From baf482763ce0960983139aa2e771c8cdea60647d Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Wed, 14 Jun 2023 10:29:07 -0600
Subject: [PATCH] Add tests to exercise recent runas user and group bug fixes.
---
 MANIFEST | 4 ++++
 plugins/sudoers/regress/testsudoers/group | 1 +
 plugins/sudoers/regress/testsudoers/passwd | 2 +-
 .../sudoers/regress/testsudoers/test22.out.ok | 8 ++++++++
 plugins/sudoers/regress/testsudoers/test22.sh | 18 ++++++++++++++++++
 .../sudoers/regress/testsudoers/test23.out.ok | 8 ++++++++
 plugins/sudoers/regress/testsudoers/test23.sh | 17 +++++++++++++++++
 7 files changed, 57 insertions(+), 1 deletion(-)
 create mode 100644 plugins/sudoers/regress/testsudoers/test22.out.ok
 create mode 100644 plugins/sudoers/regress/testsudoers/test22.sh
 create mode 100644 plugins/sudoers/regress/testsudoers/test23.out.ok
 create mode 100644 plugins/sudoers/regress/testsudoers/test23.sh
diff --git a/MANIFEST b/MANIFEST
index 56fb2bef6..bb89c043b 100644
--- a/MANIFEST
+++ b/MANIFEST
@@ -1082,6 +1082,10 @@ plugins/sudoers/regress/testsudoers/test20.out.ok
 plugins/sudoers/regress/testsudoers/test20.sh
 plugins/sudoers/regress/testsudoers/test21.out.ok
 plugins/sudoers/regress/testsudoers/test21.sh
+plugins/sudoers/regress/testsudoers/test22.out.ok
+plugins/sudoers/regress/testsudoers/test22.sh
+plugins/sudoers/regress/testsudoers/test23.out.ok
+plugins/sudoers/regress/testsudoers/test23.sh
 plugins/sudoers/regress/testsudoers/test3.out.ok
 plugins/sudoers/regress/testsudoers/test3.sh
 plugins/sudoers/regress/testsudoers/test4.out.ok
diff --git a/plugins/sudoers/regress/testsudoers/group b/plugins/sudoers/regress/testsudoers/group
index e2202d62f..246055493 100644
--- a/plugins/sudoers/regress/testsudoers/group
+++ b/plugins/sudoers/regress/testsudoers/group
@@ -11,5 +11,6 @@ auth:*:11:
 games:*:13:
 staff:*:20:root
 guest:*:31:root
+admin:*:1000:
 nogroup:*:32766:
 nobody:*:32767:
diff --git a/plugins/sudoers/regress/testsudoers/passwd b/plugins/sudoers/regress/testsudoers/passwd
index 77e300edc..f1e472119 100644
--- a/plugins/sudoers/regress/testsudoers/passwd
+++ b/plugins/sudoers/regress/testsudoers/passwd
@@ -2,5 +2,5 @@ root:*:0:0:Charlie &:/root:/bin/sh
 daemon:*:1:1:The devil himself:/root:/sbin/nologin
 operator:*:2:5:System &:/operator:/sbin/nologin
 bin:*:3:7:Binaries Commands and Source:/:/sbin/nologin
-admin:*:1000:20:Admin user:/home/admin:/bin/sh
+admin:*:1000:1000:Admin user:/home/admin:/bin/sh
 nobody:*:32767:32767:Unprivileged user:/nonexistent:/sbin/nologin
diff --git a/plugins/sudoers/regress/testsudoers/test22.out.ok b/plugins/sudoers/regress/testsudoers/test22.out.ok
new file mode 100644
index 000000000..dfe0c9061
--- /dev/null
+++ b/plugins/sudoers/regress/testsudoers/test22.out.ok
@@ -0,0 +1,8 @@
+Parses OK
+
+Entries for user admin:
+
+ALL = /bin/ls
+ host matched
+
+Command unmatched
diff --git a/plugins/sudoers/regress/testsudoers/test22.sh b/plugins/sudoers/regress/testsudoers/test22.sh
new file mode 100644
index 000000000..9d4dbcb84
--- /dev/null
+++ b/plugins/sudoers/regress/testsudoers/test22.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+#
+# Verify that a user is only allowed to run commands with a group
+# that is specified by sudoers (or that the runas user is a member of).
+# This tests a bug fixed in sudo 1.9.14.
+#
+
+: ${TESTSUDOERS=testsudoers}
+
+exec 2>&1
+
+# The root user must *not* belong to the group specified below.
+$TESTSUDOERS -u root -g bin -p ${TESTDIR}/passwd -P ${TESTDIR}/group \
+ admin /bin/ls <<'EOF'
+admin ALL = /bin/ls
+EOF
+
+exit 0
diff --git a/plugins/sudoers/regress/testsudoers/test23.out.ok b/plugins/sudoers/regress/testsudoers/test23.out.ok
new file mode 100644
index 000000000..8741bdafb
--- /dev/null
+++ b/plugins/sudoers/regress/testsudoers/test23.out.ok
@@ -0,0 +1,8 @@
+Parses OK
+
+Entries for user admin:
+
+ALL = (root) /bin/ls
+ host matched
+
+Command unmatched
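Review bot: `${TESTDIR}` is expanded unguarded and unquoted on the `$TESTSUDOERS -u root -g bin ...` line of test22.sh, so an unset TESTDIR turns the fixture paths into `/passwd` and `/group` and the run fails on a missing file with no indication of the real cause; the `$TESTSUDOERS` line in test23.sh has the same shape. The script already defaults the binary with `: ${TESTSUDOERS=testsudoers}`, so a fail-fast check beside it, `: "${TESTDIR:?TESTDIR must be set}"`, makes the prerequisite explicit, and quoting the paths, `-p "${TESTDIR}/passwd" -P "${TESTDIR}/group"`, keeps a build directory containing spaces from word-splitting them. If the harness always exports TESTDIR, as the sibling testN.sh scripts outside this patch presumably rely on, this is hardening rather than a functional fix. The precondition stated in the comment, that root is not a member of `bin`, is established by the group fixture whose `bin` entry lies outside the shown hunk, so naming the fixture in that comment, `# ... (see ${TESTDIR}/group)`, would let a reader verify it.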
diff --git a/plugins/sudoers/regress/testsudoers/test23.sh b/plugins/sudoers/regress/testsudoers/test23.sh
new file mode 100644
index 000000000..a790c6ade
--- /dev/null
+++ b/plugins/sudoers/regress/testsudoers/test23.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+#
+# Verify that a user is not allowed to run commands with their own
+# user and group if sudoers doesn't explicitly permit it.
+# This tests a bug fixed in sudo 1.9.14.
+#
+
+: ${TESTSUDOERS=testsudoers}
+
+exec 2>&1
+
+$TESTSUDOERS -u admin -g admin -p ${TESTDIR}/passwd -P ${TESTDIR}/group \
+ admin /bin/ls <<'EOF'
+admin ALL = (root) /bin/ls
+EOF
+
+exit 0
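Review bot: The `-u admin -g admin` invocation exercises the own-user-and-group path only because this same commit changes admin's primary gid from 20 to 1000 in the passwd fixture and adds `admin:*:1000:` to the group fixture, yet nothing in test23.sh records that dependency. If a later fixture edit moved admin back out of the `admin` group, the run could still print `Command unmatched`, now for the not-a-member reason test22.sh covers, and the regression this test guards would go unchecked without any visible failure. A comment above the `$TESTSUDOERS` line, `# Depends on admin having primary group "admin" (gid 1000) in ${TESTDIR}/passwd and group.`, would tie the script to its precondition the way test22.sh does for root and `bin`. The unguarded `${TESTDIR}` expansion noted on test22.sh applies to this line as well.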