From: Todd C. Miller
Date: Wed, 14 Sep 2016 16:33:27 +0000 (-0600)
Subject: Support negated sudoHost entries.
X-Git-Tag: SUDO_1_8_18^2~16
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=ff753d1e16586145caafac5d2dd3dcf10517700e;p=sudo

Support negated sudoHost entries.
---

diff --git a/plugins/sudoers/sssd.c b/plugins/sudoers/sssd.c
index 14179fc59..d616b8514 100644
--- a/plugins/sudoers/sssd.c
+++ b/plugins/sudoers/sssd.c
@@ -730,6 +730,7 @@ sudo_sss_check_host(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
 {
     char **val_array, *val;
     bool ret = false;
+    bool foundbang = false;
     int i;
     debug_decl(sudo_sss_check_host, SUDOERS_DEBUG_SSSD);
 
@@ -749,16 +750,21 @@ sudo_sss_check_host(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
     }
 
     /* walk through values */
-    for (i = 0; val_array[i] != NULL && !ret; ++i) {
+    for (i = 0; val_array[i] != NULL && !foundbang; ++i) {
 	val = val_array[i];
 	sudo_debug_printf(SUDO_DEBUG_DEBUG, "val[%d]=%s", i, val);
 
+	if (*val == '!') {
+	    val++;
+	    foundbang = true;
+	}
+
 	/* match any or address or netgroup or hostname */
 	if (strcmp(val, "ALL") == 0 ||
 	    addr_matches(val) ||
 	    netgr_matches(val, handle->host, handle->shost,
 		def_netgroup_tuple ? handle->pw->pw_name : NULL) ||
 	    hostname_matches(handle->shost, handle->host, val))
-	    ret = true;
+	    ret = !foundbang;
 	sudo_debug_printf(SUDO_DEBUG_INFO, "sssd/ldap sudoHost '%s' ... %s",
 	    val, ret ? "MATCH!" : "not");
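Review bot: In the second hunk `foundbang` is set before the match test, so the new loop condition `!foundbang` ends the walk at the first `!` value even when that value does not match the current host, and any later positive sudoHost values are never examined (with values `!other` then `thishost`, the function reports no match on thishost). Unless stopping at the first negation is intended, the flag should end the walk only when the negated value actually matched: the smallest change is to clear it on the non-matching path, `ret = !foundbang;` followed by `else foundbang = false;`, or to keep a separate `negated` flag and set `foundbang` only inside the match branch. The per-value log on the hunk's last two lines also prints `not` for a negated value that did match, because it keys on `ret` rather than on the match result; logging the match and the negation separately would make the trace reflect what was evaluated. The rest of sudo_sss_check_host, including its return, lies outside the hunk.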