|
 |
a67eaf |
diff -up sudo-1.8.6p7/plugins/sudoers/defaults.c.netgroup_tuple sudo-1.8.6p7/plugins/sudoers/defaults.c
|
|
|
a67eaf |
--- sudo-1.8.6p7/plugins/sudoers/defaults.c.netgroup_tuple 2016-05-09 15:34:41.059246583 +0200
|
|
|
a67eaf |
+++ sudo-1.8.6p7/plugins/sudoers/defaults.c 2016-05-09 15:34:41.066246485 +0200
|
|
|
a67eaf |
@@ -362,6 +362,7 @@ init_defaults(void)
|
|
|
a67eaf |
}
|
|
|
a67eaf |
|
|
|
a67eaf |
/* First initialize the flags. */
|
|
|
a67eaf |
+ def_netgroup_tuple = false;
|
|
|
a67eaf |
def_legacy_group_processing = true;
|
|
|
a67eaf |
#ifdef LONG_OTP_PROMPT
|
|
|
a67eaf |
def_long_otp_prompt = true;
|
|
|
a67eaf |
diff -up sudo-1.8.6p7/plugins/sudoers/def_data.c.netgroup_tuple sudo-1.8.6p7/plugins/sudoers/def_data.c
|
|
|
a67eaf |
--- sudo-1.8.6p7/plugins/sudoers/def_data.c.netgroup_tuple 2016-05-09 15:34:41.059246583 +0200
|
|
|
a67eaf |
+++ sudo-1.8.6p7/plugins/sudoers/def_data.c 2016-05-09 15:34:41.066246485 +0200
|
|
|
a67eaf |
@@ -359,6 +359,10 @@ struct sudo_defs_types sudo_defs_table[]
|
|
|
a67eaf |
N_("Don't pre-resolve all group names"),
|
|
|
a67eaf |
NULL,
|
|
|
a67eaf |
}, {
|
|
|
a67eaf |
+ "netgroup_tuple", T_FLAG,
|
|
|
a67eaf |
+ N_("Use both user and host/domain fields when matching netgroups"),
|
|
|
a67eaf |
+ NULL,
|
|
|
a67eaf |
+ }, {
|
|
|
a67eaf |
NULL, 0, NULL
|
|
|
a67eaf |
}
|
|
|
a67eaf |
};
|
|
|
a67eaf |
diff -up sudo-1.8.6p7/plugins/sudoers/def_data.h.netgroup_tuple sudo-1.8.6p7/plugins/sudoers/def_data.h
|
|
|
a67eaf |
--- sudo-1.8.6p7/plugins/sudoers/def_data.h.netgroup_tuple 2016-05-09 15:34:41.059246583 +0200
|
|
|
a67eaf |
+++ sudo-1.8.6p7/plugins/sudoers/def_data.h 2016-05-09 15:34:41.066246485 +0200
|
|
|
a67eaf |
@@ -166,6 +166,8 @@
|
|
|
a67eaf |
#define I_CMND_NO_WAIT 82
|
|
|
a67eaf |
#define def_legacy_group_processing (sudo_defs_table[83].sd_un.flag)
|
|
|
a67eaf |
#define I_LEGACY_GROUP_PROCESSING 83
|
|
|
a67eaf |
+#define def_netgroup_tuple (sudo_defs_table[84].sd_un.flag)
|
|
|
a67eaf |
+#define I_NETGROUP_TUPLE 84
|
|
|
a67eaf |
|
|
|
a67eaf |
enum def_tuple {
|
|
|
a67eaf |
never,
|
|
|
a67eaf |
diff -up sudo-1.8.6p7/plugins/sudoers/ldap.c.netgroup_tuple sudo-1.8.6p7/plugins/sudoers/ldap.c
|
|
|
a67eaf |
--- sudo-1.8.6p7/plugins/sudoers/ldap.c.netgroup_tuple 2016-05-09 15:34:41.065246499 +0200
|
|
|
a67eaf |
+++ sudo-1.8.6p7/plugins/sudoers/ldap.c 2016-05-09 15:34:41.066246485 +0200
|
|
|
a67eaf |
@@ -636,8 +636,12 @@ sudo_ldap_check_user_netgroup(LDAP *ld,
|
|
|
a67eaf |
for (p = bv; *p != NULL && !ret; p++) {
|
|
|
a67eaf |
val = (*p)->bv_val;
|
|
|
a67eaf |
/* match any */
|
|
|
a67eaf |
- if (netgr_matches(val, NULL, NULL, user))
|
|
|
a67eaf |
- ret = true;
|
|
|
a67eaf |
+ if (netgr_matches(val,
|
|
|
a67eaf |
+ def_netgroup_tuple ? user_host : NULL,
|
|
|
a67eaf |
+ def_netgroup_tuple ? user_shost : NULL,
|
|
|
a67eaf |
+ user)) {
|
|
|
a67eaf |
+ ret = true;
|
|
|
a67eaf |
+ }
|
|
|
a67eaf |
DPRINTF(("ldap sudoUser netgroup '%s' ... %s", val,
|
|
|
a67eaf |
ret ? "MATCH!" : "not"), 2 + ((ret) ? 0 : 1));
|
|
|
a67eaf |
}
|
|
|
a67eaf |
@@ -652,7 +656,7 @@ sudo_ldap_check_user_netgroup(LDAP *ld,
|
|
|
a67eaf |
* host match, else false.
|
|
|
a67eaf |
*/
|
|
|
a67eaf |
static bool
|
|
|
a67eaf |
-sudo_ldap_check_host(LDAP *ld, LDAPMessage *entry)
|
|
|
a67eaf |
+sudo_ldap_check_host(LDAP *ld, LDAPMessage *entry, char *user)
|
|
|
a67eaf |
{
|
|
|
a67eaf |
struct berval **bv, **p;
|
|
|
a67eaf |
char *val;
|
|
|
a67eaf |
@@ -672,7 +676,7 @@ sudo_ldap_check_host(LDAP *ld, LDAPMessa
|
|
|
a67eaf |
val = (*p)->bv_val;
|
|
|
a67eaf |
/* match any or address or netgroup or hostname */
|
|
|
a67eaf |
if (!strcmp(val, "ALL") || addr_matches(val) ||
|
|
|
a67eaf |
- netgr_matches(val, user_host, user_shost, NULL) ||
|
|
|
a67eaf |
+ netgr_matches(val, user_host, user_shost, def_netgroup_tuple ? user : NULL) ||
|
|
|
a67eaf |
hostname_matches(user_shost, user_host, val))
|
|
|
a67eaf |
ret = true;
|
|
|
a67eaf |
DPRINTF(("ldap sudoHost '%s' ... %s", val,
|
|
|
a67eaf |
@@ -729,7 +733,10 @@ sudo_ldap_check_runas_user(LDAP *ld, LDA
|
|
|
a67eaf |
val = (*p)->bv_val;
|
|
|
a67eaf |
switch (val[0]) {
|
|
|
a67eaf |
case '+':
|
|
|
a67eaf |
- if (netgr_matches(val, NULL, NULL, runas_pw->pw_name))
|
|
|
a67eaf |
+ if (netgr_matches(val,
|
|
|
a67eaf |
+ def_netgroup_tuple ? user_host : NULL,
|
|
|
a67eaf |
+ def_netgroup_tuple ? user_shost : NULL,
|
|
|
a67eaf |
+ runas_pw->pw_name))
|
|
|
a67eaf |
ret = true;
|
|
|
a67eaf |
break;
|
|
|
a67eaf |
case '%':
|
|
|
a67eaf |
@@ -2755,13 +2762,13 @@ sudo_ldap_result_get(struct sudo_nss *ns
|
|
|
a67eaf |
LDAP_FOREACH(entry, ld, result) {
|
|
|
a67eaf |
if (do_netgr) {
|
|
|
a67eaf |
if (sudo_ldap_check_user_netgroup(ld, entry, pw->pw_name) &&
|
|
|
a67eaf |
- sudo_ldap_check_host(ld, entry)) {
|
|
|
a67eaf |
+ sudo_ldap_check_host(ld, entry, pw->pw_name)) {
|
|
|
a67eaf |
lres->host_matches = true;
|
|
|
a67eaf |
lres->user_matches = true;
|
|
|
a67eaf |
sudo_ldap_result_add_entry(lres, entry);
|
|
|
a67eaf |
}
|
|
|
a67eaf |
} else {
|
|
|
a67eaf |
- if (sudo_ldap_check_host(ld, entry)) {
|
|
|
a67eaf |
+ if (sudo_ldap_check_host(ld, entry, pw->pw_name)) {
|
|
|
a67eaf |
lres->host_matches = true;
|
|
|
a67eaf |
sudo_ldap_result_add_entry(lres, entry);
|
|
|
a67eaf |
}
|
|
|
a67eaf |
diff -up sudo-1.8.6p7/plugins/sudoers/match.c.netgroup_tuple sudo-1.8.6p7/plugins/sudoers/match.c
|
|
|
a67eaf |
--- sudo-1.8.6p7/plugins/sudoers/match.c.netgroup_tuple 2016-05-09 15:34:41.062246541 +0200
|
|
|
a67eaf |
+++ sudo-1.8.6p7/plugins/sudoers/match.c 2016-05-09 15:34:41.067246471 +0200
|
|
|
a67eaf |
@@ -117,7 +117,10 @@ userlist_matches(struct passwd *pw, stru
|
|
|
a67eaf |
matched = !m->negated;
|
|
|
a67eaf |
break;
|
|
|
a67eaf |
case NETGROUP:
|
|
|
a67eaf |
- if (netgr_matches(m->name, NULL, NULL, pw->pw_name))
|
|
|
a67eaf |
+ if (netgr_matches(m->name,
|
|
|
a67eaf |
+ def_netgroup_tuple ? user_host : NULL,
|
|
|
a67eaf |
+ def_netgroup_tuple ? user_shost : NULL,
|
|
|
a67eaf |
+ pw->pw_name))
|
|
|
a67eaf |
matched = !m->negated;
|
|
|
a67eaf |
break;
|
|
|
a67eaf |
case USERGROUP:
|
|
|
a67eaf |
@@ -172,7 +175,10 @@ runaslist_matches(struct member_list *us
|
|
|
a67eaf |
user_matched = !m->negated;
|
|
|
a67eaf |
break;
|
|
|
a67eaf |
case NETGROUP:
|
|
|
a67eaf |
- if (netgr_matches(m->name, NULL, NULL, runas_pw->pw_name))
|
|
|
a67eaf |
+ if (netgr_matches(m->name,
|
|
|
a67eaf |
+ def_netgroup_tuple ? user_host : NULL,
|
|
|
a67eaf |
+ def_netgroup_tuple ? user_shost : NULL,
|
|
|
a67eaf |
+ runas_pw->pw_name))
|
|
|
a67eaf |
user_matched = !m->negated;
|
|
|
a67eaf |
break;
|
|
|
a67eaf |
case USERGROUP:
|
|
|
a67eaf |
@@ -269,7 +275,7 @@ hostlist_matches(struct member_list *lis
|
|
|
a67eaf |
matched = !m->negated;
|
|
|
a67eaf |
break;
|
|
|
a67eaf |
case NETGROUP:
|
|
|
a67eaf |
- if (netgr_matches(m->name, user_host, user_shost, NULL))
|
|
|
a67eaf |
+ if (netgr_matches(m->name, user_host, user_shost, def_netgroup_tuple ? user_name : NULL))
|
|
|
a67eaf |
matched = !m->negated;
|
|
|
a67eaf |
break;
|
|
|
a67eaf |
case NTWKADDR:
|
|
|
a67eaf |
diff -up sudo-1.8.6p7/plugins/sudoers/sssd.c.netgroup_tuple sudo-1.8.6p7/plugins/sudoers/sssd.c
|
|
|
a67eaf |
--- sudo-1.8.6p7/plugins/sudoers/sssd.c.netgroup_tuple 2016-05-09 15:34:41.056246625 +0200
|
|
|
a67eaf |
+++ sudo-1.8.6p7/plugins/sudoers/sssd.c 2016-05-09 15:34:41.067246471 +0200
|
|
|
a67eaf |
@@ -452,7 +452,10 @@ sudo_sss_check_runas_user(struct sudo_ss
|
|
|
a67eaf |
switch (val[0]) {
|
|
|
a67eaf |
case '+':
|
|
|
a67eaf |
sudo_debug_printf(SUDO_DEBUG_DEBUG, "netgr_");
|
|
|
a67eaf |
- if (netgr_matches(val, NULL, NULL, runas_pw->pw_name)) {
|
|
|
a67eaf |
+ if (netgr_matches(val,
|
|
|
a67eaf |
+ def_netgroup_tuple ? user_host : NULL,
|
|
|
a67eaf |
+ def_netgroup_tuple ? user_shost : NULL,
|
|
|
a67eaf |
+ runas_pw->pw_name)) {
|
|
|
a67eaf |
sudo_debug_printf(SUDO_DEBUG_DEBUG, "=> match");
|
|
|
a67eaf |
ret = true;
|
|
|
a67eaf |
}
|
|
|
a67eaf |
@@ -551,7 +554,7 @@ sudo_sss_check_runas(struct sudo_sss_han
|
|
|
a67eaf |
debug_return_bool(ret);
|
|
|
a67eaf |
}
|
|
|
a67eaf |
|
|
|
a67eaf |
-static bool sudo_sss_ipa_hostname_matches(const char *hostname_val)
|
|
|
a67eaf |
+static bool sudo_sss_ipa_hostname_matches(const char *hostname_val, char *user)
|
|
|
a67eaf |
{
|
|
|
a67eaf |
bool ret = false;
|
|
|
a67eaf |
char *ipa_hostname_val;
|
|
|
a67eaf |
@@ -559,7 +562,7 @@ static bool sudo_sss_ipa_hostname_matche
|
|
|
a67eaf |
|
|
|
a67eaf |
if ((ipa_hostname_val = ipa_hostname()) != NULL) {
|
|
|
a67eaf |
ret = hostname_matches(ipa_hostname_val, ipa_hostname_val, hostname_val) || \
|
|
|
a67eaf |
- netgr_matches(hostname_val, ipa_hostname_val, ipa_hostname_val, NULL);
|
|
|
a67eaf |
+ netgr_matches(hostname_val, ipa_hostname_val, ipa_hostname_val, def_netgroup_tuple ? user : NULL);
|
|
|
a67eaf |
}
|
|
|
a67eaf |
|
|
|
a67eaf |
sudo_debug_printf(SUDO_DEBUG_TRACE, "IPA hostname (%s) matches %s => %s",
|
|
|
a67eaf |
@@ -600,8 +603,9 @@ sudo_sss_check_host(struct sudo_sss_hand
|
|
|
a67eaf |
|
|
|
a67eaf |
/* match any or address or netgroup or hostname */
|
|
|
a67eaf |
if (!strcmp(val, "ALL") || addr_matches(val) ||
|
|
|
a67eaf |
- sudo_sss_ipa_hostname_matches(val) ||
|
|
|
a67eaf |
- netgr_matches(val, user_host, user_shost, NULL) ||
|
|
|
a67eaf |
+ sudo_sss_ipa_hostname_matches(val, handle->pw->pw_name) ||
|
|
|
a67eaf |
+ netgr_matches(val, user_host, user_shost,
|
|
|
a67eaf |
+ def_netgroup_tuple ? handle->pw->pw_name : NULL) ||
|
|
|
a67eaf |
hostname_matches(user_shost, user_host, val))
|
|
|
a67eaf |
ret = true;
|
|
|
a67eaf |
|
|
|
a67eaf |
@@ -649,7 +653,10 @@ bool sudo_sss_filter_sudoUser(struct sud
|
|
|
a67eaf |
sudo_debug_printf(SUDO_DEBUG_DEBUG, "val[%d]=%s", i, val);
|
|
|
a67eaf |
if (*val == '+') {
|
|
|
a67eaf |
/* Netgroup spec found, check netgroup membership */
|
|
|
a67eaf |
- if (netgr_matches(val, NULL, NULL, handle->pw->pw_name)) {
|
|
|
a67eaf |
+ if (netgr_matches(val,
|
|
|
a67eaf |
+ def_netgroup_tuple ? user_host : NULL,
|
|
|
a67eaf |
+ def_netgroup_tuple ? user_shost : NULL,
|
|
|
a67eaf |
+ handle->pw->pw_name)) {
|
|
|
a67eaf |
ret = true;
|
|
|
a67eaf |
sudo_debug_printf(SUDO_DEBUG_DIAG,
|
|
|
a67eaf |
"sssd/ldap sudoUser '%s' ... MATCH! (%s)", val, handle->pw->pw_name);
|