
check_user: restrict the special case for running as the invoking user

The intent is to allow the user to run a command or edit a file as
themself without entering a password.  It should not apply to listing
a command via "sudo -l command".
This commit is contained in:
Todd C. Miller 2025-04-30 11:07:37 -06:00
parent 9c98d0f4a5
commit 28837b2af1


@ -136,8 +136,8 @@ check_user(struct sudoers_context *ctx, unsigned int validated,
ret = AUTH_SUCCESS; ret = AUTH_SUCCESS;
goto done; goto done;
} }
if (ctx->user.uid == 0 || (ctx->user.uid == ctx->runas.pw->pw_uid && if (ctx->user.uid == 0 || (ISSET(mode, MODE_RUN|MODE_EDIT) &&
(ctx->runas.gr == NULL || ctx->user.uid == ctx->runas.pw->pw_uid && (ctx->runas.gr == NULL ||
user_in_group(ctx->user.pw, ctx->runas.gr->gr_name)))) { user_in_group(ctx->user.pw, ctx->runas.gr->gr_name)))) {
if (ctx->runas.role == NULL && ctx->runas.type == NULL && if (ctx->runas.role == NULL && ctx->runas.type == NULL &&
ctx->runas.apparmor_profile == NULL && ctx->runas.apparmor_profile == NULL &&
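Review bot: The new test `ISSET(mode, MODE_RUN|MODE_EDIT)` encodes a security decision — which invocation modes may skip authentication when the target user is the invoking user — but nothing in the code records why MODE_CHECK (`sudo -l command`) is excluded; that rationale lives only in the commit message and will be lost on the next refactor. I would add a comment directly above the `if`: `/* Running or editing a file as yourself needs no password; listing a command via "sudo -l command" must still authenticate. */`. Because ISSET on a two-bit mask is true when either bit is set (assuming the usual `(a) & (b)` definition — confirm), a reader may misread the expression as requiring both flags; the comment, or spelling it `ISSET(mode, MODE_RUN) || ISSET(mode, MODE_EDIT)`, removes that ambiguity. Note that `ctx->runas.pw` is still dereferenced without a NULL check in this branch as it was before the change; if any mode can reach check_user() with runas.pw unset that is a pre-existing issue worth confirming. The inner `if` beginning at `ctx->runas.role == NULL` continues past the end of the hunk.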