From 217710df3602a726d935ee051e97f7309a55d600 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Mon, 29 Mar 1999 00:05:15 +0000 Subject: [PATCH] Fix a parser bug that was exposed when mixing different runas specs and ! commands. For example: millert ALL=(daemon) /usr/bin/whoami,!/bin/ls would allow millert to run whoami as root as well as daemon when it should just allow daemon. The problem was that comma-separated commands in a list shared the same entry on the matching stack. Now they get their own entry iff there is a full match. It may be better to just make the runas spec persistent across all commands in a list like the user and host entries of the matching stack. However, since that is a fairly major change it should get its own minor rev increase. --- CHANGES | 3 +++ INSTALL | 3 +-- parse.yacc | 5 +++++ 3 files changed, 9 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index 5347eecbf..86c72ee34 100644 --- a/CHANGES +++ b/CHANGES @@ -1030,3 +1030,6 @@ Sudo 1.5.8p2 released. 323) Fixed a segv if HOST_IN_LOG defined and gethostbyname() fails. Reported by Gero Treuner . + +324) Fixed a parse bug wrt the ! operator and runas specs. Noted by + David A Beck . diff --git a/INSTALL b/INSTALL index 8ccf9a1cc..d29753eb9 100644 --- a/INSTALL +++ b/INSTALL @@ -185,8 +185,7 @@ Special features/options: on the machine. --with-pam - Enable PAM support. Tested on Redhat Linux 5.x but should work on - earlier versions too. Does *not* work on Solaris. + Enable PAM support. Tested on Redhat Linux 5.x and Solaris 2.6. --with-AFS Enable AFS support with kerberos authentication. Should work under diff --git a/parse.yacc b/parse.yacc index 731274870..db58d7df1 100644 --- a/parse.yacc +++ b/parse.yacc 
@@ -275,10 +275,15 @@ cmndspec : runasspec nopasswd opcmnd { runas_matches = TRUE; if ($2 == TRUE) no_passwd = TRUE; + push; } else if (printmatches == TRUE) { cm_list[cm_list_len].runas_len = 0; cm_list[cm_list_len].cmnd_len = 0; cm_list[cm_list_len].nopasswd = FALSE; + } else { + cmnd_matches = -1; + runas_matches = -1; + no_passwd = -1; } } ; -- 2.50.1
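Review bot: The new CHANGES entry 324 ("Fixed a parse bug wrt the ! operator and runas specs") does not say that the bug had a privilege impact. The commit message states that a rule restricted to (daemon) also let the command run as root; the changelog line should say that in one clause so administrators reading CHANGES can tell this is a fix they need, not a cosmetic parser cleanup.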
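Review bot: The INSTALL hunk for --with-pam is unrelated to the parser fix and is not mentioned in the commit message. It replaces "Does *not* work on Solaris" with "Tested on Redhat Linux 5.x and Solaris 2.6" and drops the note about earlier Red Hat versions. Please move it to its own commit with a message naming the change that made PAM work on Solaris, so the security fix can be reviewed and backported on its own.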
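Review bot: In the parse.yacc cmndspec hunk, the reset of cmnd_matches, runas_matches and no_passwd to -1 is added only in the final else, so the "else if (printmatches == TRUE)" branch still leaves those three values untouched when there is no full match. Please confirm that stale state cannot carry over to the next comma-separated command on that path, or reset there as well. The added "push;" and the bare -1 values also need a short comment saying that an entry is pushed only on a full match and that -1 means unset, since the fix depends on both. The diffstat touches only CHANGES, INSTALL and parse.yacc; a sudoers test case for the "ALL=(daemon) /usr/bin/whoami,!/bin/ls" line from the commit message would keep this from regressing.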