[sudo-workers] visudo's cycle detection algorithm

Daniel Kopecek dkopecek at redhat.com
Wed May 22 07:12:42 MDT 2013


Hello,
  I was digging in visudo yesterday and I think that its cycle detection
algorithm is too strict. The strictness comes from the fact that it is
treating the underlying graph as an undirected one. Therefore, loops such as:

Host_Alias H1 = host1
Host_Alias H2 = H1, host2
Host_Alias H3 = H1, H2

will cause a false positive, although they are harmless. I've attached a
proof-of-concept patch to fix this issue by adding an `onstack' flag to the
alias structure. During the DFS, the aliases are marked as being on stack
when their contents are being processed. A cycle is reported only if an
alias has the same sequence number (as was done previously) and if it is
already on the stack. This basically makes the algorithm treat the
underlying structure as a directed graph.

If the sequence number isn't used for anything other than cycle detection,
then it can be dropped altogether in favor of the stack flag, I think. Let
me know what you think.

Thanks,
Dan K.

http://people.fedoraproject.org/~dkopecek/sudo/sudo-1.8.6p7-cycledetectfix.patch
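
The difference described in the message above, as an added example that is not part of the original post or the attached patch: a simplified C model that runs the DFS once with the sequence-number check alone and once with the additional on-stack check. The struct layout and the names `visit` and `has_cycle` are assumptions, not sudo's code, and A1/A2 is a constructed genuine loop.

```c
#include <stdio.h>

#define MAX_MEMBERS 4

/* Simplified model, not sudo's struct alias: only members that are
 * themselves aliases are kept; plain host names are leaves and omitted. */
struct alias {
    struct alias *members[MAX_MEMBERS]; /* unused slots are NULL */
    unsigned int seqno;                 /* stamp of the last traversal to reach it */
    int onstack;                        /* set while its members are being expanded */
};

/* The aliases from the message. */
static struct alias H1;                                /* H1 = host1 */
static struct alias H2 = { .members = { &H1 } };       /* H2 = H1, host2 */
static struct alias H3 = { .members = { &H1, &H2 } };  /* H3 = H1, H2 */

/* Constructed genuine loop: A1 = A2, A2 = A1. */
static struct alias A2;
static struct alias A1 = { .members = { &A2 } };
static struct alias A2 = { .members = { &A1 } };

/* DFS from a; returns 1 when a cycle is reported. use_stack=0 reports on a
 * seqno match alone; use_stack=1 also requires the alias to be on the stack. */
static int visit(struct alias *a, unsigned int seqno, int use_stack)
{
    int found = 0;
    if (a->seqno == seqno && (!use_stack || a->onstack))
        return 1;
    a->seqno = seqno;
    a->onstack = 1;
    for (int i = 0; i < MAX_MEMBERS && a->members[i] != NULL && !found; i++)
        found = visit(a->members[i], seqno, use_stack);
    a->onstack = 0;
    return found;
}

static int has_cycle(struct alias *start, int use_stack)
{
    static unsigned int next_seqno = 1; /* fresh stamp for every traversal */
    return visit(start, next_seqno++, use_stack);
}

int main(void)
{
    printf("H3: seqno only=%d, with onstack=%d\n", has_cycle(&H3, 0), has_cycle(&H3, 1));
    printf("A1: seqno only=%d, with onstack=%d\n", has_cycle(&A1, 0), has_cycle(&A1, 1));
    return 0;
}
```

With the on-stack check, an alias that was already fully expanded (H1 reached a second time through H2) is expanded again rather than reported, while A1 is still caught because it is on the stack when A2 refers back to it.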
