diff -up sudo-1.8.6p7/plugins/sudoers/defaults.c.netgroup_tuple sudo-1.8.6p7/plugins/sudoers/defaults.c
--- sudo-1.8.6p7/plugins/sudoers/defaults.c.netgroup_tuple	2016-05-09 15:34:41.059246583 +0200
+++ sudo-1.8.6p7/plugins/sudoers/defaults.c	2016-05-09 15:34:41.066246485 +0200
@@ -362,6 +362,7 @@ init_defaults(void)
     }
 
     /* First initialize the flags. */
+    def_netgroup_tuple = false;
     def_legacy_group_processing = true;
 #ifdef LONG_OTP_PROMPT
     def_long_otp_prompt = true;
diff -up sudo-1.8.6p7/plugins/sudoers/def_data.c.netgroup_tuple sudo-1.8.6p7/plugins/sudoers/def_data.c
--- sudo-1.8.6p7/plugins/sudoers/def_data.c.netgroup_tuple	2016-05-09 15:34:41.059246583 +0200
+++ sudo-1.8.6p7/plugins/sudoers/def_data.c	2016-05-09 15:34:41.066246485 +0200
@@ -359,6 +359,10 @@ struct sudo_defs_types sudo_defs_table[]
 	N_("Don't pre-resolve all group names"),
 	NULL,
     }, {
+	"netgroup_tuple", T_FLAG,
+	N_("Use both user and host/domain fields when matching netgroups"),
+	NULL,
+    }, {
 	NULL, 0, NULL
     }
 };
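Review bot: The `sudo_defs_table[]` entry added here and the `sudo_defs_table[84]` index in the def_data.h hunk are coupled purely by position, and both files appear to be generated tables (the `I_...` numbering is strictly sequential); if the definitions source they are produced from is not patched as well — it is not part of this diff — a regeneration would silently drop `netgroup_tuple` and `def_netgroup_tuple` would read whatever slot 84 then holds. A short comment on the new entry, `/* position must match I_NETGROUP_TUPLE (84) in def_data.h */`, would at least make the coupling visible to the next person editing the table. The table's declaration starts outside this hunk.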
diff -up sudo-1.8.6p7/plugins/sudoers/def_data.h.netgroup_tuple sudo-1.8.6p7/plugins/sudoers/def_data.h
--- sudo-1.8.6p7/plugins/sudoers/def_data.h.netgroup_tuple	2016-05-09 15:34:41.059246583 +0200
+++ sudo-1.8.6p7/plugins/sudoers/def_data.h	2016-05-09 15:34:41.066246485 +0200
@@ -166,6 +166,8 @@
 #define I_CMND_NO_WAIT          82
 #define def_legacy_group_processing (sudo_defs_table[83].sd_un.flag)
 #define I_LEGACY_GROUP_PROCESSING 83
+#define def_netgroup_tuple      (sudo_defs_table[84].sd_un.flag)
+#define I_NETGROUP_TUPLE        84
 
 enum def_tuple {
 	never,
diff -up sudo-1.8.6p7/plugins/sudoers/ldap.c.netgroup_tuple sudo-1.8.6p7/plugins/sudoers/ldap.c
--- sudo-1.8.6p7/plugins/sudoers/ldap.c.netgroup_tuple	2016-05-09 15:34:41.065246499 +0200
+++ sudo-1.8.6p7/plugins/sudoers/ldap.c	2016-05-09 15:34:41.066246485 +0200
@@ -636,8 +636,12 @@ sudo_ldap_check_user_netgroup(LDAP *ld,
     for (p = bv; *p != NULL && !ret; p++) {
 	val = (*p)->bv_val;
 	/* match any */
-	if (netgr_matches(val, NULL, NULL, user))
-	    ret = true;
+	if (netgr_matches(val,
+        def_netgroup_tuple ? user_host : NULL,
+        def_netgroup_tuple ? user_shost : NULL,
+        user)) {
+    ret = true;
+  }
 	DPRINTF(("ldap sudoUser netgroup '%s' ... %s", val,
 	    ret ? "MATCH!" : "not"), 2 + ((ret) ? 0 : 1));
     }
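Review bot: The replacement call at `if (netgr_matches(val,` is indented with spaces at a depth that ignores the tab-indented surrounding code — `ret = true;` lands at four columns and the closing brace at two — and the same mix recurs in the runas hunk below, in match.c userlist_matches (which also gains a trailing space after `m->name,`) and runaslist_matches, and in sssd.c sudo_sss_check_runas_user and sudo_sss_filter_sudoUser. The `def_netgroup_tuple ? user_host : NULL, def_netgroup_tuple ? user_shost : NULL` pair is also copied verbatim at each of those sites; a site that is missed, or added later without it, silently keeps the user-only match, which accepts a superset of what the tuple match accepts, so a single helper beside netgr_matches, exported through the same header, would keep the policy in one place. The existing `/* match any */` comment no longer describes the call; `/* user matches; host/domain too when netgroup_tuple is set */` would. sudo_ldap_check_user_netgroup's opening is outside this hunk.
```c
/* User-side netgroup check: host fields take part only when netgroup_tuple is set. */
static bool
netgr_matches_user(const char *netgr, const char *user)
{
    return netgr_matches(netgr,
	def_netgroup_tuple ? user_host : NULL,
	def_netgroup_tuple ? user_shost : NULL,
	user);
}

/* … unchanged: sudo_ldap_check_user_netgroup loop header … */
	if (netgr_matches_user(val, user)) {
	    ret = true;
	}
```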
@@ -652,7 +656,7 @@ sudo_ldap_check_user_netgroup(LDAP *ld,
 * host match, else false.
 */
 static bool
-sudo_ldap_check_host(LDAP *ld, LDAPMessage *entry)
+sudo_ldap_check_host(LDAP *ld, LDAPMessage *entry, char *user)
 {
     struct berval **bv, **p;
     char *val;
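Review bot: The new `user` parameter on sudo_ldap_check_host is declared `char *` although the function only hands it to netgr_matches as the user field (see the next hunk), so `const char *user` is the right qualifier, assuming netgr_matches takes it as const like its other string arguments; the same applies to sudo_sss_ipa_hostname_matches in the sssd.c hunk. The function's header comment, whose tail `host match, else false.` is visible just above the signature, should also say what the argument is for: `user is consulted only when netgroup_tuple is set, in which case a netgroup host entry must match (host, user) together rather than the host alone.` The remainder of sudo_ldap_check_host is outside this hunk.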
@@ -672,7 +676,7 @@ sudo_ldap_check_host(LDAP *ld, LDAPMessa
 	val = (*p)->bv_val;
 	/* match any or address or netgroup or hostname */
 	if (!strcmp(val, "ALL") || addr_matches(val) ||
-	    netgr_matches(val, user_host, user_shost, NULL) ||
+	    netgr_matches(val, user_host, user_shost, def_netgroup_tuple ? user : NULL) ||
 	    hostname_matches(user_shost, user_host, val))
 	    ret = true;
 	DPRINTF(("ldap sudoHost '%s' ... %s", val,
@@ -729,7 +733,10 @@ sudo_ldap_check_runas_user(LDAP *ld, LDA
 	val = (*p)->bv_val;
 	switch (val[0]) {
 	case '+':
-	    if (netgr_matches(val, NULL, NULL, runas_pw->pw_name))
+	    if (netgr_matches(val,
+            def_netgroup_tuple ? user_host : NULL,
+            def_netgroup_tuple ? user_shost : NULL,
+            runas_pw->pw_name))
 		ret = true;
 	    break;
 	case '%':
@@ -2755,13 +2762,13 @@ sudo_ldap_result_get(struct sudo_nss *ns
 	    LDAP_FOREACH(entry, ld, result) {
 	      if (do_netgr) {
 		if (sudo_ldap_check_user_netgroup(ld, entry, pw->pw_name) &&
-		    sudo_ldap_check_host(ld, entry)) {
+		    sudo_ldap_check_host(ld, entry, pw->pw_name)) {
 		  lres->host_matches = true;
 		  lres->user_matches = true;
 		  sudo_ldap_result_add_entry(lres, entry);
 		}
 	      } else {
-		if (sudo_ldap_check_host(ld, entry)) {
+		if (sudo_ldap_check_host(ld, entry, pw->pw_name)) {
 		  lres->host_matches = true;
 		  sudo_ldap_result_add_entry(lres, entry);
 		}
diff -up sudo-1.8.6p7/plugins/sudoers/match.c.netgroup_tuple sudo-1.8.6p7/plugins/sudoers/match.c
--- sudo-1.8.6p7/plugins/sudoers/match.c.netgroup_tuple	2016-05-09 15:34:41.062246541 +0200
+++ sudo-1.8.6p7/plugins/sudoers/match.c	2016-05-09 15:34:41.067246471 +0200
@@ -117,7 +117,10 @@ userlist_matches(struct passwd *pw, stru
 		matched = !m->negated;
 		break;
 	    case NETGROUP:
-		if (netgr_matches(m->name, NULL, NULL, pw->pw_name))
+		if (netgr_matches(m->name, 
+          def_netgroup_tuple ? user_host : NULL,
+          def_netgroup_tuple ? user_shost : NULL,
+          pw->pw_name))
 		    matched = !m->negated;
 		break;
 	    case USERGROUP:
@@ -172,7 +175,10 @@ runaslist_matches(struct member_list *us
 		    user_matched = !m->negated;
 		    break;
 		case NETGROUP:
-		    if (netgr_matches(m->name, NULL, NULL, runas_pw->pw_name))
+		    if (netgr_matches(m->name,
+              def_netgroup_tuple ? user_host : NULL,
+              def_netgroup_tuple ? user_shost : NULL,
+              runas_pw->pw_name))
 			user_matched = !m->negated;
 		    break;
 		case USERGROUP:
@@ -269,7 +275,7 @@ hostlist_matches(struct member_list *lis
 		matched = !m->negated;
 		break;
 	    case NETGROUP:
-		if (netgr_matches(m->name, user_host, user_shost, NULL))
+		if (netgr_matches(m->name, user_host, user_shost, def_netgroup_tuple ? user_name : NULL))
 		    matched = !m->negated;
 		break;
 	    case NTWKADDR:
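Review bot: hostlist_matches fills the tuple's user field from the global `user_name`, while the ldap and sssd host checks in this same patch thread `pw->pw_name` through a parameter; if hostlist_matches can be reached for a password entry other than the invoking user (not visible here), the host netgroup would then be evaluated against a different user than the user-list check used. The new line also runs past 80 columns in a file that otherwise wraps; splitting it as `netgr_matches(m->name, user_host, user_shost,` / `def_netgroup_tuple ? user_name : NULL))` keeps the alignment of the neighbouring cases. hostlist_matches's signature is outside this hunk.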
diff -up sudo-1.8.6p7/plugins/sudoers/sssd.c.netgroup_tuple sudo-1.8.6p7/plugins/sudoers/sssd.c
--- sudo-1.8.6p7/plugins/sudoers/sssd.c.netgroup_tuple	2016-05-09 15:34:41.056246625 +0200
+++ sudo-1.8.6p7/plugins/sudoers/sssd.c	2016-05-09 15:34:41.067246471 +0200
@@ -452,7 +452,10 @@ sudo_sss_check_runas_user(struct sudo_ss
 	switch (val[0]) {
 	case '+':
 	    sudo_debug_printf(SUDO_DEBUG_DEBUG, "netgr_");
-	    if (netgr_matches(val, NULL, NULL, runas_pw->pw_name)) {
+	    if (netgr_matches(val,
+            def_netgroup_tuple ? user_host : NULL,
+            def_netgroup_tuple ? user_shost : NULL,
+            runas_pw->pw_name)) {
 		sudo_debug_printf(SUDO_DEBUG_DEBUG, "=> match");
 		ret = true;
 	    }
@@ -551,7 +554,7 @@ sudo_sss_check_runas(struct sudo_sss_han
     debug_return_bool(ret);
 }
 
-static bool sudo_sss_ipa_hostname_matches(const char *hostname_val)
+static bool sudo_sss_ipa_hostname_matches(const char *hostname_val, char *user)
 {
 	bool ret = false;
 	char *ipa_hostname_val;
@@ -559,7 +562,7 @@ static bool sudo_sss_ipa_hostname_matche
 
 	if ((ipa_hostname_val = ipa_hostname()) != NULL) {
 		ret = hostname_matches(ipa_hostname_val, ipa_hostname_val, hostname_val) || \
-		      netgr_matches(hostname_val, ipa_hostname_val, ipa_hostname_val, NULL);
+		      netgr_matches(hostname_val, ipa_hostname_val, ipa_hostname_val, def_netgroup_tuple ? user : NULL);
 	}
 
 	sudo_debug_printf(SUDO_DEBUG_TRACE, "IPA hostname (%s) matches %s => %s",
@@ -600,8 +603,9 @@ sudo_sss_check_host(struct sudo_sss_hand
 
 	/* match any or address or netgroup or hostname */
 	if (!strcmp(val, "ALL") || addr_matches(val) ||
-	    sudo_sss_ipa_hostname_matches(val) ||
-	    netgr_matches(val, user_host, user_shost, NULL) ||
+	    sudo_sss_ipa_hostname_matches(val, handle->pw->pw_name) ||
+	    netgr_matches(val, user_host, user_shost,
+	       def_netgroup_tuple ? handle->pw->pw_name : NULL) ||
 	    hostname_matches(user_shost, user_host, val))
 	    ret = true;
 
@@ -649,7 +653,10 @@ bool sudo_sss_filter_sudoUser(struct sud
 		sudo_debug_printf(SUDO_DEBUG_DEBUG, "val[%d]=%s", i, val);
 		if (*val == '+') {
 			/* Netgroup spec found, check netgroup membership */
-			if (netgr_matches(val, NULL, NULL, handle->pw->pw_name)) {
+			if (netgr_matches(val,
+						def_netgroup_tuple ? user_host : NULL,
+						def_netgroup_tuple ? user_shost : NULL,
+						handle->pw->pw_name)) {
 				ret = true;
 				sudo_debug_printf(SUDO_DEBUG_DIAG,
 						  "sssd/ldap sudoUser '%s' ... MATCH! (%s)", val, handle->pw->pw_name);