From: Todd C. Miller <Todd.Miller@courtesan.com>
Date: Tue, 13 Sep 2016 15:12:42 +0000 (-0600)
Subject: Don't check the username when matching a host netgroup unless
X-Git-Tag: SUDO_1_8_18^2~19
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=ca2a1f31099bc18bb963e5211b43fbe1156f4c0f;p=sudo

Don't check the username when matching a host netgroup unless
def_netgroup_tuple is enabled.
---

diff --git a/plugins/sudoers/match.c b/plugins/sudoers/match.c
index 3fb36f5e4..769fe8519 100644
--- a/plugins/sudoers/match.c
+++ b/plugins/sudoers/match.c
@@ -279,7 +279,7 @@ hostlist_matches(const struct passwd *pw, const struct member_list *list)
 		break;
 	    case NETGROUP:
 		if (netgr_matches(m->name, user_runhost, user_srunhost,
-		    pw->pw_name))
+		    def_netgroup_tuple ? pw->pw_name : NULL))
 		    matched = !m->negated;
 		break;
 	    case NTWKADDR: