From d64153967e5452905420fb502d72651c47e91079 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Thu, 15 Sep 2016 11:29:27 -0600
Subject: [PATCH] Fix printing of the default runas user when a RunAsGroup is specified but no RunAsUser is present.
---
plugins/sudoers/ldap.c | 42 ++++++++++++++++++++++++++++++++----------
plugins/sudoers/sssd.c | 36 ++++++++++++++++++++++++++++--------
2 files changed, 60 insertions(+), 18 deletions(-)
diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c
index bf1d41cc7..d712b6b40 100644
--- a/plugins/sudoers/ldap.c
+++ b/plugins/sudoers/ldap.c
@@ -2357,9 +2357,11 @@ sudo_ldap_display_bound_defaults(struct sudo_nss *nss, struct passwd *pw,
* Print a record in the short form, ala file sudoers.
*/
static int
-sudo_ldap_display_entry_short(LDAP *ld, LDAPMessage *entry, struct sudo_lbuf *lbuf)
+sudo_ldap_display_entry_short(LDAP *ld, LDAPMessage *entry, struct passwd *pw,
+ struct sudo_lbuf *lbuf)
{
struct berval **bv, **p;
+ bool no_runas_user = true;
int count = 0;
debug_decl(sudo_ldap_display_entry_short, SUDOERS_DEBUG_LDAP)

@@ -2374,17 +2376,26 @@ sudo_ldap_display_entry_short(LDAP *ld, LDAPMessage *entry, struct sudo_lbuf *lb
sudo_lbuf_append(lbuf, "%s%s", p != bv ? ", " : "", (*p)->bv_val);
}
ldap_value_free_len(bv);
- } else
- sudo_lbuf_append(lbuf, "%s", def_runas_default);
+ no_runas_user = false;
+ }

/* get the RunAsGroup Values from the entry */
bv = ldap_get_values_len(ld, entry, "sudoRunAsGroup");
if (bv != NULL) {
+ if (no_runas_user) {
+ /* finish printing sudoRunAs */
+ sudo_lbuf_append(lbuf, "%s", pw->pw_name);
+ }
sudo_lbuf_append(lbuf, " : ");
for (p = bv; *p != NULL; p++) {
sudo_lbuf_append(lbuf, "%s%s", p != bv ? ", " : "", (*p)->bv_val);
}
ldap_value_free_len(bv);
+ } else {
+ if (no_runas_user) {
+ /* finish printing sudoRunAs */
+ sudo_lbuf_append(lbuf, "%s", def_runas_default);
+ }
}

sudo_lbuf_append(lbuf, ") ");
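Review bot: The new `pw` parameter of sudo_ldap_display_entry_short is undocumented, and its role in the second hunk, standing in as the RunAs user when the entry has sudoRunAsGroup but neither sudoRunAsUser nor sudoRunAs, is only hinted at by the `/* finish printing sudoRunAs */` comments. The header comment in the first hunk should state it, e.g. `* pw is the user being listed; an entry with sudoRunAsGroup but no RunAs user is shown as pw->pw_name, one with neither as runas_default.` The listing presumably mirrors what the matching code does for a group-only entry; that code is outside this patch, so it is worth confirming the two agree, since `sudo -l` output is what administrators audit against. Both hunks sit inside a function whose sudoRunAsUser/sudoRunAs lookup (the code that fills `bv` before the second hunk) is outside the diff.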
@@ -2432,9 +2443,11 @@ sudo_ldap_display_entry_short(LDAP *ld, LDAPMessage *entry, struct sudo_lbuf *lb
* Print a record in the long form.
*/
static int
-sudo_ldap_display_entry_long(LDAP *ld, LDAPMessage *entry, struct sudo_lbuf *lbuf)
+sudo_ldap_display_entry_long(LDAP *ld, LDAPMessage *entry, struct passwd *pw,
+ struct sudo_lbuf *lbuf)
{
struct berval **bv, **p;
+ bool no_runas_user = true;
char *rdn;
int count = 0;
debug_decl(sudo_ldap_display_entry_long, SUDOERS_DEBUG_LDAP)
@@ -2458,19 +2471,28 @@ sudo_ldap_display_entry_long(LDAP *ld, LDAPMessage *entry, struct sudo_lbuf *lbu
sudo_lbuf_append(lbuf, "%s%s", p != bv ? ", " : "", (*p)->bv_val);
}
ldap_value_free_len(bv);
- } else
- sudo_lbuf_append(lbuf, "%s", def_runas_default);
- sudo_lbuf_append(lbuf, "\n");
+ no_runas_user = false;
+ }

/* get the RunAsGroup Values from the entry */
bv = ldap_get_values_len(ld, entry, "sudoRunAsGroup");
if (bv != NULL) {
- sudo_lbuf_append(lbuf, " RunAsGroups: ");
+ if (no_runas_user) {
+ /* finish printing sudoRunAs */
+ sudo_lbuf_append(lbuf, "%s", pw->pw_name);
+ }
+ sudo_lbuf_append(lbuf, "\n RunAsGroups: ");
for (p = bv; *p != NULL; p++) {
sudo_lbuf_append(lbuf, "%s%s", p != bv ? ", " : "", (*p)->bv_val);
}
ldap_value_free_len(bv);
sudo_lbuf_append(lbuf, "\n");
+ } else {
+ if (no_runas_user) {
+ /* finish printing sudoRunAs */
+ sudo_lbuf_append(lbuf, "%s", def_runas_default);
+ }
+ sudo_lbuf_append(lbuf, "\n");
}

/* get the Option Values from the entry */
@@ -2537,9 +2559,9 @@ sudo_ldap_display_privs(struct sudo_nss *nss, struct passwd *pw,
for (i = 0; i < lres->nentries; i++) {
entry = lres->entries[i].entry;
if (long_list)
- count += sudo_ldap_display_entry_long(ld, entry, lbuf);
+ count += sudo_ldap_display_entry_long(ld, entry, pw, lbuf);
else
- count += sudo_ldap_display_entry_short(ld, entry, lbuf);
+ count += sudo_ldap_display_entry_short(ld, entry, pw, lbuf);
}

done:
diff --git a/plugins/sudoers/sssd.c b/plugins/sudoers/sssd.c
index 93cb7a61e..6aa38fc9e 100644
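Review bot: In the long-form hunk the `if (no_runas_user)` block is duplicated in both arms of `if (bv != NULL)`, differing only in the name printed, and both arms then emit the "\n" that the removed unconditional `sudo_lbuf_append(lbuf, "\n")` used to provide. The same output reads more directly if the name is chosen once right after the sudoRunAsGroup lookup: `if (no_runas_user)` / `sudo_lbuf_append(lbuf, "%s", bv != NULL ? pw->pw_name : def_runas_default);` / `sudo_lbuf_append(lbuf, "\n");`, after which the `if (bv != NULL)` body is back to just ` RunAsGroups: ` and the `else` branch disappears. That keeps the pw_name-versus-runas_default decision in one place where it is easy to check against the short form. sudo_ldap_display_entry_long starts before and continues after this hunk.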
--- a/plugins/sudoers/sssd.c
+++ b/plugins/sudoers/sssd.c
@@ -1483,9 +1483,10 @@ sudo_sss_display_bound_defaults(struct sudo_nss *nss,

static int
sudo_sss_display_entry_long(struct sudo_sss_handle *handle,
- struct sss_sudo_rule *rule, struct sudo_lbuf *lbuf)
+ struct sss_sudo_rule *rule, struct passwd *pw, struct sudo_lbuf *lbuf)
{
char **val_array = NULL;
+ bool no_runas_user = true;
int count = 0, i;
debug_decl(sudo_sss_display_entry_long, SUDOERS_DEBUG_SSSD);

@@ -1507,6 +1508,7 @@ sudo_sss_display_entry_long(struct sudo_sss_handle *handle,
for (i = 0; val_array[i] != NULL; ++i)
sudo_lbuf_append(lbuf, "%s%s", i != 0 ? ", " : "", val_array[i]);
handle->fn_free_values(val_array);
+ no_runas_user = false;
break;
case ENOENT:
switch (handle->fn_get_values(rule, "sudoRunAs", &val_array)) {
@@ -1514,10 +1516,10 @@ sudo_sss_display_entry_long(struct sudo_sss_handle *handle,
for (i = 0; val_array[i] != NULL; ++i)
sudo_lbuf_append(lbuf, "%s%s", i != 0 ? ", " : "", val_array[i]);
handle->fn_free_values(val_array);
+ no_runas_user = false;
break;
case ENOENT:
sudo_debug_printf(SUDO_DEBUG_INFO, "No result.");
- sudo_lbuf_append(lbuf, "%s", def_runas_default);
break;
default:
sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoRunAs): != 0");
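Review bot: `bool no_runas_user = true;` in the sudo_sss_display_entry_long signature hunk carries no comment, yet it is cleared in two places (the sudoRunAsUser arm and the old-style sudoRunAs fallback in the two following hunks) and only consumed after the sudoRunAsGroup lookup further down, outside these hunks, so a reader at the declaration cannot tell what it tracks. Suggest `bool no_runas_user = true;	/* no sudoRunAsUser/sudoRunAs value printed yet */` plus a sentence in the function's header comment describing `pw` as the listed user, whose name is shown as the RunAs user for entries that carry only a sudoRunAsGroup. The nested switch means the flag is cleared by identical code in both arms; if the two arms are ever merged, the single clear should move with them. All three hunks are inside sudo_sss_display_entry_long, whose body continues past the last one.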
@@ -1528,18 +1530,26 @@ sudo_sss_display_entry_long(struct sudo_sss_handle *handle,
sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoRunAsUser): != 0");
debug_return_int(count);
}
- sudo_lbuf_append(lbuf, "\n");

/* get the RunAsGroup Values from the entry */
switch (handle->fn_get_values(rule, "sudoRunAsGroup", &val_array)) {
case 0:
- sudo_lbuf_append(lbuf, " RunAsGroups: ");
+ if (no_runas_user) {
+ /* finish printing sudoRunAs */
+ sudo_lbuf_append(lbuf, "%s", pw->pw_name);
+ }
+ sudo_lbuf_append(lbuf, "\n RunAsGroups: ");
for (i = 0; val_array[i] != NULL; ++i)
sudo_lbuf_append(lbuf, "%s%s", i != 0 ? ", " : "", val_array[i]);
handle->fn_free_values(val_array);
sudo_lbuf_append(lbuf, "\n");
break;
case ENOENT:
+ if (no_runas_user) {
+ /* finish printing sudoRunAs */
+ sudo_lbuf_append(lbuf, "%s", pw->pw_name);
+ }
+ sudo_lbuf_append(lbuf, "\n");
sudo_debug_printf(SUDO_DEBUG_INFO, "No result.");
break;
default:
@@ -1589,9 +1599,10 @@ sudo_sss_display_entry_long(struct sudo_sss_handle *handle,

static int
sudo_sss_display_entry_short(struct sudo_sss_handle *handle,
- struct sss_sudo_rule *rule, struct sudo_lbuf *lbuf)
+ struct sss_sudo_rule *rule, struct passwd *pw, struct sudo_lbuf *lbuf)
{
char **val_array = NULL;
+ bool no_runas_user = true;
int count = 0, i;
debug_decl(sudo_sss_display_entry_short, SUDOERS_DEBUG_SSSD);

@@ -1603,6 +1614,7 @@ sudo_sss_display_entry_short(struct sudo_sss_handle *handle,
for (i = 0; val_array[i] != NULL; ++i)
sudo_lbuf_append(lbuf, "%s%s", i != 0 ? ", " : "", val_array[i]);
handle->fn_free_values(val_array);
+ no_runas_user = false;
break;
case ENOENT:
sudo_debug_printf(SUDO_DEBUG_INFO, "No result. Trying old style (sudoRunAs).");
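Review bot: In the `case ENOENT:` arm of the sudoRunAsGroup switch in sudo_sss_display_entry_long (entry has no sudoRunAsGroup), `if (no_runas_user)` prints `pw->pw_name`; at that point the entry has neither a RunAs user nor a RunAs group, and the corresponding arm in sudo_ldap_display_entry_long, sudo_ldap_display_entry_short and sudo_sss_display_entry_short in this same patch prints `def_runas_default`. As written, the long listing through SSSD would show the invoking user instead of runas_default as the RunAs user for an ordinary entry, which looks like a copy of the `case 0:` block that was not adjusted. Change that line to `sudo_lbuf_append(lbuf, "%s", def_runas_default);`. The `default:` error arm at the end of the hunk does no flag handling, and the function continues outside the hunk.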
@@ -1612,10 +1624,10 @@ sudo_sss_display_entry_short(struct sudo_sss_handle *handle,
for (i = 0; val_array[i] != NULL; ++i)
sudo_lbuf_append(lbuf, "%s%s", i != 0 ? ", " : "", val_array[i]);
handle->fn_free_values(val_array);
+ no_runas_user = false;
break;
case ENOENT:
sudo_debug_printf(SUDO_DEBUG_INFO, "No result.");
- sudo_lbuf_append(lbuf, "%s", def_runas_default);
break;
default:
sudo_debug_printf(SUDO_DEBUG_INFO,
@@ -1632,12 +1644,20 @@ sudo_sss_display_entry_short(struct sudo_sss_handle *handle,
/* get the RunAsGroup Values from the entry */
switch (handle->fn_get_values(rule, "sudoRunAsGroup", &val_array)) {
case 0:
+ if (no_runas_user) {
+ /* finish printing sudoRunAs */
+ sudo_lbuf_append(lbuf, "%s", pw->pw_name);
+ }
sudo_lbuf_append(lbuf, " : ");
for (i = 0; val_array[i] != NULL; ++i)
sudo_lbuf_append(lbuf, "%s%s", i != 0 ? ", " : "", val_array[i]);
handle->fn_free_values(val_array);
break;
case ENOENT:
+ if (no_runas_user) {
+ /* finish printing sudoRunAs */
+ sudo_lbuf_append(lbuf, "%s", def_runas_default);
+ }
sudo_debug_printf(SUDO_DEBUG_INFO, "No result.");
break;
default:
@@ -1726,9 +1746,9 @@ sudo_sss_display_privs(struct sudo_nss *nss, struct passwd *pw,
for (i = 0; i < sss_result->num_rules; ++i) {
rule = sss_result->rules + i;
if (long_list)
- count += sudo_sss_display_entry_long(handle, rule, lbuf);
+ count += sudo_sss_display_entry_long(handle, rule, pw, lbuf);
else
- count += sudo_sss_display_entry_short(handle, rule, lbuf);
+ count += sudo_sss_display_entry_short(handle, rule, pw, lbuf);
}

handle->fn_free_result(sss_result);
-- 
2.40.0
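Review bot: In the sudoRunAsGroup switch of sudo_sss_display_entry_short the `default:` arm is the only one without the `no_runas_user` completion; before this patch the RunAs user had already been appended by the removed `sudo_lbuf_append(lbuf, "%s", def_runas_default)` in the first hunk, so if that arm bails out the way the analogous arms in sudo_sss_display_entry_long visibly do (`debug_return_int(count)` at the top of the -1528 hunk), the partially built entry now lacks even its RunAs user. Whether that partial buffer reaches the user depends on the caller, which is outside the diff, but having the error arm emit `if (no_runas_user) sudo_lbuf_append(lbuf, "%s", def_runas_default);` before it returns keeps the output shape stable on the error path. The third hunk's call sites only thread `pw` through and need nothing further.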