sudo/sme9/sudo-1.8.6p3-netgrfilterfix.patch

diff -up sudo-1.8.6p3/plugins/sudoers/sssd.c.netgrfilterfix sudo-1.8.6p3/plugins/sudoers/sssd.c
--- sudo-1.8.6p3/plugins/sudoers/sssd.c.netgrfilterfix  2014-07-30 13:29:47.713823996 +0200
+++ sudo-1.8.6p3/plugins/sudoers/sssd.c 2014-07-30 13:30:08.917436088 +0200
@@ -614,16 +615,13 @@ sudo_sss_check_host(struct sudo_sss_hand
 }
 
 /*
- * Look for netgroup specifcations in the sudoUser attribute and
- * if found, filter according to netgroup membership.
- *  returns:
- *   true -> netgroup spec found && negroup member
- *  false -> netgroup spec found && not a meber of netgroup
- *   true -> netgroup spec not found (filtered by SSSD already, netgroups are an exception)
+ * SSSD doesn't handle netgroups, we have to ensure they are correctly filtered
+ * in sudo. The rules may contain mixed sudoUser specification so we have to check
+ * not only for netgroup membership but also for user and group matches.
  */
-bool sudo_sss_filter_user_netgroup(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
+bool sudo_sss_filter_sudoUser(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
 {
-       bool ret = false, netgroup_spec_found = false;
+       bool ret = false;
        char **val_array, *val;
        int i;
        debug_decl(sudo_sss_check_user_netgroup, SUDO_DEBUG_SSSD);
@@ -641,21 +639,48 @@ bool sudo_sss_filter_user_netgroup(struc
                        sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoUser): != 0");
                        debug_return_bool(ret);
        }
-
+       /*
+        * Scan sudoUser values and look for netgroup specs.
+        * Netgroup-only rule specification should be filtered
+        * out if the user isn't member of any specified netgroup.
+        */
        for (i = 0; val_array[i] != NULL && !ret; ++i) {
                val = val_array[i];
-               if (*val == '+') {
-                       netgroup_spec_found = true;
-               }
                sudo_debug_printf(SUDO_DEBUG_DEBUG, "val[%d]=%s", i, val);
-               if (strcmp(val, "ALL") == 0 || netgr_matches(val, NULL, NULL, user_name)) {
-                       ret = true;
-                       sudo_debug_printf(SUDO_DEBUG_DIAG,
-                                         "sssd/ldap sudoUser '%s' ... MATCH! (%s)", val, user_name);
+               if (*val == '+') {
+                       /* Netgroup spec found, check netgroup membership */
+                       if (netgr_matches(val, NULL, NULL, handle->pw->pw_name)) {
+                               ret = true;
+                               sudo_debug_printf(SUDO_DEBUG_DIAG,
+                                                 "sssd/ldap sudoUser '%s' ... MATCH! (%s)", val, handle->pw->pw_name);
+                       }
+               } else {
+                       /*
+                        * Non-netgroup sudoUser value
+                        */
+                       if (strcmp(val, "ALL") == 0) {
+                               ret = true;
+                       } else {
+                               const char *match_val = (*val == '!' ? val + 1 : val);
+                               const bool negated = (*val == '!' ? true : false);
+                               const bool group_spec = (*match_val == '%' ? true : false);
+
+                               if (group_spec) {
+                                       if (usergr_matches(match_val,
+                                                          handle->pw->pw_name, handle->pw)) {
+                                               ret = !negated;
+                                       }
+                               } else {
+                                       if (userpw_matches(match_val,
+                                                          handle->pw->pw_name, handle->pw)) {
+                                               ret = !negated;
+                                       }
+                               }
+                       }
                }
        }
        handle->fn_free_values(val_array);
-       debug_return_bool(netgroup_spec_found ? ret : true);
+       debug_return_bool(ret);
 }
 
 static int
@@ -666,7 +691,7 @@ sudo_sss_result_filterp(struct sudo_sss_
     debug_decl(sudo_sss_result_filterp, SUDO_DEBUG_SSSD);
 
     if (sudo_sss_check_host(handle, rule) &&
-        sudo_sss_filter_user_netgroup(handle, rule))
+        sudo_sss_filter_sudoUser(handle, rule))
        debug_return_int(1);
     else
        debug_return_int(0);
1	jpp	1.1	diff -up sudo-1.8.6p3/plugins/sudoers/sssd.c.netgrfilterfix sudo-1.8.6p3/plugins/sudoers/sssd.c
2			--- sudo-1.8.6p3/plugins/sudoers/sssd.c.netgrfilterfix 2014-07-30 13:29:47.713823996 +0200
3			+++ sudo-1.8.6p3/plugins/sudoers/sssd.c 2014-07-30 13:30:08.917436088 +0200
4			@@ -614,16 +615,13 @@ sudo_sss_check_host(struct sudo_sss_hand
5			}
6
7			/*
8			- * Look for netgroup specifcations in the sudoUser attribute and
9			- * if found, filter according to netgroup membership.
10			- * returns:
11			- * true -> netgroup spec found && negroup member
12			- * false -> netgroup spec found && not a meber of netgroup
13			- * true -> netgroup spec not found (filtered by SSSD already, netgroups are an exception)
14			+ * SSSD doesn't handle netgroups, we have to ensure they are correctly filtered
15			+ * in sudo. The rules may contain mixed sudoUser specification so we have to check
16			+ * not only for netgroup membership but also for user and group matches.
17			*/
18			-bool sudo_sss_filter_user_netgroup(struct sudo_sss_handle handle, struct sss_sudo_rule rule)
19			+bool sudo_sss_filter_sudoUser(struct sudo_sss_handle handle, struct sss_sudo_rule rule)
20			{
21			- bool ret = false, netgroup_spec_found = false;
22			+ bool ret = false;
23			char *val_array, val;
24			int i;
25			debug_decl(sudo_sss_check_user_netgroup, SUDO_DEBUG_SSSD);
26			@@ -641,21 +639,48 @@ bool sudo_sss_filter_user_netgroup(struc
27			sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoUser): != 0");
28			debug_return_bool(ret);
29			}
30			-
31			+ /*
32			+ * Scan sudoUser values and look for netgroup specs.
33			+ * Netgroup-only rule specification should be filtered
34			+ * out if the user isn't member of any specified netgroup.
35			+ */
36			for (i = 0; val_array[i] != NULL && !ret; ++i) {
37			val = val_array[i];
38			- if (*val == '+') {
39			- netgroup_spec_found = true;
40			- }
41			sudo_debug_printf(SUDO_DEBUG_DEBUG, "val[%d]=%s", i, val);
42			- if (strcmp(val, "ALL") == 0 \|\| netgr_matches(val, NULL, NULL, user_name)) {
43			- ret = true;
44			- sudo_debug_printf(SUDO_DEBUG_DIAG,
45			- "sssd/ldap sudoUser '%s' ... MATCH! (%s)", val, user_name);
46			+ if (*val == '+') {
47			+ /* Netgroup spec found, check netgroup membership */
48			+ if (netgr_matches(val, NULL, NULL, handle->pw->pw_name)) {
49			+ ret = true;
50			+ sudo_debug_printf(SUDO_DEBUG_DIAG,
51			+ "sssd/ldap sudoUser '%s' ... MATCH! (%s)", val, handle->pw->pw_name);
52			+ }
53			+ } else {
54			+ /*
55			+ * Non-netgroup sudoUser value
56			+ */
57			+ if (strcmp(val, "ALL") == 0) {
58			+ ret = true;
59			+ } else {
60			+ const char match_val = (val == '!' ? val + 1 : val);
61			+ const bool negated = (*val == '!' ? true : false);
62			+ const bool group_spec = (*match_val == '%' ? true : false);
63			+
64			+ if (group_spec) {
65			+ if (usergr_matches(match_val,
66			+ handle->pw->pw_name, handle->pw)) {
67			+ ret = !negated;
68			+ }
69			+ } else {
70			+ if (userpw_matches(match_val,
71			+ handle->pw->pw_name, handle->pw)) {
72			+ ret = !negated;
73			+ }
74			+ }
75			+ }
76			}
77			}
78			handle->fn_free_values(val_array);
79			- debug_return_bool(netgroup_spec_found ? ret : true);
80			+ debug_return_bool(ret);
81			}
82
83			static int
84			@@ -666,7 +691,7 @@ sudo_sss_result_filterp(struct sudo_sss_
85			debug_decl(sudo_sss_result_filterp, SUDO_DEBUG_SSSD);
86
87			if (sudo_sss_check_host(handle, rule) &&
88			- sudo_sss_filter_user_netgroup(handle, rule))
89			+ sudo_sss_filter_sudoUser(handle, rule))
90			debug_return_int(1);
91			else
92			debug_return_int(0);