diff -up sudo-1.8.6p3/plugins/sudoers/match.c.netgrmatchtrace sudo-1.8.6p3/plugins/sudoers/match.c
--- sudo-1.8.6p3/plugins/sudoers/match.c.netgrmatchtrace 2013-08-12 14:42:56.498247674 +0200
+++ sudo-1.8.6p3/plugins/sudoers/match.c 2013-08-12 14:43:01.009264127 +0200
@@ -713,6 +713,10 @@ netgr_matches(char *netgr, char *lhost,
 #ifdef HAVE_GETDOMAINNAME
 static int initialized;
 #endif
+#ifdef HAVE_INNETGR
+ bool innetgr_lhost = false;
+ bool innetgr_shost = false;
+#endif
 debug_decl(netgr_matches, SUDO_DEBUG_MATCH)
 /* make sure we have a valid netgroup, sudo style */
@@ -733,9 +737,39 @@ netgr_matches(char *netgr, char *lhost,
 #ifdef HAVE_INNETGR
 if (innetgr(netgr, lhost, user, domain))
- debug_return_bool(true);
+ innetgr_lhost = true;
 else if (lhost != shost && innetgr(netgr, shost, user, domain))
- debug_return_bool(true);
+ innetgr_shost = true;
+
+ if (innetgr_lhost) {
+ sudo_debug_printf(SUDO_DEBUG_TRACE,
+ "(%s, %s, %s) found in netgroup %s\n",
+ shost ? shost : "*",
+ user ? user : "*",
+ domain ? domain : "*",
+ netgr);
+ } else if (innetgr_shost) {
+ sudo_debug_printf(SUDO_DEBUG_TRACE,
+ "(%s, %s, %s) found in netgroup %s\n",
+ lhost ? lhost : "*",
+ user ? user : "*",
+ domain ? domain : "*",
+ netgr);
+ } else {
+ sudo_debug_printf(SUDO_DEBUG_TRACE,
+ "(%s, %s, %s) NOT found in netgroup %s\n",
+ shost ? shost : "*",
+ user ? user : "*",
+ domain ? domain : "*",
+ netgr);
+ sudo_debug_printf(SUDO_DEBUG_TRACE,
+ "(%s, %s, %s) NOT found in netgroup %s\n",
+ lhost ? lhost : "*",
+ user ? user : "*",
+ domain ? domain : "*",
+ netgr);
+ }
+ debug_return_bool(innetgr_lhost || innetgr_shost);
 #endif /* HAVE_INNETGR */
 debug_return_bool(false);
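Review bot: The host printed in the two "found" trace messages is swapped relative to the lookup that succeeded: the `if (innetgr_lhost)` branch logs `shost ? shost : "*"` and the `else if (innetgr_shost)` branch logs `lhost ? lhost : "*"`. This trace is what an administrator reads to work out why a netgroup-based sudoers rule did or did not apply, so it should name the host that actually matched: use `lhost ? lhost : "*",` in the first branch and `shost ? shost : "*",` in the second. In the final `else` branch both hosts are reported as NOT found even when `lhost == shost`, where the second `innetgr()` call is skipped, so the same tuple is logged twice; guarding the second message with `if (lhost != shost)` would keep the log in step with the lookups performed. netgr_matches starts before and ends after this hunk, so how `lhost` and `shost` are populated is not visible here.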