Respect Defaults in validate (#1126)

Author: squell

src/sudo/pipeline.rs

@@ -133,7 +133,7 @@ pub fn run(mut cmd_opts: SudoRunOptions) -> Result<(), Error> {
 }
 
 pub fn run_validate(cmd_opts: SudoValidateOptions) -> Result<(), Error> {
-    let policy = read_sudoers()?;
+    let mut policy = read_sudoers()?;
 
     let context = Context::from_validate_opts(cmd_opts)?;
 

src/sudoers/mod.rs

@@ -98,23 +98,34 @@ impl Sudoers {
         &mut self,
         hostname: &system::Hostname,
         requesting_user: &User,
-        target_user: &User,
+        target_user: Option<&User>,
     ) {
         let customisers = std::mem::take(&mut self.customisers.non_cmnd);
 
         let host_matcher = &match_token(hostname);
-        let user_matcher = &match_user(requesting_user);
-        let runas_matcher = &match_user(target_user);
-
         let host_aliases = get_aliases(&self.aliases.host, host_matcher);
+
+        let user_matcher = &match_user(requesting_user);
         let user_aliases = get_aliases(&self.aliases.user, user_matcher);
-        let runas_aliases = get_aliases(&self.aliases.runas, runas_matcher);
+
+        let runas_matcher_aliases = target_user.map(|target_user| {
+            let runas_matcher = match_user(target_user);
+            let runas_aliases = get_aliases(&self.aliases.runas, &runas_matcher);
+
+            (runas_matcher, runas_aliases)
+        });
 
         let match_scope = |scope| match scope {
             ConfigScope::Generic => true,
             ConfigScope::Host(list) => find_item(&list, host_matcher, &host_aliases).is_some(),
             ConfigScope::User(list) => find_item(&list, user_matcher, &user_aliases).is_some(),
-            ConfigScope::RunAs(list) => find_item(&list, runas_matcher, &runas_aliases).is_some(),
+            ConfigScope::RunAs(list) => {
+                runas_matcher_aliases
+                    .as_ref()
+                    .is_some_and(|(runas_matcher, runas_aliases)| {
+                        find_item(&list, runas_matcher, runas_aliases).is_some()
+                    })
+            }
             ConfigScope::Command(_list) => {
                 unreachable!("command-specific defaults are filtered out")
             }
@@ -150,7 +161,7 @@ impl Sudoers {
         on_host: &system::Hostname,
         request: Request<User, Group>,
     ) -> Judgement {
-        self.specify_host_user_runas(on_host, am_user, request.user);
+        self.specify_host_user_runas(on_host, am_user, Some(request.user));
         self.specify_command(request.command, request.arguments);
 
         // exception: if user is root or does not switch users, NOPASSWD is implied
@@ -215,10 +226,12 @@ impl Sudoers {
     }
 
     pub fn check_validate_permission<User: UnixUser + PartialEq<User>>(
-        &self,
+        &mut self,
         invoking_user: &User,
         hostname: &system::Hostname,
     ) -> Authorization {
+        self.specify_host_user_runas(hostname, invoking_user, None);
+
         // exception: if user is root, NOPASSWD is implied
         let skip_passwd = invoking_user.is_root();
 
@@ -283,7 +296,7 @@ impl Sudoers {
         am_user: &User,
         target_user: &User,
     ) -> Option<PathBuf> {
-        self.specify_host_user_runas(on_host, am_user, target_user);
+        self.specify_host_user_runas(on_host, am_user, Some(target_user));
         if self.settings.env_editor() {
             for key in ["SUDO_EDITOR", "VISUAL", "EDITOR"] {
                 if let Some(var) = std::env::var_os(key) {

src/sudoers/policy.rs

@@ -124,7 +124,7 @@ impl Sudoers {
         current_user: &User,
         target_user: &User,
     ) -> Option<&str> {
-        self.specify_host_user_runas(on_host, current_user, target_user);
+        self.specify_host_user_runas(on_host, current_user, Some(target_user));
         self.settings.secure_path()
     }
 }

src/sudoers/test/mod.rs

@@ -280,7 +280,7 @@ fn default_bool_test() {
     sudoers.specify_host_user_runas(
         &system::Hostname::fake("host"),
         &Named("user"),
-        &Named("root"),
+        Some(&Named("root")),
     );
 
     assert!(!sudoers.settings.env_editor());
@@ -307,7 +307,7 @@ fn default_set_test() {
     sudoers.specify_host_user_runas(
         &system::Hostname::fake("host"),
         &Named("user"),
-        &Named("root"),
+        Some(&Named("root")),
     );
 
     assert_eq!(
@@ -340,7 +340,7 @@ fn default_multi_test() {
     sudoers.specify_host_user_runas(
         &system::Hostname::fake("host"),
         &Named("user"),
-        &Named("root"),
+        Some(&Named("root")),
     );
 
     assert!(!sudoers.settings.env_editor());
@@ -514,7 +514,7 @@ fn default_specific_test() {
     base_sudoers.specify_host_user_runas(
         &system::Hostname::fake("generic"),
         &Named("generic"),
-        &Named("generic"),
+        Some(&Named("generic")),
     );
 
     assert!(base_sudoers.settings.env_editor());
@@ -526,7 +526,7 @@ fn default_specific_test() {
     mod_sudoers.specify_host_user_runas(
         &system::Hostname::fake("host"),
         &Named("user"),
-        &Named("root"),
+        Some(&Named("root")),
     );
     assert!(!mod_sudoers.settings.env_editor());
     assert!(mod_sudoers.settings.use_pty());
@@ -537,7 +537,7 @@ fn default_specific_test() {
     mod_sudoers.specify_host_user_runas(
         &system::Hostname::fake("machine"),
         &Named("admin"),
-        &Named("runas"),
+        Some(&Named("runas")),
     );
     assert!(mod_sudoers.settings.env_editor());
     assert!(!mod_sudoers.settings.use_pty());
@@ -550,7 +550,7 @@ fn default_specific_test() {
     mod_sudoers.specify_host_user_runas(
         &system::Hostname::fake("machine"),
         &Named("admin"),
-        &Named("self"),
+        Some(&Named("self")),
     );
     mod_sudoers.specify_command(Path::new("/usr/bin/rr"), &["thrice".to_string()]);
     assert!(mod_sudoers.settings.env_editor());