Revision: 26028 http://sourceforge.net/p/gar/code/26028 Author: dmichelsen Date: 2016-11-09 08:03:11 +0000 (Wed, 09 Nov 2016) Log Message: ----------- sudo/trunk: Add patch for sudo_ldap
Modified Paths: -------------- csw/mgar/pkg/sudo/trunk/Makefile Added Paths: ----------- csw/mgar/pkg/sudo/trunk/files/40cbd5790106 Modified: csw/mgar/pkg/sudo/trunk/Makefile =================================================================== --- csw/mgar/pkg/sudo/trunk/Makefile 2016-11-08 13:41:51 UTC (rev 26027) +++ csw/mgar/pkg/sudo/trunk/Makefile 2016-11-09 08:03:11 UTC (rev 26028) @@ -21,6 +21,10 @@ DISTFILES += sudo.conf.CSW DISTFILES += map.sudo +# Use patch until this is fixed: +# https://www.sudo.ws/pipermail/sudo-users/2016-November/005855.html +PATCHFILES += 40cbd5790106 + LICENSE = doc/LICENSE VENDOR_URL = http://www.sudo.ws Added: csw/mgar/pkg/sudo/trunk/files/40cbd5790106 =================================================================== --- csw/mgar/pkg/sudo/trunk/files/40cbd5790106 (rev 0) +++ csw/mgar/pkg/sudo/trunk/files/40cbd5790106 2016-11-09 08:03:11 UTC (rev 26028) 
@@ -0,0 +1,121 @@
+
+# HG changeset patch
+# User Todd C. Miller <todd.mil...@courtesan.com>
+# Date 1478640923 25200
+# Node ID 40cbd579010615597370933e1c66ca4627e9095a
+# Parent 6b64a8e3a19dbb6a3ed48b0751f1a6eeaf290d24
+Fix a bug in host matching where a negated sudoHost entry would
+prevent other sudoHosts following it from matching.
+
+diff -r 6b64a8e3a19d -r 40cbd5790106 plugins/sudoers/ldap.c
+--- a/plugins/sudoers/ldap.c Tue Nov 08 12:58:28 2016 -0700
++++ b/plugins/sudoers/ldap.c Tue Nov 08 14:35:23 2016 -0700
+@@ -722,20 +722,21 @@
+ {
+ struct berval **bv, **p;
+ char *val;
+- bool ret = false;
+- bool foundbang = false;
++ int matched = UNSPEC;
+ debug_decl(sudo_ldap_check_host, SUDOERS_DEBUG_LDAP)
+
+ if (!entry)
+- debug_return_bool(ret);
++ debug_return_bool(false);
+
+ /* get the values from the entry */
+ bv = ldap_get_values_len(ld, entry, "sudoHost");
+ if (bv == NULL)
+- debug_return_bool(ret);
++ debug_return_bool(false);
+
+ /* walk through values */
+- for (p = bv; *p != NULL && !foundbang; p++) {
++ for (p = bv; *p != NULL && matched != false; p++) {
++ bool foundbang = false;
++
+ val = (*p)->bv_val;
+
+ if (*val == '!') {
+@@ -747,14 +748,17 @@
+ if (strcmp(val, "ALL") == 0 || addr_matches(val) ||
+ netgr_matches(val, user_runhost, user_srunhost,
+ def_netgroup_tuple ? pw->pw_name : NULL) ||
+- hostname_matches(user_srunhost, user_runhost, val))
+- ret = !foundbang;
+- DPRINTF2("ldap sudoHost '%s' ... %s", val, ret ? "MATCH!" : "not");
++ hostname_matches(user_srunhost, user_runhost, val)) {
++
++ matched = foundbang ? false : true;
++ }
++ DPRINTF2("ldap sudoHost '%s' ... %s",
++ val, matched == true ? "MATCH!" : "not");
+ }
+
+ ldap_value_free_len(bv); /* cleanup */
+
+- debug_return_bool(ret);
++ debug_return_bool(matched == true);
+ }
+
+ static int
+diff -r 6b64a8e3a19d -r 40cbd5790106 plugins/sudoers/sssd.c
+--- a/plugins/sudoers/sssd.c Tue Nov 08 12:58:28 2016 -0700
++++ b/plugins/sudoers/sssd.c Tue Nov 08 14:35:23 2016 -0700
+@@ -741,13 +741,12 @@
+ sudo_sss_check_host(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)
+ {
+ char **val_array, *val;
+- bool ret = false;
+- bool foundbang = false;
++ int matched = UNSPEC;
+ int i;
+ debug_decl(sudo_sss_check_host, SUDOERS_DEBUG_SSSD);
+
+ if (rule == NULL)
+- debug_return_bool(ret);
++ debug_return_bool(false);
+
+ /* get the values from the rule */
+ switch (handle->fn_get_values(rule, "sudoHost", &val_array)) {
+@@ -758,11 +757,13 @@
+ debug_return_bool(false);
+ default:
+ sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoHost): != 0");
+- debug_return_bool(ret);
++ debug_return_bool(false);
+ }
+
+ /* walk through values */
+- for (i = 0; val_array[i] != NULL && !foundbang; ++i) {
++ for (i = 0; val_array[i] != NULL && matched != false; ++i) {
++ bool foundbang = false;
++
+ val = val_array[i];
+ sudo_debug_printf(SUDO_DEBUG_DEBUG, "val[%d]=%s", i, val);
+
+@@ -775,16 +776,18 @@
+ if (strcmp(val, "ALL") == 0 || addr_matches(val) ||
+ netgr_matches(val, handle->host, handle->shost,
+ def_netgroup_tuple ? handle->pw->pw_name : NULL) ||
+- hostname_matches(handle->shost, handle->host, val))
+- ret = !foundbang;
++ hostname_matches(handle->shost, handle->host, val)) {
+
+- sudo_debug_printf(SUDO_DEBUG_INFO,
+- "sssd/ldap sudoHost '%s' ... %s", val, ret ? "MATCH!" : "not");
++ matched = foundbang ? false : true;
++ }
++
++ sudo_debug_printf(SUDO_DEBUG_INFO, "sssd/ldap sudoHost '%s' ... %s",
++ val, matched == true ? "MATCH!" : "not");
+ }
+
+ handle->fn_free_values(val_array);
+
+- debug_return_bool(ret);
++ debug_return_bool(matched == true);
+ }
+
+ /*
+
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
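Review bot: The debug output at the bottom of both loops (the DPRINTF2 call in sudo_ldap_check_host and the sudo_debug_printf call in sudo_sss_check_host) prints the running `matched` state rather than the result for the sudoHost value just tested, so once one value has matched, every later non-matching value is also logged as "MATCH!", and a value that matched with a leading `!` is logged as "not". These lines are what an administrator reads when auditing why a rule did or did not apply to a host, so I would hold the result of the four-way test in a per-iteration local such as `bool hit` and log `hit ? "MATCH!" : "not"` together with whether the value was negated. A one-line comment above each loop, for example `/* a matching negated sudoHost ends the walk and overrides any earlier match */`, would also record that a negated match wins regardless of the order in which the directory returns the values. Both functions begin or end outside the quoted hunks, so this is based only on the lines shown.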