URL: https://github.com/SSSD/sssd/pull/39 Author: celestian Title: #39: RESPONDER: Enable sudoRule in case insen. domains (1.13) Action: synchronized
From b268ea119a295ad20c7270ae7d0a5fc6bbcc04ac Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C4=8Cech?= <pc...@redhat.com>
Date: Wed, 12 Oct 2016 16:48:38 +0200
Subject: [PATCH] SYSDB: Adding lowercase sudoUser form

If domain is not case sensitive we add lowercase form of usernames to sudoUser attributes. So we actually able to apply sudoRule on user Administrator@... with login admnistrator@...

Resolves: https://fedorahosted.org/sssd/ticket/3203

(cherry picked from commit f4a1046bb88d7a0ab3617e49ae94bfa849d10645)
---
 src/db/sysdb_sudo.c | 89 +++++++++++++++++++++++++++++-
 src/db/sysdb_sudo.h | 4 +-
 src/responder/sudo/sudosrv_get_sudorules.c | 2 +-
 3 files changed, 90 insertions(+), 5 deletions(-)

diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c
index 76116ab..6368c64 100644
--- a/src/db/sysdb_sudo.c
+++ b/src/db/sysdb_sudo.c
@@ -217,13 +217,14 @@ errno_t sysdb_sudo_filter_rules_by_time(TALLOC_CTX *mem_ctx,
 
 errno_t
 sysdb_get_sudo_filter(TALLOC_CTX *mem_ctx, const char *username,
- uid_t uid, char **groupnames, unsigned int flags,
- char **_filter)
+ uid_t uid, char **groupnames, bool case_sensitive_domain,
+ unsigned int flags, char **_filter)
 {
 TALLOC_CTX *tmp_ctx = NULL;
 char *filter = NULL;
 char *specific_filter = NULL;
 char *sanitized = NULL;
+ const char *lowered = NULL;
 time_t now;
 errno_t ret;
 int i;
@@ -258,6 +259,27 @@ sysdb_get_sudo_filter(TALLOC_CTX *mem_ctx, const char *username,
 SYSDB_SUDO_CACHE_AT_USER, sanitized);
 NULL_CHECK(specific_filter, ret, done);
+
+ if (case_sensitive_domain == false) {
+ lowered = sss_tc_utf8_str_tolower(tmp_ctx, username);
+ if (lowered == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "Cannot convert name to lowercase.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ if (strcmp(username, lowered) != 0) {
+ ret = sss_filter_sanitize(tmp_ctx, lowered, &sanitized);
+ if (ret != EOK) {
+ goto done;
+ }
+
+ specific_filter = talloc_asprintf_append(specific_filter, "(%s=%s)",
+ SYSDB_SUDO_CACHE_AT_USER,
+ sanitized);
+ NULL_CHECK(specific_filter, ret, done);
+ }
+ }
 }
 
 if ((flags & SYSDB_SUDO_FILTER_UID) && (uid != 0)) {
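Review bot: The lowercase alternate is built for `username` only; `groupnames` reach the filter unchanged, so a `%Group` sudoUser value that the store side also lowercases (hunk at @@ -801) will only match if the group names handed in here are already lowercase — worth confirming against how the caller fills `groupnames`. A NULL from `sss_tc_utf8_str_tolower` is reported as ENOMEM; if that helper can also fail on malformed UTF-8 input the message and errno would mislead, so a comment such as `/* NULL from tolower is treated as ENOMEM; a malformed name also ends here */` would help the next reader. The lowered value does pass through `sss_filter_sanitize` before being appended, so the filter stays escaped. sysdb_get_sudo_filter starts and continues outside this hunk.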
@@ -801,6 +823,64 @@ sysdb_sudo_add_sss_attrs(struct sysdb_attrs *rule,
 return EOK;
 }
 
+static errno_t sysdb_sudo_add_lowered_users(struct sss_domain_info *domain,
+ struct sysdb_attrs *rule)
+{
+ TALLOC_CTX *tmp_ctx;
+ const char **users = NULL;
+ const char *lowered = NULL;
+ errno_t ret;
+
+ if (domain->case_sensitive == true || rule == NULL) {
+ return EOK;
+ }
+
+ tmp_ctx = talloc_new(NULL);
+ if (tmp_ctx == NULL) {
+ return ENOMEM;
+ }
+
+ ret = sysdb_attrs_get_string_array(rule, SYSDB_SUDO_CACHE_AT_USER, tmp_ctx,
+ &users);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE, "Unable to get %s attribute [%d]: %s\n",
+ SYSDB_SUDO_CACHE_AT_USER, ret, strerror(ret));
+ goto done;
+ }
+ if (users == NULL) {
+ ret = EOK;
+ goto done;
+ }
+
+ for (int i = 0; users[i] != NULL; i++) {
+ lowered = sss_tc_utf8_str_tolower(tmp_ctx, users[i]);
+ if (lowered == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE, "Cannot convert name to lowercase.\n");
+ ret = ENOMEM;
+ goto done;
+ }
+
+ if (strcmp(users[i], lowered) == 0) {
+ /* It protects us from adding duplicate. */
+ continue;
+ }
+
+ ret = sysdb_attrs_add_string(rule, SYSDB_SUDO_CACHE_AT_USER, lowered);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Unable to add %s attribute [%d]: %s\n",
+ SYSDB_SUDO_CACHE_AT_USER, ret, strerror(ret));
+ goto done;
+ }
+ }
+
+ ret = EOK;
+
+done:
+ talloc_zfree(tmp_ctx);
+ return ret;
+}
+
 static errno_t
 sysdb_sudo_store_rule(struct sss_domain_info *domain,
 struct sysdb_attrs *rule,
@@ -817,6 +897,11 @@ sysdb_sudo_store_rule(struct sss_domain_info *domain,
 DEBUG(SSSDBG_TRACE_FUNC, "Adding sudo rule %s\n", name);
 
+ ret = sysdb_sudo_add_lowered_users(domain, rule);
+ if (ret != EOK) {
+ return ret;
+ }
+
 ret = sysdb_sudo_add_sss_attrs(rule, name, cache_timeout, now);
 if (ret != EOK) {
 return ret;
diff --git a/src/db/sysdb_sudo.h b/src/db/sysdb_sudo.h
index 515f45a..18d7e32 100644
--- a/src/db/sysdb_sudo.h
+++ b/src/db/sysdb_sudo.h
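Review bot: `sysdb_sudo_add_lowered_users` lowercases every sudoUser value, not only plain user names, so the `ALL` keyword and `%group`, `#uid` and `+netgroup` forms gain a lowercase twin as well (an extra `all` value on every such rule); if only user-name entries are intended, a guard like `if (users[i][0] == '%' || users[i][0] == '#' || users[i][0] == '+') continue;` plus a check for `ALL` before the tolower call would keep the stored rule minimal. The duplicate guard compares each value only with its own lowercase form, so a rule that already lists both `Administrator` and `administrator` ends up with `administrator` twice — whether the ldb store rejects or silently keeps a duplicated value is worth confirming before this ships. The new function has no header comment; a short one such as `/* In case-insensitive domains add the lowercase form of each sudoUser value so the cache filter built by sysdb_get_sudo_filter can match mixed-case names; EOK for case-sensitive domains or a NULL rule. */` would state the contract, including that `users` is a copy on tmp_ctx so appending to `rule` during the loop is safe.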
@@ -98,8 +98,8 @@ errno_t sysdb_sudo_filter_rules_by_time(TALLOC_CTX *mem_ctx,
 
 errno_t
 sysdb_get_sudo_filter(TALLOC_CTX *mem_ctx, const char *username,
- uid_t uid, char **groupnames, unsigned int flags,
- char **_filter);
+ uid_t uid, char **groupnames, bool case_sensitive_domain,
+ unsigned int flags, char **_filter);
 
 errno_t
 sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx,
diff --git a/src/responder/sudo/sudosrv_get_sudorules.c b/src/responder/sudo/sudosrv_get_sudorules.c
index 75d8cac..0f7945c 100644
--- a/src/responder/sudo/sudosrv_get_sudorules.c
+++ b/src/responder/sudo/sudosrv_get_sudorules.c
@@ -660,7 +660,7 @@ static errno_t sudosrv_get_sudorules_query_cache(TALLOC_CTX *mem_ctx,
 if (tmp_ctx == NULL) return ENOMEM;
 
 ret = sysdb_get_sudo_filter(tmp_ctx, username, uid, groupnames,
- flags, &filter);
+ domain->case_sensitive, flags, &filter);
 if (ret != EOK) {
 DEBUG(SSSDBG_CRIT_FAILURE,
 "Could not construct the search filter [%d]: %s\n",
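Review bot: The new `case_sensitive_domain` parameter of `sysdb_get_sudo_filter` is undocumented in the prototype, and nothing in the header says what it changes about the returned filter. A comment above the declaration such as `/* case_sensitive_domain: when false the filter also matches the lowercase form of username; groupnames are used as given. */` would record the contract the .c change implements. Since `bool` now appears in this header, confirm that `<stdbool.h>` is already pulled in by it or by one of its includes.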