diff -up sudo-1.8.6p3/plugins/sudoers/sssd.c.sssdfixes sudo-1.8.6p3/plugins/sudoers/sssd.c

--- sudo-1.8.6p3/plugins/sudoers/sssd.c.sssdfixes	2013-08-13 15:20:39.558187669 +0200

+++ sudo-1.8.6p3/plugins/sudoers/sssd.c	2013-08-13 16:24:27.209064162 +0200

@@ -534,30 +534,31 @@ sudo_sss_check_runas_group(struct sudo_s

  * Walk through search results and return true if we have a runas match,

  * else false.  RunAs info is optional.

  */

-static int

+static bool

 sudo_sss_check_runas(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)

 {

-    int ret;

+    bool ret;

     debug_decl(sudo_sss_check_runas, SUDO_DEBUG_SSSD);

     if (rule == NULL)

-	 debug_return_int(false);

+	 debug_return_bool(false);

     ret = sudo_sss_check_runas_user(handle, rule) != false &&

 	 sudo_sss_check_runas_group(handle, rule) != false;

-    debug_return_int(ret);

+    debug_return_bool(ret);

 }

-static int

+static bool

 sudo_sss_check_host(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)

 {

     char **val_array, *val;

-    int ret = false, i;

+    bool ret = false;

+    int i;

     debug_decl(sudo_sss_check_host, SUDO_DEBUG_SSSD);

     if (rule == NULL)

-	debug_return_int(ret);

+	debug_return_bool(ret);

     /* get the values from the rule */

     switch (handle->fn_get_values(rule, "sudoHost", &val_array))

@@ -566,10 +567,10 @@ sudo_sss_check_host(struct sudo_sss_hand

 	break;

     case ENOENT:

 	sudo_debug_printf(SUDO_DEBUG_INFO, "No result.");

-	debug_return_int(false);

+	debug_return_bool(false);

     default:

 	sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoHost): != 0");

-	debug_return_int(ret);

+	debug_return_bool(ret);

     }

     /* walk through values */

@@ -589,7 +590,52 @@ sudo_sss_check_host(struct sudo_sss_hand

     handle->fn_free_values(val_array);

-    debug_return_int(ret);

+    debug_return_bool(ret);

+}

+

+/*

+ * Look for netgroup specifcations in the sudoUser attribute and

+ * if found, filter according to netgroup membership.

+ *  returns:

+ *   true -> netgroup spec found && negroup member

+ *  false -> netgroup spec found && not a meber of netgroup

+ *   true -> netgroup spec not found (filtered by SSSD already, netgroups are an exception)

+ */

+bool sudo_sss_filter_user_netgroup(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)

+{

+	bool ret = false, netgroup_spec_found = false;

+	char **val_array, *val;

+	int i;

+	debug_decl(sudo_sss_check_user_netgroup, SUDO_DEBUG_SSSD);

+

+	if (!handle || !rule)

+		debug_return_bool(ret);

+

+	switch (handle->fn_get_values(rule, "sudoUser", &val_array)) {

+		case 0:

+			break;

+		case ENOENT:

+			sudo_debug_printf(SUDO_DEBUG_INFO, "No result.");

+			debug_return_bool(ret);

+		default:

+			sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoUser): != 0");

+			debug_return_bool(ret);

+	}

+

+	for (i = 0; val_array[i] != NULL && !ret; ++i) {

+		val = val_array[i];

+		if (*val == '+') {

+			netgroup_spec_found = true;

+		}

+		sudo_debug_printf(SUDO_DEBUG_DEBUG, "val[%d]=%s", i, val);

+		if (strcmp(val, "ALL") == 0 || netgr_matches(val, NULL, NULL, user_name)) {

+			ret = true;

+			sudo_debug_printf(SUDO_DEBUG_DIAG,

+			                  "sssd/ldap sudoUser '%s' ... MATCH! (%s)", val, user_name);

+		}

+	}

+	handle->fn_free_values(val_array);

+	debug_return_bool(netgroup_spec_found ? ret : true);

 }

 static int

@@ -599,7 +645,8 @@ sudo_sss_result_filterp(struct sudo_sss_

     (void)unused;

     debug_decl(sudo_sss_result_filterp, SUDO_DEBUG_SSSD);

-    if (sudo_sss_check_host(handle, rule))

+    if (sudo_sss_check_host(handle, rule) &&

+        sudo_sss_filter_user_netgroup(handle, rule))

 	debug_return_int(1);

     else

 	debug_return_int(0);