From 0ff95dfaaa4e1626a837e066e21ce865e9b8b98c Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Thu, 15 Sep 2016 13:36:43 -0600
Subject: [PATCH] When matching against runas_default use userpw_matches() instead of just strcasecmp().
---
 plugins/sudoers/ldap.c | 6 ++++--
 plugins/sudoers/sssd.c | 3 ++-
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c
index d712b6b40..3ef461976 100644
--- a/plugins/sudoers/ldap.c
+++ b/plugins/sudoers/ldap.c
@@ -870,8 +870,10 @@ sudo_ldap_check_runas(LDAP *ld, LDAPMessage *entry)
 * If there are no runas entries, match runas_default against
 * what the user specified on the command line.
 */
- if (user_matched == UNSPEC && group_matched == UNSPEC)
- debug_return_int(!strcasecmp(runas_pw->pw_name, def_runas_default));
+ if (user_matched == UNSPEC && group_matched == UNSPEC) {
+ debug_return_int(userpw_matches(def_runas_default, runas_pw->pw_name,
+ runas_pw));
+ }

 debug_return_bool(group_matched != false && user_matched != false);
 }
diff --git a/plugins/sudoers/sssd.c b/plugins/sudoers/sssd.c
index 6aa38fc9e..8f341d9ed 100644
--- a/plugins/sudoers/sssd.c
+++ b/plugins/sudoers/sssd.c
@@ -716,7 +716,8 @@ sudo_sss_check_runas(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
 */
 if (user_matched == UNSPEC && group_matched == UNSPEC) {
 sudo_debug_printf(SUDO_DEBUG_INFO, "Matching against runas_default");
- debug_return_int(!strcasecmp(runas_pw->pw_name, def_runas_default));
+ debug_return_int(userpw_matches(def_runas_default, runas_pw->pw_name,
+ runas_pw));
 }

 debug_return_bool(group_matched != false && user_matched != false);
--
2.50.1
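Review bot: The comment above the new `userpw_matches()` call in sudo_ldap_check_runas still describes a plain comparison against the name given on the command line, although the call now also receives `runas_pw`. This branch decides whether a rule with no runas entries authorizes the requested target user, so the comment should state which forms of runas_default are accepted. If userpw_matches() (defined outside this patch) also accepts a numeric ID, wording such as `* what the user specified on the command line (by name or "#uid").` would cover it; the same applies to the sssd.c hunk in sudo_sss_check_runas. It is also worth confirming whether the helper compares names case-sensitively, because the removed `strcasecmp()` did not and that changes which spellings of runas_default match. Both functions begin outside their hunks.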