[sudo-workers] parsing of ldap.conf
Radovan Sroka
rsroka at redhat.com
Thu Sep 1 03:12:19 MDT 2016
Hi sudo-workers,
"sudo_parseln_v1" parses ldap.conf incorrectly.
Comments always start with '#'; that's okay, but sudo "thinks" that '#' doesn't have to be the first character of the line.
This could be a problem sometimes when your ldap.conf contains something like this:
........................................................
SUDOERS_BASE "ou=SUDOers,dc=example,dc=com"
SUDOERS_DEBUG 2
uri ldap://127.0.0.1
sudoers_base ou=Sudo,dc=example,dc=com
binddn uid=root,dc=example,dc=com
bindpw abc#123
timelimit 30
ssl no
........................................................
The manual page of ldap.conf says:
"Lines beginning with a hash mark (`#') are comments, and ignored."
and
........................................................
# Wrong - erroneous quotes:
URI "ldap:// ldaps://"
# Right - space-separated list of URIs, without quotes:
URI ldap:// ldaps://
# Right - DN syntax needs quoting for Example, Inc:
BASE ou=IT staff,o="Example, Inc",c=US
# or:
BASE ou=IT staff,o=Example2C Inc,c=US
# Wrong - comment on same line as option:
DEREF never # Never follow aliases
........................................................
I made a fix for this problem, but I'm not sure if it's right
because it probably changes how all .conf files are parsed.
diff --git a/lib/util/parseln.c b/lib/util/parseln.c
index a1aae0d..a1befe6 100644
--- a/lib/util/parseln.c
+++ b/lib/util/parseln.c
@@ -67,9 +67,9 @@ sudo_parseln_v1(char **bufp, size_t *bufsizep, unsigned int *lineno, FILE *fp)
line[--len] = '\0';
/* Remove comments or check for line continuation (but not both) */
- if ((cp = strchr(line, '#')) != NULL) {
- *cp = '\0';
- len = (ssize_t)(cp - line);
+ if (*line == '#') {
+ *line = '\0';
+ len = 0;
} else if (len > 0 && line[len - 1] == '\\' && (len == 1 || line[len - 2] != '\\')) {
line[--len] = '\0';
continued = true;
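Review bot: the new test `if (*line == '#')` looks only at the first byte of the line, so a comment indented with blanks or tabs (`   # ...`) is no longer stripped, while the removed `strchr(line, '#')` version did catch it; and because the continuation branch is an `else if`, such an indented comment ending in `\` would now be treated as a line continuation instead of being discarded. Skip leading blanks before testing for `#`. Since `sudo_parseln_v1` is shared by every .conf reader (as the covering message notes), consider making "comment only at beginning of line" a mode the ldap.conf reader requests, e.g. via a flag argument, rather than changing the default for all callers.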
So what do you think?
---------------------------------------------------------
Radovan Sroka
Security Technologies | Red Hat, Inc.
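To make the difference concrete, here is an added example (not sudo's code and not from the message above) that parses a constructed ldap.conf fragment with both comment rules side by side: `strip_comment_anywhere` mimics the behaviour the message describes for the old `sudo_parseln_v1` (the first `#` anywhere ends the line), and `strip_comment_bol` follows ldap.conf(5), where only a line beginning with `#` is a comment. Treating a `#` preceded only by blanks as a comment, and the helper names `lookup`, `split_keyword` and `lookup_equals`, are choices of this example, not something the post or sudo specifies.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Old rule as described in the post: the first '#' anywhere ends the line,
 * so "bindpw abc#123" collapses to "bindpw abc". */
static void strip_comment_anywhere(char *line)
{
    char *cp = strchr(line, '#');
    if (cp != NULL)
        *cp = '\0';
}

/* ldap.conf(5) rule: a comment is a line *beginning* with '#'.
 * Assumption of this example: leading blanks before '#' are tolerated. */
static void strip_comment_bol(char *line)
{
    char *cp = line;
    while (isblank((unsigned char)*cp))
        cp++;
    if (*cp == '#')
        *line = '\0';
}

/* Trim trailing blanks in place; return a pointer past leading blanks. */
static char *trim(char *s)
{
    size_t len = strlen(s);
    while (len > 0 && isblank((unsigned char)s[len - 1]))
        s[--len] = '\0';
    while (isblank((unsigned char)*s))
        s++;
    return s;
}

/* Split "keyword value" in place. Returns 0 for a blank line, else 1.
 * The value keeps everything after the keyword, including any '#'. */
static int split_keyword(char *line, char **keyword, char **value)
{
    char *cp = trim(line);
    if (*cp == '\0')
        return 0;
    *keyword = cp;
    while (*cp != '\0' && !isblank((unsigned char)*cp))
        cp++;
    if (*cp != '\0') {
        *cp++ = '\0';
        cp = trim(cp);
    }
    *value = cp;
    return 1;
}

/* Find keyword `want` in a conf buffer using the selected comment rule and
 * copy its value into `out`. Returns 1 if found, 0 otherwise. */
static int lookup(const char *conf, const char *want, int bol_comments,
                  char *out, size_t outlen)
{
    char line[256];
    for (const char *p = conf; *p != '\0';) {
        size_t n = strcspn(p, "\n");          /* one line of the buffer */
        if (n >= sizeof(line))
            n = sizeof(line) - 1;
        memcpy(line, p, n);
        line[n] = '\0';
        p += n + (p[n] == '\n');

        if (bol_comments)
            strip_comment_bol(line);
        else
            strip_comment_anywhere(line);

        char *keyword, *value;
        if (split_keyword(line, &keyword, &value) &&
            strcasecmp(keyword, want) == 0) {
            snprintf(out, outlen, "%s", value);
            return 1;
        }
    }
    return 0;
}

/* Constructed ldap.conf fragment modelled on the one in the post. */
static const char SAMPLE_CONF[] =
    "# comment at beginning of line\n"
    "   # indented comment, accepted as a comment by this example\n"
    "uri ldap://127.0.0.1\n"
    "sudoers_base ou=Sudo,dc=example,dc=com\n"
    "binddn uid=root,dc=example,dc=com\n"
    "bindpw abc#123\n"
    "timelimit 30\n"
    "ssl no\n";

/* Does looking up `key` under the chosen rule yield exactly `expected`? */
static int lookup_equals(const char *key, int bol_comments, const char *expected)
{
    char buf[128];
    if (!lookup(SAMPLE_CONF, key, bol_comments, buf, sizeof(buf)))
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    char buf[128];
    lookup(SAMPLE_CONF, "bindpw", 0, buf, sizeof(buf));
    printf("comment-anywhere rule: bindpw = \"%s\"\n", buf);   /* abc */
    lookup(SAMPLE_CONF, "bindpw", 1, buf, sizeof(buf));
    printf("beginning-of-line rule: bindpw = \"%s\"\n", buf);  /* abc#123 */
    return 0;
}
```

Under the first rule the LDAP bind password silently loses everything from the `#` on, and the bind fails with no hint in the file itself; under the second rule the password survives while both comment lines are still dropped.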
More information about the sudo-workers mailing list