From 1f37620953699fe71b09760fe01e33eb6ada771c Mon Sep 17 00:00:00 2001
From: "Todd C. Miller" <Todd.Miller@courtesan.com>
Date: Wed, 15 Nov 2017 12:27:39 -0700
Subject: [PATCH] When checking the results for "sudo -l" and "sudo -v", keep
checking even after we get a match since the value of doauth may depend on
evaluating all the results. From Radovan Sroka of RedHat.
In list (-l) or verify (-v) mode, if we have a match but authentication
is required, clear FLAG_NOPASSWD so that when listpw/verifypw is
set to "all" and there are multiple sudoers sources a password will
be required unless none of the entries in all sources require
authentication. From Radovan Sroka of RedHat
Avoid calling cmnd_matches() in list/verify mode if we already have
a match.
---
plugins/sudoers/ldap.c | 5 ++++-
plugins/sudoers/parse.c | 10 +++++++---
plugins/sudoers/sssd.c | 5 ++++-
3 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/plugins/sudoers/ldap.c b/plugins/sudoers/ldap.c
index 46309cba..c5c18360 100644
--- a/plugins/sudoers/ldap.c
+++ b/plugins/sudoers/ldap.c
@@ -3320,12 +3320,13 @@ sudo_ldap_lookup(struct sudo_nss *nss, int ret, int pwflag)
(pwcheck == all && doauth != true)) {
doauth = !!sudo_ldap_check_bool(ld, entry, "authenticate");
}
+ if (matched == true)
+ continue;
/* Only check the command when listing another user. */
if (user_uid == 0 || list_pw == NULL ||
user_uid == list_pw->pw_uid ||
sudo_ldap_check_command(ld, entry, NULL) == true) {
matched = true;
- break;
}
}
if (matched == true || user_uid == 0) {
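Review bot: The added `if (matched == true) continue;` has no comment explaining why the loop now runs to the end instead of breaking on the first match, and the reason given in the commit message (doauth has to be folded over every entry) is not visible anywhere in the code. I would put `/* Keep iterating after a match so doauth accounts for every entry. */` directly above it. The same uncommented `continue` is added in sssd.c, and parse.c adds the equivalent `if (match == ALLOW) continue;` before its command check. The entry loop and sudo_ldap_lookup itself begin and end outside this hunk.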
@@ -3339,6 +3340,8 @@ sudo_ldap_lookup(struct sudo_nss *nss, int ret, int pwflag)
case any:
if (doauth == false)
SET(ret, FLAG_NOPASSWD);
+ else
+ CLR(ret, FLAG_NOPASSWD);
break;
default:
break;
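Review bot: The `else CLR(ret, FLAG_NOPASSWD);` added under `case any:` discards a FLAG_NOPASSWD that `ret` may already carry in from an earlier sudoers source, so with listpw/verifypw=any a NOPASSWD entry found by a previous backend apparently stops sufficing as soon as this backend's matching entries all leave doauth true; the commit message motivates the clear with the `all` setting, and under `any` this seems to make the outcome depend on source order. Whether `case all:` falls through into this label is outside the hunk, so I cannot tell from here whether `all` mode receives the clear at all. If the override is meant for `all` only, the `else CLR(...)` belongs in that branch; if it is intended for both, a comment such as `/* A later source overrides NOPASSWD inherited from an earlier one. */` above the `else` would record that decision. The same construct is added in sssd.c under `case any:` and in parse.c as `else CLR(validated, FLAG_NOPASSWD);`. sudo_ldap_lookup starts and ends outside this hunk.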
diff --git a/plugins/sudoers/parse.c b/plugins/sudoers/parse.c
index 749a3eb2..a12e88c5 100644
--- a/plugins/sudoers/parse.c
+++ b/plugins/sudoers/parse.c
@@ -182,14 +182,16 @@ sudo_file_lookup(struct sudo_nss *nss, int validated, int pwflag)
if (hostlist_matches(sudo_user.pw, &priv->hostlist) != ALLOW)
continue;
TAILQ_FOREACH(cs, &priv->cmndlist, entries) {
+ if ((pwcheck == any && cs->tags.nopasswd == true) ||
+ (pwcheck == all && cs->tags.nopasswd != true))
+ nopass = cs->tags.nopasswd;
+ if (match == ALLOW)
+ continue;
/* Only check the command when listing another user. */
if (user_uid == 0 || list_pw == NULL ||
user_uid == list_pw->pw_uid ||
cmnd_matches(cs->cmnd) == ALLOW)
match = ALLOW;
- if ((pwcheck == any && cs->tags.nopasswd == true) ||
- (pwcheck == all && cs->tags.nopasswd != true))
- nopass = cs->tags.nopasswd;
}
}
}
@@ -202,6 +204,8 @@ sudo_file_lookup(struct sudo_nss *nss, int validated, int pwflag)
SET(validated, FLAG_CHECK_USER);
else if (nopass == true)
SET(validated, FLAG_NOPASSWD);
+ else
+ CLR(validated, FLAG_NOPASSWD);
debug_return_int(validated);
}
|
diff --git a/plugins/sudoers/sssd.c b/plugins/sudoers/sssd.c
index 65b4d875..09ca9fee 100644
--- a/plugins/sudoers/sssd.c
+++ b/plugins/sudoers/sssd.c
@@ -1321,12 +1321,13 @@ sudo_sss_lookup(struct sudo_nss *nss, int ret, int pwflag)
(pwcheck == all && doauth != true)) {
doauth = !!sudo_sss_check_bool(handle, rule, "authenticate");
}
+ if (matched == true)
+ continue;
/* Only check the command when listing another user. */
if (user_uid == 0 || list_pw == NULL ||
user_uid == list_pw->pw_uid ||
sudo_sss_check_command(handle, rule, NULL) == true) {
matched = true;
- break;
}
}
}
@@ -1341,6 +1342,8 @@ sudo_sss_lookup(struct sudo_nss *nss, int ret, int pwflag)
case any:
if (doauth == false)
SET(ret, FLAG_NOPASSWD);
+ else
+ CLR(ret, FLAG_NOPASSWD);
break;
default:
break;
--
2.14.3