netgr_matches needs to check shost as well as host since they may be different.

diff --git a/parse.c b/parse.c
index b8da3d6177bfc9b01df3173fdb062ab5998867fb..9080da0b3e00d6d519eaad4ce30cea22d593f2c6 100644 (file)
--- a/parse.c
+++ b/parse.c
@@ -426,13 +426,14 @@ usergr_matches(group, user)
 
 /*
  * Returns TRUE if "host" and "user" belong to the netgroup "netgr",
- * else return FALSE.  Either of "host" or "user" may be NULL
+ * else return FALSE.  Either of "host", "shost" or "user" may be NULL
  * in which case that argument is not checked...
  */
 int
-netgr_matches(netgr, host, user)
+netgr_matches(netgr, host, shost, user)
     char *netgr;
     char *host;
+    char *shost;
     char *user;
 {
 #ifdef HAVE_GETDOMAINNAME
@@ -457,10 +458,13 @@ netgr_matches(netgr, host, user)
 #endif /* HAVE_GETDOMAINNAME */
 
 #ifdef HAVE_INNETGR
-    return(innetgr(netgr, host, user, domain));
-#else
-    return(FALSE);
+    if (innetgr(netgr, host, user, domain))
+       return(TRUE);
+    else if (host != shost && innetgr(netgr, shost, user, domain))
+       return(TRUE);
 #endif /* HAVE_INNETGR */
+
+    return(FALSE);
 }
 
 /*

diff --git a/parse.h b/parse.h
index 16ad97a07751be217fd12fd2c201d25a4cbff19a..e8a58b8362f66abd6cdd308748d1b3682f701940 100644 (file)
--- a/parse.h
+++ b/parse.h
@@ -109,7 +109,7 @@ extern int top;
  */
 int addr_matches       __P((char *));
 int command_matches    __P((char *, char *, char *, char *));
-int netgr_matches      __P((char *, char *, char *));
+int netgr_matches      __P((char *, char *, char *, char *));
 int usergr_matches     __P((char *, char *));
 
 #endif /* _SUDO_PARSE_H */

diff --git a/parse.yacc b/parse.yacc
index 9c365b671f87b32e372fd254f64186b55c8ec6a7..bff3424ce26a1b7f811a969e409438f543da2f79 100644 (file)
--- a/parse.yacc
+++ b/parse.yacc
@@ -354,7 +354,7 @@ host                :       ALL {
                            free($1);
                        }
                |       NETGROUP {
-                           if (netgr_matches($1, user_host, NULL))
+                           if (netgr_matches($1, user_host, user_shost, NULL))
                                $$ = TRUE;
                            else
                                $$ = -1;
@@ -535,7 +535,7 @@ runasuser   :       WORD {
                                    user_matches == TRUE)
                                    append_runas($1, ", ");
                            }
-                           if (netgr_matches($1, NULL, *user_runas))
+                           if (netgr_matches($1, NULL, NULL, *user_runas))
                                $$ = TRUE;
                            else
                                $$ = -1;
@@ -789,7 +789,7 @@ user                :       WORD {
                            free($1);
                        }
                |       NETGROUP {
-                           if (netgr_matches($1, NULL, user_name))
+                           if (netgr_matches($1, NULL, NULL, user_name))
                                $$ = TRUE;
                            else
                                $$ = -1;

diff --git a/sudo.tab.c b/sudo.tab.c
index f272763935c52147f96a9e5cd34e5e2db80bda16..266b475e6a495d5839824b75bc6313101ae208b0 100644 (file)
--- a/sudo.tab.c
+++ b/sudo.tab.c
@@ -1256,7 +1256,7 @@ break;
 case 30:
 #line 356 "parse.yacc"
 {
-                           if (netgr_matches(yyvsp[0].string, user_host, NULL))
+                           if (netgr_matches(yyvsp[0].string, user_host, user_shost, NULL))
                                yyval.BOOLEAN = TRUE;
                            else
                                yyval.BOOLEAN = -1;
@@ -1475,7 +1475,7 @@ case 49:
                                    user_matches == TRUE)
                                    append_runas(yyvsp[0].string, ", ");
                            }
-                           if (netgr_matches(yyvsp[0].string, NULL, *user_runas))
+                           if (netgr_matches(yyvsp[0].string, NULL, NULL, *user_runas))
                                yyval.BOOLEAN = TRUE;
                            else
                                yyval.BOOLEAN = -1;
@@ -1757,7 +1757,7 @@ break;
 case 84:
 #line 791 "parse.yacc"
 {
-                           if (netgr_matches(yyvsp[0].string, NULL, user_name))
+                           if (netgr_matches(yyvsp[0].string, NULL, NULL, user_name))
                                yyval.BOOLEAN = TRUE;
                            else
                                yyval.BOOLEAN = -1;

diff --git a/testsudoers.c b/testsudoers.c
index c98fdb494934f3a234a82759fad564bc692c1137..381a6b0d1fe2829b3fad02a0a25b2d428a85c3a8 100644 (file)
--- a/testsudoers.c
+++ b/testsudoers.c
@@ -240,9 +240,10 @@ usergr_matches(group, user)
 }
 
 int
-netgr_matches(netgr, host, user)
+netgr_matches(netgr, host, shost, user)
     char *netgr;
     char *host;
+    char *shost;
     char *user;
 {
 #ifdef HAVE_GETDOMAINNAME
@@ -268,10 +269,13 @@ netgr_matches(netgr, host, user)
 #endif /* HAVE_GETDOMAINNAME */
 
 #ifdef HAVE_INNETGR
-    return(innetgr(netgr, host, user, domain));
-#else
-    return(FALSE);
+    if (innetgr(netgr, host, user, domain))
+       return(TRUE);
+    else if (host != shost && innetgr(netgr, shost, user, domain))
+       return(TRUE);
 #endif /* HAVE_INNETGR */
+
+    return(FALSE);
 }
 
 void

diff --git a/visudo.c b/visudo.c
index 8d51b7c15e18c804d5005e1ab4dae6f2610425d7..e6092d674be31385ba73e4bcadb803b75ae7bc69 100644 (file)
--- a/visudo.c
+++ b/visudo.c
@@ -93,7 +93,7 @@ static RETSIGTYPE Exit                __P((int));
 static void setup_signals      __P((void));
 int command_matches            __P((char *, char *, char *, char *));
 int addr_matches               __P((char *));
-int netgr_matches              __P((char *, char *, char *));
+int netgr_matches              __P((char *, char *, char *, char *));
 int usergr_matches             __P((char *, char *));
 void init_parser               __P((void));
 void yyrestart                 __P((FILE *));
@@ -401,8 +401,8 @@ usergr_matches(g, u)
 }
 
 int
-netgr_matches(n, h, u)
-    char *n, *h, *u;
+netgr_matches(n, h, sh, u)
+    char *n, *h, *sh, *u;
 {
     return(TRUE);
 }