From: Todd C. Miller Date: Thu, 30 Aug 2018 14:36:09 +0000 (-0600) Subject: The sssd backend used to take the first match, assuming that entries X-Git-Tag: SUDO_1_8_25^2~7 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=ae04b40c052f1dc07ef7305dd87a5432aeb7bb1d;p=sudo The sssd backend used to take the first match, assuming that entries were sorted in descending order by sudoOrder. That allowed it to avoid iterating over the entire list of rules. Now that we convert to a sudoers parse tree, we need to convert rules in ascending order, not descending. The simplest way to accomplish this is to simply iterate over the rules from last to first, reversing the sort order. Bug #849 --- diff --git a/plugins/sudoers/sssd.c b/plugins/sudoers/sssd.c index 5b2fbb78f..c522f3163 100644 --- a/plugins/sudoers/sssd.c +++ b/plugins/sudoers/sssd.c @@ -256,8 +256,14 @@ sss_to_sudoers(struct sudo_sss_handle *handle, m->type = ALL; TAILQ_INSERT_TAIL(&us->users, m, entries); - /* Treat each sudoRole as a separate privilege. */ - for (i = 0; i < sss_result->num_rules; i++) { + /* + * Treat each sudoRole as a separate privilege. + * + * Sssd has already sorted the rules in descending order. + * The conversion to a sudoers parse tree requires that entries be + * in *ascending* order so we we iterate from last to first. + */ + for (i = sss_result->num_rules; i-- > 0; ) { struct sss_sudo_rule *rule = sss_result->rules + i; char **cmnds, **runasusers = NULL, **runasgroups = NULL; char **opts = NULL, **notbefore = NULL, **notafter = NULL;
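Review bot: The new comment in this hunk has a doubled word, "so we we iterate from last to first"; drop one "we". More substantively, the comment asserts "Sssd has already sorted the rules in descending order" while the commit message only says the old code was "assuming that entries were sorted in descending order by sudoOrder"; since the correctness of the reversed loop `for (i = sss_result->num_rules; i-- > 0; )` now depends on that ordering, consider either stating in the comment that this is an assumption about the sssd response or sorting by sudoOrder explicitly before conversion so an unsorted result cannot silently change which rule takes precedence. The `i-- > 0` idiom itself is fine for an unsigned or signed `i` and correctly visits indices num_rules-1 down to 0.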