URL: https://github.com/SSSD/sssd/pull/366 Author: jhrozek Title: #366: SUDO: Use initgr_with_views when looking up a sudo user Action: opened
PR body: """ Resolves: https://pagure.io/SSSD/sssd/issue/3488 The sudo responder code didn't take views into account when looking for rules, which resulted in sudo rules being ignored if the user's name was overridden. Please see the ticket for detailed info on how to reproduce the bug. """
To pull the PR as a Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/366/head:pr366
git checkout pr366
From e880d58d824c6bc211a8c6768e53466d28de156a Mon Sep 17 00:00:00 2001 From: Jakub Hrozek <jhro...@redhat.com> Date: Tue, 22 Aug 2017 22:32:19 +0200 Subject: [PATCH] SUDO: Use initgr_with_views when looking up a sudo user Resolves: https://pagure.io/SSSD/sssd/issue/3488 The sudo responder code didn't take views into account when looking for rules, which resulted in sudo rules being ignored if the user's name was overriden. Please see the ticket for a detailed info on how to reproduce the bug. --- src/db/sysdb_sudo.c | 56 +++++++++++++++++++++++++++++------------------------ 1 file changed, 31 insertions(+), 25 deletions(-) diff --git a/src/db/sysdb_sudo.c b/src/db/sysdb_sudo.c index 97a1bee99..25a80f429 100644 --- a/src/db/sysdb_sudo.c +++ b/src/db/sysdb_sudo.c @@ -375,33 +375,34 @@ sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx, { TALLOC_CTX *tmp_ctx; errno_t ret; - struct ldb_message *msg; struct ldb_message *group_msg = NULL; + struct ldb_result *res; char **sysdb_groupnames = NULL; const char *primary_group = NULL; - struct ldb_message_element *groups; uid_t uid = 0; gid_t gid = 0; size_t num_groups = 0; - int i; - const char *attrs[] = { SYSDB_MEMBEROF, - SYSDB_GIDNUM, - SYSDB_UIDNUM, - NULL }; + const char *groupname; const char *group_attrs[] = { SYSDB_NAME, NULL }; tmp_ctx = talloc_new(NULL); NULL_CHECK(tmp_ctx, ret, done); - ret = sysdb_search_user_by_name(tmp_ctx, domain, username, attrs, &msg); + ret = sysdb_initgroups_with_views(tmp_ctx, domain, username, &res); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, "Error looking up user %s\n", username); goto done; } + if (res->count == 0) { + DEBUG(SSSDBG_CRIT_FAILURE, "No such user %s\n", username); + ret = ENOENT; + goto done; + } + if (_uid != NULL) { - uid = ldb_msg_find_attr_as_uint64(msg, SYSDB_UIDNUM, 0); + uid = ldb_msg_find_attr_as_uint64(res->msgs[0], SYSDB_UIDNUM, 0); if (!uid) { DEBUG(SSSDBG_CRIT_FAILURE, "A user with no UID?\n"); ret = EIO; 
@@ -409,35 +410,40 @@ sysdb_get_sudo_user_info(TALLOC_CTX *mem_ctx, } } - /* resolve secondary groups */ + /* get secondary group names */ if (groupnames != NULL) { - groups = ldb_msg_find_element(msg, SYSDB_MEMBEROF); - if (!groups || groups->num_values == 0) { + if (res->count < 2) { /* No groups for this user in sysdb currently */ sysdb_groupnames = NULL; num_groups = 0; } else { - num_groups = groups->num_values; - sysdb_groupnames = talloc_array(tmp_ctx, char *, num_groups + 1); + sysdb_groupnames = talloc_zero_array(tmp_ctx, char *, res->count); NULL_CHECK(sysdb_groupnames, ret, done); - /* Get a list of the groups by groupname only */ - for (i = 0; i < groups->num_values; i++) { - ret = sysdb_group_dn_name(domain->sysdb, - sysdb_groupnames, - (const char *)groups->values[i].data, - &sysdb_groupnames[i]); - if (ret != EOK) { - ret = ENOMEM; - goto done; + /* Start counting from 1 to exclude the user entry */ + num_groups = 0; + for (size_t i = 1; i < res->count; i++) { + groupname = ldb_msg_find_attr_as_string(res->msgs[i], + SYSDB_NAME, + NULL); + if (groupname == NULL) { + DEBUG(SSSDBG_MINOR_FAILURE, "A group with no name?"); + continue; + } + + sysdb_groupnames[num_groups] = talloc_strdup(sysdb_groupnames, + groupname); + if (sysdb_groupnames[num_groups] == NULL) { + DEBUG(SSSDBG_MINOR_FAILURE, "Cannot strdup %s\n", groupname); + continue; } + num_groups++; } - sysdb_groupnames[groups->num_values] = NULL; } } /* resolve primary group */ - gid = ldb_msg_find_attr_as_uint64(msg, SYSDB_GIDNUM, 0); + gid = ldb_msg_find_attr_as_uint64(res->msgs[0], SYSDB_GIDNUM, 0); if (gid != 0) { ret = sysdb_search_group_by_gid(tmp_ctx, domain, gid, group_attrs, &group_msg);
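Review bot: In the first hunk (@@ -375,33), the new `res->count == 0` check is the only guard around the result of `sysdb_initgroups_with_views`, yet both this hunk (`res->msgs[0]` for SYSDB_UIDNUM and SYSDB_GIDNUM) and the group loop in the next hunk rely on the user entry always being the first message and the groups following from index 1. That ordering assumption should be stated in a comment next to the count check so a later change to the lookup's result layout is not silently mis-read as "user has no groups" or, worse, as reading a group's attributes as the user's UID/GID.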
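Review bot: In the second hunk (@@ -409,35), a failed `talloc_strdup` is now logged at SSSDBG_MINOR_FAILURE and skipped with `continue`, whereas the removed code returned ENOMEM. Silently dropping a group from `sysdb_groupnames` changes which sudo rules match for the user, so allocation failure should keep its old error path (`ret = ENOMEM; goto done;`) rather than degrade the group list. Two smaller points: the message `"A group with no name?"` is missing the trailing `\n` that the other DEBUG calls in this function carry, and `num_groups = 0;` inside the else branch is redundant with the initializer `size_t num_groups = 0;` kept at the top of the function.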
_______________________________________________ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org