From: Todd C. Miller
Date: Thu, 15 Sep 2016 19:47:38 +0000 (-0600)
Subject: Use RUNAS_USER_SPECIFIED and RUNAS_GROUP_SPECIFIED when deciding
X-Git-Tag: SUDO_1_8_18^2~5
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=b165a5ff719d9363493d802a26d0a259da6e0602;p=sudo

Use RUNAS_USER_SPECIFIED and RUNAS_GROUP_SPECIFIED when deciding
whether to check runas user/group instead of checking runas_pw or runas_gr.
---
diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c
index 3ef461976..517eae928 100644
--- a/plugins/sudoers/ldap.c
+++ b/plugins/sudoers/ldap.c
@@ -861,9 +861,9 @@ sudo_ldap_check_runas(LDAP *ld, LDAPMessage *entry)
 if (!entry)
 debug_return_bool(false);
 
- if (runas_user_set())
+ if (ISSET(sudo_user.flags, RUNAS_USER_SPECIFIED) || !ISSET(sudo_user.flags, RUNAS_GROUP_SPECIFIED))
 user_matched = sudo_ldap_check_runas_user(ld, entry);
- if (runas_gr != NULL)
+ if (ISSET(sudo_user.flags, RUNAS_GROUP_SPECIFIED))
 group_matched = sudo_ldap_check_runas_group(ld, entry);
 
 /*
diff --git a/plugins/sudoers/match.c b/plugins/sudoers/match.c
index 8bc06c3ed..894959101 100644
--- a/plugins/sudoers/match.c
+++ b/plugins/sudoers/match.c
@@ -153,12 +153,7 @@ runaslist_matches(const struct member_list *user_list,
 int group_matched = UNSPEC;
 debug_decl(runaslist_matches, SUDOERS_DEBUG_MATCH)
 
- /*
- * Skip checking runas user if it is the same as the invoking user
- * and a runas group was specified.
- * This logic assumes that we cache and refcount passwd structs.
- */
- if (runas_user_set()) {
+ if (ISSET(sudo_user.flags, RUNAS_USER_SPECIFIED) || !ISSET(sudo_user.flags, RUNAS_GROUP_SPECIFIED)) {
 /* If no runas user or runas group listed in sudoers, use default. */
 if (user_list == NULL && group_list == NULL) {
 debug_return_int(userpw_matches(def_runas_default,
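Review bot: The new gate on the runas-user check, `ISSET(sudo_user.flags, RUNAS_USER_SPECIFIED) || !ISSET(sudo_user.flags, RUNAS_GROUP_SPECIFIED)`, is now spelled out verbatim in three places (this hunk, the first match.c hunk and the sssd.c hunk) with no comment, and the match.c hunk also drops the block comment that explained why the user check is skipped when only a runas group was given. Since this expression decides whether a rule's runas user is consulted at all, a single named definition in parse.h, where `runas_user_set()` was removed, would keep the three call sites from drifting: `#define runas_user_set() (ISSET(sudo_user.flags, RUNAS_USER_SPECIFIED) || !ISSET(sudo_user.flags, RUNAS_GROUP_SPECIFIED))` with a comment such as `/* Check the runas user unless only a runas group was specified (the invoking user is then assumed). */`. If the macro is intentionally gone, that comment alone at each site would still help the next reader. sudo_ldap_check_runas begins before this hunk and continues after it.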
@@ -214,7 +209,7 @@ runaslist_matches(const struct member_list *user_list,
 /*
 * Skip checking runas group if none was specified.
 */
- if (runas_gr != NULL) {
+ if (ISSET(sudo_user.flags, RUNAS_GROUP_SPECIFIED)) {
 if (user_matched == UNSPEC) {
 if (strcmp(runas_pw->pw_name, user_name) == 0)
 user_matched = ALLOW; /* only changing group */
diff --git a/plugins/sudoers/parse.h b/plugins/sudoers/parse.h
index 8398d5234..973d0ac60 100644
--- a/plugins/sudoers/parse.h
+++ b/plugins/sudoers/parse.h
@@ -27,11 +27,6 @@
 #undef IMPLIED
 #define IMPLIED 2
 
-/*
- * Returns true if a runas user was specified on the command line.
- */
-#define runas_user_set() (runas_pw != sudo_user.pw || runas_gr == NULL)
-
 /*
 * Initialize all tags to UNSPEC.
 */
diff --git a/plugins/sudoers/sssd.c b/plugins/sudoers/sssd.c
index 8f341d9ed..a274e34c2 100644
--- a/plugins/sudoers/sssd.c
+++ b/plugins/sudoers/sssd.c
@@ -705,9 +705,9 @@ sudo_sss_check_runas(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
 if (rule == NULL)
 debug_return_bool(false);
 
- if (runas_user_set())
+ if (ISSET(sudo_user.flags, RUNAS_USER_SPECIFIED) || !ISSET(sudo_user.flags, RUNAS_GROUP_SPECIFIED))
 user_matched = sudo_sss_check_runas_user(handle, rule);
- if (runas_gr != NULL)
+ if (ISSET(sudo_user.flags, RUNAS_GROUP_SPECIFIED))
 group_matched = sudo_sss_check_runas_group(handle, rule);
 
 /*
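Review bot: With the gate changed to `ISSET(sudo_user.flags, RUNAS_GROUP_SPECIFIED)`, the `strcmp(runas_pw->pw_name, user_name) == 0` line that follows still relies on runas_pw pointing at the invoking user whenever a group but no user was requested; that coupling between the flags and runas_pw/runas_gr used to be enforced by the removed macro's pointer comparison against sudo_user.pw and is now an invariant kept wherever the flags are set, outside this hunk. It would be worth recording that here, e.g. `/* Only a runas group was given: runas_pw is presumably the invoking user, so the user check above was skipped. */`, and confirming that the code which sets RUNAS_GROUP_SPECIFIED alone also leaves runas_pw equal to sudo_user.pw. runaslist_matches starts before this hunk and continues past it.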