From: Todd C. Miller Date: Tue, 12 Dec 2017 21:20:56 +0000 (-0700) Subject: An empty RunAsUser means run as the invoking user, similar to how X-Git-Tag: SUDO_1_8_22^2~35 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=6ca8447e0020643d0a18229ee00675fd3d70a9d9;p=sudo An empty RunAsUser means run as the invoking user, similar to how the sudoers files works. --- diff --git a/doc/sudoers.ldap.cat b/doc/sudoers.ldap.cat index 4da98df00..86ce8426b 100644 --- a/doc/sudoers.ldap.cat +++ b/doc/sudoers.ldap.cat @@ -122,7 +122,10 @@ DDEESSCCRRIIPPTTIIOONN A user name or uid (prefixed with `#') that commands may be run as or a Unix group (prefixed with a `%') or user netgroup (prefixed with a `+') that contains a list of users that commands may be run - as. The special value ALL will match any user. + as. The special value ALL will match any user. If sudoRunAsUser + is specified but empty, it will match the invoking user. If + neither sudoRunAsUser nor sudoRunAsGroup are present, the value of + the runas_default sudoOption is used (defaults to root ). The sudoRunAsUser attribute is only available in ssuuddoo versions 1.7.0 and higher. Older versions of ssuuddoo use the sudoRunAs @@ -910,4 +913,4 @@ DDIISSCCLLAAIIMMEERR file distributed with ssuuddoo or https://www.sudo.ws/license.html for complete details. -Sudo 1.8.22 January 17, 2017 Sudo 1.8.22 +Sudo 1.8.22 December 12, 2017 Sudo 1.8.22 diff --git a/doc/sudoers.ldap.man.in b/doc/sudoers.ldap.man.in index 6407962f9..fb9edce15 100644 --- a/doc/sudoers.ldap.man.in +++ b/doc/sudoers.ldap.man.in @@ -16,7 +16,7 @@ .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.TH "SUDOERS.LDAP" "5" "January 17, 2017" "Sudo @PACKAGE_VERSION@" "File Formats Manual" +.TH "SUDOERS.LDAP" "5" "December 12, 2017" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .nh .if n .ad l .SH "NAME" 
@@ -245,6 +245,18 @@ that contains a list of users that commands may be run as. The special value \fRALL\fR will match any user. +If +\fRsudoRunAsUser\fR +is specified but empty, it will match the invoking user. +If neither +\fRsudoRunAsUser\fR +nor +\fRsudoRunAsGroup\fR +are present, the value of the +runas_default +\fRsudoOption\fR +is used (defaults to +\fR@runas_default@ ).\fR .sp The \fRsudoRunAsUser\fR diff --git a/doc/sudoers.ldap.mdoc.in b/doc/sudoers.ldap.mdoc.in index b6459cf44..ef0fe9ac3 100644 --- a/doc/sudoers.ldap.mdoc.in +++ b/doc/sudoers.ldap.mdoc.in @@ -14,7 +14,7 @@ .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd January 17, 2017 +.Dd December 12, 2017 .Dt SUDOERS.LDAP @mansectform@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME @@ -229,6 +229,18 @@ that contains a list of users that commands may be run as. The special value .Li ALL will match any user. +If +.Li sudoRunAsUser +is specified but empty, it will match the invoking user. +If neither +.Li sudoRunAsUser +nor +.Li sudoRunAsGroup +are present, the value of the +.En runas_default +.Li sudoOption +is used (defaults to +.Li @runas_default@ ). .Pp The .Li sudoRunAsUser diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c index 15e6b155d..104816b8e 100644 --- a/plugins/sudoers/ldap.c +++ b/plugins/sudoers/ldap.c @@ -855,6 +855,12 @@ sudo_ldap_check_runas_user(LDAP *ld, LDAPMessage *entry, int *group_matched) if (usergr_matches(val, runas_pw->pw_name, runas_pw)) ret = true; break; + case '\0': + /* Empty RunAsUser means run as the invoking user. */ + if (ISSET(sudo_user.flags, RUNAS_USER_SPECIFIED) && + strcmp(user_name, runas_pw->pw_name) == 0) + ret = true; + break; case 'A': if (strcmp(val, "ALL") == 0) { ret = true; 
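Review bot: The new `case '\0'` branch in sudo_ldap_check_runas_user only matches when `RUNAS_USER_SPECIFIED` is set, so a rule with an empty sudoRunAsUser plus a sudoRunAsGroup would not match a plain `sudo -g group cmd` if runas_pw is the invoking user in that case, which is presumably the main use of an empty RunAsUser. If the sudoers-file matcher does not require an explicit `-u` there, drop the flag test and keep only `strcmp(user_name, runas_pw->pw_name) == 0`; otherwise extend the comment to `/* Empty RunAsUser means run as the invoking user (only matches an explicit -u <invoking user>). */` so the stricter behaviour is documented. The identical branch is added in the sssd.c hunk at line 680 and the two must stay in sync. The enclosing function starts and ends outside the hunk.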
@@ -2459,7 +2465,8 @@ sudo_ldap_display_entry_short(LDAP *ld, LDAPMessage *entry, struct passwd *pw,
 bv = ldap_get_values_len(ld, entry, "sudoRunAs");
 if (bv != NULL) {
 for (p = bv; *p != NULL; p++) {
- sudo_lbuf_append(lbuf, "%s%s", p != bv ? ", " : "", (*p)->bv_val);
+ sudo_lbuf_append(lbuf, "%s%s", p != bv ? ", " : "",
+ (*p)->bv_val[0] ? (*p)->bv_val : user_name);
 }
 ldap_value_free_len(bv);
 no_runas_user = false;
diff --git a/plugins/sudoers/sssd.c b/plugins/sudoers/sssd.c
index b29768cb4..afb2d2f74 100644
--- a/plugins/sudoers/sssd.c
+++ b/plugins/sudoers/sssd.c
@@ -680,6 +680,12 @@ sudo_sss_check_runas_user(struct sudo_sss_handle *handle, struct sss_sudo_rule *
 ret = true;
 }
 break;
+ case '\0':
+ /* Empty RunAsUser means run as the invoking user. */
+ if (ISSET(sudo_user.flags, RUNAS_USER_SPECIFIED) &&
+ strcmp(user_name, runas_pw->pw_name) == 0)
+ ret = true;
+ break;
 case 'A':
 if (strcmp(val, "ALL") == 0) {
 sudo_debug_printf(SUDO_DEBUG_DEBUG, "ALL => match");
@@ -1773,7 +1779,8 @@ sudo_sss_display_entry_short(struct sudo_sss_handle *handle,
 switch (handle->fn_get_values(rule, "sudoCommand", &val_array)) {
 case 0:
 for (i = 0; val_array[i] != NULL; ++i) {
- sudo_lbuf_append(lbuf, "%s%s", i != 0 ? ", " : "", val_array[i]);
+ sudo_lbuf_append(lbuf, "%s%s", i != 0 ? ", " : "",
+ val_array[i][0] ? val_array[i] : user_name);
 count++;
 }
 handle->fn_free_values(val_array);
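Review bot: The `user_name` substitution in the sssd.c hunk at line 1779 is applied to the `sudoCommand` loop — the context lines show `fn_get_values(rule, "sudoCommand", &val_array)` and `count++` — whereas the corresponding ldap.c hunk at line 2465 changes the RunAs value loop, so an empty sudoCommand value would be printed as the invoking user's name while the sssd runas display is left unchanged. That line should be reverted to `sudo_lbuf_append(lbuf, "%s%s", i != 0 ? ", " : "", val_array[i]);` and the `val_array[i][0] ? val_array[i] : user_name` form moved to the sudoRunAsUser loop of sudo_sss_display_entry_short, which lies outside this hunk. The enclosing function starts outside the hunk.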