From: Todd C. Miller
Date: Tue, 8 Nov 2016 21:35:23 +0000 (-0700)
Subject: Fix a bug in host matching where a negated sudoHost entry would
X-Git-Tag: SUDO_1_8_19^2~56
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=17868f89d7a10ff05ed7f8a56a291d958f7ec485;p=sudo

Fix a bug in host matching where a negated sudoHost entry would
prevent other sudoHosts following it from matching.
---

diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c
index 35830dc1e..b1d1116f9 100644
--- a/plugins/sudoers/ldap.c
+++ b/plugins/sudoers/ldap.c
@@ -722,20 +722,21 @@ sudo_ldap_check_host(LDAP *ld, LDAPMessage *entry, struct passwd *pw)
 {
     struct berval **bv, **p;
     char *val;
-    bool ret = false;
-    bool foundbang = false;
+    int matched = UNSPEC;
     debug_decl(sudo_ldap_check_host, SUDOERS_DEBUG_LDAP)
 
     if (!entry)
-        debug_return_bool(ret);
+        debug_return_bool(false);
 
     /* get the values from the entry */
     bv = ldap_get_values_len(ld, entry, "sudoHost");
     if (bv == NULL)
-        debug_return_bool(ret);
+        debug_return_bool(false);
 
     /* walk through values */
-    for (p = bv; *p != NULL && !foundbang; p++) {
+    for (p = bv; *p != NULL && matched != false; p++) {
+        bool foundbang = false;
+
         val = (*p)->bv_val;
 
         if (*val == '!') {
@@ -747,14 +748,17 @@ sudo_ldap_check_host(LDAP *ld, LDAPMessage *entry, struct passwd *pw)
         if (strcmp(val, "ALL") == 0 || addr_matches(val) ||
             netgr_matches(val, user_runhost, user_srunhost,
             def_netgroup_tuple ? pw->pw_name : NULL) ||
-            hostname_matches(user_srunhost, user_runhost, val))
-            ret = !foundbang;
-        DPRINTF2("ldap sudoHost '%s' ... %s", val, ret ? "MATCH!" : "not");
+            hostname_matches(user_srunhost, user_runhost, val)) {
+
+            matched = foundbang ? false : true;
+        }
+        DPRINTF2("ldap sudoHost '%s' ... %s",
+            val, matched == true ? "MATCH!" : "not");
     }
 
     ldap_value_free_len(bv);	/* cleanup */
 
-    debug_return_bool(ret);
+    debug_return_bool(matched == true);
 }
 
 static int
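Review bot: `int matched = UNSPEC;` makes the result three-valued, but nothing in the hunk says what each state means or why the loop runs on `matched != false` instead of a plain flag, so a comment on the declaration would spare the next reader from reconstructing it: `int matched = UNSPEC;	/* UNSPEC: no match yet; true: positive match; false: negated match, which is final */`. That loop condition also relies on UNSPEC comparing unequal to 0, which holds if it is sudo's usual -1, but the definition is not visible here. Moving `foundbang` into loop scope is the actual fix, since the old loop-level flag (presumably set in the `*val == '!'` branch that starts at the end of the hunk) ended the scan on any negated value whether or not it matched; a one-line comment above the `for`, `/* Stop on a matching negated entry; later positive entries must not override it. */`, would record that intent. The body of sudo_ldap_check_host continues past the end of this hunk.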
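Review bot: The DPRINTF2 on the new side prints the accumulated `matched` state rather than whether the value of this iteration matched, so once an earlier value has matched every later non-matching value is logged as "MATCH!", and a negated match is logged as "not"; the old code had the same weakness, but the new braces are a natural place to fix it. Logging inside the braces, with a separate line for the non-matching case, makes the trace per value and also tells a negated match apart from a positive one, which is what you need when working out why a rule was refused. The empty line left after the opening `{` looks like a leftover from the deleted `ret = !foundbang;` and can go. sudo_ldap_check_host begins before this hunk.
```c
	    hostname_matches(user_srunhost, user_runhost, val)) {
	    matched = foundbang ? false : true;
	    DPRINTF2("ldap sudoHost '%s' ... %s", val,
		foundbang ? "negated match" : "MATCH!");
	} else {
	    DPRINTF2("ldap sudoHost '%s' ... not", val);
	}
	/* … unchanged: ldap_value_free_len() and the final return … */
```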
diff --git a/plugins/sudoers/sssd.c b/plugins/sudoers/sssd.c
index 8ef4c9d41..f088b18bb 100644
--- a/plugins/sudoers/sssd.c
+++ b/plugins/sudoers/sssd.c
@@ -741,13 +741,12 @@ static bool
 sudo_sss_check_host(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
 {
     char **val_array, *val;
-    bool ret = false;
-    bool foundbang = false;
+    int matched = UNSPEC;
     int i;
     debug_decl(sudo_sss_check_host, SUDOERS_DEBUG_SSSD);
 
     if (rule == NULL)
-        debug_return_bool(ret);
+        debug_return_bool(false);
 
     /* get the values from the rule */
     switch (handle->fn_get_values(rule, "sudoHost", &val_array)) {
@@ -758,11 +757,13 @@ sudo_sss_check_host(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
         debug_return_bool(false);
     default:
         sudo_debug_printf(SUDO_DEBUG_INFO,
             "handle->fn_get_values(sudoHost): != 0");
-        debug_return_bool(ret);
+        debug_return_bool(false);
     }
 
     /* walk through values */
-    for (i = 0; val_array[i] != NULL && !foundbang; ++i) {
+    for (i = 0; val_array[i] != NULL && matched != false; ++i) {
+        bool foundbang = false;
+
         val = val_array[i];
         sudo_debug_printf(SUDO_DEBUG_DEBUG, "val[%d]=%s", i, val);
@@ -775,16 +776,18 @@ sudo_sss_check_host(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
         if (strcmp(val, "ALL") == 0 || addr_matches(val) ||
             netgr_matches(val, handle->host, handle->shost,
             def_netgroup_tuple ? handle->pw->pw_name : NULL) ||
-            hostname_matches(handle->shost, handle->host, val))
-            ret = !foundbang;
+            hostname_matches(handle->shost, handle->host, val)) {
 
-        sudo_debug_printf(SUDO_DEBUG_INFO,
-            "sssd/ldap sudoHost '%s' ... %s", val, ret ? "MATCH!" : "not");
+            matched = foundbang ? false : true;
+        }
+
+        sudo_debug_printf(SUDO_DEBUG_INFO, "sssd/ldap sudoHost '%s' ... %s",
+            val, matched == true ? "MATCH!" : "not");
     }
 
     handle->fn_free_values(val_array);
 
-    debug_return_bool(ret);
+    debug_return_bool(matched == true);
 }
 
 /*
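Review bot: sudo_sss_check_host is now a line-for-line twin of sudo_ldap_check_host in ldap.c, differing only in where the host names and password entry come from, and this commit had to apply the identical fix to both by hand; duplicated authorization logic is exactly where the two backends will silently diverge the next time one of them is touched. The per-value test and the UNSPEC/true/false accumulation could live in one shared helper that takes the value, the long and short host names and the user name and returns the tri-state result, leaving each backend only the value enumeration and cleanup. Until then, `int matched = UNSPEC;` deserves the same explanatory comment in both files, e.g. `int matched = UNSPEC;	/* UNSPEC: no match yet; true: positive match; false: negated match, which is final */`. The function's body runs past the end of this hunk.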
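Review bot: As in ldap.c, the new `sudo_debug_printf` reports the cumulative `matched`, so a value that does not match is still logged as "MATCH!" once any earlier value did, and a matching negated value is logged as "not"; logging inside the new braces with an `else` for the non-matching case gives a per-value trace that also names negated matches. The blank line inside the new braces, before `matched = ...`, reads like a leftover from the removed `ret = !foundbang;` and can be dropped. The `foundbang` this block reads is set earlier in the loop, outside this hunk, and the function begins before it.
```c
	    hostname_matches(handle->shost, handle->host, val)) {
	    matched = foundbang ? false : true;
	    sudo_debug_printf(SUDO_DEBUG_INFO, "sssd/ldap sudoHost '%s' ... %s",
		val, foundbang ? "negated match" : "MATCH!");
	} else {
	    sudo_debug_printf(SUDO_DEBUG_INFO, "sssd/ldap sudoHost '%s' ... not",
		val);
	}
	/* … unchanged: handle->fn_free_values() and the final return … */
```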