Bug 596

Summary: when compiled with HAVE_DOMAINNAME sudo should still check there *IS* a domainname
Product: Sudo Reporter: Sean Kamath <sean.kamath>
Component: SudoAssignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED    
Severity: normal    
Priority: low    
Version: 1.8.6   
Hardware: PC   
OS: Linux   

Description Sean Kamath 2013-03-26 15:14:35 MDT 
In parse.c's netgr_match() function, if HAVE_DOMAINNAME is defined, sudo blindly gets the domainname from getdomainname (line 453).

Apparently, on my RHEL6 box (and RHEL5), getdomainname returns the string literal "(none)".

That makes it hard to match on a domainname.

This stems from trying to be a little more careful in netgroup entries (so that a user entry of (user,,) doesn't accidentally cause everyone to have that permission.  Using (-,user,) is awkward, so it would be nice to use (-,user,-), since we don't have a domainname to be used with netgroups (and, really, that was just kinda weird anyway, to be valid only in that domain.  Now it makes some more sense, but at the same time, that information is really coded in the basedn of LDAP).

I propose if getdomainname returns (none) that domain == NULL, which will emulate what happens with no domainname.
Comment 1 Sean Kamath 2013-03-26 15:17:48 MDT 
And I'm high on crack and looking at a revision from 12 years ago.
Comment 2 Sean Kamath 2013-03-26 15:31:34 MDT 
OK, it's changed (there's now indeed a check), but it's still a problem for us.

Now, in plugins/sudoers/match.c line 749, the check is now made, but against NULL, not against the literal '(none)'.  I suppose this is a Red Hat weirdness, but nonetheless, seems like a || strcmp(domain,"(NULL)") might help us out.
Comment 3 Todd C. Miller 2013-03-27 01:42:50 MDT 
That is somewhat odd.  I'll add a check for "(none)" for sudo 1.8.7.
Comment 4 Sean Kamath 2013-03-27 10:35:37 MDT 
So, I opened a ticket with Red Hat.  Turns out they must be doing something to set the domain to "(none)" since we can set it to null with a little C program. . .

I'll update this ticket if they give me any useful information.  Still, any domain returned with a non-legal hostname character, like a paren or the like probably shouldn't be considered a domainname. :-)

Sean
Comment 5 Sean Kamath 2013-04-08 16:44:20 MDT 
Hi.

I just checked the upstream kernel bits after Red Hat got back to me.

Turns out that there is this define in current stable on git.kernel.org:

In root/include/linux/uts.h:

#ifndef UTS_DOMAINNAME
#define UTS_DOMAINNAME "(none)"	/* set by setdomainname() */
#endif

Thus, if "setdomainname()" is NEVER called, domainname will be set to "(none)".

So, not a Red Hat-ism.

Thanks for adding this to 1.8.7.

Sean
Comment 6 Todd C. Miller 2013-06-16 05:05:23 MDT 
Fixed in sudo 1.8.7.