From: Todd C. Miller
Date: Wed, 16 May 2018 16:27:28 +0000 (-0600)
Subject: When building up the cmndspec, add the actual command member last.
X-Git-Tag: SUDO_1_8_24^2~75
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=b7e6d049076870e43a9f332a9f4c618b87b1baaf;p=sudo
When building up the cmndspec, add the actual command member last. This simplifies the logic regarding the SETENV tag and alsomakes "out of memory" cleanup simpler.
---
diff --git a/plugins/sudoers/ldap_util.c b/plugins/sudoers/ldap_util.c
index af6dbdd70..4e47eccc8 100644
--- a/plugins/sudoers/ldap_util.c
+++ b/plugins/sudoers/ldap_util.c
@@ -170,11 +170,7 @@ array_to_member_list(void *a, sudo_ldap_iter_t iter)
 }
 debug_return_ptr(members);
 bad:
- while ((m = TAILQ_FIRST(members)) != NULL) {
- TAILQ_REMOVE(members, m, entries);
- free(m->name);
- free(m);
- }
+ free_members(members);
 free(members);
 debug_return_ptr(NULL);
 }
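Review bot: The `bad:` path of array_to_member_list() now depends on free_members(), which is not defined in this diff, where the old loop unconditionally did `free(m->name); free(m);`. If free_members() releases `name` according to the member's type, every member built in this function needs its type set before it can reach `bad:`, otherwise a plain string could presumably be handled as something else. It also has to leave the list head alone, because `free(members);` follows on the next line. A comment such as `/* free_members() empties the list but does not free the head */` would record that once confirmed; the function body starts outside the hunk.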
@@ -356,43 +352,10 @@ sudo_ldap_role_to_priv(const char *cn, void *hosts, void *runasusers,
 cmndspec->notbefore = UNSPEC;
 cmndspec->notafter = UNSPEC;
 cmndspec->timeout = UNSPEC;
-
- /* Fill in member. */
- m->negated = negated;
- if (c == NULL) {
- /* No command name for "ALL" */
- m->type = ALL;
- } else {
- struct sudo_digest digest;
- char *args;
-
- m->type = COMMAND;
- m->name = (char *)c;
-
- /* Fill in command with optional digest. */
- if (sudo_ldap_extract_digest(&cmnd, &digest) != NULL) {
- if ((c->digest = malloc(sizeof(*c->digest))) == NULL) {
- free_member(m);
- goto oom;
- }
- *c->digest = digest;
- }
- if ((args = strpbrk(cmnd, " \t")) != NULL) {
- *args++ = '\0';
- if ((c->args = strdup(args)) == NULL) {
- free_member(m);
- goto oom;
- }
- }
- if ((c->cmnd = strdup(cmnd)) == NULL) {
- free_member(m);
- goto oom;
- }
- }
 cmndspec->cmnd = m;
 if (prev_cmndspec != NULL) {
- /* Inherit values from prior cmndspec */
+ /* Inherit values from prior cmndspec (common to the sudoRole). */
 cmndspec->runasuserlist = prev_cmndspec->runasuserlist;
 cmndspec->runasgrouplist = prev_cmndspec->runasgrouplist;
 cmndspec->notbefore = prev_cmndspec->notbefore;
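Review bot: After this hunk `cmndspec->cmnd = m;` links a member whose `type` and `name` are still unset, and `c` is not reachable from `m` until the fill-in block added at the end of the loop body (the @@ -516 hunk). If any of the option handling between the two hunks can `goto oom`, cleanup through free_privilege() would presumably find no `name` on `m` and never free `c`, a leak the removed code avoided by assigning `m->name = (char *)c;` first. The path also relies on `m` having been zero-allocated, which happens outside the hunk. Keeping `m->type = c != NULL ? COMMAND : ALL;` and `m->name = (char *)c;` ahead of `cmndspec->cmnd = m;`, and deferring only the digest, args and cmnd parsing, would keep the simpler cleanup without that window.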
@@ -516,9 +479,35 @@ sudo_ldap_role_to_priv(const char *cn, void *hosts, void *runasusers,
 /* So we can inherit previous values. */
 prev_cmndspec = cmndspec;
 }
- /* Sudo "ALL" implies the SETENV tag. */
- if (c == NULL && cmndspec->tags.setenv == UNSPEC)
- cmndspec->tags.setenv = IMPLIED;
+
+ /* Fill in command member now that options have been processed. */
+ m->negated = negated;
+ if (c == NULL) {
+ /* No command name for "ALL" */
+ m->type = ALL;
+ if (cmndspec->tags.setenv == UNSPEC)
+ cmndspec->tags.setenv = IMPLIED;
+ } else {
+ struct sudo_digest digest;
+ char *args;
+
+ m->type = COMMAND;
+ m->name = (char *)c;
+
+ /* Fill in command with optional digest. */
+ if (sudo_ldap_extract_digest(&cmnd, &digest) != NULL) {
+ if ((c->digest = malloc(sizeof(*c->digest))) == NULL)
+ goto oom;
+ *c->digest = digest;
+ }
+ if ((args = strpbrk(cmnd, " \t")) != NULL) {
+ *args++ = '\0';
+ if ((c->args = strdup(args)) == NULL)
+ goto oom;
+ }
+ if ((c->cmnd = strdup(cmnd)) == NULL)
+ goto oom;
+ }
 }
 /* Negated commands take precedence so we insert them at the end. */
 TAILQ_CONCAT(&priv->cmndlist, &negated_cmnds, entries);
@@ -527,8 +516,10 @@ sudo_ldap_role_to_priv(const char *cn, void *hosts, void *runasusers,
 oom:
 sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
- if (priv != NULL)
+ if (priv != NULL) {
+ TAILQ_CONCAT(&priv->cmndlist, &negated_cmnds, entries);
 free_privilege(priv);
+ }
 debug_return_ptr(NULL);
 }
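Review bot: The three `goto oom` exits in the new `else` branch of the @@ -516 hunk no longer call free_member(m), and nothing near them says why that is safe. It holds only because `m` was already stored in `cmndspec->cmnd` (the @@ -356 hunk) and `m->name = (char *)c;` is assigned before the first allocation, so the partly filled `c` is presumably released with the privilege. Re-adding a local free here later would become a double free on the oom path. I would add a comment above the digest allocation, e.g. `/* m and c are owned by cmndspec from here on; the oom path frees them with priv. */`, once that is confirmed against free_privilege(). The enclosing loop begins outside the hunk.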
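Review bot: In the @@ -527 hunk the added `TAILQ_CONCAT(&priv->cmndlist, &negated_cmnds, entries);` runs on every `goto oom` taken once `priv` is non-NULL, so `negated_cmnds` must already be a valid list head at the earliest such jump. Its declaration is outside the hunk; if it is set up with TAILQ_INIT() after `priv` is allocated rather than initialised at its declaration, an early failure would concatenate an uninitialised head. That is worth confirming. A short comment on the line, such as `/* also free cmndspecs still parked on negated_cmnds */`, would explain why the lists are merged before free_privilege().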