Don't check the username when matching a host netgroup unless

def_netgroup_tuple is enabled.

diff --git a/plugins/sudoers/match.c b/plugins/sudoers/match.c
index 3fb36f5e4e5c1202f2433697b0ff4901070cd3ba..769fe8519f94d585952bc4e7c0bd98c90393488c 100644 (file)
--- a/plugins/sudoers/match.c
+++ b/plugins/sudoers/match.c
@@ -279,7 +279,7 @@ hostlist_matches(const struct passwd *pw, const struct member_list *list)
                break;
            case NETGROUP:
                if (netgr_matches(m->name, user_runhost, user_srunhost,
-                   pw->pw_name))
+                   def_netgroup_tuple ? pw->pw_name : NULL))
                    matched = !m->negated;
                break;
            case NTWKADDR: