the sudoers files works.
A user name or uid (prefixed with `#') that commands may be run as
or a Unix group (prefixed with a `%') or user netgroup (prefixed
with a `+') that contains a list of users that commands may be run
- as. The special value ALL will match any user.
+ as. The special value ALL will match any user. If sudoRunAsUser
+ is specified but empty, it will match the invoking user. If
+ neither sudoRunAsUser nor sudoRunAsGroup are present, the value of
+ the runas_default sudoOption is used (defaults to root ).
The sudoRunAsUser attribute is only available in s\bsu\bud\bdo\bo versions
1.7.0 and higher. Older versions of s\bsu\bud\bdo\bo use the sudoRunAs
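Review bot: "If neither sudoRunAsUser nor sudoRunAsGroup are present" wants a singular verb, "is present", since neither/nor takes the number of the nearer subject; the same sentence appears in the man and mdoc hunks of this patch, and because this file is generated output the wording fix belongs in the mdoc source. The rendered "(defaults to root )" also has a stray space before the closing parenthesis, which likewise traces back to the mdoc markup rather than to this file.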
file distributed with s\bsu\bud\bdo\bo or https://www.sudo.ws/license.html for
complete details.
-Sudo 1.8.22 January 17, 2017 Sudo 1.8.22
+Sudo 1.8.22 December 12, 2017 Sudo 1.8.22
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.TH "SUDOERS.LDAP" "5" "January 17, 2017" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDOERS.LDAP" "5" "December 12, 2017" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh
.if n .ad l
.SH "NAME"
The special value
\fRALL\fR
will match any user.
+If
+\fRsudoRunAsUser\fR
+is specified but empty, it will match the invoking user.
+If neither
+\fRsudoRunAsUser\fR
+nor
+\fRsudoRunAsGroup\fR
+are present, the value of the
+runas_default
+\fRsudoOption\fR
+is used (defaults to
+\fR@runas_default@ ).\fR
.sp
The
\fRsudoRunAsUser\fR
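Review bot: `\fR@runas_default@ ).\fR` puts the closing `).` inside the literal span with a space before it, so the page renders "root )." instead of "root)."; this file is generated from the mdoc source, where the closing delimiters need to be separate arguments, so fix it there and regenerate rather than hand-editing here. Note also that `runas_default` two lines earlier carries no font escape, unlike the other option and attribute names in this hunk, which suggests the converter did not recognize the macro used for it in the mdoc source.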
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd January 17, 2017
+.Dd December 12, 2017
.Dt SUDOERS.LDAP @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Sh NAME
The special value
.Li ALL
will match any user.
+If
+.Li sudoRunAsUser
+is specified but empty, it will match the invoking user.
+If neither
+.Li sudoRunAsUser
+nor
+.Li sudoRunAsGroup
+are present, the value of the
+.En runas_default
+.Li sudoOption
+is used (defaults to
+.Li @runas_default@ ).
.Pp
The
.Li sudoRunAsUser
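Review bot: `.En runas_default` looks like a typo for `.Em runas_default`; `.En` is an obsolete "enclose" macro, not emphasis, and the converted man page in this same patch shows the word as plain `runas_default` with no font change, consistent with the converter not recognizing it. Separately, `.Li @runas_default@ ).` passes `).` as a single argument, which mdoc does not treat as a closing delimiter (delimiters are single characters), so the output reads "root )." with a space; write it as `.Li @runas_default@ ) .` so both delimiters are recognized and closed up against the word.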
if (usergr_matches(val, runas_pw->pw_name, runas_pw))
ret = true;
break;
+ case '\0':
+ /* Empty RunAsUser means run as the invoking user. */
+ if (ISSET(sudo_user.flags, RUNAS_USER_SPECIFIED) &&
+ strcmp(user_name, runas_pw->pw_name) == 0)
+ ret = true;
+ break;
case 'A':
if (strcmp(val, "ALL") == 0) {
ret = true;
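Review bot: the `ISSET(sudo_user.flags, RUNAS_USER_SPECIFIED)` guard means an empty sudoRunAsUser only matches when the invoking user explicitly requested themselves with -u; if runas_default is set to the invoking user's name and no -u is given, runas_pw->pw_name equals user_name but the flag is clear, so the rule does not match. The documentation added in this patch says only "it will match the invoking user"; either state the -u requirement there or extend the comment here to say why the flag check is required, so the docs and the code do not appear to disagree.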
bv = ldap_get_values_len(ld, entry, "sudoRunAs");
if (bv != NULL) {
for (p = bv; *p != NULL; p++) {
- sudo_lbuf_append(lbuf, "%s%s", p != bv ? ", " : "", (*p)->bv_val);
+ sudo_lbuf_append(lbuf, "%s%s", p != bv ? ", " : "",
+ (*p)->bv_val[0] ? (*p)->bv_val : user_name);
}
ldap_value_free_len(bv);
no_runas_user = false;
ret = true;
}
break;
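Review bot: a one-line comment above the append, along the lines of the `/* Empty RunAsUser means run as the invoking user. */` used in the match code, would make the `(*p)->bv_val[0] ? (*p)->bv_val : user_name` substitution self-explanatory for the next reader. The substitution is otherwise consistent with the matching logic, since the name listed is the same user_name the match compares against.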
+ case '\0':
+ /* Empty RunAsUser means run as the invoking user. */
+ if (ISSET(sudo_user.flags, RUNAS_USER_SPECIFIED) &&
+ strcmp(user_name, runas_pw->pw_name) == 0)
+ ret = true;
+ break;
case 'A':
if (strcmp(val, "ALL") == 0) {
sudo_debug_printf(SUDO_DEBUG_DEBUG, "ALL => match");
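Review bot: this `case '\0':` block is identical to the one added in ldap.c earlier in this patch (same flag test, same strcmp, same comment); consider moving the empty-RunAsUser test into a helper shared by both backends so the LDAP and SSSD semantics cannot drift apart, and so a future change (for example to the RUNAS_USER_SPECIFIED requirement) lands in one place.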
switch (handle->fn_get_values(rule, "sudoCommand", &val_array)) {
case 0:
for (i = 0; val_array[i] != NULL; ++i) {
- sudo_lbuf_append(lbuf, "%s%s", i != 0 ? ", " : "", val_array[i]);
+ sudo_lbuf_append(lbuf, "%s%s", i != 0 ? ", " : "",
+ val_array[i][0] ? val_array[i] : user_name);
count++;
}
handle->fn_free_values(val_array);
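Review bot: the substituted line sits in the loop over the values returned by `handle->fn_get_values(rule, "sudoCommand", &val_array)` three lines above, so an empty sudoCommand value would be listed as the invoking user's name, which is not what the patch intends; the corresponding ldap.c change is in the RunAs display loop. Unless the context shown here is misleading, this belongs in the loop over sudoRunAsUser values, and the sudoCommand loop should keep `val_array[i]` unchanged.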