Bugzilla – Bug 596
when compiled with HAVE_DOMAINNAME sudo should still check there *IS* a domainname
Last modified: 2013-06-16 05:05:23 MDT
In parse.c's netgr_match() function, if HAVE_DOMAINNAME is defined, sudo blindly gets the domainname from getdomainname (line 453). Apparently, on my RHEL6 box (and RHEL5), getdomainname returns the string literal "(none)". That makes it hard to match on a domainname. This stems from trying to be a little more careful in netgroup entries (so that a user entry of (user,,) doesn't accidentally cause everyone to have that permission). Using (-,user,) is awkward, so it would be nice to use (-,user,-), since we don't have a domainname to be used with netgroups (and, really, that was just kinda weird anyway, to be valid only in that domain. Now it makes some more sense, but at the same time, that information is really coded in the basedn of LDAP). I propose that if getdomainname returns (none), domain == NULL, which will emulate what happens with no domainname.
And I'm high on crack and looking at a revision from 12 years ago.
OK, it's changed (there's now indeed a check), but it's still a problem for us. Now, in plugins/sudoers/match.c line 749, the check is now made, but against NULL, not against the literal '(none)'. I suppose this is a Red Hat weirdness, but nonetheless, seems like a || strcmp(domain,"(NULL)") might help us out.
That is somewhat odd. I'll add a check for "(none)" for sudo 1.8.7.
So, I opened a ticket with Red Hat. Turns out they must be doing something to set the domain to "(none)", since we can set it to null with a little C program... I'll update this ticket if they give me any useful information. Still, any domain returned with a non-legal hostname character, like a paren or the like, probably shouldn't be considered a domainname. :-) Sean
Hi. I just checked the upstream kernel bits after Red Hat got back to me. Turns out that there is this define in current stable on git.kernel.org, in root/include/linux/uts.h:

#ifndef UTS_DOMAINNAME
#define UTS_DOMAINNAME "(none)" /* set by setdomainname() */
#endif

Thus, if "setdomainname()" is NEVER called, domainname will be set to "(none)". So, not a Red Hat-ism. Thanks for adding this to 1.8.7. Sean
Fixed in sudo 1.8.7.
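As an added illustration of the fix discussed in this bug (example code written here, not sudo's own match.c), the following C program normalises the result of getdomainname() so that the kernel's unset-domain placeholder "(none)", an empty string, and a failed call are all treated as "no NIS domain", and then shows how a netgroup triple's domain field is compared against that normalised value. The function names effective_domain(), current_domain() and domain_field_matches() are this example's own; the "(none)" default comes from UTS_DOMAINNAME in the kernel's include/linux/uts.h as quoted above, and the field comparison follows ordinary innetgr() semantics (an empty field is a wildcard, any other field is compared literally).

```c
#define _DEFAULT_SOURCE   /* glibc: expose getdomainname() even under -std=c11 */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/*
 * Map the raw getdomainname() result to "usable domain or NULL".
 * Linux initialises the UTS domainname to the literal "(none)" until
 * setdomainname() is called (UTS_DOMAINNAME in include/linux/uts.h), so a
 * caller that compares netgroup domains against the raw string would never
 * see an empty domain on such a host. Returning NULL here emulates what sudo
 * does on systems without a domainname at all.
 */
const char *effective_domain(const char *raw)
{
    if (raw == NULL || *raw == '\0')
        return NULL;
    if (strcmp(raw, "(none)") == 0)
        return NULL;
    return raw;
}

/*
 * Read the live domainname into buf and normalise it. Returns NULL when
 * getdomainname() fails or reports no domain. The explicit terminator guards
 * against the truncation case, where the result need not be NUL-terminated.
 */
const char *current_domain(char *buf, size_t buflen)
{
    if (buflen == 0 || getdomainname(buf, buflen) != 0)
        return NULL;
    buf[buflen - 1] = '\0';
    return effective_domain(buf);
}

/*
 * Compare the domain field of a netgroup triple (host,user,domain) against
 * the normalised domain. An empty field is a wildcard and matches anything,
 * including "no domain". Any other field (a real name, or the conventional
 * "-" placeholder, which is just a string that can never equal a real
 * domain) is compared literally, so it cannot match when domain is NULL.
 * Returns 1 on match, 0 otherwise.
 */
int domain_field_matches(const char *field, const char *domain)
{
    if (field == NULL || *field == '\0')
        return 1;
    if (domain == NULL)
        return 0;
    return strcmp(field, domain) == 0;
}

int main(void)
{
    char buf[256];
    const char *d = current_domain(buf, sizeof buf);

    printf("effective domain: %s\n", d ? d : "(no NIS domain)");
    /* Constructed sample triples: only the domain field matters here. */
    printf("(-,user,)           matches: %d\n", domain_field_matches("", d));
    printf("(-,user,example.com) matches: %d\n",
           domain_field_matches("example.com", d));
    return 0;
}
```

On a host that has never called setdomainname(), the program reports no NIS domain and only the wildcard-domain triple matches, which is the behaviour the reporter asked for.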