From: Todd C. Miller Date: Fri, 1 Sep 2017 17:36:15 +0000 (-0600) Subject: The fix for matching when no sudoRunAsUser is present in a sudoRole X-Git-Tag: SUDO_1_8_21p1^2~2 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=06d52c97c22eeeaaf81a397612b4733e754ceff8;p=sudo The fix for matching when no sudoRunAsUser is present in a sudoRole was incomplete. If no -g option was specified on the command line but sudoRunAsGroup is present in a sudoRole, we need to treat the group match as failed instead of missing.
---
diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c
index 83202e288..46309cba7 100644
--- a/plugins/sudoers/ldap.c
+++ b/plugins/sudoers/ldap.c
@@ -781,7 +781,7 @@ sudo_ldap_check_host(LDAP *ld, LDAPMessage *entry, struct passwd *pw)
 }
 static int
-sudo_ldap_check_runas_user(LDAP *ld, LDAPMessage *entry, int group_matched)
+sudo_ldap_check_runas_user(LDAP *ld, LDAPMessage *entry, int *group_matched)
 {
 struct berval **bv, **p;
 char *val;
@@ -793,9 +793,18 @@ sudo_ldap_check_runas_user(LDAP *ld, LDAPMessage *entry, int group_matched)
 if (bv == NULL)
 bv = ldap_get_values_len(ld, entry, "sudoRunAs"); /* old style */
 if (bv == NULL) {
+DPRINTF2("sudoRunAsUser: no result.");
+if (*group_matched == UNSPEC) {
+/* We haven't check for sudoRunAsGroup yet, check now. */
+bv = ldap_get_values_len(ld, entry, "sudoRunAsGroup");
+if (bv != NULL) {
+*group_matched = false;
+ldap_value_free_len(bv);
+}
+}
 if (!ISSET(sudo_user.flags, RUNAS_USER_SPECIFIED))
 debug_return_int(UNSPEC);
-switch (group_matched) {
+switch (*group_matched) {
 case UNSPEC:
 /*
 * No runas user or group entries. Match runas_default
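Review bot: The sudoRunAsGroup probe in the -793 hunk reuses `bv`, the variable that holds the sudoRunAsUser result, and leaves it pointing at freed memory after `ldap_value_free_len(bv)`; a dedicated local for the probe, or a `bv = NULL;` right after the free, would keep a later reader from mistaking it for live values, even if every path out of this `if (bv == NULL)` block returns (the remainder of the block is outside the hunk). The new comment has a typo; it should read `/* We haven't checked for sudoRunAsGroup yet, check now. */`, and the same comment appears in the sssd.c hunk at -603. Note also that a NULL from `ldap_get_values_len` is taken to mean the attribute is absent; if the call can also return NULL on a lookup error, that case falls through to `case UNSPEC` and matches runas_default, so a one-line comment stating that assumption would help the next reviewer.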
@@ -875,6 +884,7 @@ sudo_ldap_check_runas_group(LDAP *ld, LDAPMessage *entry)
 /* get the values from the entry */
 bv = ldap_get_values_len(ld, entry, "sudoRunAsGroup");
 if (bv == NULL) {
+DPRINTF2("sudoRunAsGroup: no result.");
 if (!ISSET(sudo_user.flags, RUNAS_USER_SPECIFIED)) {
 if (runas_pw->pw_gid == runas_gr->gr_gid)
 ret = true; /* runas group matches passwd db */
@@ -912,7 +922,7 @@ sudo_ldap_check_runas(LDAP *ld, LDAPMessage *entry)
 if (ISSET(sudo_user.flags, RUNAS_GROUP_SPECIFIED))
 group_matched = sudo_ldap_check_runas_group(ld, entry);
-user_matched = sudo_ldap_check_runas_user(ld, entry, group_matched);
+user_matched = sudo_ldap_check_runas_user(ld, entry, &group_matched);
 debug_return_bool(group_matched != false && user_matched != false);
 }
diff --git a/plugins/sudoers/sssd.c b/plugins/sudoers/sssd.c
index 1c174bfac..65b4d8759 100644
--- a/plugins/sudoers/sssd.c
+++ b/plugins/sudoers/sssd.c
@@ -583,7 +583,7 @@ sudo_sss_checkpw(struct sudo_nss *nss, struct passwd *pw)
 }
 static int
-sudo_sss_check_runas_user(struct sudo_sss_handle *handle, struct sss_sudo_rule *sss_rule, int group_matched)
+sudo_sss_check_runas_user(struct sudo_sss_handle *handle, struct sss_sudo_rule *sss_rule, int *group_matched)
 {
 const char *host = handle->ipa_host ? handle->ipa_host : user_runhost;
 const char *shost = handle->ipa_shost ? handle->ipa_shost : user_srunhost;
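Review bot: In the -912 hunk `group_matched` becomes an in/out argument — `sudo_ldap_check_runas_user` can now lower it from UNSPEC to false when the role carries sudoRunAsGroup and no -g was given — and the `debug_return_bool` on the following line depends on that side effect, yet nothing at the call site says so. A one-line comment before the call, `/* may set group_matched to false if sudoRunAsGroup is present but no -g was given */`, would make the data flow visible. The sssd.c hunk at -755 has the same call shape and would benefit from the same comment.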
@@ -603,9 +603,17 @@ sudo_sss_check_runas_user(struct sudo_sss_handle *handle, struct sss_sudo_rule *
 break;
 case ENOENT:
 sudo_debug_printf(SUDO_DEBUG_INFO, "sudoRunAsUser: no result.");
+if (*group_matched == UNSPEC) {
+/* We haven't check for sudoRunAsGroup yet, check now. */
+i = handle->fn_get_values(sss_rule, "sudoRunAsGroup", &val_array);
+if (i == 0) {
+*group_matched = false;
+handle->fn_free_values(val_array);
+}
+}
 if (!ISSET(sudo_user.flags, RUNAS_USER_SPECIFIED))
 debug_return_int(UNSPEC);
-switch (group_matched) {
+switch (*group_matched) {
 case UNSPEC:
 /*
 * No runas user or group entries. Match runas_default
@@ -755,7 +763,7 @@ sudo_sss_check_runas(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
 if (ISSET(sudo_user.flags, RUNAS_GROUP_SPECIFIED))
 group_matched = sudo_sss_check_runas_group(handle, rule);
-user_matched = sudo_sss_check_runas_user(handle, rule, group_matched);
+user_matched = sudo_sss_check_runas_user(handle, rule, &group_matched);
 debug_return_bool(group_matched != false && user_matched != false);
 }
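Review bot: In the -603 hunk only a `0` return from `fn_get_values` marks the group match as failed; any other non-zero result leaves `*group_matched` at UNSPEC, and the visible `case UNSPEC` path then matches runas_default exactly as if the role had no sudoRunAsGroup at all. If `fn_get_values` can fail for reasons other than the attribute being absent, the fail-closed form is `if (i != ENOENT) *group_matched = false;` followed by `if (i == 0) handle->fn_free_values(val_array);`, so a backend error never widens the match. The probe also reuses `i` and `val_array`, and `val_array` is left dangling after `fn_free_values`; a dedicated local for the group values, or `val_array = NULL;` after the free, would guard against misuse if the paths out of this `case ENOENT:` block (outside the hunk) are ever reworked.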