Instead of checking the domain name explicitly for "(none)", just

check for illegal characters.

diff --git a/NEWS b/NEWS
index 706527ef789f3d74f540366423704bc0e962a3c9..fa434aa00291d840572bc573a52170ad3290bf1e 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -81,6 +81,10 @@ What's new in Sudo 1.8.7?
 
  * Dutch translation for sudo and sudoers from translationproject.org.
 
+ * The sudoers plugin will now ignore invalid domain names when
+   checking netgroup membership.  Some Linux systems use the string
+   "(none)" for the NIS-style domain name instead of an empty string.
+
 What's new in Sudo 1.8.6p7?
 
  * A time stamp file with the date set to the epoch by "sudo -k"

diff --git a/plugins/sudoers/match.c b/plugins/sudoers/match.c
index e85b29c47070ec9fccdd94639bb46f6f6075b98f..2ace1548c85e50902e066240a517ae6995066192 100644 (file)
--- a/plugins/sudoers/match.c
+++ b/plugins/sudoers/match.c
@@ -764,6 +764,34 @@ done:
     debug_return_bool(matched);
 }
 
+#ifdef HAVE_INNETGR
+/*
+ * Get NIS-style domain name and return a malloc()ed copy or NULL if none.
+ */
+static char *
+sudo_getdomainname(void)
+{
+#ifdef HAVE_GETDOMAINNAME
+    char *buf, *cp, *domain = NULL;
+
+    buf = emalloc(HOST_NAME_MAX + 1);
+    if (getdomainname(buf, HOST_NAME_MAX + 1) == 0 && *buf != '\0') {
+       domain = buf;
+       for (cp = buf; *cp != '\0'; cp++) {
+           /* Check for illegal characters, Linux may use "(none)". */
+           if (*cp == '(' || *cp == ')' || *cp == ',' || *cp == ' ') {
+               domain = NULL;
+               break;
+           }
+       }
+    }
+    if (domain == NULL)
+       efree(buf);
+#endif /* HAVE_GETDOMAINNAME */
+    return domain;
+}
+#endif /* HAVE_INNETGR */
+
 /*
  * Returns true if "host" and "user" belong to the netgroup "netgr",
  * else return false.  Either of "host", "shost" or "user" may be NULL
@@ -774,30 +802,23 @@ done:
 bool
 netgr_matches(char *netgr, char *lhost, char *shost, char *user)
 {
+#ifdef HAVE_INNETGR
     static char *domain;
-#ifdef HAVE_GETDOMAINNAME
     static int initialized;
 #endif
     debug_decl(netgr_matches, SUDO_DEBUG_MATCH)
 
+#ifdef HAVE_INNETGR
     /* make sure we have a valid netgroup, sudo style */
     if (*netgr++ != '+')
        debug_return_bool(false);
 
-#ifdef HAVE_GETDOMAINNAME
     /* get the domain name (if any) */
     if (!initialized) {
-       domain = (char *) emalloc(HOST_NAME_MAX + 1);
-       if (getdomainname(domain, HOST_NAME_MAX + 1) == -1 || *domain == '\0' ||
-           strcmp(domain, "(none)") == 0) {
-           efree(domain);
-           domain = NULL;
-       }
+       domain = sudo_getdomainname();
        initialized = 1;
     }
-#endif /* HAVE_GETDOMAINNAME */
 
-#ifdef HAVE_INNETGR
     if (innetgr(netgr, lhost, user, domain))
        debug_return_bool(true);
     else if (lhost != shost && innetgr(netgr, shost, user, domain))