[sudo-workers] visudo's cycle detection algorithm
Daniel Kopecek
dkopecek at redhat.com
Wed May 22 07:12:42 MDT 2013
Hello,

I was digging in visudo yesterday and I think that its cycle detection
algorithm is too strict. The strictness comes from the fact that it is
treating the underlying graph as an undirected one. Therefore, loops
such as:

    Host_Alias H1 = host1
    Host_Alias H2 = H1, host2
    Host_Alias H3 = H1, H2

will cause a false positive, although they are harmless. I've attached a
proof-of-concept patch to fix this issue by adding an `onstack' flag to
the alias structure. During the DFS, the aliases are marked as being on
stack when their contents are being processed. A cycle is reported only
if an alias has the same sequence number (as was done previously) and if
it is already on the stack. This basically makes the algorithm treat the
underlying structure as a directed graph.

If the sequence number isn't used for anything other than cycle
detection, then it can be dropped altogether in favor of the stack flag,
I think. Let me know what you think.

Thanks,
Dan K.

http://people.fedoraproject.org/~dkopecek/sudo/sudo-1.8.6p7-cycledetectfix.patch
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sudo-1.8.6p7-cycledetectfix.patch
Type: text/x-patch
Size: 1665 bytes
Desc: not available
URL: </pipermail/sudo-workers/attachments/20130522/52e58911/attachment.bin>
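
Added example, not part of the original message and not sudo's own code: a simplified C model of the check described above, comparing "same sequence number" alone with "same sequence number and on the stack". The struct layout, the function names and the A/B cycle are assumptions made for illustration; only the H1/H2/H3 definitions come from the message.

```c
#include <stdio.h>

/* Simplified alias: members are indices of other aliases, -1 ends the list.
 * Plain hosts such as host1 are leaves and are left out of this model. */
struct alias {
    int members[3];
    unsigned int seqno;  /* pass that last visited this alias */
    int onstack;         /* set while its contents are being processed */
};

/* H1, H2, H3 from the message (indices 0, 1, 2). */
static struct alias shared[] = {
    { { -1, -1, -1 }, 0, 0 },  /* H1 = host1 */
    { {  0, -1, -1 }, 0, 0 },  /* H2 = H1, host2 */
    { {  0,  1, -1 }, 0, 0 },  /* H3 = H1, H2 */
};
/* Constructed true cycle: A = B, B = A. */
static struct alias loop[] = { { { 1, -1, -1 }, 0, 0 }, { { 0, -1, -1 }, 0, 0 } };
static unsigned int pass;  /* bumped before every check */

/* DFS from tab[idx]; returns 1 if a cycle is reported.
 * strict != 0: any revisit in the same pass counts (sequence number only).
 * strict == 0: the alias must also still be on the DFS stack. */
static int dfs(struct alias *tab, int idx, unsigned int seqno, int strict)
{
    struct alias *a = &tab[idx];
    int i, found = 0;

    if (a->seqno == seqno)
        return strict || a->onstack;
    a->seqno = seqno;
    a->onstack = 1;
    for (i = 0; i < 3 && a->members[i] >= 0 && !found; i++)
        found = dfs(tab, a->members[i], seqno, strict);
    a->onstack = 0;  /* contents fully processed, leave the stack */
    return found;
}

static int check_cycle(struct alias *tab, int start, int strict)
{
    return dfs(tab, start, ++pass, strict);
}

int main(void)
{
    printf("H3:   seqno only=%d, seqno+onstack=%d\n", check_cycle(shared, 2, 1), check_cycle(shared, 2, 0));
    printf("loop: seqno only=%d, seqno+onstack=%d\n", check_cycle(loop, 0, 1), check_cycle(loop, 0, 0));
    return 0;
}
```

H1 is reached twice from H3 (directly and through H2), so the sequence-number-only check flags it, while the on-stack check reports a cycle only for the A/B pair.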