https://fedorahosted.org/sssd/ticket/2212
From ed3093d513e54c377fcaf3234bc54e5143027da0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrez...@redhat.com>
Date: Mon, 14 Jul 2014 14:23:50 +0200
Subject: [PATCH] sudo: fetch sudoRunAs attribute
This attribute was used in pre 1.7 versions of sudo and it is now deprecated by sudoRunAsUser and sudoRunAsGroup. However, some users still use this attribute so we need to support it to ensure backward compatibility. This patch makes sure that this attribute is downloaded if present and provided to sudo. Sudo than decides how to handle it. The new mapping option is not present in a man page since this attribute is deprecated in sudo for a very long time. Resolves: https://fedorahosted.org/sssd/ticket/2212
---
 src/config/SSSDConfig/__init__.py.in | 1 +
 src/config/etc/sssd.api.d/sssd-ad.conf | 1 +
 src/config/etc/sssd.api.d/sssd-ipa.conf | 1 +
 src/config/etc/sssd.api.d/sssd-ldap.conf | 1 +
 src/db/sysdb_sudo.h | 1 +
 src/providers/ldap/ldap_opts.h | 1 +
 src/responder/sudo/sudosrv_get_sudorules.c | 1 +
 7 files changed, 7 insertions(+)
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index d9b186f73220363f429b51260e6b83bd00a9cdb6..439378ff86d07311f67d51ed775e2d973cd93869 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -354,6 +354,7 @@ option_strings = {
 'ldap_sudorule_host' : _('Sudo rule host attribute'),
 'ldap_sudorule_user' : _('Sudo rule user attribute'),
 'ldap_sudorule_option' : _('Sudo rule option attribute'),
+ 'ldap_sudorule_runas' : _('Sudo rule runas attribute'),
 'ldap_sudorule_runasuser' : _('Sudo rule runasuser attribute'),
 'ldap_sudorule_runasgroup' : _('Sudo rule runasgroup attribute'),
 'ldap_sudorule_notbefore' : _('Sudo rule notbefore attribute'),
diff --git a/src/config/etc/sssd.api.d/sssd-ad.conf b/src/config/etc/sssd.api.d/sssd-ad.conf
index 33d460e828607f3640b9d19572b1319d4c0cc001..74ca49ab94c4824ecef0e7481243003c2c27cd35 100644
--- a/src/config/etc/sssd.api.d/sssd-ad.conf
+++ b/src/config/etc/sssd.api.d/sssd-ad.conf
@@ -151,6 +151,7 @@ ldap_sudorule_command = str, None, false
 ldap_sudorule_host = str, None, false
 ldap_sudorule_user = str, None, false
 ldap_sudorule_option = str, None, false
+ldap_sudorule_runas = str, None, false
 ldap_sudorule_runasuser = str, None, false
 ldap_sudorule_runasgroup = str, None, false
 ldap_sudorule_notbefore = str, None, false
diff --git a/src/config/etc/sssd.api.d/sssd-ipa.conf b/src/config/etc/sssd.api.d/sssd-ipa.conf
index 11484e7d4bd9a9da15be38ef2a0fe3a9d931cb50..459db0627456241cc8b7c4f2ad04dbc084507813 100644
--- a/src/config/etc/sssd.api.d/sssd-ipa.conf
+++ b/src/config/etc/sssd.api.d/sssd-ipa.conf
@@ -216,6 +216,7 @@ ldap_sudorule_command = str, None, false
 ldap_sudorule_host = str, None, false
 ldap_sudorule_user = str, None, false
 ldap_sudorule_option = str, None, false
+ldap_sudorule_runas = str, None, false
 ldap_sudorule_runasuser = str, None, false
 ldap_sudorule_runasgroup = str, None, false
 ldap_sudorule_notbefore = str, None, false
diff --git a/src/config/etc/sssd.api.d/sssd-ldap.conf b/src/config/etc/sssd.api.d/sssd-ldap.conf
index fa9cdd69846f142cbeef9b0192360816c9b554fc..c1c030976f7ba4c20fd34c72117f11bb6950e270 100644
--- a/src/config/etc/sssd.api.d/sssd-ldap.conf
+++ b/src/config/etc/sssd.api.d/sssd-ldap.conf
@@ -152,6 +152,7 @@ ldap_sudorule_command = str, None, false
 ldap_sudorule_host = str, None, false
 ldap_sudorule_user = str, None, false
 ldap_sudorule_option = str, None, false
+ldap_sudorule_runas = str, None, false
 ldap_sudorule_runasuser = str, None, false
 ldap_sudorule_runasgroup = str, None, false
 ldap_sudorule_notbefore = str, None, false
diff --git a/src/db/sysdb_sudo.h b/src/db/sysdb_sudo.h
index f8e214f9f52ba870352b281d3f3a92f841779ef9..fc896c385c6fa71e735b3db763ccee4a0354d007 100644
--- a/src/db/sysdb_sudo.h
+++ b/src/db/sysdb_sudo.h
@@ -39,6 +39,7 @@
 #define SYSDB_SUDO_CACHE_AT_HOST "sudoHost"
 #define SYSDB_SUDO_CACHE_AT_COMMAND "sudoCommand"
 #define SYSDB_SUDO_CACHE_AT_OPTION "sudoOption"
+#define SYSDB_SUDO_CACHE_AT_RUNAS "sudoRunAs"
 #define SYSDB_SUDO_CACHE_AT_RUNASUSER "sudoRunAsUser"
 #define SYSDB_SUDO_CACHE_AT_RUNASGROUP "sudoRunAsGroup"
 #define SYSDB_SUDO_CACHE_AT_NOTBEFORE "sudoNotBefore"
diff --git a/src/providers/ldap/ldap_opts.h b/src/providers/ldap/ldap_opts.h
index adf200caa90b51e3e459e01251340c85ec2f518b..39c24733261e744aaff2954dad56c2609122bf49 100644
--- a/src/providers/ldap/ldap_opts.h
+++ b/src/providers/ldap/ldap_opts.h
@@ -321,6 +321,7 @@ struct sdap_attr_map native_sudorule_map[] = {
 { "ldap_sudorule_host", "sudoHost", SYSDB_SUDO_CACHE_AT_HOST, NULL },
 { "ldap_sudorule_user", "sudoUser", SYSDB_SUDO_CACHE_AT_USER, NULL },
 { "ldap_sudorule_option", "sudoOption", SYSDB_SUDO_CACHE_AT_OPTION, NULL },
+ { "ldap_sudorule_runas", "sudoRunAs", SYSDB_SUDO_CACHE_AT_RUNAS, NULL },
 { "ldap_sudorule_runasuser", "sudoRunAsUser", SYSDB_SUDO_CACHE_AT_RUNASUSER, NULL },
 { "ldap_sudorule_runasgroup", "sudoRunAsGroup", SYSDB_SUDO_CACHE_AT_RUNASGROUP, NULL },
 { "ldap_sudorule_notbefore", "sudoNotBefore", SYSDB_SUDO_CACHE_AT_NOTBEFORE, NULL },
diff --git a/src/responder/sudo/sudosrv_get_sudorules.c b/src/responder/sudo/sudosrv_get_sudorules.c
index 9d8ef5d2ad2680f6c5e02c504d67271dc4587be2..4b35a1aed30a3f23ff17d205b83934f9697369e2 100644
--- a/src/responder/sudo/sudosrv_get_sudorules.c
+++ b/src/responder/sudo/sudosrv_get_sudorules.c
@@ -537,6 +537,7 @@ static errno_t sudosrv_get_sudorules_from_cache(TALLOC_CTX *mem_ctx,
 SYSDB_SUDO_CACHE_AT_HOST,
 SYSDB_SUDO_CACHE_AT_COMMAND,
 SYSDB_SUDO_CACHE_AT_OPTION,
+ SYSDB_SUDO_CACHE_AT_RUNAS,
 SYSDB_SUDO_CACHE_AT_RUNASUSER,
 SYSDB_SUDO_CACHE_AT_RUNASGROUP,
 SYSDB_SUDO_CACHE_AT_NOTBEFORE,
-- 
1.7.11.7
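Review bot: The new `ldap_sudorule_runas` row is inserted in the middle of `native_sudorule_map[]`, but the diffstat lists no header that could hold a matching index enum or entry count for this table. If the table is indexed by position, as attribute maps in this provider appear to be (not visible in this hunk), every entry from `sudoRunAsUser` onward shifts by one, and the last row may fall outside the declared count. Lookups would then read the wrong LDAP attribute for the run-as and validity-time fields. The corresponding enum value should be added at the same position, between the option and runasuser entries, in this same commit. The array definition starts and ends outside the hunk.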
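Review bot: Adding `SYSDB_SUDO_CACHE_AT_RUNAS` to the requested attribute list in `sudosrv_get_sudorules_from_cache` means legacy `sudoRunAs` values already in the directory, which per the commit message were not downloaded before, start reaching sudo after an upgrade. That can change which target user an existing rule permits, and the commit message says the option is deliberately left out of the man page. I would add a comment on the new entry such as `/* deprecated pre-1.7 attribute; passed through unmodified, sudo decides how to apply it */`. The man page or release notes should also mention the change, so administrators can audit existing rules for stale `sudoRunAs` values. The attribute array and the enclosing function continue outside the hunk.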