struct berval **bv, **p;
char *val;
bool ret = false;
+ bool foundbang = false;
debug_decl(sudo_ldap_check_host, SUDOERS_DEBUG_LDAP)
if (!entry)
debug_return_bool(ret);
/* walk through values */
- for (p = bv; *p != NULL && !ret; p++) {
+ for (p = bv; *p != NULL && !foundbang; p++) {
val = (*p)->bv_val;
+
+ if (*val == '!') {
+ val++;
+ foundbang = true;
+ }
+
/* match any or address or netgroup or hostname */
if (strcmp(val, "ALL") == 0 || addr_matches(val) ||
netgr_matches(val, user_runhost, user_srunhost,
def_netgroup_tuple ? pw->pw_name : NULL) ||
hostname_matches(user_srunhost, user_runhost, val))
- ret = true;
+ ret = !foundbang;
DPRINTF2("ldap sudoHost '%s' ... %s", val, ret ? "MATCH!" : "not");
}
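Review bot: `foundbang` is set as soon as a value begins with `!`, before the match test, and the loop condition `!foundbang` then ends the walk even when that negated value did not match this host. A later positive value such as `ALL` is never evaluated, so the outcome depends on the order in which the directory returns the sudoHost values, which LDAP does not guarantee; presumably only a matching negated value is meant to override. Track negation per value and stop only on a negated match: `bool negated = (*val == '!');`, `if (negated) val++;`, and in the match body `{ ret = !negated; foundbang = negated; }`. The DPRINTF2 line prints the accumulated `ret`, so it can log "MATCH!" for a value that did not match once an earlier one did. The function begins and ends outside the visible lines.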