From: Todd C. Miller
Date: Wed, 2 Dec 2015 21:06:37 +0000 (-0700)
Subject: When checking the query results, don't set user_matches in the
X-Git-Tag: SUDO_1_8_16^2~100
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=29e9273a402caddb0238219f28a51489c210471b;p=sudo
When checking the query results, don't set user_matches in the netgroup pass unless sudo_ldap_check_non_unix_group() returns true. This was preventing the mail_no_user sudoOption from being effective.
---
diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c
index 9549dc932..f46fc2d77 100644
--- a/plugins/sudoers/ldap.c
+++ b/plugins/sudoers/ldap.c
@@ -3132,8 +3132,8 @@ sudo_ldap_lookup(struct sudo_nss *nss, int ret, int pwflag)
 debug_return_int(ret);
 /*
- * The following queries are only determine whether or not a
- * password is required, so the order of the entries doesn't matter.
+ * The following queries only determine whether or not a password
+ * is required, so the order of the entries doesn't matter.
 */
 if (pwflag) {
 int doauth = UNSPEC;
@@ -3408,27 +3408,31 @@ sudo_ldap_result_get(struct sudo_nss *nss, struct passwd *pw)
 ldap_err2string(rc));
 continue;
 }
- lres->user_matches = true;
- /* Add the seach result to list of search results. */
+ /* Add the search result to list of search results. */
 DPRINTF1("adding search result");
 if (sudo_ldap_result_add_search(lres, ld, result) == NULL) {
- sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
+ sudo_warnx(U_("%s: %s"), __func__,
+ U_("unable to allocate memory"));
 free(filt);
 sudo_ldap_result_free(lres);
 debug_return_ptr(NULL);
 }
 LDAP_FOREACH(entry, ld, result) {
- if ((!pass ||
- sudo_ldap_check_non_unix_group(ld, entry, pw)) &&
- sudo_ldap_check_host(ld, entry)) {
- lres->host_matches = true;
- if (sudo_ldap_result_add_entry(lres, entry) == NULL) {
- sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
- free(filt);
- sudo_ldap_result_free(lres);
- debug_return_ptr(NULL);
- }
+ /* Check user or non-unix group. */
+ if (pass && !sudo_ldap_check_non_unix_group(ld, entry, pw))
+ continue;
+ lres->user_matches = true;
+ /* Check host. */
+ if (!sudo_ldap_check_host(ld, entry))
+ continue;
+ lres->host_matches = true;
+ if (sudo_ldap_result_add_entry(lres, entry) == NULL) {
+ sudo_warnx(U_("%s: %s"), __func__,
+ U_("unable to allocate memory"));
+ free(filt);
+ sudo_ldap_result_free(lres);
+ debug_return_ptr(NULL);
 }
 }
 DPRINTF1("result now has %d entries", lres->nentries);
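Review bot: The new comment `/* Check user or non-unix group. */` in the LDAP_FOREACH loop says more than the code does: when `pass` is 0 no per-entry user check runs, and `lres->user_matches` becomes true for every entry the search returned. That appears to rely on the search filter (`filt`), built outside the hunk, having already selected entries for this user, and the assumption is worth stating where the flag is set because the commit message ties `user_matches` to the mail_no_user option. I would replace the comment with `/* Pass 0: entries were selected by the user filter. Netgroup pass: verify each entry. */`, once someone who knows the filter construction confirms it. The body of sudo_ldap_result_get starts and ends outside the hunk.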