From 960bf99656ebefdc1bd60de68b17717d363492aa Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Mon, 31 Jan 2022 19:18:04 -0700
Subject: [PATCH] defaults_check_conflict: it is only really a conflict if the binding match If the Defaults name matched but the binding does not, we can simply leave it be. Fixes a problem where given two sudoers sources that have a host specified, if they contain conflicting Defaults entries we would drop one of the Defaults instead of keeping both after making them host-specific.
---
 MANIFEST | 2 ++
 plugins/sudoers/cvtsudoers_merge.c | 14 ++++++++++----
 plugins/sudoers/regress/cvtsudoers/test38.out.ok | 14 ++++++++++++++
 plugins/sudoers/regress/cvtsudoers/test38.sh | 10 ++++++++++
 4 files changed, 36 insertions(+), 4 deletions(-)
 create mode 100644 plugins/sudoers/regress/cvtsudoers/test38.out.ok
 create mode 100755 plugins/sudoers/regress/cvtsudoers/test38.sh
diff --git a/MANIFEST b/MANIFEST
index 49c7a3b08..8b2aa8047 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -768,6 +768,8 @@ plugins/sudoers/regress/cvtsudoers/test36.out.ok
 plugins/sudoers/regress/cvtsudoers/test36.sh
 plugins/sudoers/regress/cvtsudoers/test37.out.ok
 plugins/sudoers/regress/cvtsudoers/test37.sh
+plugins/sudoers/regress/cvtsudoers/test38.out.ok
+plugins/sudoers/regress/cvtsudoers/test38.sh
 plugins/sudoers/regress/cvtsudoers/test4.out.ok
 plugins/sudoers/regress/cvtsudoers/test4.sh
 plugins/sudoers/regress/cvtsudoers/test5.out.ok
diff --git a/plugins/sudoers/cvtsudoers_merge.c b/plugins/sudoers/cvtsudoers_merge.c
index ad0eddaa5..5093a0fa5 100644
--- a/plugins/sudoers/cvtsudoers_merge.c
+++ b/plugins/sudoers/cvtsudoers_merge.c
@@ -822,10 +822,16 @@ defaults_check_conflict(struct defaults *def,
 }
 debug_return_int(CONFLICT_RESOLVED);
 }
- log_warnx(U_("%s:%d:%d: conflicting Defaults entry \"%s\" host-specific in %s:%d:%d"),
- def->file, def->line, def->column, def->var,
- d->file, d->line, d->column);
- debug_return_int(CONFLICT_UNRESOLVED);
+ /*
+ * If the value doesn't match but the Defaults name did we don't
+ * consider that a conflict.
+ */
+ if (!mergeable) {
+ log_warnx(U_("%s:%d:%d: conflicting Defaults entry \"%s\" host-specific in %s:%d:%d"),
+ def->file, def->line, def->column, def->var,
+ d->file, d->line, d->column);
+ debug_return_int(CONFLICT_UNRESOLVED);
+ }
 }
 }
diff --git a/plugins/sudoers/regress/cvtsudoers/test38.out.ok b/plugins/sudoers/regress/cvtsudoers/test38.out.ok
new file mode 100644
index 000000000..26ac01415
--- /dev/null
+++ b/plugins/sudoers/regress/cvtsudoers/test38.out.ok
@@ -0,0 +1,14 @@
+Defaults@xerxes\
+ secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
+Defaults@xyzzy\
+ secure_path=/opt/sudo/bin\:/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
+
+User_Alias ADMINS = millert, dowdy, mikef
+Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice,\
+ /usr/bin/pkill, /usr/bin/top
+Cmnd_Alias REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff
+Host_Alias WEBSERVERS_1 = www1, www2, www3, www5
+
+root ALL = (ALL) ALL
+
+ALL ALL = (ALL) /usr/bin/id
diff --git a/plugins/sudoers/regress/cvtsudoers/test38.sh b/plugins/sudoers/regress/cvtsudoers/test38.sh
new file mode 100755
index 000000000..427313632
--- /dev/null
+++ b/plugins/sudoers/regress/cvtsudoers/test38.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+#
+# Test cvtsudoers merge:
+# * two files, each bound to a host
+# * only difference is a conflicting secure_path definition
+#
+
+: ${CVTSUDOERS=cvtsudoers}
+
+$CVTSUDOERS -f sudoers -l /dev/null xerxes:${TESTDIR}/sudoers3 xyzzy:${TESTDIR}/sudoers4
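Review bot: In plugins/sudoers/cvtsudoers_merge.c the comment added above `if (!mergeable)` says the *value* doesn't match, while the commit message describes the case as a matching Defaults name whose *binding* differs, and the guard tests `mergeable`, which is assigned outside this hunk. This branch decides whether a differing setting such as `secure_path` is kept per host or reported as `CONFLICT_UNRESOLVED`, so the comment should state the rule the code applies, for example `/* Same Defaults name but different binding: only report a conflict when the entries are not mergeable. */` (adjust if `mergeable` means something else). defaults_check_conflict starts and ends outside the hunk, so the fall-through result is not visible here. test38 covers the path that now keeps both entries; nothing in this patch exercises the branch that still warns and returns `CONFLICT_UNRESOLVED`.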