Bug 849

Summary: LDAP sortOrder doesn't work properly
Product: Sudo
Reporter: sasaki
Component: Sudoers
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED
Severity: normal
Priority: low
Version: 1.8.24
Hardware: PC
OS: FreeBSD

Description sasaki 2018-08-30 01:23:28 MDT
After updating to 1.8.24, LDAP sortOrder doesn't work properly.

I guess this is caused by ldap_entry_compare() in ldap.c.

  1736      debug_return_int(bw->order < aw->order ? -1 :
  1737          (bw->order > aw->order ? 1 : 0));

should be

  1736      debug_return_int(aw->order < bw->order ? -1 :
  1737          (aw->order > bw->order ? 1 : 0));

I think the f9be3a48a221560671bd3dc6425f3aac348329b4 change made this behaviour. The sudo man page suggests that the last match is used when multiple matches occur.

However, I used the following LDIF to let the group member use sudo without authentication for some commands and this worked fine until 1.8.23. Since 1.8.24, I have to add sudoOrder: 200 to cn=admin.

dn: cn=admin,ou=SUDOers,dc=example,dc=com
cn: admin
objectClass: top
objectClass: sudoRole
sudoUser: %admin
sudoCommand: ALL
sudoHost: ALL
sudoRunAsUser: ALL

dn: cn=admin-noauth,ou=SUDOers,dc=example,dc=com
cn: admin-noauth
objectClass: top
objectClass: sudoRole
sudoUser: %admin
sudoCommand: COMMAND
sudoOption: !authenticate
sudoHost: ALL
sudoRunAsUser: ALL
sudoOrder: 100

Comment 1 Todd C. Miller 2018-08-30 07:58:16 MDT
Starting in sudo 1.8.24 the LDAP backend converts the entries to a sudoers-style parse tree.  As a result, entries now need to be sorted in ascending, not descending order.

This was already correct for the LDIF parsing code in cvtsudoers but had not been changed in ldap.c itself.  It is fixed by the following commit which will be present in sudo 1.8.25:
https://www.sudo.ws/repos/sudo/rev/9f23126cded8

Comment 2 Todd C. Miller 2018-09-05 06:27:43 MDT
Fixed in sudo 1.8.25
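To illustrate why the sort direction matters once the LDAP entries are evaluated with last-match-wins semantics, here is an added example (not sudo's own code) that sorts stand-ins for the two sudoRole entries from the report with the 1.8.24 comparator and with the corrected one. It assumes an entry without sudoOrder is treated as order 0 and that both entries match the same user, host and command.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for the two sudoRole entries in the report.
 * cn=admin has no sudoOrder attribute; order 0 is assumed for it. */
struct role {
    const char *cn;
    double order;   /* sudoOrder */
    bool noauth;    /* sudoOption: !authenticate present */
};

/* Comparator as it stood in 1.8.24 ldap.c: sorts descending by order. */
static int compare_descending(const void *a, const void *b)
{
    const struct role *aw = a, *bw = b;
    return bw->order < aw->order ? -1 : (bw->order > aw->order ? 1 : 0);
}

/* Comparator after the fix: sorts ascending by order. */
static int compare_ascending(const void *a, const void *b)
{
    const struct role *aw = a, *bw = b;
    return aw->order < bw->order ? -1 : (aw->order > bw->order ? 1 : 0);
}

/* Sort the two roles with the given comparator, then apply the sudoers
 * rule that the last matching entry wins.  Since both roles match the
 * same request, the last element after sorting decides.
 * Returns true if !authenticate ends up in effect. */
bool noauth_in_effect(int (*cmp)(const void *, const void *))
{
    struct role roles[] = {
        { "admin",        0.0,   false },   /* no sudoOrder */
        { "admin-noauth", 100.0, true  },   /* sudoOrder: 100 */
    };
    size_t n = sizeof roles / sizeof roles[0];
    qsort(roles, n, sizeof roles[0], cmp);
    return roles[n - 1].noauth;
}

int main(void)
{
    printf("descending (1.8.24): !authenticate %s\n",
           noauth_in_effect(compare_descending) ? "applies" : "ignored");
    printf("ascending (fixed):   !authenticate %s\n",
           noauth_in_effect(compare_ascending) ? "applies" : "ignored");
    return 0;
}
```

With the descending sort, cn=admin (order 0) is evaluated last and overrides cn=admin-noauth, which is why the reporter had to add sudoOrder: 200 to cn=admin; with the ascending sort, cn=admin-noauth is last and !authenticate takes effect.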