sudo/sme9/sudo-1.8.6p3-netgrfilterfix.patch

diff -up sudo-1.8.6p3/plugins/sudoers/sssd.c.netgrfilterfix sudo-1.8.6p3/plugins/sudoers/sssd.c
--- sudo-1.8.6p3/plugins/sudoers/sssd.c.netgrfilterfix  2014-07-30 13:29:47.713823996 +0200
+++ sudo-1.8.6p3/plugins/sudoers/sssd.c 2014-07-30 13:30:08.917436088 +0200
@@ -614,16 +615,13 @@ sudo_sss_check_host(struct sudo_sss_hand
 }
 
 /*
- * Look for netgroup specifcations in the sudoUser attribute and
- * if found, filter according to netgroup membership.
- *  returns:
- *   true -> netgroup spec found && negroup member
- *  false -> netgroup spec found && not a meber of netgroup
- *   true -> netgroup spec not found (filtered by SSSD already, netgroups are an exception)
+ * SSSD doesn't handle netgroups, we have to ensure they are correctly filtered
+ * in sudo. The rules may contain mixed sudoUser specification so we have to check
+ * not only for netgroup membership but also for user and group matches.
  */
-bool sudo_sss_filter_user_netgroup(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
+bool sudo_sss_filter_sudoUser(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
 {
-       bool ret = false, netgroup_spec_found = false;
+       bool ret = false;
        char **val_array, *val;
        int i;
        debug_decl(sudo_sss_check_user_netgroup, SUDO_DEBUG_SSSD);
@@ -641,21 +639,48 @@ bool sudo_sss_filter_user_netgroup(struc
                        sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoUser): != 0");
                        debug_return_bool(ret);
        }
-
+       /*
+        * Scan sudoUser values and look for netgroup specs.
+        * Netgroup-only rule specification should be filtered
+        * out if the user isn't member of any specified netgroup.
+        */
        for (i = 0; val_array[i] != NULL && !ret; ++i) {
                val = val_array[i];
-               if (*val == '+') {
-                       netgroup_spec_found = true;
-               }
                sudo_debug_printf(SUDO_DEBUG_DEBUG, "val[%d]=%s", i, val);
-               if (strcmp(val, "ALL") == 0 || netgr_matches(val, NULL, NULL, user_name)) {
-                       ret = true;
-                       sudo_debug_printf(SUDO_DEBUG_DIAG,
-                                         "sssd/ldap sudoUser '%s' ... MATCH! (%s)", val, user_name);
+               if (*val == '+') {
+                       /* Netgroup spec found, check netgroup membership */
+                       if (netgr_matches(val, NULL, NULL, handle->pw->pw_name)) {
+                               ret = true;
+                               sudo_debug_printf(SUDO_DEBUG_DIAG,
+                                                 "sssd/ldap sudoUser '%s' ... MATCH! (%s)", val, handle->pw->pw_name);
+                       }
+               } else {
+                       /*
+                        * Non-netgroup sudoUser value
+                        */
+                       if (strcmp(val, "ALL") == 0) {
+                               ret = true;
+                       } else {
+                               const char *match_val = (*val == '!' ? val + 1 : val);
+                               const bool negated = (*val == '!' ? true : false);
+                               const bool group_spec = (*match_val == '%' ? true : false);
+
+                               if (group_spec) {
+                                       if (usergr_matches(match_val,
+                                                          handle->pw->pw_name, handle->pw)) {
+                                               ret = !negated;
+                                       }
+                               } else {
+                                       if (userpw_matches(match_val,
+                                                          handle->pw->pw_name, handle->pw)) {
+                                               ret = !negated;
+                                       }
+                               }
+                       }
                }
        }
        handle->fn_free_values(val_array);
-       debug_return_bool(netgroup_spec_found ? ret : true);
+       debug_return_bool(ret);
 }
 
 static int
@@ -666,7 +691,7 @@ sudo_sss_result_filterp(struct sudo_sss_
     debug_decl(sudo_sss_result_filterp, SUDO_DEBUG_SSSD);
 
     if (sudo_sss_check_host(handle, rule) &&
-        sudo_sss_filter_user_netgroup(handle, rule))
+        sudo_sss_filter_sudoUser(handle, rule))
        debug_return_int(1);
     else
        debug_return_int(0);
1	diff -up sudo-1.8.6p3/plugins/sudoers/sssd.c.netgrfilterfix sudo-1.8.6p3/plugins/sudoers/sssd.c
2	--- sudo-1.8.6p3/plugins/sudoers/sssd.c.netgrfilterfix 2014-07-30 13:29:47.713823996 +0200
3	+++ sudo-1.8.6p3/plugins/sudoers/sssd.c 2014-07-30 13:30:08.917436088 +0200
4	@@ -614,16 +615,13 @@ sudo_sss_check_host(struct sudo_sss_hand
5	}
6
7	/*
8	- * Look for netgroup specifcations in the sudoUser attribute and
9	- * if found, filter according to netgroup membership.
10	- * returns:
11	- * true -> netgroup spec found && negroup member
12	- * false -> netgroup spec found && not a meber of netgroup
13	- * true -> netgroup spec not found (filtered by SSSD already, netgroups are an exception)
14	+ * SSSD doesn't handle netgroups, we have to ensure they are correctly filtered
15	+ * in sudo. The rules may contain mixed sudoUser specification so we have to check
16	+ * not only for netgroup membership but also for user and group matches.
17	*/
18	-bool sudo_sss_filter_user_netgroup(struct sudo_sss_handle handle, struct sss_sudo_rule rule)
19	+bool sudo_sss_filter_sudoUser(struct sudo_sss_handle handle, struct sss_sudo_rule rule)
20	{
21	- bool ret = false, netgroup_spec_found = false;
22	+ bool ret = false;
23	char *val_array, val;
24	int i;
25	debug_decl(sudo_sss_check_user_netgroup, SUDO_DEBUG_SSSD);
26	@@ -641,21 +639,48 @@ bool sudo_sss_filter_user_netgroup(struc
27	sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoUser): != 0");
28	debug_return_bool(ret);
29	}
30	-
31	+ /*
32	+ * Scan sudoUser values and look for netgroup specs.
33	+ * Netgroup-only rule specification should be filtered
34	+ * out if the user isn't member of any specified netgroup.
35	+ */
36	for (i = 0; val_array[i] != NULL && !ret; ++i) {
37	val = val_array[i];
38	- if (*val == '+') {
39	- netgroup_spec_found = true;
40	- }
41	sudo_debug_printf(SUDO_DEBUG_DEBUG, "val[%d]=%s", i, val);
42	- if (strcmp(val, "ALL") == 0 \|\| netgr_matches(val, NULL, NULL, user_name)) {
43	- ret = true;
44	- sudo_debug_printf(SUDO_DEBUG_DIAG,
45	- "sssd/ldap sudoUser '%s' ... MATCH! (%s)", val, user_name);
46	+ if (*val == '+') {
47	+ /* Netgroup spec found, check netgroup membership */
48	+ if (netgr_matches(val, NULL, NULL, handle->pw->pw_name)) {
49	+ ret = true;
50	+ sudo_debug_printf(SUDO_DEBUG_DIAG,
51	+ "sssd/ldap sudoUser '%s' ... MATCH! (%s)", val, handle->pw->pw_name);
52	+ }
53	+ } else {
54	+ /*
55	+ * Non-netgroup sudoUser value
56	+ */
57	+ if (strcmp(val, "ALL") == 0) {
58	+ ret = true;
59	+ } else {
60	+ const char match_val = (val == '!' ? val + 1 : val);
61	+ const bool negated = (*val == '!' ? true : false);
62	+ const bool group_spec = (*match_val == '%' ? true : false);
63	+
64	+ if (group_spec) {
65	+ if (usergr_matches(match_val,
66	+ handle->pw->pw_name, handle->pw)) {
67	+ ret = !negated;
68	+ }
69	+ } else {
70	+ if (userpw_matches(match_val,
71	+ handle->pw->pw_name, handle->pw)) {
72	+ ret = !negated;
73	+ }
74	+ }
75	+ }
76	}
77	}
78	handle->fn_free_values(val_array);
79	- debug_return_bool(netgroup_spec_found ? ret : true);
80	+ debug_return_bool(ret);
81	}
82
83	static int
84	@@ -666,7 +691,7 @@ sudo_sss_result_filterp(struct sudo_sss_
85	debug_decl(sudo_sss_result_filterp, SUDO_DEBUG_SSSD);
86
87	if (sudo_sss_check_host(handle, rule) &&
88	- sudo_sss_filter_user_netgroup(handle, rule))
89	+ sudo_sss_filter_sudoUser(handle, rule))
90	debug_return_int(1);
91	else
92	debug_return_int(0);