]> granicus.if.org Git - sudo/commitdiff
projects / sudo / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 6f097eb)
When converting from LDAP to sudoers, put negated hosts and commands
authorTodd C. Miller <Todd.Miller@sudo.ws>
Sun, 25 Feb 2018 13:30:32 +0000 (06:30 -0700)
committerTodd C. Miller <Todd.Miller@sudo.ws>
Sun, 25 Feb 2018 13:30:32 +0000 (06:30 -0700)
at the end of the list.  Since LDAP doesn't guarantee attribute order
we need to make sure negated entries always override non-negated ones.

plugins/sudoers/ldap_common.c patch | blob | history

diff --git a/plugins/sudoers/ldap_common.c b/plugins/sudoers/ldap_common.c
index 9ecc847aca9a4d7e79ecfc11d6a941e7125a6e60..770de969afb479778f126368f38349bdc3bdb3d2 100644 (file)
--- a/plugins/sudoers/ldap_common.c
+++ b/plugins/sudoers/ldap_common.c
@@ -281,7 +281,11 @@ sudo_ldap_role_to_priv(const char *cn, void *hosts, void *runasusers,
        while ((host = iter(&hosts)) != NULL) {
            if ((m = host_to_member(host)) == NULL)
                goto oom;
-           TAILQ_INSERT_TAIL(&priv->hostlist, m, entries);
+           /* Negated hosts have precedence so insert them at the end. */
+           if (m->negated)
+               TAILQ_INSERT_TAIL(&priv->hostlist, m, entries);
+           else
+               TAILQ_INSERT_HEAD(&priv->hostlist, m, entries);
        }
     }
 
@@ -291,6 +295,7 @@ sudo_ldap_role_to_priv(const char *cn, void *hosts, void *runasusers,
     while ((cmnd = iter(&cmnds)) != NULL) {
        char *args;
        struct sudo_digest digest;
+       bool negated = sudo_ldap_is_negated(&cmnd);
 
        /* Allocate storage upfront. */
        cmndspec = calloc(1, sizeof(*cmndspec));
@@ -302,7 +307,12 @@ sudo_ldap_role_to_priv(const char *cn, void *hosts, void *runasusers,
            free(m);
            goto oom;
        }
-       TAILQ_INSERT_TAIL(&priv->cmndlist, cmndspec, entries);
+
+       /* Negated commands have precedence so insert them at the end. */
+       if (negated)
+           TAILQ_INSERT_TAIL(&priv->cmndlist, cmndspec, entries);
+       else
+           TAILQ_INSERT_HEAD(&priv->cmndlist, cmndspec, entries);
 
        /* Initialize cmndspec */
        TAGS_INIT(cmndspec->tags);
@@ -312,7 +322,7 @@ sudo_ldap_role_to_priv(const char *cn, void *hosts, void *runasusers,
 
        /* Fill in member. */
        m->type = COMMAND;
-       m->negated = sudo_ldap_is_negated(&cmnd);
+       m->negated = negated;
        m->name = (char *)c;
 
        /* Fill in command with optional digest. */
Unnamed repository; edit this file 'description' to name the repository.