From: Todd C. Miller Date: Mon, 11 Jan 2016 23:35:05 +0000 (-0700) Subject: In sudo_netgroup_lookup() only build up the search filter once X-Git-Tag: SUDO_1_8_16^2~72 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=55fdf66c1daeff4ae4e1219b9ea54966cdde6740;p=sudo In sudo_netgroup_lookup() only build up the search filter once instead of once per netgroup_base. --- diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c index b8ce5feb0..338991d59 100644 --- a/plugins/sudoers/ldap.c +++ b/plugins/sudoers/ldap.c @@ -1392,96 +1392,92 @@ sudo_netgroup_lookup(LDAP *ld, struct passwd *pw, /* Use NIS domain if set, else wildcard match. */ domain = sudo_getdomainname(); - STAILQ_FOREACH(base, &ldap_conf.netgroup_base, entries) { - DPRINTF1("searching from netgroup_base '%s'", base->val); - - /* Build query, using NIS domain if it is set. */ - /* XXX - move outside foreach */ - if (domain != NULL) { - filt_len = sizeof("(nisNetgroupTriple=\\28,,\\29)") - 1 + - sudo_ldap_value_len(pw->pw_name); - if (user_runhost == user_srunhost) { - filt_len *= 4; - filt_len += 2 * sudo_ldap_value_len(user_srunhost); - filt_len += 2 * sudo_ldap_value_len(domain); - } else { - filt_len *= 6; - filt_len += 2 * sudo_ldap_value_len(user_srunhost); - filt_len += 2 * sudo_ldap_value_len(user_runhost); - filt_len += 3 * sudo_ldap_value_len(domain); - } - filt_len += 7 + strlen(ldap_conf.netgroup_search_filter); - if ((filt = malloc(filt_len)) == NULL) - goto oom; - CHECK_STRLCPY(filt, "(&", filt_len); - CHECK_STRLCAT(filt, ldap_conf.netgroup_search_filter, filt_len); - CHECK_STRLCAT(filt, "(|(nisNetgroupTriple=\\28,", filt_len); - CHECK_LDAP_VCAT(filt, pw->pw_name, filt_len); + /* Build query, using NIS domain if it is set. */ + if (domain != NULL) { + filt_len = sizeof("(nisNetgroupTriple=\\28,,\\29)") - 1 + + sudo_ldap_value_len(pw->pw_name); + if (user_runhost == user_srunhost) { + filt_len *= 4; + filt_len += 2 * sudo_ldap_value_len(user_srunhost); + filt_len += 2 * sudo_ldap_value_len(domain); + } else { + filt_len *= 6; + filt_len += 2 * sudo_ldap_value_len(user_srunhost); + filt_len += 2 * sudo_ldap_value_len(user_runhost); + filt_len += 3 * sudo_ldap_value_len(domain); + } + filt_len += 7 + strlen(ldap_conf.netgroup_search_filter); + if ((filt = malloc(filt_len)) == NULL) + goto oom; + CHECK_STRLCPY(filt, "(&", filt_len); + CHECK_STRLCAT(filt, ldap_conf.netgroup_search_filter, filt_len); + CHECK_STRLCAT(filt, "(|(nisNetgroupTriple=\\28,", filt_len); + CHECK_LDAP_VCAT(filt, pw->pw_name, filt_len); + CHECK_STRLCAT(filt, ",", filt_len); + CHECK_LDAP_VCAT(filt, domain, filt_len); + CHECK_STRLCAT(filt, "\\29)(nisNetgroupTriple=\\28", filt_len); + CHECK_LDAP_VCAT(filt, user_srunhost, filt_len); + CHECK_STRLCAT(filt, ",", filt_len); + CHECK_LDAP_VCAT(filt, pw->pw_name, filt_len); + if (user_runhost != user_srunhost) { CHECK_STRLCAT(filt, ",", filt_len); CHECK_LDAP_VCAT(filt, domain, filt_len); CHECK_STRLCAT(filt, "\\29)(nisNetgroupTriple=\\28", filt_len); - CHECK_LDAP_VCAT(filt, user_srunhost, filt_len); - CHECK_STRLCAT(filt, ",", filt_len); - CHECK_LDAP_VCAT(filt, pw->pw_name, filt_len); - if (user_runhost != user_srunhost) { - CHECK_STRLCAT(filt, ",", filt_len); - CHECK_LDAP_VCAT(filt, domain, filt_len); - CHECK_STRLCAT(filt, "\\29)(nisNetgroupTriple=\\28", filt_len); - CHECK_LDAP_VCAT(filt, user_runhost, filt_len); - CHECK_STRLCAT(filt, ",", filt_len); - CHECK_LDAP_VCAT(filt, pw->pw_name, filt_len); - } + CHECK_LDAP_VCAT(filt, user_runhost, filt_len); CHECK_STRLCAT(filt, ",", filt_len); - CHECK_LDAP_VCAT(filt, domain, filt_len); - CHECK_STRLCAT(filt, "\\29)(nisNetgroupTriple=\\28,", filt_len); CHECK_LDAP_VCAT(filt, pw->pw_name, filt_len); + } + CHECK_STRLCAT(filt, ",", filt_len); + CHECK_LDAP_VCAT(filt, domain, filt_len); + CHECK_STRLCAT(filt, "\\29)(nisNetgroupTriple=\\28,", filt_len); + CHECK_LDAP_VCAT(filt, pw->pw_name, filt_len); + CHECK_STRLCAT(filt, ",\\29)(nisNetgroupTriple=\\28", filt_len); + CHECK_LDAP_VCAT(filt, user_srunhost, filt_len); + CHECK_STRLCAT(filt, ",", filt_len); + CHECK_LDAP_VCAT(filt, pw->pw_name, filt_len); + if (user_runhost != user_srunhost) { CHECK_STRLCAT(filt, ",\\29)(nisNetgroupTriple=\\28", filt_len); - CHECK_LDAP_VCAT(filt, user_srunhost, filt_len); + CHECK_LDAP_VCAT(filt, user_runhost, filt_len); CHECK_STRLCAT(filt, ",", filt_len); CHECK_LDAP_VCAT(filt, pw->pw_name, filt_len); - if (user_runhost != user_srunhost) { - CHECK_STRLCAT(filt, ",\\29)(nisNetgroupTriple=\\28", filt_len); - CHECK_LDAP_VCAT(filt, user_runhost, filt_len); - CHECK_STRLCAT(filt, ",", filt_len); - CHECK_LDAP_VCAT(filt, pw->pw_name, filt_len); - } - CHECK_STRLCAT(filt, ",\\29)))", filt_len); + } + CHECK_STRLCAT(filt, ",\\29)))", filt_len); + } else { + filt_len = sizeof("(nisNetgroupTriple=\\28,,*\\29)") - 1 + + sudo_ldap_value_len(pw->pw_name); + if (user_runhost == user_srunhost) { + filt_len *= 2; + filt_len += sudo_ldap_value_len(user_srunhost); } else { - filt_len = sizeof("(nisNetgroupTriple=\\28,,*\\29)") - 1 + - sudo_ldap_value_len(pw->pw_name); - if (user_runhost == user_srunhost) { - filt_len *= 2; - filt_len += sudo_ldap_value_len(user_srunhost); - } else { - filt_len *= 3; - filt_len += sudo_ldap_value_len(user_srunhost); - filt_len += sudo_ldap_value_len(user_runhost); - } - filt_len += 7 + strlen(ldap_conf.netgroup_search_filter); - if ((filt = malloc(filt_len)) == NULL) - goto oom; - CHECK_STRLCPY(filt, "(&", filt_len); - CHECK_STRLCAT(filt, ldap_conf.netgroup_search_filter, filt_len); - CHECK_STRLCAT(filt, "(|(nisNetgroupTriple=\\28,", filt_len); - CHECK_LDAP_VCAT(filt, pw->pw_name, filt_len); + filt_len *= 3; + filt_len += sudo_ldap_value_len(user_srunhost); + filt_len += sudo_ldap_value_len(user_runhost); + } + filt_len += 7 + strlen(ldap_conf.netgroup_search_filter); + if ((filt = malloc(filt_len)) == NULL) + goto oom; + CHECK_STRLCPY(filt, "(&", filt_len); + CHECK_STRLCAT(filt, ldap_conf.netgroup_search_filter, filt_len); + CHECK_STRLCAT(filt, "(|(nisNetgroupTriple=\\28,", filt_len); + CHECK_LDAP_VCAT(filt, pw->pw_name, filt_len); + CHECK_STRLCAT(filt, ",*\\29)(nisNetgroupTriple=\\28", filt_len); + CHECK_LDAP_VCAT(filt, user_srunhost, filt_len); + CHECK_STRLCAT(filt, ",", filt_len); + CHECK_LDAP_VCAT(filt, pw->pw_name, filt_len); + if (user_runhost != user_srunhost) { CHECK_STRLCAT(filt, ",*\\29)(nisNetgroupTriple=\\28", filt_len); - CHECK_LDAP_VCAT(filt, user_srunhost, filt_len); + CHECK_LDAP_VCAT(filt, user_runhost, filt_len); CHECK_STRLCAT(filt, ",", filt_len); CHECK_LDAP_VCAT(filt, pw->pw_name, filt_len); - if (user_runhost != user_srunhost) { - CHECK_STRLCAT(filt, ",*\\29)(nisNetgroupTriple=\\28", filt_len); - CHECK_LDAP_VCAT(filt, user_runhost, filt_len); - CHECK_STRLCAT(filt, ",", filt_len); - CHECK_LDAP_VCAT(filt, pw->pw_name, filt_len); - } - CHECK_STRLCAT(filt, ",*\\29)))", filt_len); } - /* XXX - refactor duplicated code */ - DPRINTF1("ldap netgroup search filter: '%s'", filt); - result = NULL; + CHECK_STRLCAT(filt, ",*\\29)))", filt_len); + } + DPRINTF1("ldap netgroup search filter: '%s'", filt); + + STAILQ_FOREACH(base, &ldap_conf.netgroup_base, entries) { + DPRINTF1("searching from netgroup_base '%s'", base->val); rc = ldap_search_ext_s(ld, base->val, LDAP_SCOPE_SUBTREE, filt, NULL, 0, NULL, NULL, tvp, 0, &result); - free(filt); if (rc != LDAP_SUCCESS) { DPRINTF1("ldap netgroup search failed: %s", ldap_err2string(rc)); ldap_msgfree(result); @@ -1516,6 +1512,7 @@ sudo_netgroup_lookup(LDAP *ld, struct passwd *pw, } } ldap_msgfree(result); + result = NULL; /* Check for nested netgroups in what we added. */ ng = old_tail ? STAILQ_NEXT(old_tail, entries) : STAILQ_FIRST(netgroups); @@ -1524,9 +1521,11 @@ sudo_netgroup_lookup(LDAP *ld, struct passwd *pw, debug_return_bool(false); } } + free(filt); debug_return_bool(true); oom: sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory")); + free(filt); ldap_msgfree(result); debug_return_bool(false); overflow: