[sudo-workers] listpw/verifypw processing in LDAP/SSSD
Daniel Kopecek
dkopecek at redhat.com
Mon Mar 2 03:58:30 MST 2015
Hello,
I'm analyzing a bug report and got around to reading code that checks
whether or not to require authentication from the user. There's this
piece of code in plugins/sudoers/ldap.c, sudo_ldap_lookup, lines
2998-3039 (sudo-1.8.12 tarball):
...
2998     if (pwflag) {
2999         int doauth = UNSPEC;
3000         int matched = UNSPEC;
3001         enum def_tuple pwcheck =
3002             (pwflag == -1) ? never : sudo_defs_table[pwflag].sd_un.tuple;
3003
3004         DPRINTF1("perform search for pwflag %d", pwflag);
3005         for (i = 0; i < lres->nentries; i++) {
3006             entry = lres->entries[i].entry;
3007             if ((pwcheck == any && doauth != false) ||
3008                 (pwcheck == all && doauth == false)) {
3009                 doauth = sudo_ldap_check_bool(ld, entry, "authenticate");
3010             }
...
(doauth is not set anywhere else in this function)
Now, if pwcheck is set to "all", then there's no way the code gets to check
the "authenticate" boolean (sudoOption), is there? Since "doauth" is set to
"-1" (UNSPEC) and (int)-1 == false is never true. Is this intended? It seems
to break the usage of the listpw and verifypw options in combination with the
!authenticate option specified per-user in ldap (and in sssd since there's
basically the same code).
Thanks,
Dan K.
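Added illustration (not part of the mail above or of the sudo sources): a small C model of the quoted loop that reproduces the behaviour described for pwcheck == all, next to a variant whose "all" condition follows the documented listpw/verifypw semantics. The enum, the entry model and the "intended" condition are my simplifications, not sudo's definitions or its upstream fix.

```c
/* Model of the pwflag loop in sudo_ldap_lookup as quoted above (sudo
 * 1.8.12).  Added illustration, not sudo's own code; the enum is reduced
 * to the tuple values the loop tests. */
#include <stdio.h>
#include <stdbool.h>

#define UNSPEC (-1)                     /* sudo's "not set" marker */
enum def_tuple { never, any, all, always };

/* Each constructed "LDAP entry" is reduced to the value sudo_ldap_check_bool
 * would return for its "authenticate" sudoOption (true or false here). */

/* Condition exactly as quoted in the report.  For pwcheck == all the branch
 * needs doauth == false, which can never hold while doauth is still UNSPEC,
 * so not a single entry is examined and UNSPEC is returned unchanged. */
static int doauth_as_reported(enum def_tuple pwcheck, const int *auth, int n)
{
    int doauth = UNSPEC;
    for (int i = 0; i < n; i++) {
        if ((pwcheck == any && doauth != false) ||
            (pwcheck == all && doauth == false))
            doauth = auth[i];
    }
    return doauth;
}

/* Condition following the documented listpw/verifypw semantics (my reading
 * of the sudoers manual, not necessarily the upstream fix): "any" stops at
 * the first entry with !authenticate; "all" keeps looking until an entry
 * that does require authentication is found. */
static int doauth_intended(enum def_tuple pwcheck, const int *auth, int n)
{
    int doauth = UNSPEC;
    for (int i = 0; i < n; i++) {
        if ((pwcheck == any && doauth != false) ||
            (pwcheck == all && doauth != true))
            doauth = auth[i];
    }
    return doauth;
}

int main(void)
{
    /* Constructed sample: two matching entries, both with !authenticate. */
    const int both_noauth[] = { false, false };
    printf("verifypw=all, as reported: %d\n", doauth_as_reported(all, both_noauth, 2));
    printf("verifypw=all, intended:    %d\n", doauth_intended(all, both_noauth, 2));
    return 0;
}
```

With the quoted condition the "all" case returns UNSPEC regardless of the entries, so the per-user !authenticate settings never influence the decision.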