From: Todd C. Miller Date: Thu, 15 Sep 2016 16:46:57 +0000 (-0600) Subject: Only match against runas_default if both sudoRunAsUser and X-Git-Tag: SUDO_1_8_18^2~9 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=fb32867e4c9ada399e48ed1d7c1efa65a35d3fbd;p=sudo Only match against runas_default if both sudoRunAsUser and sudoRunAsGroup are missing. --- diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c index ce633c338..bf1d41cc7 100644 --- a/plugins/sudoers/ldap.c +++ b/plugins/sudoers/ldap.c @@ -764,13 +764,12 @@ sudo_ldap_check_runas_user(LDAP *ld, LDAPMessage *entry) bool ret = false; debug_decl(sudo_ldap_check_runas_user, SUDOERS_DEBUG_LDAP) - if (!runas_user_set()) - debug_return_int(UNSPEC); - /* get the runas user from the entry */ bv = ldap_get_values_len(ld, entry, "sudoRunAsUser"); if (bv == NULL) bv = ldap_get_values_len(ld, entry, "sudoRunAs"); /* old style */ + if (bv == NULL) + debug_return_int(false); /* * BUG: @@ -789,13 +788,6 @@ sudo_ldap_check_runas_user(LDAP *ld, LDAPMessage *entry) * Sigh - maybe add this feature later */ - /* - * If there are no runas entries, match runas_default against - * what the user specified on the command line. - */ - if (bv == NULL) - debug_return_int(!strcasecmp(runas_pw->pw_name, def_runas_default)); - /* walk through values returned, looking for a match */ for (p = bv; *p != NULL && !ret; p++) { val = (*p)->bv_val; @@ -836,10 +828,6 @@ sudo_ldap_check_runas_group(LDAP *ld, LDAPMessage *entry) bool ret = false; debug_decl(sudo_ldap_check_runas_group, SUDOERS_DEBUG_LDAP) - /* runas_gr is only set if the user specified the -g flag */ - if (!runas_gr) - debug_return_int(UNSPEC); - /* get the values from the entry */ bv = ldap_get_values_len(ld, entry, "sudoRunAsGroup"); if (bv == NULL) @@ -866,16 +854,26 @@ sudo_ldap_check_runas_group(LDAP *ld, LDAPMessage *entry) static bool sudo_ldap_check_runas(LDAP *ld, LDAPMessage *entry) { - bool ret; + bool user_matched = UNSPEC; + bool group_matched = UNSPEC; debug_decl(sudo_ldap_check_runas, SUDOERS_DEBUG_LDAP) if (!entry) debug_return_bool(false); - ret = sudo_ldap_check_runas_user(ld, entry) != false && - sudo_ldap_check_runas_group(ld, entry) != false; + if (runas_user_set()) + user_matched = sudo_ldap_check_runas_user(ld, entry); + if (runas_gr != NULL) + group_matched = sudo_ldap_check_runas_group(ld, entry); - debug_return_bool(ret); + /* + * If there are no runas entries, match runas_default against + * what the user specified on the command line. + */ + if (user_matched == UNSPEC && group_matched == UNSPEC) + debug_return_int(!strcasecmp(runas_pw->pw_name, def_runas_default)); + + debug_return_bool(group_matched != false && user_matched != false); } static struct sudo_digest * diff --git a/plugins/sudoers/sssd.c b/plugins/sudoers/sssd.c index e40c297b8..93cb7a61e 100644 --- a/plugins/sudoers/sssd.c +++ b/plugins/sudoers/sssd.c @@ -568,35 +568,23 @@ sudo_sss_check_runas_user(struct sudo_sss_handle *handle, struct sss_sudo_rule * int ret = false, i; debug_decl(sudo_sss_check_runas_user, SUDOERS_DEBUG_SSSD); - if (!runas_user_set()) - debug_return_int(UNSPEC); - /* get the runas user from the entry */ - switch (handle->fn_get_values(sss_rule, "sudoRunAsUser", &val_array)) { + i = handle->fn_get_values(sss_rule, "sudoRunAsUser", &val_array); + if (i == ENOENT) { + sudo_debug_printf(SUDO_DEBUG_INFO, + "sudoRunAsUser: no result, trying sudoRunAs"); + i = handle->fn_get_values(sss_rule, "sudoRunAs", &val_array); + } + switch (i) { case 0: break; case ENOENT: - sudo_debug_printf(SUDO_DEBUG_INFO, "No result. Trying old style (sudoRunAs)"); - - /* try old style */ - switch (handle->fn_get_values(sss_rule, "sudoRunAs", &val_array)) { - case 0: - break; - case ENOENT: - sudo_debug_printf(SUDO_DEBUG_INFO, "No result. Matching against runas_default"); - /* - * If there are no runas entries, match runas_default against - * what the user specified on the command line. - */ - return !strcasecmp(runas_pw->pw_name, def_runas_default); - default: - sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoRunAs): != 0"); - debug_return_int(UNSPEC); - } - break; + sudo_debug_printf(SUDO_DEBUG_INFO, "sudoRunAsUser: no result."); + debug_return_int(false); default: - sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoRunAsUser): != 0"); - debug_return_int(UNSPEC); + sudo_debug_printf(SUDO_DEBUG_INFO, + "handle->fn_get_values(sudoRunAsUser): %d", i); + debug_return_int(false); } /* @@ -672,21 +660,18 @@ sudo_sss_check_runas_group(struct sudo_sss_handle *handle, struct sss_sudo_rule int ret = false, i; debug_decl(sudo_sss_check_runas_group, SUDOERS_DEBUG_SSSD); - /* runas_gr is only set if the user specified the -g flag */ - if (!runas_gr) - debug_return_int(UNSPEC); - /* get the values from the entry */ - switch (handle->fn_get_values(rule, "sudoRunAsGroup", &val_array)) { + i = handle->fn_get_values(rule, "sudoRunAsGroup", &val_array); + switch (i) { case 0: break; case ENOENT: - sudo_debug_printf(SUDO_DEBUG_INFO, "No result."); + sudo_debug_printf(SUDO_DEBUG_INFO, "sudoRunAsGroup: no result."); debug_return_int(false); default: sudo_debug_printf(SUDO_DEBUG_INFO, - "handle->fn_get_values(sudoRunAsGroup): != 0"); - debug_return_int(UNSPEC); + "handle->fn_get_values(sudoRunAsGroup): %d", i); + debug_return_int(false); } /* walk through values returned, looking for a match */ @@ -713,16 +698,28 @@ sudo_sss_check_runas_group(struct sudo_sss_handle *handle, struct sss_sudo_rule static bool sudo_sss_check_runas(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule) { - bool ret; + bool user_matched = UNSPEC; + bool group_matched = UNSPEC; debug_decl(sudo_sss_check_runas, SUDOERS_DEBUG_SSSD); if (rule == NULL) debug_return_bool(false); - ret = sudo_sss_check_runas_user(handle, rule) != false && - sudo_sss_check_runas_group(handle, rule) != false; + if (runas_user_set()) + user_matched = sudo_sss_check_runas_user(handle, rule); + if (runas_gr != NULL) + group_matched = sudo_sss_check_runas_group(handle, rule); - debug_return_bool(ret); + /* + * If there are no runas entries, match runas_default against + * what the user specified on the command line. + */ + if (user_matched == UNSPEC && group_matched == UNSPEC) { + sudo_debug_printf(SUDO_DEBUG_INFO, "Matching against runas_default"); + debug_return_int(!strcasecmp(runas_pw->pw_name, def_runas_default)); + } + + debug_return_bool(group_matched != false && user_matched != false); } static bool