From: Todd C. Miller
Date: Tue, 1 Jan 2008 19:01:42 +0000 (+0000)
Subject: Define LDAPNOINIT before calling ldap_init(), etc. to disable user
X-Git-Tag: SUDO_1_7_0~276
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=cd30e84743eddb30dc5e21e76a78fbaa4dc40cdc;p=sudo

Define LDAPNOINIT before calling ldap_init(), etc. to disable user ldaprc and system defaults that could affect how LDAP works.
---
diff --git a/env.c b/env.c
index baa467493..13272c73a 100644
--- a/env.c
+++ b/env.c
@@ -261,7 +261,7 @@ _sudo_setenv(var, val, dupcheck)
 insert_env(estring, dupcheck, FALSE);
 }
 
-#if defined(HAVE_LDAP_SASL_INTERACTIVE_BIND_S) && !defined(HAVE_GSS_KRB5_CCACHE_NAME)
+#ifdef HAVE_LDAP
 /*
 * External version of sudo_setenv() that keeps things in sync with
 * the environ pointer.
@@ -318,7 +318,7 @@ sudo_unsetenv(var)
 }
 }
 }
-#endif /* HAVE_LDAP_SASL_INTERACTIVE_BIND_S && !HAVE_GSS_KRB5_CCACHE_NAME */
+#endif /* HAVE_LDAP */
 
 /*
 * Insert str into env.envp, assumes str has an '=' in it.
diff --git a/ldap.c b/ldap.c
index 7587fda97..530ff92c5 100644
--- a/ldap.c
+++ b/ldap.c
@@ -1150,7 +1150,7 @@ sudo_ldap_open(nss)
 {
 LDAP *ld;
 const char *old_ccname = user_ccname;
- int rc;
+ int rc, ldapnoinit = FALSE;
 #ifdef HAVE_GSS_KRB5_CCACHE_NAME
 unsigned int status;
 #endif
@@ -1158,6 +1158,12 @@ sudo_ldap_open(nss)
 if (!sudo_ldap_read_config())
 return(-1);
 
+ /* Prevent reading of user ldaprc and system defaults. */
+ if (getenv("LDAPNOINIT") == NULL) {
+ ldapnoinit = TRUE;
+ sudo_setenv("LDAPNOINIT", "1", TRUE);
+ }
+
 #ifdef HAVE_LDAPSSL_INIT
 if (ldap_conf.ssl_mode == SUDO_LDAP_SSL) {
 DPRINTF(("ldapssl_clientauth_init(%s, %s)",
@@ -1200,6 +1206,9 @@ sudo_ldap_open(nss)
 }
 }
 
+ if (ldapnoinit)
+ sudo_unsetenv("LDAPNOINIT");
+
 /* Set LDAP options */
 if (sudo_ldap_set_options(ld) < 0)
 return(-1);
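Review bot: In the ldap.c hunk at -1158,6 +1158,12, the new comment says what the block prevents but not why the variable is set only when absent, nor that the guard relies on the LDAP library honouring LDAPNOINIT by presence alone. When the invoking user already exports LDAPNOINIT (even with an empty value), `getenv()` returns non-NULL, nothing is set and `ldapnoinit` stays FALSE; that is only safe if every supported library skips ldaprc for any value, which should be confirmed rather than assumed. I would expand the comment to something like `/* Keep libldap from reading the invoking user's ldaprc and LDAP* defaults; remember whether we added LDAPNOINIT so only our own setting is removed later. */`. sudo_ldap_open() starts and ends outside this hunk.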
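Review bot: In the ldap.c hunk at -1200,6 +1206,9, `sudo_unsetenv("LDAPNOINIT")` is reached only when execution falls through the connection setup; any `return(-1)` between the earlier `sudo_setenv()` call and this point would leave the sudo-added LDAPNOINIT=1 in the environment (that code lies outside the visible hunks, so this is inferred). If sudo then goes on to run a command, the variable would be handed to it and silently change how LDAP clients behave for that user. The removal also happens before `sudo_ldap_set_options(ld)` and any later bind, which assumes the library reads ldaprc and defaults only while the handle is created; a short comment such as `/* libldap defaults are read once at init, so LDAPNOINIT can be dropped here */` would record that assumption, to be confirmed against the libraries sudo supports. Routing the failure exits through one cleanup point that repeats `if (ldapnoinit) sudo_unsetenv("LDAPNOINIT");` would close the first gap.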