[sudo-users] sudo v1.7.1 runas group allows runas any user

Todd C. Miller Todd.Miller at courtesan.com
Mon May 11 12:54:12 EDT 2009


I think the following should cover all the bases.  It also fixes
the output of "sudo -l" for group-only entries.  I made it print
the user's name as the runas user instead of leaving the user blank
because I find it easier to read that way, though I could be persuaded
to change that.

 - todd

Index: sudo.c
===================================================================
RCS file: /home/cvs/courtesan/sudo/sudo.c,v
retrieving revision 1.511
retrieving revision 1.512
diff -u -p -u -r1.511 -r1.512
--- sudo.c	18 Apr 2009 23:25:08 -0000	1.511
+++ sudo.c	10 May 2009 01:00:23 -0000	1.512
@@ -826,7 +826,7 @@ set_cmnd(sudo_mode)
     if (!update_defaults(SETDEF_CMND))
 	log_error(NO_STDERR|NO_EXIT, "problem with defaults entries");
 
-    if (!runas_user)
+    if (!runas_user && !runas_group)
 	set_runaspw(def_runas_default);	/* may have been updated above */
 
     return(rval);
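Review bot: The new condition `if (!runas_user && !runas_group)` skips set_runaspw(def_runas_default) when only -g is supplied, which removes the root fallback but does not say what runas_pw holds instead; the match.c part of this patch guards `runas_pw != NULL`, which suggests it may be left unset on this path. A comment on that line would make the intent explicit, e.g. `/* -g alone: never fall back to runas_default; the runas user is the invoker */`, and it is worth confirming that runas_pw is populated (or defaulted to the invoking user) before the privilege check and before any setuid happens later. set_cmnd begins outside the hunk, so the surrounding assignments are not visible here.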
Index: match.c
===================================================================
RCS file: /home/cvs/courtesan/sudo/match.c,v
retrieving revision 1.42
retrieving revision 1.43
diff -u -p -u -r1.42 -r1.43
--- match.c	28 Mar 2009 13:07:16 -0000	1.42
+++ match.c	11 May 2009 16:47:10 -0000	1.43
@@ -174,9 +174,13 @@ _runaslist_matches(user_list, group_list
     struct alias *a;
     int rval, matched = UNSPEC;
 
-    /* Deny if user specified a group but there is no group in sudoers */
-    if (runas_gr != NULL && tq_empty(group_list))
-	return(DENY);
+    if (runas_gr != NULL) {
+	if (tq_empty(group_list))
+	    return(DENY); /* group was specified but none in sudoers */
+	if (runas_pw != NULL && strcmp(runas_pw->pw_name, user_name) &&
+	    tq_empty(user_list))
+	    return(DENY); /* user was specified but none in sudoers */
+    }
 
     if (tq_empty(user_list) && tq_empty(group_list))
 	return(userpw_matches(def_runas_default, runas_pw->pw_name, runas_pw));
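Review bot: The added deny compares the requested runas user with the invoker by name, `strcmp(runas_pw->pw_name, user_name)`, not by uid, so the outcome depends on how runas_pw was resolved: a `-u '#uid'` request resolves to whatever name the passwd lookup returns, and two passwd entries sharing a uid under different names are treated as different users. That errs toward extra denials rather than extra grants, which is the safe direction, but the comment `/* user was specified but none in sudoers */` omits the self-exception; suggest `/* a user other than the invoker was given but sudoers lists no runas user */`. A NULL runas_pw passes through this block by design, and the dereference at `runas_pw->pw_name` on the last hunk line is only reached when no group was requested, where the sudo.c change guarantees set_runaspw ran, so that is fine as long as that invariant holds. The rest of _runaslist_matches lies outside the hunk.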
Index: parse.c
===================================================================
RCS file: /home/cvs/courtesan/sudo/parse.c,v
retrieving revision 1.240
retrieving revision 1.241
diff -u -p -u -r1.240 -r1.241
--- parse.c	18 Apr 2009 23:25:08 -0000	1.240
+++ parse.c	10 May 2009 11:33:45 -0000	1.241
@@ -328,8 +328,10 @@ sudo_file_display_priv_short(pw, us, lbu
 		    print_member(lbuf, m->name, m->type, m->negated,
 			RUNASALIAS);
 		}
-	    } else {
+	    } else if (tq_empty(&cs->runasgrouplist)) {
 		lbuf_append(lbuf, def_runas_default, NULL);
+	    } else {
+		lbuf_append(lbuf, pw->pw_name, NULL);
 	    }
 	    if (!tq_empty(&cs->runasgrouplist)) {
 		lbuf_append(lbuf, " : ", NULL);
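Review bot: The new `else` branch prints `pw->pw_name` without saying why, and a reader of `sudo -l` output could take it for the entry's literal runas user rather than a display convention; since `pw` is the function's argument (the user whose privileges are listed), a one-line comment would pin the meaning, e.g. `/* group-only entry: runas user is the listing user, matching the match.c rule */`. The if chain's first branch starts outside the hunk, so the full three-way structure is not visible here.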
@@ -377,8 +379,10 @@ sudo_file_display_priv_long(pw, us, lbuf
 		    print_member(lbuf, m->name, m->type, m->negated,
 			RUNASALIAS);
 		}
-	    } else {
+	    } else if (tq_empty(&cs->runasgrouplist)) {
 		lbuf_append(lbuf, def_runas_default, NULL);
+	    } else {
+		lbuf_append(lbuf, pw->pw_name, NULL);
 	    }
 	    lbuf_print(lbuf);
 	    if (!tq_empty(&cs->runasgrouplist)) {
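Review bot: The `else if (tq_empty(&cs->runasgrouplist))` / `else` pair added here duplicates the identical branch added to sudo_file_display_priv_short in the previous hunk, so the "which runas user to print" rule now lives in two places that must be kept in sync with the match.c enforcement. Once the head of the if chain (outside this hunk) is in view, the whole member-list / runas_default / pw_name selection could move into one static helper, say `display_runas_user(lbuf, cs, pw)`, called from both the short and long display functions. The enclosing function continues past the end of the hunk.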


