[sudo-workers] Empty SUDOERS_SEARCH_FILTER bug

Todd C. Miller Todd.Miller at courtesan.com
Thu Aug 31 10:56:07 MDT 2017


I see now.  I had a group plugin defined so the constructed filter
was different.  When I disable that I get the invalid search filter.
The fix is to add the missing logical OR.  The bug was introduced
in sudo 1.8.10 via https://www.sudo.ws/repos/sudo/rev/54856973af41

 - todd

diff -r 29603b0a4315 plugins/sudoers/ldap.c
--- a/plugins/sudoers/ldap.c	Tue Aug 29 08:58:14 2017 -0600
+++ b/plugins/sudoers/ldap.c	Thu Aug 31 10:43:23 2017 -0600
@@ -1847,7 +1847,7 @@ sudo_ldap_build_pass2(void)
 	    ldap_conf.timed ? timebuffer : "",
 	    (ldap_conf.timed || ldap_conf.search_filter) ? ")" : "");
     } else {
-	len = asprintf(&filt, "%s%s(sudoUser=*)(sudoUser=%s*)%s%s",
+	len = asprintf(&filt, "%s%s(|(sudoUser=*)(sudoUser=%s*))%s%s",
 	    (ldap_conf.timed || ldap_conf.search_filter) ? "(&" : "",
 	    ldap_conf.search_filter ? ldap_conf.search_filter : "",
 	    query_netgroups ? "+" : "%:",
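Review bot: the `(|` ... `)` wrapper is the right fix, and the commit message should record that the old format string was only malformed when neither `ldap_conf.timed` nor `ldap_conf.search_filter` was set: with the `(&` prefix present, `(sudoUser=*)(sudoUser=%s*)` are legal operands of the AND, but without it the two items sit at the top level with no enclosing operator, which is not a valid LDAP search filter (this is why an extra group plugin, which changes the constructed filter, masked the bug). Note also that `(sudoUser=%s*)` matches a subset of what `(sudoUser=*)` matches, so the new disjunction is logically equivalent to `(sudoUser=*)` alone; if keeping both terms is intentional, a one-line comment above the `asprintf` would help, and logging the finished filter at debug level for the empty-search_filter path would make this regression visible in future.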

