This makes it possible to tell whether an entry was rejected due
to a negative match (explicitly denied) as opposed to a non-match.
Also fixes a bug where the runas status was only printed for positive
matches.

Previously, the user could specify the runas user's home dir for
"sudo -i" or the user's existing cwd when -i is not specified.
This behavior was never documented and is inconsistent with how
the -R option is handled.

macOS does not support direct access to the environ pointer from a
shared object. We need to redirect through _NSGetEnviron() instead.
Fixes GitHub issue #276.

Previously, check_user_runcwd() would return true if the runcwd
matched the user's cwd, even if sudoers specified a different one.
The user-specified runcwd was ignored but it is better to error out
in this case. It is now also possible to use "sudo -D" with the
directory specified in sudoers.

The lack of setting to NULL is a holdover from when command_info was a local variable and not a global one. However, given how other global variables are set to NULL, it is best that we do the same here to avoid potential issues should sudoers_policy_store_result be called again after the first time failed; otherwise we could get a double-free.

Variable length arrays are supported by C99, but having it denoted as "1" confused the compiler and is not defined.
Note that because we don't get the inferred NULL terminator, we have to increase the malloc size by one.

This makes it possible to call the appropriate runas user or group
list match function when resolving aliases instead of calling
runaslist_matches() itself. Fixes a bug that prevented the group
specified via "sudo -g" from matching when a Runas_Alias was used
in the user or group portion of a Runas_Spec.

If a sudoers rule has no runas list, a user-specified runas group
should only be allowed if it matches a group that the default runas
user belongs to. Instead, a missing group check allowed the user
to run commands as the default runas user with an arbitrary group.
This means that a rule like "somebody host = ALL", which should be
equivalent to "somebody host = (root) ALL", had the same effect as
"somebody host = (root:ALL) ALL".

Now that we are guaranteed to have a runas user list for all sudoers
rules that contain a runas list, we can remove support for the
special case where user_matched is set in the runas group matching
conditional. This fixes a bug where "sudo -u myuser -g mygroup"
was permitted by a rule like "myuser ALL = (root) ALL".

When a sudoers rule permits the user to run commands as a group,
not a user, we should set the runasusers to a single member with the
special MYSELF token. This guarantees that the only time runasusers
will be NULL is when no runaslist is present.
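
The runas user and group checks described in the last three commit messages, as a simplified Python model (an added example, not sudo's code). The function names, the MYSELF placeholder string, the group database and the choice of root as the default runas user are assumptions made for illustration.

```python
# Simplified model of Runas_Spec matching; not sudo's implementation.
ALL, MYSELF = "ALL", "<myself>"   # MYSELF stands in for sudo's internal token
DEFAULT_RUNAS_USER = "root"       # assumed default runas user

# Constructed group database: group name -> members.
GROUPS = {"wheel": {"root"}, "operator": {"alice"}, "mygroup": {"myuser"}}


def normalize(users, groups):
    """Return (users, groups) so that a runas user list is always present."""
    if users is None and groups is None:
        return [DEFAULT_RUNAS_USER], []   # no runas list: same as (root)
    if users is None:
        return [MYSELF], groups           # group-only rule such as (:operator)
    return users, groups or []


def user_matches(users, invoking_user, runas_user):
    """True if runas_user is permitted by the rule's runas user list."""
    return any(u == ALL or u == runas_user or
               (u == MYSELF and runas_user == invoking_user) for u in users)


def runas_allowed(rule, invoking_user, runas_user, runas_group=None):
    """rule is (users, groups); None means that part is absent from sudoers."""
    users, groups = normalize(*rule)
    # The runas user must match first; the group branch offers no shortcut.
    if not user_matches(users, invoking_user, runas_user):
        return False
    if runas_group is None:
        return True
    if groups:
        return ALL in groups or runas_group in groups
    # No group list: only a group the target user belongs to is acceptable.
    return runas_user in GROUPS.get(runas_group, set())


if __name__ == "__main__":
    cases = [
        ("somebody host = ALL", (None, None), "somebody", "root", "operator"),
        ("somebody host = (root:ALL) ALL", (["root"], [ALL]), "somebody", "root", "operator"),
        ("myuser ALL = (root) ALL", (["root"], None), "myuser", "myuser", "mygroup"),
    ]
    for text, rule, who, user, group in cases:
        verdict = "allowed" if runas_allowed(rule, who, user, group) else "denied"
        print(f"{text!r}: sudo -u {user} -g {group} -> {verdict}")
```
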