
Fix a bug in host matching where a negated sudoHost entry would prevent other sudoHost entries following it from matching.
This commit is contained in:
Todd C. Miller
2016-11-08 14:35:23 -07:00
parent 1d9b8ca32e
commit 17868f89d7
2 changed files with 26 additions and 19 deletions


@@ -722,20 +722,21 @@ sudo_ldap_check_host(LDAP *ld, LDAPMessage *entry, struct passwd *pw)
{ {
struct berval **bv, **p; struct berval **bv, **p;
char *val; char *val;
bool ret = false; int matched = UNSPEC;
bool foundbang = false;
debug_decl(sudo_ldap_check_host, SUDOERS_DEBUG_LDAP) debug_decl(sudo_ldap_check_host, SUDOERS_DEBUG_LDAP)
if (!entry) if (!entry)
debug_return_bool(ret); debug_return_bool(false);
/* get the values from the entry */ /* get the values from the entry */
bv = ldap_get_values_len(ld, entry, "sudoHost"); bv = ldap_get_values_len(ld, entry, "sudoHost");
if (bv == NULL) if (bv == NULL)
debug_return_bool(ret); debug_return_bool(false);
/* walk through values */ /* walk through values */
for (p = bv; *p != NULL && !foundbang; p++) { for (p = bv; *p != NULL && matched != false; p++) {
bool foundbang = false;
val = (*p)->bv_val; val = (*p)->bv_val;
if (*val == '!') { if (*val == '!') {
@@ -747,14 +748,17 @@ sudo_ldap_check_host(LDAP *ld, LDAPMessage *entry, struct passwd *pw)
if (strcmp(val, "ALL") == 0 || addr_matches(val) || if (strcmp(val, "ALL") == 0 || addr_matches(val) ||
netgr_matches(val, user_runhost, user_srunhost, netgr_matches(val, user_runhost, user_srunhost,
def_netgroup_tuple ? pw->pw_name : NULL) || def_netgroup_tuple ? pw->pw_name : NULL) ||
hostname_matches(user_srunhost, user_runhost, val)) hostname_matches(user_srunhost, user_runhost, val)) {
ret = !foundbang;
DPRINTF2("ldap sudoHost '%s' ... %s", val, ret ? "MATCH!" : "not"); matched = foundbang ? false : true;
}
DPRINTF2("ldap sudoHost '%s' ... %s",
val, matched == true ? "MATCH!" : "not");
} }
ldap_value_free_len(bv); /* cleanup */ ldap_value_free_len(bv); /* cleanup */
debug_return_bool(ret); debug_return_bool(matched == true);
} }
static int static int
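Review bot: The per-value DPRINTF2 on the last two lines of the second hunk reports the running verdict rather than the outcome for the value it names: once a positive value has set `matched = true`, every following non-matching value is logged as "MATCH!", and a matching negated value — the one that ends the loop and denies the host — is logged as "not". In a privilege-decision path the debug trail should say which sudoHost value actually decided, so log the result of the comparison itself and distinguish the negated case, as below. The `!` handling branch and the function's opening lines fall between the two hunks, so I cannot see whether val has already been advanced past the `!` at the point of the log line. The loop condition `matched != false` would also benefit from a one-line comment stating that UNSPEC and true both keep scanning while a negated match stops it.

```c
	/* … unchanged: strcmp(val, "ALL") / addr_matches / netgr_matches / hostname_matches test … */
	    hostname_matches(user_srunhost, user_runhost, val)) {
	    matched = foundbang ? false : true;
	    DPRINTF2("ldap sudoHost '%s' ... %s", val,
		foundbang ? "negated MATCH!" : "MATCH!");
	} else {
	    DPRINTF2("ldap sudoHost '%s' ... not", val);
	}
```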


@@ -741,13 +741,12 @@ static bool
sudo_sss_check_host(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule) sudo_sss_check_host(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
{ {
char **val_array, *val; char **val_array, *val;
bool ret = false; int matched = UNSPEC;
bool foundbang = false;
int i; int i;
debug_decl(sudo_sss_check_host, SUDOERS_DEBUG_SSSD); debug_decl(sudo_sss_check_host, SUDOERS_DEBUG_SSSD);
if (rule == NULL) if (rule == NULL)
debug_return_bool(ret); debug_return_bool(false);
/* get the values from the rule */ /* get the values from the rule */
switch (handle->fn_get_values(rule, "sudoHost", &val_array)) { switch (handle->fn_get_values(rule, "sudoHost", &val_array)) {
@@ -758,11 +757,13 @@ sudo_sss_check_host(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
debug_return_bool(false); debug_return_bool(false);
default: default:
sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoHost): != 0"); sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoHost): != 0");
debug_return_bool(ret); debug_return_bool(false);
} }
/* walk through values */ /* walk through values */
for (i = 0; val_array[i] != NULL && !foundbang; ++i) { for (i = 0; val_array[i] != NULL && matched != false; ++i) {
bool foundbang = false;
val = val_array[i]; val = val_array[i];
sudo_debug_printf(SUDO_DEBUG_DEBUG, "val[%d]=%s", i, val); sudo_debug_printf(SUDO_DEBUG_DEBUG, "val[%d]=%s", i, val);
@@ -775,16 +776,18 @@ sudo_sss_check_host(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
if (strcmp(val, "ALL") == 0 || addr_matches(val) || if (strcmp(val, "ALL") == 0 || addr_matches(val) ||
netgr_matches(val, handle->host, handle->shost, netgr_matches(val, handle->host, handle->shost,
def_netgroup_tuple ? handle->pw->pw_name : NULL) || def_netgroup_tuple ? handle->pw->pw_name : NULL) ||
hostname_matches(handle->shost, handle->host, val)) hostname_matches(handle->shost, handle->host, val)) {
ret = !foundbang;
sudo_debug_printf(SUDO_DEBUG_INFO, matched = foundbang ? false : true;
"sssd/ldap sudoHost '%s' ... %s", val, ret ? "MATCH!" : "not"); }
sudo_debug_printf(SUDO_DEBUG_INFO, "sssd/ldap sudoHost '%s' ... %s",
val, matched == true ? "MATCH!" : "not");
} }
handle->fn_free_values(val_array); handle->fn_free_values(val_array);
debug_return_bool(ret); debug_return_bool(matched == true);
} }
/* /*
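Review bot: `int matched = UNSPEC;` together with `matched != false` in the loop header encodes a three-way state that a reader has to reconstruct from the loop body, and the same tri-state appears verbatim in sudo_ldap_check_host in this commit; a comment above the declaration such as `/* UNSPEC: nothing matched yet; true: a sudoHost value matched; false: a negated value matched, which stops the scan and denies the host */` would make the contract explicit. The per-value sudo_debug_printf in the last hunk tests `matched == true`, so after a positive match it logs later non-matching values as "MATCH!" and logs a matching negated value as "not"; logging the comparison result for the current value instead would make the debug trail reflect which entry decided. Since the two back ends now differ only in where the host names come from (`handle->host`/`handle->shost` here versus `user_runhost`/`user_srunhost` in the LDAP version), a shared helper taking the host strings and the value would keep them from drifting apart again, which seems to be why this fix had to be applied twice.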