The fix for matching when no sudoRunAsUser is present in a sudoRole

was incomplete.  If no -g option was specified on the command line
but sudoRunAsGroup is present in a sudoRole, we need to treat the
group match as failed instead of missing.

diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c
index 83202e288ede4f61fb69b5371896609af925c305..46309cba79a316665bd4020dad5571d1e3add425 100644 (file)
--- a/plugins/sudoers/ldap.c
+++ b/plugins/sudoers/ldap.c
@@ -781,7 +781,7 @@ sudo_ldap_check_host(LDAP *ld, LDAPMessage *entry, struct passwd *pw)
 }
 
 static int
-sudo_ldap_check_runas_user(LDAP *ld, LDAPMessage *entry, int group_matched)
+sudo_ldap_check_runas_user(LDAP *ld, LDAPMessage *entry, int *group_matched)
 {
     struct berval **bv, **p;
     char *val;
@@ -793,9 +793,18 @@ sudo_ldap_check_runas_user(LDAP *ld, LDAPMessage *entry, int group_matched)
     if (bv == NULL)
        bv = ldap_get_values_len(ld, entry, "sudoRunAs"); /* old style */
     if (bv == NULL) {
+       DPRINTF2("sudoRunAsUser: no result.");
+       if (*group_matched == UNSPEC) {
+           /* We haven't check for sudoRunAsGroup yet, check now. */
+           bv = ldap_get_values_len(ld, entry, "sudoRunAsGroup");
+           if (bv != NULL) {
+               *group_matched = false;
+               ldap_value_free_len(bv);
+           }
+       }
        if (!ISSET(sudo_user.flags, RUNAS_USER_SPECIFIED))
            debug_return_int(UNSPEC);
-       switch (group_matched) {
+       switch (*group_matched) {
        case UNSPEC:
            /*
             * No runas user or group entries.  Match runas_default
@@ -875,6 +884,7 @@ sudo_ldap_check_runas_group(LDAP *ld, LDAPMessage *entry)
     /* get the values from the entry */
     bv = ldap_get_values_len(ld, entry, "sudoRunAsGroup");
     if (bv == NULL) {
+       DPRINTF2("sudoRunAsGroup: no result.");
        if (!ISSET(sudo_user.flags, RUNAS_USER_SPECIFIED)) {
            if (runas_pw->pw_gid == runas_gr->gr_gid)
                ret = true;     /* runas group matches passwd db */
@@ -912,7 +922,7 @@ sudo_ldap_check_runas(LDAP *ld, LDAPMessage *entry)
 
     if (ISSET(sudo_user.flags, RUNAS_GROUP_SPECIFIED))
        group_matched = sudo_ldap_check_runas_group(ld, entry);
-    user_matched = sudo_ldap_check_runas_user(ld, entry, group_matched);
+    user_matched = sudo_ldap_check_runas_user(ld, entry, &group_matched);
 
     debug_return_bool(group_matched != false && user_matched != false); 
 }

diff --git a/plugins/sudoers/sssd.c b/plugins/sudoers/sssd.c
index 1c174bfacd2f9e676ec824dda2118fc2f07a8220..65b4d87598622d8c15ad3b142428372a7d5290f8 100644 (file)
--- a/plugins/sudoers/sssd.c
+++ b/plugins/sudoers/sssd.c
@@ -583,7 +583,7 @@ sudo_sss_checkpw(struct sudo_nss *nss, struct passwd *pw)
 }
 
 static int
-sudo_sss_check_runas_user(struct sudo_sss_handle *handle, struct sss_sudo_rule *sss_rule, int group_matched)
+sudo_sss_check_runas_user(struct sudo_sss_handle *handle, struct sss_sudo_rule *sss_rule, int *group_matched)
 {
     const char *host = handle->ipa_host ? handle->ipa_host : user_runhost;
     const char *shost = handle->ipa_shost ? handle->ipa_shost : user_srunhost;
@@ -603,9 +603,17 @@ sudo_sss_check_runas_user(struct sudo_sss_handle *handle, struct sss_sudo_rule *
        break;
     case ENOENT:
        sudo_debug_printf(SUDO_DEBUG_INFO, "sudoRunAsUser: no result.");
+        if (*group_matched == UNSPEC) {
+            /* We haven't check for sudoRunAsGroup yet, check now. */
+           i = handle->fn_get_values(sss_rule, "sudoRunAsGroup", &val_array);
+            if (i == 0) {
+                *group_matched = false;
+               handle->fn_free_values(val_array);
+            }
+        }
        if (!ISSET(sudo_user.flags, RUNAS_USER_SPECIFIED))
            debug_return_int(UNSPEC);
-       switch (group_matched) {
+       switch (*group_matched) {
        case UNSPEC:
            /*
             * No runas user or group entries.  Match runas_default
@@ -755,7 +763,7 @@ sudo_sss_check_runas(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
 
     if (ISSET(sudo_user.flags, RUNAS_GROUP_SPECIFIED))
        group_matched = sudo_sss_check_runas_group(handle, rule);
-    user_matched = sudo_sss_check_runas_user(handle, rule, group_matched);
+    user_matched = sudo_sss_check_runas_user(handle, rule, &group_matched);
 
     debug_return_bool(group_matched != false && user_matched != false);
 }