Fix another parser bug. For a sudoers entry like this:
authorTodd C. Miller <Todd.Miller@courtesan.com>
Tue, 30 Mar 1999 17:17:54 +0000 (17:17 +0000)
committerTodd C. Miller <Todd.Miller@courtesan.com>
Tue, 30 Mar 1999 17:17:54 +0000 (17:17 +0000)
    millert ALL=/bin/ls,(daemon) !/bin/ls
sudo would not allow millert to run ls as root.

parse.c
parse.yacc
sudo.tab.c

diff --git a/parse.c b/parse.c
index fd3fba71277c218e33abc38da65e2b5ac341b7bf..ace3f1d8d95b63f274d82c88600c7063eb36e49e 100644 (file)
--- a/parse.c
+++ b/parse.c
@@ -166,8 +166,8 @@ int validate(check_cmnd)
     else
        while (top) {
            if (host_matches == TRUE) {
-               if (cmnd_matches == TRUE) {
-                  if (runas_matches == TRUE) {
+               if (runas_matches == TRUE) {
+                   if (cmnd_matches == TRUE) {
                        /*
                         * User was granted access to cmnd on host.
                         * If no passwd required return as such.
@@ -176,10 +176,10 @@ int validate(check_cmnd)
                            return(VALIDATE_OK_NOPASS);
                        else
                            return(VALIDATE_OK);
+                   } else if (cmnd_matches == FALSE) {
+                       /* User was explicitly denied acces to cmnd on host. */
+                       return(VALIDATE_NOT_OK);
                    }
-               } else if (cmnd_matches == FALSE) {
-                   /* User was explicitly denied acces to cmnd on host. */
-                   return(VALIDATE_NOT_OK);
                }
            }
            top--;
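Review bot: The moved deny branch `else if (cmnd_matches == FALSE)` now fires only when `runas_matches == TRUE` on the same stack entry, but neither comment says so, and the grant comment above it still reads "granted access to cmnd on host". Since this is the authorization decision point, I would spell the rule out, e.g. `/* User was explicitly denied access to cmnd on host as this runas user. */`, which also fixes the "acces" typo. A second short comment could note that any other value of cmnd_matches falls through to `top--`, so an earlier entry can still decide. The test against FALSE presumably relies on cmnd_matches being tri-state (TRUE, FALSE, unset); that is defined outside this hunk and worth confirming, as validate() begins and ends outside it.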
index e38e29d034fde7308193d18804d22e5fdcd308e3..caa0c633d8a7c12083bb3b68307078275d7ce8b1 100644 (file)
@@ -278,11 +278,11 @@ cmndspec  :       {   /* Push a new entry onto the stack if needed */
                                no_passwd = -1;
                            }
                        } runasspec nopasswd opcmnd {
-                           if ($2 > 0 && $4 == TRUE) {
+                           if ($2 > 0)
                                runas_matches = TRUE;
-                               if ($3 == TRUE)
-                                   no_passwd = TRUE;
-                           } else if (printmatches == TRUE) {
+                           if ($3 == TRUE)
+                               no_passwd = TRUE;
+                           if (($2 == -1 || $4 == -1) && printmatches == TRUE) {
                                cm_list[cm_list_len].runas_len = 0;
                                cm_list[cm_list_len].cmnd_len = 0;
                                cm_list[cm_list_len].nopasswd = FALSE;
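Review bot: `if ($3 == TRUE) no_passwd = TRUE;` now sets the NOPASSWD flag whenever the tag is present, whereas the removed lines set it only inside `$2 > 0 && $4 == TRUE`. The visible context resets `no_passwd = -1` only in the branch that pushes a new stack entry, and the push condition is outside this hunk. If an entry can be reused across command specs, a NOPASSWD tag on a spec whose runas list did not match could persist into a later match on that entry. If that is not intended, keep the flag tied to the runas match with `if ($2 > 0 && $3 == TRUE)`, or add a comment stating that validate() reads no_passwd only after runas and command both matched on that entry. The bare `-1` in `($2 == -1 || $4 == -1)` would also read better as a named "no match" constant next to TRUE/FALSE.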
index 17532c91eb6b7a3436b63deaef0eea41e3e438f3..657a6b6d5821fa283b83ee07d0f5b644da05e60c 100644 (file)
@@ -1134,11 +1134,11 @@ break;
 case 23:
 #line 280 "parse.yacc"
 {
-                           if (yyvsp[-2].BOOLEAN > 0 && yyvsp[0].BOOLEAN == TRUE) {
+                           if (yyvsp[-2].BOOLEAN > 0)
                                runas_matches = TRUE;
-                               if (yyvsp[-1].BOOLEAN == TRUE)
-                                   no_passwd = TRUE;
-                           } else if (printmatches == TRUE) {
+                           if (yyvsp[-1].BOOLEAN == TRUE)
+                               no_passwd = TRUE;
+                           if ((yyvsp[-2].BOOLEAN == -1 || yyvsp[0].BOOLEAN == -1) && printmatches == TRUE) {
                                cm_list[cm_list_len].runas_len = 0;
                                cm_list[cm_list_len].cmnd_len = 0;
                                cm_list[cm_list_len].nopasswd = FALSE;