From: Todd C. Miller Date: Thu, 27 May 2004 19:55:06 +0000 (+0000) Subject: In sudoers_lookup() return VALIDATE_NOT_OK if the runas user was X-Git-Tag: SUDO_1_6_8~120 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=5150db1db3db2c8b9b71f92e6a4d10b7b045a438;p=sudo In sudoers_lookup() return VALIDATE_NOT_OK if the runas user was explicitly denied and the command matched. This fixes a long-standing bug and makes: foo machine = (ALL) /usr/bin/blah foo machine = (!bar) /usr/bin/blah equivalent to: foo machine = (ALL, !bar) /usr/bin/blah
---
diff --git a/parse.c b/parse.c
index 33a77021b..7a1d2321e 100644
--- a/parse.c
+++ b/parse.c
@@ -193,22 +193,21 @@ sudoers_lookup(pwflag)
 while (top) {
 if (host_matches == TRUE) {
 CLR(error, FLAG_NO_HOST);
- if (runas_matches == TRUE) {
- if (cmnd_matches == TRUE) {
- /*
- * User was granted access to cmnd on host.
- */
- return(VALIDATE_OK |
- (no_passwd == TRUE ? FLAG_NOPASS : 0) |
- (no_execve == TRUE ? FLAG_NOEXEC : 0));
- } else if (cmnd_matches == FALSE) {
- /*
- * User was explicitly denied access to cmnd on host.
- */
- return(VALIDATE_NOT_OK |
- (no_passwd == TRUE ? FLAG_NOPASS : 0) |
- (no_execve == TRUE ? FLAG_NOEXEC : 0));
- }
+ if (runas_matches == TRUE && cmnd_matches == TRUE) {
+ /*
+ * User was granted access to cmnd on host as user.
+ */
+ return(VALIDATE_OK |
+ (no_passwd == TRUE ? FLAG_NOPASS : 0) |
+ (no_execve == TRUE ? FLAG_NOEXEC : 0));
+ } else if ((runas_matches == TRUE && cmnd_matches == FALSE) ||
+ (runas_matches == FALSE && cmnd_matches == TRUE)) {
+ /*
+ * User was explicitly denied access to cmnd on host.
+ */
+ return(VALIDATE_NOT_OK |
+ (no_passwd == TRUE ? FLAG_NOPASS : 0) |
+ (no_execve == TRUE ? FLAG_NOEXEC : 0));
 }
 }
 top--;
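Review bot: The comment in the new `else if` branch still reads "User was explicitly denied access to cmnd on host", but the branch now also returns VALIDATE_NOT_OK when `runas_matches == FALSE && cmnd_matches == TRUE`, that is, when the command matched and only the runas user was negated. Since this is the line that decides a sudoers denial, the comment should name both cases, for example `* User was explicitly denied access to cmnd on host, or was explicitly denied the runas user for a matching cmnd.`. The case where both `runas_matches` and `cmnd_matches` are FALSE matches neither branch and falls through to `top--`; that looks intentional, but a one-line comment would help a reader auditing rule precedence, such as `/* runas and cmnd both negated: no decision, try the next entry */`. The body of sudoers_lookup() starts and ends outside this hunk, so how the match stack is filled is not visible here.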