runas_userlist_matches: fix matching a Runas_Spec with an empty runas user.

millert · millert · commit 23fc7abfadfe · 2023-07-15T08:44:57.000-06:00
We should only match a rule with an empty runas user if a group was specified on the command line (sudo -g) without a user (no -u option) or the user specified their own name on the command line. GitHub issue #290 --HG-- branch : 1.9
diff --git a/plugins/sudoers/match.c b/plugins/sudoers/match.c
@@ -188,8 +188,14 @@ runas_userlist_matches(const struct sudoers_parse_tree *parse_tree,
 		    user_matched = !m->negated;
 		break;
 	    case MYSELF:
-		if (!ISSET(sudo_user.flags, RUNAS_USER_SPECIFIED) ||
-		    strcmp(user_name, runas_pw->pw_name) == 0)
+		/*
+		 * Only match a rule with an empty runas user if a group
+		 * was specified on the command line without a user _or_
+		 * the user specified their own name on the command line.
+		 */
+		if ((!ISSET(sudo_user.flags, RUNAS_USER_SPECIFIED) &&
+			ISSET(sudo_user.flags, RUNAS_GROUP_SPECIFIED)) ||
+			strcmp(user_name, runas_pw->pw_name) == 0)
 		    user_matched = !m->negated;
 		break;
 	}
