From: Todd C. Miller Date: Tue, 14 Feb 2017 22:56:34 +0000 (-0700) Subject: Only inherit SELinux role/type and Solaris privilege sets if X-Git-Tag: SUDO_1_8_20^2~111 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=d7f7cf7a79f53cfd8fd8a3e7e138cd62a5fc0179;p=sudo Only inherit SELinux role/type and Solaris privilege sets if the command does not include any. Previously, a command with only a role would inherit a type from the previous command which is not what was intended.
---
diff --git a/plugins/sudoers/gram.c b/plugins/sudoers/gram.c
index c2f523609..ad9150e0b 100644
--- a/plugins/sudoers/gram.c
+++ b/plugins/sudoers/gram.c
@@ -1436,17 +1436,17 @@ case 35:
 HLTQ_CONCAT(yyvsp[-2].cmndspec, yyvsp[0].cmndspec, entries);
 #ifdef HAVE_SELINUX
 /* propagate role and type */
- if (yyvsp[0].cmndspec->role == NULL)
+ if (yyvsp[0].cmndspec->role == NULL && yyvsp[0].cmndspec->type == NULL) {
 yyvsp[0].cmndspec->role = prev->role;
- if (yyvsp[0].cmndspec->type == NULL)
 yyvsp[0].cmndspec->type = prev->type;
+ }
 #endif /* HAVE_SELINUX */
 #ifdef HAVE_PRIV_SET
 /* propagate privs & limitprivs */
- if (yyvsp[0].cmndspec->privs == NULL)
+ if (yyvsp[0].cmndspec->privs == NULL && yyvsp[0].cmndspec->limitprivs == NULL) {
 yyvsp[0].cmndspec->privs = prev->privs;
- if (yyvsp[0].cmndspec->limitprivs == NULL)
 yyvsp[0].cmndspec->limitprivs = prev->limitprivs;
+ }
 #endif /* HAVE_PRIV_SET */
 /* propagate command timeout */
 if (yyvsp[0].cmndspec->timeout == UNSPEC)
diff --git a/plugins/sudoers/gram.y b/plugins/sudoers/gram.y
index 39fb51f64..04d68bf2c 100644
--- a/plugins/sudoers/gram.y
+++ b/plugins/sudoers/gram.y
@@ -343,17 +343,17 @@ cmndspeclist : cmndspec
 HLTQ_CONCAT($1, $3, entries);
 #ifdef HAVE_SELINUX
 /* propagate role and type */
- if ($3->role == NULL)
+ if ($3->role == NULL && $3->type == NULL) {
 $3->role = prev->role;
- if ($3->type == NULL)
 $3->type = prev->type;
+ }
 #endif /* HAVE_SELINUX */
 #ifdef HAVE_PRIV_SET
 /* propagate privs & limitprivs */
- if ($3->privs == NULL)
+ if ($3->privs == NULL && $3->limitprivs == NULL) {
 $3->privs = prev->privs;
- if ($3->limitprivs == NULL)
 $3->limitprivs = prev->limitprivs;
+ }
 #endif /* HAVE_PRIV_SET */
 /* propagate command timeout */
 if ($3->timeout == UNSPEC)
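Review bot: The comment `/* propagate role and type */` above the changed condition still reads as per-field propagation, while the new condition makes inheritance all-or-nothing; suggest `/* inherit role and type from the previous entry only if the command sets neither */`, and likewise `/* inherit privs and limitprivs only if the command sets neither */` for the HAVE_PRIV_SET block. Because this silently changes what a sudoers entry grants (a spec with only `ROLE=` no longer picks up the previous `TYPE=`, and one with only `PRIVS=` no longer picks up `LIMITPRIVS=`), the sudoers(5) description of inheritance within a command list should state the same rule, if it does not already. The identical change in the generated gram.c hunk needs no separate review. The cmndspeclist action begins (where `prev` is set) and ends (timeout propagation onward) outside this hunk.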