From 0b59a0974d4e0f851620356904c7cf66d5b5e34b Mon Sep 17 00:00:00 2001
From: "Todd C. Miller" <Todd.Miller@courtesan.com>
Date: Tue, 11 Jan 2000 18:20:41 +0000
Subject: [PATCH] netgr_matches needs to check shost as well as host since they
 may be different.

---
 parse.c       | 14 +++++++++-----
 parse.h       |  2 +-
 parse.yacc    |  6 +++---
 sudo.tab.c    |  6 +++---
 testsudoers.c | 12 ++++++++----
 visudo.c      |  6 +++---
 6 files changed, 27 insertions(+), 19 deletions(-)

diff --git a/parse.c b/parse.c
index b8da3d617..9080da0b3 100644
--- a/parse.c
+++ b/parse.c
@@ -426,13 +426,14 @@ usergr_matches(group, user)
 
 /*
  * Returns TRUE if "host" and "user" belong to the netgroup "netgr",
- * else return FALSE.  Either of "host" or "user" may be NULL
+ * else return FALSE.  Either of "host", "shost" or "user" may be NULL
  * in which case that argument is not checked...
  */
 int
-netgr_matches(netgr, host, user)
+netgr_matches(netgr, host, shost, user)
     char *netgr;
     char *host;
+    char *shost;
     char *user;
 {
 #ifdef HAVE_GETDOMAINNAME
@@ -457,10 +458,13 @@ netgr_matches(netgr, host, user)
 #endif /* HAVE_GETDOMAINNAME */
 
 #ifdef HAVE_INNETGR
-    return(innetgr(netgr, host, user, domain));
-#else
-    return(FALSE);
+    if (innetgr(netgr, host, user, domain))
+	return(TRUE);
+    else if (host != shost && innetgr(netgr, shost, user, domain))
+	return(TRUE);
 #endif /* HAVE_INNETGR */
+
+    return(FALSE);
 }
 
 /*
diff --git a/parse.h b/parse.h
index 16ad97a07..e8a58b836 100644
--- a/parse.h
+++ b/parse.h
@@ -109,7 +109,7 @@ extern int top;
  */
 int addr_matches	__P((char *));
 int command_matches	__P((char *, char *, char *, char *));
-int netgr_matches	__P((char *, char *, char *));
+int netgr_matches	__P((char *, char *, char *, char *));
 int usergr_matches	__P((char *, char *));
 
 #endif /* _SUDO_PARSE_H */
diff --git a/parse.yacc b/parse.yacc
index 9c365b671..bff3424ce 100644
--- a/parse.yacc
+++ b/parse.yacc
@@ -354,7 +354,7 @@ host		:	ALL {
 			    free($1);
 			}
 		|	NETGROUP {
-			    if (netgr_matches($1, user_host, NULL))
+			    if (netgr_matches($1, user_host, user_shost, NULL))
 				$$ = TRUE;
 			    else
 				$$ = -1;
@@ -535,7 +535,7 @@ runasuser	:	WORD {
 				    user_matches == TRUE)
 				    append_runas($1, ", ");
 			    }
-			    if (netgr_matches($1, NULL, *user_runas))
+			    if (netgr_matches($1, NULL, NULL, *user_runas))
 				$$ = TRUE;
 			    else
 				$$ = -1;
@@ -789,7 +789,7 @@ user		:	WORD {
 			    free($1);
 			}
 		|	NETGROUP {
-			    if (netgr_matches($1, NULL, user_name))
+			    if (netgr_matches($1, NULL, NULL, user_name))
 				$$ = TRUE;
 			    else
 				$$ = -1;
diff --git a/sudo.tab.c b/sudo.tab.c
index f27276393..266b475e6 100644
--- a/sudo.tab.c
+++ b/sudo.tab.c
@@ -1256,7 +1256,7 @@ break;
 case 30:
 #line 356 "parse.yacc"
 {
-			    if (netgr_matches(yyvsp[0].string, user_host, NULL))
+			    if (netgr_matches(yyvsp[0].string, user_host, user_shost, NULL))
 				yyval.BOOLEAN = TRUE;
 			    else
 				yyval.BOOLEAN = -1;
@@ -1475,7 +1475,7 @@ case 49:
 				    user_matches == TRUE)
 				    append_runas(yyvsp[0].string, ", ");
 			    }
-			    if (netgr_matches(yyvsp[0].string, NULL, *user_runas))
+			    if (netgr_matches(yyvsp[0].string, NULL, NULL, *user_runas))
 				yyval.BOOLEAN = TRUE;
 			    else
 				yyval.BOOLEAN = -1;
@@ -1757,7 +1757,7 @@ break;
 case 84:
 #line 791 "parse.yacc"
 {
-			    if (netgr_matches(yyvsp[0].string, NULL, user_name))
+			    if (netgr_matches(yyvsp[0].string, NULL, NULL, user_name))
 				yyval.BOOLEAN = TRUE;
 			    else
 				yyval.BOOLEAN = -1;
diff --git a/testsudoers.c b/testsudoers.c
index c98fdb494..381a6b0d1 100644
--- a/testsudoers.c
+++ b/testsudoers.c
@@ -240,9 +240,10 @@ usergr_matches(group, user)
 }
 
 int
-netgr_matches(netgr, host, user)
+netgr_matches(netgr, host, shost, user)
     char *netgr;
     char *host;
+    char *shost;
     char *user;
 {
 #ifdef HAVE_GETDOMAINNAME
@@ -268,10 +269,13 @@ netgr_matches(netgr, host, user)
 #endif /* HAVE_GETDOMAINNAME */
 
 #ifdef HAVE_INNETGR
-    return(innetgr(netgr, host, user, domain));
-#else
-    return(FALSE);
+    if (innetgr(netgr, host, user, domain))
+	return(TRUE);
+    else if (host != shost && innetgr(netgr, shost, user, domain))
+	return(TRUE);
 #endif /* HAVE_INNETGR */
+
+    return(FALSE);
 }
 
 void
diff --git a/visudo.c b/visudo.c
index 8d51b7c15..e6092d674 100644
--- a/visudo.c
+++ b/visudo.c
@@ -93,7 +93,7 @@ static RETSIGTYPE Exit		__P((int));
 static void setup_signals	__P((void));
 int command_matches		__P((char *, char *, char *, char *));
 int addr_matches		__P((char *));
-int netgr_matches		__P((char *, char *, char *));
+int netgr_matches		__P((char *, char *, char *, char *));
 int usergr_matches		__P((char *, char *));
 void init_parser		__P((void));
 void yyrestart			__P((FILE *));
@@ -401,8 +401,8 @@ usergr_matches(g, u)
 }
 
 int
-netgr_matches(n, h, u)
-    char *n, *h, *u;
+netgr_matches(n, h, sh, u)
+    char *n, *h, *sh, *u;
 {
     return(TRUE);
 }
-- 
2.40.0