From e23ebd53c31a12b8258384d5f7e8d707a2f4dafe Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Mon, 1 Apr 2013 13:56:42 -0400 Subject: [PATCH] Instead of checking the domain name explicitly for "(none)", just check for illegal characters. --- NEWS | 4 ++++ plugins/sudoers/match.c | 41 +++++++++++++++++++++++++++++++---------- 2 files changed, 35 insertions(+), 10 deletions(-) diff --git a/NEWS b/NEWS index 706527ef7..fa434aa00 100644 --- a/NEWS +++ b/NEWS @@ -81,6 +81,10 @@ What's new in Sudo 1.8.7? * Dutch translation for sudo and sudoers from translationproject.org. + * The sudoers plugin will now ignore invalid domain names when + checking netgroup membership. Some Linux systems use the string + "(none)" for the NIS-style domain name instead of an empty string. + What's new in Sudo 1.8.6p7? * A time stamp file with the date set to the epoch by "sudo -k" diff --git a/plugins/sudoers/match.c b/plugins/sudoers/match.c index e85b29c47..2ace1548c 100644 --- a/plugins/sudoers/match.c +++ b/plugins/sudoers/match.c @@ -764,6 +764,34 @@ done: debug_return_bool(matched); } +#ifdef HAVE_INNETGR +/* + * Get NIS-style domain name and return a malloc()ed copy or NULL if none. + */ +static char * +sudo_getdomainname(void) +{ +#ifdef HAVE_GETDOMAINNAME + char *buf, *cp, *domain = NULL; + + buf = emalloc(HOST_NAME_MAX + 1); + if (getdomainname(buf, HOST_NAME_MAX + 1) == 0 && *buf != '\0') { + domain = buf; + for (cp = buf; *cp != '\0'; cp++) { + /* Check for illegal characters, Linux may use "(none)". */ + if (*cp == '(' || *cp == ')' || *cp == ',' || *cp == ' ') { + domain = NULL; + break; + } + } + } + if (domain == NULL) + efree(buf); +#endif /* HAVE_GETDOMAINNAME */ + return domain; +} +#endif /* HAVE_INNETGR */ + /* * Returns true if "host" and "user" belong to the netgroup "netgr", * else return false. Either of "host", "shost" or "user" may be NULL 
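Review bot: The character scan in sudo_getdomainname() assumes getdomainname() left a NUL inside the HOST_NAME_MAX + 1 bytes it was given, but that is not guaranteed by every implementation sudo is ported to (some truncate silently rather than fail), and on such a system `for (cp = buf; *cp != '\0'; cp++)` would read past the end of the emalloc()ed buffer. A one-line guard keeps the current behaviour for well-formed names and treats an unterminated one as "no domain": `if (getdomainname(buf, HOST_NAME_MAX + 1) == 0 && memchr(buf, '\0', HOST_NAME_MAX + 1) != NULL && *buf != '\0') {` — match.c already calls strcmp(), so <string.h> should be in scope, but that is worth confirming. The header comment should also say that a name rejected by the scan is returned as NULL, since the caller passes that straight to innetgr(), where a NULL domain means the domain member of each netgroup triple is not compared. The function is complete within the hunk.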
@@ -774,30 +802,23 @@ done:
 bool
 netgr_matches(char *netgr, char *lhost, char *shost, char *user)
 {
+#ifdef HAVE_INNETGR
 static char *domain;
-#ifdef HAVE_GETDOMAINNAME
 static int initialized;
 #endif
 debug_decl(netgr_matches, SUDO_DEBUG_MATCH)
+#ifdef HAVE_INNETGR
 /* make sure we have a valid netgroup, sudo style */
 if (*netgr++ != '+')
 debug_return_bool(false);
-#ifdef HAVE_GETDOMAINNAME
 /* get the domain name (if any) */
 if (!initialized) {
- domain = (char *) emalloc(HOST_NAME_MAX + 1);
- if (getdomainname(domain, HOST_NAME_MAX + 1) == -1 || *domain == '\0' ||
- strcmp(domain, "(none)") == 0) {
- efree(domain);
- domain = NULL;
- }
+ domain = sudo_getdomainname();
 initialized = 1;
 }
-#endif /* HAVE_GETDOMAINNAME */
-#ifdef HAVE_INNETGR
 if (innetgr(netgr, lhost, user, domain))
 debug_return_bool(true);
 else if (lhost != shost && innetgr(netgr, shost, user, domain))
-- 2.40.0
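Review bot: The NULL that sudo_getdomainname() returns for an empty or "(none)"-style name is handed unchanged to the two innetgr() calls at the bottom of the hunk, where a NULL domain disables comparison of the domain member of each netgroup triple, so a triple written for one specific NIS domain will match on a host that has no usable domain at all; nothing at the `domain = sudo_getdomainname();` line says so. That is the same outcome the old code produced for an empty domain and is presumably intended, but the NEWS wording "ignore invalid domain names" reads as if matching were being narrowed rather than widened, which is the wrong expectation for a security-relevant check. I would add above the assignment: `/* NULL domain: innetgr() then does not compare the domain field of netgroup triples. */`. netgr_matches() continues past the end of the hunk.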