sudoers_lookup_check: remove hack for runas.pw when only a group matches

millert · millert · commit eb778da02707 · 2025-08-28T12:59:27.000-06:00
This hack is no longer needed now that init_vars() calls set_runaspw().
Remove two arguments from runaslist_matches() that are now unused.
diff --git a/plugins/sudoers/defaults.c b/plugins/sudoers/defaults.c
@@ -745,7 +745,7 @@ default_binding_matches(const struct sudoers_context *ctx,
 	    debug_return_bool(true);
 	break;
     case DEFAULTS_RUNAS:
-	if (runaslist_matches(parse_tree, &d->binding->members, NULL, NULL, NULL) == ALLOW)
+	if (runaslist_matches(parse_tree, &d->binding->members, NULL) == ALLOW)
 	    debug_return_bool(true);
 	break;
     case DEFAULTS_HOST:
diff --git a/plugins/sudoers/display.c b/plugins/sudoers/display.c
@@ -579,7 +579,7 @@ display_cmnd_check(struct sudoers_context *ctx,
 			continue;
 		}
 		runas_match = runaslist_matches(parse_tree, cs->runasuserlist,
-		    cs->runasgrouplist, NULL, NULL);
+		    cs->runasgrouplist);
 		if (runas_match == ALLOW) {
 		    cmnd_match = cmnd_matches(parse_tree, cs->cmnd,
 			cs->runchroot, NULL);
diff --git a/plugins/sudoers/lookup.c b/plugins/sudoers/lookup.c
@@ -231,7 +231,6 @@ sudoers_lookup_check(struct sudo_nss *nss, struct sudoers_context *ctx,
     struct cmndspec *cs;
     struct privilege *priv;
     struct userspec *us;
-    struct member *matching_user;
     debug_decl(sudoers_lookup_check, SUDOERS_DEBUG_PARSER);
 
     memset(info, 0, sizeof(*info));
@@ -271,10 +270,8 @@ sudoers_lookup_check(struct sudo_nss *nss, struct sudoers_context *ctx,
 		    date_match = now > cs->notafter ? DENY : ALLOW;
 		}
 		if (date_match != DENY) {
-		    matching_user = NULL;
 		    runas_match = runaslist_matches(nss->parse_tree,
-			cs->runasuserlist, cs->runasgrouplist, &matching_user,
-			NULL);
+			cs->runasuserlist, cs->runasgrouplist);
 		    if (runas_match == ALLOW) {
 			cmnd_match = cmnd_matches(nss->parse_tree, cs->cmnd,
 			    cs->runchroot, info);
@@ -286,16 +283,6 @@ sudoers_lookup_check(struct sudo_nss *nss, struct sudoers_context *ctx,
 		}
 
 		if (SPECIFIED(cmnd_match)) {
-		    /*
-		     * If user is running command as themselves,
-		     * set ctx->runas.pw = ctx->user.pw.
-		     * XXX - hack, want more general solution
-		     */
-		    if (matching_user && matching_user->type == MYSELF) {
-			sudo_pw_delref(ctx->runas.pw);
-			sudo_pw_addref(ctx->user.pw);
-			ctx->runas.pw = ctx->user.pw;
-		    }
 		    *matching_cs = cs;
 		    *defs = &priv->defaults;
 		    sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_LINENO,
diff --git a/plugins/sudoers/match.c b/plugins/sudoers/match.c
@@ -154,7 +154,7 @@ runas_getgroups(const struct sudoers_context *ctx)
  */
 static int
 runas_userlist_matches(const struct sudoers_parse_tree *parse_tree,
-    const struct member_list *user_list, struct member **matching_user)
+    const struct member_list *user_list)
 {
     const struct sudoers_context *ctx = parse_tree->ctx;
     const char *lhost = parse_tree->lhost ? parse_tree->lhost : ctx->runas.host;
@@ -184,7 +184,7 @@ runas_userlist_matches(const struct sudoers_parse_tree *parse_tree,
 		a = alias_get(parse_tree, m->name, RUNASALIAS);
 		if (a != NULL) {
 		    const int rc = runas_userlist_matches(parse_tree,
-			&a->members, matching_user);
+			&a->members);
 		    if (SPECIFIED(rc)) {
 			if (m->negated) {
 			    user_matched = rc == ALLOW ? DENY : ALLOW;
@@ -212,11 +212,6 @@ runas_userlist_matches(const struct sudoers_parse_tree *parse_tree,
 		    user_matched = m->negated ? DENY : ALLOW;
 		break;
 	}
-	if (SPECIFIED(user_matched)) {
-	    if (matching_user != NULL && m->type != ALIAS)
-		*matching_user = m;
-	    break;
-	}
     }
     debug_return_int(user_matched);
 }
@@ -228,7 +223,7 @@ runas_userlist_matches(const struct sudoers_parse_tree *parse_tree,
  */
 static int
 runas_grouplist_matches(const struct sudoers_parse_tree *parse_tree,
-    const struct member_list *group_list, struct member **matching_group)
+    const struct member_list *group_list)
 {
     const struct sudoers_context *ctx = parse_tree->ctx;
     int group_matched = UNSPEC;
@@ -246,7 +241,7 @@ runas_grouplist_matches(const struct sudoers_parse_tree *parse_tree,
 		    a = alias_get(parse_tree, m->name, RUNASALIAS);
 		    if (a != NULL) {
 			const int rc = runas_grouplist_matches(parse_tree,
-			    &a->members, matching_group);
+			    &a->members);
 			if (SPECIFIED(rc)) {
 			    if (m->negated) {
 				group_matched = rc == ALLOW ? DENY : ALLOW;
@@ -263,11 +258,6 @@ runas_grouplist_matches(const struct sudoers_parse_tree *parse_tree,
 			group_matched = m->negated ? DENY : ALLOW;
 		    break;
 	    }
-	    if (SPECIFIED(group_matched)) {
-		if (matching_group != NULL && m->type != ALIAS)
-		    *matching_group = m;
-		break;
-	    }
 	}
     }
     if (!SPECIFIED(group_matched)) {
@@ -303,8 +293,7 @@ runas_grouplist_matches(const struct sudoers_parse_tree *parse_tree,
  */
 int
 runaslist_matches(const struct sudoers_parse_tree *parse_tree,
-    const struct member_list *user_list, const struct member_list *group_list,
-    struct member **matching_user, struct member **matching_group)
+    const struct member_list *user_list, const struct member_list *group_list)
 {
     const struct sudoers_context *ctx = parse_tree->ctx;
     struct member_list _user_list = TAILQ_HEAD_INITIALIZER(_user_list);
@@ -319,13 +308,11 @@ runaslist_matches(const struct sudoers_parse_tree *parse_tree,
 	m_user.negated = false;
 	TAILQ_INSERT_HEAD(&_user_list, &m_user, entries);
 	user_list = &_user_list;
-	matching_user = NULL;
     }
 
-    user_matched = runas_userlist_matches(parse_tree, user_list, matching_user);
+    user_matched = runas_userlist_matches(parse_tree, user_list);
     if (ISSET(ctx->settings.flags, RUNAS_GROUP_SPECIFIED)) {
-	group_matched = runas_grouplist_matches(parse_tree, group_list,
-	    matching_group);
+	group_matched = runas_grouplist_matches(parse_tree, group_list);
     }
 
     if (user_matched == DENY || group_matched == DENY)
diff --git a/plugins/sudoers/parse.h b/plugins/sudoers/parse.h
@@ -433,7 +433,7 @@ int cmnd_matches_all(const struct sudoers_parse_tree *parse_tree, const struct m
 int cmndlist_matches(const struct sudoers_parse_tree *parse_tree, const struct member_list *list, const char *runchroot, struct cmnd_info *info);
 int host_matches(const struct sudoers_parse_tree *parse_tree, const struct passwd *pw, const char *host, const char *shost, const struct member *m);
 int hostlist_matches(const struct sudoers_parse_tree *parse_tree, const struct passwd *pw, const struct member_list *list);
-int runaslist_matches(const struct sudoers_parse_tree *parse_tree, const struct member_list *user_list, const struct member_list *group_list, struct member **matching_user, struct member **matching_group);
+int runaslist_matches(const struct sudoers_parse_tree *parse_tree, const struct member_list *user_list, const struct member_list *group_list);
 int user_matches(const struct sudoers_parse_tree *parse_tree, const struct passwd *pw, const struct member *m);
 int userlist_matches(const struct sudoers_parse_tree *parse_tree, const struct passwd *pw, const struct member_list *list);
 const char *sudo_getdomainname(void);

Original file line number	Diff line number	Diff line change
`@@ -579,7 +579,7 @@ display_cmnd_check(struct sudoers_context *ctx,`
`579`	`579`	`continue;`
`580`	`580`	`}`
`581`	`581`	`runas_match = runaslist_matches(parse_tree, cs->runasuserlist,`
`582`		`- cs->runasgrouplist, NULL, NULL);`
	`582`	`+ cs->runasgrouplist);`
`583`	`583`	`if (runas_match == ALLOW) {`
`584`	`584`	`cmnd_match = cmnd_matches(parse_tree, cs->cmnd,`
`585`	`585`	`cs->runchroot, NULL);`