From 0d17325039807361a87cd4c82d4b24cc1fec6158 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Wed, 14 Jun 2023 10:15:38 -0600
Subject: [PATCH] Add test to exercise the bug that prevented the group specified via "sudo -g" from matching when a Runas_Alias was used in the user or group portion of a Runas_Spec.
---
 MANIFEST | 2 ++
 plugins/sudoers/regress/testsudoers/passwd | 6 ++++++
 .../sudoers/regress/testsudoers/test21.out.ok | 10 ++++++++++
 plugins/sudoers/regress/testsudoers/test21.sh | 20 +++++++++++++++++++
 4 files changed, 38 insertions(+)
 create mode 100644 plugins/sudoers/regress/testsudoers/passwd
 create mode 100644 plugins/sudoers/regress/testsudoers/test21.out.ok
 create mode 100644 plugins/sudoers/regress/testsudoers/test21.sh
diff --git a/MANIFEST b/MANIFEST
index bb5b34f19..56fb2bef6 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -1080,6 +1080,8 @@ plugins/sudoers/regress/testsudoers/test2.out.ok
 plugins/sudoers/regress/testsudoers/test2.sh
 plugins/sudoers/regress/testsudoers/test20.out.ok
 plugins/sudoers/regress/testsudoers/test20.sh
+plugins/sudoers/regress/testsudoers/test21.out.ok
+plugins/sudoers/regress/testsudoers/test21.sh
 plugins/sudoers/regress/testsudoers/test3.out.ok
 plugins/sudoers/regress/testsudoers/test3.sh
 plugins/sudoers/regress/testsudoers/test4.out.ok
diff --git a/plugins/sudoers/regress/testsudoers/passwd b/plugins/sudoers/regress/testsudoers/passwd
new file mode 100644
index 000000000..77e300edc
--- /dev/null
+++ b/plugins/sudoers/regress/testsudoers/passwd
@@ -0,0 +1,6 @@
+root:*:0:0:Charlie &:/root:/bin/sh
+daemon:*:1:1:The devil himself:/root:/sbin/nologin
+operator:*:2:5:System &:/operator:/sbin/nologin
+bin:*:3:7:Binaries Commands and Source:/:/sbin/nologin
+admin:*:1000:20:Admin user:/home/admin:/bin/sh
+nobody:*:32767:32767:Unprivileged user:/nonexistent:/sbin/nologin
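Review bot: The MANIFEST hunk registers the two new test21 files but not `plugins/sudoers/regress/testsudoers/passwd`, which this commit also creates and which test21.sh reads through `-p ${TESTDIR}/passwd`. The diffstat shows only two added lines in MANIFEST, so the fixture is not listed anywhere else in this patch. If MANIFEST decides what goes into the release tarball, test21 would run there without its passwd fixture. A `plugins/sudoers/regress/testsudoers/passwd` entry at its sorted position would close the gap.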
diff --git a/plugins/sudoers/regress/testsudoers/test21.out.ok b/plugins/sudoers/regress/testsudoers/test21.out.ok
new file mode 100644
index 000000000..4f6940ddf
--- /dev/null
+++ b/plugins/sudoers/regress/testsudoers/test21.out.ok
@@ -0,0 +1,10 @@
+Parses OK
+
+Entries for user admin:
+
+ALL = (USERALIAS : GROUPALIAS) /bin/ls
+ host matched
+ runas matched
+ cmnd allowed
+
+Command allowed
diff --git a/plugins/sudoers/regress/testsudoers/test21.sh b/plugins/sudoers/regress/testsudoers/test21.sh
new file mode 100644
index 000000000..714caf1d1
--- /dev/null
+++ b/plugins/sudoers/regress/testsudoers/test21.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+#
+# Verify that a Runas_Alias works in both user and group lists.
+# This tests a bug fixed in sudo 1.9.14.
+#
+
+: ${TESTSUDOERS=testsudoers}
+
+exec 2>&1
+
+# The user in USERALIAS must *not* belong to the group in GROUPALIAS
+# in the group or passwd file in order to reproduce the bug.
+$TESTSUDOERS -u root -g bin -p ${TESTDIR}/passwd -P ${TESTDIR}/group \
+ admin /bin/ls <<'EOF'
+Runas_Alias USERALIAS = root
+Runas_Alias GROUPALIAS = bin
+admin ALL = (USERALIAS : GROUPALIAS) /bin/ls
+EOF
+
+exit 0
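Review bot: test21.sh pins only the allow path: its single testsudoers run passes `-u root -g bin`, both members of the aliases, so a fix that made Runas_Alias group matching too permissive would still print "Command allowed". A companion run that passes `-g` a group outside GROUPALIAS and expects the command to be denied (with test21.out.ok extended, or in a separate test) would guard the deny side of this authorization check. Separately, `${TESTDIR}` is expanded unquoted and has no default, unlike TESTSUDOERS earlier in the script; `-p "${TESTDIR}/passwd" -P "${TESTDIR}/group"` avoids word splitting on the path. The `group` file it points at is not created by this commit, so it presumably already exists in the tree; worth confirming that the comment's precondition (root not a member of bin) holds there.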