From: Todd C. Miller
Date: Thu, 15 Sep 2016 15:37:53 +0000 (-0600)
Subject: Update check for whether or not the runas user was set in the ldap
X-Git-Tag: SUDO_1_8_18^2~11
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=ef82f792a1883518ed46c559eb358790e537abc8;p=sudo
Update check for whether or not the runas user was set in the ldap and sssd backends to match the sudoers file backend. Introduces the runas_user_set() macro to improve readability. Previously, runas_pw was set late, now it is set before checking sudoers.
---
diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c
index fa65368d2..ce633c338 100644
--- a/plugins/sudoers/ldap.c
+++ b/plugins/sudoers/ldap.c
@@ -764,7 +764,7 @@ sudo_ldap_check_runas_user(LDAP *ld, LDAPMessage *entry)
 bool ret = false;
 debug_decl(sudo_ldap_check_runas_user, SUDOERS_DEBUG_LDAP)
- if (!runas_pw)
+ if (!runas_user_set())
 debug_return_int(UNSPEC);
 /* get the runas user from the entry */
diff --git a/plugins/sudoers/match.c b/plugins/sudoers/match.c
index 769fe8519..982a3ff96 100644
--- a/plugins/sudoers/match.c
+++ b/plugins/sudoers/match.c
@@ -158,7 +158,7 @@ runaslist_matches(const struct member_list *user_list,
 * and a runas group was specified.
 * This logic assumes that we cache and refcount passwd structs.
 */
- if (!(runas_pw == sudo_user.pw && runas_gr != NULL)) {
+ if (runas_user_set()) {
 /* If no runas user or runas group listed in sudoers, use default. */
 if (user_list == NULL && group_list == NULL) {
 debug_return_int(userpw_matches(def_runas_default,
diff --git a/plugins/sudoers/parse.h b/plugins/sudoers/parse.h
index 973d0ac60..8398d5234 100644
--- a/plugins/sudoers/parse.h
+++ b/plugins/sudoers/parse.h
@@ -27,6 +27,11 @@
 #undef IMPLIED
 #define IMPLIED 2
+/*
+ * Returns true if a runas user was specified on the command line.
+ */
+#define runas_user_set() (runas_pw != sudo_user.pw || runas_gr == NULL)
+
 /*
 * Initialize all tags to UNSPEC.
 */
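Review bot: In plugins/sudoers/ldap.c the new guard in sudo_ldap_check_runas_user() no longer stops on a NULL runas_pw: `runas_user_set()` compares pointers, so a NULL runas_pw differs from a non-NULL sudo_user.pw, the macro evaluates true and the function carries on. The commit message says runas_pw is now set before sudoers is checked, but that change is not visible in this diff and the rest of the function lies outside the hunk, so it cannot be confirmed here that every path into it has runas_pw populated. Because this function decides which target user an LDAP rule authorises, I would keep the cheap guard as well, `if (runas_pw == NULL || !runas_user_set())`. The same applies to the identical change in sudo_sss_check_runas_user() in plugins/sudoers/sssd.c.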
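Review bot: The comment added above `runas_user_set()` in plugins/sudoers/parse.h claims more than the macro tests, since the expression is also true whenever `runas_gr == NULL`, that is when neither a runas user nor a runas group was given. It is false only when runas_pw is still the invoking user's passwd entry and a runas group is set, and it decides that by pointer identity, which the comment kept in match.c says depends on passwd structs being cached and refcounted; an explicit runas user equal to the invoking user combined with a group would presumably look the same as a group alone. I would say so in the comment, for example `/* False only when just a runas group was given (runas_pw is the invoking user's cached entry and runas_gr is set); relies on passwd struct caching. */`. The macro takes no arguments yet reads `runas_pw`, `sudo_user` and `runas_gr`, so the comment should also name those as required at every use site.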
diff --git a/plugins/sudoers/sssd.c b/plugins/sudoers/sssd.c
index ffb8e0f2d..e40c297b8 100644
--- a/plugins/sudoers/sssd.c
+++ b/plugins/sudoers/sssd.c
@@ -568,7 +568,7 @@ sudo_sss_check_runas_user(struct sudo_sss_handle *handle, struct sss_sudo_rule *
 int ret = false, i;
 debug_decl(sudo_sss_check_runas_user, SUDOERS_DEBUG_SSSD);
- if (!runas_pw)
+ if (!runas_user_set())
 debug_return_int(UNSPEC);
 /* get the runas user from the entry */