From: Todd C. Miller
Date: Thu, 15 Sep 2016 19:36:43 +0000 (-0600)
Subject: When matching against runas_default use userpw_matches() instead
X-Git-Tag: SUDO_1_8_18^2~6
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=0ff95dfaaa4e1626a837e066e21ce865e9b8b98c;p=sudo
When matching against runas_default use userpw_matches() instead of just strcasecmp().
---
diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c
index d712b6b40..3ef461976 100644
--- a/plugins/sudoers/ldap.c
+++ b/plugins/sudoers/ldap.c
@@ -870,8 +870,10 @@ sudo_ldap_check_runas(LDAP *ld, LDAPMessage *entry)
 * If there are no runas entries, match runas_default against
 * what the user specified on the command line.
 */
- if (user_matched == UNSPEC && group_matched == UNSPEC)
- debug_return_int(!strcasecmp(runas_pw->pw_name, def_runas_default));
+ if (user_matched == UNSPEC && group_matched == UNSPEC) {
+ debug_return_int(userpw_matches(def_runas_default, runas_pw->pw_name,
+ runas_pw));
+ }
 
 debug_return_bool(group_matched != false && user_matched != false);
 }
diff --git a/plugins/sudoers/sssd.c b/plugins/sudoers/sssd.c
index 6aa38fc9e..8f341d9ed 100644
--- a/plugins/sudoers/sssd.c
+++ b/plugins/sudoers/sssd.c
@@ -716,7 +716,8 @@ sudo_sss_check_runas(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
 */
 if (user_matched == UNSPEC && group_matched == UNSPEC) {
 sudo_debug_printf(SUDO_DEBUG_INFO, "Matching against runas_default");
- debug_return_int(!strcasecmp(runas_pw->pw_name, def_runas_default));
+ debug_return_int(userpw_matches(def_runas_default, runas_pw->pw_name,
+ runas_pw));
 }
 
 debug_return_bool(group_matched != false && user_matched != false);
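Review bot: The new early return in sudo_ldap_check_runas() wraps userpw_matches() in `debug_return_int`, while the function's final exit a few lines below uses `debug_return_bool`; as far as I know userpw_matches() returns bool, so both exits should use the same macro: `debug_return_bool(userpw_matches(def_runas_default, runas_pw->pw_name, runas_pw));`. The removed line had the same mismatch, so this is a carry-over rather than a regression, and the sssd.c hunk repeats the identical pattern. The function's signature and return type are outside the hunk, so confirm it is declared bool before switching the macro.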
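Review bot: The debug message just above the changed line in sudo_sss_check_runas() still logs only "Matching against runas_default", which does not tell an administrator why a rule did or did not match. userpw_matches() is defined outside this diff; in match.c it appears to compare names exactly (case-sensitive) and to accept a `#uid` form, so an entry that used to match under strcasecmp() can now be rejected. Logging both operands makes that visible: `sudo_debug_printf(SUDO_DEBUG_INFO, "Matching %s against runas_default %s", runas_pw->pw_name, def_runas_default);`. The comment block above this branch starts outside the hunk; it would be the natural place to state the exact-name-or-#uid rule.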