sudo/sme9/sudo-1.8.6p3-sudoorderfix.patch

diff -up sudo-1.8.6p3/common/sudo_debug.c.sudoorderfix sudo-1.8.6p3/common/sudo_debug.c
--- sudo-1.8.6p3/common/sudo_debug.c.sudoorderfix       2015-02-27 19:00:15.546968602 +0100
+++ sudo-1.8.6p3/common/sudo_debug.c    2015-02-27 19:01:33.966134891 +0100
@@ -272,6 +272,13 @@ void sudo_debug_exit_ptr(const char *fun
        "<- %s @ %s:%d := %p", func, file, line, rval);
 }
 
+void sudo_debug_exit_double(const char *func, const char *file, int line,
+    int subsys, double rval)
+{
+    sudo_debug_printf2(NULL, NULL, 0, subsys | SUDO_DEBUG_TRACE,
+       "<- %s @ %s:%d := %f", func, file, line, rval);
+}
+
 static void
 sudo_debug_write_conv(const char *func, const char *file, int lineno,
     const char *str, int len, int errno_val)
diff -up sudo-1.8.6p3/include/sudo_debug.h.sudoorderfix sudo-1.8.6p3/include/sudo_debug.h
--- sudo-1.8.6p3/include/sudo_debug.h.sudoorderfix      2015-02-27 18:57:26.015770964 +0100
+++ sudo-1.8.6p3/include/sudo_debug.h   2015-02-27 18:59:27.375480734 +0100
@@ -166,6 +166,14 @@
        return (void *)sudo_debug_rval;                                        \
     } while (0)
 
+#define debug_return_double(rval)                                              \
+    do {                                                                       \
+       double sudo_debug_rval = (rval);                                        \
+       sudo_debug_exit_double(__func__, __FILE__, __LINE__, sudo_debug_subsys, \
+           sudo_debug_rval);                                                   \
+       return sudo_debug_rval;                                                 \
+    } while (0)
+
 /*
  * Variadic macros are a C99 feature but GNU cpp has supported
  * a (different) version of them for a long time.
@@ -193,6 +201,7 @@ void sudo_debug_enter(const char *func,
 void sudo_debug_execve2(int level, const char *path, char *const argv[], char *const envp[]);
 void sudo_debug_exit(const char *func, const char *file, int line, int subsys);
 void sudo_debug_exit_int(const char *func, const char *file, int line, int subsys, int rval);
+void sudo_debug_exit_double(const char *func, const char *file, int line, int subsys, double rval);
 void sudo_debug_exit_long(const char *func, const char *file, int line, int subsys, long rval);
 void sudo_debug_exit_size_t(const char *func, const char *file, int line, int subsys, size_t rval);
 void sudo_debug_exit_bool(const char *func, const char *file, int line, int subsys, int rval);
diff -up sudo-1.8.6p3/plugins/sudoers/sssd.c.sudoorderfix sudo-1.8.6p3/plugins/sudoers/sssd.c
--- sudo-1.8.6p3/plugins/sudoers/sssd.c.sudoorderfix    2015-02-27 18:53:18.259404975 +0100
+++ sudo-1.8.6p3/plugins/sudoers/sssd.c 2015-02-27 19:04:10.217473712 +0100
@@ -696,6 +696,74 @@ sudo_sss_result_filterp(struct sudo_sss_
        debug_return_int(0);
 }
 
+static double sudo_sss_rule_get_sudoOrder(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
+{
+  char **val_array = NULL;
+  int i;
+
+  debug_decl(sudo_sss_rule_get_sudoOrder, SUDO_DEBUG_SSSD);
+
+  if (!rule) {
+    debug_return_double(-1);
+  }
+
+  switch (handle->fn_get_values(rule, "sudoOrder", &val_array)) {
+  case 0:
+    break;
+  case ENOENT:
+    /* default sudoOrder is 0 */
+    debug_return_double(0);
+  default:
+    sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoUser): != 0");
+    debug_return_double(-1);
+  }
+
+  if (val_array == NULL) {
+    sudo_debug_printf(SUDO_DEBUG_DEBUG,
+                     "BUG: val_array not allocated after a successful call to fn_get_values");
+    debug_return_double(-1);
+  }
+
+  /* Use the last sudoOrder value if there are more than one */
+  i = 0;
+  while (val_array[i] != NULL) {
+    if (val_array[i+1] == NULL) {
+      sudo_debug_printf(SUDO_DEBUG_DEBUG, "using sudoOrder value \"%s\"", val_array[i]);
+      double val = atof(val_array[i]);
+      handle->fn_free_values(val_array);
+      debug_return_double(val);
+    }
+    ++i;
+  }
+
+  /* We should get here in a normal case */
+  handle->fn_free_values(val_array);
+  sudo_debug_printf(SUDO_DEBUG_DEBUG,
+                   "fn_get_values call was successful but no values were stored in the array!");
+  debug_return_double(0);
+}
+
+static int sudo_sss_rule_order_compare(const void *a, const void *b, void *arg)
+{
+  struct sudo_sss_handle *handle = (struct sudo_sss_handle *)arg;
+  struct sss_sudo_rule *rule_a = (struct sss_sudo_rule *)a;
+  struct sss_sudo_rule *rule_b = (struct sss_sudo_rule *)b;
+  debug_decl(sudo_sss_rule_order_compare, SUDO_DEBUG_SSSD);
+
+  const double a_order = sudo_sss_rule_get_sudoOrder(handle, rule_a);
+  const double b_order = sudo_sss_rule_get_sudoOrder(handle, rule_b);
+
+  if (a_order > b_order) {
+    debug_return_int(-1);
+  }
+  else if (a_order < b_order) {
+    debug_return_int(1);
+  }
+  else {
+    debug_return_int(0);
+  }
+}
+
 static struct sss_sudo_result *
 sudo_sss_result_get(struct sudo_nss *nss, struct passwd *pw, uint32_t *state)
 {
@@ -761,6 +829,12 @@ sudo_sss_result_get(struct sudo_nss *nss
        "u_sss_result=(%p, %u) => f_sss_result=(%p, %u)", u_sss_result,
        u_sss_result->num_rules, f_sss_result, f_sss_result->num_rules);
 
+    sudo_debug_printf(SUDO_DEBUG_INFO,
+                     "Sorting the remaining entries using the sudoOrder attribute");
+
+    qsort_r(f_sss_result->rules, f_sss_result->num_rules, sizeof(f_sss_result->rules[0]),
+           sudo_sss_rule_order_compare, handle);
+
     handle->fn_free_result(u_sss_result);
 
     debug_return_ptr(f_sss_result);
1	diff -up sudo-1.8.6p3/common/sudo_debug.c.sudoorderfix sudo-1.8.6p3/common/sudo_debug.c
2	--- sudo-1.8.6p3/common/sudo_debug.c.sudoorderfix 2015-02-27 19:00:15.546968602 +0100
3	+++ sudo-1.8.6p3/common/sudo_debug.c 2015-02-27 19:01:33.966134891 +0100
4	@@ -272,6 +272,13 @@ void sudo_debug_exit_ptr(const char *fun
5	"<- %s @ %s:%d := %p", func, file, line, rval);
6	}
7
8	+void sudo_debug_exit_double(const char func, const char file, int line,
9	+ int subsys, double rval)
10	+{
11	+ sudo_debug_printf2(NULL, NULL, 0, subsys \| SUDO_DEBUG_TRACE,
12	+ "<- %s @ %s:%d := %f", func, file, line, rval);
13	+}
14	+
15	static void
16	sudo_debug_write_conv(const char func, const char file, int lineno,
17	const char *str, int len, int errno_val)
18	diff -up sudo-1.8.6p3/include/sudo_debug.h.sudoorderfix sudo-1.8.6p3/include/sudo_debug.h
19	--- sudo-1.8.6p3/include/sudo_debug.h.sudoorderfix 2015-02-27 18:57:26.015770964 +0100
20	+++ sudo-1.8.6p3/include/sudo_debug.h 2015-02-27 18:59:27.375480734 +0100
21	@@ -166,6 +166,14 @@
22	return (void *)sudo_debug_rval; \
23	} while (0)
24
25	+#define debug_return_double(rval) \
26	+ do { \
27	+ double sudo_debug_rval = (rval); \
28	+ sudo_debug_exit_double(__func__, __FILE__, __LINE__, sudo_debug_subsys, \
29	+ sudo_debug_rval); \
30	+ return sudo_debug_rval; \
31	+ } while (0)
32	+
33	/*
34	* Variadic macros are a C99 feature but GNU cpp has supported
35	* a (different) version of them for a long time.
36	@@ -193,6 +201,7 @@ void sudo_debug_enter(const char *func,
37	void sudo_debug_execve2(int level, const char path, char const argv[], char *const envp[]);
38	void sudo_debug_exit(const char func, const char file, int line, int subsys);
39	void sudo_debug_exit_int(const char func, const char file, int line, int subsys, int rval);
40	+void sudo_debug_exit_double(const char func, const char file, int line, int subsys, double rval);
41	void sudo_debug_exit_long(const char func, const char file, int line, int subsys, long rval);
42	void sudo_debug_exit_size_t(const char func, const char file, int line, int subsys, size_t rval);
43	void sudo_debug_exit_bool(const char func, const char file, int line, int subsys, int rval);
44	diff -up sudo-1.8.6p3/plugins/sudoers/sssd.c.sudoorderfix sudo-1.8.6p3/plugins/sudoers/sssd.c
45	--- sudo-1.8.6p3/plugins/sudoers/sssd.c.sudoorderfix 2015-02-27 18:53:18.259404975 +0100
46	+++ sudo-1.8.6p3/plugins/sudoers/sssd.c 2015-02-27 19:04:10.217473712 +0100
47	@@ -696,6 +696,74 @@ sudo_sss_result_filterp(struct sudo_sss_
48	debug_return_int(0);
49	}
50
51	+static double sudo_sss_rule_get_sudoOrder(struct sudo_sss_handle handle, struct sss_sudo_rule rule)
52	+{
53	+ char **val_array = NULL;
54	+ int i;
55	+
56	+ debug_decl(sudo_sss_rule_get_sudoOrder, SUDO_DEBUG_SSSD);
57	+
58	+ if (!rule) {
59	+ debug_return_double(-1);
60	+ }
61	+
62	+ switch (handle->fn_get_values(rule, "sudoOrder", &val_array)) {
63	+ case 0:
64	+ break;
65	+ case ENOENT:
66	+ /* default sudoOrder is 0 */
67	+ debug_return_double(0);
68	+ default:
69	+ sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoUser): != 0");
70	+ debug_return_double(-1);
71	+ }
72	+
73	+ if (val_array == NULL) {
74	+ sudo_debug_printf(SUDO_DEBUG_DEBUG,
75	+ "BUG: val_array not allocated after a successful call to fn_get_values");
76	+ debug_return_double(-1);
77	+ }
78	+
79	+ /* Use the last sudoOrder value if there are more than one */
80	+ i = 0;
81	+ while (val_array[i] != NULL) {
82	+ if (val_array[i+1] == NULL) {
83	+ sudo_debug_printf(SUDO_DEBUG_DEBUG, "using sudoOrder value \"%s\"", val_array[i]);
84	+ double val = atof(val_array[i]);
85	+ handle->fn_free_values(val_array);
86	+ debug_return_double(val);
87	+ }
88	+ ++i;
89	+ }
90	+
91	+ /* We should get here in a normal case */
92	+ handle->fn_free_values(val_array);
93	+ sudo_debug_printf(SUDO_DEBUG_DEBUG,
94	+ "fn_get_values call was successful but no values were stored in the array!");
95	+ debug_return_double(0);
96	+}
97	+
98	+static int sudo_sss_rule_order_compare(const void a, const void b, void *arg)
99	+{
100	+ struct sudo_sss_handle handle = (struct sudo_sss_handle )arg;
101	+ struct sss_sudo_rule rule_a = (struct sss_sudo_rule )a;
102	+ struct sss_sudo_rule rule_b = (struct sss_sudo_rule )b;
103	+ debug_decl(sudo_sss_rule_order_compare, SUDO_DEBUG_SSSD);
104	+
105	+ const double a_order = sudo_sss_rule_get_sudoOrder(handle, rule_a);
106	+ const double b_order = sudo_sss_rule_get_sudoOrder(handle, rule_b);
107	+
108	+ if (a_order > b_order) {
109	+ debug_return_int(-1);
110	+ }
111	+ else if (a_order < b_order) {
112	+ debug_return_int(1);
113	+ }
114	+ else {
115	+ debug_return_int(0);
116	+ }
117	+}
118	+
119	static struct sss_sudo_result *
120	sudo_sss_result_get(struct sudo_nss nss, struct passwd pw, uint32_t *state)
121	{
122	@@ -761,6 +829,12 @@ sudo_sss_result_get(struct sudo_nss *nss
123	"u_sss_result=(%p, %u) => f_sss_result=(%p, %u)", u_sss_result,
124	u_sss_result->num_rules, f_sss_result, f_sss_result->num_rules);
125
126	+ sudo_debug_printf(SUDO_DEBUG_INFO,
127	+ "Sorting the remaining entries using the sudoOrder attribute");
128	+
129	+ qsort_r(f_sss_result->rules, f_sss_result->num_rules, sizeof(f_sss_result->rules[0]),
130	+ sudo_sss_rule_order_compare, handle);
131	+
132	handle->fn_free_result(u_sss_result);
133
134	debug_return_ptr(f_sss_result);