m->type = ALL;
TAILQ_INSERT_TAIL(&us->users, m, entries);
- /* Treat each sudoRole as a separate privilege. */
- for (i = 0; i < sss_result->num_rules; i++) {
+ /*
+ * Treat each sudoRole as a separate privilege.
+ *
+ * Sssd has already sorted the rules in descending order.
+ * The conversion to a sudoers parse tree requires that entries be
+ * in *ascending* order so we we iterate from last to first.
+ */
+ for (i = sss_result->num_rules; i-- > 0; ) {
struct sss_sudo_rule *rule = sss_result->rules + i;
char **cmnds, **runasusers = NULL, **runasgroups = NULL;
char **opts = NULL, **notbefore = NULL, **notafter = NULL;
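Review bot: The comment added above the reversed loop has a doubled word ("so we we iterate") and omits the two facts a maintainer needs to judge the ordering: which key sssd sorted on, and why the parse tree needs ascending order. sudoers evaluation is last-match-wins, so the iteration direction presumably decides which sudoRole takes effect when several match. I would state that in the comment, e.g. `* sudoers is last-match-wins, so the highest-priority sudoRole must be inserted last.`, and correct the wording to `so we iterate from last to first`. The descending sort is an assumption about sssd's output that nothing in the hunk verifies, so the comment should name the sssd behaviour it relies on. The `i-- > 0` form terminates correctly whether `i` is signed or unsigned, but its declaration and the rest of the loop body are outside the hunk.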