sudo/sme9/sudo-1.8.6p3-sudoorderfix.patch

diff -up sudo-1.8.6p3/common/sudo_debug.c.sudoorderfix sudo-1.8.6p3/common/sudo_debug.c
--- sudo-1.8.6p3/common/sudo_debug.c.sudoorderfix       2015-02-27 19:00:15.546968602 +0100
+++ sudo-1.8.6p3/common/sudo_debug.c    2015-02-27 19:01:33.966134891 +0100
@@ -272,6 +272,13 @@ void sudo_debug_exit_ptr(const char *fun
        "<- %s @ %s:%d := %p", func, file, line, rval);
 }
 
+void sudo_debug_exit_double(const char *func, const char *file, int line,
+    int subsys, double rval)
+{
+    sudo_debug_printf2(NULL, NULL, 0, subsys | SUDO_DEBUG_TRACE,
+       "<- %s @ %s:%d := %f", func, file, line, rval);
+}
+
 static void
 sudo_debug_write_conv(const char *func, const char *file, int lineno,
     const char *str, int len, int errno_val)
diff -up sudo-1.8.6p3/include/sudo_debug.h.sudoorderfix sudo-1.8.6p3/include/sudo_debug.h
--- sudo-1.8.6p3/include/sudo_debug.h.sudoorderfix      2015-02-27 18:57:26.015770964 +0100
+++ sudo-1.8.6p3/include/sudo_debug.h   2015-02-27 18:59:27.375480734 +0100
@@ -166,6 +166,14 @@
        return (void *)sudo_debug_rval;                                        \
     } while (0)
 
+#define debug_return_double(rval)                                              \
+    do {                                                                       \
+       double sudo_debug_rval = (rval);                                        \
+       sudo_debug_exit_double(__func__, __FILE__, __LINE__, sudo_debug_subsys, \
+           sudo_debug_rval);                                                   \
+       return sudo_debug_rval;                                                 \
+    } while (0)
+
 /*
  * Variadic macros are a C99 feature but GNU cpp has supported
  * a (different) version of them for a long time.
@@ -193,6 +201,7 @@ void sudo_debug_enter(const char *func,
 void sudo_debug_execve2(int level, const char *path, char *const argv[], char *const envp[]);
 void sudo_debug_exit(const char *func, const char *file, int line, int subsys);
 void sudo_debug_exit_int(const char *func, const char *file, int line, int subsys, int rval);
+void sudo_debug_exit_double(const char *func, const char *file, int line, int subsys, double rval);
 void sudo_debug_exit_long(const char *func, const char *file, int line, int subsys, long rval);
 void sudo_debug_exit_size_t(const char *func, const char *file, int line, int subsys, size_t rval);
 void sudo_debug_exit_bool(const char *func, const char *file, int line, int subsys, int rval);
diff -up sudo-1.8.6p3/plugins/sudoers/sssd.c.sudoorderfix sudo-1.8.6p3/plugins/sudoers/sssd.c
--- sudo-1.8.6p3/plugins/sudoers/sssd.c.sudoorderfix    2015-02-27 18:53:18.259404975 +0100
+++ sudo-1.8.6p3/plugins/sudoers/sssd.c 2015-02-27 19:04:10.217473712 +0100
@@ -696,6 +696,74 @@ sudo_sss_result_filterp(struct sudo_sss_
        debug_return_int(0);
 }
 
+static double sudo_sss_rule_get_sudoOrder(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
+{
+  char **val_array = NULL;
+  int i;
+
+  debug_decl(sudo_sss_rule_get_sudoOrder, SUDO_DEBUG_SSSD);
+
+  if (!rule) {
+    debug_return_double(-1);
+  }
+
+  switch (handle->fn_get_values(rule, "sudoOrder", &val_array)) {
+  case 0:
+    break;
+  case ENOENT:
+    /* default sudoOrder is 0 */
+    debug_return_double(0);
+  default:
+    sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoUser): != 0");
+    debug_return_double(-1);
+  }
+
+  if (val_array == NULL) {
+    sudo_debug_printf(SUDO_DEBUG_DEBUG,
+                     "BUG: val_array not allocated after a successful call to fn_get_values");
+    debug_return_double(-1);
+  }
+
+  /* Use the last sudoOrder value if there are more than one */
+  i = 0;
+  while (val_array[i] != NULL) {
+    if (val_array[i+1] == NULL) {
+      sudo_debug_printf(SUDO_DEBUG_DEBUG, "using sudoOrder value \"%s\"", val_array[i]);
+      double val = atof(val_array[i]);
+      handle->fn_free_values(val_array);
+      debug_return_double(val);
+    }
+    ++i;
+  }
+
+  /* We should get here in a normal case */
+  handle->fn_free_values(val_array);
+  sudo_debug_printf(SUDO_DEBUG_DEBUG,
+                   "fn_get_values call was successful but no values were stored in the array!");
+  debug_return_double(0);
+}
+
+static int sudo_sss_rule_order_compare(const void *a, const void *b, void *arg)
+{
+  struct sudo_sss_handle *handle = (struct sudo_sss_handle *)arg;
+  struct sss_sudo_rule *rule_a = (struct sss_sudo_rule *)a;
+  struct sss_sudo_rule *rule_b = (struct sss_sudo_rule *)b;
+  debug_decl(sudo_sss_rule_order_compare, SUDO_DEBUG_SSSD);
+
+  const double a_order = sudo_sss_rule_get_sudoOrder(handle, rule_a);
+  const double b_order = sudo_sss_rule_get_sudoOrder(handle, rule_b);
+
+  if (a_order > b_order) {
+    debug_return_int(-1);
+  }
+  else if (a_order < b_order) {
+    debug_return_int(1);
+  }
+  else {
+    debug_return_int(0);
+  }
+}
+
 static struct sss_sudo_result *
 sudo_sss_result_get(struct sudo_nss *nss, struct passwd *pw, uint32_t *state)
 {
@@ -761,6 +829,12 @@ sudo_sss_result_get(struct sudo_nss *nss
        "u_sss_result=(%p, %u) => f_sss_result=(%p, %u)", u_sss_result,
        u_sss_result->num_rules, f_sss_result, f_sss_result->num_rules);
 
+    sudo_debug_printf(SUDO_DEBUG_INFO,
+                     "Sorting the remaining entries using the sudoOrder attribute");
+
+    qsort_r(f_sss_result->rules, f_sss_result->num_rules, sizeof(f_sss_result->rules[0]),
+           sudo_sss_rule_order_compare, handle);
+
     handle->fn_free_result(u_sss_result);
 
     debug_return_ptr(f_sss_result);
1	jpp	1.1	diff -up sudo-1.8.6p3/common/sudo_debug.c.sudoorderfix sudo-1.8.6p3/common/sudo_debug.c
2			--- sudo-1.8.6p3/common/sudo_debug.c.sudoorderfix 2015-02-27 19:00:15.546968602 +0100
3			+++ sudo-1.8.6p3/common/sudo_debug.c 2015-02-27 19:01:33.966134891 +0100
4			@@ -272,6 +272,13 @@ void sudo_debug_exit_ptr(const char *fun
5			"<- %s @ %s:%d := %p", func, file, line, rval);
6			}
7
8			+void sudo_debug_exit_double(const char func, const char file, int line,
9			+ int subsys, double rval)
10			+{
11			+ sudo_debug_printf2(NULL, NULL, 0, subsys \| SUDO_DEBUG_TRACE,
12			+ "<- %s @ %s:%d := %f", func, file, line, rval);
13			+}
14			+
15			static void
16			sudo_debug_write_conv(const char func, const char file, int lineno,
17			const char *str, int len, int errno_val)
18			diff -up sudo-1.8.6p3/include/sudo_debug.h.sudoorderfix sudo-1.8.6p3/include/sudo_debug.h
19			--- sudo-1.8.6p3/include/sudo_debug.h.sudoorderfix 2015-02-27 18:57:26.015770964 +0100
20			+++ sudo-1.8.6p3/include/sudo_debug.h 2015-02-27 18:59:27.375480734 +0100
21			@@ -166,6 +166,14 @@
22			return (void *)sudo_debug_rval; \
23			} while (0)
24
25			+#define debug_return_double(rval) \
26			+ do { \
27			+ double sudo_debug_rval = (rval); \
28			+ sudo_debug_exit_double(__func__, __FILE__, __LINE__, sudo_debug_subsys, \
29			+ sudo_debug_rval); \
30			+ return sudo_debug_rval; \
31			+ } while (0)
32			+
33			/*
34			* Variadic macros are a C99 feature but GNU cpp has supported
35			* a (different) version of them for a long time.
36			@@ -193,6 +201,7 @@ void sudo_debug_enter(const char *func,
37			void sudo_debug_execve2(int level, const char path, char const argv[], char *const envp[]);
38			void sudo_debug_exit(const char func, const char file, int line, int subsys);
39			void sudo_debug_exit_int(const char func, const char file, int line, int subsys, int rval);
40			+void sudo_debug_exit_double(const char func, const char file, int line, int subsys, double rval);
41			void sudo_debug_exit_long(const char func, const char file, int line, int subsys, long rval);
42			void sudo_debug_exit_size_t(const char func, const char file, int line, int subsys, size_t rval);
43			void sudo_debug_exit_bool(const char func, const char file, int line, int subsys, int rval);
44			diff -up sudo-1.8.6p3/plugins/sudoers/sssd.c.sudoorderfix sudo-1.8.6p3/plugins/sudoers/sssd.c
45			--- sudo-1.8.6p3/plugins/sudoers/sssd.c.sudoorderfix 2015-02-27 18:53:18.259404975 +0100
46			+++ sudo-1.8.6p3/plugins/sudoers/sssd.c 2015-02-27 19:04:10.217473712 +0100
47			@@ -696,6 +696,74 @@ sudo_sss_result_filterp(struct sudo_sss_
48			debug_return_int(0);
49			}
50
51			+static double sudo_sss_rule_get_sudoOrder(struct sudo_sss_handle handle, struct sss_sudo_rule rule)
52			+{
53			+ char **val_array = NULL;
54			+ int i;
55			+
56			+ debug_decl(sudo_sss_rule_get_sudoOrder, SUDO_DEBUG_SSSD);
57			+
58			+ if (!rule) {
59			+ debug_return_double(-1);
60			+ }
61			+
62			+ switch (handle->fn_get_values(rule, "sudoOrder", &val_array)) {
63			+ case 0:
64			+ break;
65			+ case ENOENT:
66			+ /* default sudoOrder is 0 */
67			+ debug_return_double(0);
68			+ default:
69			+ sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoUser): != 0");
70			+ debug_return_double(-1);
71			+ }
72			+
73			+ if (val_array == NULL) {
74			+ sudo_debug_printf(SUDO_DEBUG_DEBUG,
75			+ "BUG: val_array not allocated after a successful call to fn_get_values");
76			+ debug_return_double(-1);
77			+ }
78			+
79			+ /* Use the last sudoOrder value if there are more than one */
80			+ i = 0;
81			+ while (val_array[i] != NULL) {
82			+ if (val_array[i+1] == NULL) {
83			+ sudo_debug_printf(SUDO_DEBUG_DEBUG, "using sudoOrder value \"%s\"", val_array[i]);
84			+ double val = atof(val_array[i]);
85			+ handle->fn_free_values(val_array);
86			+ debug_return_double(val);
87			+ }
88			+ ++i;
89			+ }
90			+
91			+ /* We should get here in a normal case */
92			+ handle->fn_free_values(val_array);
93			+ sudo_debug_printf(SUDO_DEBUG_DEBUG,
94			+ "fn_get_values call was successful but no values were stored in the array!");
95			+ debug_return_double(0);
96			+}
97			+
98			+static int sudo_sss_rule_order_compare(const void a, const void b, void *arg)
99			+{
100			+ struct sudo_sss_handle handle = (struct sudo_sss_handle )arg;
101			+ struct sss_sudo_rule rule_a = (struct sss_sudo_rule )a;
102			+ struct sss_sudo_rule rule_b = (struct sss_sudo_rule )b;
103			+ debug_decl(sudo_sss_rule_order_compare, SUDO_DEBUG_SSSD);
104			+
105			+ const double a_order = sudo_sss_rule_get_sudoOrder(handle, rule_a);
106			+ const double b_order = sudo_sss_rule_get_sudoOrder(handle, rule_b);
107			+
108			+ if (a_order > b_order) {
109			+ debug_return_int(-1);
110			+ }
111			+ else if (a_order < b_order) {
112			+ debug_return_int(1);
113			+ }
114			+ else {
115			+ debug_return_int(0);
116			+ }
117			+}
118			+
119			static struct sss_sudo_result *
120			sudo_sss_result_get(struct sudo_nss nss, struct passwd pw, uint32_t *state)
121			{
122			@@ -761,6 +829,12 @@ sudo_sss_result_get(struct sudo_nss *nss
123			"u_sss_result=(%p, %u) => f_sss_result=(%p, %u)", u_sss_result,
124			u_sss_result->num_rules, f_sss_result, f_sss_result->num_rules);
125
126			+ sudo_debug_printf(SUDO_DEBUG_INFO,
127			+ "Sorting the remaining entries using the sudoOrder attribute");
128			+
129			+ qsort_r(f_sss_result->rules, f_sss_result->num_rules, sizeof(f_sss_result->rules[0]),
130			+ sudo_sss_rule_order_compare, handle);
131			+
132			handle->fn_free_result(u_sss_result);
133
134			debug_return_ptr(f_sss_result);