Correctly handle multiple privileges per userspec and runas inheritence.

2025-09-04 16:25:25 +00:00 · 2004-11-23 23:18:15 +00:00
parent f2bdbda17f
commit 9c526bdc30
2 changed files with 68 additions and 56 deletions
--- a/parse.c
+++ b/parse.c
@@ -90,6 +90,7 @@ sudoers_lookup(pwflag)
    enum def_tupple pwcheck = 0;
    struct cmndspec *cs;
    struct cmndtag *tags = NULL;
+    struct member *runas;
    struct privilege *priv;
    struct userspec *us;

@@ -118,7 +119,7 @@ sudoers_lookup(pwflag)
 	matched = FALSE;
 	for (us = userspecs; us != NULL; us = us->next) {
 	    if (user_matches(sudo_user.pw, us->user) == TRUE) {
-		priv = us->privileges;
+		for (priv = us->privileges; priv != NULL; priv = priv->next) {
 		    if (host_matches(priv->hostlist) == TRUE) {
 			for (cs = priv->cmndlist; cs != NULL; cs = cs->next) {
 			    /* Only check the command when listing another user. */
@@ -133,6 +134,7 @@ sudoers_lookup(pwflag)
 		    }
 		}
 	    }
+	}
 	if (matched == TRUE) {
 	    /* User has an entry for this host. */
 	    CLR(validated, VALIDATE_NOT_OK);
@@ -152,11 +154,14 @@ sudoers_lookup(pwflag)
    for (us = userspecs; us != NULL; us = us->next) {
 	if (user_matches(sudo_user.pw, us->user) == TRUE) {
 	    CLR(validated, FLAG_NO_USER);
-	    priv = us->privileges;
+	    for (priv = us->privileges; priv != NULL; priv = priv->next) {
 		if (host_matches(priv->hostlist) == TRUE) {
 		    CLR(validated, FLAG_NO_HOST);
+		    runas = NULL;
 		    for (cs = priv->cmndlist; cs != NULL; cs = cs->next) {
-		    if (runas_matches(cs->runaslist) == TRUE) {
+			if (cs->runaslist != NULL)
+			    runas = cs->runaslist;
+			if (runas_matches(runas) == TRUE) {
 			    rval = cmnd_matches(cs->cmnd);
 			    if (rval != UNSPEC) {
 				matched = rval;
@@ -167,6 +172,7 @@ sudoers_lookup(pwflag)
 		}
 	    }
 	}
+    }
    if (matched == TRUE) {
 	CLR(validated, VALIDATE_NOT_OK);
 	SET(validated, VALIDATE_OK);
@@ -203,12 +209,12 @@ display_privs(pw)
 	  host_matches(us->privileges->hostlist) != TRUE)
 	    continue;

-	priv = us->privileges;
+	for (priv = us->privileges; priv != NULL; priv = priv->next) {
 	    runas = NULL;
 	    for (cs = priv->cmndlist; cs != NULL; cs = cs->next) {
-	    fputs("    ", stdout);
 		if (cs->runaslist != NULL)
 		    runas = cs->runaslist;
+		fputs("    ", stdout);
 		if (runas != NULL) {
 		    fputs("(", stdout);
 		    for (m = runas; m != NULL; m = m->next) {
@@ -230,6 +236,7 @@ display_privs(pw)
 	    }
 	}
    }
+}

 /*
 * Print the contents of a struct member to stdout
--- a/testsudoers.c
+++ b/testsudoers.c
@@ -105,6 +105,7 @@ main(argc, argv)
 {
    struct cmndspec *cs;
    struct passwd pw, rpw;
+    struct member *runas;
    struct privilege *priv;
    struct userspec *us;
    char *p, hbuf[MAXHOSTNAMELEN];
@@ -220,14 +221,17 @@ main(argc, argv)
    matched = UNSPEC;
    for (us = userspecs; us != NULL; us = us->next) {
 	if (user_matches(sudo_user.pw, us->user) == TRUE) {
-	    priv = us->privileges;
+	    for (priv = us->privileges; priv != NULL; priv = priv->next) {
 		putchar('\n');
 		print_privilege(priv);
 		putchar('\n');
 		if (host_matches(priv->hostlist) == TRUE) {
 		    puts("\thost  matched");
+		    runas = NULL;
 		    for (cs = priv->cmndlist; cs != NULL; cs = cs->next) {
-		    if (runas_matches(cs->runaslist) == TRUE) {
+			if (cs->runaslist != NULL)
+			    runas = cs->runaslist;
+			if (runas_matches(runas) == TRUE) {
 			    puts("\trunas matched");
 			    rval = cmnd_matches(cs->cmnd);
 			    if (rval != UNSPEC)
@@ -239,6 +243,7 @@ main(argc, argv)
 		}
 	    }
 	}
+    }
    printf("\nCommand %s\n", matched == TRUE ? "allowed" :
 	matched == FALSE ? "denied" : "unmatched");