Hi Dagobert, hi Todd, I have tested the patch that you provided and I can confirm that it works for me. The host entries are matching now and sudo is possible again.
Thanks and Regards, Stefan

-----Original Message-----
From: Dagobert Michelsen [mailto:[email protected]]
Sent: Wednesday, 9 November 2016 09:55
To: Stefan Maass <[email protected]>
Cc: Todd C. Miller <[email protected]>; Sreejith Kuzhivayalil <[email protected]>; [email protected]; [email protected]
Subject: Re: [sudo-users] issue with sudo_ldap

Hi Stefan,

On 09.11.2016 at 09:29, Stefan Maass <[email protected]> wrote:
> Thanks for that info! We however only entered the negated host for a test
> after it did not work and we checked out the manual and saw that negated
> hosts were added in version 1.8.18. It also did not match anything without
> any negated host in the list.

I made new packages with the patch applied which will appear here soon:
http://buildfarm.opencsw.org/experimental.html#sudo

You may want to give them a try.

Best regards — Dago

>
> Regards,
> Stefan
>
> -----Original Message-----
> From: Todd C. Miller [mailto:[email protected]]
> Sent: Tuesday, 8 November 2016 22:37
> To: Stefan Maass <[email protected]>
> Cc: Dagobert Michelsen <[email protected]>; Sreejith Kuzhivayalil
> <[email protected]>; [email protected];
> [email protected]
> Subject: Re: [sudo-users] issue with sudo_ldap
>
> There does appear to be a bug in the host matching where any hosts found
> after a negated host would fail to match. I'm not sure that explains what
> you are seeing though.
>
> I've committed a fix: https://www.sudo.ws/repos/sudo/rev/40cbd5790106
> Below is the same diff based on 1.8.18p1 rather than trunk.
>
> - todd
>
> diff -r abda86e3b777 plugins/sudoers/ldap.c
> --- a/plugins/sudoers/ldap.c Mon Oct 10 09:10:34 2016 -0600
> +++ b/plugins/sudoers/ldap.c Tue Nov 08 14:13:42 2016 -0700
> @@ -721,20 +721,21 @@ > { > struct berval **bv, **p; > char *val; > - bool ret = false; > - bool foundbang = false; > + int matched = UNSPEC; > debug_decl(sudo_ldap_check_host, SUDOERS_DEBUG_LDAP) > > if (!entry) > - debug_return_bool(ret); > + debug_return_bool(false); > > /* get the values from the entry */ > bv = ldap_get_values_len(ld, entry, "sudoHost"); > if (bv == NULL) > - debug_return_bool(ret); > + debug_return_bool(false); > > /* walk through values */ > - for (p = bv; *p != NULL && !foundbang; p++) { > + for (p = bv; *p != NULL && matched != false; p++) { > + bool foundbang = false; > + > val = (*p)->bv_val; > > if (*val == '!') { > @@ -746,14 +747,17 @@ > if (strcmp(val, "ALL") == 0 || addr_matches(val) || > netgr_matches(val, user_runhost, user_srunhost, > def_netgroup_tuple ? pw->pw_name : NULL) || > - hostname_matches(user_srunhost, user_runhost, val)) > - ret = !foundbang; > - DPRINTF2("ldap sudoHost '%s' ... %s", val, ret ? "MATCH!" : "not"); > + hostname_matches(user_srunhost, user_runhost, val)) { > + > + matched = foundbang ? false : true; > + } > + DPRINTF2("ldap sudoHost '%s' ... %s", > + val, matched == true ? "MATCH!" : "not"); > } > > ldap_value_free_len(bv); /* cleanup */ > > - debug_return_bool(ret); > + debug_return_bool(matched == true); > } > > static int > diff -r abda86e3b777 plugins/sudoers/sssd.c > --- a/plugins/sudoers/sssd.c Mon Oct 10 09:10:34 2016 -0600 > +++ b/plugins/sudoers/sssd.c Tue Nov 08 14:13:42 2016 -0700 
> @@ -741,13 +741,12 @@ > sudo_sss_check_host(struct sudo_sss_handle *handle, struct sss_sudo_rule > *rule) { > char **val_array, *val; > - bool ret = false; > - bool foundbang = false; > + int matched = UNSPEC; > int i; > debug_decl(sudo_sss_check_host, SUDOERS_DEBUG_SSSD); > > if (rule == NULL) > - debug_return_bool(ret); > + debug_return_bool(false); > > /* get the values from the rule */ > switch (handle->fn_get_values(rule, "sudoHost", &val_array)) { @@ -758,11 > +757,13 @@ > debug_return_bool(false); > default: > sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoHost): != > 0"); > - debug_return_bool(ret); > + debug_return_bool(false); > } > > /* walk through values */ > - for (i = 0; val_array[i] != NULL && !foundbang; ++i) { > + for (i = 0; val_array[i] != NULL && matched != false; ++i) { > + bool foundbang = false; > + > val = val_array[i]; > sudo_debug_printf(SUDO_DEBUG_DEBUG, "val[%d]=%s", i, val); > > @@ -775,16 +776,18 @@ > if (strcmp(val, "ALL") == 0 || addr_matches(val) || > netgr_matches(val, handle->host, handle->shost, > def_netgroup_tuple ? handle->pw->pw_name : NULL) || > - hostname_matches(handle->shost, handle->host, val)) > - ret = !foundbang; > + hostname_matches(handle->shost, handle->host, val)) { > > - sudo_debug_printf(SUDO_DEBUG_INFO, > - "sssd/ldap sudoHost '%s' ... %s", val, ret ? "MATCH!" : "not"); > + matched = foundbang ? false : true; > + } > + > + sudo_debug_printf(SUDO_DEBUG_INFO, "sssd/ldap sudoHost '%s' ... %s", > + val, matched == true ? "MATCH!" : "not"); > } > > handle->fn_free_values(val_array); > > - debug_return_bool(ret); > + debug_return_bool(matched == true); > } > > /* -- "You don't become great by trying to be great, you become great by wanting to do something, and then doing it so hard that you become great in the process." - xkcd #896
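Review bot: in the first ldap.c hunk (sudo_ldap_check_host, @@ -721), the actual bug fix is moving `bool foundbang = false;` inside the loop body so it is reset for every sudoHost value; declared outside the loop as before, the `!foundbang` loop condition ended the scan at the first negated entry whether it matched or not, so every host listed after it was never examined. `int matched = UNSPEC;` now carries three states that `matched != false` in the loop condition and `matched == true` at the return both depend on, so a one-line comment at the declaration (UNSPEC: nothing decided yet; false: a negated entry matched, which is final; true: a positive match that a later negated entry may still override) would stop the next reader from "simplifying" it back to a bool and reintroducing the problem.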
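Review bot: the DPRINTF2 in the second ldap.c hunk (@@ -746) reports the cumulative `matched` state rather than whether the current value matched: with sudoHost values `ALL` followed by `!other` on a host that is not `other`, the second iteration logs "ldap sudoHost '!other' ... MATCH!" even though the negated entry did not match. Recording the per-value result in a local bool, logging that, and only then folding it into `matched` would make the debug trace usable for exactly the kind of host-matching problem this thread is about. Minor: `matched = foundbang ? false : true;` reads more simply as `matched = !foundbang;`, and the blank line directly after the opening brace of the if-block can go.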
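Review bot: the first sssd.c hunk (sudo_sss_check_host, @@ -741) reproduces the ldap.c change line for line (`int matched = UNSPEC;`, `foundbang` moved into the loop, `matched != false` as the loop condition), and the bug existed identically in both files because the walk over sudoHost values is duplicated between the LDAP and SSSD back ends. Factoring that loop into one shared helper that takes the host, short host and pw_name it needs would mean a future fix to this access-gating check lands in one place and the two back ends cannot drift apart again.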
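Review bot: the sudo_debug_printf in the last sssd.c hunk (@@ -775) has the same per-value versus cumulative confusion as the ldap.c debug line: it prints `matched == true` for the current `val`, so a non-matching negated entry that follows a positive match is logged as "MATCH!". Separately, the patch touches only ldap.c and sssd.c and carries no regression test for the case reported in this thread (a negated sudoHost entry followed by a host that should match); a test pinning both orderings, `!other` before the real host and after it, plus `ALL` followed by `!thishost`, would document the intended semantics that a matching negated entry always wins regardless of position.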
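The failure Todd describes above ("any hosts found after a negated host would fail to match"), as an added example that is not sudo's own code: a minimal C model of the sudoHost loop before and after the patch, where host_matches() is a constructed stand-in for sudo's addr_matches/netgr_matches/hostname_matches chain and the '!' handling (set foundbang, skip the '!') is assumed from the context the hunk elides.

```c
/* Added example, not sudo's own code: a minimal model of the sudoHost loop
 * in plugins/sudoers/ldap.c before and after the patch. host_matches() is a
 * constructed stand-in; the '!' handling is assumed from elided context. */
#include <stdbool.h>
#include <string.h>

#define UNSPEC (-1)   /* third state for 'matched': no entry decided yet */
/* Stand-in matcher: the literal "ALL" or an exact host name. */
static bool host_matches(const char *val, const char *myhost)
{
    return strcmp(val, "ALL") == 0 || strcmp(val, myhost) == 0;
}

/* Pre-patch logic: foundbang lives outside the loop, so the first '!' entry,
 * matching or not, ends the scan and every host listed after it is skipped. */
bool check_host_old(const char *const *vals, const char *myhost)
{
    bool ret = false;
    bool foundbang = false;
    for (const char *const *p = vals; *p != NULL && !foundbang; p++) {
        const char *val = *p;
        if (*val == '!') {
            foundbang = true;
            val++;
        }
        if (host_matches(val, myhost))
            ret = !foundbang;
    }
    return ret;
}

/* Post-patch logic: foundbang is reset per value; a matching negated entry is
 * final (false), a positive match keeps scanning so a later '!' can veto it. */
bool check_host_new(const char *const *vals, const char *myhost)
{
    int matched = UNSPEC;
    for (const char *const *p = vals; *p != NULL && matched != false; p++) {
        bool foundbang = false;
        const char *val = *p;
        if (*val == '!') {
            foundbang = true;
            val++;
        }
        if (host_matches(val, myhost))
            matched = foundbang ? false : true;
    }
    return matched == true;
}
```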
