[sudo-workers] Please update the LDAP search string for netgroup_base

Steven Soulen soulen3 at gmail.com
Mon Jun 15 13:17:20 MDT 2015


Hi Todd,

I tried out the netgroup_base option on an AIX host and the LDAP search
did not run correctly.  After some debugging I found that the backslash
escapes on the parentheses (\( and \)) in the netgroup search filter are
not accepted there as expected.

I then found RFC 2254 (since obsoleted by RFC 4515, which keeps the same
rule), which specifies that a literal ( or ) inside a filter value must be
written as a backslash followed by the two hex digits of the character,
i.e. \28 and \29; \( and \) are not valid escapes, so a client library
that follows the RFC strictly will not accept them.

https://tools.ietf.org/search/rfc2254

So I updated the search string and I've tested it on RHEL, Solaris and AIX
against a DSEE LDAP server.

I had to test this using sudo version 1.8.13 as I was unable to build a
clean version from source.   Below are the configure options I used and
the error message I received while running make.

Configure options
# CC="gcc -static-libgcc" ./configure        --prefix=/opt/sudo
 --exec-prefix=/opt/sudo        --mandir=/opt/sudo/man
 --sysconfdir=/etc        --localstatedir=/var
 --datarootdir=/usr/share        --with-logging=both --with-logfac=local2
     --with-goodpri=info --with-badpri=err        --with-editor=/usr/bin/vi
--with-env-editor        --with-ignore-dot --with-tty-tickets
 --with-pam --with-nsswitch        --with-ldap        --with-project
 --with-ldap-conf-file=/opt/sudo/etc/ldap.conf
 --with-ldap-secret-file=/opt/sudo/etc/ldap.secret --disable-zlib
--without-sendmail --with-secure-path


Error message:
/bin/sh ../../libtool --mode=link gcc -static-libgcc -std=gnu99 -o visudo
find_path.o goodpath.o locale.o sudo_printf.o visudo.o visudo_json.o
-Wl,-z,relro -Wc,-fPIE -pie -Wc,-fstack-protector-all libparsesudoers.la
../../lib/util/libsudo_util.la
libtool: link: gcc -static-libgcc -std=gnu99 -o .libs/visudo find_path.o
goodpath.o locale.o sudo_printf.o visudo.o visudo_json.o -Wl,-z -Wl,relro
-fPIE -pie -fstack-protector-all  ./.libs/libparsesudoers.a
../../lib/util/.libs/libsudo_util.so -ldl -lrt -Wl,-rpath
-Wl,/opt/sudo/libexec/sudo
./.libs/libparsesudoers.a(pwutil_impl.o): In function
`sudo_make_grlist_item':
/tmp/sudo/plugins/sudoers/./pwutil_impl.c:259: undefined reference to
`sudo_reallocarray'
/tmp/sudo/plugins/sudoers/./pwutil_impl.c:267: undefined reference to
`sudo_reallocarray'
/tmp/sudo/plugins/sudoers/./pwutil_impl.c:272: undefined reference to
`sudo_reallocarray'
./.libs/libparsesudoers.a(toke.o): In function `push_include_int':
/tmp/sudo/plugins/sudoers/toke.l:929: undefined reference to
`sudo_reallocarray'
./.libs/libparsesudoers.a(toke.o): In function `switch_dir':
/tmp/sudo/plugins/sudoers/toke.l:822: undefined reference to
`sudo_reallocarray'
collect2: ld returned 1 exit status
make[1]: *** [visudo] Error 1
make[1]: Leaving directory `/tmp/sudo/plugins/sudoers'
make: *** [all] Error 2


Code diff for ldap.c:
--- ldap.c.orig 2015-06-15 13:45:56.000000000 -0500
+++ ldap.c      2015-06-15 14:12:31.000000000 -0500
@@ -1350,7 +1350,7 @@
        /* Build query, using NIS domain if it is set. */
        /* XXX - move outside foreach */
        if (domain != NULL) {
-           filt_len = sizeof("(nisNetgroupTriple=\\(,,\\))") - 1 +
+           filt_len = sizeof("(nisNetgroupTriple=\\28,,\\29)") - 1 +
                sudo_ldap_value_len(pw->pw_name);
            if (user_host == user_shost) {
                filt_len *= 4;
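Review bot: The new length literal needs a comment saying why the parentheses are written as `\28`/`\29`, because the next person to touch this line will be tempted to "simplify" it back to `\(`. Above the `filt_len =` line I would add `/* Parens inside a filter value must be hex-escaped (RFC 4515): "(" -> "\28", ")" -> "\29". */`. The `sizeof` budget is only correct while every fragment concatenated later in the function uses the same three-character escapes, so the comment should also say that the literal must match those fragments. The enclosing function begins before this hunk, so the remaining additions to filt_len are not visible here.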
@@ -1366,39 +1366,39 @@
            filt = sudo_emalloc(filt_len);
            CHECK_STRLCPY(filt, "(&", filt_len);
            CHECK_STRLCAT(filt, ldap_conf.netgroup_search_filter, filt_len);
-           CHECK_STRLCAT(filt, "(|(nisNetgroupTriple=\\(,", filt_len);
+           CHECK_STRLCAT(filt, "(|(nisNetgroupTriple=\\28,", filt_len);
            CHECK_LDAP_VCAT(filt, pw->pw_name, filt_len);
            CHECK_STRLCAT(filt, ",", filt_len);
            CHECK_LDAP_VCAT(filt, domain, filt_len);
-           CHECK_STRLCAT(filt, "\\))(nisNetgroupTriple=\\(", filt_len);
+           CHECK_STRLCAT(filt, "\\29)(nisNetgroupTriple=\\28", filt_len);
            CHECK_LDAP_VCAT(filt, user_shost, filt_len);
            CHECK_STRLCAT(filt, ",", filt_len);
            CHECK_LDAP_VCAT(filt, pw->pw_name, filt_len);
            if (user_host != user_shost) {
                CHECK_STRLCAT(filt, ",", filt_len);
                CHECK_LDAP_VCAT(filt, domain, filt_len);
-               CHECK_STRLCAT(filt, "\\))(nisNetgroupTriple=\\(", filt_len);
+               CHECK_STRLCAT(filt, "\\29)(nisNetgroupTriple=\\28",
filt_len);
                CHECK_LDAP_VCAT(filt, user_host, filt_len);
                CHECK_STRLCAT(filt, ",", filt_len);
                CHECK_LDAP_VCAT(filt, pw->pw_name, filt_len);
            }
            CHECK_STRLCAT(filt, ",", filt_len);
            CHECK_LDAP_VCAT(filt, domain, filt_len);
-           CHECK_STRLCAT(filt, "\\))(nisNetgroupTriple=\\(,", filt_len);
+           CHECK_STRLCAT(filt, "\\29)(nisNetgroupTriple=\\28,", filt_len);
            CHECK_LDAP_VCAT(filt, pw->pw_name, filt_len);
-           CHECK_STRLCAT(filt, ",\\))(nisNetgroupTriple=\\(", filt_len);
+           CHECK_STRLCAT(filt, ",\\29)(nisNetgroupTriple=\\28", filt_len);
            CHECK_LDAP_VCAT(filt, user_shost, filt_len);
            CHECK_STRLCAT(filt, ",", filt_len);
            CHECK_LDAP_VCAT(filt, pw->pw_name, filt_len);
            if (user_host != user_shost) {
-               CHECK_STRLCAT(filt, ",\\))(nisNetgroupTriple=\\(",
filt_len);
+               CHECK_STRLCAT(filt, ",\\29)(nisNetgroupTriple=\\28",
filt_len);
                CHECK_LDAP_VCAT(filt, user_host, filt_len);
                CHECK_STRLCAT(filt, ",", filt_len);
                CHECK_LDAP_VCAT(filt, pw->pw_name, filt_len);
            }
-           CHECK_STRLCAT(filt, ",\\))))", filt_len);
+           CHECK_STRLCAT(filt, ",\\29)))", filt_len);
        } else {
-           filt_len = sizeof("(nisNetgroupTriple=\\(,,*\\))") - 1 +
+           filt_len = sizeof("(nisNetgroupTriple=\\28,,*\\29)") - 1 +
                sudo_ldap_value_len(pw->pw_name);
            if (user_host == user_shost) {
                filt_len *= 2;
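Review bot: The `\28`/`\29` escape is now repeated verbatim in roughly a dozen string literals, and `filt_len` (computed from a separate literal earlier in the function) is only right if every one of them agrees, so a single `\(` left behind or a stray character would silently change the budget and rely on the CHECK_STRLCAT truncation check to catch it. Two file-scope macros such as `#define NG_TRIPLE_OPEN "(nisNetgroupTriple=\\28"` and `#define NG_TRIPLE_CLOSE "\\29)"`, used both in the length computation and in the concatenations, would keep them in sync. The hunk only changes the fixed framing of the filter; the caller-controlled parts (`pw->pw_name`, `domain`, `user_shost`, `user_host`) still go through `CHECK_LDAP_VCAT`, which presumably applies the RFC 4515 value escaping — it is worth confirming that escaper also emits `\28`/`\29` rather than `\(`/`\)`, otherwise a user or host name containing a parenthesis would hit the same failure on a strict client library. The enclosing function starts and ends outside this hunk.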
@@ -1412,19 +1412,19 @@
            filt = sudo_emalloc(filt_len);
            CHECK_STRLCPY(filt, "(&", filt_len);
            CHECK_STRLCAT(filt, ldap_conf.netgroup_search_filter, filt_len);
-           CHECK_STRLCAT(filt, "(|(nisNetgroupTriple=\\(,", filt_len);
+           CHECK_STRLCAT(filt, "(|(nisNetgroupTriple=\\28,", filt_len);
            CHECK_LDAP_VCAT(filt, pw->pw_name, filt_len);
-           CHECK_STRLCAT(filt, ",*\\))(nisNetgroupTriple=\\(", filt_len);
+           CHECK_STRLCAT(filt, ",*\\29)(nisNetgroupTriple=\\28", filt_len);
            CHECK_LDAP_VCAT(filt, user_shost, filt_len);
            CHECK_STRLCAT(filt, ",", filt_len);
            CHECK_LDAP_VCAT(filt, pw->pw_name, filt_len);
            if (user_host != user_shost) {
-               CHECK_STRLCAT(filt, ",*\\))(nisNetgroupTriple=\\(",
filt_len);
+               CHECK_STRLCAT(filt, ",*\\29)(nisNetgroupTriple=\\28",
filt_len);
                CHECK_LDAP_VCAT(filt, user_host, filt_len);
                CHECK_STRLCAT(filt, ",", filt_len);
                CHECK_LDAP_VCAT(filt, pw->pw_name, filt_len);
            }
-           CHECK_STRLCAT(filt, ",*\\))))", filt_len);
+           CHECK_STRLCAT(filt, ",*\\29)))", filt_len);
        }
        DPRINTF1("ldap netgroup search filter: '%s'", filt);
        result = NULL;
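Review bot: In the no-domain branch the `*` before `\29` is an intentional wildcard for the domain field of the triple and must stay unescaped — unlike the parentheses, which are now `\29` — but nothing in the code says so, and a reader applying the RFC 4515 rule mechanically could "fix" it to `\2a` and break the match. I would put a comment on the `filt_len =` line of this branch: `/* No NIS domain: match any domain with a bare "*" wildcard; only the parens are hex-escaped. */`. The `DPRINTF1` line after the if/else logs the assembled filter, which is the easiest way to confirm the escapes on a strict server; the function continues past this hunk.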

