From: Todd C. Miller
Date: Mon, 14 May 2018 16:43:51 +0000 (-0600)
Subject: Improve comments about why we need to do a user check and how it
X-Git-Tag: SUDO_1_8_24^2~84
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=9f36ae62f0c9c2eb5ccc02cd88842305017a2351;p=sudo

Improve comments about why we need to do a user check and how it related to netgroups.
---

diff --git a/plugins/sudoers/sssd.c b/plugins/sudoers/sssd.c
index 7837b8b59..ea077b31b 100644
--- a/plugins/sudoers/sssd.c
+++ b/plugins/sudoers/sssd.c
@@ -446,6 +446,7 @@ bad:
  * SSSD doesn't handle netgroups, we have to ensure they are correctly filtered
  * in sudo. The rules may contain mixed sudoUser specification so we have to
  * check not only for netgroup membership but also for user and group matches.
+ * Otherwise, a netgroup non-match could override a user/group match.
  */
 static bool
 sudo_sss_check_user(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
@@ -665,7 +666,10 @@ sss_to_sudoers(struct sudo_sss_handle *handle, struct sss_sudo_result *sss_resul
     char **hosts = NULL, **cn_array = NULL, *cn = NULL;
     struct privilege *priv = NULL;
-    /* Only include matching user roles (XXX). */
+    /*
+     * We don't know whether a rule was included due to a user/group
+     * match or because it contained a netgroup.
+     */
     if (!sudo_sss_check_user(handle, rule))
 	continue;
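Review bot: The expanded header comment on sudo_sss_check_user explains why the check exists but still does not state what the function returns, which is exactly what the caller in sss_to_sudoers branches on when it skips a rule with `continue`. A closing line such as ` * Returns true if the rule's sudoUser entries match the invoking user, one of the user's groups, or a netgroup the user belongs to; false otherwise.` would make the call site self-explanatory without repeating the rationale there. The user/group/netgroup wording is taken from the existing comment text rather than from the function body, which lies outside this hunk, so it should be checked against the implementation before being added.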