Only set early defaults once, regardless of how many times the

variable is set in sudoers.  This avoids running an early callback
more than once.  For example, we don't want to call cb_fqdn() if
sudo is compiled with FQDN set but sudoers has "Defaults !fqdn".

diff --git a/plugins/sudoers/defaults.c b/plugins/sudoers/defaults.c
index 499d4579266a84cfd63eb6647d7fc01bdeca0b69..054687dc664a09e4d9791f1439bf03ab4224b915 100644 (file)
--- a/plugins/sudoers/defaults.c
+++ b/plugins/sudoers/defaults.c
@@ -79,11 +79,21 @@ static struct strmap priorities[] = {
 /*
  * Defaults values to apply before others.
  */
-static const char *early_defaults[] = {
-    "fqdn",
-    "runas_default",
-    "sudoers_locale",
-    NULL
+struct early_default {
+    const char *var;
+    const char *val;
+    int op;
+};
+
+static struct early_default early_defaults[] = {
+#ifdef FQDN
+    { "fqdn", "true", true },
+#else
+    { "fqdn" },
+#endif
+    { "runas_default" },
+    { "sudoers_locale" },
+    { NULL }
 };
 
 /*
@@ -413,9 +423,6 @@ init_defaults(void)
 #ifndef DONT_LEAK_PATH_INFO
     def_path_info = true;
 #endif
-#ifdef FQDN
-    def_fqdn = true;
-#endif
 #ifdef USE_INSULTS
     def_insults = true;
 #endif
@@ -538,57 +545,72 @@ oom:
 bool
 update_defaults(int what)
 {
+    struct early_default *early;
     struct defaults *def;
     bool rc = true;
-    int pass;
     debug_decl(update_defaults, SUDOERS_DEBUG_DEFAULTS)
 
     /*
-     * Run through the Defaulsts list twice.
-     * First, set early defaults, then set the rest.
+     * First set Defaults values marked as early.
+     * We only set early Defaults once (the last instance).
      */
-    for (pass = 0; pass < 2; pass++) {
-       TAILQ_FOREACH(def, &defaults, entries) {
-           const char **early;
-
-           /* Only do early defaults in pass 0, skip them in pass 1. */
-           for (early = early_defaults; *early != NULL; early++) {
-               if (strcmp(def->var, *early) == 0)
-                   break;
-           }
-           if (!!*early == pass)
-               continue;
-
-           switch (def->type) {
-           case DEFAULTS:
-               if (!ISSET(what, SETDEF_GENERIC))
-                   continue;
-               break;
-           case DEFAULTS_USER:
-               if (!ISSET(what, SETDEF_USER) ||
-                   userlist_matches(sudo_user.pw, def->binding) != ALLOW)
-                   continue;
-               break;
-           case DEFAULTS_RUNAS:
-               if (!ISSET(what, SETDEF_RUNAS) ||
-                   runaslist_matches(def->binding, NULL, NULL, NULL) != ALLOW)
-                   continue;
-               break;
-           case DEFAULTS_HOST:
-               if (!ISSET(what, SETDEF_HOST) ||
-                   hostlist_matches(sudo_user.pw, def->binding) != ALLOW)
-                   continue;
-               break;
-           case DEFAULTS_CMND:
-               if (!ISSET(what, SETDEF_CMND) ||
-                   cmndlist_matches(def->binding) != ALLOW)
-                   continue;
+    TAILQ_FOREACH(def, &defaults, entries) {
+       for (early = early_defaults; early->var != NULL; early++) {
+           if (strcmp(def->var, early->var) == 0) {
+               early->val = def->val;
+               early->op = def->op;
                break;
            }
-           if (!set_default(def->var, def->val, def->op))
+       }
+    }
+    for (early = early_defaults; early->var != NULL; early++) {
+       if (early->val != NULL) {
+           if (!set_default(early->var, early->val, early->op))
                rc = false;
        }
     }
+
+    /*
+     * Then set the rest of the defaults.
+     */
+    TAILQ_FOREACH(def, &defaults, entries) {
+       /* Skip Defaults marked as early, we already did them. */
+       for (early = early_defaults; early->var != NULL; early++) {
+           if (strcmp(def->var, early->var) == 0)
+               break;
+       }
+       if (early->val != NULL)
+           continue;
+
+       switch (def->type) {
+       case DEFAULTS:
+           if (!ISSET(what, SETDEF_GENERIC))
+               continue;
+           break;
+       case DEFAULTS_USER:
+           if (!ISSET(what, SETDEF_USER) ||
+               userlist_matches(sudo_user.pw, def->binding) != ALLOW)
+               continue;
+           break;
+       case DEFAULTS_RUNAS:
+           if (!ISSET(what, SETDEF_RUNAS) ||
+               runaslist_matches(def->binding, NULL, NULL, NULL) != ALLOW)
+               continue;
+           break;
+       case DEFAULTS_HOST:
+           if (!ISSET(what, SETDEF_HOST) ||
+               hostlist_matches(sudo_user.pw, def->binding) != ALLOW)
+               continue;
+           break;
+       case DEFAULTS_CMND:
+           if (!ISSET(what, SETDEF_CMND) ||
+               cmndlist_matches(def->binding) != ALLOW)
+               continue;
+           break;
+       }
+       if (!set_default(def->var, def->val, def->op))
+           rc = false;
+    }
     debug_return_bool(rc);
 }
 

diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c
index 216eeafb75eb0b755d4fcf1223beefd2284fb40c..d71401b0cea6d46afbede2f08ae9f6e02e108c61 100644 (file)
--- a/plugins/sudoers/sudoers.c
+++ b/plugins/sudoers/sudoers.c
@@ -762,10 +762,6 @@ init_vars(char * const envp[])
        debug_return_bool(false);
     }
 
-    /* Set fully-qualified domain name if specified. */
-    if (def_fqdn)
-       cb_fqdn(NULL);
-
     debug_return_bool(true);
 }