[sudo-workers] Empty SUDOERS_SEARCH_FILTER bug
Todd C. Miller
Todd.Miller at courtesan.com
Thu Aug 31 11:01:37 MDT 2017
Sorry, that fix was incorrect; the "sudoUser=*" is just there to
avoid falling below the 3 character OpenSSL substring threshold.
Always including the AND operator is the correct fix.
- todd
diff -r 29603b0a4315 plugins/sudoers/ldap.c
--- a/plugins/sudoers/ldap.c Tue Aug 29 08:58:14 2017 -0600
+++ b/plugins/sudoers/ldap.c Thu Aug 31 11:00:55 2017 -0600
@@ -1847,12 +1847,10 @@ sudo_ldap_build_pass2(void)
ldap_conf.timed ? timebuffer : "",
(ldap_conf.timed || ldap_conf.search_filter) ? ")" : "");
} else {
- len = asprintf(&filt, "%s%s(sudoUser=*)(sudoUser=%s*)%s%s",
- (ldap_conf.timed || ldap_conf.search_filter) ? "(&" : "",
+ len = asprintf(&filt, "(&%s(sudoUser=*)(sudoUser=%s*)%s)",
ldap_conf.search_filter ? ldap_conf.search_filter : "",
query_netgroups ? "+" : "%:",
- ldap_conf.timed ? timebuffer : "",
- (ldap_conf.timed || ldap_conf.search_filter) ? ")" : "");
+ ldap_conf.timed ? timebuffer : "");
}
if (len == -1)
sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
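Review bot: the unconditional `(&` ... `)` wrapping in the else branch is the right fix, and it is safe because the filter body always carries at least two terms, `(sudoUser=*)` and `(sudoUser=%s*)`, so the AND is never left empty or single-term even when neither `ldap_conf.timed` nor `ldap_conf.search_filter` is set; the old code produced two sibling filters with no enclosing operator in exactly that case. The unchanged `if` branch visible at the top of the hunk still emits its closing `)` only under `(ldap_conf.timed || ldap_conf.search_filter)`, so please confirm its opening `(&` is guarded by the same condition and that its body is a single term when both are unset, otherwise it has the same unbalanced-filter problem. A one-line comment above the `asprintf` explaining why `(sudoUser=*)` is included (the substring-length threshold mentioned in the mail) would keep the next reader from "simplifying" it away again.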