-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Allow entering parent groups for groupadd,useradd,usermod as FQDN. Since
members and parents must be from the same domain, error out if we can't
determine the domain of member.

Fixes: #121
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkq57t0ACgkQHsardTLnvCUorwCg5h0oBR5fiBkcRpl4YUTDfC/z
tOgAoIm8aFbSgNbdic2wnWQVTmczobKS
=MxFq
-----END PGP SIGNATURE-----
>From 811d8654832b5fc7df56159ed2198de5507b40df Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhro...@redhat.com>
Date: Thu, 10 Sep 2009 22:34:56 +0200
Subject: [PATCH] Allow entering parent groups as FQDN

Allow entering parent groups for groupadd,useradd,usermod as FQDN. Since
members and parents must be from the same domain, error out if we can't
determine the domain of member.

Fixes: #121
---
 server/tools/sss_groupadd.c |    2 +-
 server/tools/sss_groupdel.c |    2 +-
 server/tools/sss_groupmod.c |   16 +++++++++++++++-
 server/tools/sss_useradd.c  |    9 ++++++++-
 server/tools/sss_userdel.c  |    2 +-
 server/tools/sss_usermod.c  |   16 +++++++++++++++-
 server/tools/tools_util.c   |   40 +++++++++++++++++++++++++++++++++++++++-
 server/tools/tools_util.h   |    3 +++
 8 files changed, 83 insertions(+), 7 deletions(-)

diff --git a/server/tools/sss_groupadd.c b/server/tools/sss_groupadd.c
index f528730..72bd0fd 100644
--- a/server/tools/sss_groupadd.c
+++ b/server/tools/sss_groupadd.c
@@ -126,7 +126,7 @@ int main(int argc, const char **argv)
     /* if the domain was not given as part of FQDN, default to local domain */
     ret = parse_name_domain(tctx, pc_groupname);
     if (ret != EOK) {
-        ERROR("Cannot get domain information\n");
+        ERROR("Invalid domain specified in FQDN\n");
         ret = EXIT_FAILURE;
         goto fini;
     }
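Review bot: The new text `Invalid domain specified in FQDN` is printed for every non-EOK return of parse_name_domain(), not only for a domain mismatch. The part of parse_name_domain() visible in tools_util.c returns EINVAL for the mismatch, but its beginning is outside the diff, so a name-parsing or allocation failure there would presumably also be reported to the administrator as a bad domain. Consider keeping the generic message for other errors: `if (ret == EINVAL) ERROR("Invalid domain specified in FQDN\n"); else ERROR("Cannot get domain information\n");`. The same applies to the identical hunks in sss_groupdel.c, sss_groupmod.c, sss_useradd.c, sss_userdel.c and sss_usermod.c; main() starts and ends outside the hunk.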
diff --git a/server/tools/sss_groupdel.c b/server/tools/sss_groupdel.c
index 6677eb9..3134279 100644
--- a/server/tools/sss_groupdel.c
+++ b/server/tools/sss_groupdel.c
@@ -124,7 +124,7 @@ int main(int argc, const char **argv)
     /* if the domain was not given as part of FQDN, default to local domain */
     ret = parse_name_domain(tctx, pc_groupname);
     if (ret != EOK) {
-        ERROR("Cannot get domain information\n");
+        ERROR("Invalid domain specified in FQDN\n");
         ret = EXIT_FAILURE;
         goto fini;
     }
diff --git a/server/tools/sss_groupmod.c b/server/tools/sss_groupmod.c
index caf4466..1ecf076 100644
--- a/server/tools/sss_groupmod.c
+++ b/server/tools/sss_groupmod.c
@@ -149,7 +149,7 @@ int main(int argc, const char **argv)
 
     ret = parse_name_domain(tctx, pc_groupname);
     if (ret != EOK) {
-        ERROR("Cannot get domain information\n");
+        ERROR("Invalid domain specified in FQDN\n");
         ret = EXIT_FAILURE;
         goto fini;
     }
@@ -163,6 +163,13 @@ int main(int argc, const char **argv)
             ERROR("Internal error while parsing parameters\n");
             goto fini;
         }
+
+        ret = parse_group_name_domain(tctx, tctx->octx->addgroups);
+        if (ret != EOK) {
+            DEBUG(1, ("Cannot parse FQDN groups to add the group to\n"));
+            ERROR("Member groups must be in the same domain as parent group\n");
+            goto fini;
+        }
     }
 
     if (rmgroups) {
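Review bot: The domain-mismatch message is printed for any failure of parse_group_name_domain(), which as added in tools_util.c also returns ENOMEM when talloc_strdup() fails. Distinguishing the cases avoids sending an administrator to look for a domain problem that does not exist: `if (ret == EINVAL) ERROR("Member groups must be in the same domain as parent group\n"); else ERROR("Internal error while parsing parameters\n");`. This branch also jumps to fini with `ret` still holding an errno value, whereas the parse_name_domain() failure path earlier in main() sets `ret = EXIT_FAILURE`; fini is outside the hunk, so whether that value becomes the exit status should be checked. The rmgroups hunk that follows and the matching hunks in sss_useradd.c and sss_usermod.c have the same shape.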
@@ -172,6 +179,13 @@ int main(int argc, const char **argv)
             ERROR("Internal error while parsing parameters\n");
             goto fini;
         }
+
+        ret = parse_group_name_domain(tctx, tctx->octx->rmgroups);
+        if (ret != EOK) {
+            DEBUG(1, ("Cannot parse FQDN groups to remove the group from\n"));
+            ERROR("Member groups must be in the same domain as parent group\n");
+            goto fini;
+        }
     }
 
     if (id_in_range(tctx->octx->gid, tctx->octx->domain) != EOK) {
diff --git a/server/tools/sss_useradd.c b/server/tools/sss_useradd.c
index becf205..61034be 100644
--- a/server/tools/sss_useradd.c
+++ b/server/tools/sss_useradd.c
@@ -221,7 +221,7 @@ int main(int argc, const char **argv)
     /* if the domain was not given as part of FQDN, default to local domain */
     ret = parse_name_domain(tctx, pc_username);
     if (ret != EOK) {
-        ERROR("Cannot get domain information\n");
+        ERROR("Invalid domain specified in FQDN\n");
         ret = EXIT_FAILURE;
         goto fini;
     }
@@ -233,6 +233,13 @@ int main(int argc, const char **argv)
             ERROR("Internal error while parsing parameters\n");
             goto fini;
         }
+
+        ret = parse_group_name_domain(tctx, tctx->octx->addgroups);
+        if (ret != EOK) {
+            DEBUG(1, ("Cannot parse FQDN groups to add the user to\n"));
+            ERROR("Groups must be in the same domain as user\n");
+            goto fini;
+        }
     }
 
     /* Same as shadow-utils useradd, -g can specify gid or group name */
diff --git a/server/tools/sss_userdel.c b/server/tools/sss_userdel.c
index 7c20a69..83db3cd 100644
--- a/server/tools/sss_userdel.c
+++ b/server/tools/sss_userdel.c
@@ -124,7 +124,7 @@ int main(int argc, const char **argv)
     /* if the domain was not given as part of FQDN, default to local domain */
     ret = parse_name_domain(tctx, pc_username);
     if (ret != EOK) {
-        ERROR("Cannot get domain information\n");
+        ERROR("Invalid domain specified in FQDN\n");
         ret = EXIT_FAILURE;
         goto fini;
     }
diff --git a/server/tools/sss_usermod.c b/server/tools/sss_usermod.c
index 02ed74e..5be1dfb 100644
--- a/server/tools/sss_usermod.c
+++ b/server/tools/sss_usermod.c
@@ -165,7 +165,7 @@ int main(int argc, const char **argv)
     /* if the domain was not given as part of FQDN, default to local domain */
     ret = parse_name_domain(tctx, pc_username);
     if (ret != EOK) {
-        ERROR("Cannot get domain information\n");
+        ERROR("Invalid domain specified in FQDN\n");
         ret = EXIT_FAILURE;
         goto fini;
     }
@@ -183,6 +183,13 @@ int main(int argc, const char **argv)
             ERROR("Internal error while parsing parameters\n");
             goto fini;
         }
+
+        ret = parse_group_name_domain(tctx, tctx->octx->addgroups);
+        if (ret != EOK) {
+            DEBUG(1, ("Cannot parse FQDN groups to add the user to\n"));
+            ERROR("Groups must be in the same domain as user\n");
+            goto fini;
+        }
     }
 
     if (rmgroups) {
@@ -192,6 +199,13 @@ int main(int argc, const char **argv)
             ERROR("Internal error while parsing parameters\n");
             goto fini;
         }
+
+        ret = parse_group_name_domain(tctx, tctx->octx->rmgroups);
+        if (ret != EOK) {
+            DEBUG(1, ("Cannot parse FQDN groups to remove the user from\n"));
+            ERROR("Groups must be in the same domain as user\n");
+            goto fini;
+        }
     }
 
     tctx->octx->gecos = pc_gecos;
diff --git a/server/tools/tools_util.c b/server/tools/tools_util.c
index 34b2881..83aa56e 100644
--- a/server/tools/tools_util.c
+++ b/server/tools/tools_util.c
@@ -135,6 +135,44 @@ int parse_groups(TALLOC_CTX *mem_ctx, const char *optstr, char ***_out)
     return EOK;
 }
 
+int parse_group_name_domain(struct tools_ctx *tctx,
+                            char **groups)
+{
+    int i;
+    int ret;
+    char *name = NULL;
+    char *domain = NULL;
+
+    if (!groups) {
+        return EOK;
+    }
+
+    for (i = 0; groups[i]; ++i) {
+        ret = sss_parse_name(tctx, tctx->snctx, groups[i], &domain, &name);
+
+        /* If FQDN is specified, it must be within the same domain as user */
+        if (domain) {
+            if (strcmp(domain, tctx->octx->domain->name) != 0) {
+                return EINVAL;
+            }
+
+            /* Use only groupname */
+            talloc_zfree(groups[i]);
+            groups[i] = talloc_strdup(tctx, name);
+            if (groups[i] == NULL) {
+                return ENOMEM;
+            }
+        }
+
+        talloc_zfree(name);
+        talloc_zfree(domain);
+    }
+
+    talloc_zfree(name);
+    talloc_zfree(domain);
+    return EOK;
+}
+
 int parse_name_domain(struct tools_ctx *tctx,
                       const char *fullname)
 {
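Review bot: The return value of sss_parse_name() is stored in `ret` and never checked in parse_group_name_domain(), so a group name that fails to parse is passed on unchanged instead of being rejected, which contradicts the commit description's "error out if we can't determine the domain". The domain comparison also uses `strcmp` where parse_name_domain() just below uses `strcasecmp`, so a user FQDN and a group FQDN naming the same domain in different case would be treated differently. The early `return EINVAL` path additionally skips freeing `name` and `domain`; they are presumably reclaimed with tctx, but freeing them keeps the error path consistent with the loop tail. Note that returning the parse error makes the callers print their same-domain message for it as well.

```c
    for (i = 0; groups[i]; ++i) {
        ret = sss_parse_name(tctx, tctx->snctx, groups[i], &domain, &name);
        if (ret != EOK) {
            DEBUG(1, ("Cannot parse group name %s\n", groups[i]));
            return ret;
        }

        if (domain) {
            /* same case-insensitive match as parse_name_domain() */
            if (strcasecmp(domain, tctx->octx->domain->name) != 0) {
                talloc_zfree(name);
                talloc_zfree(domain);
                return EINVAL;
            }
            /* … unchanged: replace groups[i] with the bare group name … */
        }
        /* … unchanged: free name and domain … */
    }
```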
@@ -152,7 +190,7 @@ int parse_name_domain(struct tools_ctx *tctx,
         DEBUG(5, ("Parsed domain: %s\n", domain));
         /* only the local domain, whatever named is allowed in tools */
         if (strcasecmp(domain, tctx->local->name) != 0) {
-            DEBUG(0, ("Invalid domain %s specified in FQDN\n", domain));
+            DEBUG(1, ("Invalid domain %s specified in FQDN\n", domain));
             return EINVAL;
         }
     }
diff --git a/server/tools/tools_util.h b/server/tools/tools_util.h
index c63b903..f17e68d 100644
--- a/server/tools/tools_util.h
+++ b/server/tools/tools_util.h
@@ -70,6 +70,9 @@ int parse_groups(TALLOC_CTX *mem_ctx,
                  const char *optstr,
                  char ***_out);
 
+int parse_group_name_domain(struct tools_ctx *tctx,
+                            char **groups);
+
 void tools_transaction_done(struct tevent_req *req);
 
 #endif  /* __TOOLS_UTIL_H__ */
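Review bot: The new prototype has no comment, and its contract is not obvious from the signature. Per the definition in tools_util.c it accepts a NULL array, frees and replaces entries of `groups` in place, and returns EINVAL on a domain mismatch or ENOMEM on allocation failure. I would add `/* Strip the domain part from each FQDN in the NULL-terminated groups array, in place; EINVAL if a domain differs from tctx->octx->domain, ENOMEM on allocation failure */` above it. It is also worth stating that replaced entries are allocated on tctx rather than on the array, since that changes who owns them.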
-- 
1.6.2.5
