Restore last match logic in runas user/group list maching

millert · millert · commit 91181151e969 · 2026-04-20T19:12:37.000-06:00
This was mistakenly removed in eb778da when the obsolete "matching_user" and "match_group" logic was removed. No released version of sudo has that commit. Thanks to Ax of Nozomi Networks Labs for reporting this.
diff --git a/plugins/sudoers/match.c b/plugins/sudoers/match.c
@@ -207,6 +207,8 @@ runas_userlist_matches(const struct sudoers_parse_tree *parse_tree,
 		    user_matched = m->negated ? DENY : ALLOW;
 		break;
 	}
+	if (SPECIFIED(user_matched))
+	    break;
     }
     debug_return_int(user_matched);
 }
@@ -253,6 +255,8 @@ runas_grouplist_matches(const struct sudoers_parse_tree *parse_tree,
 			group_matched = m->negated ? DENY : ALLOW;
 		    break;
 	    }
+	    if (SPECIFIED(group_matched))
+		break;
 	}
     }
     if (!SPECIFIED(group_matched) && user_matched == ALLOW) {

Original file line number	Diff line number	Diff line change
`@@ -207,6 +207,8 @@ runas_userlist_matches(const struct sudoers_parse_tree *parse_tree,`
`207`	`207`	`user_matched = m->negated ? DENY : ALLOW;`
`208`	`208`	`break;`
`209`	`209`	`}`
	`210`	`+ if (SPECIFIED(user_matched))`
	`211`	`+ break;`
`210`	`212`	`}`
`211`	`213`	`debug_return_int(user_matched);`
`212`	`214`	`}`
`@@ -253,6 +255,8 @@ runas_grouplist_matches(const struct sudoers_parse_tree *parse_tree,`
`253`	`255`	`group_matched = m->negated ? DENY : ALLOW;`
`254`	`256`	`break;`
`255`	`257`	`}`
	`258`	`+ if (SPECIFIED(group_matched))`
	`259`	`+ break;`
`256`	`260`	`}`
`257`	`261`	`}`
`258`	`262`	`if (!SPECIFIED(group_matched) && user_matched == ALLOW) {`