From 27aff732f1f83c4235001c001f5b8d11c2d2bd11 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Wed, 9 Apr 2014 10:22:09 -0600
Subject: [PATCH] Fix matching of uids and gids broken in sudo 1.8.9.

---
 MANIFEST | 4 ++++
 plugins/sudoers/match.c | 4 ++--
 plugins/sudoers/regress/testsudoers/test6.out.ok | 10 ++++++++++
 plugins/sudoers/regress/testsudoers/test6.sh | 11 +++++++++++
 plugins/sudoers/regress/testsudoers/test7.out.ok | 10 ++++++++++
 plugins/sudoers/regress/testsudoers/test7.sh | 11 +++++++++++
 6 files changed, 48 insertions(+), 2 deletions(-)
 create mode 100644 plugins/sudoers/regress/testsudoers/test6.out.ok
 create mode 100755 plugins/sudoers/regress/testsudoers/test6.sh
 create mode 100644 plugins/sudoers/regress/testsudoers/test7.out.ok
 create mode 100755 plugins/sudoers/regress/testsudoers/test7.sh

diff --git a/MANIFEST b/MANIFEST
index f5b45b81c..3c36b2714 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -364,6 +364,10 @@ plugins/sudoers/regress/testsudoers/test4.out.ok
 plugins/sudoers/regress/testsudoers/test4.sh
 plugins/sudoers/regress/testsudoers/test5.out.ok
 plugins/sudoers/regress/testsudoers/test5.sh
+plugins/sudoers/regress/testsudoers/test6.out.ok
+plugins/sudoers/regress/testsudoers/test6.sh
+plugins/sudoers/regress/testsudoers/test7.out.ok
+plugins/sudoers/regress/testsudoers/test7.sh
 plugins/sudoers/regress/visudo/test1.out.ok
 plugins/sudoers/regress/visudo/test1.sh
 plugins/sudoers/regress/visudo/test2.err.ok
diff --git a/plugins/sudoers/match.c b/plugins/sudoers/match.c
index 62ffcdb37..1ce8e2d66 100644
--- a/plugins/sudoers/match.c
+++ b/plugins/sudoers/match.c
@@ -802,7 +802,7 @@ userpw_matches(const char *sudoers_user, const char *user, const struct passwd *
 if (pw != NULL && *sudoers_user == '#') {
 uid = (uid_t) atoid(sudoers_user + 1, NULL, NULL, &errstr);
- if (errstr != NULL && uid == pw->pw_uid) {
+ if (errstr == NULL && uid == pw->pw_uid) {
 rc = true;
 goto done;
 }
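Review bot: The check `if (errstr == NULL && uid == pw->pw_uid)` in userpw_matches carries no comment stating the atoid() contract it relies on (as the fix implies, errstr is NULL only when the id parsed), and the `gid == gr->gr_gid` check in the group_matches hunk has the same gap. A one-line comment above each, such as `/* errstr is NULL on success; never compare the id after a failed parse */`, would keep the sense from being flipped again. With the inverted condition a valid `#uid` or `#gid` entry could never match, which also silently disables negated entries, and only a failed parse reached the id comparison. The tests visible here exercise the positive match for root, so a negative case with a malformed id that must not match would pin the error branch as well. Both function bodies start and end outside the hunks.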
@@ -829,7 +829,7 @@ group_matches(const char *sudoers_group, const struct group *gr)
 if (*sudoers_group == '#') {
 gid = (gid_t) atoid(sudoers_group + 1, NULL, NULL, &errstr);
- if (errstr != NULL && gid == gr->gr_gid) {
+ if (errstr == NULL && gid == gr->gr_gid) {
 rc = true;
 goto done;
 }
diff --git a/plugins/sudoers/regress/testsudoers/test6.out.ok b/plugins/sudoers/regress/testsudoers/test6.out.ok
new file mode 100644
index 000000000..eabeb20e7
--- /dev/null
+++ b/plugins/sudoers/regress/testsudoers/test6.out.ok
@@ -0,0 +1,10 @@
+Parses OK.
+
+Entries for user root:
+
+ALL = ALL
+ host matched
+ runas matched
+ cmnd allowed
+
+Command allowed
diff --git a/plugins/sudoers/regress/testsudoers/test6.sh b/plugins/sudoers/regress/testsudoers/test6.sh
new file mode 100755
index 000000000..ee9f93d37
--- /dev/null
+++ b/plugins/sudoers/regress/testsudoers/test6.sh
@@ -0,0 +1,11 @@
+#!/bin/sh
+#
+# Verify sudoers matching by uid.
+#
+
+exec 2>&1
+./testsudoers root id <&1 +./testsudoers root id <