From: Todd C. Miller
Date: Fri, 3 Jun 2016 20:07:40 +0000 (-0600)
Subject: When matching host, short-circuit the loop when we get a match.
X-Git-Tag: SUDO_1_8_17^2~20
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=ccf88d3bb22fbb9804fd66bd4fb4ab6c168b10f4;p=sudo
When matching host, short-circuit the loop when we get a match.
Only check username as part of the netgroup when netgroup_tuple is enabled.
---
diff --git a/plugins/sudoers/sssd.c b/plugins/sudoers/sssd.c
index 23a486cf7..b501258de 100644
--- a/plugins/sudoers/sssd.c
+++ b/plugins/sudoers/sssd.c
@@ -668,13 +668,14 @@ sudo_sss_check_host(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
 }
 /* walk through values */
- for (i = 0; val_array[i] != NULL; ++i) {
+ for (i = 0; val_array[i] != NULL && !ret; ++i) {
 val = val_array[i];
 sudo_debug_printf(SUDO_DEBUG_DEBUG, "val[%d]=%s", i, val);
 /* match any or address or netgroup or hostname */
- if (strcmp(val, "ALL") == 0 || addr_matches(val) || netgr_matches(val,
- user_runhost, user_srunhost, handle->pw->pw_name) ||
+ if (strcmp(val, "ALL") == 0 || addr_matches(val) ||
+ netgr_matches(val, user_runhost, user_srunhost,
+ def_netgroup_tuple ? handle->pw->pw_name : NULL) ||
 hostname_matches(user_srunhost, user_runhost, val))
 ret = true;
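Review bot: The new `def_netgroup_tuple ? handle->pw->pw_name : NULL` argument to `netgr_matches()` changes an access-control decision but has no comment explaining it. With netgroup_tuple disabled, the user name is no longer passed, so a host netgroup entry presumably matches without the user field being consulted. Sites whose SSSD rules relied on that field to narrow the match may see more rules apply after upgrading, which deserves a line in the release notes. I would add above the call `/* Only pass the user to the netgroup check when netgroup_tuple is set; otherwise match on host alone. */`. The `!ret` loop condition also depends on `ret` being false on entry; its declaration is outside this hunk, as are the start and end of `sudo_sss_check_host`, so please confirm the initial value there.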