From: Todd C. Miller
Date: Sat, 1 Jan 2005 17:41:21 +0000 (+0000)
Subject: Only check group vector in usergr_matches() if we are matching the
X-Git-Tag: SUDO_1_7_0~760
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=a58012cfff0467df2c2e76e3919ab36534e4e158;p=sudo
Only check group vector in usergr_matches() if we are matching the invoking or list user. Always check the group members, even if there was a group vector.
---
diff --git a/match.c b/match.c
index 940491642..80860a0ca 100644
--- a/match.c
+++ b/match.c
@@ -518,7 +518,6 @@ usergr_matches(group, user, pw)
 struct passwd *pw;
 {
 struct group *grp;
- gid_t pw_gid;
 char **cur;
 int n;
@@ -529,28 +528,26 @@ usergr_matches(group, user, pw)
 /* look up user's primary gid in the passwd file */
 if (pw == NULL && (pw = sudo_getpwnam(user)) == NULL)
 return(FALSE);
- pw_gid = pw->pw_gid;
 if ((grp = sudo_getgrnam(group)) == NULL)
 return(FALSE);
 /* check against user's primary (passwd file) gid */
- if (grp->gr_gid == pw_gid)
+ if (grp->gr_gid == pw->pw_gid)
 return(TRUE);
 /*
- * If the user has a supplementary group vector, check it.
- * Otherwise, check the member list in struct group for the user name.
+ * If we are matching the invoking or list user and that user has a
+ * supplementary group vector, check it first.
 */
- if ((n = user_ngroups) > 0) {
- while (n--)
+ if (strcmp(user, list_pw ? list_pw->pw_name : user_name) == 0) {
+ for (n = user_ngroups; n != 0; n--)
 if (grp->gr_gid == user_groups[n])
 return(TRUE);
- } else {
- for (cur = grp->gr_mem; *cur; cur++)
- if (strcmp(*cur, user) == 0)
- return(TRUE);
 }
+ for (cur = grp->gr_mem; *cur; cur++)
+ if (strcmp(*cur, user) == 0)
+ return(TRUE);
 return(FALSE);
 }
diff --git a/testsudoers.c b/testsudoers.c
index 2ae467aaa..a16e97070 100644
--- a/testsudoers.c
+++ b/testsudoers.c
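Review bot: In the second usergr_matches() hunk of match.c, the new loop `for (n = user_ngroups; n != 0; n--)` indexes `user_groups[n]` from `user_ngroups` down to 1, so it reads one element past the end of the vector and never compares `user_groups[0]`; the removed `while (n--)` covered indices `user_ngroups - 1` through 0. Because the result decides a sudoers group match, a stray value past the array could yield a false match, while a real membership held in slot 0 is only found if the user is also listed in `gr_mem`. I would write the loop as `for (n = 0; n < user_ngroups; n++)`, which also exits immediately should `user_ngroups` ever be negative now that the old `> 0` guard is gone (whether it can be negative is not visible here). The function begins outside the hunk.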
@@ -82,6 +82,7 @@ char **Argv, **NewArgv;
 int num_interfaces;
 struct interface *interfaces;
 struct sudo_user sudo_user;
+struct passwd *list_pw;
 extern int parse_error;
 /* For getopt(3) */
diff --git a/visudo.c b/visudo.c
index 58cc1fab4..78cdbd580 100644
--- a/visudo.c
+++ b/visudo.c
@@ -136,6 +136,7 @@ char **Argv;
 int num_interfaces;
 struct interface *interfaces;
 struct sudo_user sudo_user;
+struct passwd *list_pw;
 static struct sudoerslist {
 struct sudoersfile *first, *last;
 } sudoerslist;