diff -up sudo-1.8.6p3/plugins/sudoers/sssd.c.netgrfilterfix sudo-1.8.6p3/plugins/sudoers/sssd.c

--- sudo-1.8.6p3/plugins/sudoers/sssd.c.netgrfilterfix	2014-07-30 13:29:47.713823996 +0200

+++ sudo-1.8.6p3/plugins/sudoers/sssd.c	2014-07-30 13:30:08.917436088 +0200

@@ -614,16 +615,13 @@ sudo_sss_check_host(struct sudo_sss_hand

 }

 /*

- * Look for netgroup specifcations in the sudoUser attribute and

- * if found, filter according to netgroup membership.

- *  returns:

- *   true -> netgroup spec found && negroup member

- *  false -> netgroup spec found && not a meber of netgroup

- *   true -> netgroup spec not found (filtered by SSSD already, netgroups are an exception)

+ * SSSD doesn't handle netgroups, we have to ensure they are correctly filtered

+ * in sudo. The rules may contain mixed sudoUser specification so we have to check

+ * not only for netgroup membership but also for user and group matches.

  */

-bool sudo_sss_filter_user_netgroup(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)

+bool sudo_sss_filter_sudoUser(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)

 {

-	bool ret = false, netgroup_spec_found = false;

+	bool ret = false;

 	char **val_array, *val;

 	int i;

 	debug_decl(sudo_sss_check_user_netgroup, SUDO_DEBUG_SSSD);

@@ -641,21 +639,48 @@ bool sudo_sss_filter_user_netgroup(struc

 			sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoUser): != 0");

 			debug_return_bool(ret);

 	}

-

+	/*

+	 * Scan sudoUser values and look for netgroup specs.

+	 * Netgroup-only rule specification should be filtered

+	 * out if the user isn't member of any specified netgroup.

+	 */

 	for (i = 0; val_array[i] != NULL && !ret; ++i) {

 		val = val_array[i];

-		if (*val == '+') {

-			netgroup_spec_found = true;

-		}

 		sudo_debug_printf(SUDO_DEBUG_DEBUG, "val[%d]=%s", i, val);

-		if (strcmp(val, "ALL") == 0 || netgr_matches(val, NULL, NULL, user_name)) {

-			ret = true;

-			sudo_debug_printf(SUDO_DEBUG_DIAG,

-			                  "sssd/ldap sudoUser '%s' ... MATCH! (%s)", val, user_name);

+		if (*val == '+') {

+			/* Netgroup spec found, check netgroup membership */

+			if (netgr_matches(val, NULL, NULL, handle->pw->pw_name)) {

+				ret = true;

+				sudo_debug_printf(SUDO_DEBUG_DIAG,

+						  "sssd/ldap sudoUser '%s' ... MATCH! (%s)", val, handle->pw->pw_name);

+			}

+		} else {

+			/*

+			 * Non-netgroup sudoUser value

+			 */

+			if (strcmp(val, "ALL") == 0) {

+				ret = true;

+			} else {

+				const char *match_val = (*val == '!' ? val + 1 : val);

+				const bool negated = (*val == '!' ? true : false);

+				const bool group_spec = (*match_val == '%' ? true : false);

+

+				if (group_spec) {

+					if (usergr_matches(match_val,

+							   handle->pw->pw_name, handle->pw)) {

+						ret = !negated;

+					}

+				} else {

+					if (userpw_matches(match_val,

+							   handle->pw->pw_name, handle->pw)) {

+						ret = !negated;

+					}

+				}

+			}

 		}

 	}

 	handle->fn_free_values(val_array);

-	debug_return_bool(netgroup_spec_found ? ret : true);

+	debug_return_bool(ret);

 }

 static int

@@ -666,7 +691,7 @@ sudo_sss_result_filterp(struct sudo_sss_

     debug_decl(sudo_sss_result_filterp, SUDO_DEBUG_SSSD);

     if (sudo_sss_check_host(handle, rule) &&

-        sudo_sss_filter_user_netgroup(handle, rule))

+        sudo_sss_filter_sudoUser(handle, rule))

 	debug_return_int(1);

     else

 	debug_return_int(0);