[sudo-workers] parsing of ldap.conf

Radovan Sroka rsroka at redhat.com
Thu Sep 1 03:12:19 MDT 2016 

Hi sudo-workers,

"sudo_parseln_v1" parses ldap.conf incorrectly.

Comments always start with '#', it's okay but sudo "thinks" that '#' doesn't have to be first character of the line.

This could be a problem sometimes when your ldap.conf contains something like this:
........................................................
SUDOERS_BASE "ou=SUDOers,dc=example,dc=com"
SUDOERS_DEBUG 2
uri              ldap://127.0.0.1
sudoers_base     ou=Sudo,dc=example,dc=com
binddn           uid=root,dc=example,dc=com
bindpw           abc#123
timelimit        30
ssl              no
........................................................



Manual page of ldap.conf says:

"Lines beginning with a hash mark (`#') are comments, and ignored."

and
........................................................
# Wrong - erroneous quotes:
URI     "ldap:// ldaps://"

# Right - space-separated list of URIs, without quotes:
URI     ldap:// ldaps://

# Right - DN syntax needs quoting for Example, Inc:
BASE    ou=IT staff,o="Example, Inc",c=US
# or:
BASE    ou=IT staff,o=Example2C Inc,c=US

# Wrong - comment on same line as option:
DEREF   never           # Never follow aliases
........................................................


I made a fix for this problem but I'm not sure if it's right
because it's probably changing how all .conf files are parsed.

diff --git a/lib/util/parseln.c b/lib/util/parseln.c
index a1aae0d..a1befe6 100644
--- a/lib/util/parseln.c
+++ b/lib/util/parseln.c
@@ -67,9 +67,9 @@ sudo_parseln_v1(char **bufp, size_t *bufsizep, unsigned int *lineno, FILE *fp)
            line[--len] = '\0';
 
        /* Remove comments or check for line continuation (but not both) */
-       if ((cp = strchr(line, '#')) != NULL) {
-           *cp = '\0';
-           len = (ssize_t)(cp - line);
+       if (*line == '#') {
+           *line = '\0';
+           len = 0;
        } else if (len > 0 && line[len - 1] == '\\' && (len == 1 || line[len - 2] != '\\')) {
            line[--len] = '\0';
            continued = true;

So what do you think?

---------------------------------------------------------

Radovan Sroka
Security Technologies | Red hat, Inc.

More information about the sudo-workers mailing list