss->parse_tree, cs->cmnd, cs->runchroot,