]> granicus.if.org Git - sudo/commitdiff
projects / sudo / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 24cdbb8)
Only inherit SELinux role/type and Solaris privilege sets if
authorTodd C. Miller <Todd.Miller@courtesan.com>
Tue, 14 Feb 2017 22:56:34 +0000 (15:56 -0700)
committerTodd C. Miller <Todd.Miller@courtesan.com>
Tue, 14 Feb 2017 22:56:34 +0000 (15:56 -0700)
the command does not include any.  Previously, a command with
only a role would inherit a type from the previous command
which is not what was intended.

plugins/sudoers/gram.c patch | blob | history
plugins/sudoers/gram.y patch | blob | history

diff --git a/plugins/sudoers/gram.c b/plugins/sudoers/gram.c
index c2f52360981d97ddf7497af5f2ced7fae3d003d6..ad9150e0bea98a938c9427ecfb03aede92e3f29d 100644 (file)
--- a/plugins/sudoers/gram.c
+++ b/plugins/sudoers/gram.c
@@ -1436,17 +1436,17 @@ case 35:
                            HLTQ_CONCAT(yyvsp[-2].cmndspec, yyvsp[0].cmndspec, entries);
 #ifdef HAVE_SELINUX
                            /* propagate role and type */
-                           if (yyvsp[0].cmndspec->role == NULL)
+                           if (yyvsp[0].cmndspec->role == NULL && yyvsp[0].cmndspec->type == NULL) {
                                yyvsp[0].cmndspec->role = prev->role;
-                           if (yyvsp[0].cmndspec->type == NULL)
                                yyvsp[0].cmndspec->type = prev->type;
+                           }
 #endif /* HAVE_SELINUX */
 #ifdef HAVE_PRIV_SET
                            /* propagate privs & limitprivs */
-                           if (yyvsp[0].cmndspec->privs == NULL)
+                           if (yyvsp[0].cmndspec->privs == NULL && yyvsp[0].cmndspec->limitprivs == NULL) {
                                yyvsp[0].cmndspec->privs = prev->privs;
-                           if (yyvsp[0].cmndspec->limitprivs == NULL)
                                yyvsp[0].cmndspec->limitprivs = prev->limitprivs;
+                           }
 #endif /* HAVE_PRIV_SET */
                            /* propagate command timeout */
                            if (yyvsp[0].cmndspec->timeout == UNSPEC)
diff --git a/plugins/sudoers/gram.y b/plugins/sudoers/gram.y
index 39fb51f649b5b00a690004bfcdb3913ac4b93612..04d68bf2c430bc7c7d2f176805db98c6f15b3269 100644 (file)
--- a/plugins/sudoers/gram.y
+++ b/plugins/sudoers/gram.y
@@ -343,17 +343,17 @@ cmndspeclist      :       cmndspec
                            HLTQ_CONCAT($1, $3, entries);
 #ifdef HAVE_SELINUX
                            /* propagate role and type */
-                           if ($3->role == NULL)
+                           if ($3->role == NULL && $3->type == NULL) {
                                $3->role = prev->role;
-                           if ($3->type == NULL)
                                $3->type = prev->type;
+                           }
 #endif /* HAVE_SELINUX */
 #ifdef HAVE_PRIV_SET
                            /* propagate privs & limitprivs */
-                           if ($3->privs == NULL)
+                           if ($3->privs == NULL && $3->limitprivs == NULL) {
                                $3->privs = prev->privs;
-                           if ($3->limitprivs == NULL)
                                $3->limitprivs = prev->limitprivs;
+                           }
 #endif /* HAVE_PRIV_SET */
                            /* propagate command timeout */
                            if ($3->timeout == UNSPEC)
Unnamed repository; edit this file 'description' to name the repository.