Bug 538 - primary gid gets added to LDAP search filter twice but space for it is only added once
Status: RESOLVED FIXED
Product: Sudo
Classification: Unclassified
Component: Sudoers
Version: 1.8.4
Hardware: HP Solaris 2.x
Importance: low normal
Assigned To: Todd C. Miller
Reported: 2012-02-24 14:46 MST by Eric Lakin
Modified: 2012-02-29 15:35 MST

Attachments
patch to plugins/sudoers/ldap.c (425 bytes, application/octet-stream)
2012-02-24 14:46 MST, Eric Lakin
Description Eric Lakin 2012-02-24 14:46:48 MST
Created attachment 330
patch to plugins/sudoers/ldap.c

sudo: ldap search '(|(sudoUser=elakin)(sudoUser=%elakin)(sudoUser=%#20076)(sudoUser=%ids)(sudoUser=%idssa)(sudoUser=%oe)(sudoUser=%#20076)(sudoUser=%#10000)(sudoUser=%#10001)(sudoUser=%#20000)(sudoUser=ALL))'

Note that my gid "20076" is included in the filter twice.

In ldap.c, when the size for the search filter string is calculated, the primary gid is skipped when calculating supplementary groups:

        for (i = 0; i < grlist->ngids; i++) {
            if (pw->pw_gid == grlist->gids[i])
                continue;
            sz += 13 + MAX_UID_T_LEN;
            printf("sz=%i (gid: %i)\n", sz, grlist->gids[i]);
        }

However, when the actual filter is constructed, it's not skipped:

        for (i = 0; i < grlist->ngids; i++) {
            (void) snprintf(gidbuf, sizeof(gidbuf), "%u",
                (unsigned int)grlist->gids[i]);
            (void) strlcat(buf, "(sudoUser=%#", sz);
            (void) strlcat(buf, gidbuf, sz);
            (void) strlcat(buf, ")", sz);
            printf("%s\n", buf);
        }

Due to extra space being allocated for GIDs, some accounts don't have issues, others get "sudo_ldap_build_pass1 allocation mismatch".

Attached patch skips the primary gid in the search filter:

sudo: ldap search '(|(sudoUser=elakin)(sudoUser=%elakin)(sudoUser=%#20076)(sudoUser=%ids)(sudoUser=%idssa)(sudoUser=%oe)(sudoUser=%#10000)(sudoUser=%#10001)(sudoUser=%#20000)(sudoUser=ALL))'
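
The size/build mismatch described in this report, isolated as an added example (not part of the original report and not sudo's code). It models only the supplementary-group loop; `skip_gid`, `filter_size`, `build_filter` and the `MAX_UID_T_LEN` value of 10 are assumptions of this sketch, and the gids are the ones shown in the report's filter.

```c
#include <stdio.h>
#include <string.h>

#define MAX_UID_T_LEN 10 /* assumed for this sketch: digits in a 32-bit id */

/* Hypothetical helper: one skip rule shared by the size and build passes. */
static int skip_gid(unsigned primary, unsigned gid) { return gid == primary; }

/* Size pass: bytes reserved for the supplementary-group clauses plus NUL. */
size_t filter_size(unsigned primary, const unsigned *gids, int n)
{
    size_t sz = 1;
    for (int i = 0; i < n; i++) {
        if (skip_gid(primary, gids[i]))
            continue;
        sz += 13 + MAX_UID_T_LEN; /* "(sudoUser=%#" + ")" + digits */
    }
    return sz;
}

/* Build pass into buf[sz]. skip_primary=0 reproduces the reported loop,
 * 1 applies the same skip as the size pass. Returns the length the full
 * string needs; a value >= sz means the size pass under-counted. */
size_t build_filter(char *buf, size_t sz, unsigned primary,
                    const unsigned *gids, int n, int skip_primary)
{
    size_t need = 0;
    if (sz)
        buf[0] = '\0';
    for (int i = 0; i < n; i++) {
        if (skip_primary && skip_gid(primary, gids[i]))
            continue;
        size_t room = need < sz ? sz - need : 0;
        need += (size_t)snprintf(room ? buf + need : NULL, room,
                                 "(sudoUser=%%#%u)", gids[i]);
    }
    return need;
}

int main(void)
{
    const unsigned gids[] = {20076, 10000, 10001, 20000}; /* gids from the report */
    char buf[128];
    size_t sz = filter_size(20076, gids, 4);
    printf("reserved=%zu unskipped=%zu skipped=%zu\n", sz,
           build_filter(buf, sz, 20076, gids, 4, 0),
           build_filter(buf, sz, 20076, gids, 4, 1));
    return 0;
}
```

With five-digit gids the per-gid slack from `MAX_UID_T_LEN` is too small to absorb the extra clause, while accounts with short gids stay under the reserved size, which matches the report that only some accounts hit the mismatch.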
Comment 1 Todd C. Miller 2012-02-24 15:25:57 MST
Thanks, I've committed that to the source repo.  The patch will be part of sudo 1.8.4p2.
Comment 2 Todd C. Miller 2012-02-29 15:35:40 MST
Fixed in sudo 1.8.4p2