When matching against runas_default use userpw_matches() instead

of just strcasecmp().

diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c
index d712b6b4069d19b40134c32d0b9105f659f26547..3ef461976e0b4faa08b849d57ae22c0d075ea4a7 100644 (file)
--- a/plugins/sudoers/ldap.c
+++ b/plugins/sudoers/ldap.c
@@ -870,8 +870,10 @@ sudo_ldap_check_runas(LDAP *ld, LDAPMessage *entry)
      * If there are no runas entries, match runas_default against
      * what the user specified on the command line.
      */
-    if (user_matched == UNSPEC && group_matched == UNSPEC)
-       debug_return_int(!strcasecmp(runas_pw->pw_name, def_runas_default));
+    if (user_matched == UNSPEC && group_matched == UNSPEC) {
+       debug_return_int(userpw_matches(def_runas_default, runas_pw->pw_name,
+           runas_pw));
+    }
 
     debug_return_bool(group_matched != false && user_matched != false); 
 }

diff --git a/plugins/sudoers/sssd.c b/plugins/sudoers/sssd.c
index 6aa38fc9e8bb78ea1a505f9673ea43ae6b11fbd7..8f341d9edba310e10766208350fed7dbf05181bc 100644 (file)
--- a/plugins/sudoers/sssd.c
+++ b/plugins/sudoers/sssd.c
@@ -716,7 +716,8 @@ sudo_sss_check_runas(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
      */
     if (user_matched == UNSPEC && group_matched == UNSPEC) {
        sudo_debug_printf(SUDO_DEBUG_INFO, "Matching against runas_default");
-       debug_return_int(!strcasecmp(runas_pw->pw_name, def_runas_default));
+       debug_return_int(userpw_matches(def_runas_default, runas_pw->pw_name,
+           runas_pw));
     }
 
     debug_return_bool(group_matched != false && user_matched != false);