Add LDAP-specific innetgr() implementation.

Wheh netgroup_base is set we now do out own netgroup lookups using
LDAP.  Previously, LDAP was queried directly to get a list of the
netgroups the user belongs to but other netgroups queries went
through innetgr(3).  This makes it possible to use netgroups
in LDAP sudoers on systems that don't have an innetgr() function.
GitHub issue #251.

MANIFEST

@@ -649,6 +649,7 @@ plugins/sudoers/iolog.c
 plugins/sudoers/iolog_path_escapes.c
 plugins/sudoers/ldap.c
 plugins/sudoers/ldap_conf.c
+plugins/sudoers/ldap_innetgr.c
 plugins/sudoers/ldap_util.c
 plugins/sudoers/linux_audit.c
 plugins/sudoers/linux_audit.h

configure

@@ -30941,7 +30941,7 @@ fi
 
 	    with_ldap=yes
 	fi
-	SUDOERS_OBJS="${SUDOERS_OBJS} ldap.lo ldap_conf.lo"
+	SUDOERS_OBJS="${SUDOERS_OBJS} ldap.lo ldap_conf.lo ldap_innetgr.lo"
 	case "$SUDOERS_OBJS" in
 	    *ldap_util.lo*) ;;
 	    *) SUDOERS_OBJS="${SUDOERS_OBJS} ldap_util.lo";;

m4/ldap.m4

@@ -11,7 +11,7 @@ AC_DEFUN([SUDO_CHECK_LDAP], [
 	    AX_APPEND_FLAG([-I${with_ldap}/include], [CPPFLAGS])
 	    with_ldap=yes
 	fi
-	SUDOERS_OBJS="${SUDOERS_OBJS} ldap.lo ldap_conf.lo"
+	SUDOERS_OBJS="${SUDOERS_OBJS} ldap.lo ldap_conf.lo ldap_innetgr.lo"
 	case "$SUDOERS_OBJS" in
 	    *ldap_util.lo*) ;;
 	    *) SUDOERS_OBJS="${SUDOERS_OBJS} ldap_util.lo";;

plugins/sudoers/Makefile.in

@@ -2075,6 +2075,32 @@ ldap_conf.i: $(srcdir)/ldap_conf.c $(devdir)/def_data.h \
 	$(CC) -E -o $@ $(CPPFLAGS) $<
 ldap_conf.plog: ldap_conf.i
 	rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/ldap_conf.c --i-file $< --output-file $@
+ldap_innetgr.lo: $(srcdir)/ldap_innetgr.c $(devdir)/def_data.h \
+                 $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
+                 $(incdir)/sudo_conf.h $(incdir)/sudo_debug.h \
+                 $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
+                 $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+                 $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                 $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+                 $(srcdir)/sudo_ldap.h $(srcdir)/sudo_ldap_conf.h \
+                 $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+                 $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+                 $(top_builddir)/pathnames.h
+	$(LIBTOOL) $(LTFLAGS) --mode=compile $(CC) -c $(CPPFLAGS) $(CFLAGS) $(ASAN_CFLAGS) $(PIE_CFLAGS) $(HARDENING_CFLAGS) $(srcdir)/ldap_innetgr.c
+ldap_innetgr.i: $(srcdir)/ldap_innetgr.c $(devdir)/def_data.h \
+                 $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
+                 $(incdir)/sudo_conf.h $(incdir)/sudo_debug.h \
+                 $(incdir)/sudo_eventlog.h $(incdir)/sudo_fatal.h \
+                 $(incdir)/sudo_gettext.h $(incdir)/sudo_plugin.h \
+                 $(incdir)/sudo_queue.h $(incdir)/sudo_util.h \
+                 $(srcdir)/defaults.h $(srcdir)/logging.h $(srcdir)/parse.h \
+                 $(srcdir)/sudo_ldap.h $(srcdir)/sudo_ldap_conf.h \
+                 $(srcdir)/sudo_nss.h $(srcdir)/sudoers.h \
+                 $(srcdir)/sudoers_debug.h $(top_builddir)/config.h \
+                 $(top_builddir)/pathnames.h
+	$(CC) -E -o $@ $(CPPFLAGS) $<
+ldap_innetgr.plog: ldap_innetgr.i
+	rm -f $@; pvs-studio --cfg $(PVS_CFG) --sourcetree-root $(top_srcdir) --skip-cl-exe yes --source-file $(srcdir)/ldap_innetgr.c --i-file $< --output-file $@
 ldap_util.lo: $(srcdir)/ldap_util.c $(devdir)/def_data.h $(devdir)/gram.h \
               $(incdir)/compat/stdbool.h $(incdir)/sudo_compat.h \
               $(incdir)/sudo_conf.h $(incdir)/sudo_debug.h \

plugins/sudoers/ldap.c

@@ -1955,6 +1955,14 @@ sudo_ldap_parse(struct sudo_nss *nss)
     debug_return_ptr(&handle->parse_tree);
 }
 
+static int
+sudo_ldap_innetgr(struct sudo_nss *nss, const char *netgr, const char *host,
+    const char *user, const char *domain)
+{
+    const struct sudo_ldap_handle *handle = nss->handle;
+    return sudo_ldap_innetgr_int(handle->ld, netgr, host, user, domain);
+}
+
 #if 0
 /*
  * Create an ldap_result from an LDAP search result.
@@ -2013,5 +2021,6 @@ struct sudo_nss sudo_nss_ldap = {
     sudo_ldap_close,
     sudo_ldap_parse,
     sudo_ldap_query,
-    sudo_ldap_getdefs
+    sudo_ldap_getdefs,
+    sudo_ldap_innetgr
 };

plugins/sudoers/ldap_innetgr.c

@@ -0,0 +1,264 @@
+/*
+ * SPDX-License-Identifier: ISC
+ *
+ * Copyright (c) 2023 Todd C. Miller <Todd.Miller@sudo.ws>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * This is an open source non-commercial project. Dear PVS-Studio, please check it.
+ * PVS-Studio Static Code Analyzer for C, C++ and C#: http://www.viva64.com
+ */
+
+#include <config.h>
+
+#include <sys/types.h>
+#include <sys/time.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#ifdef HAVE_STRINGS_H
+# include <strings.h>
+#endif /* HAVE_STRINGS_H */
+#include <time.h>
+#include <ctype.h>
+#ifdef HAVE_LBER_H
+# include <lber.h>
+#endif
+#include <ldap.h>
+
+#include "sudoers.h"
+#include "sudo_ldap.h"
+#include "sudo_ldap_conf.h"
+
+/*
+ * Compare str to netgroup string ngstr of length nglen where str is a
+ * NUL-terminated string and ngstr is part of a netgroup triple string.
+ * Uses innetgr(3)-style matching rules.
+ * Returns true if the strings match, else false.
+ */
+static bool
+sudo_ldap_netgroup_match_str(const char *str, const char *ngstr, size_t nglen,
+    bool ignore_case)
+{
+    debug_decl(sudo_ldap_netgroup_match_str, SUDOERS_DEBUG_LDAP);
+
+    /* Skip leading whitespace. */
+    while (isspace((unsigned char)*ngstr) && nglen > 0) {
+	ngstr++;
+	nglen--;
+    }
+    /* Skip trailing whitespace. */
+    while (nglen > 0 && isspace((unsigned char)ngstr[nglen - 1])) {
+	nglen--;
+    }
+
+    sudo_debug_printf(SUDO_DEBUG_DEBUG, "%s: compare \"%s\" to \"%.*s\"",
+	__func__, str ? str : "", (int)nglen, ngstr);
+
+    if (nglen == 0 || str == NULL) {
+	/* An empty string is a wildcard. */
+	debug_return_bool(true);
+    }
+    if (*ngstr == '-' && nglen == 1) {
+	/* '-' means no valid value. */
+	debug_return_bool(str == NULL);
+    }
+    if (ignore_case) {
+	if (strncasecmp(str, ngstr, nglen) == 0 && str[nglen] == '\0')
+	    debug_return_bool(true);
+    } else {
+	if (strncmp(str, ngstr, nglen) == 0 && str[nglen] == '\0')
+	    debug_return_bool(true);
+    }
+    debug_return_bool(false);
+}
+
+/*
+ * Match the specified netgroup triple using the given host,
+ * user and domain.  Matching rules as per innetgr(3).
+ * Returns 1 on match, else 0.
+ */
+static int
+sudo_ldap_match_netgroup(const char *triple, const char *host,
+    const char *user, const char *domain)
+{
+    const char *cp, *ep;
+    debug_decl(sudo_ldap_match_netgroup, SUDOERS_DEBUG_LDAP);
+
+    /* Trim leading space, check for opening paren. */
+    while (isspace((unsigned char)*triple))
+	triple++;
+    if (*triple != '(') {
+	sudo_debug_printf(SUDO_DEBUG_ERROR, "%s: invalid triple: %s",
+	    __func__, triple);
+	debug_return_int(0);
+    }
+    sudo_debug_printf(SUDO_DEBUG_INFO, "%s: matching (%s,%s,%s) against %s",
+	__func__, host ? host : "", user ? user : "", domain ? domain : "",
+	triple);
+
+    /* Parse host. */
+    cp = triple + 1;
+    ep = strchr(cp, ',');
+    if (ep == NULL || !sudo_ldap_netgroup_match_str(host, cp, ep - cp, true))
+	debug_return_int(0);
+
+    /* Parse user. */
+    cp = ep + 1;
+    ep = strchr(cp, ',');
+    if (ep == NULL || !sudo_ldap_netgroup_match_str(user, cp, ep - cp, def_case_insensitive_user))
+	debug_return_int(0);
+
+    /* Parse domain. */
+    cp = ep + 1;
+    ep = strchr(cp, ')');
+    if (ep == NULL || !sudo_ldap_netgroup_match_str(domain, cp, ep - cp, true))
+	debug_return_int(0);
+
+    debug_return_int(1);
+}
+
+#define MAX_NETGROUP_DEPTH 128
+struct netgroups_seen {
+    const char *groups[MAX_NETGROUP_DEPTH];
+    size_t len;
+};
+
+static int
+sudo_ldap_innetgr_base(LDAP *ld, const char *base,
+    struct timeval *timeout, const char *netgr, const char *host,
+    const char *user, const char *domain, struct netgroups_seen *seen)
+{
+    char *escaped_netgr = NULL, *filt = NULL;
+    LDAPMessage *entry, *result = NULL;
+    int rc, ret = 0;
+    size_t n;
+    debug_decl(sudo_ldap_innetgr_base, SUDOERS_DEBUG_LDAP);
+
+    /* Cycle detection. */
+    for (n = 0; n < seen->len; n++) {
+	if (strcmp(netgr, seen->groups[n]) == 0) {
+	    DPRINTF1("%s: cycle in netgroups", netgr);
+	    goto done;
+	}
+    }
+    if (seen->len + 1 > MAX_NETGROUP_DEPTH) {
+	DPRINTF1("%s: too many nested netgroups", netgr);
+	goto done;
+    }
+    seen->groups[seen->len++] = netgr;
+
+    /* Escape the netgroup name per RFC 4515. */
+    if ((escaped_netgr = sudo_ldap_value_dup(netgr)) == NULL)
+	goto done;
+
+    /* Build nisNetgroup query. */
+    rc = asprintf(&filt, "(&%s(cn=%s))",
+	ldap_conf.netgroup_search_filter, escaped_netgr);
+    if (rc == -1)
+	goto done;
+    DPRINTF1("ldap netgroup search filter: '%s'", filt);
+
+    /* Perform an LDAP query for nisNetgroup. */
+    DPRINTF1("searching from netgroup_base '%s'", base);
+    rc = ldap_search_ext_s(ld, base, LDAP_SCOPE_SUBTREE, filt,
+	NULL, 0, NULL, NULL, timeout, 0, &result);
+    free(filt);
+    if (rc != LDAP_SUCCESS) {
+	DPRINTF1("ldap netgroup search failed: %s", ldap_err2string(rc));
+	goto done;
+    }
+
+    LDAP_FOREACH(entry, ld, result) {
+	struct berval **bv, **p;
+
+	/* Check all nisNetgroupTriple entries. */
+	bv = ldap_get_values_len(ld, entry, "nisNetgroupTriple");
+	if (bv == NULL) {
+	    const int optrc = ldap_get_option(ld, LDAP_OPT_RESULT_CODE, &rc);
+	    if (optrc != LDAP_OPT_SUCCESS || rc == LDAP_NO_MEMORY)
+		debug_return_int(-1);
+	} else {
+	    for (p = bv; *p != NULL && !ret; p++) {
+		char *val = (*p)->bv_val;
+		if (sudo_ldap_match_netgroup(val, host, user, domain)) {
+		    ret = 1;
+		    break;
+		}
+	    }
+	    ldap_value_free_len(bv);
+	    if (ret == 1)
+		break;
+	}
+
+	/* Handle nested netgroups. */
+	bv = ldap_get_values_len(ld, entry, "memberNisNetgroup");
+	if (bv == NULL) {
+	    const int optrc = ldap_get_option(ld, LDAP_OPT_RESULT_CODE, &rc);
+	    if (optrc != LDAP_OPT_SUCCESS || rc == LDAP_NO_MEMORY)
+		debug_return_int(-1);
+	} else {
+	    for (p = bv; *p != NULL && !ret; p++) {
+		const char *val = (*p)->bv_val;
+		const size_t saved_len = seen->len;
+		ret = sudo_ldap_innetgr_base(ld, base, timeout, val, host,
+		    user, domain, seen);
+		/* Restore seen state to avoid use-after-free. */
+		seen->len = saved_len;
+	    }
+	    ldap_value_free_len(bv);
+	}
+    }
+
+done:
+    ldap_msgfree(result);
+    free(escaped_netgr);
+
+    debug_return_int(ret);
+}
+
+int
+sudo_ldap_innetgr_int(void *v, const char *netgr, const char *host,
+    const char *user, const char *domain)
+{
+    LDAP *ld = v;
+    struct timeval tv, *tvp = NULL;
+    struct ldap_config_str *base;
+    struct netgroups_seen seen;
+    int ret = 0;
+    debug_decl(sudo_ldap_innetgr, SUDOERS_DEBUG_LDAP);
+
+    if (STAILQ_EMPTY(&ldap_conf.netgroup_base)) {
+	/* LDAP netgroups not configured. */
+	debug_return_int(-1);
+    }
+
+    if (ldap_conf.timeout > 0) {
+	tv.tv_sec = ldap_conf.timeout;
+	tv.tv_usec = 0;
+	tvp = &tv;
+    }
+
+    /* Perform an LDAP query for nisNetgroup. */
+    STAILQ_FOREACH(base, &ldap_conf.netgroup_base, entries) {
+	seen.len = 0;
+	ret = sudo_ldap_innetgr_base(ld, base->val, tvp, netgr, host,
+	    user, domain, &seen);
+	if (ret != 0)
+	    break;
+    }
+
+    debug_return_int(ret);
+}

plugins/sudoers/sudo_ldap.h

@@ -49,6 +49,9 @@
 /* Iterators used by sudo_ldap_role_to_priv() to handle bervar ** or char ** */
 typedef char * (*sudo_ldap_iter_t)(void **);
 
+/* ldap_innetgr.c */
+int sudo_ldap_innetgr_int(void *v, const char *netgr, const char *host, const char *user, const char *domain);
+
 /* ldap_util.c */
 bool sudo_ldap_is_negated(char **valp);
 size_t sudo_ldap_value_len(const char *value);

scripts/mkdep.pl

@@ -116,7 +116,7 @@ sub mkdep {
     $makefile =~ s:\@DEV\@::g;
     $makefile =~ s:\@COMMON_OBJS\@:aix.lo event_poll.lo event_select.lo:;
     $makefile =~ s:\@SUDO_OBJS\@:intercept.pb-c.o openbsd.o preload.o apparmor.o selinux.o sesh.o solaris.o:;
-    $makefile =~ s:\@SUDOERS_OBJS\@:bsm_audit.lo linux_audit.lo ldap.lo ldap_util.lo ldap_conf.lo solaris_audit.lo sssd.lo:;
+    $makefile =~ s:\@SUDOERS_OBJS\@:bsm_audit.lo linux_audit.lo ldap.lo ldap_util.lo ldap_conf.lo ldap_innetgr.lo solaris_audit.lo sssd.lo:;
     # XXX - fill in AUTH_OBJS from contents of the auth dir instead
     $makefile =~ s:\@AUTH_OBJS\@:afs.lo aix_auth.lo bsdauth.lo dce.lo fwtk.lo getspwuid.lo kerb5.lo pam.lo passwd.lo rfc1938.lo secureware.lo securid5.lo sia.lo:;
     $makefile =~ s:\@DIGEST\@:digest.lo digest_openssl.lo digest_gcrypt.lo:;