[sudo-users] issue with sudo_ldap

Stefan Maass stefan.maass at syniverse.com
Wed Nov 9 02:25:13 MST 2016


Hi Dagobert,

I definitely will. I just downloaded the package. Will give you an update after I have tried it out.

Thanks and Regards,
Stefan

-----Original Message-----
From: Dagobert Michelsen [mailto:dam at opencsw.org]
Sent: Wednesday, 9 November 2016 09:55
To: Stefan Maass <stefan.maass at syniverse.com>
Cc: Todd C. Miller <Todd.Miller at courtesan.com>; Sreejith Kuzhivayalil <sreejith.kuzhivayalil at syniverse.com>; sudo-users at sudo.ws; users at lists.opencsw.org
Subject: Re: [sudo-users] issue with sudo_ldap

Hi Stefan,

On 09.11.2016 at 09:29, Stefan Maass <stefan.maass at syniverse.com> wrote:
> Thanks for that info! We, however, only entered the negated host for a test after it did not work, and we checked out the manual and saw that negated hosts were added in version 1.8.18. It also did not match anything without any negated host in the list.

I made new packages with the patch applied which will appear here soon:
  http://buildfarm.opencsw.org/experimental.html#sudo

You may want to give them a try.


Best regards

  — Dago

> 
> Regards,
> Stefan
> 
> -----Original Message-----
> From: Todd C. Miller [mailto:Todd.Miller at courtesan.com]
> Sent: Tuesday, 8 November 2016 22:37
> To: Stefan Maass <stefan.maass at syniverse.com>
> Cc: Dagobert Michelsen <dam at opencsw.org>; Sreejith Kuzhivayalil 
> <sreejith.kuzhivayalil at syniverse.com>; sudo-users at sudo.ws; 
> users at lists.opencsw.org
> Subject: Re: [sudo-users] issue with sudo_ldap
> 
> There does appear to be a bug in the host matching where any hosts found after a negated host would fail to match.  I'm not sure that explains what you are seeing though.
> 
> I've committed a fix: https://www.sudo.ws/repos/sudo/rev/40cbd5790106
> Below is the same diff based on 1.8.18p1 rather than trunk.
> 
> - todd
> 
> diff -r abda86e3b777 plugins/sudoers/ldap.c
> --- a/plugins/sudoers/ldap.c	Mon Oct 10 09:10:34 2016 -0600
> +++ b/plugins/sudoers/ldap.c	Tue Nov 08 14:13:42 2016 -0700
> @@ -721,20 +721,21 @@
> {
>     struct berval **bv, **p;
>     char *val;
> -    bool ret = false;
> -    bool foundbang = false;
> +    int matched = UNSPEC;
>     debug_decl(sudo_ldap_check_host, SUDOERS_DEBUG_LDAP)
> 
>     if (!entry)
> -	debug_return_bool(ret);
> +	debug_return_bool(false);
> 
>     /* get the values from the entry */
>     bv = ldap_get_values_len(ld, entry, "sudoHost");
>     if (bv == NULL)
> -	debug_return_bool(ret);
> +	debug_return_bool(false);
> 
>     /* walk through values */
> -    for (p = bv; *p != NULL && !foundbang; p++) {
> +    for (p = bv; *p != NULL && matched != false; p++) {
> +	bool foundbang = false;
> +
> 	val = (*p)->bv_val;
> 
> 	if (*val == '!') {
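Review bot: the new loop condition `*p != NULL && matched != false` compares the tri-state `int matched` against the `bool` constant `false`, which is only correct because `UNSPEC` is neither 0 nor 1; a one-line comment next to `int matched = UNSPEC;` naming the three states (UNSPEC: no value has matched yet, true: a positive value matched, false: a negated value matched, which ends the walk) would make that contract explicit for the next reader. Moving `bool foundbang = false;` into the loop body is the actual fix: with the old loop-wide flag, a `!host` value that did not match still set `foundbang` and terminated the `for`, so every sudoHost value listed after it was never compared, which is the "hosts found after a negated host fail to match" behaviour described above.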
> @@ -746,14 +747,17 @@
> 	if (strcmp(val, "ALL") == 0 || addr_matches(val) ||
> 	    netgr_matches(val, user_runhost, user_srunhost,
> 	    def_netgroup_tuple ? pw->pw_name : NULL) ||
> -	    hostname_matches(user_srunhost, user_runhost, val))
> -	    ret = !foundbang;
> -	DPRINTF2("ldap sudoHost '%s' ... %s", val, ret ? "MATCH!" : "not");
> +	    hostname_matches(user_srunhost, user_runhost, val)) {
> +
> +	    matched = foundbang ? false : true;
> +	}
> +	DPRINTF2("ldap sudoHost '%s' ... %s",
> +	    val, matched == true ? "MATCH!" : "not");
>     }
> 
>     ldap_value_free_len(bv);	/* cleanup */
> 
> -    debug_return_bool(ret);
> +    debug_return_bool(matched == true);
> }
> 
> static int
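Review bot: the added empty line between `hostname_matches(user_srunhost, user_runhost, val)) {` and `matched = foundbang ? false : true;` is a stray blank inside a two-line `if` body and should go. Separately, the `DPRINTF2` message now prints the running `matched` state rather than the result for this particular value: once one value has matched, every later non-matching value is logged as "MATCH!" (the old `ret` had the same sticky behaviour). Logging a per-value result, e.g. a local `bool this_matched` set from the `if` and printed in place of `matched == true`, would make the debug trace usable for diagnosing host-matching reports like the one in this thread.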
> diff -r abda86e3b777 plugins/sudoers/sssd.c
> --- a/plugins/sudoers/sssd.c	Mon Oct 10 09:10:34 2016 -0600
> +++ b/plugins/sudoers/sssd.c	Tue Nov 08 14:13:42 2016 -0700
> @@ -741,13 +741,12 @@
> sudo_sss_check_host(struct sudo_sss_handle *handle, struct sss_sudo_rule *rule)  {
>     char **val_array, *val;
> -    bool ret = false;
> -    bool foundbang = false;
> +    int matched = UNSPEC;
>     int i;
>     debug_decl(sudo_sss_check_host, SUDOERS_DEBUG_SSSD);
> 
>     if (rule == NULL)
> -	debug_return_bool(ret);
> +	debug_return_bool(false);
> 
>     /* get the values from the rule */
>     switch (handle->fn_get_values(rule, "sudoHost", &val_array)) { @@ -758,11 +757,13 @@
> 	debug_return_bool(false);
>     default:
> 	sudo_debug_printf(SUDO_DEBUG_INFO, "handle->fn_get_values(sudoHost): != 0");
> -	debug_return_bool(ret);
> +	debug_return_bool(false);
>     }
> 
>     /* walk through values */
> -    for (i = 0; val_array[i] != NULL && !foundbang; ++i) {
> +    for (i = 0; val_array[i] != NULL && matched != false; ++i) {
> +	bool foundbang = false;
> +
> 	val = val_array[i];
> 	sudo_debug_printf(SUDO_DEBUG_DEBUG, "val[%d]=%s", i, val);
> 
> @@ -775,16 +776,18 @@
> 	if (strcmp(val, "ALL") == 0 || addr_matches(val) ||
> 	    netgr_matches(val, handle->host, handle->shost,
> 	    def_netgroup_tuple ? handle->pw->pw_name : NULL) ||
> -	    hostname_matches(handle->shost, handle->host, val))
> -	    ret = !foundbang;
> +	    hostname_matches(handle->shost, handle->host, val)) {
> 
> -	sudo_debug_printf(SUDO_DEBUG_INFO,
> -	    "sssd/ldap sudoHost '%s' ... %s", val, ret ? "MATCH!" : "not");
> +	    matched = foundbang ? false : true;
> +	}
> +
> +	sudo_debug_printf(SUDO_DEBUG_INFO, "sssd/ldap sudoHost '%s' ... %s",
> +	    val, matched == true ? "MATCH!" : "not");
>     }
> 
>     handle->fn_free_values(val_array);
> 
> -    debug_return_bool(ret);
> +    debug_return_bool(matched == true);
> }
> 
> /*
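Review bot: the two sssd.c hunks are a line-for-line copy of the ldap.c change, including the same empty line inside the `if` body before `matched = foundbang ? false : true;` and a second added blank before `sudo_debug_printf(SUDO_DEBUG_INFO, "sssd/ldap sudoHost '%s' ... %s",`. After this patch `sudo_sss_check_host()` and `sudo_ldap_check_host()` differ only in how the `sudoHost` values and the host names are obtained (`handle->fn_get_values()` and `handle->host`/`handle->shost` here versus `ldap_get_values_len()` and `user_runhost`/`user_srunhost` in ldap.c); since this bug had to be fixed twice, factoring the walk into one shared helper that takes the value array and the two host names would keep the two copies from drifting apart again.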

--
"You don't become great by trying to be great, you become great by wanting to do something, and then doing it so hard that you become great in the process." - xkcd #896
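To make the host-matching change above concrete, here is an added stand-alone C model of the sudoHost walk before and after Todd's patch; it is illustration code written for this page, not code from the sudo project. It assumes, from the context lines shown, that the elided body of `if (*val == '!')` advances `val` past the bang and sets `foundbang`, and it replaces `addr_matches()`, `netgr_matches()` and `hostname_matches()` with a single exact-string comparison; the sudoHost lists and the host names are constructed sample data.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for sudoers' UNSPEC: a value that is neither true (1) nor false (0). */
#define UNSPEC (-1)

/* Simplified matcher for this example: only "ALL" and an exact hostname
 * compare. The real code also tries address and netgroup matches. */
static bool host_value_matches(const char *val, const char *host)
{
    return strcmp(val, "ALL") == 0 || strcmp(val, host) == 0;
}

/* Pre-patch walk: one foundbang flag for the whole loop. A negated value
 * that does NOT match still sets foundbang, which ends the loop, so every
 * value listed after it is never examined. */
bool check_host_old(const char *const *vals, const char *host)
{
    bool ret = false;
    bool foundbang = false;

    for (const char *const *p = vals; *p != NULL && !foundbang; p++) {
        const char *val = *p;
        if (*val == '!') {      /* assumed body of the elided block */
            val++;
            foundbang = true;
        }
        if (host_value_matches(val, host))
            ret = !foundbang;
    }
    return ret;
}

/* Post-patch walk: foundbang is per value, and a tri-state 'matched' drives
 * the loop. UNSPEC = nothing decided yet, true = a positive value matched,
 * false = a negated value matched, which stops the walk. */
bool check_host_new(const char *const *vals, const char *host)
{
    int matched = UNSPEC;

    for (const char *const *p = vals; *p != NULL && matched != false; p++) {
        bool foundbang = false;
        const char *val = *p;
        if (*val == '!') {
            val++;
            foundbang = true;
        }
        if (host_value_matches(val, host))
            matched = foundbang ? false : true;
    }
    return matched == true;
}

/* Constructed sudoHost value lists, shaped like what an LDAP lookup returns. */
const char *const AFTER_NEGATION[] = { "!db01", "web01", NULL };
const char *const NEGATED_LAST[]   = { "web01", "!web01", NULL };
const char *const ALL_ONLY[]       = { "ALL", NULL };

int main(void)
{
    /* The case from this thread: a host listed after a non-matching "!host". */
    printf("[!db01, web01] on web01: old=%d new=%d\n",
        check_host_old(AFTER_NEGATION, "web01"),
        check_host_new(AFTER_NEGATION, "web01"));
    /* A negated value that matches denies in both versions. */
    printf("[web01, !web01] on web01: old=%d new=%d\n",
        check_host_old(NEGATED_LAST, "web01"),
        check_host_new(NEGATED_LAST, "web01"));
    printf("[!db01, web01] on db01: old=%d new=%d\n",
        check_host_old(AFTER_NEGATION, "db01"),
        check_host_new(AFTER_NEGATION, "db01"));
    printf("[ALL] on web01: old=%d new=%d\n",
        check_host_old(ALL_ONLY, "web01"),
        check_host_new(ALL_ONLY, "web01"));
    return 0;
}
```

The first case is the one that changes: the old walk stops after `!db01` and never looks at `web01`, so the rule does not apply on web01; the new walk keeps going once the negated value fails to match. A negated value that does match (`!web01` on web01, `!db01` on db01) denies in both versions, as does the order `web01, !web01`, because a negated match sets `matched` to false and ends the loop.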
